1. Purpose of policy
The purpose of this policy is to plan for, respond to and manage critical incidents that may disrupt the Critical Functions of the University.
The Business Continuity – Governing Policy and Business Continuity Management Plan are part of the University's broader protection, resilience, and sustainability system.(1)
The purpose of this suite of documents is to identify and respond to critical incidents, mitigate the loss of University assets and operations, protect the University’s reputation, reduce the impact on our people, the community and the environment and return to business-as-usual as soon as practical.
2. Policy scope and application
This policy applies to all staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees. It is applicable to all University campuses or sites owned or operated by the University.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to these procedures and are critical to its effectiveness:
Business Continuity - The capability of the University to continue the delivery of its critical functions at acceptable, predefined levels following a business disruption.
Business Continuity Management (BCM) - The holistic process that identifies potential threats to the University and the impacts to the critical functions those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Plan (BCP) - The University’s plan that outlines how critical business operations can be maintained or recovered in a timely fashion.
Business Continuity Management Framework – The framework the University has to manage business continuity. It includes the Business Continuity Management – Governing Policy and Business Continuity Management Plan.
Business Disruption - An event, anticipated or not, which disrupts the normal course of business operations at one or more locations.
Business Impact Analysis (BIA) - The process of analysing activities and the effect that a business disruption might have upon them.
Crisis Management Team (CMT) - The team that is mobilised to activate and oversee the BCP.
Critical Function - A function that must be performed in order to meet overall daily, weekly, and/or monthly business requirements.
Critical Incident - An incident that has a Risk Rating of high or extreme under the University’s Risk Management Framework with a consequence of at least moderate or higher. It requires a focused and concerted response and ongoing management by the Cost Centre Manager in conjunction with the IRT.
Emergency Planning Committee (EPC) - The EPC is established to ensure all applicable legislative requirements are met and sufficient resources (time, finance, equipment and personnel) are provided to enable the development and implementation of emergency (incident) plans in a multi-campus environment. This is a requirement of Australian Standard 3745-2010, Planning for emergencies in facilities. The EPC has broader planning responsibilities under USC’s protection, resilience and sustainability system.
Incident Response Team (IRT) - A team of specialists that is mobilised to assess and respond to a Critical Incident that has occurred. An IRT is established with each Critical Incident which is defined within this policy and its composition will depend on the type of incident requiring action. An IRT that has been established to respond to an emergency is also known as the Emergency Control Team. When the Business Continuity Management Plan is triggered, the IRT becomes the CMT.
Key Business Area – A Cost Centre within the University that is required to complete a BIA as its critical functions are necessary to the University’s ongoing operations during a business disruption.
4. Policy Statement
USC is vulnerable to a range of events from those with a period of warning to others that occur abruptly. Some incidents will have the ability to impact the critical functions of the University. The University will have the business continuity management systems and processes in place to facilitate the resumption of these critical functions.
5.1 The Business Continuity Management Framework will be consistent with the University’s Risk Management Framework, as outlined in the Enterprise Risk Management – Governing Policy, and will operate in conjunction with other resources including the Critical Incident Management – Governing Policy and Incident Management – Procedures.
5.2 The University will maintain a Business Continuity Management Plan (BCP). A Business Impact Analysis (BIA) approach will be used to develop the BCP.
5.3 The BCP will be approved by the University’s Executive Committee.
5.4 The Emergency Planning Committee (EPC) will oversee and monitor the currency and effectiveness of the BCP.
5.5 The BCP will be triggered by the University’s Incident Response Team (IRT). When the BCP is invoked, the IRT will become the Crisis Management Team (CMT) to manage the incident and restore critical functions.
5.6 In the event of a business disruption that impacts the broader local community, the University will work with Local and State Governments in the management of the disruption.
The Director of Marketing and External Engagement, in consultation with the CMT, will determine the appropriate internal and external communication strategy. The Vice-Chancellor and President (or delegate) is the University’s spokesperson during a business continuity event.
7. Monitoring and Review
The BCP will be reviewed and updated annually.
Footnote: (1) The protection, resilience and sustainability system is a set of policies, procedures and plans across incident management and business continuity management.