Policy Corporate Governance Business Continuity Policy

Business Continuity Policy

Print Friendly and PDFPrint Friendly


The University acknowledges that business continuity management (BCM) plays an integral part in strategic and operational planning, risk management, operational management and decision-making throughout the organisation. A Business Continuity Management Plan (BCM Plan) will support implementation, monitoring and review of the Business Continuity Policy (BC Policy) and JCU business continuity arrangements more broadly.

The BCM Plan incorporates various elements from both the Good Practice Guidelines, Global Edition (GPG2013) issued by the Business Continuity Institute and ISO 22313:2012 and other recognised standards.

The BC Policy outlines the commitment of the University Council and Executive Management, towards establishing and maintaining a Business Continuity Management programme. The BCM programme is designed and built around the BC Policy which provides a commitment to:

  • Communicate the importance of, and expectations surrounding BCM as it applies to certain University activities and services;
  • Allocate BCM roles and responsibilities to staff for identifying and managing disruption related risks and provide adequate resources (human, financial, physical and technological) to manage business disruption effectively;
  • Ensure consistent implementation of a business continuity management process across the University to ensure the continuity of critical business functions (Business Continuity Planning);
  • Ensure an organised and effective approach to isolated incidents that could seriously impact critical business processes (Disaster Recovery Planning);
  • Effectively manage incidents that may impact University reputation and the health and wellbeing of people associated with University activities (Emergency/Crisis Management Planning); and
  • Integrate BCM within the University Risk Management Framework, Critical Incident Policy and the ICT Strategic Asset Management and ICT Operational Plans.


This BC Policy applies to all Divisions, Colleges, Centres and Institutes and significant University activities. The policy also applies to all University staff and affiliates, students, visitors and contractors engaged with facilities controlled by the University.

Specifically, this policy:

  1. Extends to all current and future activities, and new opportunities including those relating to JCU controlled entities;
  2. Emphasises the importance of robust business continuity management arrangements being  developed and applied to all key activities/services based on the risks of disruption that may impact them;
  3. Includes assessing and identifying critical suppliers of goods and services to the University, as well as partners or stakeholders where a business disruption may have an upstream or downstream effect on University activities or processes; and
  4. Ensures systems, processes and documentation are established for staff to use when developing and implementing business continuity plans within their Divisions and/or business units.


Business Continuity

The capability of the University to continue delivery of services at acceptable predefined levels following a disruptive event (e.g. cyclone, cyber- attack, etc.). Definition from ISO 22300

Business Continuity Policy (BC Policy)

The key document that sets out scope and governance of the BCM programme. The policy reflects the reasons for why the programme is being implemented (GPG2013)

Business Continuity Management Programme (BCM programme)

Ongoing management and governance process supported by the University Executive and Council of JCU. The BC programme is appropriately resourced to implement and maintain business continuity management (ISO 22301)

Business Continuity Management System (BCMS)

Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity (ISO 22301)

Business Continuity Plan (BCP)

Documented procedures that guide the University to respond, recover, resume and restore to a predefined level of operation following disruption (ISO 22301)

Business Impact Analysis (BIA)

Process of analysing University activities and the impact that a business interruption might have on those activities (ISO 22301)

Business Continuity Lifecycle (BCM Lifecycle)

A series of business continuity activities which collectively cover all phases of the BCM programme (GPG2013)

Critical Incident Management Group

The Critical Incident Management Group is the body of people convened by the Chief Coordinator to manage the University’s response to a Critical Incident

Chief Coordinator

Chief of Staff, or Vice Chancellor’s nominee


1. Business Continuity Management Lifecycle

The University has adopted the GPG2013 Business Continuity Management Lifecycle (BCM Lifecycle) model as the basis for business continuity management. The model is shown below:

Business continuity diagram.

The model identifies the six stages of activity the University must move through (and repeat) with the overall aim of improving University resilience. More detailed procedural information on the application of the BCM Lifecycle is contained in the University BCM Framework document.

1.1 Management Practices

1.1.1  Policy and Programme Management 

This is the start of the BCM Lifecycle (and purpose of this document). This stage defines the University policy relating to Business Continuity and how the policy will be implemented, controlled and validated through a BCM programme.

1.1.2  Embedding BC

This is the stage where the University continually seeks to integrate BC into “day-to-day” activities and organisational culture. Staff need to be aware of BC and understand their roles within the BCMS.

1.2 Technical Practices

1.2.1  Analysis

In the Analysis stage, a review and assessment of the University is performed in terms of what its objectives are, how it functions and the environmental (contextual) constraints within which the University operates.

1.2.2  Design

In this stage the University identifies and selects appropriate strategies and tactics to determine how recovery from a disruption will be achieved to re-establish continuity.

1.2.3  Implementation

This is the stage of the BCM lifecycle that executes the agreed strategies and tactics through the process of developing a Business Continuity Plan (BCP).

1.2.4  Validation

The final stage to confirm the BCM programme meets the objectives of the University as set out in the BC policy. Validation that the University BCP is fit for purpose also occurs at this stage.

2. Roles and Responsibilities

2.1  University Council

The University Council sets policy for the University’s business continuity management, based on advice from the Audit, Risk and Compliance Committee of Council. The Council also provides strategic direction to business continuity management including resources and infrastructure related to emerging risks and changing internal/external risk context.

2.2  Audit, Risk and Compliance Committee

The Audit, Risk and Compliance Committee provides high-level guidance and structure to the University’s Business Continuity Management System and monitors results of BCP testing and awareness programs to ensure consistency and coverage across all Divisions, related business units and significant activities.

2.3  University Executive

The University Executive are the Business Continuity Plan owners with responsibility for ensuring all critical functions under their responsibility have established business continuity plans, and these plans are maintained and reviewed in accordance with the BCM Lifecycle.

2.4  Chief of Staff Office

The Chief of Staff Office for the purpose of the BC Policy includes the Risk and Compliance Officer and Insurance Officer. It is responsible for the implementation of business continuity management including the oversight of appropriate documentation, training, testing and monitoring of the BCM programme.

Media and communications in the event of a critical incident is managed by specialist staff within the Chief of Staff Office. Refer to the Incident Management Policy and Critical Incident Procedures.

2.5  Divisional and other Business Units

Directorates and Colleges within Divisions as well as Centres and Institutes must appoint a Business Continuity Function Owner (BC Function Owner).

Divisional and other business units, including JCU controlled entities, must determine their business continuity priorities and carry out an initial risk assessment on potential disruptions to activities. They are required to follow the BCM Lifecycle as it applies to their business continuity planning.

2.6  Business Continuity Function Owner

The BC Function Owner has responsibility for the implementation of continuity arrangements should a critical function be disrupted. The BC Function Owner is required to follow instructions issued by the Critical Incident Management Group or their Supervisor depending on the nature and scale of the response.

2.7  Critical Incident Management Group (CIMG)

The CIMG oversees and prioritises recovery efforts and considers the strategic direction of recovery during a business disruption. The CIMG provides leadership and control in the overall co-ordination, decision-making and communications process until recovery to predefined levels of University operations is achieved.

2.8  All Staff

Every staff member is expected to understand the importance of business continuity and familiarise themselves with this policy. Staff must support the BC programme to ensure business disruption is managed appropriately. Improved response will be achieved by staff actively taking part in awareness and training sessions as required.

Related policy instruments

The following key policies and business unit intranet site give effect to this policy:

Risk Management Policy

Incident Management Policy and Critical Incident Procedures

Health, Safety and Environment Policy

Compliance Policy

Related documents and legislation

The listing below is not meant to be exhaustive and contains key legislation and standards as updated from time to time:

Disaster Management Act

Work Health and Safety Act

Biosecurity Act

Environmental Protection Act

Fire and Emergency Services Act

Police Powers and Responsibilities Act

Building Fire Safety Regulation

Security Providers Act

Business Continuity Guidelines Global Edition 2013

AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

ISO 22301: 2012 Societal security – Business continuity management systems - Requirements

ISO 22300: 2012 Societal security – Terminology

AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines


NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy DomainCorporate Governance
Policy Sub-domainRisk, Assurance, Regulatory and Compliance

Policy Custodian

Vice Chancellor

Approval Authority


Date for next Major Review


Revision History


Approval date

Implementation date






Policy established

Chief of Staff


Business, crisis, emergency, risk, management, framework, policy, programme

Contact person Chief of Staff