Policy Corporate Governance Incident Management Policy

Incident Management Policy

Policy
Procedures
Other related documents

Intent

This policy provides a framework for the University’s response to prepare for and in the period immediately following an incident (including emergencies and critical incidents), and for its management of the longer term consequences of such an incident. This policy and the Incident Management Procedures define the roles and responsibilities of key staff in:

The management, coordination and communication of information about an emergency or critical incident; and
In the recovery and post-incident review of an incident, emergency response or critical incident and its handling.

Scope

This Policy covers all staff, students, affiliates contractors, volunteers, tenants, visitors, and controlled entities, when responding to, and dealing with, a range of incidents and emergencies that may impact on JCU campuses, remote sites, and residences.

Definitions

Chief Coordinator

Person acting to manage the response to a Critical Incident; at JCU this is the Chief of Staff.

Critical Incident

An actual or potential incident or series of events that have the potential for catastrophic damage to people, operations and/or reputation where the University (or parts thereof) shift from routine to non-routine operation. This is usually typified by the area affected requiring additional (centralised) assistance in its management and also requiring intensive coordination and management by the Critical Incident Management Group (CIMG).

A Critical Incident can only be declared by the Vice Chancellor or the Chief Coordinator in her absence.

Critical Incident Management Group

The team brought together by the Chief Coordinator to manage the response to a Critical Incident.

Emergency

An incident that arises internally, or from an external source, which may adversely affect the occupants or visitors, in a facility, and which requires an immediate response (e.g. fire).

Emergency Control Organisation (ECO)

A person or structured team of persons who coordinate and supervise emergency response, building evacuations and assist where required with emergency services.

Emergency Planning Committee (EPC)

Persons responsible for the documentation and maintenance of an emergency plan. At JCU the EPC, is the Critical Incident Management Group (CIMG).

Emergency Services

Any or all of the Police, Fire and Rescue, Ambulance and State Emergency Services (as may be appropriate to the Incident) and any organisation which could reasonably be expected to assist in the Incident or to be notified of the Incident.

Incident

A finite and often isolated event which may cause injury, illness, property, reputational or environmental damage or some combination of all five in varying degrees from insignificant to catastrophic consequences, but is managed during the normal course of operations and within normal reporting lines, processes and procedures.

Incident Controller

The person who is nominated by the Chief Coordinator to be the Incident Controller given their specialist expertise or their capacity to manage an incident occurring within their work area. Often this is the first person at the site of an incident with sufficient authority and expertise to control what can be a confusing initial response and support the Critical Incident Coordinator in the overarching management of an incident.

University Site

Includes Townsville, Cairns and Singapore Campuses, Mackay, Mt Isa, Thursday Island and Atherton Study Centres, Research Stations, vessels, and any approved worksite or residential accommodation located in Australia.

Policy

1. Commitment

1.1 James Cook University recognises that incidents can arise that have the potential to impact seriously on the safety of staff and students or other visitors or volunteers to JCU campuses and/or work locations, and/or the University’s business continuity. The University further recognises that effective planning, management and coordination are required to ensure incidents don’t become critical through inaction.

1.2 An incident may be triggered by internal or external issues such as public safety, health concerns, major fraud, mismanagement or controversial academic activities. Routine or seemingly harmless activities may develop into a Critical Incident after attracting the attention of government, regulators, interest groups, the public or the media. In addition, a simple emergency or minor issue may be turned into a Critical Incident by being insensitively or poorly managed.

1.3 Planning, management and rehearsal of critical incident responses are also keys to success in the event of a declared critical incident affecting the University.

2. Objectives

2.1 This policy and the related procedure are designed to ensure the University:

meets its duty of care obligations in providing the highest possible standard of health and safety for staff, students and visitors and other persons working at or visiting the University;
is able to respond swiftly and effectively in the event of a critical incident;
implements an integrated approach to management of risks associated with incidents or critical incidents; and
is compliant with relevant legislation and Standards so that:
- exposure of persons to health and safety risks arising from incidents or critical incidents is avoided or minimised; and
- physical and psychological trauma are reduced.

2.2 JCU will ensure that processes are in place to ensure that the University:

regularly identifies and assesses threats and potential critical incidents in order to strengthen the University’s preparedness for any such events;
has appropriate plans in place for managing an incident; and
can recover promptly from any crisis and resume normal business as soon as possible.

Roles and Responsibilities

3. Responsibilities and accountabilities are described in detail in Incident Management procedures but, in brief:

3.1 Chief Coordinator. The Chief Coordinator is responsible for the establishment, operation and review of the University’s Incident Management Plans, and has overall responsibility for coordinating the University’s response to a critical incident, including declaring when the incident has moved from a Containment and Response phase to a Recovery and Review phase (as defined below and in the Incident Management Procedure), including return to normal operations.

The CIC, assisted by the CIMG he/she chairs, has full authority for management of a Critical Incident until formal notification by the Emergency Services that they have assumed control under an appropriate Act - e.g. the Public Safety Preservation Act 1986 (Qld), the Police Powers and Responsibility Act 2000 (QLD) or the Disaster Management Act 2003 (QLD).

3.2 Critical Incident Management Group (CIMG). The CIMG is the group that will be formed in the event of a critical incident to coordinate the management of the incident. Composition is at Appendix 3 of the Critical Incident Procedure.

3.3 Incident Controller. Incident Controllers may be prenominated through Business Continuity or Incident Response Plans ready to be enacted (for example in the case of a chemical or radiation incident), or may be nominated on site as the person with the specialist expertise or with sufficient authority and capacity to manage an incident occurring within the work area especially during the confusing initial response. Incident Controllers support the Critical Incident Coordinator in the overarching management of an incident with key responsibilities including establishing and taking control, assessing the situation, identifying risk and determining priorities and communication.

3.4 Emergency Control Team. An Emergency Control Team (as per Australian Standard 3745) provides the immediate response to an emergency (such as fire or building evacuation) that may affect the safety and health of staff and students. Their composition and responsibilities are in the HSE Emergency Management Procedure.

3.5 Behaviour Risk Group. The Behaviour Risk Group reports to the Chief of Staff, who is also the University’s Risk Coordinator and Chief Coordinator. The purpose of the Group is to provide early intervention, assessment, and management advice to relevant decision makers regarding matters relating to inappropriate, concerning, or threatening behaviours by James Cook University students, staff or other visitors or volunteers at its Australian campuses and sites (not including Brisbane). The Behaviour Risk Group aims to:

strengthen the University’s capacity to identify and assess high-risk situations or individuals within the University community and to promote early intervention and management (such intervention is intended to mitigate the likelihood of escalation to violence or harm to self or others);
take a risk management approach to threats created by a student or staff member or other visitor or volunteer’s behaviour to the health and safety of self or others; and
where appropriate, the Behaviour Risk Group’s recommendations will work to support students, staff or other visitor or volunteer, and consider all options to complete their studies or continue in their engagement/employment within the University community.

3.6 Managers and Staff. Managers must make themselves fully aware of the University’s Incident Management policy and procedures within their area of accountability or span of control. All staff are responsible for adherence to the compliance obligations relevant to their position; performing their duties in a lawful and safe manner; undertaking training in accordance with the Health, Safety and Environment requirements; and reporting and escalating compliance concerns, issues, or incidents.

3.7 University Executive. The University Executive is responsible for ensuring that appropriate resources, systems and processes are in place to implement the Business Continuity Plans as developed across the organisation, and ensure compliance with policy and procedural requirements within their specific areas of operational responsibility.

3.8 Council. The JCU Council is responsible for approving and committing to the incident management and articulating the University’s appetite for risk. The Committees of Council with specific responsibilities in oversight of the University’s management of incidents are the Audit, Risk and Compliance Committee and the Health, Safety and Environment Committee.

Incident Management Framework

4. Incident management at JCU is dealt with in four phases:

4.1 Planning, Prevention and Preparedness

The University will implement strategies to avoid and mitigate the impact of Incidents through safety awareness, education and training. The University operates the following plans, policies and procedures reviewed annually/biannually:

Business Continuity Plan
Incident Management Policy and Procedures
Emergency Management procedures

A desktop exercise should be conducted annually to practise incident management procedures with a live simulation exercise to test preparedness and plans every 3 years.

In accordance with Health, Safety and Environment (HSE) requirements the University annually practises building evacuation procedures and online fire-training. Other preparedness activities for the physical estate include annual back burning and cyclone preparedness clean-ups.

4.2 Notification and Activation

The effective management of incidents and issues requires their prompt communication to the appropriate level of management. The Activation and Notification Matrix provides guidelines for the appropriate notification and escalation of issues and incidents (Appendix 2 of the Critical Incident Procedure). There is an Incident Notification Template to ensure all detail necessary is captured (Appendix 1 of the Critical Incident Procedure) but incidents may be reported by staff through phone call, email, or RiskWare.

Where an immediate emergency response is required to an incident, the University’s Emergency Management Procedure prescribes the notification arrangements. All incidents requiring an immediate emergency response are reported directly to the Chief Coordinator. Where an immediate response is not required, incidents and issues will be brought to the attention of management through the normal management structure. All major critical issues or incidents must be advised to the relevant member of the Executive. The relevant member of the Executive will consult with the University’s Chief Coordinator, who will provide advice to the Vice Chancellor relating to the activation of the Critical Incident Management Group (Appendix 3 of the Critical Incident Procedure)

4.2.1 Incident Type or Category

Given the broad definition of what constitutes an incident, six categories have been developed to help narrow the focus and allow for more specialised notification and responses. These categories are as follows:

ITSystem security event:	IT disruption incident, privacy breach, cyber security event. Disruption events for longer than 4 hours which impact on the ability of the University to deliver its services for an extended period to students or for staff (Academic and Professional) may be considered critical.
Personal security event: (staff, student or external ie visitor, contractor or tenant)	Serious Injury/illness, assault, sexual assault, theft, suicide, attempted suicide, homicide, lost/missing student, epidemic, serious student or staff misconduct or drug or alcohol abuse when impacting on academic performance or conduct. Mass casualty or fatality incidents likely to affect a number of staff and/or students may be considered critical.	Code Black (event) Code Orange (procedure) Code Blue (procedure)
Legislative compliance breach:	Statutory or regulatory, eg discrimination and harassment, ethics, integrity, WHS, financial. A breach with the potential for significant reputational damage may be considered critical.	Code Brown
Physical / infrastructure security event:	Vandalism, building fire, explosion, bomb threat, arson, traffic accident, accidental property damage. Damage which seriously impacts the ability of the University to undertake teaching or research may be considered critical.	Code Red (event) or Code Purple (procedure)
Natural disaster:	Flood, cyclone, storm, high winds, bushfire, earthquake or any natural disaster that may cause major damage to property or threaten personal safety or cause inability for the majority of staff to attend to normal operations. Damage which seriously impacts the ability of the University to undertake teaching or research may be considered critical.	Code Red or Code Yellow
Environmental:	Chemical, biological, radiological, hazardous material. A breach with the potential for significant reputational damage and/or where staff, visitors, volunteers or students may be or are affected may be considered critical.	Code Yellow

4.3 Containment and Response

The University has various procedures and incident guides to govern immediate actions on an incident and these are listed under the procedures below. An incident may be managed during the normal course of university business, may have limited notification requirements and is dealt with through normal reporting lines, processes and procedures.

An Incident Register is maintained by the Chief of Staff and reported confidentially to VCAC and Audit Committee of Council as part of risk and compliance reporting six- monthly.

A Critical Incident can only be declared by the Vice Chancellor or the Chief Coordinator. A Critical Incident Record and Log must be maintained (template at Appendix 4 of the Critical Incident procedure). The Chief Coordinator is responsible for appointing appropriate people to document and maintain accurate records of the incident and of decisions made or action taken by the CIMG.

Communications during a Critical Incident will be centrally controlled and managed by the Head, Media and Communications in accordance with the Communications Plan of the Critical Incident Procedure. The only spokesperson for the University in the event of a crisis is the Vice Chancellor. Communication strategies include internal communications among both the CIMG and across the broader JCU community as well as external communications to outside agencies (including tenants), and inclusive of all communications directly with the media, press release development and web updates or provision of JCU’s input to Police or other Emergency Services if they assume control of the incident.

4.4 Recovery and Review

The Chief Coordinator, with the advice of the Director Estate and/or the relevant Emergency Services having appropriate authority in the circumstances, will determine whether it is safe to re-enter buildings evacuated or damaged or to use equipment damaged as a result of any incident. The Chief Coordinator will provide advice to the Vice-Chancellor on reconstruction and/or other requirements to permit resumption of University operations and decision making delegations to revert to normal management structures. Elements of the Business Continuity Plan may be activated during the Recovery and Review phase.

An Incident Report is mandatory for any Critical Incident (template at Appendix 4 of the Critical Incident Procedure) and should be considered for any incident that demonstrates or highlights gaps and/or areas for improvement in planning, procedures or communication strategies. The evaluation process will incorporate feedback gathered from those present at the incident and other stakeholders. This report will be provided to the Vice-Chancellor.

Post an event, a recovery team may operate to cover ongoing media, HR, student, legal and insurance issue including counselling and other psychological or medical support services.

Procedures

The following procedures/plans support this policy:

Planning, Prevention and Preparedness

Business Continuity Policy and Framework
Business Continuity Plans
Pandemic Guidelines
ICT Disaster Recovery Plan

Notification and Activation Procedures

Activation and notification matrix
Incident notification (template)
Critical Incident Management Group Activation

Containment and Response Procedures

HSE Emergency Management Procedure
Critical Incident Record and Log
Campus Closure Procedure
Communications Plan
Psychological First Aid Plan
Incident Action Plans:
- Cyclone
- Fire
- Evacuation
- Lock Down or Shelter in Place
- Medical Emergency
- Personal Safety
- Cyber security

Recovery and Review Procedures

Incident Review Procedure and Report template

Critical Incident Management Procedure

Related policy instruments

Administration

Approval Details

Policy Sponsor	Vice Chancellor
Approval Authority	Council
Date for next review	07/09/2020

Revision History

Version no.	Approval date	Implementation date	Details	Author
17-1	07/09/2017	01/03/2018	Policy established	Chief of Staff

Critical Incident Procedure