Business Continuity Management

Version Number

3.2

Implementation Date

13/02/2015

Scope

Department-wide

Purpose

Outlines how the department prepares for, and responds to, a major business interruption or outage. It describes how Critical Business Activities continue to operate during a disruptive event, and normal operations are resumed as soon as possible following the event.​​​

Overview

The first priority in the case of a disruptive event is the immediate and ongoing safety of customers and staff. DETE's emergency management arrangements help us to be prepared for, and respond to emergency situations.

Following this, ensuring that our critical services are operating when service delivery is disrupted, and that normal business is resumed as quickly as possible, is guided by the Business Continuity Management Framework.

The steps in the business continuity management process are:

  1. Identification of activities that are critical to the department’s operations and must be resumed as soon as possible
  2. Identification of appropriate response options to a disruptive event
  3. Development of a Business Continuity Plan (Plan) to guide the department through a disruption 
  4. Preparation of a Business Continuity Kit (Kit) to enable the continuation of critical services
  5. Test, report and review of the Plan and Kit to remain prepared.

These five steps are outlined in the Business Continuity Management Process flowchart.

Responsibilities

An overview of responsibilities is detailed in the department’s Business Continuity Management Framework.

In addition:

Business Continuity Plan Owner 

  • Provide a single point of contact for business continuity to the business area
  • Provide leadership to the business area for business continuity
  • Ensure that necessary resources are available in the event of a disruptive event
  • Coordinate business continuity activities.

Business Continuity Plan Coordinator 

  • Develop the Plan, incorporating strategies, actions and resources to ensure critical services can continue to operate and be delivered through and beyond the business disruption
  • Test the Plan and train staff on its use
  • Prepare the Kit 
  • Review and update the Plan and Kit.

Process

Step 1: Identify critical business activities

1. Identify business activities necessary for achieving our objectives.

2. Assess how the department will be impacted if these business activities are not provided.

  • Fulfilment of objectives
  • Service delivery
  • Financial loss
  • Stakeholders’ expectations
  • Reputation or image
  • Compliance to legal or regulatory obligations.

3. Decide how long we are prepared to operate without these activities by calculating the Maximum Acceptable Outage (MAO) in business days.

  • 1–2 days
  • 3–5 days
  • 6–15 days
  • 16 days or greater.

4. Identify the level of impact to the department for each business activity and classify as a ‘Critical Business Activity’ for those with:

  • ‘Major’ or ‘Critical’ impact ratings
  • MAO of 15 business days or less.

5. Prioritise Critical Business Activities with similar MAOs.

Useful resources

Interdependencies factsheet

Step 2: Identify response strategies

6. Use an All Hazards Approach to your planning.

  • No access to buildings or infrastructure
  • No access to ICT
  • Significant number of staff unavailable
  • Any combination of these.

7. Identify response strategies that best suit the circumstances for re-establishing and maintaining Critical Business Activities.

8. Select the most appropriate options to continue business within the required MAO timeframe by considering:

  • time and cost
  • minimum resources
  • practicality and preparation
  • transition demands
  • customer impact.

9. Identify the resources necessary for each response activity.

Step 3: Develop a Business Continuity Plan

How Divisions or Branches do it

10. Prepare an Individual Business Continuity Plan (Plan) for each Critical Business Activity.

11. The Plan Owner notes approval of the Plan in TRIM.

12. Develop a Consolidated Business Continuity Plan as a collection of Critical Business Activities by:

  • prioritising actions so that business activities with a shorter MAO are re-established as quickly as possible
  • consolidating resources to reduce duplication and ensure effective use of resources within a business area.

13. The Assistant Director-General or Deputy Director-General approves the Plan in TRIM.

How Regions do it

14. Develop a Regional Business Continuity Plan as a collection of Critical Business Activities by:

  • prioritising actions so that the most Critical Business Activities are re-established quickly
  • consolidating resources to reduce duplication and check resources are used efficiently across the region.

15. The Regional Director approves the Plan in TRIM.

How the department does it

16. Governance, Strategy and Planning consolidates all Plans into a single Departmental Business Continuity Plan. This overarching Plan is endorsed by the Executive Management Board and:

  • charts the activation process
  • includes governance arrangements
  • details specific roles and responsibilities
  • provides information to make strategic judgments and prioritise resources.

Useful resources

Developing Business Continuity Plans
Response Strategies factsheet

Step 4: Organise a Business Continuity Kit

17. Prepare a Business Continuity Kit (Kit) as a readily accessible collection of all the electronic and/or hardcopy resources identified in the Plan, including:

  • Business Continuity Plan/s
  • Contact details for:
    • staff required to perform Critical Business Activities
    • all staff in the business area or region
    • key area contacts across the department and/or region
    • stakeholders such as essential suppliers or customers
  • Data and information necessary to carry out Critical Business Activities including Vital Records identified in the Plan/s.

18. Store the Kit in an easily accessible location and keep more than one copy in offsite locations.

Step 5 Maintain the Business Continuity Plan and Kit

19. Test by stepping through an activation of the Plan and Kit to check:

  • they are fit for purpose, practical and can be activated quickly and easily
  • response and recovery results are within acceptable timeframes (MAO)
  • staff are trained in the use of the Plan so they know what to expect and what their role is to avoid confusion.

NB: A checklist is available to assist with testing. The test type and amount of effort required to test the Plan will depend on the ‘criticality’ of the business activity as identified on the Business Continuity Plan Testing Schedule. GSP will notify the Plan Owner when testing is required.

20. Report the results of the test to the Business Continuity Management Working Group and update the Event Log in the Plan with the date and type of test completed.

21. Review regularly to maintain the Plan and Kit so the department remains prepared for a disruptive event by checking they are current, correct, complete and actionable. Note the revision in the Plan’s Event Log.

Online Resources

Review Date

31/07/2015
Attribution CC BY

Business area
A business area for the purposes of business continuity management includes a division, branch or region.

Business Continuity Management
The development, implementation and maintenance of strategies and procedures to assist the department to manage a business disruption event and build organisational resilience. Business Continuity Management assists with preventing, preparing for, responding to, managing and recovering from the impacts of a business disruption event.

Business Continuity Plan
Identifies the responses the department will use to deliver a Critical Business Activity following a significant disruptive event. The main objective of business continuity planning is to restore these activities as quickly as possible after a disruption.

Business Impact Analysis
The way the department identifies and prioritises Critical Business Activities and their resources, and determines the Maximum Acceptable Outage (MAO) period the department can tolerate a disruption to each activity. Business impact analysis is completed during Steps 1 and 2 of the Business Continuity Management process.

Critical Business Activity
A vital activity of the department without which the department cannot operate or carry out its key services. If a Critical Business Activity is interrupted for more than 15 business days, the department may not achieve its objectives or deliver its services, or could suffer a financial loss, result in negative reputation or image, breach a legal or regulatory requirement or fail to meet stakeholder expectations.

Disruptive event
Any event which causes a significant disruption (i.e. no building or infrastructure, no ICT, significant staff unavailability, or any combination of these) in the delivery of the department’s services.

Interdependency
The reliance of one Critical Business Activity to fulfil the obligations of another Critical Business Activity, such as, receiving essential data (input) from elsewhere or sending required data (output) to another business area. This may have an impact on the MAO for each Critical Business Activity. An interdependency can be with another internal business area or an external organization.

Maximum Acceptable Outage (MAO)
Maximum period of time a Critical Business Activity can be disrupted before the impact is unacceptable to the department.