In response to such business disruption, entities need to have arrangements in place to support the continuation and/or resumption of essential services and ultimately return to business as usual.
Often these arrangements will need to operate alongside emergency or disaster management arrangements to ensure the safety of staff and assets. Business continuity management (BCM) is the development, implementation and maintenance of policies, frameworks and programs to assist an entity to manage a business disruption, as well as to build entity resilience.
The Australian Government may direct its agencies to implement heightened security levels. In addition to these specific requirements, entities should seek to adopt a BCM approach that is relevant, appropriate and cost-effective.
In this respect, clearly defining the purpose, priorities and coverage of BCM is important.
Effective BCM arrangements give entity management and stakeholders greater confidence in the entity’s ability to manage the impact of a disruption and return to business as usual. In line with policy requirements and expectations of the Protective Security Policy Framework (PSPF), each of the entities had established relevant governance structures, assessed risks, identified critical functions, services or assets, undertaken business impact analyses, and developed business continuity plans (BCPs).
Each of the entities assessed their business continuity risk at an entity-wide level, and developed a BCM program to manage their risk exposure. Of these critical functions, 120 related to the six Mission Critical Activities and the remainder were considered to be enabling services. Responses were to be managed across 33 BCPs, each varying in comprehensiveness. In this regard, entities have some flexibility in relation to the structure, content and comprehensiveness of their programs.

Entities subject to the PSPF are required to report annually on their compliance with the mandatory PSPF requirements to their portfolio minister. Of the 110 entities that reported on the GOV 11 mandatory requirement in 2013, 12 entities reported that they were non-compliant.

The volume of documentation is potentially problematic from a recovery perspective. To assist in making decisions regarding potential recovery action, DSS should prioritise and rationalise its critical functions at an entity-wide level. This would involve determining entity priorities for services and assets, particularly in relation to resourcing and the continuation, recovery and/or stand down of functions.

Since January 2010, the audited entities have each experienced a number of business disruptions, ranging in impact from the minor and inconvenient (partial evacuations and all-day outages of critical systems) to the significant (week-long office closures due to weather events including cyclones and floods). In most cases the entities’ emergency or disaster response arrangements were initiated quickly to provide protection for staff and property; however, in this period Finance was the only entity that had initiated its BCM arrangements in response to disruptions to provide protection for affected critical functions.
CASA and DSS managed several significant disruptions in 2011, including the Queensland floods and Cyclone Yasi, without activating business continuity arrangements. The majority of the non-compliant entities were in the process of finalising reviews of their BCPs at the time of reporting.

The ANAO has conducted four audits since 2002 that have focused on BCM arrangements in entities. Each of these audits has identified areas for improvement.