
Business Continuity Management Framework 2014-18


Building organisational resilience

Great state. Great opportunity


Director-General’s message
Effective business continuity management reaches beyond developing business
continuity plans. It requires all of us to acknowledge uncertainty as a natural part of
business planning. We all need to be aware that risk is inherent in all decisions and activities
and that some risks have the potential to interrupt services, and we need to be prepared to
respond to and manage such interruptions.

Successfully applying this Business Continuity Management Framework will increase our
ability to absorb, respond to and recover from disruptions. It also offers opportunities to
understand how we create value and establishes direct relationships to dependencies and
vulnerabilities inherent in delivering our outcomes.

I ask all staff to ensure that they are well prepared to deliver our critical functions should a
disruption occur.

Dr Jim Watterston
Director-General
Department of Education, Training and Employment

Relationship to the Governance Framework


Business Continuity is part of the Risk Management element of our Corporate
Governance Framework, as shown in this diagram.

Contents

Director-General’s message
Contents
Introduction
    Purpose
    What is Business Continuity Management?
Our policy
    Business continuity principles
Business continuity approach
    Plan and prepare phase
    Response phase
    Recovery phase
    Monitoring and review
    Communication
Roles and responsibilities
Authority and Related Policies
Glossary of Terms


Introduction
Purpose
Implementing this framework ensures that we are able to continue delivering critical
services following a disruptive event. It aims to build high level resilience in all departmental
services and sites when facing major adverse events.

What is Business Continuity Management?


Business Continuity Management (BCM) is the development, implementation and
maintenance of policies, strategies and programs to assist an entity manage a business
disruption event, as well as build entity resilience. It is the capability that assists in
preventing, preparing for, responding to, managing and recovering from the impacts of a
business disruption event. 1

Disruption-related risks may be infrequent, but have severe consequences for critical
services, and are not able to be resolved by routine management. Disruption-related risks
include physical and non-physical events such as natural disasters, pandemics, significant
loss of utilities, financial crises, accidents, and incidents that threaten our reputation.

An effective framework equips us to:

• ensure services that are critical to our objectives continue despite the occurrence of
a potentially disruptive event
• stabilise the effects of a disruptive event and return to normal operations and a full
recovery as quickly as possible
• capitalise on opportunities created by the disruptive event. 2

This adaptive capability builds high level resilience, and:

• increases security awareness
• minimises financial effects and effects on service delivery targets
• improves understanding of functions and opportunities for improvement
• enhances stakeholder confidence
• protects corporate assets and reputation
• strengthens relationships with emergency response partners.

1 ANAO, Business Continuity Management, Building resilience in public sector entities, Better Practice Guide, June 2009

2 AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

Our policy
Business Continuity Management is a core component of good governance and is integral to
our Enterprise Risk Management Framework. Business Continuity Management is applied
across the entire organisation – central office divisions, regions, schools and TAFE institutes.

Business Continuity focuses on our capacity to achieve our objectives.

Our first priority in the case of a disruptive event is the immediate and ongoing safety of
customers and staff. DETE’s emergency management arrangements help us to be prepared
for, and respond to, emergency situations.

Following the event, we will ensure that our critical services are operating, and that normal
business is resumed as quickly as possible.

Finally, we will learn from our experiences of disruptive events to minimise (where possible)
their likelihood and consequence in the future.

The BCM Framework links with DETE’s emergency management arrangements and with
whole of government business continuity arrangements. The Department of Premier and
Cabinet has endorsed security and response strategies to increase government agency
preparedness for critical incidents including:

• Queensland Plan for the Protection of Government Assets from Terrorism
• Queensland Pandemic Influenza Plan
• Brisbane CBD Emergency Plan

Business continuity principles


Principle: Integrated into business processes
Explanation: Ensure risk management is an integral part of
• governance and accountability arrangements
• performance, planning and reporting processes
• program and project management
• decision making
• promoting the health and safety of staff and students

Principle: Transparent and based on best available information
Explanation: Our risk environment and profile:
• is drawn from diverse data sources, expert judgment and stakeholder feedback to make evidence-based decisions
• recognises that the capabilities, perceptions and aims of people (internal and external) can aid or hinder the achievement of objectives and
• takes account of stakeholders in decision making

Principle: Responsive and timely
Explanation: Risk management is:
• systematic, structured and timely and
• responds to changes in the risk environment

Principle: Continuously improved
Explanation: Senior executives and staff:
• monitor and review activities impacting risk
• continue to build capability
• seek feedback from stakeholders

Principle: Enhance departmental resilience
Explanation: We will learn from each disruptive event to ensure that we are better prepared to respond to future events

Principle: Take an ‘all hazards’ approach
Explanation: Our business continuity management addresses the consequences of the disruption (its effect on the availability of infrastructure, ICT, and people), rather than its cause

Business continuity approach


Figure 1: The relationship between the activities in managing disruption-related risk

Plan and prepare phase
Actions taken to reduce or eliminate the likelihood or effects of a disruptive event, as well as
developing capabilities to ensure effective response and recovery.
Recovery strategies and business continuity plans are developed in response to threats and
hazards identified through risk management processes.

Process: Risk identification and business impact analysis
Activities: Identify and prioritise critical business activities, and resources necessary to resume these activities when they are disrupted.
• identify risks
• identify business activities
• establish the possible effects of a disruption
• determine how long critical business functions can be disrupted
• identify resources and requirements for business continuity.

Process: Identify response options
Activities:
• identify options for maintaining business continuity, covering people, IT systems and networks and facilities

Process: Develop Business Continuity Plans
Activities:
• organise resources to ensure the right people are available to continue critical business activities and/or deliver essential services

Process: Training, testing and maintenance
Activities:
• train staff involved in delivering critical business activities
• conduct tests or exercises to validate the completeness and accuracy of the plan
• maintain the plan to ensure it remains current

Response phase
Process: Emergency response
Activities: Initial response to a disruptive event, with the first priority being safety, followed by securing assets.

Process: Crisis management
Activities: Strategic management response to the disruptive event, aiming to stabilise the situation and communicate with stakeholders to limit further deterioration.

Recovery phase
Process: Continuity response
Activities: Processes, controls and resources made available immediately following a disruptive event to ensure we resume critical functions.

Process: Recovery response
Activities: Process, resources and capabilities that help us to resume normal activities. Also presents an opportunity to assess responses and improve business continuity processes and capabilities.

Monitoring and review


The Business Continuity Plan owner is responsible for its maintenance. Periodic or ad hoc
monitoring and review ensures that strategies are up to date and incorporate lessons from
testing and activation.

Governance, Strategy and Planning will coordinate annual reviews, and prepare a testing
schedule for all Business Continuity Plans.

Communication
A consultative approach brings different areas of expertise together to analyse risks.
Effective communication ensures that stakeholders understand risk treatment options, and
that different views are considered in evaluating risks.

Roles and responsibilities


Entity: Director-General
Plan and prepare phase:
• Accountable officer under the Financial Accountability Act 2009
• Advocate for the continual improvement of risk and business continuity resilience
Response and recovery phase:
• Represent DETE on the State Disaster Management Group (SDMG)
• Invoke the DETE Executive Response Taskforce (ERT)

Entity: Executive Management Board (EMB)
Plan and prepare phase:
• Provide direction on BCM arrangements
• Approve the BCM framework and Level 1 BCP

Entity: Audit and Risk Management Committee (ARMC)
Plan and prepare phase:
• Review the effectiveness of BCM arrangements

Entity: Executive Response Taskforce (ERT)
Plan and prepare phase:
• Oversee preparedness arrangements
Response and recovery phase:
• Oversee and direct operations during a crisis, including communication with stakeholders and with the DETE Incident Controller as commander and chief

Entity: DETE Recovery Manager
Response and recovery phase:
• Manage prioritisation and coordination of recovery activities as directed by ERT

Entity: Emergency Management and Response Unit (EMRU)
Plan and prepare phase:
• Develop state-wide emergency management policy and procedure
• Provide emergency advice and assistance to schools, including operational response services
• Assist schools to review response and recovery procedures
Response and recovery phase:
• Work directly with regions and Community Safety to maintain staff and student safety until emergency is resolved
• Manage whole of portfolio situational reporting

Entity: Senior executives
Plan and prepare phase:
• Ensure that all critical functions have BCPs established, tested, maintained and reviewed
• Ensure staff are trained on the use of the plans
• Build resilience and self-sufficiency
Response and recovery phase:
• Manage operations as directed by the ERT
• Link with the District Disaster Management Group (DDMG) and Local Disaster Management Group (LDMG)
• Activate and implement BCPs in response to a disruptive event

Entity: Internal Audit
Plan and prepare phase:
• Conduct compliance audits
• Report to the ARMC on BCM effectiveness

Entity: Governance, Strategy and Planning
Plan and prepare phase:
• Set and review the BCM framework and procedure
• Coordinate the development, review and testing of BCPs
• Provide services to support BCM processes
Authority and related policies
This Framework is based on:

• Queensland Government –
o Financial Accountability Act 2009
o Financial and Performance Management Standard 2009
o Disaster Management Act 2003

• Standards Australia –
o ISO/AS/NZS 31000:2009 Risk Management Principles and Guidelines
o AS/NZS 5050:2010 Business Continuity – managing disruption related risk

It is supported by:

• Australian National Audit Office –
o Business Continuity Management: Building resilience in public sector entities. Better Practice Guide (June 2009)
o Business Continuity Management: keeping the wheels in Motion. A guide for Effective Control (2000)

• Business Continuity Institute Good Practice Guidelines
• Queensland Department of Treasury and Trade, Financial Accountability Handbook
• Queensland Department of Science, Information Technology, Innovation and the Arts, Queensland Government Information Standard: Information Security (IS18).

Related policies and procedures include:

• Queensland Government, Building and Fire Safety Regulations 2008
• Corporate Governance Framework
• Risk Management Framework
• DETE’s emergency management arrangements
• Procedures relating to –
o Risk Management
o Business Continuity Management
o Curriculum Activity Risk Management
o Health, safety and wellbeing
o Information security
o Legislative compliance

Glossary of Terms
Term: Business area
Definition: A business area for the purposes of business continuity management includes a division, branch, region or TAFE Institute

Term: Business Continuity Management (BCM)
Definition: The development, implementation and maintenance of strategies and procedures to assist an entity manage a business disruption event, as well as build entity resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a business disruption event.

Term: Business Continuity Plans (the plan)
Definition: Identifies the responses the department will use to deliver a critical business function following a disruptive event. Earliest possible restoration of such functions after disruption is the main objective of business continuity planning.

Term: Business Impact Analysis (BIA)
Definition: The process the department uses to identify which functions are critical business functions and to ascertain the maximum acceptable outage period (MAO) for each identified function.

Term: Critical Business Function (critical function)
Definition: A vital function of the department without which the department cannot operate or carry out its key functions. If a critical business function is interrupted, the department may fail to achieve its objectives or deliver its services, suffer a financial loss, incur a negative reputation or image, breach a legal or regulatory requirement or fail to meet stakeholder expectations.

Term: Disruptive event
Definition: Any event which causes a significant disruption (no building/infrastructure, no ICT, significant staff unavailability or any combination of the above) in the delivery of the department’s services.

Term: Maximum Acceptable Outage (the outage / MAO)
Definition: Maximum period of time a critical business function can be disrupted before the impact is unacceptable to the department.
