
Business Continuity Management Framework

March 2018


Contents

Introduction
Roles and Responsibilities
  Director-General
  Audit and Risk Management Committee
  Deputy Director-Generals and Direct Executive Reports
  Chief Information Officer, Digital Solutions
  Chief Health Officer
  Executive Director, People and Culture
  Executive Director, Business Support Services
  Division/Branch Executive Director
  Divisional Representative
  Managers/Directors
  All staff
  Contractors/Service Providers
  Delegate Alternatives
Development of Business Continuity Plans
  Storage
  High Level Business Continuity Plans
  Business Unit Business Continuity Plan
Activation of a BCP
  Operational Responses
  Internal Notification
  Response to a Business Interruption Event Declaration
  Critical Infrastructure (Risk Management Relationship)
Recovery Plan
Post Contingency Plan (Debriefing)
Estimated Cost of Implementing the BCM Plan
Exercising or Testing of the BCP
Updating the BCP - other than during an exercise
Evaluation
Related Legislation, Policies and Standards
  Legislation
  Policies
  Standards
  Other documents
Definitions


Introduction

The ACT Health Business Continuity Management Framework (BCM Framework) outlines the planning process for developing prior arrangements and procedures to enable ACT Health to respond to an event in such a manner that critical business functions can continue within planned levels of disruption. ACT Health must continue to deliver essential health services to the ACT community when a Business Interruption Event (BIE) occurs, i.e. an unexpected or non-routine interruption to business (crises, emergencies or disasters).

The BCM Framework considers the role of the Health Emergency Plan (a sub-plan of the ACT Emergency Plan) to manage large health emergencies and aligns with ACT Health’s Internal Emergency Management Plans, which have been developed to manage emergencies involving multiple Business Units across ACT Health facilities.

The BCM Framework supports ACT Health to respond to any contingency impacting upon its operations through activation of Business Continuity Plans (BCPs), including:

Protecting people and property from harm;

Provision of the continuity or resumption of critical functions/services; and

Achieving a timely and orderly return to normal (pre-contingency) levels of operation.

BCM is based on the loss or unavailability of key resources, being human resources, ICT resources, and/or physical resources, regardless of the circumstances. Across ACT Health BCM will assist all Divisions and Branches to be in the highest state of preparedness in the event that a BIE occurs and/or an emergency plan is activated. It ensures that any critical functions are recovered within an acceptable timeframe to minimise disruption to an area achieving its service delivery responsibilities.

BCM enables essential services to be maintained with minimal disruption so the delivery of critical business functions can continue or be resumed as soon as possible following a BIE.

The success of BCM depends on the availability of knowledgeable and adequately trained staff, well-documented procedures and accessible information, reliable and sufficient resources, including Information Technology (IT) and outsourced services.

The BCM Framework:

Applies to all ACT Health Divisions and Branches that deliver a critical function, including acute and non-acute, in accordance with all relevant legislative requirements; and

Outlines ACT Health’s response following the declaration of a Business Interruption Event (BIE).

ACT Health has implemented a two-level approach to assure the success of business continuing during a non-routine interruption to critical services should a BIE occur:

1. High Level BCPs – to provide direction and guidance for BIEs affecting ACT Health’s critical services, for example:

When there is an interruption to essential utilities (e.g. power, water, electricity) and/or supply chain services (linen, sterilising, waste) that impact on the delivery of critical business functions; and

For situations that must be managed across a number of Business Units or health sites e.g. the evacuation of an entire building or a hospital ward.

2. Business Unit BCPs – are linked to the unit’s business plan and developed to meet the individual needs of a service or Business Unit to:

Support their critical business functions; and

Support any ICT applications utilised by a Business Unit (can be attached to the Business Unit BCPs or sit separately as a specific ICT BCP).

High quality maintenance of BCPs, as well as regular testing, will assist Business Units to meet the following objectives:

Maintaining the safety and wellbeing of clients, staff, contractors and service providers located within critical sites;

Ensuring ACT Health’s state of preparedness to respond to a BIE is at the highest level possible through the promotion of sound BCM processes and BCM communication planning;

Assisting the resumption of a Business Unit’s critical functions to normal business operations if a BIE is declared;

Staff understand and are proficient in the BCM roles and responsibilities;

Embedding of BCM into ACT Health’s operational management structure (linked to the Corporate Plan and the business planning process);

Improving resilience of ACT Health’s critical functions;

Providing links to ACT Health’s emergency management policies and procedures; and

Maintaining a reporting regime that supports senior management to efficiently and effectively manage ACT Health’s business continuity.

A specific BCP Template has been developed and is available on the BCM SharePoint site at http://inhealth/BCM/default.aspx

Roles and Responsibilities

Staff at all levels who work in ACT Health facilities have some level of responsibility for managing or participating in BCM. The success of returning to ‘Business as Usual’ following a BIE depends upon the awareness, embedding and application of BCM in each critical business or clinical area.

All staff who have a role to play in the management of BCM must be able to access the BCPs relevant to their critical areas.

Director-General

The Director-General (DG) is accountable, under Section 31(1) of the Financial Management Act 1996, to report to the Minister on the efficient and effective financial management of the directorate. The BCM Framework and BCPs assist the DG to manage the affairs of ACT Health to promote proper use of resources for which the DG is responsible.

The DG is a process owner (see Executive in Command definition) and has a group of executives reporting directly to this position. For BCM purposes, this group will be referred to as the Direct Executive Reports (i.e. Population Health Unit, Financial Management Unit, etc).


Audit and Risk Management Committee

The Audit and Risk Management Committee oversees ACT Health BCM activity and will be provided with six-monthly status reports containing:

A list of ACT Health BCPs; and

The status of any selected ACT Health BCPs that have been tested or exercised.

Deputy Director-Generals and Direct Executive Reports

Each Deputy Director-General (DDG) and all officers reporting directly to the DG (known as Direct Executive Reports (DER)) are process owners responsible for the development, endorsement, implementation, promotion and oversight of BCPs within their area of responsibility (only if critical functions have been identified), including:

High Level BCPs and Business Unit BCPs

Chief Information Officer, Digital Solutions

The Chief Information Officer (CIO) is responsible for the oversight and working with Business Units to develop, implement, test and/or exercise BCPs for any critical Information Communication Technology (ICT) applications/systems used in ACT Health.

The CIO is to liaise with the Executive Director, BSS in relation to the management, storage and publishing of any ICT BCPs, including the external provider Shared Services BCP with ACT Health.

Chief Health Officer

A statutory office under the ACT Public Health Act 1997 and the ACT Emergencies Act 2004 may assume designated powers and roles to protect the health of the ACT community in the event of a significant BIE.

Executive Director, People and Culture

The Executive Director (ED), People and Culture, is required to provide assistance with the coordination of staffing contingencies for any affected areas in the event of an emergency or the activation of a BCP/s.

Executive Director, Business Support Services

The ED, Business Support Services (BSS) has overall responsibility for governance, advisory, performance reporting and oversight of BCM coordination across ACT Health.

Division/Branch Executive Director

The ED of a Division or Branch is responsible for implementation, approval and oversight of BCM activities within their areas and activating a BCP in the event that a BIE has been declared or when a major event affects an area’s ability to deliver critical services. The ED is the BCM process owner and will become the Executive-in-Command (see Definitions) of the BCM response, such as:


Roles

Nominating a designated officer to act as the Divisional/Branch Representative, to be the liaison for the Division/Branch and to participate in scheduled communication meetings coordinated by BSS;

Approving all BCPs within their area of responsibility;

Ensuring that all necessary processes (critical functions and critical Information Communication Technology (ICT) applications) are captured within the BCPs to appropriately restore critical functions;

Activating a BCP in the event a BIE has been declared;

Reviewing BCPs biannually (eg every two years at a minimum);

Assigning roles and responsibilities to senior management and staff in respect of the management of the area’s BCP;

Keeping contact lists current;

Communicating up to the next level of management of the activation of a BCP (refer to the BCP Template (Communication Plan (during BCP activation) section)); and

Retaining an ED BCP folder that contains copies of all area BCPs for immediate reference should a BIE occur.

Divisional Representative

The Divisional Representative is assigned by the ED and is usually at the senior officer level. The Divisional Representative is responsible for coordinating BCM within the Division/Branch and acts as the centralised point of contact for BSS. The Divisional Representative is to adopt a train-the-trainer model to disseminate knowledge and expertise on BCM within their area, such as:

Roles

Coordinating the development, maintenance, review and exercising/testing of Business Unit’s BCPs with their Division/Branch;

Collating information on the Division/Branch’s resource requirements to provide information for the use of key resource areas;

Facilitating the review of the Division/Branch’s Business Units BCPs on a biannual basis or in the event of organisational structure changes;

Working with Managers/Directors to keep staff informed of their roles and responsibilities contained in the Business Unit BCP (and as per the BCM Framework);

Facilitating, or organising, Business Unit training and/or information sessions on BCM;

Representing the Division/Branch at the quarterly Divisional Representative BCM meetings coordinated by BSS;

Overseeing the regular update of the Division/Branch’s Business Unit BCP and ensuring that the BCPs are located in a secure alternate location;

Coordinating the provision of information so that regular reports can be provided to the ED on the status of BCM within the Division/Branch;

Liaising with the CIO, Digital Services (who will then liaise with Shared Services ICT Disaster Recovery Team (or applicable service provider as directed)) to ensure that specific critical ICT programs are represented in the Shared Services ICT BCP; and

Assisting with the development, coordination and documentation relevant to exercising or testing scenarios of the BCP.

Managers/Directors

Managers/Directors are responsible for specific functions of the Business Unit including identifying critical functions and strategies for continuation or resumption of these functions. They are responsible for developing and promoting the Business Unit BCP (making sure staff are trained), annual testing or exercising of BCPs, keeping their staff safe and informed of the situation should a BCP be activated, as well as coordinating the recovery of the Business Unit back to ‘Business as Usual’. To assist all Business Units to be in the highest state of preparedness, Managers/Directors are responsible for actions, such as:

Roles

Developing and maintaining an official record of BCM activities within the Business Unit with respect to their roles and responsibilities under the BCP, as well as contact lists of key personnel and suitable alternative persons (using the BCP Template);

Storing BCPs on-site (with any Internal Emergency Management Plans) and off-site (with the responsible ED and ED BSS) and on a USB device (one held by the manager/director and one kept in the recovery kit);

Identifying and training suitable alternate persons should the Manager/Director be unavailable;

Considering resources (financial and human) required during contingency mode;

Providing staff (including contractors and service providers located within the area) with information about the BCM Framework and BCP;

Accounting for their staff and contacting the responsible ED during a BIE to facilitate ongoing communication (refer to the BCP Template (Communication Plan (during BCP activation) section));

Having a separate BCP/s in place (or including in the Business Unit BCPs) for service providers delivering any critical functions to the Business Unit;

Supporting critical infrastructure (for the Business Unit) and advising the responsible ED of its operational status;

Contingency planning for critical functions should there be unavailability of ICT staff and physical resources;

Overseeing the exercising or testing of the BCP critical functions on a regular basis (refer to the BCM Exercising Manual published on SharePoint);

Participating in exercising or testing of the BCP;

Providing duplicate Business Unit BCPs to the ED BSS (or other interdependent sites as identified in the BCP);

Promoting relevant BCM training for staff; and

Reviewing the area BCP to determine if the capabilities are current after the activation of the BCP eg due to a major incident, BIE or organisational restructure (Lessons Learned).


All staff

All staff, contractors and service providers located within ACT Health are responsible for being informed about the Emergency Management Plans and their roles as outlined in the Business Unit’s BCP. This includes actively participating in training and following the instructions of the Emergency Officers (i.e. Wardens) in the event of an emergency.

All staff, as part of their employment in ACT Health, will maintain currency of their Mandatory Fire and Emergency Training. If there are any exercises related to the Emergency Management Plans and/or High Level and Business Unit BCPs staff are expected to participate, such as:

Roles

Recording their next of kin and emergency contact information on the HR21 database and any Business Unit contact lists (and keeping this information up to date);

Providing after-hours contact information to the Business Unit manager to enable them to make contact in the event of an emergency or BIE; and

Having after-hours or mobile contact numbers available for their manager.

Contractors/Service Providers

All managers need to make sure that contractors/service providers used for or contributing to the provision of critical functions for a Business Unit are appropriately included in all planning in the event of an emergency, including maintaining contact information.

Any critical functions provided by contractors/service providers need to be incorporated into the Business Unit BCP and included in any testing or exercising of the BCP.

Delegate Alternatives

In the event that any of the above positions are unable to exercise the BCM roles and responsibilities, the next senior person in the ACT Health organisational structure (the delegate) shall make a declaration to activate and deactivate a BCP (either High Level BCP or Business Unit BCP).

All possible alternative delegates are required to receive the appropriate training to enable them to exercise their roles and responsibilities under the BCM Framework.

Development of Business Continuity Plans

ACT Health has a specific BCP Template to be used by areas (located at http://inhealth/BCM/default.aspx). BCPs set out the elements for identifying critical functions, possible sources of disruption, the consequences of the disruption and a range of response actions that will be required to maintain business continuity until full service/operations can be resumed. A BCP contains critical data and information (including activation response procedures, contact lists, etc) that will enable the recovery of critical functions eg return to normal business operations.

Executive Directors will determine which areas within their Branch or Division deliver critical functions - refer to the BCP Template (Determining a Critical Business Function form) for assistance with making this determination.


Storage

BCPs must be stored:

On-site (usually located with an area’s Emergency Plan, however, each area can determine a specific process for access to the BCP); and

Off-site (either in hard copy or on a USB device).

Any staff member (eg Hospital Commander, Executive Directors, Directors, Managers etc) who assumes a role during the activated BCP, should have access to a copy of all BCPs relevant to their areas when they are off-site.

The Hospital Commander should maintain a copy of all ACT Health BCPs for reference during an emergency.

The BCM Cycle diagram outlines the six steps required to embed BCM into ACT Health:

All BCPs are to be established in accordance with the BCM Framework. Information contained in the BCP includes, but is not limited to:

How to access Emergency Information Staff, service provider and stakeholder contact List Critical Functions Resource Requirements Business Impact Analysis (BIA) IT Applications Disaster Recovery Plans Requirements for Interim Processing and Business Restoration Resources Instruments and Delegations Contracts and Agreements Memoranda of Understanding


It is essential that the BCM Framework is embedded across ACT Health through the development of High Level BCPs and Business Unit BCPs, so that critical business functions continue operating or are rapidly resumed in the case of a disruption.

High Level Business Continuity Plans

High Level BCPs include, but are not limited to, the following list of services which has been developed on the basis of risk to the organisation:

Utilities (water, electricity, gas)

Food

Medical gas

Supply

Sterilising

Linen

Waste and cleaning

Security

Information Communication Technology

Human Resources

Generic ward evacuation

Generic clinic evacuation

Generic health centre and community based services evacuation

There is no whole of Canberra Hospital BCP. Should the evacuation of the whole Canberra Hospital campus occur, this is managed under the Emergency Management procedures and the use of BCPs can assist to inform this situation. The BCPs will assist with recovery of Business Units.

High Level BCPs cover BIEs that impact on many Business Units, such as interruptions to utilities, supply (e.g. consumables), staffing and infrastructure. These BIEs will have wide ranging effects on many Business Units and will require appropriate support from higher level staff within ACT Health in the mitigation of the effects of the BIE at a Business Unit level. Business Units that provide this higher level of support for subordinate areas within ACT Health need to take into account critical functions of the affected area/s when developing their BCP.

Important elements to be considered during the development of the BCP are:

Clearly defining roles and responsibilities of key staff across all levels of ACT Health;

Incorporating Critical Functions and ICT applications across ACT Health;

The activation process when an incident occurs that could cause the critical functions not to perform within the Maximum Acceptable Outage (MAO);

Ensuring that communications with ACT citizens, the ACT government and other stakeholders is maintained; and

Management of any service providers and contractors.


Business Unit Business Continuity Plan

Business Unit BCPs are to be developed for services that deliver critical functions, for example:

Theatres, Imaging, Interventional Medical Imaging.

ICT - Health ICT Business Continuity and Disaster Recovery Plan.

Human Resources.

A Business Unit BCP:

Strengthens an area’s ability to respond to a BIE and provides the business continuity exercise regimes for the area; and

Is endorsed by the area ED (see front page of BCP Template) to ensure engagement at the senior level.

The Business Unit BCP includes:

Roles and responsibilities of key Business Unit staff;

Critical Functions, infrastructure and ICT applications relative to the Business Unit;

The activation process when a BIE occurs that could cause the Business Unit’s critical functions not to perform within the Maximum Allowable Outage (MAO); and

Management of Business Unit service providers and contractors.

Key Business Unit staff, including the ED, have BCP folders with a copy of each Business Unit BCP under their area of responsibility. This includes checklists, contact lists and any other documentation that supports their BCM role (in addition, all information is to be saved on a USB device). The Business Unit BCP should also be kept or co-located with the Internal Emergency Management Plan.

Activation of a BCP

Operational Responses

BCM commences when a critical function meets or exceeds its MAO. If accompanied by an emergency it commences with or immediately after an emergency response has ensured the safety of people and property. The BCM continues to guide the affected area through the recovery phase until normal business is resumed.

All ACT Health staff who may be appointed roles in managing BCM responses should be familiar with the concepts of emergency operations centres, such as a Health Emergency Control Centre (HECC) or a Hospital Emergency Operations Centre (HEOC). Staff required to participate in the BCM response must have completed appropriate training. ACT Health has adopted the Australasian Inter-service Incident Management System (AIIMS) as the appropriate training standard. AIIMS provides a common management framework that can be applied to any size event as the framework provides for an expanded response as an event changes in either size or complexity.

Emergency management and BCM are separate but complementary processes. Emergency plans and BCPs may provide guidance to each other. They work in a complementary and harmonious fashion, often at the same time, to ensure optimal safety and rapid recovery. BCPs must contain all the information needed to continue or resume the lost critical business function.


This approach of appropriate training and approved response plans, be it emergency or business continuity, will enable BCM to be seamlessly incorporated into concurrent emergency responses. Where an emergency response is activated the business continuity processes will generally be incorporated into the emergency response using the AIIMS structure.

Internal Notification

A decision is made to activate the High-level or Business Unit BCP.

Business Unit Manager/Director is to notify ED (ED will follow BCM processes).

Manager/Director nominates a Business Unit Recovery Coordinator.

Response to a Business Interruption Event Declaration

The BCP contains a flowchart that provides Managers/Directors with direction on how to activate a Business Unit BCP.

Critical Infrastructure (Risk Management Relationship)

ACT Health as owner and/or operator of critical infrastructure is required to:

Provide adequate security over its critical infrastructure assets;

Actively apply risk management techniques to its planning processes for these facilities, information technologies and communication networks;

Conduct regular reviews of the risk management assessments and plans for the same;

Report any incidents or suspicious activity to ACT Policing in respect of the same;

Develop and regularly review BCPs for the facilities, information technologies and communication networks; and

Participate in exercising and testing BCPs (which aim to be conducted in conjunction with the ACT Health Internal Emergency Management Plan testing).

NB: Business Units will maintain responsibility for listing critical infrastructure in the BCP.

Recovery Plan

Typically, the recovery phase would include the following elements:

Confirming that the problem initiating activation of the BCP has been resolved and the pre-BCP operations can be resumed.

Testing of systems and facilities before resumption of normal business operations is possible.

Advising all affected staff and key stakeholders of timing of resumption of normal business operations.

Reviewing the backlog of work and assessing resource implications and duration to rectify.

Capturing and reporting all costs associated with the contingency arrangements.

Assessing staff morale and welfare (health, emotional state) to evaluate the impact of the disruption on staff and their ability to deliver required services in the immediate future.

Acknowledging the work of the staff, and staff in other areas, who assisted in maintaining services during the disruption, and in rectifying the disruption event.

Advising ACT Insurance Authority (ACTIA) of the event within 24-48 hours so an independent loss assessor can be engaged to inspect the site once secured. Contact the ACT Health Insurance and Legal Liaison Unit who will liaise with ACTIA.

Using lessons learned, review the BCP to improve future BCP activation and temporary service arrangements.

Post Contingency Plan (Debriefing)

The Debrief (Post contingency phase) would include the following elements:

1. Review of the cause of the disruption and, in light of lessons learned, update relevant documentation, including updating the BCP.

2. Consultation with the relevant DDG (or Direct Executive Report) and Business Unit Manager/Director(s) to assess the BCP activation process, including but not limited to:

Ability to identify and contact key personnel;

Ability to maintain critical operations;

Resource implications of the activation;

Timeframes required to activate the BCP and commence limited services to maintain business continuity;

Staff welfare;

Workload/resources to remove any backlog resulting from the disruption; and

Measures to limit the same problem reoccurring.

The ED, relevant DDG (or Direct Executive Report) and Business Unit Manager/Director(s) may formally acknowledge those staff whose performance during the activation is worthy of formal recognition.

Estimated Cost of Implementing the BCM Plan

All costs required to support continuity arrangements are to be captured during the course of the BCP activation, for insurance purposes. To formalise this process, complete the Request for Support form (contained in the BCP template).

The cost of implementing the BCP will largely depend on:

The extent of the problem and the actions necessary to maintain continuity of identified critical services.

The staff overtime required during the BCP activation to maintain critical services, as well as following the de-activation, should there be a need to remove a backlog of outstanding work.

The possibility of an increase to FTE salary should additional temporary employees be required to supplement staff numbers in the event of the usual staff being unavailable.

Exercising or Testing of the BCP

Exercising or testing of High Level or Business Unit BCPs is to be carried out by the BCP owner as a ‘Business-as-Usual’ activity. Selected BCPs are to be exercised or tested under a systematic, risk rated approach by the area on an annual basis. This should be guided by the ACT Health Exercising and Testing Methodology available on the BCM SharePoint page.

Due to the relatively large number of BCPs that exist within ACT Health, a rolling sample of approximately 20% of the total plans will be chosen each year to be exercised or tested. Additional validation of BCPs can also be done in conjunction with the ACT Health Internal Emergency Management Plan exercising activities.

Exercising and Testing of BCPs enables:

Comprehensive practice for staff and stakeholders involved in recovery activities;

Awareness to key suppliers and stakeholders (including the Minister) of ACT Health’s resilience should a BIE occur;

Identification of failed recovery processes and costs required to resolve these failures;

Assistance with the implementation of any remedial action; and

Auditor and insurer confidence with a documented and tested BCP.

All exercises or tests should be evaluated, documented and changes integrated into the BCP, approved by the responsible ED and reported to the ED, BSS.

Following are five types of exercising or testing that can be utilised:

1. Discussion Based Exercises: This is a cost-effective exercise type and the least time-consuming. These exercises are structured events where participants can explore relevant issues and walk through the BCP in an unpressurised environment. Focus can be on specific areas for improvement that have been identified with the aim of finding possible solutions.

2. Table-Top Exercises: This exercise type is commonly used where the discussion is based on a relevant scenario with a time-line which may run in “real-time” or may include “time-jumps” to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the BCPs being exercised and are required to demonstrate how these BCPs work as the scenario unfolds. Table-Top exercises can be a realistic, cost-effective and efficient method. The Table-Top exercise can be greatly enhanced by the use of media, which can make a scenario more realistic.

3. Command-Post Exercises: These exercises typically involve BCM management teams dealing with strategic, tactical and operational level issues, decision-making and actions. Participants can be located across ACT Health, all working in their usual day-to-day locations. Participants are given information in a way that simulates a real incident and are expected to respond to the scenario as if they are in the workplace. These exercises have the added advantage of:

a. testing information flow;

b. strengthening communication and coordination;

c. identifying equipment requirements;

d. assessing local procedures (Action Cards);

e. refining decision-making processes; and

f. supporting role play activities (the Emergo Train System may also be utilised to inform the Command-Post exercise).

4. Live Exercises: Live exercises can range from a small scale rehearsal of one component of the response through to a full scale rehearsal of the whole organization and potentially participating interested parties. It is anticipated that ACT Health will conduct live exercises in conjunction with all relevant exercises planned and conducted by the ACT Health Emergency Management Unit or the Canberra Hospital exercises.

5. Testing: A test is a unique and particular type of BCM exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. It is usually applied to equipment, alternate or workaround procedures or technology, not to individuals, for example:

An out of hours telephone call out

Contacting suppliers to assess their ability to respond within an agreed timeframe

Invocation of document recovery contracts

It is anticipated that, over time, a combination of these exercise options will be tailored for a particular operation and level of continuity capability.

Updating the BCP - other than during an exercise

Supporting documentation in the BCP, in particular the Contact List, should be reviewed regularly by each area at least every three months (quarterly cycle). It is suggested that any supporting documentation is “attached” (and referred to in the BCP) so as to facilitate easy updating without having to review the whole BCP.

BCM processes should also be reviewed as soon as practicable after any organisational structural change has been implemented.

The ED BSS must be advised of all structural changes that impact on the ACT Health BCM planning activities, especially in relation to Critical Functions.

A Business Unit review is conducted using the Business Impact Analysis (BIA) on all Business Unit functions and a Resource Dependency Analysis is conducted on all Critical Functions.

A Health Check Survey is an assessment that can also be conducted by Business Units using questionnaire surveys to evaluate the extent of staff knowledge of a BCP within a Unit. Results of these surveys can assist the area ED with their BCM responsibilities.

Evaluation

Outcome Measure

All identified areas that deliver critical functions have endorsed High Level and Business Unit BCPs to support the delivery of essential services should there be a BIE, e.g. a non-routine interruption to the delivery of critical services.

Method

ED BSS will report to the Audit and Risk Management Committee:

On the status of BCPs that exist across ACT Health; and

On the status of selected BCPs that have been tested or exercised annually.

Related Legislation, Policies and Standards

Legislation

ACT Emergencies Act 2004

ACT Financial Management Act 1996

ACT Territory Records Act 2002 (Standard for Records Management Number 8: Business Continuity and Records Management - Notifiable Instrument NI2008-438) and (Guideline for Records Management, Number 8 – Business Continuity and Records Management)

Policies

ACT Health Directorate Risk Management Policy 2015

ACT Emergency Plan - Health Emergency Plan 2017; and ACT Epidemic Infections Disease Plan 2013

ACT Health Emergency Plan 2017

ACT Health Emergency Plan – ACT Healthcare Facility Medical Evacuation Coordination Plan (HealthMedivacPlan) 2017

ACT Health Emergency Plan, Appendix III - Summer Plan (for Extreme Heat Events and Elevated Fire Conditions) 2015

ACT Health Emergency Plan, Appendix IV - Winter Plan (for Infectious Disease Outbreaks) 2014

ACT Health Protective Security Policy 2017

Standards

Australia and New Zealand Standard AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

Australian Standard AS ISO 22301:2017 Societal security - Business continuity management systems – Requirements

Australian Standard AS ISO 22313:2017 Societal security - Business continuity management systems – Guidance

Australian Standard SA TS ISO 22317-2017 Societal security - Business continuity management systems - Guidelines for business impact analysis (BIA)

Handbooks HB 292-2006 A practitioners guide to business continuity management; and HB 293-2006 Executive guide to business continuity management

Other documents

Health ICT Business Continuity and Disaster Recovery Plan 2009

Canberra Hospital Emergency Management Plans

Business Continuity Institute Good Practice Guide (2008)

Australian National Audit Office (ANAO) Better Practice Guide–Business Continuity Management-Keeping the Wheels in Motion: A Guide to Effective Control, Canberra, 2000

Australian National Audit Office (ANAO) Better Practice Guide–Business Continuity Management: Building resilience in public sector entities, Canberra, 2009

Australian Standard AS 3745-2010 Planning for emergencies in facilities

Definitions

Term: Definition

ACT Emergency Plan: The aim of the ACT emergency plan is to provide a basis for emergency management; coordination of emergency service agencies; coordination of the agencies, organisations and other persons, and coordination of territory agencies with the agencies of the commonwealth and the states in the event of an emergency within the Australian Capital Territory that requires a significant and coordinated multi agency response.

Assembly Area: The designated area at which employees, visitors and contractors assemble if evacuated from their building/site.

Activation: When implementation has commenced in relation to all or a portion of the plans related to business continuity, crisis management, emergency, stabilization, security or recovery, in response to an actual disruption incident.

Alternate Worksite: A work location, other than the primary location, to be used when the primary location is not accessible.

Business Continuity: Business continuity is ‘the uninterrupted availability of all key resources supporting essential business functions'.

Business Continuity Plan (BCP): Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable pre-defined level.

Business Continuity Planning Process (BCPP): Business Continuity Planning or BCP is the process of developing prior arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions can continue within planned levels of disruption.

Business Continuity Management: A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. BCM focuses on three post-event phases: Disaster Recovery, Business Continuity (of essential functions), and Full Recovery.

Business Continuity Management Coordinator: A role that is assigned the overall responsibility for coordinating the organisation / Business Unit(s) BCM.

Business Impact Analysis (BIA): Process of analysing the criticality of business functions and the effect that a business disruption might have upon them. The BIA is undertaken for all business processes and establishes the recovery priorities, should those processes be disrupted or lost. Analysis by which an organisation assesses the quantitative (financial) and qualitative (non-financial) impacts, effects and loss that might result.

Business Interruption Event (BIE): Any event, whether anticipated or unanticipated, which disrupts the organization’s normal course of routine operations.

Business Unit: Any discrete organisational unit in ACT Health.

Contact List: A list of team members and key players in a crisis. The list should include home phone numbers, pager numbers, cell phone numbers, etc.

Call Tree: A structured cascade process (system) that enables a list of persons, roles and / or organisations to be contacted as a part of an information or plan invocation procedure.

Control: The overall direction of activities in an emergency response situation.

Consequence: For risk – Consequences are the outcomes of an event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. Consequence can range from ‘insignificant’ to ‘catastrophic’ and are expressed in terms of financial impact, human impact, environmental impact, interruption to business, and impact on reputation or image. For business continuity – Consequence is the outcome of an incident that will have an impact on an organization’s objectives.
Note 1: There can be a range of consequences from one incident.
Note 2: A consequence can be certain or uncertain and can have positive or negative impact on objectives.

Crisis Management: The process by which an organisation manages the wider impacts of business continuity emergencies, events, incidents and/or crises until it is either under control or contained without impact to the organisation or the Business Continuity Plan is invoked as part of the Crisis Management Process.

Critical: Usually applied to a resource or process that may be kept going (as soon as possible) at time of a Business Continuity emergency, event, incident or crisis.

Critical Business Functions: Vital functions without which an organization cannot survive and / or effectively achieve its critical objectives. These critical functions are contained within the Business Unit BCM Plan once identified through the BIA process.

Disaster Recovery: Immediate intervention taken by an organization to minimize further losses brought on by a disaster and to begin the process of recovery, including activities and programs designed to restore critical business functions and return the organization to an acceptable condition.

Disruption: Event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organisation’s objectives.

Damage Assessment: The process used to appraise or determine the number of injuries and human loss, damage to public and private property, and the status of key facilities and services resulting from a natural or human-caused disaster or emergency.

Decision Tree: A method of breaking down events visually into smaller, more manageable steps. These steps are represented as branches on a ‘tree’ with alternative decisions and options and steps leading to various potential outcomes.

Disaster: An unanticipated incident or event, including natural catastrophes, technological accidents, or human-caused events, causing widespread destruction, loss, or distress to an organization that may result in significant property damage, multiple injuries, or deaths.

E/I/C: The acronym for Emergency(ies), Event(s), Incident(s) or Crisis(es).

Essential Service: A service without which a building would be ‘disabled’. Often applied to the utilities (water, gas, electricity, etc.) it may also include standby power systems, environmental control systems or communication networks.

Emergency Management: The organisation and management of resources for dealing with all aspects of emergencies. Emergency management involves the plans, structures and arrangements which are established to bring together the normal endeavours of government, voluntary and private agencies in a comprehensive and co-ordinated way to deal with the whole spectrum of emergency needs including prevention, response and recovery.

Emergency Response: The combating of emergencies and the provision of medical care, rescue and immediate relief services.

Emergency: An event, actual or imminent, which endangers or threatens to endanger life, property or the environment, and which requires a timely and coordinated response.

Executive in Command (process owner): The person directing the BCM response. This could be leading the response to a single event affecting a Business Unit or under the direction of an Incident Controller for a large scale response.

Framework: The formal structure of concepts, values and practices designed to support and enclose the risk management process in ACT Health.

Gap Analysis: An analysis which identifies the differences between what an organization has previously identified as its needs or requirements during an emergency or incident, and what will actually be available.

Health Emergency Control Centre: Established specifically to provide control and coordination of a medical and or health response to any major incident, event or emergency. It will be established if required within the Emergency Services Agency ECC or the Health Protection Service.

Hospital Emergency Operations Centre: A dedicated facility/room located within a hospital campus from where emergency response activities for the hospital are controlled.

Impact: Evaluated consequence of a particular outcome.

Maximum Acceptable / Allowable Outage (MAO), also known as Maximum Tolerable Periods of Disruption (MTPDs): The maximum period of time that an organization can tolerate the disruption of a critical business function, before the achievement of objectives is adversely affected.

Objectives: Measurable and achievable goals that may relate to a project, activity or program or an entire Business Unit.

Recovery: Following the commencement of an event, recovery is the implementation of recovery strategies and procedures in order to return the organization to a sustainable level of capability and operation.

Recovery Timeline: The critical path of actions and activities that describe the speed and prioritisation of the recovery process.

Recovery Point Objective (RPO): The point in time to which systems and data must be recovered after an outage (e.g. end of previous day’s processing). RPOs are often used as the basis for the development of backup strategies, and as a determinant of the amount of data that may need to be recreated after the systems or functions have been recovered.

Recovery Time Objective (RTO): The period of time required to fully re-establish adequate resource requirements to recover a critical activity, process, function, or other capability, to a required minimum operational level.

Risk Analysis: The process of determining the likelihood and consequence of an event in the context of existing risk control measures.

Risk: The chance of something happening that has the potential to cause loss, damage or injury and thus impact upon the achievement of objectives. Risk is measured in terms of consequence and likelihood.

Risk Management: The culture, processes and structures that are directed towards effective management of risk.

Stand Down: Formal notification that the response to a Business continuity E/I/C has been concluded.

Uncertainty: State, even partial, of deficiency of information related to or understanding or knowledge of an event, its consequence, or likelihood.

Service Providers and Contractors

Service providers and contractors are engaged by ACT Health under appropriate commercial arrangements to provide a range of agency-wide goods and services. Robust BCPs must be established and exercised with these service providers and contractors, especially those contributing to, or responsible for, the delivery of Critical Functions.
