
BUSINESS CONTINUITY MANAGEMENT FRAMEWORK
DOCUMENT INFORMATION

DOCUMENT TYPE: Strategic document

DOCUMENT STATUS: Approved

POLICY OWNER POSITION: Manager Organisational Development

INTERNAL COMMITTEE ENDORSEMENT: Audit and Risk Committee; Risk Management Committee

APPROVED BY: Council

DATE ADOPTED: 11/05/2022

VERSION NUMBER: 4

REVIEW DATE: 11/05/2023

DATE RESCINDED:

RELATED STRATEGIC DOCUMENTS, POLICIES OR PROCEDURES: Business Continuity Policy; Business Continuity Plan; Information Technology Disaster Recovery Plan

RELATED LEGISLATION: Business Continuity Institute Good Practice Guidelines – 2018 Edition; ISO22300:2021 Security and Resilience; ISO 22301:2019 Business Continuity Management Systems

EVIDENCE OF APPROVAL: Signed by Chief Executive Officer

FILE LOCATION: K:\EXECUTIVE\Strategies policies and procedures\Strategies - adopted PDF and Word\STR Business Continuity Management Framework V4.docx

Strategic documents are amended from time to time, therefore you should not rely on a
printed copy being the current version. Please consult the Loddon Shire website to
ensure that the version you are using is up to date.

This document is available in alternative formats (e.g. larger font) if requested.


CONTENTS
1 PURPOSE
2 OBJECTIVES
3 BUDGET IMPLICATIONS
4 RISK ASSESSMENT
5 BUSINESS CONTINUITY MANAGEMENT FRAMEWORK
   5.1 Governance
   5.2 Embedding BC Awareness
   5.3 Understanding core components of BCM information
      5.3.1 Business Impact Analysis (BIA)
      5.3.2 Risk Assessment
      5.3.3 Documentation
   5.4 Recovery strategies and solutions
   5.5 Planning
   5.6 Exercise and testing
   5.7 Maintenance and review
6 ROLES AND RESPONSIBILITIES
7 REPORTING
8 FRAMEWORK COMPLIANCE
9 SCHEDULE OF COMPLIANCE
10 DEFINITIONS
11 REVIEW
EXECUTIVE SUMMARY

Business Continuity Management (BCM) is defined as “a holistic management process that identifies potential threats to an organisation and the impacts to business those threats, if realised might cause…” (ISO22300:2021)

BCM takes an informed approach to managing the risks associated with disruptive events
affecting the delivery of services and critical business functions. This framework defines and
applies best practice BCM methodologies for robust continuity planning to assist with
managing Council service delivery and critical business functions during disruptive events.

The BCM framework is underpinned by Council’s BCM Policy, which outlines the approach
and principles for developing and maintaining a BCM program.

This framework incorporates best practice standards in accordance with the Business
Continuity Institute Good Practice Guidelines 2018 edition and ISO22301:2019 (ISO22301)
Business Continuity Management Systems–Requirements.

An important key to the success of business continuity in any organisation is support and
commitment at the highest level. For this reason, this document has been adopted by
Council.
1 PURPOSE
The purpose of the BCM framework is to provide a detailed, informed, holistic and structured
approach that integrates the BCM lifecycle elements into the key deliverables of Council’s BCM
program. The BCM lifecycle key deliverables include:

- providing a clearly defined governance structure which oversees and supports alignment between BCM Policy and the BCM program
- embedding BCM by raising awareness and developing competencies through induction, communication, training and exercises
- conducting a Business Impact Analysis that identifies and prioritises Council’s critical business functions, estimates timeframes for recovery, resource requirements, interdependencies and risk assessments
- designing solutions for the identified critical business functions that consolidate and optimise available resources safely, are consistent with all Council policies and are achievable
- implementing solutions by establishing a documented plan for activation and mobilisation of resources captured in solution design
- validating the effectiveness of the BCM program through regular testing and review.

2 OBJECTIVES
In developing and implementing the formal BCM framework, Council has several objectives,
which include:
- safeguarding lives, welfare and confidence of all Council stakeholders, including Councillors, employees, volunteers, contractors, visitors, and the travelling public
- safeguarding Council assets
- maintaining stakeholder confidence (internal and external)
- quickly recovering and resuming Council’s critical business functions, services and activities
- mitigating financial loss
- identifying measures that help to minimise the potential for disruptive events.

3 BUDGET IMPLICATIONS
There are minor budget implications for management of a BCM program; there may be budget
implications should a disruptive event ever occur. This framework sets out measures aimed to
reduce the potential budget implications of a disruptive event.

4 RISK ASSESSMENT
This framework has been developed to minimise the risks associated with disruptive events.
Risk assessment of the associated disruption scenarios will be consistent with Council’s Risk
Management Policy and Risk Management Framework.

5 BUSINESS CONTINUITY MANAGEMENT FRAMEWORK
In order to comply with good practice BCM, Council will establish the following elements:

5.1 Governance

The BCM program has the commitment and endorsement of Council’s Management Executive
Group (MEG). MEG will have oversight of the BC Program and ensure appropriate funding, staff
and training are provided for its ongoing support.

The BCM Policy outlines the governance structure which includes interested parties responsible
for the implementation, monitoring and audit of the BC Program.

5.2 Embedding BC awareness

Key components for embedding BCM program awareness are:

- including BCM as part of the induction process
- communicating the importance of BCM into Council culture
- planned activities, such as business continuity exercises, that achieve an appropriate level of awareness and which clarify roles and responsibilities
- participative training through involvement in formal training programs for key staff identified in Business Continuity Plans (BCP).

Business continuity training for all Business Continuity Team members is essential for an effective response to a disruptive event. Relevant staff must understand activation trigger points and maintain competency. Relevant training (desktop training at a minimum) will be undertaken annually and will include alternates for key roles.

5.3 Understanding core components of BCM information

5.3.1 Business Impact Analysis (BIA)

The BIA identifies critical business functions and records all skills, resources, services, systems,
infrastructure, interdependencies and supplies (both internal and external) required by each of
these activities. It builds a process map of each function to identify gaps and determine the
impact over time of a business disruption. It estimates the time frames at which not resuming
these activities would become unacceptable to Council and estimates recovery timings.

The BIA prioritises restoration of these activities in the event of a disruption. It takes into
account tangible financial impacts of a disruption (e.g. increased cost of working, loss of
revenue, fines, and penalties) and intangible and non-financial impacts (e.g. reputational, legal,
regulatory, and customer servicing impact).

BIAs will be undertaken once per year for each directorate, that is, one directorate per quarter, as advised by the Audit and Risk Committee.

5.3.2 Risk Assessment

The Risk Assessment evaluates and records the critical continuity-related vulnerabilities of each of the identified critical business functions and their activities, including potential disruption scenarios. Risk Assessment will be consistent with Council’s Risk Management Policy and framework.
5.3.3 Documentation
All BIA and Risk Assessment documentation (methods, findings and conclusions) will be up to
date and reflect Council’s current condition, be reviewed annually, and be authorised and
signed off by the MEG.
All plans for critical BCM information include:

- identified and defined critical business processes, activities and/or functions and the priority of their restoration
- critical success factors, peak periods (e.g. seasonal) and disruption threats
- Maximum Tolerable Period of Disruption (MTPD): the identified maximum period of time that Council can tolerate the loss of a process or function before a serious impact on operations or service delivery
- Recovery Time Objective (RTO): the anticipated timeframe for actual recovery of the process and/or function to a minimum acceptable level
- Recovery Point Objective (RPO): identified data recovery requirements
- information technology dependencies
- ownership of assets affected by a business continuity event
- physical resources available
- resources needed if a disruption event occurs
- business continuity plan activation, roles, responsibilities and succession plans for unavailable staff.

5.4 Recovery strategies and solutions

Recovery strategies and solutions must be selected and designed so that all disruption-related scenarios can be recovered within the identified time frames, thereby limiting the impact of disruption. Recovery strategies and solutions will aim to:

- identify measures that can reduce the likelihood of disruption to prioritised activities
- shorten the period of disruption for prioritised activities
- ensure the timely and safe restoration of all affected critical activities and resources
- remain fully up to date and reflect current business requirements, Business Impact Analysis (BIA) process mapping, timeframes and priorities
- be formally reviewed for compliance with all applicable standards on an annual basis
- be up to date, fully documented, reviewed and signed off by MEG.

5.5 Planning

Council will identify and document a Business Continuity Plan (BCP) that will contain the
following elements derived from the recovery strategy and solution outputs:
- all information, procedures and processes required for continuity of all critical activities, including the recovery levels that must be achieved over time
- assigned roles and responsibilities for activating the recovery strategy and solution procedures contained in the plan
- an up-to-date inventory of the resources required over time to deliver the recovery strategies
- clearly identified locations at which recovery can take place.

The BCP will:

- take full account of and comply with the BCM Framework
- be formally reviewed following each major change that affects strategies
- be securely held on and off site and be readily accessible by all of its potential users through tablet devices or other electronic means
- contain related documents that are up to date and reflect Council’s current requirements
- be reviewed annually.

To support business continuity, Council has developed a supporting Information Technology Disaster Recovery Plan (ITDRP).
5.6 Exercise and testing

Key components of the BCM exercise phase are:

- a formal BCM exercise program covering all operations will be in place, and will be exercised and updated on a regular planned basis. The program ensures that each exercise has clearly defined aims, objectives and success criteria that are formally authorised by the MEG
- an exercise program that ensures each exercise has a post-exercise report with corrective recommendations and a timetable for implementation
- an exercise program that ensures all electronic and paper information, critical systems and telecommunications, recovery worksites, command centre, critical suppliers and outsourced (including third party) recovery capabilities are tested at least annually
- a program that ensures all plans will be tested at least annually as per the International Standard ISO22301:2019 (ISO22301) Business Continuity Management Systems – Requirements and in line with Good Practice Guidelines.

5.7 Maintenance and review

A formal maintenance program ensures the continued compliance of the BCM program within
the BCM Framework. The maintenance program includes:
- review of the entire BCM program
- ensuring that all changes and improvements that affect BCM are identified and appropriately risk assessed
- full documentation that ensures up-to-date status of the BCM program and reflects current requirements.

6 ROLES AND RESPONSIBILITIES

The Business Continuity Team (BCT) will be responsible for leading Council through business continuity events. The BCT will be made up of personnel with the relevant competencies, subject matter expertise and experience to evaluate and assess:

- the nature and scale of a disruption and its potential impact
- the impact against pre-defined thresholds that justify initiation of a formal response
- an appropriate business continuity response
- planned actions that need to be undertaken
- establishing priorities (using life safety as the first priority)
- the effects of the disruption and the organisation’s response
- activation of the business continuity solutions
- communication with relevant interested parties, authorities and the media.

Disruptions requiring an emergency or public health response may require additional resources, sourced either internally or externally, to act as the coordination and liaison point with specialist emergency, public health and municipal agencies.

The key roles within the BCT are:

- Director Corporate Services (Business Continuity Team Leader)
- As delegated (Business Continuity Log Keeper)
- Director Community Wellbeing (Business Continuity Team Member)
- Director Corporate Services (Business Continuity Team Member)
- Director Operations (Business Continuity Team Member)
- Manager Organisation Development (Business Continuity Team Member)
- Manager Information Technology (Business Continuity Team Member)
- Manager Works (Business Continuity Team Member)
- Manager Assets and Infrastructure (Business Continuity Team Member)
- Communications Officer (Business Continuity Team Member)

The roles and responsibilities of key personnel in a business continuity event are:

6.1 Business Continuity Team Leader – Director Corporate

The Loddon Shire Business Continuity Team Leader is the responsible officer for business continuity within the Shire.

6.1.1 Pre-event
- ensures members of the team are adequately trained
- ensures recovery procedures, resources and facilities are readily available
- reviews and maintains plans as required by the Business Continuity Framework.

6.1.2 Event
- the role can be referred to the Chief Executive Officer should a BC event occur. During the BC event, the BC Leader:
  - endeavours to ensure employees’ safety at all times
  - notifies and updates the Loddon Shire Council Business Continuity Team
  - decides on activation, response and recovery of the Business Continuity Plan
  - determines where the first meeting of the BCP Team will be held and advises members
  - determines the location of the crisis centre
  - guides and makes decisions on behalf of Loddon Shire Council regarding resourcing and restoration of Council priorities
  - conducts media interviews as delegated by the CEO, or appoints a delegate to this task with CEO approval
  - identifies an alternate to lead the team if unavailable
  - determines suitable alternatives to assist with the ongoing response, e.g. may co-opt other members of the business or other suitably qualified external providers
  - decides on official stand down of the Loddon Shire Council Business Continuity Plan (BCP).

6.1.3 Post-event
- conducts a post-incident review including debrief and recommendations, following return to normal business operations, or
- engages other suitably qualified external providers to conduct a post-incident Business Continuity Review.

6.2 Business Continuity Plan Log Keeper – As delegated

6.2.1 Pre-event
- supports the Business Continuity Team Leader
- ensures the Business Continuity Plans are accessible for the Business Continuity Team members.

6.2.2 Event
- ensures key information and events are properly logged
- sources and allocates the resources in conjunction with members of the Business Continuity Team
- collates and updates all Team Member Log Sheets.

6.2.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports
- collates and provides information to form part of any corporate use, e.g. Insurance Claim.

6.3 Director Community Wellbeing – Business Continuity Team Member

6.3.1 Pre-event
- commits to attending training in business continuity
- reviews critical functions and resources required during update of the Business Continuity Framework or Business Continuity Plan.

6.3.2 Event
Refers to Community Wellbeing Directorate critical business functions, resources and recovery strategies in the BCP, and:

- advises all managers in the directorate of the business continuity event, and how that will impact their operations
- if necessary, asks managers to contact staff to advise them when and where to attend work
- ensures that identified critical business functions within the Community Wellbeing Directorate are restored to a minimal level as a first priority and supports the directorate in restoration of services
- coordinates the assessment, salvage, and restoration of Community Wellbeing Directorate functions to minimise the effect of the event on Council operations
- identifies an alternate representative for Community Wellbeing Directorate if unavailable, and ensures they are briefed as required.

6.3.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports
- collates and provides information to form part of any corporate use, e.g. Insurance Claim.

6.4 Director Corporate – Business Continuity Team Member

6.4.1 Pre-event
- commits to attending training in business continuity
- reviews critical functions and resources required during update of the Business Continuity Framework or Business Continuity Plan.

6.4.2 Event
Refers to Corporate Services Directorate critical business functions, resources and recovery strategies in the BCP, and:

- advises all managers in the directorate of the business continuity event, and how that will impact their operations
- if necessary, asks managers to contact staff to advise them when and where to attend work
- ensures that identified critical business functions within the Corporate Services Directorate are restored to a minimal level as a first priority and supports the directorate in restoration of services
- assesses the submissions from departments of Council for operational resources, and:
  - amends them to fit the available accommodation
  - instructs an authorised officer to obtain resources from the offices and/or depots, or
  - procures the required resources if offices and/or depots are unable to supply or unable to be entered
- considers any legal issues and seeks appropriate advice as required
- identifies an alternate representative for Corporate Services Directorate if unavailable, and ensures they are briefed as required.

6.4.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports.

6.5 Director Operations – Business Continuity Team Member

6.5.1 Pre-event
- commits to attending training in business continuity
- reviews critical functions and resources required during update of the Business Continuity Framework or Business Continuity Plan.

6.5.2 Event
Refers to Operations Directorate critical business functions, resources and recovery strategies in the BCP, and:

- advises all managers in the directorate of the business continuity event, and how that will impact their operations
- if necessary, asks managers to contact staff to advise them when and where to attend work
- coordinates and sets up the primary or secondary Business Continuity Centre
- validates all decisions concerning any damaged buildings, which includes securing sites, safety, access control to the site and preparation of technical documentation to assist the Business Continuity Team
- ensures that identified critical business functions within the Operations Directorate are restored to a minimal level as a first priority and supports the directorate in restoration of services
- refers to the Municipal Emergency Management Plan (MEMP) if the event affects large proportions of the community, e.g. flood
- organises all contractual services (carpentry, electrical, plumbing, and others as needed) for all temporary premises
- identifies an alternate representative for Operations Directorate if unavailable and ensures they are briefed as required.

6.5.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports
- collates and provides information to form part of any corporate use, e.g. Insurance Claim.

6.6 Manager Organisation Development – Business Continuity Team Member

6.6.1 Pre-event
- commits to attending training in business continuity
- ensures all staff records are up to date and available.

6.6.2 Event
- assesses occupational health and safety and welfare issues relating to the event, and arranges any support services required
- coordinates industrial relations issues that may arise out of the event, such as:
  - necessity of alternate duties (working outside of classifications)
  - employees working extended hours or shifts
  - changing lines of supervision as a result of the event
  - inconvenience associated with temporary accommodation
- provides a list of current employees and long-term contractors, and their next of kin details
- manages insurance-related issues, which include:
  - liaison with the insurer
  - relay of instructions and advice from the insurance broker (and their assessor and underwriter)
  - accepting, disputing, or negotiating with the broker.

6.6.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports
- collates and provides information to form part of any corporate use, e.g. insurance claim
- prepares the insurance claim with the help of the insurance broker.

6.7 Manager Information Technology – Business Continuity Team Member

6.7.1 Pre-event
- ensures that the nominated business continuity site (Serpentine Office) is prepared sufficiently to cater for extra IT capability should an event occur
- prepares Serpentine Office IT to ensure that it can be transferred to another site should an event occur
- commits to attending training in business continuity
- develops, maintains and tests accounts on social networks, as per Council’s Social Media Strategy, to ensure they are operational before an event.

6.7.2 Event
- assesses Council’s information and technology requirements and liaises with Council’s IT contractor as required
- ensures that IT functionality is restored as soon as practicable.

6.7.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports.

6.8 Manager Works – Business Continuity Team Member

6.8.1 Pre-event
- member of Council’s Municipal Emergency Management Plan committee
- commits to attending training in business continuity.

6.8.2 Event
- provides management and coordination oversight to the activities and resources of the Works Department, as instructed by the Business Continuity Team.

6.8.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports.

6.9 Manager Assets and Infrastructure – Business Continuity Team Member

6.9.1 Pre-event
- commits to attending training in business continuity.

6.9.2 Event
- provides management and coordination oversight to the activities and resources relating to buildings, public facilities, and tip sites, as instructed by the Business Continuity Team.

6.9.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports.

6.10 Communications Officer – Business Continuity Team Member

6.10.1 Pre-event
- develops and maintains a standard format for press releases
- ensures that the list of media contacts in the Business Continuity Plan is current.

6.10.2 Event
- ensures Council website and social media are updated with regular and correct information
- ensures print, television, and radio media outlets are updated with regular and correct information
- maintains accurate records of all communications throughout the event
- confirms what can legally be released
- monitors media updates if possible.

6.10.3 Post-event
- participates in post-incident review including debrief and recommendations, following return to normal business operations
- assists in preparing post-incident reports.

7 REPORTING
Business Continuity Management activities including updating plans, staff training and testing
will be reported to the MEG on a regular basis. This will be undertaken at least annually.

8 FRAMEWORK COMPLIANCE
This Framework will be updated to reflect changes within Council as they occur. This
Framework will be reviewed annually as part of a formal review process and/or timetable.

9 SCHEDULE OF COMPLIANCE
| Internal Review Activity | Activity Owner | Delivery Timeframe |
|---|---|---|
| BCM Policy Review | Management Executive Group | Annually (as per policy adopted by Council on 27 July 2021); this should be tri-annually at the next review |
| BCM Framework Review | Management Executive Group | Tri-annually |
| Review and update the Business Continuity Plan as required: critical business information/activities/functions; recovery strategies | Manager Organisation Development; Directors | Tri-annually |
| Crisis Communications Procedure: contact details review and update (internal contacts; external contacts) | Communications Officer | Annually |
| BCM awareness training to: Business Continuity Team Leader; Business Continuity Team Members; general awareness Business Continuity training to staff | Manager Organisation Development | Annually |
| Testing: desktop; simulated test at Risk Management Committee | Manager Organisation Development | Annually |
| Reporting to MEG on: status of plan completion and/or updates; number of staff trained in Business Continuity Management; number of plans tested and results of testing | Manager Organisation Development | Annually |

10 COSTING AND FUNDING OF ACTIONS

The following table summarises the budget impacts identified throughout this document:

| Action | Cost of project | Total expected funding | Net cost to Council | Proposed funding source | Completion timeframe |
|---|---|---|---|---|---|
| 5.2 Embedding BC awareness | $2000 | Nil | $2000 | Council | ongoing |
| 5.4 Recovery strategies and solutions | $2000 | Nil | $2000 | Council | annually |
| 5.5 Planning | $2000 | Nil | $2000 | Council | tri-annually |
| 5.6 Exercise and testing | Nil | Nil | Time | Council | annually |
| 5.7 Maintenance and review | Nil | Nil | Time | Council | annually |

11 DEFINITIONS

| Abbreviation/word | Definition |
|---|---|
| MTPD - Maximum Tolerable Period of Disruption | The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable. |
| BAU - Business as usual | BAU is where Council has returned to normal operations after an incident. |
| BCP (Business Continuity Plan) | Documented procedures that guide Council to respond, recover, resume and restore to a predefined level of operation following a business continuity event. |
| RPO - Recovery Point Objective | The point to which information used by an activity must be restored to enable the activity to operate on resumption. |
| RTO - Recovery Time Objective | The period of time following an incident within which a product or an activity must be resumed or resources must be recovered. |

12 REVIEW
The Manager Organisational Development will review this framework for any necessary
amendments no later than 1 year after adoption of this current version.
