Business Continuity Management Policy
This policy sets out the arrangements for the NSW Department of Education to ensure that critical services are maintained and restored following a disruptive event.
A complete revision of the Guidelines.
New toolkit and Business Continuity Plan template.
New Business Continuity Response Team Charter.
Superseded Documents
Updated roles and responsibilities, simplified guidelines, revised toolkit and template and new Business Continuity Response Team charter.
Previously reviewed in 2012 to align with AS/NZS5050:2010.
1. Policy statement
1.1 The department provides, funds and regulates education services for NSW students from early childhood to secondary school. The operational, financial, social and political consequences of a major disruption to critical services would be unacceptable.
1.2 This policy and its supporting documents aim to ensure that the department has arrangements in place to prevent, prepare for, respond to and recover from a disruptive event so that critical business functions and services are maintained at an acceptable level.
1.3 Senior executives (Deputy Secretaries, executive directors or directors) are required to assess and manage the risks of disruption to critical business functions for which they are accountable.
1.4 Senior executives accountable for critical business functions are required to develop, maintain and test business continuity plans (BCPs) at least on an annual basis to ensure that essential services are maintained at an acceptable level during a major disruptive event, and restored to full functionality within an acceptable timeframe. This includes review of their business impact analysis to ensure all relevant critical business functions are captured in their BCP.
1.5 Senior executives who are responsible for the delivery of one or more critical business functions are referred to as the business continuity owner of their BCP.
1.6 Each BCP must identify the senior executive(s) with the authority to approve and activate (and deactivate) the relevant BCPs in the event of a localised business disruption.
1.7 Each BCP must be approved by the business continuity owner and their deputy secretary.
1.8 In the event of a disruption affecting a number of critical business functions in multiple divisions and affecting the operations of the department as a whole, the Executive Director, Policy Coordination and Governance will mobilise the Business Continuity Response Team (BCRT) to activate the department-wide Business Continuity Activation Plan (BCAP). The BCRT, led by the appointed incident controller, will prioritise and coordinate the department’s business continuity response and recovery efforts. The department-wide BCAP must be approved by the BCRT. The BCRT must activate (and deactivate) the department-wide BCAP in the event of a disruption that affects the operations of the department as a whole, in accordance with the BCRT Charter.
1.9 When a BCP is activated, senior executives must ensure that the required people, information, facilities, assets and other infrastructure are available to ensure business continuity and recovery. Staff must re-prioritise their efforts to the delivery of critical business functions and services and the recovery of normal business operations. The business continuity owner must also advise Corporate Governance (Policy Coordination and Governance directorate) when their BCP is activated as this may inform the activation of the department-wide BCAP.
1.10 In the event that the incident endangers or threatens to endanger life, property or the environment, emergency management always takes priority over business continuity arrangements. BCPs are only activated once the health and safety of staff and bystanders have been assured.
1.11 In the event of an emergency, the department is required to implement its emergency management plans, as required by the department’s Emergency Management guidelines. Emergency management is handled by the department’s Health and Safety directorate.
1.12 In the event of an emergency affecting the operations of the department as a whole, the Emergency Planning and Response Committee will coordinate the department’s emergency response.
2. Audience and applicability
2.1 This policy applies to all business units within the department.
3.1 The Business Continuity Management Policy is an essential element of the department’s broader corporate governance and Enterprise Risk Management framework.
3.2 This policy is supported by the Business Continuity Management guidelines, toolkit and templates to assist with business continuity planning.
3.3 This policy and guidelines reflect the international standard for business continuity management systems, ISO 22301:2012 and best practice.
3.4 The Enterprise Risk Management Group and the Audit and Risk Committee oversee implementation of this policy.
3.5 Staff also have responsibilities for identifying and managing risk under the department’s Enterprise Risk Management Policy, and responsibilities relating to health and safety, emergency response planning and incident notification under the department’s Work Health and Safety Policy and Incident Notification and Response Policy.
4. Responsibilities and delegations
- ultimately accountable for risk management in the department, and must attest to NSW Treasury in relation to compliance with the eight core requirements of TPP15-03 Internal Audit and Risk Management Policy for the NSW Public Sector.
- approve any substantial amendments to the existing Business Continuity Management Policy and guidelines tabled by the Deputy Secretary, Strategy and Delivery.
Executive Director, Policy Coordination and Governance
- approves amendments to the existing Business Continuity Management Policy and guidelines or where amendments are substantial, takes an amended policy or guidelines to the Executive Group for approval via the Deputy Secretary, Strategy and Delivery
- develops and maintains the department-wide Business Continuity Activation Plan (BCAP) as the business continuity coordinator for the department-wide BCAP when the plan is not activated.
- demonstrate leadership and commitment to business continuity management by:
- communicating the value and importance of effective business continuity management
- ensuring that business continuity management and continual improvement are integrated into risk management and business processes
- ensuring that the resources needed for business continuity management are available
- ensuring that BCPs are developed and maintained
- approving BCPs for their division.
Business continuity owners (Deputy Secretary, executive directors or directors) (BCO)
- build awareness of this policy, and the value and importance of business continuity management
- nominate a business continuity coordinator and ensure they have the capabilities, training and experience for the role
- undertake a business impact analysis and risk assessment to identify the risks and impacts of disruptive events on critical business functions
- implement preventative controls and prepare a BCP to manage a disruptive event on critical business functions
- ensure BCPs and the required resources are available where and when they are needed, and are adequately protected against improper use
- ensure staff are aware of their roles in the event of a major disruption
- test and update BCPs (at least) annually
- advise Corporate Governance unit (Policy Coordination and Governance directorate) when their BCP is activated as this may inform the activation of the department-wide BCAP.
Business continuity coordinators (BCC)
- nominated by business continuity owners as the liaison person for business continuity management within each business unit. Business continuity coordinators support business continuity owners to manage disruption-related risks, including developing and maintaining the BCP(s) for the business unit.
- under the department’s Work Health and Safety Policy, all government schools must develop an emergency management plan. Additional procedures are also outlined for temporarily ceasing school operations due to an emergency. This includes business continuity arrangements that meet the requirements of this policy.
- ensure they are aware of their roles and responsibilities for business continuity management and participate in any training required
- when a BCP is activated, staff must re-prioritise their efforts to the delivery of critical business functions and services and recovery of normal business operations.
Corporate Governance Unit (Policy Coordination and Governance directorate)
- establish and lead the implementation of the department’s Business Continuity Management Policy including:
- providing oversight across the department’s BCPs, including the identification and management of interdependencies
- supporting business continuity owners and business continuity coordinators by providing high-quality guidelines, tools (including business continuity exercises to test the BCP) and training to support good practice
- reporting business continuity performance and compliance with this policy to the Audit and Risk Committee
- identifying and implementing continual improvements to the suitability and effectiveness of business continuity management in the department
- monitor the activated BCPs and advise the Executive Director, Policy Coordination and Governance to mobilise the BCRT if the disruption affects a number of critical business functions within multiple divisions
- support the Executive Director, Policy Coordination and Governance in their role as business continuity coordinator for the department-wide BCAP.
Business Continuity Response Team (BCRT)
- the BCRT comprises members of the Executive Group
- the BCRT, led by the incident controller, prioritises and coordinates the department’s business continuity response and recovery efforts where the disruptive event impacts a number of critical business functions across multiple divisions
- approves the department-wide BCAP and authorises the activation and de-activation of the department-wide BCAP.
- appointed by the Secretary to lead the BCRT and coordinate department-wide business continuity management activities. The incident controller will be the business continuity coordinator when the department-wide BCAP is activated.
Enterprise Risk Management Group
- support the development, implementation and continuous improvement of the department’s Business Continuity Management Policy and its application within their divisions.
- provide assurance to the Secretary and the Audit and Risk Committee on the effectiveness of the Business Continuity Management Policy and supporting processes.
Audit and Risk Committee
- provides independent assistance to the Secretary by monitoring, reviewing and providing advice about the Business Continuity Management Policy, supporting documents and processes.
5. Monitoring and review
5.1 The Executive Director, Policy Coordination and Governance is responsible for monitoring the implementation of this policy and reviewing it (at least) every three years.
6.1 Chief Risk Officer, Corporate Governance, Policy Coordination and Governance: (02) 7814 1326 firstname.lastname@example.org