
Business Continuity Management

Summary This Policy Directive is to ensure that the Ministry and associated agencies at 73 Miller Street overcome serious incidents or disasters such as fires, floods, accidents caused by key people, server crashes, or virus infections, insolvency of key suppliers, negative media campaigns and market upheavals and resumes normal operations within a defined period.

Document type Policy Directive

Document number PD2018_045

Publication date 10 December 2018

Author branch Financial Services and Asset Management

Branch contact (02) 9391 9273

Review date 10 December 2021

Policy manual Not applicable

File number H18/60476

Status Active

Functional group Corporate Administration - Asset Management, Finance

Applies to Ministry of Health

Distributed to Ministry of Health

Audience All Ministry and Health employed staff occupying the premises at 73 Miller Street North Sydney

Policy Directive

Secretary, NSW Health

This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.


POLICY STATEMENT

PD2018_045 Issue date: December-2018 Page 1 of 3

BUSINESS CONTINUITY MANAGEMENT

PURPOSE

The Ministry of Health’s ability to fulfil its strategic purpose following a disaster relies heavily on appropriate business continuity procedures being in place (for business operations and IT service delivery).

Business objectives do not change following an event that disrupts business operations. A major disruption cannot be managed through normal day-to-day procedures and resources, requiring additional procedures and resources to restore operations within agreed and acceptable time-frames. Additionally, risk mitigation strategies must be implemented to reduce the likelihood of incurring major disruptions. Refer to PD2015_043 Risk Management - Enterprise-Wide Risk Management Policy and Framework – NSW Health for more details.

Business Continuity Management (BCM) ensures that all necessary measures are taken to maintain operational resilience in the event of a disaster.

Effective BCM ensures that the Ministry of Health maintains:

A level of appropriate operational resilience to support the needs of the business as defined by its corporate objectives

The capability to continue to provide its stakeholders with critical services regardless of any operational disruption and

Appropriate management practices embedded into ‘business as usual’ to ensure that its Business Continuity (BC) capabilities always reflect the needs, technology and structure of the organisation.

This Policy Directive can be updated and amended from time to time by the Ministry of Health at its absolute discretion. Employees will be notified of any changes.

MANDATORY REQUIREMENTS

All necessary measures will be taken to maintain operational resilience for business operations, which includes the IT systems and other services they require.

The level of operational resilience is to be based on how time critical each business activity is to the Ministry of Health’s strategic purpose. Time criticality is a measure related to the magnitude of impact over time caused by a disaster that disrupts the provision of services.

The Ministry of Health maintains a Business Continuity Management System because it has a duty to protect the interests of the organisation and its stakeholders from operational disruption.

Operational resilience measures will ensure that, in the event of a disaster, business activities and IT systems and services will be restored within agreed timeframes to agreed capacity.


To ensure the Ministry of Health adopts BCM best practice, its BCM program will align to the International Standards Organisation (ISO) Security and Resilience standards, including:

ISO22301 – Societal security - Business continuity management systems - Requirements

ISO22313 – Societal security - Business continuity management systems - Guidance

BCI GPG: The Business Continuity Institute Good Practice Guidelines

IMPLEMENTATION

Responsibility

The Deputy Chief Financial Officer is the Accountable Officer and has overall responsibility for Business Continuity Management.

The responsibility and accountability for the management of business continuity rests with the Executive Management Group who must ensure that changes to business operations are reflected in business continuity plans.

BC Manager

The Financial Services & Asset Management Division, as the Business Continuity Manager (owner), has overall responsibility for business continuity across the Ministry of Health.

Disaster Recovery is managed by the IT Director eHealth who has the authority to ensure that emergency response and resumption procedures take priority over any other activities in the event of a disaster, to provide efficient and effective resumption of normal business operations.

The Business Continuity Manager will periodically report to the Executive Management Group.

Emergency Response

The Crisis Management Team (CMT) is responsible for the operational response to an emergency. Responsibilities include:

Communicating with staff, emergency services, Government and third-party suppliers during an emergency

Ensuring that emergency contact lists (internal and external) are kept up-to-date

Collecting all necessary information for damage assessment and recommending a course of action and

Co-ordinating the resumption of normal business operations at ground level.

The Crisis Management Team is led by the CMT Leader.

Managers

All Managers' responsibilities include:

Ensuring that BC procedures for their business activities are current and appropriate to their area of responsibility

Maintaining defined acceptable service levels for their business activities in the event of a disaster


Reporting and coordinating BC procedure updates and testing with the BC Manager and through Internal Audit

Reporting IT-related changes (e.g. new hardware, devices or third-party systems) to IT management

Ensuring that staff are aware of BCM and understand their individual responsibilities in the event of a disaster

Ensuring that new staff are made aware of BCP procedures.

Employees

Ministry of Health and Health Agency employees, contractors and appointees will need to be aware of their responsibilities under this Policy so that they can act effectively in the event of a disaster.

Third Parties

All third-party organisations providing critical products and services are responsible for:

Meeting Service Level Agreements defined by NSW Health and

Maintaining up-to-date BCP/DR capabilities in their own right.

The Business Impact Analysis process will result in the nomination of services deemed critical and the time-frames within which their services must be restored.

REVISION HISTORY

Version: December 2018 (PD2018_045)

Approved by: Deputy Secretary and Chief Financial Officer, Financial Services and Asset Management

Amendment notes: First Policy.

ATTACHMENTS

1. Business Continuity Management: Procedures


Business Continuity Management

PROCEDURES

Issue date: December 2018

PD2018_045


PD2018_045 Issue date: December-2018 Page 2 of 18

CONTENTS

1 BACKGROUND (page 3)
1.1 About this document (page 3)
1.2 Key definitions (page 3)
1.3 Legal and legislative framework (page 3)
2 BCM CULTURE (page 4)
2.1 Assessing (page 4)
2.2 Developing (page 4)
2.3 Monitoring (page 5)
3 BCM LIFE CYCLE (page 5)
3.1 Framework definition (page 5)
3.2 Life cycle overview (page 5)
4 ANALYSIS (page 6)
4.1 Business Impact Analysis (page 6)
4.2 Dependency Analysis (page 7)
4.3 Evaluating Threats via Risk Assessment (page 8)
5 DESIGN (page 8)
5.1 Determining Costed BCM Strategies (page 8)
5.2 Strategic Options (page 9)
5.3 Tactical Options (page 9)
6 IMPLEMENTATION (page 10)
6.1 Implementing Strategies (i.e. BCM Response) (page 10)
6.2 Incident Response (page 10)
6.3 Team structures (page 10)
6.4 Capability implementation (page 11)
6.5 Procedure and Plan creation (page 11)
7 VALIDATION (page 13)
7.1 Exercising (page 13)
7.2 Exercise Roles and Responsibilities (page 13)
7.3 Exercise Methods and Techniques (page 13)
7.4 Exercise program (page 14)
7.5 Define Exercise Program (page 15)
7.6 Individual Exercise Activity (page 16)
7.7 Exercise reporting (page 16)
8 POLICY AND PROGRAM MANAGEMENT (page 17)
8.1 Maintenance and Review (page 17)
8.2 Maintenance program (page 17)
8.3 Reporting (page 18)


1 BACKGROUND

1.1 About this document

This Business Continuity Management (BCM) Framework provides the overall structure, methodology and management attributes for fulfilling NSW Health’s BCM Policy.

NSW Health maintains a Business Continuity Management System because it has a duty to protect the interests of the organisation and its stakeholders from operational disruption.

Managing Business Continuity (BC) is to be considered from two perspectives:

Business as Usual (BAU) – to maintain and exercise the BC capability ensuring readiness for activation; and

Response and Recovery – to deploy a structure of teams tasked with Responding and Restarting business operations when a live disruption strikes.

Business Continuity Management (BCM) is a facilitated process managed by the BC Manager.

1.2 Key definitions

Word/Term – Definition

Business Continuity Management (BCM)

Business Continuity Management. A management process that identifies potential threats to an organisation and the impacts to business operations. BCM builds an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan (BCP)

Business Continuity Plan. A set of procedures and information that will support the recovery of a business process.

Crisis Management Team

The Crisis Management Team (CMT) is responsible for the operational response to an emergency.

Disaster Recovery (DR)

Disaster Recovery involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.

Business Impact Analysis

The Business Impact Analysis (BIA) identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business activities on an organisation and provides data from which appropriate continuity strategies can be determined.

1.3 Legal and legislative framework

BCM Framework (as described in this document) is based on the following references:


ISO22301: Societal security — Business continuity management systems — Requirements

ISO22313: Societal security — Business continuity management systems — Guidance

BCI GPG: The Business Continuity Institute Good Practice Guidelines [1]

2 BCM CULTURE

BCM Culture is about ensuring BC is viewed positively, proactively and supportively. To improve the corporate mindset about BCM, the BCM Culture needs to be improved.

The path to create an appropriate BCM Culture is through awareness which improves beliefs, which improves attitudes which, in turn, improves behaviours.

The Awareness campaign must be:

Visible
o It must have continued support from Executive Management
o Include funding and staff availability to participate in the awareness program.

Inclusive
o It must offer all staff involved in BCM the opportunity to participate in the awareness program.

Focused
o It must relate to supporting the corporate objectives and protecting the individual staff member.

2.1 Assessing

The gaps in awareness and the level of appreciation and commitment to BCM will be assessed and documented.

For example, the BC Manager is to periodically reflect upon experiences during the previous term, including how responsive managers and staff are to attending BC meetings and their commitment to the delivery of quality and timely results.

2.2 Developing

The development of an awareness campaign includes the following steps:

Identify the target audience (e.g. management, employees, new recruits etc.)

Select the delivery style or method

Identify time line and frequency of delivery

Balance factual content with relevance in the work place

Include supporting background and reference information from external sources including:

o Conferences, BC Associations, courses, legislation, regulations, magazines, BC/DR web sites, vendors etc.

[1] The Business Continuity Institute is a global association of accredited practitioners and thought leaders. The BCI is a key contributor to local and international standards. Ref www.thebci.org


Articulate and prioritise the key teaching points for the audience

Pilot the material with a business unit and modify material based on feedback.

2.3 Monitoring

Periodically, the BC Manager will survey the cultural mood and appetite for BCM. The results will drive change in the awareness program to result in an overall improvement in BCM Culture.

3 BCM LIFE CYCLE

A Lifecycle is a recurring management process. NSW Health recognises that Business Continuity is a management discipline and as such will be managed as an ongoing cyclic process with due consideration to this BCM Framework document.

3.1 Framework definition

NSW Health’s BCM Framework (as described in this document) is based on the following references:

ISO22301: Societal security — Business continuity management systems — Requirements

ISO22313: Societal security — Business continuity management systems — Guidance

BCI GPG: The Business Continuity Institute Good Practice Guidelines [2]

By adopting elements from these references, NSW Health’s BCM framework is suited to the specific nature of NSW Health’s business while adopting internationally recognised good practice for BCM. In doing so, NSW Health acknowledges that BCM is philosophically and operationally different from Risk Management (as defined by ISO31000 Risk Management).

In principle, Risk Management is the ongoing process of considering and rating threats (in terms of Consequence and Likelihood) and implementing risk treatment strategies for risks deemed unacceptable.

Business Continuity Management is the ongoing process of considering the impact over time to stakeholders when an operational disruption strikes the organisation and implementing Response and Recovery strategies for activities and resources that deliver an unacceptable impact.

3.2 Life cycle overview

The following diagram is from the BCI Good Practice Guide and represents an internationally accepted structure for BCM.

[2] The Business Continuity Institute is a global association of accredited practitioners and thought leaders. The BCI is a key contributor to local and international standards. Ref www.thebci.org


Fig 1: Life Cycle diagram from BCI Good Practice Guide 2013

4 ANALYSIS

This is the first stage of the BCM Lifecycle. The objective is to review NSW Health in terms of its corporate objectives, how it works operationally and whether there are any constraints in the environment in which it operates. The information collected drives the strategies and capabilities required to manage disruptions which might otherwise result in the inability of the business to continue as a viable entity.

4.1 Business Impact Analysis

The Business Impact Analysis (BIA) is the foundation on which the whole BCM process is built. It identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business activities on an organisation and provides the data from which appropriate continuity strategies can be determined.

While all Business Activities are important, not all are time critical (i.e. urgent) and require a quick recovery.

The BIA process uses:


The definitions of Impact Categories (e.g. Financial, Legal, Reputational etc.)

The scale of impact magnitude (e.g. No Impact to Catastrophic Impact), and

A time frame over which the magnitude of the impact can be assessed.

To identify:

Time-critical Business Activities,

The Maximum Tolerable Period of Disruption (MTPD) before NSW Health fails politically or operationally.

The order in which Business Activities are to be restored; and

The time frame by which Business Activities are to recommence (known as the Recovery Time Objective (RTO)). The RTO is earlier on the timeline than the MTPD and takes into consideration a variety of attributes including the tolerance of the impacted stakeholder once advised of the nature of the incident.

Impact Categories (a BCM construct) are different from, and do not replace, Consequence Categories (a Risk Management construct). Impact Categories focus on describing the magnitude of Impact the Organisation or stakeholders will incur if a Business Activity stops for a period of time – regardless of the cause of the disruption.

4.2 Dependency Analysis

The Resource Dependency Analysis (RDA) identifies the resources required to restart and continue critical Business Activities.

The RDA process identifies:

Resources used by each critical Business Activity

How many of each resource are required to support the Business Activity as it is restored over time

The relationship between Resources and the Business Activity

The relationship between Resources and dependent Resources

To identify:

Time-critical Resources

The order in which Resources are to be restored

The quantities of each Resource that must be delivered to a Business Activity over time

The time-frames (Resource RTO) by which Resources are to be operational and available to Business Activities so that each Business Activity is restarted as per the requirements defined during the BIA.
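The BIA and RDA steps in 4.1 and 4.2 can be carried through numerically. The following is an added worked example, not part of PD2018_045 nor any NSW Health tooling: it scores a few constructed Business Activities on a 0 (No Impact) to 5 (Catastrophic) scale across Impact Categories at each point of an assumed timeline, derives the MTPD as the first point at which any category becomes intolerable (level 4 is an assumption), sets the RTO strictly earlier than the MTPD, orders restoration by RTO, and then propagates each activity RTO through activity-to-resource and resource-to-resource dependencies to obtain Resource RTOs and the cumulative quantity of each Resource due at each point in time. All activity names, scores, resource names and thresholds are constructed for illustration.

```python
"""Worked BIA / RDA calculation (added example, not part of PD2018_045).

All timelines, impact scores, activities and resource names below are constructed.
"""
from dataclasses import dataclass

# Elapsed time points (hours) at which impact magnitude is assessed (constructed).
TIMELINE_H = [0, 4, 8, 24, 48, 72, 168]

# Magnitude scale 0 (No Impact) .. 5 (Catastrophic). Level 4 is taken as the point at
# which the organisation "fails politically or operationally" (assumption).
INTOLERABLE = 4


@dataclass
class Activity:
    name: str
    impact: dict      # impact category -> magnitude at each point of TIMELINE_H
    resources: dict   # resource -> quantity required when the activity restarts


def mtpd_hours(activity, threshold=INTOLERABLE):
    """MTPD: first time point at which any impact category reaches the intolerable
    level; None means the activity is not time critical."""
    for i, t in enumerate(TIMELINE_H):
        if any(levels[i] >= threshold for levels in activity.impact.values()):
            return t
    return None


def rto_hours(mtpd):
    """RTO must be earlier on the timeline than the MTPD: here the latest assessed
    time point strictly before it (0 if the MTPD is immediate)."""
    if mtpd is None:
        return None
    earlier = [t for t in TIMELINE_H if t < mtpd]
    return earlier[-1] if earlier else 0


def resource_rtos(activities, rto, resource_deps):
    """Resource RTO: a resource must be operational no later than the earliest RTO of
    any activity using it, and no later than any resource that depends on it."""
    res_rto = {}
    for a in activities:
        if rto[a.name] is None:      # not time critical: imposes no deadline
            continue
        for r in a.resources:
            res_rto[r] = min(res_rto.get(r, rto[a.name]), rto[a.name])
    changed = True                   # push deadlines down the dependency chain
    while changed:
        changed = False
        for r, deps in resource_deps.items():
            if r not in res_rto:
                continue
            for d in deps:
                if res_rto.get(d, float("inf")) > res_rto[r]:
                    res_rto[d] = res_rto[r]
                    changed = True
    return res_rto


def demand_profile(activities, rto):
    """Cumulative quantity of each resource that must be delivered by each RTO point."""
    demand = {}
    for a in activities:
        if rto[a.name] is None:
            continue
        for r, qty in a.resources.items():
            by_time = demand.setdefault(r, {})
            by_time[rto[a.name]] = by_time.get(rto[a.name], 0) + qty
    for by_time in demand.values():
        running = 0
        for t in sorted(by_time):
            running += by_time[t]
            by_time[t] = running
    return demand


def run_bia_rda():
    """Run the analysis over constructed sample data and return the results."""
    activities = [
        Activity("Public health alerts",
                 {"Reputational": [1, 3, 4, 5, 5, 5, 5], "Legal": [0, 1, 2, 3, 4, 5, 5]},
                 {"email_gateway": 1, "staff_workstations": 3}),
        Activity("Payroll",
                 {"Financial": [0, 0, 1, 2, 3, 4, 5], "Legal": [0, 0, 0, 1, 2, 4, 5],
                  "Reputational": [0, 0, 0, 0, 1, 2, 3]},
                 {"payroll_system": 1, "staff_workstations": 5}),
        Activity("Asset register updates",
                 {"Financial": [0, 0, 0, 0, 1, 2, 3]},
                 {"asset_db": 1}),
    ]
    resource_deps = {                # resource -> resources it depends on (constructed)
        "payroll_system": ["datacentre_network", "identity_service"],
        "email_gateway": ["datacentre_network"],
        "asset_db": ["datacentre_network"],
    }
    mtpd = {a.name: mtpd_hours(a) for a in activities}
    rto = {a.name: rto_hours(mtpd[a.name]) for a in activities}
    order = sorted((n for n in rto if rto[n] is not None), key=lambda n: rto[n])
    return {"mtpd": mtpd, "rto": rto, "order": order,
            "resource_rto": resource_rtos(activities, rto, resource_deps),
            "demand": demand_profile(activities, rto)}


if __name__ == "__main__":
    for key, value in run_bia_rda().items():
        print(f"{key}: {value}")
```

Note that a resource used only by a non-time-critical activity (asset_db above) receives no Resource RTO, and that the shared network resource inherits the tightest deadline of everything above it in the dependency chain; this is the ordering the RDA is meant to surface before strategies are costed.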


4.3 Evaluating Threats via Risk Assessment

This activity identifies measures that can be put in place to reduce the likelihood of interruption to NSW Health’s time-critical Business Activities and the impact, should the risk be realised.

Note: This activity is sequenced after the BIA so that the focus of the Threat Assessment can be on the most time-critical Business Activities.

For details regarding the process to facilitate a Risk Assessment, refer to NSW Health’s Risk Management Framework.

5 DESIGN

The Analysis stage defines the operational requirements for Business Continuity. The Design stage develops the strategies required to deliver these operational requirements.

5.1 Determining Costed BCM Strategies

Strategy development uses the information obtained from the BIA stage to identify and select costed recovery and continuity options. This will enable NSW Health’s activities to become operational following a disruption, before NSW Health’s continued survival is threatened by their loss.

Costed Strategic Options aim to deliver capabilities and arrangements to meet the business requirements defined by the BIA and RDA. In principle:

The BIA sets the requirements for each Business Activity and their:

Relocation to a contingency site; and

Work-arounds when key Resources are not available to the Business Activity Strategies.

The RDA sets the requirements for Resource Recovery through various activities including:

Repair;

Purchase/Replacement; and

Out-source.

Each Strategy option is to be considered from the following three perspectives:

Advantages – the benefits of the strategy in how it will meet the business objective;

Disadvantages – the risks of the strategy in how it might fail to meet the business objective; and

Costs – the funding required by NSW Health to:

o Pre-establish an arrangement or capability to be used in response to a disruption

o Purchase products or services at the time of the disruption


o Purchase products or services over time to support Business Operations over the short to medium term.

NSW Health will review strategy options and, based on its risk appetite, select options delivering the right balance between the cost of Business Recovery and the speed of Business Recovery.

NSW Health will consider the definition of Strategy options in terms of three Recovery Phases:

Continuity – to an initial minimum acceptable level;

Recovery – to a sustainable level; and

Resumption – back to normal level.

5.2 Strategic Options

Strategic options are the high-level ideas that describe the various paths to be taken when a disruption strikes. Consideration is given to:

Diverse Site – The Delivery of a Product or Service from two or more geographically separate sites.

Replication – Replicating the capability at two or more geographically separate sites.

Stand-by Facilities – An alternate environment able to be made operational in a short amount of time when the need arises.

Outsourcing – The transfer of a Business Activity to a third-party organisation.

Post-incident Acquisition – Acquiring a product or service to support the restart of a Business Activity.

Insurance – The delivery of financial compensation to cover business items such as Business Interruption, lost assets, increased cost of working etc.

Do nothing.

5.3 Tactical Options

Tactical options expand each of the accepted Strategic options to a level that describes how the strategy can be implemented. This is the most detailed part of the BCM lifecycle because it relates to:

Logistics for people and resource movement including the transfer of business processes and IT Systems to external partners etc.

Finalising costs of the strategies and defining the mechanisms for making the required payments under potentially stressful conditions.

A key metric in defining tactical options is Time. The restart of Business Activities and the availability of Resources must all be achieved no later than the time-frames defined during the BIA and RDA activities.


6 IMPLEMENTATION

The strategies that deliver the operational requirements for Business Continuity are transformed into capability and arrangements, supported by procedures and plans and underpinned by a management structure suited to, and activated by, a significant operational disruption.

6.1 Implementing Strategies (i.e. BCM Response)

While BCM Strategy Development is about ideas, BCM Strategy Implementation is about converting the ideas into a capability supported by documentation referred to as the Business Continuity Plan.

NSW Health recognises that the actions outlined in the plan are not intended to cover every eventuality as, by their nature, all incidents are different. Procedures may need to be adapted to the specific event that has occurred and the opportunities it may have opened up.

6.2 Incident Response

The key requirements for an effective response are:

Emergency response – the immediate actions taken in response to the emergency e.g. evacuation;

Declaration criteria;

Escalation and control of an incident;

Communication response – internal and external stakeholders; and

Plans to resume interrupted Business Activities.

6.3 Team structures

The response and recovery of business activities after an operational disruption requires a management structure able to provide skilled personnel. Teams are defined with:

Team name and description;

Scope of its responsibilities;

Primary Team Leader;

Secondary Team Leader;

Team Members with contact details.

Teams are defined within a hierarchy in support of a Command and Control structure. In principle, the top layer of the hierarchy is typically made up of Decision Makers and includes the following Teams:

Crisis Management Team;

Corporate Communications Team; and

Legal Team.

The middle layer usually contains Coordinators within a Recovery Director Team.

The lower layer contains the “Doers” and includes:

Property and Facilities Recovery Team;

Business Unit Recovery Team;

Resource Recovery Team;

Site Relocation Management Team;

IT Recovery Team; and

HR Recovery Team.

6.4 Capability implementation

The development of a Strategy usually results in the implementation of arrangements and capabilities to be used when the disruption strikes. The implementation of these capabilities is to be managed via traditional project management techniques which include:

Nominating a project manager;

Allocating a project time-frame;

Making required funding available;

Resourcing the project with suitably experienced staff;

Ensuring the project has the appropriate priority and that project staff are given clear time to fulfil their responsibilities; and

Tracking progress and reporting status to the BCM Manager.

Once implemented, procedures relying on the established arrangements or capabilities will need to be modified to reflect how those arrangements or capabilities are to be accessed or invoked.

6.5 Procedure and Plan creation

Plans represent the documented response of NSW Health to a disruptive incident by facilitating the resumption of Business Activities and the delivery of required Resources. Team members who use the plans will be able to analyse the implications of the incident, select and prioritise the appropriate procedures available in the plan and direct the resumption of business operations.

As such, a Procedure is:

An established or official way of doing something (Oxford Dictionary); and

A series of actions conducted in a certain order or manner (Oxford Dictionary).

And the Plan (of action or attack) is:

An organised program of measures to be taken in order to achieve a goal (Oxford Dictionary).

In summary, a Plan consists of a range of Procedures each presenting a series of tasks to be followed in sequence for Emergency Response, Business Activity recovery or Resource recovery.

Procedures should contain sufficient detail for any operational peer to follow. The procedure document is to be structured to present blocks of information to support the various types of activities to be performed. These include:

Summary of the procedure – Activity or resource name, description, RTO, location, contingency location etc.;

Summary of the strategy – High-level objective, estimated duration to complete the procedure, team responsible for following the procedure and any costs that will be incurred;

Relocation – the re-establishment of a Business Activity at a different location;

Restart – a preparation task after a disaster when a resource is not available that will enable a work-around to commence;

Work-around – the use of alternative resources to generate the output of a Business Activity without the availability of certain other resources;

Restoration – transitioning from a work-around to normal operations after resources are recovered;

Alternative – other work-around or relocation tasks to be performed if conditions prevent a restart or work-around; and

Preparation arrangements – a task to be completed BEFORE a disaster to ensure that the relocation, restart, work-around or restoration tasks can be completed.

Other types of plans may be considered depending on NSW Health’s needs. Plans include: Media, Legal, HR, Salvage & Recovery, Regulator Liaison, Government Liaison etc.

The following attributes describe the writing style that should be used for NSW Health’s procedures:

Audience - Write procedure steps for operational peers;

Tone - Write action steps or instructions to be followed and write with authority;

Completeness - Ensure procedure steps do not leave any obvious gaps;

Clarity - Be crystal clear in the use of words (avoid acronyms) and be explicit about task details where required.

7 VALIDATION

The objective of this stage is to ensure that the capabilities, arrangements, plans, procedures and management structure are proven to work and meet the business-driven requirements for Business Continuity.

7.1 Exercising

Definition: Exercising - A set of movements, tasks etc. designed to train, improve or test one’s ability (Oxford Dictionary).

After significant work in identifying continuity and recovery requirements, it is imperative to prove that NSW Health’s capabilities and procedures meet the business requirements and that staff understand what they will be required to do.

Exercising is not only an opportunity to see the implementation of planning initiatives in a controlled environment, it is also a critical step in educating staff, absorbing feedback and improving the BC program. Exercising drives a continual improvement process and is critical in providing validation of the work performed to date.

Exercising will be a regular part of NSW Health’s overall BCM program as it measures the:

Quality of planning; and

Competence of individuals (including third-party suppliers) by providing training for staff participating in the BC process and awareness for the rest of the organisation by publicising exercises.

7.2 Exercise Roles and Responsibilities

The following roles may be considered for inclusion in an Exercise:

Creator – responsible for developing the scenario and coordinating participants and resources so the Exercise can commence;

Exercise Manager – responsible for guiding the participants through the scenario;

Observer – responsible for documenting issues from which improvements can be identified;

Participant – responsible for treating the Exercise as close to real as possible and enacting the procedures for which they are responsible; and

Partners – responsible for providing accurate input regarding their participation in the Exercise as if it were a real event.

7.3 Exercise Methods and Techniques

NSW Health subscribes to the BCI’s approach as presented in the following table:

Table 1: Test Type from BCI Good Practice Guide 2010

While the intent is to gradually progress through each type of Test, NSW Health understands that it needs to set the level at which it will undertake an Exercise.

7.4 Exercise program

The exercise program includes a variety of activities performed over time to assess how well the BC capabilities, procedures and skill sets integrate to recover and restart business operations after an operational disruption.

NSW Health will undertake a perpetual series of activities consisting of:

Test – typically Pass/Fail for procedures against target timescale;

Rehearsal – focusing on practicing procedures to improve familiarity; and

Exercise – scenario-based events used to assess decision making ability.

Each activity will adhere to the following three criteria:

True to Life - must use the same procedure/process as if the scenario was real;

Pragmatic - must be realistic and use meaningful scenarios (to engage participants); and

Low Risk - must not endanger the business (e.g. operationally or at the detriment to the organisation’s reputation etc.).

The frequency and type of Exercise conducted is dependent on the level of NSW Health’s BC maturity as well as the size and operational complexity of the business. In addition, significant changes within NSW Health may also trigger the need for an Exercise. These triggers include changes to NSW Health’s:

Organisational structure, Geography, Business Activities, Resources, Staffing;

Regulatory requirements; and

External partners.

The BC Manager will facilitate an Exercise program with a cycle period of 12 months.

7.5 Define Exercise Program

The scope of the program for the next 12 months (i.e. Critical Business Activities and Resources only) should also include the following:

The nomination of an annual budget for Exercising;

Assigning an Exercise Management Team:

o Team structure is largely dependent on the nature and specifics of the test;

o Exercise Manager;

o Personnel selected for a team will be one of the following:

Responsible – for making decisions;

Accountable – for delivering / enacting the decision;

Consulted – for advising or deciding; and

Informed – for feedback and understanding.

o Consider including the broader aspects of the exercise i.e.:

HR, Legal, Finance, OH&S and Third-party Suppliers.

Structure

o High frequency of Level 1 and Level 2 Exercises e.g. to be undertaken within one week of a procedure change;

o Medium frequency of Level 3 e.g. one per year for any given Team;

o Low frequency of Level 4 e.g. once per year per group of related IT Systems; and

o Confirm whether Level 5 and Level 6 Exercises will be undertaken.

Exercising must be progressive

o Start with small, simple activities; and

o Build into more comprehensive capability.

7.6 Individual Exercise Activity

Each Exercise will be defined with the following attributes:

Exercise type;

Scenario description;

Date and time scheduled;

Required budget;

Expected duration;

Expected results;

Exercise manager;

Participants;

Exercise scope – identify which Departments, Activities, Resources and Locations are to be included in the Exercise;

Prerequisites/Assumptions; and

Risks – potential damage to NSW Health if the Exercise impacts on the organisation in a material way.

7.7 Exercise reporting

After the conclusion of each Exercise a report will be produced outlining:

Outcomes and issues;

Observations;

Actual expenditure;

Actual duration;

Indication whether the Exercise was completed;

Indication whether the Exercise was successful; and

Recommendations.

Each Exercise report will include a signature panel for sign-off as acknowledgement of the results of the Exercise and the recommendations for improvement/issues for remediation.

If required, the BC Manager may periodically (e.g. yearly) create a report summarising the Exercises of the previous year. The audience of this report may include interested parties such as:

Executive Management/Board Members;

Regulator; and

Auditors.

8 POLICY AND PROGRAM MANAGEMENT

This stage ensures that NSW Health’s BC environment always meets the needs of the business even when the organisation undergoes change.

8.1 Maintenance and Review

In concept, if the BCM process is not reviewed regularly then, over time, a capability gap will grow between the implemented BC capability and the capability NSW Health will need in the future. Usually this gap is identified during exercising; however, that is reactive and indicates that the organisation is already exposed.

The maintenance process is an opportunity to drive BC remediation. Maintenance seeks to identify and document the:

Changes to NSW Health’s environment that impact Business Continuity;

Changes required to maintain BC currency; and

Verification that the required changes have been implemented.

8.2 Maintenance program

The maintenance program includes a variety of activities performed over time to assess and update BC information and capabilities. The frequency of BC Maintenance is:

At least yearly;

More frequently, dependent on:

Changes to the scale, complexity and nature of the business over time;

Maturity of the BC process;

Rate of change of technology;

Relocation of Business Activities to other locations;

Decisions to out-source or in-source Business Activities;

Changes to the strategic direction of NSW Health;

Changes to Third-Party relationships;

Significant change to staff numbers;

Change of stakeholder relationships;

Changes to regulatory / statutory requirements;

Mergers & acquisitions;

Audit recommendations;

Post-disaster event required amendments / improvements; and

Anything else that may cause the BC capability to be out-of-date.

BC Maintenance is a formal process requiring quality time to undertake. The review and required maintenance are to be facilitated by the BC Manager and performed by:

Business Activity Owners;

Resource Owners;

Strategy Owners;

External Relationship Managers;

Plan owners; and

Team leaders.

The BC Manager will facilitate a maintenance program aligned to this BCM Framework with a cycle period of 12 months.

8.3 Reporting

In concert with the Maintenance Program cycle (e.g. yearly), the BC Manager will report the extent to which the BC information landscape is up-to-date. This may be expressed in terms of the percentage of data items reviewed i.e. the number of data items per category (e.g. Business Activities, Resources, Procedures and Policy etc.) divided by the total number of items in the category.

The Maintenance report will include a signature panel for sign-off as acknowledgement of the level of exposure to NSW Health. That is, the lower the number of BC items that have been reviewed and maintained, the higher the risk that the organisation is relying on outdated information.

The audience of the Maintenance report may include interested parties such as:

Management;

Regulator; and

Auditors.