1. Purpose of policy
1.1 The purpose of this policy is to plan for, respond to and manage critical incidents that may disrupt the critical functions of the University. The Business Continuity – Governing Policy and the Business Continuity Management Plan are part of the University's broader Resilience Framework. The purpose of this suite of documents is to identify and respond to critical incidents, mitigate the loss of University assets and operations, protect the University’s reputation, reduce the impact on the University community, the community and the environment and return to business-as-usual as soon as practical.
2. Policy scope and application
2.1 This policy applies to all staff, students and members of University decision-making or advisory bodies, including Council and its Committees. It is applicable to all University campuses or sites owned or operated by the University.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
Business Continuity - The capability of the University to continue the delivery of its critical functions at acceptable, predefined levels following a business disruption.
Business Continuity Management (BCM) - The holistic process that identifies potential threats to the University and the impacts to the critical functions those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Plan (BCP) - The University’s plan that outlines how critical business operations can be maintained or recovered in a timely fashion.
Business Continuity Management Framework – The framework the University has to manage business continuity. It includes the Business Continuity Management – Governing Policy and Business Continuity Management Plan.
Business Continuity Team (BCT) – The team that is mobilised to implement and oversee the continuity response.
Business Disruption - An event, anticipated or not, which disrupts the normal course of business operations at one or more locations.
Business Impact Analysis (BIA) - The process of analysing activities and the effect that a business disruption might have upon them.
Critical Function - A function that must be performed in order to meet overall daily, weekly, and/or monthly business requirements.
Critical Incident - An incident that has a risk rating of high or extreme under the University’s Risk Management Framework with a consequence of at least moderate or higher. It requires a focused and concerted response and ongoing management by the Organisational Unit Manager in conjunction with the IRT. Within the context of this BCP, a business disruption would be caused by a critical incident.
Emergency Planning Committee (EPC) - The EPC is established to ensure all applicable legislative requirements are met and sufficient resources (time, finance, equipment and personnel) are provided to enable the development and implementation of emergency (incident) plans in a multi-campus environment. This is a requirement of Australian Standard 3745-2010, Planning for emergencies in facilities. The EPC has broader planning responsibilities under the University’s Resilience Framework.
Incident Response Team (IRT) - A team of specialists that is mobilised to assess and respond to an incident that has occurred.
Recovery Time Objective (RTO) – The period of time following an incident within which an activity must be resumed, or resources must be recovered.
University community means all staff members, students, consultants, contractors, volunteers, and external appointees of Council, boards and committees of the University.
4. Policy Statement
4.1 The University is vulnerable to a range of events from those with a period of warning to others that occur abruptly. Some incidents will have the ability to impact the critical functions of the University. The University will have the business continuity management systems and processes in place to facilitate the resumption of these critical functions.
5.1 The Business Continuity Management Framework will be consistent with the University’s Risk Management Framework, as outlined in the Enterprise Risk Management – Governing Policy, and will operate in conjunction with other resources including the Critical Incident Management – Governing Policy and Incident Management – Procedures.
5.2 The University will maintain a Business Continuity Management Plan (BCP).
5.3. The BCP will be developed at a whole of University level, with more detailed supplementary plans developed for Facilities Management and Information Technology. These supplementary plans will include strategies to mitigate the use of any third-party service providers.
5.4. A Business Impact Analysis (BIA) approach will be used to develop the BCP. The BIAs will be updated at least annually as part of the review of the BCP.
5.5 The BCP will be approved by the USC Executive.
5.6 The Emergency Planning Committee (EPC) will oversee and monitor the currency and effectiveness of the BCP.
5.7 The BCP will be triggered by the University’s Incident Response Team (IRT). In the event of a critical incident that invokes the BCP, the response will be managed by the Business Continuity Team (BCT) unless the decision is made for the IRT to convert to the BCT. In some circumstances, the IRT may convert to the BCT to manage the response. This decision is at the discretion of the Vice-Chancellor and President.
5.8 In the event of a critical incident that impacts the broader local community, the University will work with Local and State Governments in the management of the disruption.
5.9.1 The BCT Marketing representative, in consultation with the BCT, will determine the appropriate internal and external communication strategy. The Vice-Chancellor and President is the University’s spokesperson during a business continuity event.
5.10 Monitoring and Review
5.10.1 The BCP will be reviewed and updated annually.
6.1 The following authorities are delegated under this policy:
Responsible and accountable to the Council for business continuity.
Vice-Chancellor and President
Develop, implement, resource and maintain the protection, resilience, and sustainability system, including emergency plan, incident response procedures, and the readiness, training and awareness sessions for all persons responding to incidents and emergencies.
Chief Operating Officer
Maintain a copy of this policy.
Incident Response Team / Business Continuity Team
Conduct a Business Impact Analysis annually to determine the effectiveness of the Business Continuity Plan.
Chief Operating Officer
Develop and maintain relationships with relevant Intelligence and Government Agencies, Queensland Police Services, other Emergency Response Services, and Disaster Management Groups to ensure an effective notification, alert, support and response to potential or actual University incidents.
Senior Manager, Security/ SafeUSC
Ensure staff receive training about the University’s emergency processes.
Senior Manager, Security / SafeUSC
Ensure students are aware of the University’s emergency processes.
Academic Registrar and Director, Student Services
Senior Manager Security / SafeUSC
Coordinate an annual review of the Business Continuity Plan.
Director, Governance and Risk Management
Director, Facilities Management
Ensure the Business Continuity Plan is tested annually including conducting specific training for new Incident Response Team and Business Continuity Team members (including members who may occasionally be required to join the Incident Response Team or Business Continuity Team in particular incidents).
Director, Facilities Management
Oversee and monitor the effectiveness of the Business Continuity Plan.
Emergency Planning Committee