This policy is current as at 18/08/2018 03:09am, AEST. Please refer to policy library website (https://education.nsw.gov.au/policy-library) for an updated version.

Business Continuity Management Policy

Requirements for managing the effects of severe unexpected events which impact the continuity of the Department’s operations, or threaten the safety and security of people, reputation, brand and value creating activities.

1. Policy statement

1.1

The department provides, funds and regulates education services for NSW students from early childhood to secondary school. Through Aboriginal Affairs, the department works with Aboriginal communities to promote social, economic and cultural wellbeing. The operational, financial, social and political consequences of a major disruption to critical services would be unacceptable.

1.2

This policy and its supporting documents aim to ensure that the department has arrangements in place to prevent, prepare for, respond to and recover from a disruptive event so that critical business functions and services are maintained at an acceptable level.

1.3

Senior executives (deputy secretaries, executive directors or directors) are required to assess and manage the risks of disruption to critical business functions for which they are accountable.

1.4

Senior executives accountable for critical business functions are required to develop, maintain and test Business Continuity Plans (BCPs) at least on an annual basis to ensure that essential services are maintained at an acceptable level during a major disruptive event, and restored to full functionality within an acceptable timeframe.

1.5

Senior executives who are responsible for the delivery of one or more critical business functions are referred to as the Business Continuity Owner (BCO) of their BCP.

1.6

Each BCP must identify the senior executive(s) with the authority to approve and activate (and deactivate) the relevant BCPs in the event of a localised business disruption.

1.7

Each BCP must be approved by the BCO and their deputy secretary.

1.8

In the event of the disruption affecting a number of critical business functions in multiple divisions and affecting the operations of the department as a whole, the Deputy Secretary, Strategy and Evaluation will mobilise the Business Continuity Response Team (BCRT) to activate the department-wide BCP. The BCRT, led by the appointed Incident Controller will prioritise and coordinate the department’s business continuity response and recovery efforts. The department-wide BCP must be approved by the BCRT. The BCRT must activate (and deactivate) the department-wide BCP in the event of a disruption that affects the operations of the department as a whole in accordance with the BCRT Charter.

1.9

When a BCP is activated, senior executives must ensure that the required people, information, facilities, assets and other infrastructure are available to ensure business continuity and recovery. Staff must re-prioritise their efforts to the delivery of critical business functions and services and the recovery of normal business operations. The BCO must also advise Corporate Governance (Strategy and Evaluation) when their BCP is activated as this may inform the activation of the department-wide BCP.

1.10

In the event that the incident endangers or threatens to endanger life, property or the environment, emergency management always takes priority over business continuity arrangements. BCPs are only activated once the health and safety of staff and bystanders have been assured.

1.11

In the event of an emergency, the department is required to implement its Emergency Management Plans (EMPs), as required by the department’s Emergency Management guidelines. Emergency management is handled by the department’s Health and Safety Directorate.

1.12

In the event of an emergency affecting the operations of the department as a whole, the Emergency Planning and Response Committee (EPRC) will coordinate the department’s emergency response.

2. Audience and applicability

2.1

This policy applies to all business units with the department.

3. Context

3.1

The Business Continuity Management policy is an essential element of the department’s broader corporate governance, and Enterprise Risk Management framework.

3.2

This policy is supported by the Business Continuity Management guidelines, toolkit and templates to assist with business continuity planning.

3.3

This policy and guidelines reflect the international standard for business continuity management systems, ISO 22301:2012 and best practice.

3.4

The implementation of this policy is overseen by the Enterprise Risk Management Group and the Audit and Risk Committee.

3.5

Staff also have responsibilities for identifying and managing risk under the department’s Enterprise Risk Management policy, and responsibilities relating to health and safety, emergency response planning and incident notification under the department’s Work Health and Safety policy and Incident Reporting policy.

4. Responsibilities and delegations

Secretary

  • ultimately accountable for risk management in the department, and must attest to NSW Treasury in relation to compliance with the eight core requirements of TPP15-03 Internal Audit and Risk Management Policy for the NSW Public Sector.

Executive Group

  • approve any substantial amendments to the existing Business Continuity Management policy and guidelines tabled by the Deputy Secretary, Strategy and Evaluation.

Deputy Secretary, Strategy and Evaluation

  • approves amendments to the existing Business Continuity Management policy and guidelines or where amendments are substantial, takes an amended policy or guidelines to the Executive Group for approval
  • develops and maintains the department-wide BCP as the Business Continuity Coordinator (BCC) for the department-wide BCP when the plan is not activated.

Deputy Secretaries and Division Heads

  • demonstrate leadership and commitment to business continuity management by:
    • communicating the value and importance of effective business continuity management
    • ensuring that business continuity management and continual improvement are integrated into risk management and business processes
    • ensuring that the resources needed for business continuity management are available
    • ensuring that BCPs are developed and maintained
    • approving BCPs for their division.

Business Continuity Owners (Deputy Secretary, Division Head, Executive Directors or Directors) (BCO)

  • build awareness of this policy, and the value and importance of business continuity management
  • nominate a Business Continuity Coordinator (BCC) and ensure they have the capabilities, training and experience for the role
  • undertake a Business Impact Analysis (BIA) and risk assessment to identify the risks and impacts of disruptive events on critical business functions
  • implement preventative controls and prepare a BCP to manage a disruptive event on critical business functions
  • ensure BCPs and the required resources are available where and when they are needed, and are adequately protected against improper use
  • ensure staff are aware of their roles in the event of a major disruption
  • test and update BCPs (at least) annually
  • advise Corporate Governance Unit (Strategy and Evaluation) when their BCP is activated as this may inform the activation of the department-wide BCP

Business Continuity Coordinators (BCC)

  • Nominated by BCOs as the liaison person for business continuity management within each business unit. BCCs support BCOs to manage disruption-related risks, including developing and maintaining the BCP(s) for the business unit

Government schools

  • under the department’s Work Health and Safety Policy, all government schools must develop an Emergency Management Plan. Additional procedures are also outlined for temporarily ceasing school operations due to an emergency. This includes business continuity arrangements that meet the requirements of this policy.

Staff

  • ensure they are aware of their roles and responsibilities for business continuity management and participate in any training required
  • when a BCP is activated, staff must re-prioritise their efforts to the delivery of critical business functions and services and recovery of normal business operations

Corporate Governance Unit (Strategy and Evaluation)

  • establish and lead the implementation of the department’s Business Continuity Management policy including:
    • providing oversight across the department’s BCPs, including the identification and management of interdependencies
    • supporting BCOs and BCCs by providing high quality guidelines, tools (including business continuity exercises to test the BCP) and training to support good practice
    • reporting business continuity performance and compliance with this policy to the Audit and Risk Committee
    • identifying and implementing continual improvements to the suitability and effectiveness of business continuity management in the department
  • monitor BCPs activated and advise the Deputy Secretary, Strategy and Evaluation to mobilise the BCRT if the disruption affects a number of critical business functions within multiple divisions
  • support the Deputy Secretary, Strategy and Evaluation in its role as BCC for the department-wide BCP.

Business Continuity Response Team (BCRT)

  • The BCRT is comprised of members of the Executive Group.
  • The BCRT, led by the Incident Controller, prioritises and coordinates the department’s business continuity response and recovery efforts where the disruptive event impacts a number of critical business functions across multiple divisions
  • approves the department-wide BCP and authorises the activation and de-activation of the department-wide BCP

Incident Controller

  • appointed by the Secretary to lead the BCRT and coordinate department-wide business continuity management activities. The Incident Controller will be the BCC when the department-wide BCP is activated.

Enterprise Risk Management Group

  • support the development, implementation and continuous improvement of the department’s Business Continuity Management policy and its application within their divisions.

Internal Audit

  • provide assurance to the Secretary and the Audit and Risk Committee on the effectiveness of the Business Continuity Management policy and supporting processes.

Audit and Risk Committee

  • provides independent assistance to the Secretary by monitoring, reviewing and providing advice about the Business Continuity Management policy, supporting documents and processes

5. Monitoring, evaluation and reporting requirements

5.1

The Executive Director of Policy Coordination and Governance is responsible for monitoring the implementation of this policy, and reviewing it (at least) every three years.

6. Contact

6.1

Chief Risk Officer, Corporate Governance, Policy Coordination and Governance, (02) 9561 1029; risk@det.nsw.edu.au

Return to top of page