
Business continuity management procedure

Version number 5.0 | Version effective 24 January 2022

Audience

Department-wide

Purpose

This procedure details the responsibilities and processes for business continuity management to reduce the likelihood and minimise the impact of disruptive events in schools, regions, divisions and the whole of department. 

Overview

This procedure outlines how the department manages business continuity, including undertaking business impact assessments (BIA) to identify critical business functions required to achieve critical objectives in disruption and developing business continuity plans (BCPs) to prepare for disruptive events. The procedure also outlines how BCPs assist in responding to and recovering from disruptive events.

Disruptive events are those that cause schools, regions and divisions to be unable to deliver one or more critical business functions. BCPs are activated when the period of disruption is likely to exceed the maximum acceptable outage for the function/s.

BCPs may also be used in disruptive events that are disaster and emergency situations, to support the continuation or resumption of critical business functions. In these events, BCPs work alongside other plans, including disaster management plans and sub-plans including emergency response plans, to ensure the department can achieve its critical objectives.

The department develops and maintains a Department of Education BCP which informs the department's Disaster Management Plan and guides response and recovery to disruption outside of a disaster event.

For the purposes of this procedure, the Office of Industrial Relations is considered equivalent to a division.

This procedure should be read in conjunction with the:

Responsibilities

All staff with a role in risk management

  • understand and manage disruption-related risk in line with this procedure and the Enterprise risk management procedure, policy and framework

Regional Directors, Assistant Director-General Finance and Assurance Services and Deputy Directors-General (as BCP owners)

  • ensure disruption-related risks, controls and actions are identified, recorded and reviewed
  • ensure BIAs capture all critical business functions 
  • ensure BCPs are fit-for-purpose and testing/exercising is completed.

Strategy and Performance

  • develop and maintain the department's BIA, BCP and testing schedule.

Coordination BCP leads and backups - minimum level Director of Regional Services (regions), Executive Director (divisions)

  • coordinate and arrange approval for the BIA for their area of responsibility
  • establish, test, maintain and improve their BCPs, including establishing a testing schedule
  • ensure coordination BCP kits are up-to-date and accessible
  • lead the coordination BCP as part of responding to a disruptive event.

All Managers and Directors (regions and divisions)

  • contribute to the BIA in the region or division.

Continuity and Disaster Management Committee

  • endorse the department's BIA and BCP
  • provide support to build departmental capability to effectively manage disruption-related risk
  • drive continuous improvement by examining and sharing lessons identified following testing/exercising scenarios and plan activations in disruptive events
  • oversee departmental and regional disruption planning and departmental recovery.

Executive Management Board

  • approve the department's BIA and BCP.

BCP leads and backups – minimum level Manager

  • establish, test, maintain and improve their BCPs
  • ensure BCP kits are up-to-date and accessible
  • lead the BCP as part of responding to a disruptive event.

Staff with a role in disruptive event management

  • maintain their capability for their specified role/s in BCPs
  • understand and fulfil their specific roles and responsibilities outlined in the BCP, related plans and governance documents
  • take reasonable care for their wellbeing, including managing fatigue during response and recovery.

Principals

  • undertake planning that enables the transition to alternate delivery models and supports the continuity of learning in a disruptive event
  • ensure lessons from debriefs and reviews are used to improve plans and responses.

Principal supervisors

  • support Principals to develop contextually-relevant planning for use in alternate delivery models.

Response controller in schools, regions and the department (School principal, Regional Director and Deputy Director-General - Early Childhood and Education Improvement)

  • lead the response to the disaster or emergency event
  • liaise with Coordination BCP leads in activating and tailoring BCPs
  • allocate and coordinate resources to support BCP activation.

Process

The business continuity management process, outlined in the diagram below and detailed in the process steps, is aligned with the department's approach to business continuity, disaster and emergency management. The department's approach focuses on Prevention, Preparedness, Response and Recovery.

Business continuity management process, covering 4 steps: Prevent; Prepare; Respond; and Recover

Image 1 – Business continuity management process

Identify and reduce disruption-related risks

  1. Staff with a role in risk management, as part of operational planning or specific project and program planning, use the Enterprise risk management procedure to:
  • identify disruption-related risks and document in risk registers
  • establish and seek approval for controls and actions to reduce the likelihood or impact of the risks
  • implement approved controls and actions, evaluate their effectiveness and modify as required to reduce risk.

Identify critical business functions

  1. By the end of March, at least every two years or earlier if required, BCP owners (i.e. Regional Directors, Assistant Director-General Finance and Assurance Services and Deputy Directors-General) must:
  • identify coordination areas (regions; or, for divisions, branches or the division) which are to complete a BIA and develop a coordination BCP that ensures coverage (of the division)
  • nominate Coordination BCP leads (minimum level Director of Regional Services - regions and Executive Director - divisions) for each coordination area and provide advice to Strategy and Performance.
  2. Strategy and Performance must store a Business Impact Assessment and Planning tool (the tool) for coordination areas in an agreed location on the department's records management system for access.
  3. Coordination BCP leads must coordinate Managers and Directors in their area of responsibility to complete the BIA, to identify business functions that contribute to achieving the department's critical objectives in disruption.
  4. All Managers and Directors within regions and divisions must:
  • use the tool to record business functions within their area of responsibility that may be impacted by a disruptive event, and identify the function's activities. These must include:
    • business-as-usual activities
    • activities required from the function in a response situation
  • assess the potential consequences of the loss of the identified activities, in a worst-case scenario, against the selected criteria in the tool
  • classify non-critical functions and provide additional information to contextualise the assessment.
  5. Coordination BCP leads must:
  • identify the Business continuity coordination function as critical so that a coordination BCP can be generated
  • once the BIA has been completed for their area of responsibility, arrange approval for the BIA by the BCP owner.
  6. The BCP owner must approve completed BIAs by the end of August, in the year of completion.
  7. Strategy and Performance must, when new BIAs are approved:
  • collate and summarise approved assessments from regions and divisions to create a departmental BIA
  • arrange Continuity and Disaster Management Committee endorsement and Executive Management Board approval of the departmental BIA.

Develop business continuity plans and kits

  1. Managers, Directors and Executive Directors who lead critical business functions (as BCP leads and Coordination BCP leads):
  • must contribute to a coordination BCP following approval of the BIA. This includes, for their critical business function, identifying and recording in the tool:
    • interdependencies and the maximum acceptable outage and its general activation priority within a disruptive event (within the context of the coordination area)
    • ICT, staff and infrastructure resources required for continuation or resumption in a disruptive event
    • management and vital records.
  2. Coordination BCP leads must, for the Business continuity coordination critical business function, complete the following activities (and record in the tool):
  • identify response strategies for continuation or resumption, which cater for impacts to staff, ICT resources and infrastructure resources
  • develop a communication plan, addressing needs of critical (within a critical business function) and non-critical staff, interdependent functions and other relevant stakeholders
  • provide additional detail on interdependencies and vital records
  • arrange for the recording of stakeholder contacts (departmental and external).
  3. BCP leads may additionally use the tool to create an individual BCP for their critical business function to support continuation, resumption and communications in a disruptive event.
  4. Coordination BCP leads must:
  • establish a schedule for the testing of BCPs in the coordination area of responsibility. They may access the Testing business continuity plans factsheet for support
  • arrange consultation with BCP leads in interdependent areas, to ensure the requirements of BCPs in their area of responsibility are understood and achievable
  • seek approval from the BCP owner to approve all BCPs and the testing schedule for the coordination area by the end of August in the year the BIA is undertaken
  • store the approved testing schedule in the agreed location.
  5. Coordination BCP leads and BCP leads must develop fit-for-purpose BCP kits to support BCP activation when enabling resources are compromised or unavailable. BCP kits may include hard copies of BCP/s, vital records identified in the BCP and contact information for critical and non-critical staff and other relevant internal and external contacts. The following kits must be developed:
  • coordination BCP kits for BCP owners, leads and backups
  • BCP kits for BCP leads and backups.
  6. The BCP owner must approve all coordination BCPs and BCPs in their region or division by the end of September, in the year of establishment, and following significant changes.
  7. Strategy and Performance, when new coordination BCPs are established, must:
  • collate approved coordination BCPs from regions and divisions to create a departmental BCP
  • arrange Continuity and Disaster Management Committee endorsement and Executive Management Board approval for the departmental BCP.
  8. Principals must annually undertake and record planning, for example, within the Annual Implementation Plan, which:
  • supports the continuity of learning in alternate delivery models
  • enables the transition to, and from, alternate delivery models.
  9. In undertaking planning, the principal may involve stakeholders and stakeholder groups, for example, Principal Supervisors, the school council (if established) or Workplace Health and Safety Committee, as appropriate for the plan and school context.

Exercise, test and improve plans

  1. BCP leads and Coordination BCP leads must:
  • maintain the currency of BCPs and kits, including organising for the test of call trees and updating of stakeholder contact lists at least quarterly
  • exercise or test their BCP with staff with a role in disruptive event management according to the approved schedule prior to the high-risk season annually (mid-October), to build and maintain capability and ensure the plan is effective under different disruptive event scenarios. Note that activation of BCPs in a disruptive event contributes to annual requirements
  • record testing activities on the testing and activation log provided in the tool
  • identify lessons learned in exercises, tests and activations and use these to improve responses and plans
  • seek approval from the BCP owner for completed tests, recorded activations and changes made, and update the date approved information.

Activate and tailor plans

When a disruptive event is imminent or occurring, BCP leads and backups may need to activate and tailor one or more BCPs to address the nature, scale, impact and duration of the event. The following three disruptive event scenarios guide activation.

1.   Disruption of a single critical business function:

When disruption is imminent or occurring, the BCP lead must:

  • assess risks, including:
    • the location and extent of the disruption
    • the capacity of the team/s to manage the impact of the disruption within existing capability
    • the timing of the disruption (for example, during peak periods for the function).
  • seek approval for BCP activation from the BCP owner if:
    • the function is unable to be performed effectively; and
    • the period of disruption is likely to exceed the maximum acceptable outage.

Individual BCPs may also be activated:

  • by the BCP lead:
    • upon activation of an interdependent BCP
    • when a critical business function providing resources for the function communicates that an outage is likely to occur
  • by the Coordination BCP lead or BCP owner:
    • if multiple critical business functions are impacted and/or senior officers have information that justifies activation
    • in regions and/or divisions, if a school escalates issues that require business continuity management as part of a disruptive event
  • by the response controller as part of disaster and emergency operations at the regional or departmental level.

2.   Disruption of multiple critical business functions:

When disruption is imminent or occurring, the Coordination BCP lead must:

  • assess risks, including:
    • the location and extent of the disruption
    • the capacity of affected critical business function teams to manage the disruption within existing capability
    • the timing of the disruption (for example, during peak periods for the functions)
  • seek approval for coordination BCP activation from the BCP owner lead in circumstances where:
    • critical business functions are unable to be performed effectively
    • the period of disruption is likely to exceed the maximum acceptable outage for the functions; and
    • coordination is required to prioritise activation and resources and liaise with interdependent functions, including those providing resources.

A coordination BCP may also be activated by the Coordination BCP lead or BCP owner:

  • upon activation of interdependent critical business function/s impacting on multiple functions within the region or division
  • when a critical business function providing resources for the region or division communicates that an outage is likely to occur
  • if senior officers communicate information that justifies activation
  • in regions and/or divisions, if multiple schools escalate issues that require business continuity management as part of a disruptive event.

The response controller for the region or department may activate a coordination BCP as part of disaster and emergency operations.

3.   Disruptive event that is a disaster or emergency

When a disaster or emergency is imminent or occurring:

  • all response controllers and other officers with a lead role in disaster and/or emergency responses must prioritise the safety and wellbeing of children, students, staff and volunteers who work or participate in affected state schools, institutions and workplaces. They do this by activating and tailoring:
    • plans (for example, disaster management plans, and sub-plans, for example, emergency response plans and fire and evacuation plans)
    • groups (for example, school, regional or executive response teams).
    • the BCP for the critical business function supporting the disaster and emergency response, if resources for this function are compromised or unavailable.

When risks associated with the immediate impact of the event are managed:

  • response controllers at the regional or departmental level must direct the:
    • activation of BCPs and their priority for continuation or resumption within the affected area (for example, region, or the department, through the departmental BCP)
    • allocation of operational resources to support the BCPs, in consultation with BCP leads and Coordination BCP leads providing resources.
  • response controllers (Principals) in schools, must:
    • work with Coordination BCP leads and response controllers in regions to manage business continuity
    • facilitate the transition to alternate delivery models, as required
    • manage the continuity of learning in alternate delivery models, as required
    • report information and escalate issues and risks, as required.
  • Coordination BCP leads and BCP leads must:
    • follow the direction of the regional or departmental response controller regarding activation of BCPs
    • monitor implementation of plans, report information and escalate issues and risks, as required
    • act as a single point of contact for BCP matters for their area of responsibility.

Following the conclusion of disaster and emergency operations, BCPs may remain activated due to:

  • flow on effects from the disaster or emergency event
  • an inability to immediately return to business as usual.

In these circumstances, leadership of plans is transferred from response controllers/chairs to the:

  • BCP lead, for a single critical business function within a region or division
  • Coordination BCP lead, for multiple critical business functions within a region or division.

4.   In all three disruptive event scenarios, response controllers and BCP leads, Coordination BCP leads and/or backups must:

  • tailor plans to address the nature, scale, impact and duration of the disruptive event, including:
    • identifying functions that need to be prioritised for activation or can be deferred
    • applying the most appropriate plan strategies (for example, if workplace access is restricted, it may be appropriate to use different work locations or change how the service is delivered)
  • implement plans within their area of responsibility, monitor activation and liaise with, and maintain appropriate communication between, relevant stakeholders, including interdependent BCP leads, to provide information about impact and resourcing needs (if required)
  • report status to maintain situational awareness
  • escalate issues and risks, as required
  • be cognisant of staff wellbeing (DoE employees only) and manage fatigue, for example, employing backup staff and deferring non-critical work
  • document the activation of BCPs on the template provided in the Business impact assessment and planning tool
  • record, as part of a disaster and emergency event decision log, BCP activation and other important information, which may include functions deferred, activities undertaken, decisions made and controls and actions implemented.

Transition to business-as-usual

  1. In consultation with BCP leads providing resources to resume critical and non-critical business functions, decision making and actions must be directed by:
  • BCP leads, for single critical business functions
  • Coordination BCP leads, for multiple critical business functions
  • BCP owners, for recovery across regions or in one or more coordination BCPs in divisions
  • Managers/Directors and above in regions and divisions leading non-critical business functions, in consultation with Coordination BCP leads, who may be accessing resources from non-critical functions.
  2. BCP leads and Coordination BCP leads directing recovery activities and operations must:
  • prioritise resumption and recovery of resources and functions according to risk
  • consider access to enabling resources (ICT, staff and infrastructure)
  • manage recovery at a scale appropriate to the impact of the event
  • be cognisant of staff wellbeing (DoE employees only) and manage fatigue, for example, rotating and providing additional staff to address workload demands (created by strategies used in response or in addressing delays or backlogs of work for deferred functions and activities)
  • conduct a post-event debrief focused on what happened, what did, and did not, go well, and identify lessons to improve plans (preparedness) and actions in response and recovery
  • if required, contribute to an event review, which may be self-determined or requested, to identify and leverage lessons across the system.
  3. The Continuity and Disaster Management Committee must:
  • provide ongoing management and oversight of departmental recovery activities 
  • oversee and contribute to post-event reviews
  • contribute to implementation of recommendations from reviews and leverage lessons learned.

Definitions

Term

Definition

Activating and tailoring

Activating involves putting a plan into effect or standing up a governance group (e.g. response team). Tailoring involves adjusting the plan or group to suit the situation, such as:

  • selecting the most appropriate strategies
  • changing activation priorities of critical business functions or resourcing requirements
  • selecting capabilities required for the response team.

Alternate delivery model

A model of service delivery used to continue operations to respond to the nature, scale, impact and duration of a disruptive event.

Business continuity management

A holistic approach to managing risks related to disruptive events.

Business continuity plan (BCP)

BCPs detail resources and strategies to support the coordination, resumption and continuation of critical business functions in disruptive events that are identified in BIAs.

Critical business functions in all regions and divisions are summarised in the Department of Education Business Continuity Plan.

Business functions

Processes or activities, which may be performed by a single team or multiple teams across the department, or may be provided by an external party. Single teams may have responsibility for one or more business functions.

Business impact assessment (BIA)

Detailed risk assessment that examines the nature and extent of disruptions and the likelihood of the resulting consequences. It includes consideration of the department's business functions, people, processes, infrastructure, resources, information, interdependencies and the nature and extent of capability loss over time.

Control

An existing strategy used to maintain or reduce a risk. Controls may include any process, policy or practice and are an ongoing function of the business.

Critical business function

A business function (or part of a business function) that is identified as essential for the department in the achievement of its critical objectives. The identification of critical business functions occurs as part of a business impact assessment (BIA).

Disaster and emergency

An emergency is:

  • any explosion or fire
  • any oil or chemical spill
  • any escape of gas, radioactive material or flammable or combustible liquids
  • any accident involving an aircraft, or a train, vessel or vehicle
  • any incident involving a bomb or other explosive device or a firearm or other weapon
  • any impact of a naturally occurring event such as a flood or a landslide
  • any other accident or incident:
    • that causes or may cause a danger of death, injury or distress to any person, a loss of or damage to any property or pollution of the environment, includes a situation arising from any report in respect of any of the matters referred to in the points above which if proved to be correct would cause or may cause a danger of death, injury or distress to any person, a loss of or damage to any property or pollution of the environment.

A disaster may be declared for a serious disruption in the community, resulting from the impact of an emergency or other event and requiring a significant coordinated response by the State and other entities to help the community recover from the disruption.

Disruptive event

An event which causes disruption to service delivery.

Maximum acceptable outage

Maximum period of time that the department can tolerate the disruption of a critical business function. Disruption may include either the discontinuance of an activity or the inability to perform it to an acceptable quality or with sufficient reliability. The department defines outages in days, for example, 1 day, 2 days, 3 to 5 days.

Risk

Effect of uncertainty on the achievement of objectives.

Legislation

Delegations/Authorisations

  • Nil

Other resources

Superseded versions

Previous seven years shown. Minor version updates not included.

4.0 Developing a business continuity plan procedure and 1.0 Implementing a business continuity plan procedure

Review date

24 January 2025
Attribution CC BY