This is the current version of this document.
Section 1 - Purpose and Context
(1) Western Sydney University (University) is committed to planning for, responding to, and recovering from disruption.
(2) This Business Resilience Policy (“this Policy”) supports this commitment and sets out the principles, roles and responsibilities of the University's business resilience arrangements, managed through the disciplines of:
- Business Continuity (BC)
- Crisis Management (CM)
- IT Disaster Recovery (ITDR)
- Emergency Planning (EP)
(3) This policy:
- affirms the University's commitment to business resilience
- establishes the principles by which the University will identify, assess and manage disruption-related risks
- fosters an environment where staff take responsibility for managing disruption-related risks
- provides for consistent supporting frameworks in which disruption-related risks concerning critical business processes and functions are identified, assessed, and managed
- promotes the highest standards of University governance and supports the Board of Trustees to fulfil its functions as prescribed by section 22 of the Western Sydney University Act 1997 (NSW).
(4) This Policy is the foundation of business resilience, which in turn supports the University's broader Risk Management in alignment with the Risk Management Policy.
(5) This Policy applies to:
- all University Schools, Research Institutes and Divisions including all campus locations
- all University controlled entities, and
- any material third parties (including partners, suppliers, vendors and contractors as represented in their contractual commitments) providing services to the University or directly to the student body.
Section 2 - Definitions
(6) For the purposes of this policy, definitions that apply can be found in the Policy DDS Glossary, in addition to the following:
- Business Continuity (BC) means the process of managing continuity and recovery of critical business processes to reduce the impact of an event which suddenly disrupts the University's operational capability
- Business Continuity Plan (BCP) means a collection of validated procedures and information that is developed, compiled and maintained in readiness for use, to recover critical business processes within defined timeframes in the event of a disruption
- Business Resilience means a whole of University approach to ensure that in the event of disruption, the University's critical operations can be recovered, student and staff experience maintained, regulatory obligations upheld, and reputation preserved. Its purpose is to minimise the negative impacts (e.g., people, financial, legal, reputational, physical research losses and other consequences) arising from a disruption
- Business Impact Analysis (BIA) means the process of analysing the organisation’s critical activities, resource and supplier dependencies, and associated recovery timeframes
- Crisis Management (CM) means the process through which the University will coordinate and manage its response to a disruptive event which may suddenly and adversely impact the reputation or strategic viability of the University. This may involve coordinating responses to events that do not necessarily disrupt the University's ability to deliver services but may, nevertheless, present a threat to the University's brand and reputation (e.g., adverse news trending on social media)
- Disruption/Disruptive Event means an anticipated or unanticipated event which has the potential to harm the University during and after that immediate event
- Emergency Control Organisation (ECO) means the organisational structure that activates and provides direction during an emergency to ensure a safe response, as well as liaising with emergency services if necessary
- Emergency Planning (EP) means the structure and framework to respond to an internal or external emergency
- Emergency Planning Committee (EPC) means the committee responsible for the development, implementation and maintenance of the emergency management plan, including the warden system and evacuation diagrams
- IT Disaster Recovery (ITDR) means the process of managing the continuity and recovery of critical technology infrastructure, systems, applications and digital services following a disruptive event.
Section 3 - Policy Statement
(7) The objectives of the University's resilience framework are to:
- affirm the University's priority to safeguard the wellbeing of students, staff and the community during and following any disruption
- provide an agreed structure and systematic approach in line with good practice that enables the timely and effective response to disruption
- maintain minimum viable operations and re-establish critical business activities as quickly and efficiently as possible
- protect University facilities, infrastructure, research, assets and equipment
- minimize financial, legal, regulatory and reputational impacts arising from disruption
- plans, including Business Continuity Plans, Crisis Management Plans, IT Disaster Recovery Plans, and Emergency Management Plans, are established to support and guide the University in responding to disruption
- plans are informed by analysis and take into consideration the University's disruption-related risks and risk appetite
- plans are regularly reviewed, tested, exercised and updated for validity, appropriateness and effectiveness
- staff are aware of the need to appropriately prepare for, respond to and recover from disruptive events, and are provided appropriate training to meet their respective roles and responsibilities
- resources are allocated to support the scope and objectives of ongoing business resilience
- business resilience requirements and supply chain risk are considered as part of the on-boarding of any new material supplier or third party and expectations are articulated via contractual agreements and service level agreements
- business resilience requirements are considered in relation to any partnership arrangements, proportionate to the level of risk and depth of involvement with the University.
Roles and Responsibilities
(8) The Board of Trustees has overall responsibility for risk management across the University and it is responsible for approving this policy.
(9) The Audit and Risk Committee provides oversight to the Business Resilience Policy.
(10) The Vice-Chancellor and President is responsible for:
- ensuring business resilience practices are established and maintained in accordance with this Policy
- communicating significant business resilience matters to the Board and Audit and Risk Committee, and
- ensuring that the business resilience function is appropriately resourced and funded.
(11) The Business Resilience Steering Committee:
- is accountable for the ongoing oversight of business resilience
- provides strategic direction and monitors the management of BC activities
- reviews and endorses the University-wide list of critical business processes.
(12) Senior Program Lead, Business Continuity and Resilience:
- coordinates business resilience related activities across the University, including the performance of business impact analyses, BCP development, communication, incident management, training and exercises
- prepares reports as required to enable ongoing monitoring and oversight by the Business Resilience Steering Committee and the Vice-Chancellor and President
- updates and maintains this Policy and supporting frameworks
- leads and supports staff to successfully complete business resilience related activities when required, and
- reviews the impact on BCP as a result of any significant change at the University (e.g., significant organisational change and projects). This includes ensuring potential impacts are reviewed to identify and assess disruption-related risks that may be introduced by the proposed change.
(13) Associate Director, Safety and Campus Delivery is responsible for:
- ensuring an EPC is in place
- through the EPC, maintaining and distributing an Emergency Management Plan (EMP), and associated capabilities including evacuation diagrams, wardens, and training
- supporting appointment and training of wardens and building users
- directing ECO in the case of an emergency.
(14) The Chief Information Officer is responsible for implementing IT Disaster Recovery planning.
(15) Unit Heads are accountable for:
- implementing relevant Policy requirements within the School, Division, or Business Unit. This includes linking to Unit Operational Risk Registers (refer Risk Management Policy) and developing, maintaining and validating plans and requirements for their respective area
- being acquainted and familiar with emergency management procedures
- participating in emergency response
- reviewing the output of the BIA process for their respective area, including the list of critical business processes identified
- ensuring disruption-related risks identified by the School/Division/Business Unit are addressed in alignment with the University's Risk Management Policy
- ensuring sections of the BCP pertinent to their relevant area are reviewed and updated annually for currency, appropriateness, and completeness, and
- completing business resilience related training and exercises as required.
(16) All Staff are required to be aware of this Policy, support and participate in the business resilience related activities, undertake training and familiarise themselves with emergency management procedures.
Section 4 - Procedures
(17) This Policy is implemented via the following business resilience related frameworks, or their respective successor documents:
- Business Continuity and Crisis Management Framework
- IT Disaster Recovery Guideline
- Emergency Management Plan (EMP).
(18) These documents describe the analysis, planning, processes and approach through which this Policy will be executed across each key discipline (BC, CM, IT Disaster Recovery and Emergency Planning).
(19) This Policy and supporting documents are further supported by the University's Procurement Policy as it relates to critical third parties.
(20) The documents have been designed to align and interact with one another given their inter-relatedness, as well as the broader arrangements for Emergency Management to promote a more effective and holistic response to disruptive events that may require the involvement of one or more of these disciplines.
Section 5 - Guidelines
(21) Nil.