• BSBCON601A - Develop and maintain business continuity plans

Develop and maintain business continuity plans

This unit describes the performance outcomes, skills and knowledge required to work within the business continuity framework to develop and implement business continuity plans in order for an organisation to manage risk and ensure business resilience when faced with a disruptive event. No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.


This unit is for individuals working in positions of authority who are approved to implement change across the division, business area, program area or project area.

This unit addresses the knowledge and processes necessary to develop and maintain business continuity requirements. Business continuity awareness and planning help the organisation to identify barriers and/or interruptions, and to determine how the organisation will achieve critical business objectives (even at diminished capacity) until full functionality is restored.

The focus is on risk and vulnerability assessment, business impact assessments, and business continuity and communication plans.

Elements and Performance Criteria



1. Conduct risk and vulnerability assessments

1.1. Identify the relationship between corporate risk and the organisation's business continuity management framework

1.2. Analyse and determine internal and external risk context by collecting information that relates to the organisation's priorities, operations and environment

1.3. Analyse and identify potential internal and external sources of disruption to the organisation's priorities, operations and environment

2. Develop and report on the business impact assessment/s

2.1. Identify the organisation's critical business functions and their dependencies and interdependencies, and analyse and evaluate risks through the business impact assessment/s

2.2. Develop risk and disruption scenarios through the business impact assessment/s

2.3. Validate risk and disruption scenarios through the business impact assessment/s

2.4. Analyse, validate and report on the outcomes of the business impact assessment/s to management

3. Develop, implement and report on risk treatments

3.1. Develop and implement risk treatments

3.2. Participate in risk treatment review

3.3. Report on risk treatment review to management and relevant appropriate personnel

3.4. Update risk treatment review in line with feedback provided by relevant personnel

4. Determine interdependencies and develop response strategies

4.1. Develop the organisation's emergency response, continuity and recovery strategies

4.2. Consult and seek endorsement on the organisation's emergency response, continuity and recovery strategies from management and other appropriate personnel

4.3. Identify and manage synergies and conflicts in resource availability and access in conjunction with management

4.4. Coordinate the organisation's emergency response, continuity and recovery strategies

5. Establish the business continuity plan

5.1. Consult relevant personnel and seek support for the development of the organisation's business continuity plan/s

5.2. Ensure content of business continuity plan is comprehensive and meets, where applicable, the requirements of regulations, standards, industry practice and geographical dispersion

5.3. Document and analyse feedback received through consultation and finalise business continuity plan

5.4. Demonstrate accountability for the organisation's business continuity plan/s

6. Establish the communication plan within the organisation's planning framework

6.1. Identify stakeholders and determine objective and scope of communication plan for periods before, during and after disruptions occur

6.2. Determine organisation's communication capabilities in line with objectives and scope, and identify gaps and options for meeting shortfalls

6.3. Develop and implement across the organisation, appropriate risk and incident monitoring, reporting and escalation processes

7. Deliver business continuity professional development activities

7.1. Promote the application of the business continuity management framework and plan to all relevant personnel on an ongoing basis

7.2. Provide staff with appropriate information relating to the cyclical review process of the business continuity management plan

7.3. Conduct business continuity management plan exercises in line with the organisation's policies and procedures

7.4. Conduct post exercise debriefs, complete post exercise reviews and update business continuity strategies and plans as required

7.5. Manage and record staff learning and development in relation to the business continuity management framework in accordance with organisational requirements, and framework policies and procedures

7.6. Report on the outcomes of staff learning and development, and business continuity framework exercises to relevant personnel

Required Skills

Required skills

analytical skills to analyse relevant workplace information and data, and to make observations and connections between workplace tasks and interactions in relation to people, activities, equipment, environment and systems

communication, teamwork and leadership skills to:

read and interpret an organisation's reports, policies and procedures in order to develop business continuity management plan/s

effectively communicate and work with a diverse range of individuals at all levels during and after a disruptive event

effectively negotiate the trust and confidence of colleagues and stakeholders

effectively undertake detailed business impact assessment activities across the spectrum of the organisation's stakeholders

information technology skills to effectively respond to information technology issues

initiative and enterprise skills to generate a range of options in response to a disruptive event

planning and organisational skills to participate in or to establish the organisation's improvement and planning processes

presentation skills to develop and present reports or presentations that deal with complex ideas and concepts, and to articulate information and ideas clearly

research skills to undertake the necessary background research for risk and vulnerability assessment, business impact assessment and business continuity plan

risk management and project planning skills to effectively develop and execute potentially complex business continuity planning strategies and plans

stress management skills to work effectively and positively under the pressure of a major incident or situation within the workplace.

Required knowledge

Australian/New Zealand Standard AS/NZS 4360:2004Risk Management

Australian/New Zealand Standard HandbookAS/NZS HB221:2004 Business Continuity Management

organisation's policies and procedures, including business continuity strategies

overall operations of the organisation, including existing data and information systems, paper and digital recordkeeping systems

past and current internal, external and industry disruptions

relevant legislation and regulations that impact on business continuity, such as OHS, environment, duty of care, contract, company, freedom of information, industrial relations, emergency management, privacy and confidentiality, due diligence, records management

types of available insurance, what is required and insurance providers in relation to business continuity planning

types of available recoverable services.

Evidence Required

The Evidence Guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the following is essential:

knowledge of the organisation's overall business continuity framework and how it interrelates with the critical business functions

development and implementation of a business continuity plan that includes appropriate links to emergency response, disaster recovery plans and detailed continuity and recovery strategies

effective management of the communication and staff development activities relating to business continuity risk and vulnerability assessment.

Context of and specific resources for assessment

Assessment must ensure:

access to workplace business continuity documentation

access to feedback from teams and management.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

direct questioning combined with review of portfolios of evidence and third party workplace reports of on-the-job performance by the participant

work based projects or case studies

observation of presentations

oral or written questioning to assess knowledge of business continuity management framework and business continuity plans

review of documented critical success factors, and goals or objectives for area

review of risks prioritised for risk treatment and disruption scenarios

evaluation of business impact assessment

evaluation of business continuity and communication strategies and plans.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended.

Range Statement

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Corporate risk may include:

electronic information security

espionage/commercial confidence/sensitivity breach



major fraud

professional negligence - threat of major legal action against directors

Organisations may include:

commercial enterprises



non-commercial enterprises


religious organisations

Risk may include:


armed hold-up



civil disturbance

disability/death of key person







hazardous materials

industrial accident

infrastructure failure

market failure

natural disaster

operational collapse - insolvency



privacy and confidentiality


robbery and/or major vandalism


structure failure


transport accident



weather/climate change

Critical business functions may include:

business objectives

customer service functions

financial systems

human resource functions



organisational structure


records management

Dependencies may include:

office furniture

office supplies


support activities

systems and applications

vital records

Interdependencies may include:


outsourcer and third party suppliers






Business impact assessment/s may include:

breach/reduction of customer service standards

cost/impact on existing and/or increased finance

escalating losses over time

impact of loss of business/resources

loss of revenue

potential fines/penalties/litigation costs

reputation/brand damage

statutory/regulatory breaches

Disruption scenarios may include:

damage to/loss of critical infrastructure

information and intelligence - unavailable

equipment and other assets - unavailable


loss of access to building

loss of access to precinct

loss of access to records and organisational information systems

loss of building

loss of communications - voice

loss of communications - data

loss of distribution chain

loss of information technology systems

loss of number and availability of staff, including key staff

not meeting legal and business requirements

partnership dependencies - denial of access to goods and services from suppliers, outsourcers

Management may include:

chief executive officer

company board

delegated business continuity management director/officer

department managers



Risk treatment may include:

activating evacuation plan

activating lockdown procedures

activating workplace emergency management plan

personnel working from home

relocation of facilities

temporarily suspending activities

transferring activities

Emergency response strategies may include:

contact lists to report incident/s

documentation/reporting/recording procedures

evacuation plan

location of evacuation assembly point

lock down procedures

names and responsibilities of wardens

personnel instructions for evacuation

process for accounting personnel

workplace emergency management plan

Continuity strategies may include:

action required to resume critical business activities to pre-disruption capacity

contact lists of critical personnel and stakeholders


critical business activities and prioritisation of when they can/need to resume

list of resources

relocation to alternative worksite

resource replacement

treatment for critical business activities

Recovery strategies may include:

customer confidence/relationship management

damage assessment

market re-establishment

process for assessing loss and filing insurance claims

relocation of business to original location

salvage and restoration of records, infrastructure and premises

Resources may include:

critical written and/or electronic records

emergency services

facilities and/or accommodation


information technology infrastructure and applications management



plant and equipment



Business continuity plan/s may include:


organisational details



critical business functions



activation and stand down


version control and maintenance

operational requirements

critical success factors


outage times




roles and responsibilities

contact details

continuity arrangements



workarounds and alternate solutions

continuity management tasks


other plans


maps and drawings

Stakeholders may include:

chief executive officer

company board





local community



professional bodies


relevant government minister/s and department/s




Communication plan may include:





business continuity terminology



hierarchical organisational chart of internal and external emergency services personnel/delegates


monitoring procedures

radio silence

reporting and recording procedures


Exercises may include:


discussion exercises


planned walkthroughs

scenario planning and exercising

simulated exercises



Unit sector

Competency Field

Industry Capability - Continuity

Employability Skills

This unit contains employability skills.

Licensing Information

Not applicable.