1. Purpose of policy
The following policy is intended to provide a framework for the response to, and management of, Critical Incidents that pertain to the University and members of the University community. Business Continuity Management, Critical Incident Management, and IT Disaster Recovery form part of the University's risk management framework.
2. Application of policy
This policy applies to all staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees.
In this policy the following definitions apply:
Critical Incident means the term used to refer to a particular incident, episode or crisis that may result in a ‘high’ level of risk, directly or indirectly to the core operations of the University. For consistency, the term Critical Incident is preferred to crisis, emergency or other similar expressions. Critical Incidents are the highest level of incident which may affect the operations of the University. A ‘high’ level of risk would be determined using the risk management process, as outlined in the Risk Management Procedures.
Critical Incidents are distinguished from Significant or Routine incidents in that Critical Incidents require the creation of a Critical Incident Management Team (CIMT) for special purpose management and recovery under the direction of the designated Critical Incident Director.
Critical Incidents can be further distinguished from Significant and Routine incidents in that a Critical Incident:
- has the potential to significantly disrupt the operations of the University, or a major part of it, putting at risk the University’s ability to efficiently and effectively continue its teaching, learning and research activities
- may bring the University into disrepute
- crosses over the responsibilities of several Cost Centres
- may impact on critical IT service availability, with a potential down time of greater than 2 hours
- is likely to bring negative media coverage to the University
- may incur a significant cost to rectify the situation promptly; and/or
- may result in critical injuries or death to staff, students or members of the public.
Critical Incidents may include:
Direct Critical Incidents, such as:
- loss of a building (fire, earthquake, storm, etc)
- loss of key utilities such as electricity, gas or water
- a pandemic outbreak
- extreme climatic conditions causing closure of the University
- major demonstration or protest
- telecommunications failure
- server and Local Area Network failure of greater than 2 hours; and/or
- serious industrial action, strikes or riots.
Indirect Critical Incidents to individuals, such as:
- serious accident or injury
- acts of self-harm
- serious sexual assault
- serious assault, robbery, and armed hold-up
- event or threat that causes extreme stress, fear or injury; and/or
- kidnapping or attempted kidnapping.
Critical Incident Management Team (CIMT) means in the event of a Critical Incident, a Critical Incident Management Team will be formed which will have responsibility for management of the Critical Incident until normal operations have resumed.
A Critical Incident Director will form the CIMT. The CIMT is incident-specific and formed each time a new Critical Incident occurs. Membership of the CIMT may vary, depending upon the nature of the Critical Incident. The CIMT will generally comprise the following University personnel:
|Team Member||Responsible for:||Specialist Support Team|
Vice-Chancellor and President;
Deputy Vice-Chancellors; Chief Operating Officer and
Executive governance of response to Critical Incident.
Approval of significant resource usage in response.
Likely media spokesperson, as determined.
|Director, Asset Management Services||
Will act as the Critical Incident Director, unless the role is otherwise appointed by the Vice-Chancellor and President.
Physical Resources Support Team.
Emergency Control Team
|Chief Operating Officer; Chief Financial Officer; and Director, Capital and Commercial||Planning and Financial response||Physical Resources Support Team|
|Director, Human Resources||Staff response||Human Incident Support Team|
|Director, Student Services and Engagement||Domestic student response||Human Incident Support Team|
|Director, USC International||International student response||Human Incident Support Team|
|Director, ICT Solutions; Director, ICT Performance||IT and telecommunications response||IT and Telecommunications Support Team|
|Director, Marketing and External Engagement||Communication response||Communications Support Team|
Critical Function means a function that must be performed in order to meet overall daily, weekly, and/or monthly business requirements.
Emergency Control Team means designated University staff that has response and management responsibilities in relation to adverse incidents that require urgent responses. An Emergency Control Team includes the: Critical Incident Director, Head of Security, Building Wardens and First Aid Officers.
The Emergency Control Team has procedures for dealing with a range of contingencies and these are described in the University’s Counter Disaster Plan; Fire and Emergency Procedures and Security Operational Procedures.
Emergency Management means the preparation and arrangements for managing people safely in the event of an emergency which poses a threat to life, such as fire or a bomb threat.
Response Leaders means the senior University personnel who will lead responses to Critical Incidents and are members of Specialist Support teams within Critical Incident Management team.
Specialist Support Teams means the teams that assist the affected Cost Centre and, in the event of a Critical Incident, the CIMT by providing expertise relating to the key areas identified as providing the major foreseeable risks to the University’s business continuity. The Specialist Support Teams are the:
- Human Incident Support Team (HR, USC International, Student Services and Engagement, and Student Wellbeing personnel)
- Physical Resources Support Team (Asset Management Services and Financial Services personnel)
- IT and Telecommunications Support Team (IT personnel)
- Communications Support Team (Marketing and External Engagement personnel); and
- Emergency Control Team (Wardens, First Aid Officers, Security, Capital and Commercial personnel).
4. Critical Incident Management Framework
4.1 The University will develop and implement systems and processes for appropriate, effective and speedy responses to, and management of, Critical Incidents.
4.2 Priority will be given to responding to and managing Critical Incidents.
4.3 A Critical Incident Management Team (CIMT) will be established and maintained to manage responses to Critical Incidents consistent with the established systems and processes.
4.4 Designated Response Leaders within CIMT will guide Critical Incident response and management from first report of an incident to completion of the response, including review and evaluation of responses to the incident.
4.5 During a Critical Incident, the CIMT will liaise with the Business Recovery Team (who will generally be the management team of an affected Cost Centre).
4.6 The Vice-Chancellor and President must be informed of a Critical Incident as soon as practicable, by the Director, Asset Management Services (or delegate).
4.7 Other than the Vice-Chancellor and President, members of the University community must not communicate with the media concerning a Critical Incident unless they are approved by the Director, Marketing and External Engagement or the Vice-Chancellor and President to be a University spokesperson in relation to the incident.
4.8 The CIMT will:
(a) review its performance in planning, implementing and managing the response to each Critical Incident consistent with this policy and associated systems and procedures; and
(b) make any needed or desirable adjustments or improvements to the Critical Incident management system and procedures in light of the review processes.
4.9 This policy and its associated procedures will be publicised to prospective and current staff and students through the University’s website and staff and student portals.
4.10 In the event of a Critical Incident, the Business Recovery Team is not responsible for the restoration of the affected site or services, the resumption of IT services, the procurement of replacement equipment, the counselling of staff or media relations. They are responsible for contacting the Critical Incident Management Team who would assume these tasks and to follow the instructions provided. The Leader of the Business Recovery Team will be a designated representative on the Critical Incident Management Team and will report the status of the team’s recovery operations (see Appendix A: Incident Escalation Guide and Appendix B: Incident Management Guide).
4.11 Escalation Criteria that distinguish the nature of Routine, Significant and Critical Incidents are provided as Appendix C: Business Continuity Management Escalation Guide.
5. Records Management
5.1 The University’s approved records management system will have effective processes for record-keeping and records management in relation to Critical Incidents.
6. Accountabilities and Responsibilities
6.1 The Vice-Chancellor and President is responsible and accountable to Council for Critical Incident management.
6.2 The Vice-Chancellor and President, with support from the Chief Operating Officer and Chief Financial Officer, will provide the Audit and Risk Management Committee with summary information concerning any Critical Incidents that are rated as ‘high’ under the risk ratings outlined in the Risk Management Procedures.
6.3 The Critical Incident Management Team, led by the Critical Incident Director, is responsible and accountable to the Vice-Chancellor and President for management of responses to Critical Incidents and for ensuring that University staff, including staff who form the Emergency Control Team, are familiar with, and trained in, their roles relating to Critical Incidents.
6.4 All Cost Centre Managers of the University are responsible for advising staff within their area of responsibility of this policy and its associated procedures on a regular basis. This should also include relevant staff advice on Business Continuity Management.
6.5 The Director, Student Services and Engagement and the Director, Human Resources, will ensure students and staff receive information about this policy and its associated procedures as part of their induction or orientation to the University.
6.6 All Specialist Support Teams are to develop and maintain a Critical Incident Action Plan (or Plans) which identifies the steps to be taken by their team members should their expertise be required.
6.7 The Director, Asset Management Services will act as the Critical Incident Director, unless the role is otherwise appointed by the Vice-Chancellor and President.
Appendix C – Business Continuity Management Escalation Guide (PDF 52KB)
Please contact the Office of the Chief Operating Officer for information about the appendices.