Professional Documents
Culture Documents
Successfully applying this Business Continuity Management Framework will increase our
ability to absorb, respond to and recover from disruptions. It also offers opportunities to
understand how we create value and establishes direct relationships to dependencies and
vulnerabilities inherent in delivering our outcomes.
I ask all staff to ensure that they are well prepared to deliver our critical functions should a
disruption occur.
Dr Jim Watterston
Director-General
Department of Education, Training and Employment
Contents ..................................................................................................................................... 1
Introduction ............................................................................................................................... 1
Purpose .................................................................................................................................. 1
Communication ...................................................................................................................... 5
Disruption-related risks may be infrequent, but have severe consequences for critical
services, and are not able to be resolved by routine management. Disruption-related risks
include physical and non-physical events such as natural disasters, pandemics, significant
loss of utilities, financial crises, accidents, and incidents that threaten our reputation.
• ensure services that are critical to our objectives continue despite the occurrence of
a potentially disruptive event
• stabilise the effects of a disruptive event and return to normal operations and a full
recovery as quickly as possible
• capitalise on opportunities created by the disruptive event. 2
1
ANAO, Business Continuity Management, Building resilience in public sector entities, Better Practice Guide,
June 2009
2
AS/NZS 5050:2010 Business continuity - Managing disruption-related risk
Page 1 of 8
Our policy
Business Continuity Management is a core component of good governance and is integral to
our Enterprise Risk Management Framework. Business Continuity Management is applied
across the entire organisation – central office divisions, regions, schools and TAFE institutes.
Our first priority in the case of a disruptive event is the immediate and ongoing safety of
customers and staff. DETE’s emergency management arrangements help us to be prepared
for, and respond to emergency situations.
Following the event, we will ensure that our critical services are operating, and that normal
business is resumed as quickly as possible.
Finally, we will learn from our experiences of disruptive events to minimise (where possible)
their likelihood and consequence in the future.
The BCM Framework links with DETE’s emergency management arrangements and with
whole of government business continuity arrangements. The Department of Premier and
Cabinet has endorsed security and response strategies to increase government agency
preparedness for critical incidents including:
Page 2 of 8
Principles Explanation
Responsive and Risk management is:
timely • systematic, structured and timely and
• responds to changes in the risk environment
Continuously Senior executives and staff:
improved • monitor and review activities impacting risk
• continue to build capability
• seek feedback from stakeholders
Enhance We will learn from each disruptive event to ensure that we are better
departmental prepared to respond to future events
resilience
Take an ‘all Our business continuity management addresses the consequences of the
hazards’ disruption (its effect on the availability of infrastructure, ICT, and people),
approach rather than on its cause
Page 3 of 8
Plan and prepare phase
Actions taken to reduce or eliminate the likelihood or effects of a disruptive event, as well as
developing capabilities to ensure effective response and recovery.
Recovery strategies and business continuity plans are developed in response to threats and
hazards identified through risk management processes.
Process Activities
Risk identification and Identify and prioritise critical business activities, and resources
business impact analysis necessary to resume these activities when they are disrupted.
• identify risks
• identify business activities
• establish the possible effects of a disruption
• determine how long critical business functions can be
disrupted
• identify resources and requirements for business
continuity.
Identify response options • identify options for maintaining business continuity,
covering people, IT systems and networks and facilities
Develop Business • organise resources to ensure the right people are available
Continuity Plans to continue critical business activities and/ or deliver
essential services
Training, testing and • train staff involved in delivering critical business activities
maintenance • conduct tests or exercises to validate the completeness
and accuracy of the plan
• maintain the plan to ensure it remains current
Response phase
Process Activities
Emergency Initial response to a disruptive event, with the first priority being safety,
response followed by securing assets.
Crisis Strategic management response to the disruptive event, aiming to
management stabilise the situation and communicate with stakeholders to limit further
deterioration.
Page 4 of 8
Recovery phase
Process Activities
Continuity Processes, controls and resources made available immediately following a
response disruptive event to ensure we resume critical functions.
Recovery Process, resources and capabilities that help us to resume normal activities.
response Also presents an opportunity to assess responses and improve business
continuity processes and capabilities.
Governance, Strategy and Planning will coordinate annual reviews, and prepare a testing
schedule for all Business Continuity Plans.
Communication
A consultative approach brings different areas of expertise together to analyse risks.
Effective communication ensures that stakeholders understand risk treatment options, and
that different views are considered in evaluating risks.
Page 5 of 8
Entity Plan and prepare phase Response and recovery phase
Executive • Oversee preparedness • Oversee and direct operations
Response arrangements during a crisis, including
Taskforce (ERT) communication with stakeholders
and with the DETE Incident
Controller as commander and
chief
DETE Recovery • Manage prioritisation and
Manager coordination of recovery activities
as directed by ERT
Emergency • Develop state-wide emergency • Work directly with regions and
Management management policy and procedure Community Safety to maintain
and Response • Provide emergency advice and staff and student safety until
assistance to schools, including emergency is resolved
Unit (EMRU)
operational response services • Manage whole of portfolio
• Assist schools to review response situational reporting
and recovery procedures
Senior • Ensure that all critical functions • Manage operations as directed by
executives have BCPs established, tested, the ERT
maintained and reviewed • Link with the District Disaster
• Ensure staff are trained on the use Management Group (DDMG) and
of the plans Local Disaster Management Group
• Build resilience and self-sufficiency (LDMG)
• Activate and implement BCPs in
response to a disruptive event
Internal Audit • Conduct compliance audits
• Report to the ARMC on BCM
effectiveness
Governance • Set and review the BCM
Strategy and framework and procedure
Planning • Coordinate the development,
review and testing of BCPs
• Provide services to support BCM
processes
Page 6 of 8
Authority and related policies
This Framework is based on:
• Queensland Government –
o Financial Accountability Act 2009
o Financial and Performance Management Standard 2009
o Disaster Management Act 2003
• Standards Australia –
o ISO/AS/NZS 31000:2009 Risk Management Principles and Guidelines
o AS/NZS 5050:2010 Business Continuity – managing disruption related risk
It is supported by:
Page 7 of 8
Glossary of Terms
Term Definition
Business area A business area for the purposes of business continuity management
includes a division, branch, region or TAFE Institute
Business Continuity The development, implementation and maintenance of strategies and
Management procedures to assist an entity manage a business disruption event, as
(BCM) well as build entity resilience. It is the capability that assists in
preventing, preparing for, responding to, managing and recovering
from the impacts of a business disruption event.
Business Continuity Identifies the responses the department will use to deliver a critical
Plans (the plan) business function following a disruptive event. Earliest possible
restoration of such functions after disruption is the main objective of
business continuity planning.
Business Impact The process the department uses to identify which functions are
Analysis (BIA) critical business functions and to ascertain the maximum acceptable
outage period (MAO) for each identified function.
Critical Business A vital function of the department without which the department
Function (critical cannot operate or carry out its key functions. If a critical business
function) function is interrupted, the department may not achieve its objectives
or deliver its services, suffer a financial loss, result in negative
reputation or image, breach a legal or regulatory requirement or fail
to meet stakeholder expectations.
Disruptive event Any event which causes a significant disruption (no building/
infrastructure, no ICT, significant staff unavailability or any
combination of the above) in the delivery of the department’s
services.
Maximum Maximum period of time a critical business function can be disrupted
Acceptable Outage before the impact is unacceptable to the department.
(the outage / MAO)
Page 8 of 8