Business Continuity Management Framework
Business Continuity Management Framework
Business Continuity Management Framework
MANAGEMENT FRAMEWORK
DOCUMENT INFORMATION
VERSION NUMBER: 4
DATE RESCINDED:
Strategic documents are amended from time to time, therefore you should not rely on a
printed copy being the current version. Please consult the Loddon Shire website to
ensure that the version you are using is up to date.
BCM takes an informed approach to managing the risks associated with disruptive events
affecting the delivery of services and critical business functions. This framework defines and
applies best practice BCM methodologies for robust continuity planning to assist with
managing Council service delivery and critical business functions during disruptive events.
The BCM framework is underpinned by Council’s BCM Policy, which outlines the approach
and principles for developing and maintaining a BCM program.
This framework incorporates best practice standards in accordance with the Business
Continuity Institute Good Practice Guidelines 2018 edition and ISO22301:2019 (ISO22301)
Business Continuity Management Systems–Requirements.
An important key to the success of business continuity in any organisation is support and
commitment at the highest level. For this reason, this document has been adopted by
Council.
1 PURPOSE
The purpose of the BCM framework is to provide a detailed, informed, holistic and structured
approach that integrates the BCM lifecycle elements into the key deliverables of Council’s BCM
program. The BCM lifecycle key deliverables include:
providing a clearly defined governance structure which oversees and supports alignment
between BCM Policy and the BCM program
embedding BCM by raising awareness and developing competencies through induction,
communication, training and exercises
conducting a Business Impact Analysis that identifies and prioritises Council’s critical
business functions, estimates timeframes for recovery, resource requirements,
interdependencies and risk assessments
designing solutions for the identified critical business functions that consolidate and
optimise available resources safely, are consistent with all Council policies and are
achievable
implementing solutions by establishing a documented plan for activation and
mobilisation of resources captured in solution design
validating the effectiveness of the BCM program through regular testing and review.
2 OBJECTIVES
In developing and implementing the formal BCM framework, Council has several objectives,
which include:
safeguarding lives, welfare and confidence of all Council stakeholders, including Councillors,
employees, volunteers, contractors, visitors, and the travelling public
safeguarding Council assets
maintaining stakeholder confidence (internal and external)
quickly recovering and resuming Council’s critical business functions, services and activities
mitigating financial loss
identifying measures that help to minimise the potential for disruptive events.
3 BUDGET IMPLICATIONS
There are minor budget implications for management of a BCM program; there may be budget
implications should a disruptive event ever occur. This framework sets out measures aimed to
reduce the potential budget implications of a disruptive event.
4 RISK ASSESSMENT
This framework has been developed to minimise the risks associated with disruptive events.
Risk assessment of the associated disruption scenarios will be consistent with Council’s Risk
Management Policy and Risk Management Framework.
1
5 BUSINESS CONTINUITY MANAGEMENT FRAMEWORK
In order to comply with good practice BCM, Council will establish the following elements:
5.1 Governance
The BCM program has the commitment and endorsement of Council’s Management Executive
Group (MEG). MEG will have oversight of the BC Program and ensure appropriate funding, staff
and training are provided for its ongoing support.
The BCM Policy outlines the governance structure which includes interested parties responsible
for the implementation, monitoring and audit of the BC Program.
Business continuity training for all Business Continuity Team members is essential for an
effective response to a disruptive event. Relevant staff must understand activation trigger points
and maintain competency. Relevant training, for example, desktop training (at a minimum) will
be undertaken on an annual basis and will include alternates for key roles.
The BIA prioritises restoration of these activities in the event of a disruption. It takes into
account tangible financial impacts of a disruption (e.g. increased cost of working, loss of
revenue, fines, and penalties) and intangible and non-financial impacts (e.g. reputational, legal,
regulatory, and customer servicing impact).
BIA’s will be undertaken once per year for each directorate. That is, one directorate per quarter,
as per the advice of the Audit and Risk Committee.
5.3.2 Risk Assessment
The Risk Assessment evaluates and records the critical continuity related vulnerabilities of each
of the identified critical business functions and their activities including potential disruption
scenarios. Risk Assessment will be consistent with Councils Risk Management Policy and
framework.
5.3.3 Documentation
All BIA and Risk Assessment documentation (methods, findings and conclusions) will be up to
date and reflect Council’s current condition, be reviewed annually, and be authorised and
signed off by the MEG.
2
All plans for critical BCM information include:
identified and defined critical business processes, activities and/or functions and the priority
of their restoration
critical success factors, peak periods (e.g. seasonal) and disruption threats
Maximum Tolerable Period of Disruption (MTPD) - Identified maximum period of time that
Council can tolerate the loss of a process or function before a serious impact on operations
or service delivery
Recovery Time Objective (RTO): The anticipated timeframe for actual recovery of the
process and/or function to a minimum acceptable level
Recovery Point Objectives (RPO): Identified data recovery requirements
information technology dependencies
ownership of assets affected by a business continuity event
physical resources available
resources needed if a disruption event occurs
business continuity plan activation, roles, responsibilities and succession plans for
unavailable staff.
Selection of recovery strategies and solutions must be designed to meet the requirements to
recover all disruption related scenarios within the identified time frames thereby limiting the
impact of disruption. Recovery strategies and solutions will aim to:
identify measures that can reduce the likelihood of disruption to prioritised activities
shorten the period of disruption for prioritised activities
ensure the timely restoration of all affected critical activities and resources safely
remain fully up to date and reflect current business requirements, Business Impact Analysis
(BIA) process mapping, timeframes and priorities
be formally reviewed for compliance, with all applicable standards on an annual basis
be up to date, fully documented, reviewed and signed off by MEG.
5.5 Planning
Council will identify and document a Business Continuity Plan (BCP) that will contain the
following elements derived from the recovery strategy and solution outputs:
all information, procedures and processes required for continuity of all critical activities
including the recovery levels that must be achieved over time
assigned roles and responsibilities for activating recovery strategy and solution procedures
contained in the plan
an up to date inventory of the resources required over time to deliver the recovery strategies
clearly identified locations at which recovery can take place.
A formal maintenance program ensures the continued compliance of the BCM program within
the BCM Framework. The maintenance program includes:
review of the entire BCM program
ensuring that all changes and improvements that affect BCM are identified and appropriately
risk assessed
full documentation that ensures up-to-date status of the BCM program and reflects current
requirements.
The roles and responsibilities of key personnel in a business continuity event are:
The Loddon Shire Business Continuity Team Leader is the responsible officer for business
continuity within the Shire.
6.1.1 Pre-event
ensures members of the team are adequately trained
ensures recovery procedures, resources and facilities are readily available
reviews and maintains plans as required by the Business Continuity Framework.
6.1.2 Event
The role can be referred to the Chief Executive Officer in the occurrence of a BC event.
During the BC event, the BC Leader:
o endeavours to ensure employees’ safety at all times
o notifies and updates the Loddon Shire Council Business Continuity Team
o decides on activation and response and recovery of the Business Continuity Plan
o determines where the first meeting of the BCP Team will be held and advise
members
o determines the location of the crisis centre
o guides and makes decisions on behalf of Loddon Shire Council regarding resourcing
and restoration of Council priorities
o conducts media interviews as delegated by CEO or appoints a delegate to this task
with CEO approval
o identifies an alternate to lead the team if unavailable
o determines suitable alternatives to assist with the ongoing response e.g. may co-opt
other members of the business or other suitably qualified external providers
o decides on official stand down of the Loddon Shire Council Business Continuity Plan
(BCP).
6.1.3 Post-event
conducts a post-incident review including debrief and recommendations, following return to
normal business operations, or
engages other suitably qualified external providers to conduct a post-incident Business
Continuity Review.
6.2.1 Pre-event
supports the Business Continuity Team Leader
ensures the Business Continuity Plans are accessible for the Business Continuity Team
members.
6.2.2 Event
ensures key information and events are properly logged
sources and allocates the resources in conjunction with members of the Business Continuity
Team
collates and updates all Team Member Log Sheets.
5
6.2.3 Post-event
participates in post-incident review including debrief and recommendation, following return
to normal business operations
assists in preparing post-incident reports
collates and provides information to form part of any corporate use e.g. Insurance Claim.
6.3.1 Pre-event
commits to attending training in business continuity
reviews critical functions and resources required during update of the Business Continuity
Framework or Business Continuity Plan.
6.3.2 Event
Refers to Community Wellbeing Directorate critical business functions, resources and recovery
strategies in the BCP, and:
advises all managers in the directorate of the business continuity event, and how that will
impact their operations
if necessary, asks managers to contact staff to advise them when and where to attend work
ensures that identified critical business functions within the Community Wellbeing
Directorate are restored to a minimal level as a first priority and supports the directorate in
restoration of services
coordinates the assessment, salvage, and restoration of Community Wellbeing Directorate
functions to minimise the effect of the event on Council operations
identifies an alternate representative for Community Wellbeing Directorate if unavailable,
and ensures they are briefed as required.
6.3.3 Post-event
participates in post incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident reports
collates and provides information to form part of any corporate use e.g. Insurance Claim.
6.4.1 Pre-event
commits to attending training in business continuity
reviews critical functions and resources required during update of the Business Continuity
Framework or Business Continuity Plan.
6.4.2 Event
Refers to Corporate Services Directorate critical business functions, resources and recovery
strategies in the BCP, and:
advises all managers in the directorate of the business continuity event, and how that will
impact their operations
if necessary, asks managers to contact staff to advise them when and where to attend work
ensures that identified critical business functions within the Corporate Services Directorate
are restored to a minimal level as a first priority and supports the directorate in restoration of
services
assesses the submissions from departments of Council for operational resources, and:
o amends to fit the available accommodation
o instructs an authorised officer to obtain resources from the offices and/or depots, or
6
o procures the required resources if offices and/or depots are unable to supply or
unable to be entered
considers any legal issues and seeks appropriate advice as required
identifies an alternate representative for Corporate Services Directorate if unavailable, and
ensures they are briefed as required.
6.4.3 Post-event
participates in post-incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident reports.
6.5.1 Pre-event
commits to attending training in business continuity
reviews critical functions and resources required during update of the Business Continuity
Framework or Business Continuity Plan.
6.5.2 Event
Refers to Operations Directorate critical business functions, resources and recovery strategies
in the BCP, and:
advises all managers in the directorate of the business continuity event, and how that will
impact their operations
if necessary, asks managers to contact staff to advise them when and where to attend work
coordinates and sets up the primary or secondary Business Continuity Centre
validates all decisions concerning any damaged buildings, which includes securing sites,
safety, access control to the site and preparation of technical documentation to assist the
Business Continuity Team
ensures that identified critical business functions within the Operations Directorate are
restored to a minimal level as a first priority and supports the directorate in restoration of
services
refers to the Municipal Emergency Management Plan (MEMP) if the event affects large
proportions of the community e.g. flood
organises all contractual services (carpentry, electrical, electrical, plumbing, and others as
needed) for all temporary premises
identifies an alternate representative for Operations Directorate if unavailable and ensures
they are briefed as required.
6.5.3 Post-event
participates in post-incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident Plan reports
collates and provides information to form part of any corporate use e.g. Insurance Claim.
6.6.1 Pre-event
commits to attending training in business continuity
ensures all staff records are up to date and available.
7
6.6.2 Event
assesses occupational health and safety and welfare issues relating to the event , and
arranges any support services required
coordinates industrial relations issues that may arise out of the event, such as:
o necessity of alternate duties (working outside of classifications)
o employees working extended hours or shifts
o changing lines of supervision as a result of the event
o inconvenience associated with temporary accommodation
provides a list of current employees and long term contractors, and their next of kin details
manages insurance related issues, which include:
o liaison with insurer
o relay of instructions and advice from insurance broker (and their assessor and
underwriter)
o accept, dispute, or negotiate with the broker.
6.6.3 Post-event
participates in post-incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident reports
collates and provides information to form part of any corporate use e.g. insurance claim
prepares insurance claim with the help of the insurance broker.
6.7.1 Pre-event
ensures that the nominated business continuity site (Serpentine Office) is prepared
sufficiently to cater for extra IT capability should an event occur
prepares Serpentine Office IT to ensure that it can be transferred to another site should an
event occur
commits to attending training in business continuity.
develops, maintains and tests accounts on social networks, as per Council’s Social Media
Strategy, to ensure they are operational before an event.
6.7.2 Event
assesses Council’s information and technology requirements and liaise with Council’s IT
contractor as required
ensures that IT functionality is restored as soon as practicable.
6.8.1 Pre-event
member of Council’s Municipal Emergency Management Plan committee
commits to attending training in business continuity.
8
6.8.2 Event
provides management and coordination oversight to the activities and resources of the
Works Department, as instructed by the Business Continuity Team.
6.8.3 Post-event
participates in post-incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident reports.
6.9.1 Pre-event
commits to attending training in business continuity.
6.9.2 Event
provides management and coordination oversight to the activities and resources relating to
buildings, public facilities, and tip sites, as instructed by the Business Continuity Team.
6.9.3 Post-event
participates in post-incident review including debrief and recommendations, following return
to normal business operations
assists in preparing post-incident reports.
7 REPORTING
Business Continuity Management activities including updating plans, staff training and testing
will be reported to the MEG on a regular basis. This will be undertaken at least annually.
9
8 FRAMEWORK COMPLIANCE
This Framework will be updated to reflect changes within Council as they occur. This
Framework will be reviewed annually as part of a formal review process and/or timetable.
9 SCHEDULE OF COMPLIANCE
Internal Review Activity Activity Owner Delivery Timeframe
Annually (as per
policy adopted by
Management Executive Council on 27 July
BCM Policy Review
Group 2021) (This should
be Tri-annually at
the next review)
Management Executive
BCM Framework Review Tri-Annually
Group
Review and update the Business Manager Organisation Tri-Annually
Continuity Plan as required: Development
critical business Directors
information/activities/functions
recovery Strategies
Crisis Communications Procedure Communications Officer Annually
contact details-review and
update:
- Internal contacts
- External contacts.
BCM awareness training to: Manager Organisation Annually
Business Continuity Team Development
Leader
Business Continuity Team
Members
General awareness Business
Continuity training to staff.
Testing: Manager Organisation Annually
desktop Development
simulated test at Risk
Management Committee
Reporting to MEG on: Manager Organisation Annually
status of plan completion Development
and/or updates
number of staff trained in
Business Continuity
Management
number of plans tested and
results of testing.
10
5.4 Recovery strategies $2000 Nil $2000 Council annually
and solutions
5.5 Planning $2000 Nil $2000 Council tri-annually
5.6 Exercise and testing Nil Nil Time Council annually
5.7 Maintenance and Nil Nil Time Council annually
review
11 DEFINITIONS
Abbreviation/word Definition
MTPD - Maximum Tolerable The time it would take for adverse impacts, which might
Period of Disruption arise as a result of not providing a product/service or
performing an activity, to become unacceptable.
BAU - Business as usual BAU is where Council has returned to normal operations
after an incident
BCP (Business Continuity Documented procedures that guide Council to respond,
Plan) recover, resume and restore to a predefined level or
operation following a business continuity event.
RPO - Recovery Point The point to which information used by an activity must be
Objective restored to enable the activity to operate on resumption.
RTO - Recovery Time The period of time following an incident within which a
Objective product or an activity must be resumed or resources must
be recovered.
12 REVIEW
The Manager Organisational Development will review this framework for any necessary
amendments no later than 1 year after adoption of this current version.
11