Part A: Preliminary
1. Purpose of policy
1.1 The following policy is intended to assist the University to respond effectively to incidents that may interrupt the ongoing operations of individual Cost Centres or the University as a whole.
1.2 Business Continuity Management, Critical Incident Management, and IT Disaster Recovery form part of the University's Risk Management Framework.
1.3 This policy and related procedures will enable key management staff to plan and manage both the immediate and longer-term consequences of incidents that impact on Cost Centres.
2. Application of policy
2.1 This policy applies to all staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees.
In this policy the following definitions apply:
Business Continuity Plan (BCP) means a plan that provides for events which might threaten the on-going operations of Critical Functions of the University.
Business Recovery Team means the team that is made up of appropriate members of a Cost Centre and is responsible, upon the occurrence of an adverse event, for managing the recovery of the affected area’s Critical Functions.
This team is not responsible for the restoration of the affected site or services, the resumption of IT services, the procurement of replacement equipment, the counselling of staff or media relations.
They are responsible for contacting the appropriate Specialist Support teams who would assume these tasks and to follow the agreed instructions as contained in their individual Cost Centre Business Continuity Plan.
The Leader of the Business Recovery Team will be the designated representative on the Critical Incident Management Team and will report the status of the team’s recovery operations.
Business Impact Analysis (BIA) means the critical foundation work required in the Business Continuity process. It identifies important areas and resources required by a Cost Centre to respond effectively to a Business Continuity disruption.
Command Centre means where the Business Recovery Team and/or the Critical Incident Management Team will operate from.
The Business Recovery and Critical Incident Management Teams are responsible for setting up and running of their designated Command Centre.
Critical Function means a function that must be performed in order to meet overall daily, weekly, and/or monthly business requirements.
Critical Incident means the term used to refer to a particular incident, episode or crisis that may result in a ‘high’ level of risk, directly or indirectly to the core operations of the University. For consistency, the term Critical Incident is preferred to crisis, emergency or other similar expressions. Critical Incidents are the highest level of incident which may affect the operations of the University. A ‘high’ level of risk would be determined using the risk management process, as outlined in the Risk Management Procedures.
Critical incidents are distinguished from Significant or Routine Incidents in that Critical Incidents require the creation of a Critical Incident Management Team (CIMT) for special purpose management and recovery under the direction of the designated Critical Incident Director.
Critical Incidents can be further distinguished from Significant and Routine Incidents in that a Critical Incident:
- has the potential to significantly disrupt the operations of the University, or a major part of it, putting at risk the University’s ability to efficiently and effectively continue its teaching, learning and research activities
- may bring the University into disrepute
- crosses over the responsibilities of several Cost Centres
- may impact on critical IT service availability, with a potential down time of greater than 2 hours
- is likely to bring negative media coverage to the University
- may incur a significant cost to rectify the situation promptly; and/or
- may result in critical injuries or death to staff, students or members of the public.
Critical Incidents may include:
Direct Critical Incidents, such as
- loss of a building (fire, earthquake, storm, etc)
- loss of key utilities such as electricity, gas or water
- a pandemic outbreak
- extreme climatic conditions causing closure of the University
- major demonstration or protest
- telecommunications failure
- server and Local Area Network failure of greater than 2 hours; and/or
- serious industrial action, strikes or riots.
Indirect Critical Incidents to individuals, such as:
- serious accident or injury
- acts of self-harm
- serious sexual assault
- serious assault, robbery, and armed hold-up
- event or threat that causes extreme stress, fear or injury; and/or
- kidnapping or attempted kidnapping.
Critical Incident Management Team (CIMT) means in the event of a Critical Incident, a Critical Incident Management Team will be formed which will have responsibility for management of the Critical Incident until normal operations have resumed.
A Critical Incident Director will form the CIMT. The CIMT is incident-specific and formed each time a new Critical Incident occurs. Membership of the CIMT may vary, depending upon the nature of the Critical Incident, in line with the Critical Incident Management Policy and Procedures.
The CIMT will generally comprise the following University personnel:
|Team Member||Responsible for:||Specialist Support Team|
|Vice-Chancellor and President; Deputy Vice-Chancellors; Chief Operating Officer; and Pro Vice-Chancellors||Executive governance of response to Critical Incident. Approval of significant resource usage in response. Likely media spokesperson, as determined.|
|Director, Asset Management Services||Physical response. Will act as the Critical Incident Director, unless the role is otherwise appointed by the Vice-Chancellor and President.||Physical Resources Support Team. Emergency Control Team|
|Chief Operating Officer and Chief Financial Officer||Planning and Financial response||Physical Resources Support Team|
|Director, Human Resources||Staff response||Human Incident Support Team|
|Directors, Student Services and Engagement||Domestic student response||Human Incident Support Team|
|Director of Studies, International||International student response||Human Incident Support Team|
|Director, ICT Solutions; Director, ICT Performance||IT and telecommunications response||IT and Telecommunications Support Team|
|Director, Marketing and External Engagement||Communication response||Communications Support Team|
Fallback Site means an identified location which could feasibly be used as an alternative to a Cost Centre’s normal location in the event that an emergency situation prevents the use of the normal location. Fallback sites need to accommodate most of the requirements of the normal operating location to assist in the recovery of a Cost Centre’s critical functions.
Routine Incident means incidents that are managed within individual Cost Centres as part of their normal operations. Routine incidents are the lowest level of incident management as defined by this policy.
Characteristics of a Routine Incident include, but are not limited to:
- an incident managed by a Cost Centre utilising normal day-to-day University operating procedures
Routine Incidents may include:
- minor building repairs, eg blocked sink / toilet
- minor injury requiring minimal first aid treatment; and/or
- minor IT issue, requiring routine logging of issue with IT Service Desk eg PC failure.
Significant Incident means an incident managed by Cost Centre Managers as part of their normal business as usual operations. Assistance to manage this level of incident would normally be obtained from one or more of the Specialist Support Teams.
Characteristics of a Significant Incident include, but are not limited to:
- incident requires management by a senior member of staff to allow appropriate, prompt decisions to be made
- minor injuries to staff, students or other members of the general public
- potential trauma to staff and/or students
- potential for external media to become aware of the situation
- impact on critical IT service availability to the University with a potential down time of up to 2 hours
Significant Incidents may include:
- staff or student injuries that may require medical attention
- staff / student violence
- repairable damage to office
- IT outage up to 2 hours; and/or
- temporary telephone system outage.
4. Part B: Policy
4.1 Business Continuity Management, Critical Incident Management and IT Disaster Recovery are to be managed in accordance with the Risk Management, Business Continuity Management and Critical Incident Management Policies and Procedures.
4.2 The Business Continuity Management Framework that encompasses the University's approach to a Business Continuity disruptions is detailed in Appendix A: USC Business Continuity Management Framework.
4.3 The Business Continuity Management - Managerial Policy and related documents, eg. Business Continuity Plans, are to be reviewed regularly by Cost Centre Managers. This may be coordinated by the Chief Operating Officer and Chief Financial Officer.
4.4 A Business Impact Analysis is to be conducted by each Cost Centre regularly to determine its response to a Business Continuity disruption to a Critical Function.
4.5 Testing of the effectiveness of the Business Continuity Plans will be conducted regularly by Cost Centre Managers and may take the form of one of the following types of testing:
- communications testing
- round table scenario based testing
- transfer of some critical functions to the offsite location to confirm the feasibility of the plan
- transfer of all critical functions for an extended period to the fallback location.
4.6 The Business Continuity Management Procedures outline the process to be followed to complete a Business Impact Analysis and its related Business Continuity Plan.
4.7 In the event of a Critical Incident, the Business Recovery Team is not responsible for the restoration of the affected site or services, the resumption of IT services, the procurement of replacement equipment, the counselling of staff or media relations. They are responsible for contacting the Critical Incident Management Team who would assume these tasks and to follow the instructions provided.
4.8 The Leader of the Business Recovery Team will be a designated representative on the Critical Incident Management Team and will report the status of the team’s recovery operations (see Appendix B: Incident Escalation Guide and Appendix C: Incident Management Guide).
4.9 Escalation Criteria that distinguish the nature of Routine, Significant and Critical Incidents are provided as Appendix D: Business Continuity Management Escalation Guide.
- Appendix A – USC Business Continuity Management Framework (PDF 27KB)
- Appendix B – Incident Escalation Guide (PDF 161KB)
- Appendix C – Incident Management Guide (PDF 50KB)
- Appendix D – Business Continuity Management Escalation Guide (PDF 49KB)