Business Continuity Policy
The University acknowledges that business continuity management (BCM) plays an integral part in strategic and operational planning, risk management, operational management and decision-making throughout the organisation. A Business Continuity Management Plan (BCM Plan) will support implementation, monitoring and review of the Business Continuity Policy (BC Policy) and JCU business continuity arrangements more broadly.
The BCM Plan incorporates various elements from both the Good Practice Guidelines, Global Edition (GPG2013) issued by the Business Continuity Institute and ISO 22313:2012 and other recognised standards.
The BC Policy outlines the commitment of the University Council and Executive Management, towards establishing and maintaining a Business Continuity Management programme. The BCM programme is designed and built around the BC Policy which provides a commitment to:
- Communicate the importance of, and expectations surrounding BCM as it applies to certain University activities and services;
- Allocate BCM roles and responsibilities to staff for identifying and managing disruption related risks and provide adequate resources (human, financial, physical and technological) to manage business disruption effectively;
- Ensure consistent implementation of a business continuity management process across the University to ensure the continuity of critical business functions (Business Continuity Planning);
- Ensure an organised and effective approach to isolated incidents that could seriously impact critical business processes (Disaster Recovery Planning);
- Effectively manage incidents that may impact University reputation and the health and wellbeing of people associated with University activities (Emergency/Crisis Management Planning); and
- Integrate BCM within the University Risk Management Framework, Critical Incident Policy and the ICT Strategic Asset Management and ICT Operational Plans.
This BC Policy applies to all Divisions, Colleges, Centres and Institutes and significant University activities. The policy also applies to all University staff and affiliates, students, visitors and contractors engaged with facilities controlled by the University.
Specifically, this policy:
- Extends to all current and future activities, and new opportunities including those relating to JCU controlled entities;
- Emphasises the importance of robust business continuity management arrangements being developed and applied to all key activities/services based on the risks of disruption that may impact them;
- Includes assessing and identifying critical suppliers of goods and services to the University, as well as partners or stakeholders where a business disruption may have an upstream or downstream effect on University activities or processes; and
- Ensures systems, processes and documentation are established for staff to use when developing and implementing business continuity plans within their Divisions and/or business units.
The capability of the University to continue delivery of services at acceptable predefined levels following a disruptive event (e.g. cyclone, cyber- attack, etc.). Definition from ISO 22300
Business Continuity Policy (BC Policy)
The key document that sets out scope and governance of the BCM programme. The policy reflects the reasons for why the programme is being implemented (GPG2013)
Business Continuity Management Programme (BCM programme)
Ongoing management and governance process supported by the University Executive and Council of JCU. The BC programme is appropriately resourced to implement and maintain business continuity management (ISO 22301)
Business Continuity Management System (BCMS)
Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity (ISO 22301)
Business Continuity Plan (BCP)
Documented procedures that guide the University to respond, recover, resume and restore to a predefined level of operation following disruption (ISO 22301)
Business Impact Analysis (BIA)
Process of analysing University activities and the impact that a business interruption might have on those activities (ISO 22301)
Business Continuity Lifecycle (BCM Lifecycle)
A series of business continuity activities which collectively cover all phases of the BCM programme (GPG2013)
Critical Incident Management Group
The Critical Incident Management Group is the body of people convened by the Chief Coordinator to manage the University’s response to a Critical Incident
Chief of Staff, or Vice Chancellor’s nominee
1. Business Continuity Management Lifecycle
The University has adopted the GPG2013 Business Continuity Management Lifecycle (BCM Lifecycle) model as the basis for business continuity management. The model is shown below:
The model identifies the six stages of activity the University must move through (and repeat) with the overall aim of improving University resilience. More detailed procedural information on the application of the BCM Lifecycle is contained in the University BCM Framework document.
1.1 Management Practices
1.1.1 Policy and Programme Management
This is the start of the BCM Lifecycle (and purpose of this document). This stage defines the University policy relating to Business Continuity and how the policy will be implemented, controlled and validated through a BCM programme.
1.1.2 Embedding BC
This is the stage where the University continually seeks to integrate BC into “day-to-day” activities and organisational culture. Staff need to be aware of BC and understand their roles within the BCMS.
1.2 Technical Practices
In the Analysis stage, a review and assessment of the University is performed in terms of what its objectives are, how it functions and the environmental (contextual) constraints within which the University operates.
In this stage the University identifies and selects appropriate strategies and tactics to determine how recovery from a disruption will be achieved to re-establish continuity.
This is the stage of the BCM lifecycle that executes the agreed strategies and tactics through the process of developing a Business Continuity Plan (BCP).
The final stage to confirm the BCM programme meets the objectives of the University as set out in the BC policy. Validation that the University BCP is fit for purpose also occurs at this stage.
2. Roles and Responsibilities
2.1 University Council
The University Council sets policy for the University’s business continuity management, based on advice from the Audit, Risk and Compliance Committee of Council. The Council also provides strategic direction to business continuity management including resources and infrastructure related to emerging risks and changing internal/external risk context.
2.2 Audit, Risk and Compliance Committee
The Audit, Risk and Compliance Committee provides high-level guidance and structure to the University’s Business Continuity Management System and monitors results of BCP testing and awareness programs to ensure consistency and coverage across all Divisions, related business units and significant activities.
2.3 University Executive
The University Executive are the Business Continuity Plan owners with responsibility for ensuring all critical functions under their responsibility have established business continuity plans, and these plans are maintained and reviewed in accordance with the BCM Lifecycle.
2.4 Chief of Staff Office
The Chief of Staff Office for the purpose of the BC Policy includes the Risk and Compliance Officer and Insurance Officer. It is responsible for the implementation of business continuity management including the oversight of appropriate documentation, training, testing and monitoring of the BCM programme.
Media and communications in the event of a critical incident is managed by specialist staff within the Chief of Staff Office. Refer to the Incident Management Policy and Critical Incident Procedures.
2.5 Divisional and other Business Units
Directorates and Colleges within Divisions as well as Centres and Institutes must appoint a Business Continuity Function Owner (BC Function Owner).
Divisional and other business units, including JCU controlled entities, must determine their business continuity priorities and carry out an initial risk assessment on potential disruptions to activities. They are required to follow the BCM Lifecycle as it applies to their business continuity planning.
2.6 Business Continuity Function Owner
The BC Function Owner has responsibility for the implementation of continuity arrangements should a critical function be disrupted. The BC Function Owner is required to follow instructions issued by the Critical Incident Management Group or their Supervisor depending on the nature and scale of the response.
2.7 Critical Incident Management Group (CIMG)
The CIMG oversees and prioritises recovery efforts and considers the strategic direction of recovery during a business disruption. The CIMG provides leadership and control in the overall co-ordination, decision-making and communications process until recovery to predefined levels of University operations is achieved.
2.8 All Staff
Every staff member is expected to understand the importance of business continuity and familiarise themselves with this policy. Staff must support the BC programme to ensure business disruption is managed appropriately. Improved response will be achieved by staff actively taking part in awareness and training sessions as required.
Related policy instruments
The following key policies and business unit intranet site give effect to this policy:
Incident Management Policy and Critical Incident Procedures
Related documents and legislation
NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.
Date for next Major Review (in accordance with the Policy Handbook)
Chief of Staff
Business, crisis, emergency, risk, management, framework, policy, programme