Document Author
Mr Frank Davies
Director, Enterprise Risk Management
Enterprise Risk Management Directorate
Level 8, 35 Bridge Street
SYDNEY NSW 2000
T. (02) 9561 8840
F. (02) 9561 8630
M. 0418 220 387
E. Frank.Davies@det.nsw.edu.au
COPYRIGHT
All rights reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the permission of the publisher.
Contents
1.0 WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)? ... 4
2.0 WHY IS BCM REQUIRED? ... 5
3.0 BCM OBJECTIVES WITHIN DEC ... 6
4.0 THE BCM PROCESS ... 6
5.0 STEP 1: COMMENCEMENT ... 7
6.0 STEP 2: CONDUCT A RISK AND VULNERABILITY ANALYSIS ... 8
6.1 Identifying risks ... 8
6.2 Assessing risk ... 8
6.3 Treating risk ... 9
7.0 STEP 3: CONDUCT A BUSINESS IMPACT ASSESSMENT ... 9
7.1 Identify resources ... 10
7.2 Identify interdependencies ... 10
7.3 Determine maximum acceptable outages ... 10
8.0 STEP 4: DEFINE RESPONSE STRATEGIES ... 11
8.1 Emergency response phase ... 11
8.2 Continuity response ... 11
8.3 Recovery response ... 12
9.0 STEP 5: IDENTIFY RESOURCE AND INTERDEPENDENCY REQUIREMENTS ... 12
10.0 STEP 6: DEVELOP CONTINUITY PLANS ... 12
10.1 What to include in your plan ... 12
11.0 STEP 7: DEVELOP A COMMUNICATIONS STRATEGY ... 13
11.1 Identify stakeholders and needs ... 13
12.0 STEP 8: MAINTAIN AND TEST PLANS ... 13
12.1 Training and awareness ... 14
12.2 Testing ... 14
12.3 Maintenance ... 14
13.0 REFERENCES ... 15
Business Continuity Terminology

AS - Australian Standards: The relevant AS are Standards Australia HB 221:2004 on business continuity management and AS/NZS 4360:2004 on risk management.

BCM - Business Continuity Management: BCM provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

BCP - Business Continuity Plan.

BCR - Business Continuity Risk: A BCR is an event that could result in an unacceptable and sudden interruption to a major DEC system or service.

BIA - Business Impact Assessment: A BIA provides analysis of how key disruption risks could affect your business unit's operations and what capabilities are required to manage them.

ICC - Incident Coordination Centre: The DEC-wide ICC will be responsible for coordinating the BCPs across the department in the event of a significant incident. An example of how this ICC may function is provided at Appendix 8.

MAO - Maximum Acceptable Outage: The MAO represents the maximum period of time that your business unit can tolerate the loss of capability of a critical business function, process, asset or IT application.

R&V - Risk and Vulnerability Analysis: The R&V involves analysing the services your business unit provides, identifying risks that would disrupt the delivery of services and determining whether your business unit is vulnerable to those risks.

RM - Risk Management: RM aims to "manage" (usually reduce) either the likelihood or the impact of a threat.
Impact categories (intangible benefits)

Catastrophic: Threatens the long-term viability of the department or business unit. Immediate action required to minimise or mitigate the effect of the impact.
Major: Major degradation of service, impact to multiple areas of the business; would not threaten the viability of the department, but would require significant mobilisation of resources and significant management intervention.
Moderate: Substantial degradation of service, impact to multiple areas of the business; can be managed with substantial management intervention.
Minor: Minor degradation of service, impact limited to a single area of the business; management intervention required.
Low: (description not extracted)

Likelihood scale: only the labels "Likely (often)" and "Not likely" survived extraction.
12.2 Testing
Testing all aspects of the BCP, where practical for your business unit, is critical to the BCP's success. The type of test you choose for your plan will depend upon the potential impact of your identified business continuity risks and the environment in which you work. Types of BCP tests include the following:

Structured Walkthrough - The most basic type of test. It takes place in a group meeting setting where the main purpose is to ensure that critical personnel from all areas are familiar with the BCP. For example, staff are provided with a handout and work through a predetermined scenario.

Tabletop Drill - The participants choose a specific event scenario and apply the BCP to it. The main goals here are to practise team interaction, as well as decision-making and problem-solving skills.

Functional Testing - A drill that involves the actual relocation of personnel to another site in an attempt to establish communications and coordination as defined in the BCP. The main focus here is to test the business continuity capabilities of groups in an actual recovery situation.

Full-Scale - The most comprehensive type of test. With this test, all or most of the BCP is put into action. The main goal is to simulate an actual recovery situation as closely as possible. The exercises in this case are usually longer, and should evolve and develop just as they would in an actual crisis.

A BCP test can be considered worthwhile only if the results are analysed and compared against your original objectives, and then acted upon. Ask yourself these important questions:
- Were the test objectives completed?
- What gaps did we find?
- What actions must we take to bridge those gaps?
- What approach should we take for our next test?

All BCPs must be tested at least once every year, or whenever a significant change is made to the BCP, and all test plans and results must be documented and retained as an audit trail.

12.3 Maintenance
New technology, legal requirements, policy and procedures can all introduce new business continuity risks. When the way in which your unit performs its business changes, it is important that the BCP is reviewed and updated to reflect those changes.

Issues which may be considered during a review of your BCP include:
- Is the BCP based on a risk analysis assessment that has been conducted and documented?
- Has the potential impact of business continuity risks been assessed?
- Has the BCP been developed to minimise disruption of services, reduce financial loss, and ensure timely resumption of normal operations?
- Does the BCP include contact details for personnel, vendors, equipment and transportation? and
- Do the BCP contact details include names, positions and phone numbers of persons responsible for the business continuity strategies?

Agencies are required to provide the Department of Premier and Cabinet with an annual report on the testing and maintenance of their BCPs. The Enterprise Risk Management Directorate will coordinate this annual report. In addition, the department's Audit Directorate may include a review of the management of business continuity planning as a project on its strategic audit plan. This may include random checks of business units' BCPs. The Audit Office of New South Wales may also review business continuity planning across the
13.0 REFERENCES
DEC's Enterprise Risk Management Policy.
DEC's Emergency Planning and Response Policy and Guidelines.
DEC's Pandemic Management Strategy Guidelines.
Australian National Audit Office, Guidelines for Better Business Continuity Management (PDF).
Disaster Recovery Institute International, "Professional Practices for Business Continuity Planners", 1997.
Standards Australia, Handbook 221:2004, Business Continuity Management.
Standards Australia, "AS/NZS 4360:2004, Risk Management", 2004.
Attorney General's Department, Business Continuity Guide.
A E Dwyer, "AMES Novell Office Automation and Support Applications Disaster Recovery Plan - Internal Audit Program", Department of Education and Training, Audit Directorate, 1997.

Additional information concerning the development of business continuity plans is available by contacting the Enterprise Risk Management Directorate on telephone number (02) 9561 8840.
Template 1: Business impact assessment (reconstructed from the flattened table)

Columns and guidance:
- Critical business function or process: title or simple description of the critical business function or process
- Physical location: identify the location or locations where the activity is conducted
- Critical success factor
- Functional interdependencies: identify key upstream and downstream interdependencies
- Priority: determine criticality
- Practical grouping

Example row:
- Function: Financial reports and issues for the Executive, TAFE Executive Group, VETAB and BVET
- Physical location: Level 3, 35 Bridge St Sydney
- Critical success factor: 24 hour access to services; 4 hour response in business hours; 8 hour response after hours
- Functional interdependencies: Specialist Personnel, Support Personnel, Technology, Communications, Data, Accommodation
- Priority: Medium

Risk assessment template (reconstructed from the flattened table)

Columns and guidance:
- Critical business function: carry forward from Template 1
- Risk: describe what can go wrong
- Existing controls: what mitigating controls exist?
- Impact: refer table above
- Likelihood: refer table above
- Rating: refer table above
- Acceptable risk: refer table above
- Treatment option: accept or reduce?
- Recovery plan required?: yes or no?
- Responsibility: responsible for developing plan

Example row (cell values in column order as extracted):
- Function: Financial reports and issues for the Executive, TAFE Executive Group, VETAB and BVET
- Risk: Loss of functional IT systems
- Existing controls: Nightly data backups
- Impact, Likelihood, Rating and Acceptable risk: only the values 13 and 18 were extracted
- Treatment option: Reduce
- Recovery plan required?: Yes
- Responsibility: Director Finance
Resource requirements template (only partly recoverable from the extracted layout)

Columns: Approach (1-5 days, 1 month, 3-4 months) and MAO. Every extracted MAO cell reads "<24 hours". One row lists the applications:
- EMAIL (INT) - Email (DEC)
- EMAIL (EXT) - Email (Internet)
- Internet - Intranet
- TRIM - Records Management
- JDE-World Finance
- ELAPS - Leave Applications/ESS
- LMS - Leave Management System
- DDS - DEC Directory Services
- STMS - Special Transport Management System
- CMP - Content Management via Team Site
Continuity response plan template (example)

Organisational unit: Finance Department
Location:
Contact name: Joe Bloggs
Title: Director Finance
Telephone: 123 4567
Email: Joe.Bloggs@det.nsw.edu.au

Cheque processing
Critical infrastructure:
Risk scenario:
MAO: 48 hours
Response requirement: Establish alternate cheque printing capability to cover the 48 hour period before recovery.
Response option 1:
Response option 2:
Response option 3: N/A
Recommended option:
Response objectives:
- Notify bureau;
- Flat file transfer from DEC to bureau;
- Bureau processes file;
- Verification and validation by DEC Accounts Officer;
- Authorisation to process; and
- Cheque collection and distribution.
Preparatory requirements:
Stakeholder communication needs template

Columns: Stakeholder | Communication needs | Who | How

- Staff: Who - Director General; How - Emergency 13xxxx number plus website
- Families: Immediately: What has happened? Who are the staff members involved and are they safe? What does the family do now? Later: How did it happen and what was the cause?
- Local community
- Customers
- Suppliers
- Minister
- Media
- Regulators
[Figure: DEC corporate planning framework] NSW Government Policy sets direction. Corporate Goals, Corporate Priorities and Corporate Targets provide aspiration, inspiration and direction. Internal Enabling Plans: EAPS Plan, EEO Plan. Portfolio Plans (financial year basis, aligned to the Corporate Plan): F&I, OoC, OoE, Public Schools, SR&C, TAFE & CE, WM & SI. School & TAFE Institute Plans and Unit Work Plans relate to the Portfolio Plans and are focused on service delivery within budget.
[Figure: Incident Coordination Centre structure]
- Minister's Office; Director-General; Managing Director TAFE NSW
- Incident Coordination Centre (ICC), which may include but is not limited to: Finance, Shared Services, Human Resources, Industrial Relations, Employee Services, Information Technology, Media & Communications, Resources
- Incident Management Teams: roles, responsibilities and functions; formed to respond to specific incidents
- Chief Executive, Office of Education; Chief Executive, Office of Communities; Director Audit
- Executive Director Strategic Relations & Communication: responsible for Media, Executive Support, Corporate Marketing, Corporate Communication, Enterprise Risk Management
- DD-G Public Schools: Corporate Functions & 10 Education Regions
- DD-G TAFE & Community Education: Corporate Functions & 10 Institutes
- DD-G Finance & Infrastructure: Corporate Functions & 10 Regional Corporate Services
- DD-G Workforce Management & Systems Improvement: Corporate Functions & 10 Regional Corporate Services
[Figure: Incident management process flow]
Significant Business Interruption Incident Identified -> Evaluation (continue to review & assess) -> Escalation required?
- No: Resolve incident at local level.
- Yes: Initiate Incident Management Process -> Management of incident -> Incident resolved -> Incident Closure Notification -> Post Incident Review.

The three process boxes list:
- Initiate Incident Management Process includes: Emergency Procedures, Ownership, Establish Incident Management Teams, Roles & Responsibilities, Incident Coordination Centre, Impact Assessment, Incident Categorisation, Escalation, Notification, Continual Assessment.
- Management of incident includes: Recovery Action (Repair), Communication and PR, Media, Business Continuity Management, Forward Planning, Investigation, Legal / Regulatory, Finance, Human Resources, External Organisations, Emergency Services & Local Authority, Specialist Services, Continual Assessment.
- Post Incident Review includes: Formal Review with all Stakeholders, Remedial Strategies, Feedback to Stakeholders, Amendment to BCP.