Business Continuity Management Guidelines

BUSINESS CONTINUITY MANAGEMENT IN THE
DEPARTMENT OF EDUCATION
GUIDELINES
October 2015
COPYRIGHT
© NSW Department of Education
All rights reserved. No part of this work may be reproduced or copied in any form or by any means, electronic
or mechanical, including photocopying without the written permission of the publisher.
Published by the NSW Department of Education
Direct all enquiries to the Enterprise Risk Management Unit - contact details as follows:
Level 2, 35 Bridge Street
Sydney NSW 2000
GPO Box 33 Sydney NSW 2001
Internet and intranet references
www.dec.nsw.gov.au
https://detwww.det.nsw.edu.au/lists/directoratesaz/erm/index.htm
https://www.det.nsw.edu.au/policies/general_man/erm/implementation_1_PD20040036.shtml?level=
Version no. 2.2
Contents
1.0 Introduction .................................................................................................................................................. 3
1.1 Business Continuity Management ........................................................................................................... 3
1.2 Context .................................................................................................................................................... 3
1.3 Benefits .................................................................................................................................................... 4
1.4 Business Continuity Plans for the Department ........................................................................................ 5
1.5 Business Continuity Management Objectives ......................................................................................... 5
1.6 Relationship ............................................................................................................................................. 6
2.0 The Business Continuity Management Process .......................................................................................... 7
2.1 Overview .................................................................................................................................................. 7
2.2 The Process illustrated ............................................................................................................................ 7
2.2.1 Step 1 – Create Awareness and Identify Critical Business Functions ............................................. 9
2.2.2 Step 2 - Conduct a Risk and Vulnerability Analysis ....................................................................... 10
2.2.3 Step 3 - Conduct a Business Impact Assessment ......................................................................... 12
2.2.4 Step 4 - Define Response Strategies ............................................................................................. 14
2.2.5 Step 5 - Identify Resource and Interdependency Requirements ................................................... 16
2.2.6 Step 6 - Develop Business Continuity Plans .................................................................................. 17
2.2.7 Step 7 - Develop a Communication Strategy ................................................................................. 18
2.2.8 Step 8 - Maintain and Test Plans ................................................................................................... 18
2.3 Activation and Deployment .................................................................................................................... 20
3.0 References ................................................................................................................................................ 21
4.0 Appendices ................................................................................................................................................ 22
Appendix 1 - Roles and Responsibilities of Departmental Stakeholders ....................................... 22
Appendix 2 - Business Interruption - Incident Management Process ............................................ 24
Appendix 3 - Terminology of Business Continuity Management .................................................... 25
Appendix 4 - Business Continuity Plan Help Card ......................................................................... 26
Appendix 5 - Resources – supporting worksheets ......................................................................... 27
Appendix 6 - BCM Process: Step 1 – Identify Critical Business Function Template ..................... 33
Appendix 7 - BCM Process: Step 2 – Risk and Vulnerability Analysis Template ........................... 34
Appendix 8 - BCM Process: Steps 3 & 5 BIA & Resources ........................................................... 35
Appendix 9 - BCM Process: Step 4 - Response Strategies ........................................................... 36
Appendix 10 - BCM Process: Step 7 - Stakeholder Communication Matrix ............................................... 37
Appendix 11 - Business Interruption - Incident Management Structure ...................................................... 38
Appendix 12 - Business Continuity Management as part of the Planning Process .................................... 39
1.0 Introduction
The Department of Education (the Department) is committed to a structured and systematic approach to
Business Continuity Management (BCM) in accordance with current policy, industry standards and best
practice. These guidelines outline the Department’s approach to BCM and associated responsibilities of all
staff (see Appendix 1).
Before going any further, you should determine if you already have a Business Continuity Plan (BCP). If you
do, the objective would be to update it as required to reflect your current structures and processes. The aim
of these guidelines is to provide you with the steps to update or create a BCP for your area to address critical
business functions.
Any business unit that performs a critical business function (CBF) should develop and implement a BCP.
BCPs are not anticipated to be developed at school level as it is expected that they should be adequately
covered by emergency response plans and higher level BCPs.
1.1 Business Continuity Management
What is Business Continuity Management and why is it important?
The Business Continuity Institute¹ defines BCM as a “holistic management process that identifies potential
threats to an organisation and the impacts to business operations that those threats, if realised, might cause.
It provides a framework for building organisational resilience with the capacity for an effective response that
safeguards the interests of its key stakeholders, reputation, brand and value creating activity”.
BCM is concerned with managing the effects of severe unexpected events as opposed to managing
business-as-usual issues. Accordingly, managing the effects of severe unexpected events is the primary
focus of these guidelines and the framework that underpins the management process is illustrated by
Appendix 2.
A table of terminology associated with BCM is shown in Appendix 3.
1.2 Context
To help with understanding the context, the following definitions are used in this process:
 At any time throughout this document, whenever the term the Department is used, this extends to all
entities within the Department of Education cluster
 A division is any one of the following areas within the Department under the leadership of a member
of the Executive – Corporate Services; External Affairs and Regulation; Strategy and Evaluation; and
School Operations and Performance
 A business function is a series of logically related activities or tasks performed together to obtain a
defined set of results (see Table A for examples)
 A critical business function is any vital set of activities or tasks without which the Department cannot
operate for very long. Ask the question “Can we continue to operate for a month without it and still
achieve our business objectives?”
 A business unit is a branch of the corporate office, a division, a schools area, a directorate, or other
business area.
The following illustrates different types of business functions:
 Critical. These functions cannot be performed by manual means or can be performed manually for
only a very brief period of time. In applications classified as critical, a brief suspension of processing
can be tolerated, but a considerable amount of "catching-up" will be needed to restore data to a
current or usable form.
 Sensitive. These business processes can be performed, with difficulty but at tolerable cost, by
manual means for an extended period of time. Sensitive applications also require "catching-up" once
restored.
 Noncritical. These applications may be interrupted for an extended period of time, at little or no cost
to the Department and require little or no "catching-up" when restored.
¹ The Business Continuity Institute is a global industry body and is headquartered in the United Kingdom.
Table A: Some Examples of Business Functions
(Area, followed by examples of detailed functions)
Finance
▪ Accounts Payable
▪ Accounts Receivable
▪ Income and Expenditure
▪ Financial Statements - Balance Sheet, Profit and Loss
▪ Asset Management
Delivery
▪ Developing the product (course material, syllabus, curriculum etc.)
▪ Delivering the services
Marketing
▪ Marketing - determining student or community needs, new products, marketing strategy, product
promotion
Human Resources
▪ Management of the employment function – e.g. hiring, awards, pay rates and conditions, maintenance of
employee records
▪ Wages/Salaries
Administration
▪ Clerical and record keeping tasks – e.g. typing, reception, filing and retrieval, mail
Information Technology
▪ Maintenance of IT infrastructure and associated processes (e.g. acquisition of new equipment, backup of
data, maintenance of network, help desk)
▪ Maintenance of telecommunication infrastructure and associated processes (e.g. telephones, mobiles,
PABX hardware)
Procurement
▪ Acquiring assets
▪ Disposing of assets
▪ Practical asset management (in association with finance)
▪ Buying goods/services required by the Department to deliver its services
1.3 Benefits
These guidelines help staff to address government directives and other requirements. Moreover, they
evidence good business practice as BCM acts to mitigate the negative consequences of severe unexpected
events. Some of the benefits of implementing and maintaining an effective BCM capability are summarised in
Table B.
Table B: Summary of Business Continuity Management Benefits
Tangible Benefits
▪ Compliance with regulatory requirements
▪ Compliance with contractual requirements and avoidance of liability and penalties
▪ Compliance with insurance policy conditions
▪ Reduced operational downtime
▪ Reduced costs of operating during a disruption
▪ Reduced losses as a result of a disruption and reduced costs of backlog management
▪ More cost effective recovery.
Intangible Benefits
▪ Managed exposure to risks of business disruption
▪ Improved operational resilience to unforeseen events
▪ Preservation of reputation through ensuring continuity of supply
▪ Improved efficiency and effectiveness of processes
▪ Improved staff confidence
▪ Improved stakeholder confidence
▪ Improved process understanding.
Thus, by treating the negative consequences of an event, business continuity management can create
opportunities for benefit and gain. Hence, those business units that respond positively to a disruptive event
can position themselves to recover quickly and improve their long term business performance.
Finally, BCM helps to restore critical services as it facilitates the creation and maintenance of BCPs which
contain the recovery procedures and strategies necessary to resume critical services. BCPs are activated
when standard operational procedures and responses are rendered inoperative as a result of being
inundated by a severe unexpected event.
1.4 Business Continuity Plans for the Department
The Department adopts a three-level hierarchical approach to BCP documentation as outlined in Figure 1
below. This ensures that all components of a robust BCP are addressed across the full suite of plans whilst
ensuring that plan activation is easily facilitated across the various levels of management within the
Department. It allows the Department to focus on strategic judgements and the prioritisation of resources.
[Figure 1 (diagram not reproduced): three-level BCP hierarchy. Level 1 (Strategic): BCP Department Wide.
Level 2: BCP Division 1, BCP Division 2, BCP Division 3 ... BCP Division n. Level 3 (Operational): BCP Area 1,
BCP Area 2 ... BCP Area n under each division.]
Figure 1: BCP Hierarchical Approach
1.5 Business Continuity Management Objectives
The objectives of BCM for the Department are to:
▪ protect academic and community outcomes by identifying and managing where possible any risk to major
Departmental products and/or services
▪ provide managers with guidelines to enable them to develop a local BCP that identifies and manages
potential and actual risks that threaten the Department’s major systems and services
▪ provide staff with a selection of procedures that shall be used to minimise or prevent exposure to
business continuity risks
▪ ensure that regular tests of BCPs are undertaken and to ensure the effectiveness and efficiency of the
plans
▪ ensure that regular reviews and updates of planned strategies are undertaken to account for changes in
critical business systems and services.
1.6 Relationship
There are a number of interrelated activities that work together to prevent and/or manage a severe
unexpected event (or business disruption event²). These include:
▪ business continuity management (encompassing Information Technology (IT) disaster recovery)
▪ risk management
▪ emergency response management
▪ incident management.
As previously discussed, BCM is an element within the wider context of risk management. Accordingly, risk
management and BCM need to be considered as part of an integrated process. Risk management is the
identification, analysis and evaluation of risks and is the important preliminary step to understanding the risks
as well as scoping the need for BCPs. The interface between risk management and BCM is reflected in
Figure 2 as follows.
Figure 2 (diagram not reproduced): The relationship between risk, emergency response, incident, and
business continuity management in managing a crisis situation
Each response is described in detail in Section 2.2.4 and is summarised as follows:
Emergency response: this is the tactical response to the event. It occurs immediately after the event, and
the primary concern is the protection of life and safety. The transition from emergency response to continuity
needs to be explicitly managed. To assist staff with the management process reference should be made to
the Department’s Emergency Planning and Response Policy which is published on both the Internet and
intranet. The above Policy outlines the Department’s commitment to the provision, development,
documenting and communication of emergency systems.
Continuity: this is the strategic and operational response to the business disruption. During this period the
affected business unit relies on alternative processes and resources, and aims to establish at least the
minimum level of capability and performance required.
Recovery: this is the strategic and operational response to the business disruption. During this period the
affected business unit returns to routine business processing, and aims to operate at the business-as-usual
level of capability and performance.
While a BCP is a means of minimising the impacts of a particular risk, it is not a preventative control for all
risks. Thus, overall, risk management minimises potential losses, whereas BCM provides processes and
resources in order to ensure the continual achievement of central BCM objectives. Hence, risk management
addresses the question, "how do we control or manage our risk?", whereas business continuity management
addresses the question, "what do we do to continue business operations?"
² ANAO 2009 Guide.
A structured, systematic approach to risk management will enable business units to develop a thorough
understanding of risk issues that could prevent the achievement of their goals or objectives. As part of this
process, business units should define their essential functions and key dependencies. Moreover, they should
clearly identify those risks which may potentially result in a severe unexpected event that would disrupt the
delivery of their products and/or services.
To assist with business continuity planning a quick reference “Business Continuity Plan Help Card” is
provided at Appendix 4.
2.0 The Business Continuity Management Process
2.1 Overview
The Australian National Audit Office (ANAO) has conducted an analysis of audits of financial statements of
public sector agencies over several years, in particular business continuity implementation. Their analysis
has identified the following generic characteristics associated with best practice in relation to BCM programs.
 A BCM framework is in place.
 Training and awareness of business continuity has been conducted.
 A risk assessment has been conducted.
 A business impact analysis has been conducted.
 Preparatory controls have been implemented.
 The entity has documented, and the executive has endorsed, its business continuity plans and
framework.
 Business continuity testing and exercises have been conducted.
 The entity monitors business continuity.
2.2 The Process Illustrated
These guidelines are written using a worksheet approach, and each completed worksheet using the
information gathered from within your business unit will assist you in developing your business unit's BCP.
These worksheets are contained in Appendix 5.
Furthermore, these guidelines have adopted the relevant Australian Standards and best practice.
Accordingly, the steps which are central to the Department are based on AS/NZS 5050:2010, AS/NZS ISO
31000:2009 and the ANAO 2009 Guide. The steps are listed below.
 Step 1 - Create Awareness and Identify Critical Business Functions
 Step 2 - Conduct a Risk and Vulnerability Analysis
 Step 3 - Conduct a Business Impact Assessment
 Step 4 - Define Response Strategies
 Step 5 - Identify Resource and Interdependency Requirements
 Step 6 - Develop Business Continuity Plans
 Step 7 - Develop a Communication Strategy
 Step 8 - Maintain and Test Plans
The above process is illustrated by Figure 3 and is discussed in detail throughout this section. However,
should an event occur and is deemed to adversely affect the operations of one or more business units, then
tested plans (see Step 8) will be activated and resources deployed as reflected by the final step labelled:
 Activation and Deployment.
Figure 3 (diagram not reproduced): Business Continuity Management Process
2.2.1 Step 1 – Create Awareness and Identify Critical Business Functions
 Create awareness about BCM and gain the commitment and support of management and staff for the
implementation and maintenance of the BCP when establishing your business unit's BCM structure.
 In accordance with the BCM structure, senior managers should:
▪ create awareness of BCM within the business unit and gain support for the implementation and
ongoing maintenance of BCM
▪ ensure that staff are designated with responsibilities for BCM
▪ ensure that a BCP is developed, implemented, regularly tested, reviewed and updated as
appropriate.
 Senior managers can facilitate this action with their staff by asking:
▪ “What is important to the success and sustainability of our business unit?”
▪ “What does our business unit depend upon to continue operating?”
▪ “What might prevent our business unit from achieving its key objectives?”
 To help create awareness and understanding within your business unit, consider the following:
▪ critical objectives, critical success factors and key performance indicators
▪ major current and emerging risk exposures
▪ critical business functions and processes
▪ critical plant, property, assets and other infrastructure
▪ critical people and information resources
▪ third party relationships such as with the community, suppliers, partners and regulators.
 Senior managers should also analyse past incidents and disruptions that indicate a propensity for future
disruption, including:
▪ occurrences within your business unit
▪ occurrences within the Department as a whole
▪ prior involvement of key interdependencies, such as suppliers, strategic alliances and other
stakeholders
▪ experiences of others within the education sector, communities, government, geographical location,
etc.
 Senior managers and their staff should identify and agree upon the following:
▪ the goals and objectives of strategic and operational activities of BCM
▪ expected deliverables and outcomes
▪ time requirements, demands or constraints
▪ resourcing capabilities and limitations, i.e. geographical extent and boundaries and organisational
structure, extent and boundaries.
The following diagram (Figure 4) illustrates the process for identifying the critical business functions and the
resources required.
Figure 4 (diagram not reproduced): Critical business functions
Action
To assist in the implementation of Step 1, read and understand these guidelines (the whole of this
document). To record information, use the checklist at Appendix 5A and complete the template at
Appendix 6. Retain and file all outputs for future reference.
2.2.2 Step 2 - Conduct a Risk and Vulnerability Analysis
2.2.2.1 Analysis components
 Analyse the products and/or services that your business unit provides, identify the risks that would
disrupt the delivery of the products and/or services and determine whether the business unit is
vulnerable to those risks (see Section 2.2.2.2).
 It is important to define and understand the environment in which your business unit operates. This
allows your BCP to focus on the critical business functions and processes, including all internal and
external providers, which ensure the business unit is able to provide ongoing services to the Department
and to other stakeholders.
 It is also important for business units to refer to and adopt the Department’s Enterprise Risk
Management policy and guidelines which is published on the Internet and intranet.
 In brief, this entails identifying, assessing, and treating risks and is discussed below.
 Identifying risks
As part of this stage, an understanding must be gained of the risk management strategy and the focus of
the business unit, as well as its relationship to the Department’s core activities. Reference to the
Department’s annual report can be useful in focusing your identification of key business activities.
Risk identification can be most effective when undertaken as a brainstorming activity involving staff from
a variety of levels and activities within your business unit. The following points provide background
material for your business unit:
▪ What does my business unit do? That is: what products and/or services does it deliver?
▪ What inputs, including all internal and external providers, does our business unit depend upon to
deliver its products and/or services?
▪ What existing strategies are in place to ensure inputs are maintained?
▪ What risks could interrupt the inputs to our unit's business?
▪ What existing strategies are in place to ensure that our unit's services continue?
▪ What risks could interrupt the services provided by our unit?
 Assessing risk
Assessment and analysis will provide a priority ranking of the business continuity risks that have been
identified in the risk identification. This ranking is used as the basis to develop the business unit's BCP.
There are two criteria for assessing the level of risk: firstly the consequence and secondly, the likelihood
of each identified business continuity risk.
Determine the consequence of the risk
To evaluate the risk level, you will need to first assess the risk consequence by identifying the potential
consequences of a risk event occurring. The 'Department-wide consequence criteria’ is used to estimate
a potential impact which a risk might have on the achievement of the Department/division objectives in
terms of negative consequence (threats) – see Table C.
Table C: Department-Wide Negative Consequence Criteria (Threats)
(The potential impact on the objectives and resources)
Impact Code / Impact Descriptor / Consequence Criteria
5 / Critical / The Department will not meet its objectives
4 / Major / The Department/Business unit may not meet its objectives and will require considerable
additional resources from other areas
3 / Moderate / Impact can be absorbed with treatment but will require additional resources to be allocated
2 / Minor / Can be accommodated with existing resources
1 / Insignificant / Virtually no change in operations
Note: Use the Department’s Enterprise Risk Management (ERM) Guidelines or ERM Quick Reference
Guide to assess the risk likelihood and rating in conjunction with the above consequence table.
For the purposes of formulating your business unit's BCP all risks ranked Extreme or High are to be
considered for the next stage - Step 3 – Conduct a Business Impact Assessment.
2.2.2.2 Developing risk scenarios
 Creating scenarios is a proven approach to planning for the future. When it is done in an engaging
fashion, it harnesses participants' collective experience and knowledge as well as their powers of
judgment and intuition.
 The above risk assessment can define a large amount of severe unexpected events. Trying to use this
significant amount of information as the basis for the subsequent Business Impact Assessment (BIA)
(Step 3 – Conduct a Business Impact Assessment) and for subsequent planning can be an
overwhelming and unnecessary task. To improve information processing, it can be more effective to
group risks into broader risk scenarios on which to base the BIA and subsequent development of plans.
For example, consider the following potential sources of risk that one or more business units could face
at any one time:
▪ fire
▪ flood
▪ power failure
▪ industrial dispute
▪ chemical spill
▪ delay in construction works
▪ bomb hoax
▪ severe storm damage
▪ failure of building access controls.
The above risks can all have the same disruption effect and accordingly, can be grouped into a
consolidated risk description or scenario as follows:
‘following a severe unexpected event, access to one or more buildings is denied for a period of x hours
or y days’.
Action
Complete a separate analysis template (Appendix 5B) for each Critical Business Function. To record
information, complete the template at Appendix 7. Retain and file all outputs for future reference.
2.2.3 Step 3 - Conduct a Business Impact Assessment
This step is an essential part of the business continuity planning process as it provides an analysis of how
severe unexpected events could affect a business unit’s operations and what capabilities will be required to
manage these risks. The BIA identifies mission-critical areas and business processes that are critical to the
maintenance of the delivery of products and/or services.
Furthermore, the BIA helps to raise senior management’s awareness of undesirable consequences and
potential risks. Accordingly, business unit managers should determine the potential organisational effects of
severe unexpected events to their operations and identify the resources required to continue to operate
following these disruptions.
BIA key steps
Key steps that underpin the business impact assessment process are outlined below.
1. Developing communications for the BIA
This will assist with establishing trust and a two-way dialogue in order to develop a more effective BIA.
2. Confirming critical business functions
Given the completion of the risk and vulnerability assessment, this aspect confirms that previously identified
business functions retain their critical status.
3. Identifying resource requirement
In this step the current level of resourcing for each critical business function is identified to determine current
capabilities and the potential for future spare capacity or shortfall. It should cover for example the type,
number, location, etc. of the following resources:
▪ People: Managers, staff, contractors and consultants currently contributing to the critical business
function. Include key roles and responsibilities for each individual and location, contact details, deputies
for each position, etc.
▪ Facilities: Identify types of facilities in use currently (for example: 25 workstations in open office, 1
manager's office, 1 meeting room)
▪ Equipment: Identify general office equipment, telecommunications, and any specialised equipment in
use (for example computers, filing cabinets, cameras, photocopiers etc.)
▪ IT systems: Identify IT systems and applications currently in use
▪ Information: Identify current information requirements (for example required paper records and electronic
documents)
▪ Budget: Identify current budget, cash flow, expenditure and/or revenue requirements
▪ Transport: Identify transport requirements (for example fleet requirements, vehicle hire and vehicle
parking requirements)
▪ Other service and assets: Identify any other key factors required to support the normal operations of the
critical business function (for example couriers, inventory etc.).³
³ Once the normal day-to-day resource requirements have been determined, business unit managers should be challenged to
identify which resources are absolutely essential to achieve the level of operation that will meet the critical business objectives in
the event of a disruption. The aim here is to identify the minimum resourcing that must be made available following a disruption.
4. Establish interdependencies
A range of interdependencies will usually need to be identified and mapped, both internally and externally.
The following types of interdependency need to be considered:
▪ between individual critical business functions within your business unit and across the Department as a
whole
▪ with key suppliers (including critical infrastructure suppliers such as water, power and
telecommunications utilities)
▪ with key customers
▪ with strategic partners
▪ with regulators
▪ parties where no current interdependency exists, but could be created following a disruption.
For each of these interdependencies, mapping should include details on but not limited to:
▪ the nature and level of the interdependency
▪ any critical failure points
▪ contractual conditions
▪ service level agreements/objectives.
A common shortcoming of many attempts at mapping interdependencies is neglecting to ensure that people
and resources are mapped against business needs for a minimal level of operation.
5. Determine the disruption impacts
Determine the impact of the disruption on the critical business function, in financial and/or non-financial
terms, over defined periods.
The impact levels should be tested at predetermined intervals in accordance with the business unit’s
‘business cycle’ (e.g. school term or financial reporting period).
6. Identify outage times and recovery objectives
Maximum Accepted Outage (MAO) times should be determined for each of the critical business functions
(down to process level where applicable), key IT applications and other critical assets including human
resources.
The MAO time represents the maximum period of time that your business unit can tolerate the loss of
capability of a critical business function, process, asset, or IT application. Note that this should be
determined by the 'owners' of the critical business function.
7. Identify alternate workarounds and processes
Alternate workarounds and processes may need to be developed where resources or capability are inaccessible or insufficient during the disruption, such as the introduction of manual processing following the loss of IT functionality.
8. Confirm current preparedness
Confirm the critical business functions’ current preparedness to manage a disruption. This may include, for
example, re-evaluating the extent of redundancies within the business area (e.g. spare equipment), that
could be redeployed to affected areas, the existence of alternative suppliers that could be contracted, or the
potential to utilise a multi-skilled team.
Action
Complete the BIA checklist at Appendix 5C. To record information, complete the template at Appendix 8.
Retain and file all outputs for future reference.
2.2.4 Step 4 - Define Response Strategies
The development of response strategies is concerned with determining how your business unit will react to
an incident, and the manner in which the different elements of this overall response will interact.
As previously mentioned in Section 1.6, the response should include the following broad strategies:
 the emergency response (initial response)
 the continuity response (interim operations)
 the recovery response (back to normal).
In each case, it is advisable to consider a number of optional responses and then select the most cost
effective option.
2.2.4.1 Response strategies described
 The Emergency Response
▪ The emergency response is the immediate response to the event. It is primarily concerned with the protection and preservation of life and property. This response could be as simple as the activation of a building evacuation plan, or as comprehensive as an emergency management strategy involving the immediate protection of property, people and information across multiple sites or communities.
▪ Typically the development of the emergency response will involve:
   Determining regulatory and industry standards' requirements (e.g. for fire evacuation)
   Confirming existing emergency response plans and capabilities
   Identifying gaps that require further development
   Identifying triggers for the activation of plans
   Identifying responsibilities for components of the response
   Documenting the strategy including the identity and location of component plans
   Identifying command, coordination and control requirements for the response.
▪ Note that your business unit should already have such emergency management procedures in place (e.g. fire evacuation procedures).
Action
Use the flow chart at Appendix 2 to assist in deciding when and how to activate, escalate and manage the Emergency response strategy. Retain and file all outputs for future reference.
 The Continuity Response
▪ The main purpose of the continuity response is to ensure the continued delivery of a minimum acceptable level of performance per the predefined MAOs. There are several important considerations in developing a response in order to determine the level of detail a BCP must contain, and these are listed below.
(i) Are plans required for:
   ▪ critical business functions?
   ▪ key processes?
   ▪ specific assets, facilities, locations, or other infrastructure?
   ▪ key people? and/or key supply relationships?
   ▪ determining the structure of continuity planning, and are documents required?
(ii) Another important consideration is to determine the structure of continuity planning and the required documents:
   ▪ will one plan or multiple plans be developed? or
   ▪ will plans be developed in a hierarchy with consolidated departmental level plans sitting above local functional plans?
(iii) Confirming that the identified critical business functions (or assets, facilities, etc.) are still appropriate. This may lead to the consolidation of one or more business functions into a single critical business function for planning purposes.
(iv) Identifying criteria for activating the continuity phase (i.e. triggers).
(v) Identifying criteria for the deactivation, step down, or stand down of the phase.
 The Recovery Response
▪ The recovery response is aimed at restoring your business unit to a long-term operationally acceptable and sustainable capability. In developing this response it is necessary to consider what can be practically identified and planned for, and what will be decided on following the actual incident.
▪ An important, though often neglected, consideration is the management of backlogs. As the business is returned to 'normal' capability there is likely to be a continuing backlog of work that will require attention. Appropriate strategies should be considered, e.g. additional temporary staff and/or existing staff working overtime.
2.2.4.2 Cost benefit analysis
It is outside the scope of these guidelines to provide instructions as to how to perform a cost benefit analysis
in relation to the development of business continuity strategies. However, the ANAO 2009 Guide states that
“typically, the lower the maximum tolerable period of disruption, the more costly and complex the recovery
treatment is likely to be. This is particularly true when the recovery of technology is involved. It is important to
establish a realistic representation of the recovery requirements of the entity.”
In undertaking any cost benefit analysis, consideration should be given to the nature of the product and/or
service being offered, the Department’s current service delivery model and any identified internal economies
of scale.
Action
Complete the Response Strategies template at Appendix 9. Retain and file all outputs for future
reference. A description of the three responses is outlined above.
2.2.5 Step 5 - Identify Resource and Interdependency Requirements
Identify, consolidate and map resource requirements from across the Department according to business
priorities and according to the interdependencies with internal and external service providers. In
circumstances where multiple plans have been developed (e.g. for a range of critical business functions)
consolidation of all the resource information will be required to be performed by the business unit as
designated by the Secretary.
2.2.5.1 Factors
Factors that need to be considered include:
▪ Type, volume/quantity and location of resources required for each process during the severe unexpected event
▪ Dedicated resource requirements, such as processes or locations that require the named resources to be dedicated to their use
▪ Access requirements, where processes or locations require access to the use of resources, but do not require dedicated resources
▪ Identification of synergies and conflicts between processes/locations in the unit or application of resources.
While critical business resources were assessed during the risk assessment and BIA stages, it is necessary to determine the resources that will be needed to ensure the success of each strategy from Step 4 through to Step 8. Thus, when determining the most suitable recovery strategy, it is critical that the internal resources required to continue business operations following a disruption are carefully identified. Some examples of business resources are as follows:
▪ vital records (hard copy and electronic)
▪ contact lists of staff
▪ operating manuals
▪ procedures manuals
▪ location of off-site storage facilities
▪ minimum quantity of IT equipment required (this should already have been identified by your business unit)
▪ telecommunications support
▪ alternate office locations (if required)
▪ a list of staff with expertise required by the business unit
▪ authority for the payment of emergency expenses
▪ minimum quantity of office equipment required.
If your business unit requires a specific product or service from a supplier, a commitment should be
obtained from the supplier that its BCP is operational and that they can guarantee the ongoing supply of
that product or service in the event that the supplier experiences a disruption.
Action
Review and revise your resource lists identified at Appendix 8. Retain and file all outputs for future
reference.
2.2.6 Step 6 - Develop Business Continuity Plans
Use the information collected and developed during the BCM process to write BCPs that can be
implemented following an incident. One of the most important issues in writing a plan for managing a
disruption is to ensure that it is written so that it can be understood and applied by those expected to use it.
A plan should be written in such a way that it could be understood by someone who has not previously seen
the document. For certain functions it is possible that the plan may have to be activated and operated by
individuals who are not fully familiar with the processes and procedures being employed.
2.2.6.1 What generic information to include in plans
Although for the majority of plans there will be no predetermined standard, as a minimum the following
generic information should be provided:
▪ current version
▪ criteria for activation of the plan (Who has the authority to activate the plan? Who is the backup in case this person is unavailable? Under what situations will the plan be activated?)
▪ specific actions and responsibilities
▪ resource requirements
▪ communication requirements
▪ contact lists.
2.2.6.2 What information to include in specific plans
Emergency management plans
The detailed content of emergency management plans may be specified by regulations, national standards
(for example fire emergency evacuation plans), or by generally accepted practices (for example industry
specific or local community emergency management plans).
IT recovery plans
IT recovery plans are included within separate IT Service or Application Recovery Plans as maintained by,
and available from, the IT Directorate. Your business unit's BCP should not include the technical details of IT
recovery but must determine workaround (perhaps manual) procedures which you will undertake should IT
systems not be successfully recovered as expected.
Business continuity plans
The BCP's content must be developed to reflect your business unit's functions and provide the required
capability to support the achievement of your pre-identified critical business processes within their MAO
times.
It is important to maintain effective governance and control during a major business interruption. BCPs must
therefore define explicit control requirements which help ensure that the Department’s governance policies
and procedures are maintained and applied during an interruption. Content should include but not be limited
to the following:
▪ Financial delegations and control
▪ Insurance claims and management
▪ Appropriate communications with stakeholders (refer next section).
Action
The following points will assist you in developing your Business Continuity Plan(s).
▪ For a fully completed template, visit the policy section of the Internet or the intranet
▪ From the A-Z list, select Business Continuity Management Template with Sample Text
▪ Save the document to a file of your own choice or open it ready for use
▪ The document will be your actual BCP and will bring together the outcomes of each of the prior steps.
Retain and file all outputs for future reference.
2.2.7 Step 7 - Develop a Communication Strategy
It is vital that communications are considered as one of the highest priorities throughout all BCM activities,
both pre and post event. Your business unit's BCP documentation should include formal communication
plans with all stakeholders and address the following communication issues:
▪ Engagement
▪ Participation
▪ Comprehensiveness, clarity, adequacy and transfer of information
▪ Perceptions of the parties involved.
2.2.7.1 Identify stakeholders and their needs
Communication with stakeholders should be a feature of all stages of the BCM program. However, following
a disruption, there will often be a need to prioritise stakeholders as both audiences and information sources.
A lack of consideration in this respect can adversely impact upon stakeholder relationships for a
considerable time.
Although considerable preplanning can be undertaken, there will always be a number of decisions on
stakeholder communications that can only be made once the nature of the event and its impact become
understood. As part of the communications plan, an initial stakeholder communications matrix should be
developed and included as part of your BCP.
Action
Develop a Stakeholder Communication matrix and insert it within your BCP(s). Refer to Appendix 10 for
guidance. When you have finalised and tested your BCP forward it to the ERM Unit for uploading to the
Department’s intranet site.
Retain and file all outputs for future reference.
2.2.8 Step 8 - Maintain and Test Plans
Plans can date very quickly (particularly contact lists). Even after a few weeks, if not updated, the
effectiveness and relevance of plans begin to deteriorate. Furthermore, although plans may accurately reflect
the status quo, they will remain as pieces of paper unless the relevant people within your business unit
understand them and know how to use them. The three key tasks for effective plan management are as
follows:
 Training and awareness
Staff should understand the need for business continuity, what the plans are for and how to use them.
Therefore the capability of staff to undertake these tasks must be maintained, for example through
training and exercising. Thus, all staff identified as having a role in the development of a BCP should
receive appropriate initial training and whenever a significant change is made to the BCP.
The following items should be covered as part of BCP training:
▪ Objectives and intent of BCP
▪ Definition of threats and risks covered by the BCP
▪ Structure of the Department’s overall BCP including relationships to Emergency Management Plans
▪ Roles and responsibilities of various groups involved in BCP
▪ Specific roles and responsibilities of the individual being trained.
 Testing
The testing of all aspects of your business unit’s BCP (where practical) is critical to the plan’s success.
The type of test you choose for your plan will depend upon the potential impact of your identified
business continuity risks and the environment in which you work. Types of BCP tests include the
following:
▪ Structured Walkthrough - The most basic type of test, which takes place in a group meeting setting where the main purpose is to ensure that critical personnel from all areas are familiar with the BCP. For example, staff members are provided with a handout and work through a pre-determined scenario.
▪ Desktop Drill - The participants choose a specific event scenario and apply the BCP to it. The main goals here are to practice team interaction, as well as decision-making and problem-solving skills.
▪ Functional Testing - A drill that involves the actual relocation of personnel to another site in an attempt to establish communications and coordination as defined in the BCP. The main focus here is to test the business continuity capabilities of groups in an actual recovery situation.
▪ Full-Scale - The most comprehensive type of test. With this test, all or most of the BCP is put into action. The main goal is to simulate an actual recovery situation as closely as possible. The exercises in this case are usually longer, and should evolve and develop just as they would in an actual crisis.
A BCP test can be considered worthwhile only if the results are analysed and compared against your
original objectives, and then acted upon. A self-assessment test can be completed by asking the
following important questions:
▪ Were the test objectives completed?
▪ What gaps did we find?
▪ What actions must we take to bridge those gaps?
▪ What approach should we take for our next test?
At a minimum, all BCPs must be tested at least once every year or whenever a significant change is
made to the BCP. All test plans and results must be documented and retained as an audit trail.
 Maintenance
New technology, legal requirements, policy and procedures can all introduce new business continuity
risks. When business processes change, it is important that the BCP is reviewed and updated to reflect
those changes. Issues which may be considered during a review of your BCP include:
▪ Is the BCP based on a risk analysis assessment that has been conducted and documented?
▪ Has the potential impact of business continuity risks been assessed?
▪ Has the BCP been developed to minimise disruption of services, reduce financial loss, and ensure timely resumption of normal operations?
▪ Does the BCP include contact details for personnel, vendors, equipment and transportation?
▪ Do the BCP contact details include names, positions and phone numbers of persons responsible for the business continuity strategies?
The Department's Audit Directorate may include a review of the management of business continuity
planning as a project on their strategic audit plan. This could include random checks of business units'
BCPs. The Audit Office of New South Wales may also review business continuity planning across the
public sector.
It is essential that you continue to test your BCP and ensure it remains relevant and up-to-date.
2.3 Activation and Deployment
Activation
A severe unexpected event as illustrated by Figure 5 could result in the activation of one, several, or many
emergency response plans as well as multiple business continuity plans. Moreover, progressively over time,
a series of recovery and restoration plans affecting one or multiple locations could also be activated.
[Figure 5: The activation of a BCP, key time lines and the resumption of critical business processes]
BCM does not have a discrete start and end: it is a continuous and iterative process. Accordingly, the crisis
timeline depicted in Figure 5 encompassing the various components will vary according to the nature and
extent of the unexpected severe event. Thus, the MAOs and RTOs will need to be monitored throughout the
disruption as any adverse variances against stated objectives could impede the resumption of normal
business operations.
Based on best practice, business units are encouraged to manage business continuity on an ongoing basis
and have their BCPs integrated with departmental management practices.
Deployment
The activation of the above plan(s) may have business units competing for resources, time and the attention
of senior management.
Based on the Australian Standard Handbook HB 292-2006, an ‘Incident Control System’ (ICS) for coordinating and controlling the activation, deployment, stand-down, and interrelationships between plans would assist the Department to effectively manage the above situations. An ICS provides an accepted approach for achieving control and coordination and is based upon the concepts of:
▪ limited effective span of control
▪ modular structure
▪ scalability.
This task of developing a suitable ICS for the Department is currently being undertaken by the WHS
Directorate. Once approved, the resource will be published on the Internet and the intranet.
Although these guidelines provide assistance at a business unit level, further work is required to establish a
Department-wide Incident Coordination Centre (ICC). The ICC would be responsible for coordinating BCPs
across the Department in the event of a significant incident. An example of how this ICC may function is
provided at Appendix 11.
Action
Complete the Activation and Deployment checklist at Appendix 5D.
Retain and file all outputs for future reference.
Document retention
It is essential that adequate records are kept of all key decisions and communications as they relate to BCM.
These may need to be produced for the Audit Office of NSW, other auditors, government departments,
insurers, regulators, courts, release of information requests, or for departmental debriefs. Thus, it is
important that business units have at least one staff member who is tasked to collect and maintain such
documents. This would include indexing and secure storage.
Business units would benefit from this process as these documents should also prove helpful for directing
further improvements to strategies, documented plans and the development of new exercise scenarios and
simulations.
3.0 References
▪ The Department’s Enterprise Risk Management Policy
▪ The Department’s Enterprise Risk Management Guidelines
▪ The Department’s Emergency Planning and Response Policy and Guidelines
▪ The Department’s Pandemic Management Strategy Guidelines
▪ Disaster Recovery Institute International, "Professional Practices for Business Continuity Planners", 1997
▪ Attorney General's Department, Business Continuity Guide
▪ Australian National Audit Office, Business Continuity Management: Building resilience in public sector entities. Better Practice Guide, June 2009
▪ Australian National Audit Office, Business Continuity Management: Keeping the wheels in motion. Better Practice - A Guide to Effective Control, 2000
▪ Standards Australia, Risk Management Standard AS/NZS ISO 31000:2009
▪ Standards Australia, Business Continuity Standard AS/NZS 5050:2010
▪ Standards Australia, Business Continuity Management Handbook HB 221:2004
▪ Standards Australia, A Practitioners Guide to Business Continuity Management HB 292-2006
▪ Standards Australia, Executive Guide to Business Continuity Management HB 293-2006
Additional information concerning the development of business continuity plans is available by
contacting the ERM Unit on telephone number (02) 9561 8840.
4.0 Appendices
Appendix 1 - Roles and Responsibilities of Departmental Stakeholders
The following schedule outlines the roles and responsibilities of key departmental stakeholders and should
be read in conjunction with the current organisational chart.
DESIGNATED RESPONSIBLE STAFF AND RESPONSIBILITIES

1. The Secretary is responsible for ensuring:
▪ the Department complies with the requirements of the Department of Premier and Cabinet for NSW government agencies to develop and maintain a BCP
▪ the convening and chairing, or delegation of responsibility for convening and chairing, an Incident Co-ordination Centre (ICC) to manage the incident (the course of action taken will depend upon the severity of the business continuity interruption).

2. Deputy Secretaries, Executive Directors, General Managers, the Chief Information Officer, State Office Directors and Schools Directors are responsible within their areas for ensuring:
▪ the Department's BCM policy and guidelines are implemented, and that their local BCPs are regularly tested and monitored
▪ staff are designated with the responsibilities of coordinating the development and maintenance of a local Business Continuity Plan in accordance with the Department’s BCM policy and procedures
▪ based on the severity of the business continuity interruption, they participate as a member of an ICC that is convened to manage an incident
▪ an annual report on their areas' BCM performance is completed, approved and forwarded to the ERM Unit for collation and submission to the Executive and to the Audit & Risk Committee (ARC)
▪ through their performance agreements, they can demonstrate compliance with the Department's BCM policy and guidelines.

3. The Manager, Enterprise Risk Management is responsible for ensuring:
▪ the Department's BCM policy and guidelines are developed, promulgated and reviewed
▪ senior managers are aware of their BCM responsibilities
▪ advice is provided to all business areas concerning BCM policy, guidelines and reports
▪ the Department complies with the Department of Premier and Cabinet requirements, and corporate policy, procedures and guidelines are monitored and evaluated
▪ annual reports from all business areas on the Department's overall BCM performance are collated and the results submitted to the Executive and to the Audit & Risk Committee (ARC).

4. Division heads and other members of the Executive are responsible for ensuring:
▪ the development and maintenance of a database of all BCPs within their areas
▪ the development and maintenance of a hard copy of all current BCPs
▪ the coordination of regular reviews of all BCPs
▪ the ERM Unit is provided with copies of all BCPs to enable reporting to the Executive and the Audit and Risk Committee (ARC).

5. Business continuity owners are responsible for:
▪ undertaking appropriate BCM training
▪ coordinating basic BCM training, and providing advice and information, for other staff in their area
▪ coordinating the development, testing and review of their business unit's BCP
▪ liaising with the ERM Unit as required for reporting purposes to the Executive and the ARC in relation to their BCP.

6. All staff are responsible for:
▪ following the Department's BCM policy and procedures
▪ participating as a member of their business unit's BCP team.
Appendix 2 - Business Interruption - Incident Management Process

[Flow chart, shown here as its steps in sequence]

Significant Business Interruption Incident Identified
  ↓
Evaluation (Continue to Review & Assess). Process includes:
1. Emergency Procedures
2. Ownership
3. Establish Incident Management Teams
4. Roles & Responsibilities
5. Incident Coordination Centre
6. Impact Assessment
7. Incident Categorisation
8. Escalation
9. Notification
10. Continual Assessment
  ↓
Escalation Required?
  No → Resolve Incident at Local Level
  Yes → Initiate Incident Management Process
  ↓
Management of Incident. Process includes:
1. Recovery Action (Repair)
2. Communication and PR
3. Media
4. Business Continuity Management
5. Forward Planning
6. Investigation
7. Legal / Regulatory
8. Finance
9. Human Resources
10. External Organisations
11. Emergency Services & Local Authority
12. Specialist Services
13. Continual Assessment
  ↓
Incident resolved → Incident Closure Notification
  ↓
Post Incident Review. Process includes:
1. Formal Review with all Stakeholders
2. Remedial Strategies
3. Feedback to Stakeholders
4. Amendment to BCP
Appendix 3 - Terminology of Business Continuity Management

Acronym - Business Continuity Terminology: Definition

AS - Australian Standards: The relevant AS are Standards Australia AS/NZS 5050:2010 on business continuity management and AS/NZS ISO 31000:2009 on risk management.

BCM - Business Continuity Management: BCM provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

BCP - Business Continuity Plan: A BCP is a collection of information and procedures developed, compiled and maintained in readiness for use in the event of an emergency or a disaster. The BCP enables an organisation to manage a major disruption or disaster and resume critical business functions within the required pre-determined time. The relationship of business continuity plans to other plans within the Department is reflected by Appendix 12.

BCR - Business Continuity Risk: A BCR is an event that could result in an unacceptable and sudden interruption to a major system or service.

BIA - Business Impact Assessment: A BIA provides analysis of how key disruption risks could affect your business unit's operations and what capabilities are required to manage them.

ICC - Incident Coordination Centre: The Department-wide ICC will be responsible for coordinating the BCPs across the Department in the event of a significant incident. An example of how this ICC may function is provided at Appendix 11.

MAO [4] - Maximum Acceptable Outage: The MAO represents the maximum period of time that your business unit can tolerate the loss of capability of a critical business function, process, asset, or IT application.

R&V - Risk and Vulnerability Analysis: The R&V involves analysing the services your business unit provides, identifying risks that would disrupt the delivery of services and determining whether your business unit is vulnerable to those risks.

RM - Risk Management: RM aims to "manage" (usually reduce) either the likelihood or the impact of a threat.

RTO - Recovery Time Objective: The RTO is the target time set for recovery of an activity, product, service, or critical business process after a business disruption event, or recovery of an IT system or application after a business disruption event.

[4] May also be referred to in some publications as ‘Maximum tolerable period of disruption’ (MTPD), ‘Maximum tolerable down time’ (MTDT), ‘Maximum down time’ (MDT), ‘Maximum allowable outage’ (MAO) or ‘Maximum Tolerable Outage’ (MTO).
Appendix 4 - Business Continuity Plan Help Card
This Help Card is designed to assist you to create a Business Continuity Plan for your business unit and is to
be read in conjunction with other Appendices as listed below.
How to Develop Your Business Continuity Plan
Step 1
Create Awareness & Identify Critical Business Functions - review Business Continuity Management
Guidelines (the whole of this document) and complete Appendix 5A & 5B.
Step 2
Risk & Vulnerability analysis – refer to Section 2.2.2 of these guidelines. Undertake analysis using the
available template at Appendix 7.
Note: A separate analysis template should be completed for each Critical Business Function.
Step 3
Business Impact Assessment - using your completed Risk & Vulnerability Analysis template, refer to
Section 2.2.3 of these guidelines. Complete the checklist contained in Appendix 5C and the BIA template
at Appendix 8.
Step 4
Define Response Strategies – refer to Section 2.2.4 of these guidelines. Complete the Response Strategy
template at Appendix 9.
Step 5
Identify Resource and Interdependency Requirements – refer to Section 2.2.5 of these guidelines. Review
the BIA template at Appendix 8.
Step 6
Business Continuity Plan - using your completed BIA template, refer to Section 2.2.6 of these guidelines.
Complete the BCP template available in the policies section of the Department’s intranet or the Internet.
Step 7
Develop a Communications Strategy – refer Section 2.2.7 of these guidelines. Complete the Stakeholder
Communication Matrix template at Appendix 10.
When you have finalised and tested your BCP forward it to the ERM Unit for uploading to the
Department’s intranet site.
Step 8
Maintaining and Testing Plans – refer to Section 2.2.8 of these guidelines.
The activation and deployment of tested BCPs is outlined in Appendix 5D.
Important note:
It is imperative that business units are able to refer to a hard copy of their BCP in the event of a loss of
functional IT systems.
Appendix 5 - Resources – supporting worksheets
5A Checklist – Identify critical business functions
For each question, copy and paste the tick symbol in the appropriate box below.

Columns: Identify critical business functions | Completed (Yes / No) | Other actions required

1. Document and confirm the business unit’s objectives and performance criteria.
2. List all critical business functions which underpin achievement of objectives.
3. Rank the functions in order of importance to the entity’s objectives and exclude those functions not considered critical to achieving the objectives.
4. Review the functional organisation chart to identify general areas of operational responsibility.
5. Obtain any supporting documentation that is available which would provide a summary of critical business functions.
6. Interview managers responsible for critical business functions to confirm understanding.
7. Consider interdependencies that exist:
   ▪ between business units
   ▪ with external entities or organisations.
8. Determine the minimum requirements necessary to perform each critical business function (see Appendix 5B.4.1). Consider:
   ▪ critical processes
   ▪ resources
       people
       facilities (including building and equipment)
       technology (including IT systems/applications)
       telecommunications
       vital records
   ▪ interdependencies
   ▪ other.
9. Obtain senior management endorsement of the prioritised list of critical business functions.

Adapted from ANAO 2009 Guide
5B Templates – Identify critical business functions
5B.1 Document Control
Identify critical business functions document details
Version number:
Authorisation date:
Authorised by:
Expiry date:
To be revised on:
5B.2 Business unit details
Business unit name:
Contact name:
Title:
Location:
Phone number:
Mobile:
Email:
5B.3 Business unit objectives and performance indicators
Columns: Objectives (in priority order) | Performance indicators
1.
2.
3.
4.
5B.4 Business unit critical business functions
Columns: Critical business functions (in priority order) | Section/Team | Key contact
1.
2.
5B.4.1 Requirements to perform each critical business function
Critical Business Function 1: <insert function name>
Columns: Process 1 <insert name> | Process 2 <insert name> | Process n <insert name>
Rows:
▪ Resources
  - People
  - Facilities (including building and equipment)
  - Technology (including IT systems/applications)
  - Telecommunications
  - Vital records (including paper and electronic).
▪ Interdependent functions (including internal and external)
▪ Maximum Acceptable Outage
▪ Other
Critical Business Function 2: <insert function name>
Columns: Process 1 <insert name> | Process 2 <insert name> | Process n <insert name>
Rows:
▪ Resources
  - People
  - Facilities (including building and equipment)
  - Technology (including IT systems/applications)
  - Telecommunications
  - Vital records (including paper and electronic).
▪ Interdependent functions (including internal and external)
▪ Maximum Acceptable Outage
▪ Other
Adapted from ANAO 2009 Guide
5C Checklist – Undertaking a business impact analysis
For each question, copy and paste this tick ✓ in the appropriate response box below.
Columns: Identify critical business functions | Completed (Yes / No) | Other actions required
1. Gather relevant existing information, such as:
▪ disruption scenarios
▪ emergency response management plan
▪ incident management plan
▪ pandemic plan
▪ IT disaster recovery plan
2. Consult key personnel and business units. Consider:
▪ building and facilities
▪ internal audit
▪ customer contact points
▪ emergency response management
▪ external stakeholders and organisations (for example, service providers, interdependencies, and unions)
▪ finance (and insurance)
▪ information technology
▪ risk management
▪ work health and safety
3. Evaluate the impacts of a loss of each critical business function from the perspective of the business unit’s objectives. Consider the following risk focus areas as outlined in the Department’s ERM guidelines:
▪ Service/Program delivery
▪ Financial
▪ Management effort
▪ Health & safety
▪ Legal/Compliance
▪ Reputation/External relationships
4. Identify interim processing procedures (alternative or manual processing techniques) to be adopted during the recovery phase.
5. Determine the maximum tolerable period of disruption for each critical business function.
6. Determine internal and external critical interdependencies.
7. Identify vital records.
8. Determine the recovery time objective for each critical business function and IT system/application.
9. Determine the recovery point objective for electronic data.
10. Estimate the time to overcome the backlog of work accumulated during a business disruption event.
11. Obtain senior management endorsement of the business impact analysis.
Adapted from ANAO 2009 Guide
5D Activating and deploying your Business Continuity Plan
Introduction
The following example and checklist reflect activation and deployment of the Business Continuity
Management Plan. Declaring the outage and agreeing on the appropriate time to initiate operations under
the business continuity plan can be difficult and requires advance planning. It is therefore important to give
clear guidelines on the declaration of a business disruption (severe unexpected event).
5D.1 Example – Activation levels
Level: Critical
▪ Incident management team and/or the business continuity management team convene (in person or via teleconference or videoconference) to manage the situation.
Level: Major
▪ Response and/or recovery situation monitored by emergency response manager or delegate, with the incident management team and/or other nominated management team alerted and on standby.
▪ Hourly situation reports are provided to the incident management team and/or other nominated management team.
Level: Minor
▪ Response and/or recovery situation monitored by administrative support staff, with the incident management team and/or other nominated management team alerted and on standby.
▪ Daily situation reports are provided to the incident management team and/or other nominated management team.
Source: ANAO 2009 Guide
5D.2 Checklist – Considerations for estimating the duration of a business disruption event
For each question, copy and paste this tick ✓ in the appropriate response box below.
Columns: Identify critical business functions | Completed (Yes / No) | Other actions required
1. Has input from emergency services and contractors been gathered to use in the evaluation of likely repair time?
2. Are critical business functions affected?
3. If Question 2 is answered YES, have the impacts on the critical business functions been considered?
4. Are the people involved in the estimation process clearly identified?
5. Are notification procedures for those involved in the estimation process clearly identified?
6. Are timeframes for the assessment clearly identified?
7. Do external stakeholders need to be part of the assessment?
8. If Question 7 is answered YES, are all external stakeholders identified?
9. Are all relevant insurance companies appropriately informed of the incident before assessment takes place? (Refer to insurance policy protocols to see if the insurance policy is void if certain disaster assessments are carried out without the insurance company present or without their knowledge.)
Adapted from ANAO 2009 Guide
Appendix 6 - BCM Process: Step 1 – Identify Critical Business Function Template
Columns and guidance:
Critical business function – Title or simple description of the critical business function or process.
Physical location – Identify the location or locations where the activity is conducted.
Critical success factor – Identify what the function is trying to achieve; this may be based on minimum acceptable performance standards.
Functional interdependencies – Identify key upstream and downstream interdependencies.
Priority – Determine criticality.
Practical grouping – Identify common groupings of critical business functions, for example those that may be suitable for the conduct of a combined single BIA.
Worked example:
Critical business function: Financial reports and issues for the Executive
Physical location: Level 3, 35 Bridge St Sydney
Critical success factor: 24 hour access to services; 4 hour response in business hours; 8 hour response after hours
Functional interdependencies: Specialist Personnel; Support Personnel; Technology; Communications; Data; Accommodation
Priority: Medium
Practical grouping: Preparation of the financial statements in accordance with statutory requirements and accounting standards. Provide financial information and advice to Senior Management.
Appendix 7 - BCM Process: Step 2 – Risk and Vulnerability Analysis Template
Columns and guidance:
Critical business function – Carry forward from Appendix 6.
Risk – Describe what can go wrong.
Existing controls – What mitigating controls exist?
Impact – Refer table above.
Likelihood – Refer table above.
Residual Rating – Refer table above.
Target Risk Rating – Refer table above.
Treatment option – Accept or reduce?
Recovery Plan required? – Yes or No?
Responsibility – Responsible for developing plan.
Worked example (cont.):
Critical business function: Financial reports and issues for the Executive
Risk: Loss of functional IT systems
Existing controls: Nightly data backups
Impact / Likelihood: A4 B4 F5 4L
Residual Rating: High
Target Risk Rating: Medium
Treatment option: Reduce
Recovery Plan required? Yes
Responsibility: Director Finance
Appendix 8 - BCM Process: Steps 3 & 5 BIA & Resources
Step 3 - Business Impact Assessment
Step 5 – Resource and Interdependence
Approach
▪ identify critical business functions per business unit
▪ list critical business processes for each identified critical business function
▪ identify the key resources required to achieve each of these functions
▪ determine the impact it would have if the function became inoperable
▪ rank the results from the perspective of the business unit as a whole.
Example: Extract from HR Systems Support and Development Unit
Columns: Critical business functions | Impact assessment (1-5 days / 1 month / 3-4 months) | MAO | Key resources required to achieve function (as completed in Appendix 5B.4.1)
1. Production of pay calculation – School / Corporate Permanent and Temporary Employees
Impact assessment: Critical / Critical / Critical
MAO: 2 hours
Key resources: Functional premises; iSeries hardware platforms; Oracle Database; Network Access; Email Access; Internet Access; Telephony (phone/fax); PEPS payroll; CEPS Payroll; Leave Management System; Personnel System; SHR Web applications (ELAPS); Specialist HRSSD Staff; ITD Support Staff
2. Production of pay calculation – TAFE Employees
Impact assessment: Critical / Critical / Critical
MAO: 2 hours
Key resources: Functional premises; Lattice / UNIX hardware platforms; Oracle Database; Network Access; Email Access; Internet Access; Telephony (phone/fax); Lattice Payroll application; Criminal Records Check system; THR Web applications; Specialist HRSSD Staff; ITD Support Staff
3. Production of financial interface information – School / Corporate Permanent and Temporary Employees
Impact assessment: Major / Critical / Critical
MAO: 1 day
Key resources: Functional premises; Network Access; Telephony; PEPS payroll; SAP Finance Module; Operational FTP link to SAP; Specialist HRSSD Staff; Specialist SSC Finance staff; ITD Support Staff
Appendix 9 - BCM Process: Step 4 - Response Strategies
Organisational unit: Finance Directorate
Location: Level 3, 35 Bridge St Sydney
Contact name: Justin Time
Title: Director, Finance
Telephone: 0123 4567
Email: Justin.Time@det.nsw.edu.au
Critical business function: Cheque processing
Critical infrastructure: Financial systems and cheque printer
Risk scenario: Loss of access to building
MAO: 48 hours
Response requirement: Establish alternate cheque printing capability to cover 48 hour period before recovery.
Response option 1: Use a bureau service - Favourable
Response option 2: Purchase second cheque printer for recovery site - Not favourable
Response option 3: Manually prepare cheques
Recommended option: Use a bureau service
Response objectives: Resume cheque printing to 80% capability within 48 hours.
Detailed description of response:
▪ Notify bureau
▪ Flat file transfer from the Department to bureau
▪ Bureau processes file
▪ Verification and validation by the Department’s Accounts Officer
▪ Authorisation to process
▪ Cheque collection and distribution
Preparatory requirements:
▪ Develop list and contact details for approved bureau
▪ Establish capability for file generation and transfer
▪ Develop verification and validation process
▪ Develop alternatives for cheque collection and distribution
Appendix 10 - BCM Process: Step 7 - Stakeholder Communication Matrix
Columns: Stakeholder | Communication Needs | Who | How
Staff
▪
▪
▪
Who: Secretary
How: Emergency number plus website
Families
Immediately:
▪ What has happened?
▪ Who are the staff members involved and are they safe?
▪ What does the family do now?
Later:
▪ How did it happen and what was the cause?
Local community
Immediately:
▪ What has happened?
▪ Is it safe?
▪ Could it happen again in the near future?
Later:
▪ What is the Department doing to ensure that it does not happen again in the future?
Students / Customers
▪ What has happened and why has it happened?
▪ What will happen in the immediate future?
▪ Where is assistance available?
▪ What is the impact on product/service delivery and quality?
▪ How long will delivery be affected for?
▪ How adversely will contractual conditions be affected?
▪ Will the Department be able to continue trading into the immediate and longer terms (longer term sustainability of supply)?
▪ What compensation will be made available?
▪ What other alternate sources of the product/service exist?
Suppliers
▪ Any changes to supply requirements?
▪ How long will inventory be required to be held for?
▪ Any capacity for changed pricing?
▪ What is the likely duration of supply impacts?
▪ What compensation is available under contractual conditions?
Minister
▪ What has happened and how?
▪ What is being done to fix it?
▪ What are the impacts on local communities/customers and how are these being managed?
▪ When will normal capability and capacity be restored?
Media
▪ What has happened and how?
▪ Who was responsible?
▪ Can it happen again?
▪ What similar events have happened previously?
Regulators
▪ What has happened and how?
▪ What is being done to fix it?
▪ What is being done to prevent it happening again?
▪ What is the compliance/capability/performance of other related areas?
Appendix 11 - Business Interruption - Incident Management Structure
[Organisation chart; elements recovered from the diagram, grouped by adjacency in the extracted text:]
▪ Secretary
▪ Ministers’ Offices
▪ Director Audit
▪ Communications; Media; Executive Support
▪ Dep Sec Strategy and Evaluation: Program Management Office; Strategic Delivery; Enterprise Risk Management; Corporate Planning & Reporting
▪ Incident Coordination Centre (ICC) – ICC may include but not limited to: Finance; Shared Services; Human Resources; Industrial Relations; Employee Services; Information Technology; Media; Communications
▪ Dep Sec School Operations and Performance: Corporate Functions & Schools areas; Resources
▪ Dep Sec External Affairs and Regulation
▪ Dep Sec Corporate Services: Corporate Functions & Regional Corporate Services
▪ Incident Management Teams – Roles / Responsibilities / Functions: formed to respond to specific incidents
Appendix 12 - Business Continuity Management as part of the Planning Process
[Planning hierarchy diagram; elements recovered from the figure:]
STATE PLAN – sets direction: Direction; Aspiration; Inspiration
Department’s 5 YEAR STRATEGIC PLAN 2012-2017: Priorities; Outcomes; Targets (updated annually)
DEPARTMENT-WIDE PLANS – Strategic Enabling Plans, aligned to 5 Year Strategic Plan 2012-2017: Total Assets Plan; ICT Plan; Strategic HR Plan; Aboriginal Education Training Strategy; Disability Action Plan; Workforce Diversity Plan; Multicultural Plan; Literacy & Numeracy Action Plan; National Goals for Schooling; Business Continuity Plans
DIVISION ENABLING PLANS – Division Plans (financial year basis): S&E; CS; ExAR; SOP
School Plans – relate to Division Plans, which are focused on service delivery within budget
Unit Work Plans – relate to Division Plans, which are focused on service delivery within budget