Business Continuity Review Guide

The following criteria have been developed to assist Colleges and Administrative Divisions in reviewing their Business Continuity Plans:

Ownership

1. Formal Authorisation by Dean or Director: The respective Dean, Director or equivalent is responsible for the development and implementation (where necessary) of the Business Continuity Plan (BCP) for their area. As a BCP is in essence an investment in the resilience of a College or Division to minimise the impact on objectives associated with a range of ‘extraordinary’ incidents, appropriate budgetary delegation and support is required.

2. Business Continuity Management Team (BCMT): To respond effectively to the wide range of potential incidents, arguably the most essential component is to ensure that the right people can be mobilised as quickly as possible. This has been continually validated, including through the effective response by ANU to a number of recent events.

To assist in the mobilisation of these people, a BCP should nominate those people best placed to co-ordinate the response within the Division. They should be nominated, authorised, trained and empowered (within the overall ANU framework), and their identity communicated so that, much like a ‘fire warden’, they can effectively focus critical activities in extraordinary times.

Analysis

3. Rigorous Business Impact Analysis: A fundamental aspect of developing an effective BCP is determining what incidents may disrupt the routine operations of the Division. This entails not only identifying potential incidents, but relating these back to the essential activities of the Division. Focusing questions include:

- What are the primary and essential activities of the Division?
- What are the impacts (safety, reputational, financial) if these activities are not performed?
- What could prevent these activities from being performed?
- What are the associated timeframes?
- What actions should be taken: immediately (from a safety perspective and to minimise disruption); to facilitate an interim level of service; and to get back to a normal state of operation?
- What resources could be mobilised to assist and from where can they be sourced?

Additional questions for the BCMT:

- What are the trigger points to identify that an incident has occurred and a BCP should be activated?
- Who needs to be contacted to provide these resources?
- What funds will be required?
- Who should be notified?

The majority of the effort in planning response strategies should focus on immediate and interim steps. Once an incident occurs, previous planning assists most by identifying for the BCMT those considerations that should be acted upon quickly. Long-term incident management is dependent on a range of variables, and any pre-determined script may easily lose relevance.

4. Integration with other internal stakeholders and service providers: Once response strategies have been drafted, a vital component in validating the plan is to ensure that there is integration in how resources are allocated between separate Colleges and Divisions. Each College/Division must validate any assumptions made about the potential response from any other College/Division (e.g. particularly in respect to activities undertaken on behalf of a College/Division by a central administrative unit or external service provider).

5. Critical Activities Schedule: To assist with the prioritisation of resources across the University, each College and Administrative Division BCP should identify critical activities across the calendar year. A master schedule for the University will be developed and maintained by the Director Facilities and Services based on the schedules included in each BCP and validated through an annual workshop.

6. Integration with ANU Emergency Response and Crisis Management processes: To ensure that responses are co-ordinated effectively across the ANU, each Division is responsible for ensuring its plan integrates with the ANU Emergency Response Plan. Trigger points for escalation and clear communication processes should be established between the BCMT and the ANU’s Crisis Management Team.

Documentation

7. Clarity in communications and escalation process: Communications within the Division, across the ANU and with external agencies should be documented and essential notifications highlighted (e.g. Media, Insurance, and Regulatory). Any relevant contact details should be included and referenced to allow for effective review and update.

8. Clarity in assigned roles and responsibilities: The role of the core BCMT members should be clearly documented, allowing for subject matter experts to be easily integrated.

9. Effective ‘aide-mémoire’ style action points, resourcing hints and contact numbers for specific incidents: Once an incident has occurred, the BCMT will require information that can be easily sourced and understood. Long verbose statements and documentation of every potential variable will only hinder an effective response.

Training

10. Regular training and exercise of plan and processes: The effectiveness of any plan and potential response will only be highlighted through training. Training does not need to be onerous and should be tailored to each Division. Training may range from a joint reading of the plan by the BCMT members, to desktop exercises, to carefully scripted simulated incidents (where a team of trainers provides inputs to test the BCMT in a closed and controlled environment).

11. Induction of new Staff: Given the inherent movement in staff, new staff members should be carefully inducted into any business continuity responsibilities.

Relevance

12. Review every 2 years as a minimum, or based on changes in the operating environment (impacts, stakeholders, suppliers): It is the responsibility of the BCMT and the Dean and/or Director of the Division to ensure that any plans that are developed remain current.

13. Regular review of contact information (individuals, suppliers, emergency telephone numbers): The contact numbers for individuals, suppliers, and other stakeholders are the most prone to change. Therefore a more regular review process of contact details should be implemented.