Business Continuity Plan
Review Cycle:
2 Years
Approved on:
Wednesday, 12 July, 2023
Policy Contact:
Executive Principal
Purpose:
This Policy sets out the guiding principles under which Business Continuity is to be developed, implemented and managed to enable Eastern College Australia to establish and maintain an effective level of preparedness to respond to incidents that disrupt normal operations.
Definitions:
| Term | Definition |
|---|---|
| Activity | process or set of processes undertaken by the College (or on its behalf) that produces or supports one or more products or services. |
| BCM Program | ongoing management and governance process supported by the College Executive and appropriately resourced to implement and maintain Business Continuity management. |
| Business Continuity Management (BCM) | capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. |
| Business Continuity Plan (BCP) | a document to be referred to by the affected Faculty or department during a disruptive incident that outlines the steps required to recover. |
| Business Impact Analysis (BIA) | process of analysing activities and the effect that a business disruption might have upon them. |
| College | The College refers to Eastern College Australia |
| Executive | Executive Principal and the Eastern Leadership Team |
| Long-term | This term is applicable upon serious injury or immediate leave being granted, where the employee is unable to continue their role and assume all responsibilities required by the position for a period that exceeds three (3) calendar months. |
| MST | Melbourne School of Theology |
| Permanent | This would occur upon death, permanent injury, immediate resignation or termination, that prevents the person from continuing their role and assuming all responsibilities required by the position. |
| Recovery Time Objective | the period of time following an incident within which an activity must be resumed, or resources must be recovered. |
Scope:
The Eastern College Australia Business Continuity Plan details all critical contact information, procedures and policies related to managing critical incidents and ensuring business continuity at Eastern College Australia.
Statement:
1 Policy
The College is committed to ensuring that an effective business continuity management (BCM) program is implemented to minimise the disruption of activities due to the unavailability of ‘business as usual’ resources, for example but not limited to:
- facilities, e.g. flood, fire, power outage, chemical spill, denial of access
- people, e.g. pandemic/epidemic, industrial action, extreme flu season
- vital records, e.g. electronic and hard copy records
- information and communications technology (ICT), e.g. computer hardware, applications and telecommunications
- equipment, e.g. cold rooms, research equipment, desks and chairs
- externally provided service or resource, e.g. contractors, software vendors
BCM requirements will be assessed via a Risk Analysis (RA) for activities undertaken by all Faculties and departments. Impacts will be assessed by the Risk Management Committee (RMC) in accordance with the College’s Risk Assessment Matrix, which is part of the Eastern College Australia Risk Management Policy.
Activities assessed as having a recovery time objective of 15 days or less are deemed critical activities. Recovery steps for these activities and their associated resources will be included in the College’s Business Continuity Plan (BCP).
Continuity of service provision must be adequately addressed for services, infrastructure, and/or any resources provided by an external party via certification arrangements, service level agreements and/or other contractual arrangements appropriate to the assessed level of risk.
1.1 Accountability
Eastern College Australia’s Executive will demonstrate a high level of commitment to this Policy and support a culture aimed at building organisational resilience through the implementation and continued improvement of preparedness and response capabilities.
- The Chief Operations Officer is responsible for centrally coordinating the BCM program.
- The Critical Incident Management Team (CIMT) will provide strategic direction and oversight for BCM in accordance with the Eastern College Australia Crisis Management Plan. [1]
- The Critical Incident Management Team will provide executive decisions and strategic direction on College priorities when responding to critical incidents affecting the College and managing related Business Continuity responses.
- Directors and the Executive are the custodians of BCM capability within their area. Supported by Support Services, they are responsible for the development, maintenance and validation of their specific BCP information, and for the management of any risks relating to BCM in accordance with the Eastern College Australia Risk Management Policy.
- The IT Manager is responsible for ICT continuity and disaster recovery processes including the alignment of ICT service levels and disaster recovery priority groups with the BIA.
2 Procedures
2.1 Activating a Business Continuity response
Activation of a Business Continuity Management (BCM) response is initiated by the Critical Incident Management Team (CIMT) Leader when an incident disrupts the business as usual operations of the College, and the disruption has breached or threatens to breach the Recovery Time Objective (RTO) of one or more critical activities.
During a Critical Incident the CIMT has responsibility for BCM and will establish a Business Recovery Team (BRT), which is responsible for coordinating the implementation of the Eastern College Australia Business Continuity Plan.
To support a large relocation of activities or staff, the CIMT may need to displace other areas whose activities are deemed non-time-critical in the Business Impact Analysis (BIA) information, in order to access their resources. This may be required to obtain office space or equipment such as computers.
When the situation has been recovered to the point that the CIMT is stood down, the BRT may continue to work with the affected areas and report to the Critical Incident Management Team Leader.
Disruptive incidents that do not require a CIMT response are managed by the local area through implementing the relevant section of the College’s BCP. In these instances, the BRT may provide support.
2.2 ICT Disaster Recovery
ICT disaster recovery is a component of the College's overall business continuity capability. It provides for the timely recovery and restoration of ICT systems and processes, including applications, infrastructure and data resources that support critical activities.
2.3 Business Continuity Program Elements
2.3.1 Policy and Governance
The Business Continuity policy outlines the scope and overarching responsibilities in relation to the management of the College's BCM Program.
2.3.2 Analysis
A Business Impact Analysis (BIA) is the primary information collection and assessment tool in the development of BCM strategies and plans.
The BIA identifies activities performed and measures the impact of a disruption by assessing the impact over time, determining the service level timing and the maximum tolerable period of disruption.
A Recovery Time Objective (RTO) for each activity is drafted and where these meet the scope of the Business Continuity policy, the dependencies and supporting resources are subsequently identified. Activities captured in this step are deemed critical activities.
2.3.3 Design
The information captured and assessed via the BIA process is used to prioritise the restoration of critical activities and set a suitable RTO within the context of broader College activities. Continuity and recovery strategies are then designed to meet the RTO for these activities.
2.3.4 Implementation
The strategies that have been developed at the design stage are documented within the College’s BCP, providing a pre-defined and approved course of action to be initiated in response to an operational disruption.
2.3.5 Validation
Validation of the College's BCM capability is completed annually within the CIMT exercise and periodically through BIA updates, desk checks and simulations. Refer to Table A – Business Continuity Management Validation for more information.
Risks that are identified from the Business Continuity validation program will be evaluated and treated in accordance with the College's Risk and Compliance Management policy and Risk Management Framework.
3 Leadership Continuity
The Executive Principal Succession policy will come into force where there is a permanent or long-term loss of Eastern College Australia’s Executive Principal.
4 Business Continuity Assessment
4.1 Recovery Time Objective Assessment
The Recovery Time Objective Assessment is a pre-crisis tool that ensures Eastern College Australia has an objective understanding of the time and process required to restore critical operations so it can continue day-to-day business functions and limit the financial and reputational risks that are likely from such an event.
Note: This Assessment is to be completed by the Risk Management Committee and reviewed annually.
| | Risk | RTO (Days) |
|---|---|---|
| Property access | Inability to use either of the 2 main entrances to the property. Debris around the property which is hazardous to non-emergency personnel. Power lines down blocking access to the property perimeter road. | 5 |
| Lecture Rooms - usability | Water or smoke damage; Air conditioning not providing fresh air | 5 |
| Administration - usability | Communications - External; Communications - Internal; Reinstatement of resources | 5 |
| Library - usability | Water or smoke damage | 10 |
| Air Conditioning failure (repair) | Air conditioning not providing fresh air | 3 |
| Air Conditioning failure (unrecoverable) | Air conditioning not providing fresh air | 30 |
| Student Files (Paper) | Access to student records for reference; Water or smoke damage | 30 |
| Student Records (Electronic) | Access to student records; Located in the Cloud - Backed up | 2 |
| Executive Principal incapacity | Instability - staff and students; Continuity of decision making and project development and implementation | 5 |
| Electronic Data | All systems would be compromised and unavailable to maintain effective operations. Classes interruption | 1 |
| Email, calendar, notes, contacts (Outlook) | Business interruption to staff and their contact with students, internal and external stakeholders. | 1 |
| Personal work files (Office365) | Loss of productivity and operational developments until systems restored. | 1 |
| Teaching programs (stored & archived) | Classes interruption; Future unit and course development would be hampered if these materials are not available in the medium term. | 5 |
| CIVI CRM | Inability to communicate with donors and friends of the college. Loss of mailing lists which are needed for fundraising and communicating events and activities to students and the broader church community. | 5 |
| Paradigm | Loss of student records until systems are restored. | 3 |
| Reckon (QuickBooks) | Inability to pay staff; Inability to pay our creditors and receive money from debtors (students); Inability for the Board to keep track of Eastern College Australia's financial performance. | 2 |
5 Disaster Recovery Plan
The purpose of Eastern College Australia's Disaster Recovery Plan (DRP) is to recover IT systems and infrastructure that support business processes critical to the organization’s survival. The following items form the basis of the DRP:
5.1 The Recovery Team
The Recovery Team consists of the:
- Critical Incident Management Team (CIMT)
- Executive Principal
- Chief Operations Officer
- IT Manager
- Dean of Faculty & Head of Arts
- Dean of Chinese Faculty
- Dean of Students
Pre-emergency
- Determine primary and back-up Incident Controller
- Determine primary and back-up Recovery Team
- Prepare and review the Disaster Recovery Plan
- Understand the events that may impact Eastern College Australia's business
- Mitigate any impacts before an event occurs
Post-emergency
- Establish & notify employees involved in recovery and clarify roles
- Communicate recovery action steps to all employees
- Compile a report of the actions taken during the emergency for the debrief.
- Collect and evaluate information related to the effectiveness of Eastern College Australia’s recovery plan.
- Attend meetings of the CIMT as appropriate.
5.2 Disaster Recovery Plan Checklist
The following items form the basis of the Disaster Recovery Plan.
5.2.1 Disaster Recovery - Leadership
| | Responsible | Recovery Details |
|---|---|---|
| Loss of Executive Principal | Board | Appoint interim |
5.2.2 Disaster Recovery - Alternate Location
| | Responsible | Recovery Details |
|---|---|---|
| Locate and confirm an alternate recovery location and back-up location | Chief Operations Officer | Staff and Faculty: Work from home. Lectures – Switch Delivery: On campus units switched to Online where possible. On Campus Daytime: TBA (e.g. local churches). On Campus Evening: TBA (e.g. St Andrew’s Christian College) |
| Establish location for an emergency command centre and a back-up location | Chief Operations Officer | Internal - Primary: Chief Operations Officer. Internal - Secondary: Property & Services Manager’s office. External: TBA (e.g. home of Chief Operations Officer) |
5.2.3 Disaster Recovery - Communications
| | Responsible | Recovery Details |
|---|---|---|
| Develop plan to communicate with the Critical Incident Management Team (CIMT) | Chief Operations Officer | WhatsApp group: MST Emergency Evacuation |
| Develop plan to communicate both internally and externally | Chief Operations Officer | Staff and Board email groups established and available through web based Office365. Student email groups – Paradigm. Supplier and critical services contacts available through web based Office365. |
| Create and store employee information: Contact details, employment details. | Chief Operations Officer | Available through web based Office365. |
| Record and store contact information for critical vendors/partners | IT Manager | Available through web based Office365. |
| Determine alternate plan for phone communications | IT Manager | WhatsApp; Mobile services |
| Ensure plan includes multiple methods of communication (text, mobile phone, two-way radio, etc) | IT Manager | |
5.2.4 Disaster Recovery - Employees
| | Responsible | Recovery Details |
|---|---|---|
| Establish plan for emergency transportation | Property & Services Manager | |
| Develop emergency communication/notification system | IT Manager | Designated communications staff: Chief Operations Officer, Property & Services Manager, Executive Principal. Team App. WhatsApp: MST Emergency Evacuation |
| Accommodate people with disabilities in emergency planning | Property & Services Manager | |
5.2.5 Disaster Recovery – Technology & Data
| | Responsible | Recovery Details |
|---|---|---|
| Document technology hardware, software and licensing information | IT Manager | |
| Develop technical recovery procedures to be followed in the event of an interruption | IT Manager | |
| Determine and list individuals/vendors to manage technical recovery | IT Manager | |
| Determine source for back-up technical resources (PCs, servers, printers, etc) | IT Manager | |
| Document critical data to be restored and backup all data at off-site location | IT Manager | |
5.2.6 Disaster Recovery – Operations
| | Responsible | Recovery Details |
|---|---|---|
| Identify the systems that support the organisation’s Essential Functions. | IT Manager; Chief Financial Officer | Servers; CIVI dTracker UGG Boot Paradigm Reckon QB |
| Develop plan to restore Essential Systems in the event of an interruption | IT Manager | |
| Determine employees responsible for restoring each Essential System | IT Manager | |
5.2.7 Disaster Recovery – Suppliers
| | Responsible | Recovery Details |
|---|---|---|
| Develop plan to communicate with vendors and suppliers | Chief Operations Officer | |
| List key clients, suppliers, and critical recovery contacts and store copy(s) offsite | Chief Operations Officer | |
| Assure key vendors and suppliers have actionable recovery plans | Chief Operations Officer | |
| Develop relationships with alternate suppliers in case primary vendors are unavailable | Chief Operations Officer | |
5.2.8 Disaster Recovery – Safety
| | Responsible | Recovery Details |
|---|---|---|
| Assemble Disaster Recovery Kit | Chief Operations Officer | |
| Create an Evacuation Plan | Chief Operations Officer | View ECA Crisis Management Plan |
| Create an Emergency Shelter Plan | Chief Operations Officer | |
5.2.9 Disaster Recovery – Plan Testing & Maintenance
| | Responsible | Recovery Details |
|---|---|---|
| Develop a comprehensive testing methodology for your DR plan | Chief Operations Officer | |
| Conduct a Post Test Review and report results | Chief Operations Officer | |
| Communicate changes in plan to all employees | Chief Operations Officer | |
Approved by:
Owning Body:
Category:
Governance [3]