• Section 1 - Purpose and Context
• Section 2 - Definitions
• Section 3 - Policy Statement
• Roles and Responsibilities
• Section 4 - Procedures
• Section 5 - Guidelines

Section 1 - Purpose and Context

(1) Western Sydney University (University) is committed to enabling the timely recovery of University operations during a disruption.

(2) This Business Continuity Management (BCM) Policy (“this Policy”) supports this commitment and sets out the guiding principles under which the University's Business Continuity Management is developed, implemented, and maintained as part of change management and continuous improvement.

(3) This policy:

1. affirms the University's commitment to BCM
2. establishes the principles by which the University will identify, assess and manage disruption-related risks
3. fosters an environment where staff take responsibility for managing disruption-related risks
4. provides for consistent supporting frameworks in which disruption-related risks concerning critical business processes and functions are identified, assessed, and managed
5. promotes the highest standards of University governance and supports the Board of Trustees to fulfil its functions as prescribed by section 22 of the Western Sydney University Act 1997 (NSW), and
6. is generally consistent with the principles of ISO 22301: 2019(en) Security and resilience - Business continuity management systems - Requirements.

(4) This Policy is the foundation of the Business Continuity Management, which in turn supports the University's broader program of Risk Management.

(5) This Policy aligns to the University's:

1. Risk Management Policy
2. Critical Incident Guidelines, and
3. Campus Safety and Security Standard Operating Procedures.

(6) This Policy applies to:

1. all University Schools and Research Institutes, including all campus locations
2. all University Divisions and Business Units, including controlled entities
3. any material third parties (including suppliers, vendors and contractors as represented in their contractual commitments) providing services to the University or directly to the student body, and
4. all identified critical business processes as well as critical technology infrastructure, systems, applications and critical digital services.

Section 2 - Definitions

(7) For the purpose of this policy the following definitions apply:

1. Business Continuity (BC) means the process of managing continuity and recovery of critical business processes to reduce the impact of an event which suddenly disrupts the University's operational capability.
2. Business Continuity Plan (BCP) means a collection of validated procedures and information that is developed, compiled and maintained in readiness for use, to recover critical business processes within defined timeframes in the event of a disruption.
3. Business Continuity Management (BCM) means a whole of University approach to ensure critical operations can be maintained or restored in a timely manner in the event of a disruption arising from external or internal events. Its purpose is to minimise the negative impacts (eg people, financial, legal, reputational, physical research losses and other consequences) arising from a disruption. BCM at the University is comprised of three inter-related disciplines, including:
   1. Business Continuity (BC)
   2. IT Disaster Recovery (ITDR), and
   3. Crisis Management (CM).
4. The Business Continuity Management is designed to align, and interact, with the broader arrangements for emergency management, serious incident management and standard operating procedures within Campus Safety and Security given their inter-relatedness.
5. Business Impact Analysis (BIA) means the process of analysing the activities and the effects that a business disruption might have upon them.  The BIA process seeks to identify the University's critical business processes, their resource and supplier dependencies, and associated recovery timeframes.
6. Crisis Management (CM) means the process through which the University will coordinate and manage its response to a disruptive event which may suddenly and adversely impact the reputation or strategic viability of the University. This may involve coordinating responses to events that do not necessarily disrupt the University's ability to deliver services but may, nevertheless, present a threat to the University's brand and reputation (eg adverse news trending on social media).
7. Disruption/Disruptive Event means an anticipated or unanticipated event which has the potential to harm the University during and after that immediate event.
8. Emergency Management (EM) Program means the program that ensures the University's immediate response to emergencies.
9. IT Disaster Recovery (ITDR) means the process of managing the continuity and recovery of critical technology infrastructure, systems, applications and digital services following a disruptive event.

Section 3 - Policy Statement

(8) The University will ensure that:

1. BCM is effectively implemented and maintained to minimise disruption. The BCM will consist primarily of the following elements: this Policy, Business Continuity and Crisis Management Frameworks, IT Disaster Recovery Framework, Business Continuity Plans, Training and Reporting
2. BCP’s are established to enable the recovery of critical business processes and to ensure all stakeholders including staff, students and the community, are appropriately informed and directed to enable response and recovery following a disruptive event
3. BCP’s are informed by analysis and take into consideration the University's disruption-related risks and risk appetite
4. BCP’s are regularly reviewed, tested, exercised and updated for validity, appropriateness and effectiveness
5. staff are aware of the need to appropriately prepare for, respond to and recover from disruptive events, and are provided appropriate training to meet their respective roles and responsibilities as part of the BCM
6. resources are allocated to support the scope and objectives of ongoing BCM, and
7. BC requirements are considered as part of the on-boarding of any new material supplier or third party and expectations are articulated via contractual agreements and service level agreements.

Roles and Responsibilities

(9) The Board of Trustees has overall responsibility for risk management across the University and it is responsible for approving this policy.

(10) The Audit and Risk Committee provides oversight to BCM Policy.

(11) The Vice-Chancellor and President is responsible for:

1. ensuring BCM practices are established and maintained in accordance with this Policy
2. communicating significant BCM matters to the Board and Audit and Risk Committee, and
3. ensuring that the BCM function is appropriately resourced and funded.

(12) The BCM Steering Committee:

1. is accountable for the ongoing oversight of BCM
2. provides strategic direction and monitors the management of BC activities
3. reviews and endorses the University-wide list of critical business processes
4. delegates responsibilities for the day-to-day management of BCM to the Senior Program Lead, Business Continuity and Resilience, and
5. delegates responsibility for review of BCP’s to appropriate Executive owners.

(13) Senior Program Lead, Business Continuity and Resilience:

1. leads BCM-related activities across the University, including the performance of business impact analyses, BCP development and training exercises
2. prepares reports as required to enable ongoing monitoring and oversight by the BCM Steering Committee and the Vice-Chancellor and President
3. updates and maintains this Policy and supporting frameworks
4. leads and supports staff to successfully complete BCM-related activities when required, and
5. reviews the impact on BCP as a result of any significant change at the University (eg significant organisational change and projects). This includes ensuring potential impacts are reviewed to identify and assess disruption-related risks that may be introduced by the proposed change.

(14) The Chief Information and Digital Officer is responsible for IT Service Continuity and IT Disaster Recovery processes, including the alignment of service levels and disaster recovery priority groups with recovery time objectives identified through BIA’s.

(15) Senior Management and Executives (DVC's/VP's, PVC's, Chief Officers, Deans, Campus Provosts, Executive Directors, Directors) are accountable for:

1. implementing relevant Policy requirements within the School, Division, or Business Unit. This includes linking to Unit Operational Risk Registers (refer Risk Management Policy) and subsequently developing, maintaining and validating recovery strategies, plans and requirements for their respective area
2. reviewing the output of the BIA process for their respective area, including the list of critical business processes identified
3. ensuring disruption-related risks identified by the School/Division/Business Unit are addressed in alignment with the University's Risk Management Policy
4. managing any risks relating to BCM within their respective area in accordance with the University's Risk Management Policy
5. ensuring sections of the BCP pertinent to their relevant area are reviewed and updated annually for currency, appropriateness, and completeness, and
6. completing BCM-related training and exercises as required.

(16) All Staff are required to be aware of this Policy, support and participate in the BCM-related activities such as the BIA’s, and undertake training as required.

Section 4 - Procedures

(17) This Policy will be implemented via the following BCM-related frameworks:

1. Business Continuity and Crisis Management Framework, and
2. IT Disaster Recovery Framework.

(18) These frameworks describe the analysis, planning, processes and approach through which this Policy will be executed across each key discipline (BC, CM, and IT Disaster Recovery).

(19) This Policy and supporting frameworks are further supported by the University's Procurement Policy as it relates to critical third parties.

(20) The frameworks have been designed to align and interact with one another given their inter-relatedness, as well as the broader arrangements for Emergency Management to promote a more effective and holistic response to disruptive events that may require the involvement of one or more of these disciplines.

Section 5 - Guidelines

(21) Nil.