
Enterprise Risk Management

Directorate

NSW Department of Education & Communities


Business Continuity Management
Guidelines
October 2011

Document Author
Mr Frank Davies
Director, Enterprise Risk Management
Enterprise Risk Management Directorate
Level 8, 35 Bridge Street
SYDNEY NSW 2000
T. (02) 9561 8840
F. (02) 9561 8630
M. 0418 220 387
E. Frank.Davies@det.nsw.edu.au
COPYRIGHT

NSW Department of Education and Communities

All rights reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including
photocopying with the permission of the publisher.

Business Continuity Management Guidelines

Contents
1.0 WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)?.............................................4
2.0 WHY IS BCM REQUIRED?............................................................................................ 5
3.0 BCM OBJECTIVES WITHIN DEC................................................................................... 6
4.0 THE BCM PROCESS.................................................................................................... 6
5.0 STEP 1: COMMENCEMENT.......................................................................................... 7
6.0 STEP 2: CONDUCT A RISK AND VULNERABILITY ANALYSIS..........................................8
6.1 Identifying risks............................................................................................................ 8
6.2 Assessing risk.............................................................................................................. 8
6.3 Treating risk................................................................................................................. 9
7.0 STEP 3: CONDUCT A BUSINESS IMPACT ASSESSMENT................................................9
7.1 Identify resources....................................................................................................... 10
7.2 Identify interdependencies........................................................................................... 10
7.3 Determine maximum acceptable outages.......................................................................10
8.0 STEP 4: DEFINE RESPONSE STRATEGIES.................................................................11
8.1 Emergency response phase......................................................................................... 11
8.2 Continuity response.................................................................................................... 11
8.3 Recovery response..................................................................................................... 12
9.0 STEP 5: IDENTIFY RESOURCE AND INTERDEPENDENCY REQUIREMENTS.................12
10. STEP 6: DEVELOP CONTINUITY PLANS.....................................................................12
10.1 What to include in your plan....................................................................................... 12
11.0 STEP 7: DEVELOP A COMMUNICATIONS STRATEGY.................................................13
11.1 Identify stakeholders and needs.................................................................................. 13
12.0 STEP 8: MAINTAIN AND TEST PLANS.......................................................................13
12.1 Training and awareness............................................................................................. 14
12.2 Testing.................................................................................................................... 14
12.3 Maintenance............................................................................................................ 14
13.0 REFERENCES......................................................................................................... 15
2



14.0 APPENDICES.......................................................................................................... 16
Appendix 1: Template for Step 1 - Commencement Template.................................................16
Appendix 2: Template for Step 2 - Risk & Vulnerability Analysis Template.................................16
Appendix 3: Template for Steps 3 and 5 - Business Impact Assessment..................................17
Appendix 4: Template for Step 4 - Response Strategies........................................................18
Appendix 5: Template for Step 6 - Business Continuity Plan...................................................19
Appendix 6: Template for Step 7 - Stakeholder Communication Matrix.....................................20
Appendix 7: Business Continuity as Part of the Planning Process...........................................21
Appendix 8: Business Interruption - Incident Management Structure.......................................22
Appendix 9: Business Interruption - Incident Management Process.........................................23
Appendix 10: BCM Help card............................................................................................. 24


Business Continuity Management Guidelines


1.0 WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)?
The Joint Standards Australia/Standards New Zealand handbook for Business Continuity Management
(HB 221: 2004) defines business continuity as follows:
'Business Continuity Management provides the availability of processes and resources in order to ensure
the continued achievement of critical objectives.'
This is an important definition as it identifies both what a well founded approach to BCM must achieve
within DEC as well as the means of achieving it.
For your convenience, a quick reference BCM Help Card is provided at Appendix 10.
Business Continuity Glossary

AS - Australian Standards: The relevant AS are Standards Australia HB 221:2004 on business continuity management and AS/NZS 4360:2004 on risk management.

BCM - Business Continuity Management: BCM provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

BCP - Business Continuity Plan: A BCP is a collection of information and procedures developed, compiled and maintained in readiness for use in the event of an emergency or a disaster. The BCP enables an organisation to manage a major disruption or disaster and resume critical business functions within the required pre-determined time.

BCR - Business Continuity Risk: A BCR is an event that could result in an unacceptable and sudden interruption to a major DEC system or service.

BIA - Business Impact Assessment: A BIA provides analysis of how key disruption risks could affect your business unit's operations and what capabilities are required to manage them.

ICC - Incident Coordination Centre: A DEC-wide ICC will be responsible for coordinating the BCPs across the department in the event of a significant incident. An example of how this ICC may function is provided at Appendix 8.

MAO - Maximum Acceptable Outage: The MAO represents the maximum period of time that your business unit can tolerate the loss of capability of a critical business function, process, asset, or IT application.

R&V - Risk and Vulnerability Analysis: The R&V involves analysing the services your business unit provides, identifying risks that would disrupt the delivery of services and determining whether your business unit is vulnerable to those risks.

RM - Risk Management: RM aims to "manage" (usually reduce) either the likelihood or the impact of a threat.

Who is responsible for BCM within DEC?


DEC's BCM policy and procedures are supported by a top down management structure.

The Director-General is responsible for ensuring:
- the department complies with the requirements of the Department of Premier and Cabinet for NSW government agencies to develop and maintain a Business Continuity Plan (BCP); and
- based on the severity of the business continuity interruption, the Director-General either convenes and chairs, or delegates responsibility for convening and chairing, an Incident Co-ordination Centre (ICC) to manage the incident.

Deputy Directors-General, General Managers, the Chief Information Officer, State Office Directors, Regional Directors and Institute Directors are responsible within their areas for ensuring:
- DEC's Business Continuity Management policy and procedures are implemented, and that their local BCPs are regularly tested and monitored;
- staff are designated with the responsibilities of coordinating the development and maintenance of a local Business Continuity Plan in accordance with the DEC's BCM policy and procedures;
- based on the severity of the business continuity interruption, they participate as a member of an ICC convened to manage the incident;
- an annual report on their areas' BCM performance is completed, approved and forwarded to the Enterprise Risk Management Directorate for collation and submission to the Executive; and
- through their SES performance agreements, they can demonstrate compliance with the department's Business Continuity Management policy and procedures.

The Director, Enterprise Risk Management is responsible for ensuring:
- the department's BCM policy, procedures and guidelines are developed, promulgated and reviewed;
- senior managers are aware of their BCM responsibilities;
- advice is provided to all business areas concerning BCM policy, procedures and reports;
- the department complies with the Department of Premier and Cabinet requirements and corporate policy, procedures and guidelines are monitored and evaluated; and
- annual reports from all business areas on the department's overall BCM performance are collated and the results submitted to the Executive and to the Department of Premier and Cabinet.

The Enterprise Risk Management (ERM) Directorate is responsible for ensuring:
- the DEC policy database and Finance and Administration intranet website provide current advice concerning BCM policy and procedures;
- the Business Continuity Management Reference Group is convened as required;
- a database of the names of the various BCM coordinators is maintained and updated regularly;
- ERM develops and maintains a database of all BCPs;
- ERM develops and maintains a hard copy of all current BCPs;
- ERM coordinates regular reviews of all BCPs;
- ERM provides hard copies to the Director-General and other senior DEC staff; and
- the DEC's and the Department of Premier and Cabinet annual BCM returns are distributed, returned, collated and forwarded on time.

Business Continuity Management coordinators for business areas are responsible for:
- undertaking appropriate BCM training;
- coordinating basic BCM training, and providing advice and information, for other staff in their area;
- coordinating the development, testing and review of their business unit's BCP; and
- liaising with ERM on the BCP for their business unit.

All staff are responsible for:
- following DEC's BCM policy and procedures; and
- participating as a member of their business unit's BCP team.

2.0 WHY IS BCM REQUIRED?


It is both a NSW Treasury strategy and the Department of Premier and Cabinet requirement that all NSW
agencies must have as part of their BCM strategy, a documented and tested BCP in place incorporating
considerations for influenza pandemic planning. The Department of Premier and Cabinet also requires all
agencies to have a documented pandemic response plan. However beyond these inherent obligations, BCM
constitutes good business practice. Some of the benefits of implementing and maintaining an effective BCM
capability are summarised below:
Tangible Benefits
- Compliance with regulatory requirements
- Compliance with contractual requirements and avoidance of liability and penalties
- Compliance with insurance policy conditions
- Reduced operational downtime
- Reduced costs of operating during a disruption
- Reduced losses as a result of a disruption and reduced costs of backlog management
- More cost effective recovery

Intangible Benefits
- Managed exposure to risks of business disruption
- Improved operational resilience to unforeseen events
- Preservation of reputation through ensuring continuity of supply
- Improved efficiency and effectiveness of processes
- Improved staff confidence
- Improved stakeholder confidence
- Improved process understanding



3.0 BCM OBJECTIVES WITHIN DEC
The objectives of BCM for the department are to:
- protect education and training outcomes by identifying and managing where possible any risk to major DEC services and responding promptly to re-establish those services when interruptions occur;
- provide managers with guidelines to enable them to develop a local BCP that identifies and manages potential and actual risks that threaten major DEC systems and services;
- provide staff with a selection of procedures that shall be used to minimise or prevent exposure to business continuity risks;
- ensure that regular tests of BCPs are undertaken, where practical, to ensure the effectiveness and efficiency of the plans; and
- ensure that regular reviews and updates of planned strategies are undertaken to account for changes in critical business systems and services.
These guidelines will assist you to apply the principles of risk management outlined in AS/NZS ISO
31000:2009 Risk Management Principles and Guidelines in a simple step by step approach which will
provide a framework for developing your own BCP. An "action box" is included for each step to indicate
where you are required to complete a template.
The relationship of BCP to other facets of planning within the department is depicted at Appendix 7.

4.0 THE BCM PROCESS


These guidelines are provided to assist each business unit of the department to develop their own BCP,
which should be considered part of your normal business planning process.
The guidelines are written using a worksheet approach, with each completed using the information
gathered from within your business unit. The final worksheet, when completed, is your unit's BCP.
What is the difference between risk management and business continuity management?
Risk management aims to "manage" (usually reduce) either the likelihood or the impact of a threat. This is
different to BCM which provides processes and resources in order to ensure the continual achievement of
central BCM objectives. Hence, risk management addresses the question "how do we reduce our risk?",
whereas business continuity management addresses the question, "what do we do to continue business
operation?"
How do I do it?
It is up to individual business units to develop BCPs according to the services they provide to the department. Although each business unit's needs for a BCP differ, there are some central steps that must be followed. The steps involved in the process are outlined in the following diagram:
Step 1: Commencement
Create awareness about BCM and gain the commitment and support of management and staff for the
implementation and maintenance of the BCP when establishing your business unit's BCM structure.
Step 2: Conduct a Risk and Vulnerability Analysis
Analyse the service(s) your unit provides, identify the risks that would disrupt the delivery of service(s) and
determine whether the unit is vulnerable to those risks.
Step 3: Conduct a Business Impact Assessment
Determine the potential organisational effects of disruptions to your unit and identify the resources required
to continue the unit's operations following these disruptions.
Step 4: Define Response Strategies
Identify emergency response, continuity and recovery strategies to effectively manage those risks.
Step 5: Identify Resource and Interdependency Requirements
Identify, consolidate and map resource requirements from across DEC according to business
priorities and according to the interdependencies with internal and external service providers.
Step 6: Develop Business Continuity Plans
Use the information collected and developed during the BCM process to write BCPs that can be
implemented following an incident.



Step 7: Develop a Communication Strategy
Communicate with internal and external stakeholders on issues regarding documented BCPs and
planned actions prior to and following an incident.
Step 8: Maintain and Test Plans
Continue to test your BCP and ensure it remains relevant and up-to-date.
The following pages provide a more detailed explanation of each of the above steps and include action
boxes, where applicable.
NOTE: Although these guidelines provide assistance at a business unit level, it is intended that there will be
a DEC wide Incident Coordination Centre (ICC) responsible for coordinating the BCPs across the
department in the event of a significant incident. An example of how this ICC may function is provided at
Appendix 8.

5.0 STEP 1: COMMENCEMENT


In accordance with the BCM structure, senior managers should:
- create awareness of BCM within their business unit and gain support for the implementation and ongoing maintenance of BCM;
- ensure that staff are designated with responsibilities for BCM; and
- ensure that a BCP is developed, implemented, regularly tested, reviewed and updated as appropriate.

Senior managers can facilitate this action with their staff by asking:
- 'What is important to the success and sustainability of our business unit?'
- 'What does our business unit depend upon to continue operating?'; and
- 'What might prevent our business unit from achieving its key objectives?'

To help create awareness and understanding within your business unit, consider the following:
- critical objectives, critical success factors and key performance indicators;
- major current and emerging risk exposures;
- critical business functions and processes;
- critical plant, property, assets and other infrastructure;
- critical people and information resources; and
- third party relationships such as with the community, suppliers, partners and regulators.

Senior managers should also analyse past incidents and disruptions that indicate a propensity for future disruption, including:
- occurrences within your business unit;
- occurrences within DEC as a whole;
- prior involvement of key interdependencies, such as suppliers, strategic alliances and other stakeholders; and
- experiences of others within the education industry, government, geographical location, etc.

Senior managers and their staff should identify and agree upon the following:
- the goals and objectives of strategic and operational activities of BCM;
- expected deliverables and outcomes;
- time requirements, demands or constraints;
- resourcing capabilities and limitations;
- geographical extent and boundaries; and
- organisational structure, extent and boundaries.
Action
To assist in the implementation of the Commencement step, a template is provided for information gathering at Appendix 1. Although
the outcome does not form a part of the BCP itself, the output should be retained and filed.



6.0 STEP 2: CONDUCT A RISK AND VULNERABILITY ANALYSIS
It is important to define and understand the environment in which your business unit operates. This allows
your BCP to focus on the critical business processes, including all internal and external providers, which
ensure the unit is able to provide ongoing services to DEC.
It is important for business units to refer to and adopt DEC's Enterprise Risk Management policy which is
posted on DEC's intranet site at the Policies and Procedures link.
In brief, this entails identifying, assessing and treating risks.

6.1 Identifying risks


As part of this stage, an understanding must be gained of the risk management strategy and the focus of the
business unit, as well as its relationship to DEC's core activities. Reference to DEC's annual report can be
useful in focusing your identification of key business activities.
Risk identification can be most effective when undertaken as a brainstorming activity involving staff from
a variety of levels and activities within your business unit. The following points provide background
material for your unit:
- What does my business unit do? i.e. What services does it deliver?
- What inputs, including all internal and external providers, does our business unit depend upon to deliver its services?
- What existing strategies are in place to ensure inputs are maintained?
- What risks could interrupt the inputs to our unit's business?
- What existing strategies are in place to ensure that our unit's services continue?
- What risks could interrupt the services provided by our unit? Refer to the risk identification checklist.

6.2 Assessing risk


Assessment and analysis will provide a priority ranking of the business continuity risks that have been identified in the risk identification. This ranking is used as the basis to develop the business unit's BCP.
There are two criteria for assessing the impact of a risk: the severity and the likelihood of each identified business continuity risk must both be determined.

Determine the severity of the risk
Using the table below, select the most appropriate severity description for each of the risks which have been identified.

Severity Category: Description
Catastrophic: Threatens the long-term viability of the department or business unit. Immediate action required to minimise or mitigate the effect of the impact.
Major: Major degradation of service, impact to multiple areas of the business; would not threaten the viability of the department, but would require significant mobilisation of resources and significant management intervention.
Moderate: Substantial degradation of service, impact to multiple areas of business; can be managed with substantial management intervention.
Minor: Minor degradation of service, impact limited to a single area of the business; management intervention required.
Low: No measurable operational impact to the business.



Determine the likelihood of the risk
Using the table below, select the most appropriate likelihood description for each of the risks which have been identified.

Likelihood (description of likelihood per AS 4360):
- Highly likely (common)
- Likely (often)
- Could happen (sometimes)
- Not likely
- Rare (almost impossible)

Calculate overall risk


The final part of the risk assessment and analysis process is to combine the severity and likelihood scores
for each business continuity risk in order to determine a risk ranking.
The risk ranking matrix below cross-references the severity and likelihood scores for each identified risk.
The resultant risk ranking assists in determining which identified business interruption risks pose the
greatest threats to the business unit or directorate.
Risk Matrix
The risk ranking matrix indicates the following:
- The higher placed ranks (1-6) are considered the greatest risks to the business. These are risks that may require the development and application of specific management strategies.
- Risks ranked 7 to 15 are medium risks and generally need a response strategy to ensure that the controlled risk is acceptable.
- Risks ranked 16 to 25 are considered acceptable risks provided they are periodically reviewed to ensure that conditions have not changed, thereby altering the level of risk.
For the purposes of formulating your business unit's BCP all risks ranked from 1 to 15 are to be considered
for the next stage - Step 3 - Risk Control.
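The ranking step above, worked through in code as an added example (this is not part of the guidelines and not DEC's own tooling). The guidelines' ranking matrix itself is not reproduced in this copy, so the 5 x 5 matrix below is a constructed stand-in in which rank 1 is the worst cell (Catastrophic x Highly likely) and rank 25 the mildest; the bands (1-6 high, 7-15 medium, 16-25 acceptable) and the rule that ranks 1 to 15 are carried forward to the next step are the ones stated in the text. The sample risk register is also constructed.

```python
"""Severity x likelihood risk ranking in the style of Section 6.2.

Added example, not from the guidelines. RANK_MATRIX is a CONSTRUCTED
placeholder for the department's own matrix, which is not shown on the page.
"""
from dataclasses import dataclass

# Category labels as given in the severity and likelihood tables (worst / most likely first).
SEVERITY = ["Catastrophic", "Major", "Moderate", "Minor", "Low"]
LIKELIHOOD = ["Highly likely", "Likely", "Could happen", "Not likely", "Rare"]

# CONSTRUCTED ranking matrix: rows follow SEVERITY, columns follow LIKELIHOOD.
# Every rank 1..25 appears exactly once and ranks worsen (get smaller) toward the top-left.
RANK_MATRIX = [
    [1, 2, 4, 7, 11],
    [3, 5, 8, 12, 16],
    [6, 9, 13, 17, 20],
    [10, 14, 18, 21, 23],
    [15, 19, 22, 24, 25],
]

# Bands stated in the guidelines: 1-6 high, 7-15 medium, 16-25 acceptable.
HIGH_MAX, MEDIUM_MAX, RANK_MAX = 6, 15, 25


@dataclass
class Risk:
    name: str
    severity: str
    likelihood: str


def rank(severity: str, likelihood: str) -> int:
    """Cross-reference the two category labels; unknown labels raise ValueError via .index()."""
    return RANK_MATRIX[SEVERITY.index(severity)][LIKELIHOOD.index(likelihood)]


def band(r: int) -> str:
    """Map a rank to the guidelines' high / medium / acceptable band."""
    if not 1 <= r <= RANK_MAX:
        raise ValueError(f"rank {r} outside 1..{RANK_MAX}")
    if r <= HIGH_MAX:
        return "high"
    if r <= MEDIUM_MAX:
        return "medium"
    return "acceptable"


def assess(register):
    """Rank every risk in the register; returns (name, rank, band) tuples, worst first."""
    scored = [(risk.name, rank(risk.severity, risk.likelihood)) for risk in register]
    scored.sort(key=lambda item: item[1])
    return [(name, r, band(r)) for name, r in scored]


def carry_forward(register):
    """Names of risks ranked 1-15, i.e. those the guidelines send on to the next step."""
    return [name for name, r, _ in assess(register) if r <= MEDIUM_MAX]


# CONSTRUCTED sample register for a hypothetical business unit.
SAMPLE_REGISTER = [
    Risk("Influenza pandemic reduces staff attendance", "Major", "Likely"),
    Risk("Fire forces evacuation of the building", "Catastrophic", "Not likely"),
    Risk("Student records system unavailable", "Major", "Could happen"),
    Risk("Brief power interruption to the office", "Minor", "Could happen"),
    Risk("Loss of a single filing cabinet", "Low", "Rare"),
]

if __name__ == "__main__":
    for name, r, b in assess(SAMPLE_REGISTER):
        print(f"{r:2d}  {b:<10}  {name}")
    print("Carried forward:", carry_forward(SAMPLE_REGISTER))
```

Because the matrix is validated only by inspection, a unit that adopts its own matrix should check that every rank from 1 to 25 appears once and that ranks never improve as severity or likelihood increases; otherwise the band thresholds quoted from the guidelines lose their meaning.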

6.3 Treating risk


There is a common misconception that the only treatment that is required in BCM is the development of the
BCP. This view misses a significant opportunity to proactively enhance the resilience of your business unit
to future disruption (i.e. preventive controls which reduce likelihood). When deciding on treatment of
intolerable risk, consideration should be given to a range of preventive controls in addition to the writing of
plans (i.e. recovery controls which reduce the impact). In some cases, planning may be the primary or only
feasible treatment option (i.e. there may in fact be no practical preventive control option).
Examples of ways in which to treat risk (i.e. reduce either the impact or likelihood of a threat
materialising) include record management practices, data backups, arrangements with external
parties etc.
Action
To assist in the implementation of the Risk Assessment step, a template is provided for information gathering at Appendix 2. Although the outcome does not form a part of the BCP itself, the output should be retained and filed.

7.0 STEP 3: CONDUCT A BUSINESS IMPACT ASSESSMENT


The Business Impact Assessment (BIA) provides an analysis of how key disruption risks could affect your
business unit's operations and what capabilities will be required to manage them. The BIA comprises three
steps:
- identify resources;
- identify interdependencies; and
- determine MAO.



7.1 Identify resources
In this step the current level of resourcing for each critical business function is identified to determine current
capabilities and the potential for future spare capacity or shortfall. It should cover for example the type,
number, location, etc of the following resources:
- People: managers, staff, contractors and consultants currently contributing to the critical business function. Include key roles and responsibilities for each individual and location, contact details, deputies for each position, etc;
- Facilities: identify types of facilities in use currently (for example: 25 workstations in open office, 1 manager's office, 1 meeting room);
- Equipment: identify general office equipment, telecommunications, and any specialised equipment in use (for example computers, filing cabinets, cameras, photocopiers etc);
- IT systems: identify IT systems and applications currently in use;
- Information: identify current information requirements (for example required paper records and electronic documents);
- Budget: identify current budget, cash flow, expenditure and/or revenue requirements;
- Transport: identify transport requirements (for example fleet requirements, vehicle hire and vehicle parking requirements); and
- Other services and assets: identify any other key factors required to support the normal operations of the critical business function (for example couriers, inventory etc).
Once the normal day-to-day resource requirements have been determined, managers should be
challenged to identify which resources are absolutely essential to achieve the level of operation that will
meet the critical business objectives in the event of a disruption. The aim here is to identify the minimum
resourcing that must be made available following a disruption.

7.2 Identify interdependencies


A range of interdependencies will usually need to be identified and mapped, both internally and externally.
The following types of interdependency need to be considered:
- between individual critical business functions within your business unit and across DEC as a whole;
- with key suppliers (including critical infrastructure suppliers such as water, power and telecommunications utilities);
- with key customers;
- with strategic partners;
- with regulators; and
- parties where no current interdependency exists, but could be created following a disruption.
For each of these interdependencies, mapping should include details on: the nature and level of the
interdependency; any critical failure points; contractual conditions; service level agreements and so on. A
common shortcoming of many attempts at mapping interdependencies is neglecting to ensure that people
and resources are mapped against business needs for a minimal level of operation.

7.3 Determine maximum acceptable outages


Maximum acceptable outage (MAO) times should be determined for each of the critical business functions
(down to process level where applicable), key IT applications and other critical assets including human
resources. The MAO time represents the maximum period of time that your business unit can tolerate the
loss of capability of a critical business function, process, asset, or IT application. Note that this should be
determined by the 'owners' of the critical business function.
Action
To assist in the implementation of the MAO step, a template is provided for information gathering at Appendix 3. Although the outcome does not form a part of the BCP itself, the output should be retained and filed.



8.0 STEP 4: DEFINE RESPONSE STRATEGIES
The development of response strategies is concerned with determining how your business unit will react
to an incident, and the manner in which the different elements of this overall response will interact. The
response should include the following broad strategies:
- the emergency response (initial response);
- the continuity response (interim operations); and
- the recovery response (back to normal).
In each case, it is advisable to consider a number of optional responses and then select the most cost
effective option.

8.1 Emergency response phase


The emergency response is the immediate response to the event. It is primarily concerned with the
protection and preservation of life and property. This response could be as simple as the activation of a
building evacuation plan, or as comprehensive as an emergency management strategy involving the
immediate protection of property, people and information across multiple sites or communities.
Typically the development of the emergency response will involve:
- determining regulatory and industry standards' requirements (e.g. for fire evacuation);
- confirming existing emergency response plans and capabilities;
- identifying gaps that require further development;
- identifying triggers for the activation of plans;
- identifying responsibilities for components of the response;
- documenting the strategy including the identity and location of component plans; and
- identifying command, coordination and control requirements for the response.
Note that your unit should already have such emergency management procedures in place (e.g. fire
evacuation procedures).
Action
To assist in deciding when and how to activate, escalate and manage the Emergency response strategy, the flow chart at Appendix 9 is provided.

8.2 Continuity response


The main purpose of the continuity response is to ensure the continued delivery of a minimum acceptable level of performance per the predefined MAOs. There are several important considerations in developing a response in order to determine the level of detail a BCP must contain:
i) Are plans required for:
- critical business functions?
- key processes?
- specific assets, facilities, locations, or other infrastructure?
- key people?; and/or
- key supply relationships?
ii) Another important consideration is to determine the structure of continuity planning and the required documents:
- will one plan or multiple plans be developed?; or
- will plans be developed in a hierarchy with consolidated departmental level plans sitting above local functional plans?
iii) Confirming that the identified critical business functions (or assets, facilities, etc.) are still appropriate. This may lead to the consolidation of one or more business functions into a single critical business function for planning purposes;
iv) Identifying criteria for activating the continuity phase (i.e. triggers); and
v) Identifying criteria for the deactivation, step down, or stand down of the phase.



8.3 Recovery response
The recovery response is aimed at restoring your business unit to a long-term operationally acceptable and
sustainable capability. In developing this response it is necessary to consider what can be practically
identified and planned for and what will be decided on following the actual incident.
An important, though often neglected, consideration is the management of backlogs. As the business is
returned to 'normal' capability there is likely to be a continuing backlog of work that will require attention.
Appropriate strategies should be considered, e.g. engaging additional temporary staff and/or having staff
work overtime.
Action
To assist in the development of Response Strategies, a template is provided at Appendix 4. Although the outcome does not form a part
of the BCP itself, the output should be retained and filed.

9.0 STEP 5: IDENTIFY RESOURCE AND INTERDEPENDENCY REQUIREMENTS


A critical element in determining the most suitable recovery strategy is the identification of the internal
resources that are required to continue business operations following a disruption.
While critical business resources were assessed during the risk assessment and BIA stages, it is necessary
to determine the resources that will be needed to ensure the success of each strategy from Step 4 through to
Step 8.
Some examples of business resources are:
vital records (hard copy and electronic);
contact lists of staff; operating manuals;
procedures manuals;
location of off-site storage facilities;
minimum quantity of IT equipment required (this should already have been identified by your unit);
telecommunications support;
alternate office locations (if required);
a list of staff with expertise required by the business unit;
authority for the payment of emergency expenses; and
minimum quantity of office equipment required.
If your business unit requires a specific product or service from a supplier, a commitment should be
obtained from the supplier that its own BCP is operational and that it can guarantee the ongoing supply of
that product or service in the event that the supplier itself experiences a disruption.
Action
Review and revise your resource lists identified at Appendix 3. Although the outcome does not form a part of the BCP itself, the output
should be retained and filed.

10.0 STEP 6: DEVELOP CONTINUITY PLANS


One of the most important issues in writing a plan for managing a disruption is to ensure that it is written so
that it can be understood and applied by those expected to use it. A plan should be written in such a way that
it could be understood by someone who has not previously seen the document. For certain functions it is
possible that the plan may have to be activated and operated by individuals not fully familiar with the
processes and procedures being employed.

10.1 What to include in your plan


Although for the majority of plans there will be no predetermined standard, as a minimum the following
generic information should be provided:
Current version;
Criteria for activation of the plan (Who has the authority to activate the plan? Who is the backup in
case this person is unavailable? Under what situations will the plan be activated?);
Specific actions and responsibilities;
Resource requirements;
Communications requirements; and

13

B us ine s s C ontinuit y M ana ge me nt Guide li ne s


Contact lists.
Emergency management plans
The detailed content of emergency management plans may be specified by regulations, national
standards (for example fire emergency evacuation plans), or by generally accepted practices (for
example industry specific or local community emergency management plans).
IT recovery plans
IT recovery plans are included within a separate IT Disaster Recovery Plan as maintained by, and available
from, the IT Directorate. Your unit's BCP should not include the technical details of IT recovery but must
determine workaround (perhaps manual) procedures which you will undertake should IT systems not be
successfully recovered as expected.
Business continuity plans
The BCP's content must be developed to reflect your business unit's functions and provide the required
capability to support the achievement of your pre-identified critical business processes within their MAO
times. A number of issues need to be considered in writing the BCP (as listed in the above dot points).
These issues may either be included within the body of the BCP, or in other relevant documents, with their
locations referenced in the BCP.
It is important to maintain effective governance and control during a major business interruption. BCPs must
therefore define explicit control requirements which help ensure that DEC governance policies and
procedures are maintained and applied during an interruption. Considerations should include:
Financial delegations and control;
Insurance claims and management; and
Appropriate communications with stakeholders (refer next section).
Action
To assist you in developing your Business Continuity Plan(s), refer to Appendix 5 for a template. This document is your actual BCP and
brings together the outcomes of each of the prior steps.

11.0 STEP 7: DEVELOP A COMMUNICATIONS STRATEGY


It is vital that communications are considered as one of the highest priorities throughout all BCM activities,
both pre and post event. Your unit's BCP documentation should include formal communication plans with all
stakeholders.

11.1 Identify stakeholders and needs


Communication with stakeholders should be a feature of all stages of the BCM program. However,
following a disruption, there will often be a need to prioritise stakeholders as both audiences and
information sources. A lack of consideration in this respect can adversely impact upon stakeholder
relationships for a considerable time.
Although considerable preplanning can be undertaken, there will always be a number of decisions on
stakeholder communications that can only be made once the nature of the event and its impact become
understood. As part of the communications plan, an initial stakeholder communications matrix should be
developed and included as part of your BCP.
Action
Develop a Stakeholder Communication Matrix and insert it within your BCP(s). Refer to Appendix 6 for guidance.

12.0 STEP 8: MAINTAIN AND TEST PLANS


Plans can date very quickly (particularly contact lists). Even after a few weeks, if not updated, the
effectiveness and relevance of plans begin to deteriorate. Furthermore, although plans may accurately
reflect the status quo, they will remain as pieces of paper unless the relevant people within your business
unit understand them and know how to use them.
Thus three key tasks are required:
Training and awareness;
Testing; and
Maintenance.


12.1 Training and awareness
Staff should understand the need for business continuity, what the plans are for and how to use them. The
capability of staff to undertake these tasks must therefore be maintained, for example through training and
exercising. It is recommended that all staff identified as having a role in the BCP receive appropriate initial
training, and further training whenever a significant change is made to the BCP.
The following items should be covered as part of BCP training:
Objectives and intent of BCP;
Definition of threats and risks covered by the BCP;
Structure of DEC's overall BCP including relationships to Emergency Management Plans;
Roles and responsibilities of various groups involved in BCP; and
Specific roles and responsibilities of the individual being trained.

12.2 Testing
Testing all aspects of the BCP, where practical for your business unit, is critical to the BCP's success. The
type of test you choose for your plan will depend upon the potential impact of your identified business
continuity risks and the environment in which you work. Types of BCP tests include the following:
Structured Walkthrough - The most basic type of test, which takes place in a group meeting setting where
the main purpose is to ensure that critical personnel from all areas are familiar with the BCP. For
example, staff are provided with a handout and work through a predetermined scenario.
Tabletop Drill - The participants choose a specific event scenario and apply the BCP to it. The main
goals here are to practice team interaction, as well as decision-making and problem-solving skills.
Functional Testing - A drill that involves the actual relocation of personnel to another site in an attempt
to establish communications and coordination as defined in the BCP. The main focus here is to test
the business continuity capabilities of groups in an actual recovery situation.
Full-Scale - The most comprehensive type of test. With this test, all or most of the BCP is put into
action. The main goals are to simulate an actual recovery situation as closely as possible. The
exercises in this case usually are longer, and should evolve and develop just as they would in an
actual crisis.
A BCP test can be considered worthwhile only if the results are analysed and compared against your
original objectives, and then acted upon. Ask yourself these important questions:
Were the test objectives completed?
What gaps did we find?
What actions must we take to bridge those gaps?
What approach should we take for our next test?
At a minimum, all BCPs must be tested at least once every year or whenever a significant change is
made to the BCP and all test plans and results must be documented and retained as an audit trail.

12.3 Maintenance
New technology, legal requirements, policy and procedures can all introduce new business continuity
risks. When the way in which your unit performs its business changes, it is important that the BCP is
reviewed and updated to reflect those changes.
Issues which may be considered during a review of your BCP include:
Is the BCP based on a risk analysis assessment that has been conducted and documented?
Has the potential impact of business continuity risks been assessed?
Has the BCP been developed to minimise disruption of services, reduce financial loss, and ensure
timely resumption of normal operations?
Does the BCP include contact details for personnel, vendors, equipment and transportation? and
Do the BCP contact details include names, positions and phone numbers of persons responsible for
the business continuity strategies?
Agencies are required to provide the Department of Premier and Cabinet with an annual report on the testing
and maintenance of their BCPs. Enterprise Risk Management Directorate will coordinate this annual report.
In addition, the department's Audit Directorate may include a review of the management of business
continuity planning as a project on their strategic audit plan. This may include random checks of business
units' BCPs. The Audit Office of New South Wales may also review business continuity planning across the
public sector.

13.0 REFERENCES
DEC's Enterprise Risk Management Policy
DEC's Emergency Planning and Response Policy and Guidelines.
DEC's Pandemic Management Strategy Guidelines.
Australian National Audit Office, Guidelines for Better Business Continuity Management.
Disaster Recovery Institute International, "Professional Practices for Business Continuity Planners", 1997.
Standards Australia, Handbook 221:2004, Business Continuity Management.
Standards Australia, "AS/NZS 4360:2004, Risk Management", 2004.
Attorney General's Department Business Continuity Guide
A E Dwyer, "AMES Novell Office Automation and Support Applications Disaster Recovery Plan - Internal
Audit Program", Department of Education and Training, Audit Directorate, 1997.
Additional information concerning the development of business continuity plans is available by contacting the
Enterprise Risk Management Directorate on telephone number (02) 9561 8840.


14.0 APPENDICES

Appendix 1: Template for Step 1 - Commencement

Columns: Critical business function | Physical location | Critical success factor | Functional interdependencies | Priority | Practical grouping

Guidance for each column:
Critical business function: Title or simple description of the critical business function or process.
Physical location: Identify the location or locations where the activity is conducted.
Critical success factor: Identify what the function is trying to achieve; this may be based on minimum acceptable performance standards or KPIs.
Functional interdependencies: Identify key upstream and downstream interdependencies.
Priority: Determine criticality.
Practical grouping: Identify common groupings of critical business functions, for example those that may be suitable for the conduct of a combined single BIA.

Example entry:
Critical business function: Financial reports and issues for the Executive, TAFE Executive Group, VETAB and BVET
Physical location: Level 3, 35 Bridge St Sydney
Critical success factor: 24 hour access to services; 4 hour response in business hours; 8 hour response after hours
Functional interdependencies: Specialist personnel; support personnel; technology; communications; data; accommodation
Priority: Medium
Practical grouping: Preparation of the DEC and TAFE NSW financial statements in accordance with statutory requirements and accounting standards. Provide financial information and advice to Senior Management.
Appendix 2: Template for Step 2 - Risk & Vulnerability Analysis

Columns: Critical business function | Risk | Existing controls | Impact | Likelihood | Rating | Acceptable risk | Treatment option | Recovery plan required? | Responsibility

Guidance for each column:
Critical business function: Carry forward from Template 1.
Risk: Describe what can go wrong.
Existing controls: What mitigating controls exist?
Impact, Likelihood, Rating, Acceptable risk: Refer to the rating table above.
Treatment option: Accept or reduce?
Recovery plan required?: Yes or no?
Responsibility: Who is responsible for developing the plan?

Example entry:
Critical business function: Financial reports and issues for the Executive, TAFE Executive Group, VETAB and BVET
Risk: Loss of functional IT systems
Existing controls: Nightly data backups
Impact, Likelihood, Rating, Acceptable risk: 13, 18 (only these two values appear in the example)
Treatment option: Reduce
Recovery plan required?: Yes
Responsibility: Director Finance


Appendix 3: Template for Steps 3 and 5 - Business Impact Assessment

Approach
identify critical business functions per business unit;
identify the key resources required to achieve each of these functions;
determine the impact it would have if the function became inoperable; and
rank the results from the perspective of the business unit as a whole.

Example: Administrative Services

Columns: Critical business functions | Impact assessment (1-5 days; 1 month; 3-4 months) | MAO | Key resources required to achieve function

Critical business functions (MAO <24 hours for each):
Provide input into government reforms in public administration.
Provide advice, issue guidelines and maintain comprehensive information on administrative policies and procedures for business areas across DEC through management of the directorate's website.
Manage the rollout of the records management program throughout DEC and maintain the TRIM System.
Maintain and manage the departmental financial and administrative delegations.
Manage the TMF scheme system, monitor the performance of the fund manager, liaise with Treasury, GIO and other educational authorities re premiums, benchmarks etc., manage claims under that scheme, issue guidelines and answer queries on insurance matters.

Key resources required to achieve these functions - applications:
EMAIL (INT) - Email (DEC)
EMAIL (EXT) - Email (Internet)
Internet - Intranet
TRIM - Records Management
JDE-World Finance
ELAPS - Leave Applications/ESS
LMS - Leave Management System
DDS - DEC Directory Services
STMS - Special Transport Management System
CMP - Content Management via Team Site


Appendix 4: Template for Step 4 - Response Strategies

Organisational unit: Finance Department
Location: Level 3, 35 Bridge St Sydney
Contact name: Joe Bloggs
Title: Director Finance
Telephone: 123 4567
Email: Joe.Bloggs@det.nsw.edu.au
Critical business function: Cheque processing
Critical infrastructure: Financial systems and cheque printer
Risk scenario: Loss of access to building
MAO: 48 hours
Response requirement: Establish alternate cheque printing capability to cover the 48 hour period before recovery.
Response option 1: Purchase second cheque printer for recovery site - not favourable
Response option 2: Use a bureau service - favourable
Response option 3: N/A
Recommended option: Use a bureau service
Response objectives: Resume cheque printing to 80% capability within 48 hours.
Detailed description of response:
Notify bureau;
Flat file transfer from DEC to bureau;
Bureau processes file;
Verification and validation by DEC Accounts Officer;
Authorisation to process; and
Cheque collection and distribution.
Preparatory requirements:
Develop list and contact details for approved bureau;
Establish capability for file generation and transfer;
Develop verification and validation process; and
Develop alternatives for cheque collection and distribution.


Appendix 5: Template for Step 6 - Business Continuity Plan

See separate document (in Microsoft Word format)


Business Continuity Plan Template


Appendix 6: Template for Step 7 - Stakeholder Communication Matrix

Columns: Stakeholder | Communication needs | Who | How

Stakeholder: Staff
Communication needs: What has happened and why has it happened? What will happen in the immediate future? Where is assistance available?
Who: Director General
How: Emergency 13xxxx number plus website

Stakeholder: Families
Communication needs: Immediately: What has happened? Who are the staff members involved and are they safe? What does the family do now? Later: How did it happen and what was the cause?

Stakeholder: Local community
Communication needs: Immediately: What has happened? Is it safe? Could it happen again in the near future? Later: What is the department doing to ensure that it does not happen again in the future?

Stakeholder: Customers
Communication needs: What is the impact on product/service delivery and quality? How long will delivery be affected for? How adversely will contractual conditions be affected? Will DET be able to continue trading into the immediate and longer terms (longer term sustainability of supply)? What compensation will be made available? What other alternate sources of the product/service exist?

Stakeholder: Suppliers
Communication needs: Changes to supply requirements. How long will inventory be required to be held for? Capacity for changed pricing. Likely duration of supply impacts. Compensation available under contractual conditions.

Stakeholder: Minister
Communication needs: What has happened and how? What is being done to fix it? What are the impacts on local communities/customers and how are these being managed? When will normal capability and capacity be restored?

Stakeholder: Media
Communication needs: What has happened and how? Who was responsible? Can it happen again? What similar events have happened previously?

Stakeholder: Regulators
Communication needs: What has happened and how? What is being done to fix it? What is being done to prevent it happening again? What is the compliance/capability/performance of other related areas?


Appendix 7: Business Continuity as Part of the Planning Process

(Diagram of the planning hierarchy; the text recovered from it is summarised below.)

NSW Government Policy: sets direction (direction, aspiration, inspiration), expressed as Corporate Goals, Corporate Priorities and Corporate Targets.
DEC Corporate Plan 2011-2013: Objectives, Strategies, Outcomes (updated annually).
Strategic Enabling Plans: Results & Services Plans (RSP); Assets Plan; ICT Plan; Strategic HR Plan; Aboriginal Education Plan.
Other plans shown: Disability Action Plan; EAPS Plan; EEO Plan; Literacy & Numeracy Plan; National Goals for Schooling; National Strategy for VET.
Portfolio Plans (financial year basis, aligned to the Corporate Plan): F&I; OoC; OoE; Public Schools; SR&C; TAFE & CE; WM & SI.
Internal Enabling Plans: School & TAFE Institute Plans; Unit Work Plans; Business Continuity Planning. These relate to the Portfolio Plans and are focused on service delivery within budget.

Appendix 8: Business Interruption - Incident Management Structure

(Organisation chart; the text recovered from it is summarised below.)

Minister's Office
Director-General / Managing Director TAFE NSW
Incident Coordination Centre (ICC). The ICC may include, but is not limited to: Finance; Shared Services; Human Resources; Industrial Relations; Employee Services; Information Technology; Media & Communications; Resources.
Incident Management Teams: roles, responsibilities and functions; formed to respond to specific incidents.
Chief Executive, Office of Education
Chief Executive, Office of Communities
Director Audit
Executive Director Strategic Relations & Communication: responsible for Media, Executive Support, Corporate Marketing, Corporate Communication and Enterprise Risk Management.
DD-G Public Schools: Corporate Functions & 10 Education Regions
DD-G TAFE & Community Education: Corporate Functions & 10 Institutes
DD-G Finance & Infrastructure: Corporate Functions & 10 Regional Corporate Services
DD-G Workforce Management & Systems Improvement: Corporate Functions & 10 Regional Corporate Services

Appendix 9: Business Interruption - Incident Management Process

(Flow chart; the steps recovered from it are listed below in sequence.)

1. Significant Business Interruption Incident Identified.
2. Evaluation: continue to review and assess.
3. Escalation required?
No: Resolve the incident at local level.
Yes: Initiate the Incident Management Process. Process includes: Emergency Procedures; Ownership; Establish Incident Management Teams; Roles & Responsibilities; Incident Coordination Centre; Impact Assessment; Incident Categorisation; Escalation; Notification; Continual Assessment.
4. Management of Incident. Process includes: Recovery Action (Repair); Communication and PR; Media; Business Continuity Management; Forward Planning; Investigation; Legal / Regulatory; Finance; Human Resources; External Organisations; Emergency Services & Local Authority; Specialist Services; Continual Assessment.
5. Incident resolved: Incident Closure Notification.
6. Post Incident Review. Process includes: Formal Review with all Stakeholders; Remedial Strategies; Feedback to Stakeholders; Amendment to BCP.


Appendix 10: BCM Help card

How to Develop your Business Continuity Plan

Step 1
Review the Business Continuity Guidelines (the whole of this document).
Step 2
Risk & Vulnerability Analysis - Refer to Section 6 of this document. Undertake the analysis using the
template at Appendix 2. Note: a separate analysis template should be completed for each critical
business function.
Step 3
Business Impact Assessment - Using your completed Risk & Vulnerability Analysis template, refer to
Section 7 of this document. Complete the BIA template at Appendix 3.
Step 4
Define Response Strategies - Refer to Section 8 of this document. Complete the Response Strategy
template at Appendix 4.
Step 5
Identify Resource and Interdependency Requirements - Refer to Section 9 of this document. Review the
BIA template at Appendix 3.
Step 6
Business Continuity Plan - Using your completed BIA template, refer to Section 10 of this document.
Complete the BCP template at Appendix 5.
Step 7
Develop a Communications Strategy - Refer to Section 11 of this document. Complete the Stakeholder
Communication Matrix template at Appendix 6. When you have finalised your BCP, forward it to the
Enterprise Risk Management Directorate for posting to the department's intranet site.
Step 8
Maintaining and Testing Plans - Refer to Section 12 of this document.

NB: It is imperative that business units are able to refer to a hard copy of their BCP in the event of a
loss of functional IT systems.
