1. Purpose of policy
1.1 The purpose of this policy is to plan for, respond to and manage critical incidents that may disrupt the Critical Functions of the University. The Business Continuity – Governing Policy and Business Continuity Management Plan are part of the University's broader protection, resilience, and sustainability system.(1) The purpose of this suite of documents is to identify and respond to critical incidents, mitigate the loss of University assets and operations, protect the University’s reputation, reduce the impact on the University’s people, the community and the environment and return to business-as-usual as soon as practical.
2. Policy scope and application
2.1 This policy applies to all staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees. It is applicable to all University campuses or sites owned or operated by the University.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
Business Continuity - The capability of the University to continue the delivery of its Critical Functions at acceptable, predefined levels following a Business Disruption.
Business Continuity Management (BCM) - The holistic process that identifies potential threats to the University and the impacts to the Critical Functions those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Plan (BCP) - The University’s plan that outlines how critical business operations can be maintained or recovered in a timely fashion.
Business Continuity Management Framework – The framework the University has to manage business continuity. It includes the Business Continuity Management – Governing Policy and Business Continuity Management Plan.
Business Continuity Team (BCT) – The team that is mobilised to implement and oversee the continuity response.
Business Disruption - An event, anticipated or not, which disrupts the normal course of business operations at one or more locations.
Business Impact Analysis (BIA) - The process of analysing activities and the effect that a Business Disruption might have upon them.
Critical Function - A function that must be performed in order to meet overall daily, weekly, and/or monthly business requirements.
Critical Incident - An incident that has a risk rating of high or extreme under the University’s Risk Management Framework with a consequence of moderate or higher. It requires a focused and concerted response and ongoing management by the Organisational Unit Manager in conjunction with the IRT. Within the context of this BCP, a Business Disruption would be caused by a Critical Incident.
Emergency Planning Committee (EPC) - The EPC is established to ensure all applicable legislative requirements are met and sufficient resources (time, finance, equipment and personnel) are provided to enable the development and implementation of emergency (incident) plans in a multi-campus environment. This is a requirement of Australian Standard 3745-2010, Planning for emergencies in facilities. The EPC has broader planning responsibilities under USC’s protection, resilience and sustainability system.
Incident Response Team (IRT) - A team of specialists that is mobilised to assess and respond to an incident that has occurred.
Key Business Area – An Organisational Unit within the University that is required to complete a BIA as its Critical Functions are necessary to the University’s ongoing operations during a Business Disruption.
Recovery Time Objective (RTO) – The period of time following an incident within which an activity must be resumed, or resources must be recovered.
4. Policy Statement
4.1 USC is vulnerable to a range of events from those with a period of warning to others that occur abruptly. Some incidents will have the ability to impact the Critical Functions of the University. The University will have the business continuity management systems and processes in place to facilitate the resumption of these Critical Functions.
5.1 The Business Continuity Management Framework will be consistent with the University’s Risk Management Framework, as outlined in the Enterprise Risk Management – Governing Policy, and will operate in conjunction with other resources including the Critical Incident Management – Governing Policy and Incident Management – Procedures.
5.2 The University will maintain a Business Continuity Management Plan (BCP).
5.3 The BCP will be developed at a whole-of-University level, with more detailed supplementary plans developed for Asset Management Services and Information Technology Services. These supplementary plans will include strategies to mitigate the use of any third-party service providers.
5.4 A Business Impact Analysis (BIA) approach will be used to develop the BCP. The BIAs for Departments and Schools must identify the critical functions of the University, any dependencies and alternatives for undertaking that function, as well as the recovery objectives and strategy for each critical function.
5.5 The BIAs will be updated at least annually as part of the review of the BCP.
5.6 The BCP will be approved by the University’s Executive Committee.
5.7 The Emergency Planning Committee (EPC) will oversee and monitor the currency and effectiveness of the BCP. A report on the effectiveness of the BCP will be provided to the Audit and Risk Management Committee bi-annually.
5.8 The BCP will be triggered by the University’s Incident Response Team (IRT). In the event of a Critical Incident that invokes the BCP, two response teams will operate simultaneously. The IRT will respond to the incident and the BCT will work to restore Critical Functions. The University may decide to bring these teams together under certain circumstances and this will be a decision made by the Vice-Chancellor and President.
5.6 In the event of a Critical Incident that impacts the broader local community, the University will work with Local and State Governments in the management of the disruption.
6.1 The IRT Marketing representative, in consultation with the IRT, will determine the appropriate internal and external communication strategy. The Vice-Chancellor and President (or delegate) is the University’s spokesperson during a business continuity event.
7. Monitoring and Review
7.1 The BCP will be reviewed and updated annually.
Responsible and accountable to the USC Council for Business Continuity.
Vice-Chancellor and President
Develop, implement, resource and maintain the protection, resilience, and sustainability system, including emergency plan, incident response procedures, and the readiness, training and awareness sessions for all persons responding to incidents and emergencies.
Chief Operating Officer
Maintain a copy of the University’s Business Continuity Management Policy.
Incident Response Team / Business Continuity Team
Conduct a Business Impact Analysis annually to determine the effectiveness of the Business Continuity Plan.
Key Business Areas
Responsible for the administration of the University Business Continuity Policy.
Chief Operating Officer
Develop and maintain relationships with relevant Intelligence and Government Agencies, Queensland Police Services, other Emergency Response Services, and Disaster Management Groups to ensure an effective notification, alert, support and response to potential or actual USC incidents.
Senior Manager, Security/ SafeUSC
Ensure staff receive training about the University’s emergency processes.
Director, Human Resources
Ensure students are aware of the University’s emergency processes.
Academic Registrar and Director, Student Services
Coordinate an annual review of the University’s BCP and provide a report to the Audit and Risk Management Committee.
Director, Governance and Risk Management
Director, Asset Management Services
Oversee and monitor the effectiveness of the University’s BCP.
Emergency Planning Committee
Footnote: (1) The protection, resilience and sustainability system is a set of policies, procedures and plans across incident management and business continuity management.