• BSBCON601A - Develop and maintain business continuity plans

BSBCON601A
Develop and maintain business continuity plans

This unit describes the performance outcomes, skills and knowledge required to work within the business continuity framework to develop and implement business continuity plans in order for an organisation to manage risk and ensure business resilience when faced with a disruptive event. No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.

Application

This unit is for individuals working in positions of authority who are approved to implement change across the division, business area, program area or project area.

This unit addresses the knowledge and processes necessary to develop and maintain business continuity requirements. Business continuity awareness and planning help the organisation to identify barriers and/or interruptions, and to determine how the organisation will achieve critical business objectives (even at diminished capacity) until full functionality is restored.

The focus is on risk and vulnerability assessment, business impact assessments, and business continuity and communication plans.


Elements and Performance Criteria

ELEMENT

PERFORMANCE CRITERIA

1. Conduct risk and vulnerability assessments

1.1. Identify the relationship between corporate risk and the organisation's business continuity management framework

1.2. Analyse and determine internal and external risk context by collecting information that relates to the organisation's priorities, operations and environment

1.3. Analyse and identify potential internal and external sources of disruption to the organisation's priorities, operations and environment

2. Develop and report on the business impact assessment/s

2.1. Identify the organisation's critical business functions and their dependencies and interdependencies, and analyse and evaluate risks through the business impact assessment/s

2.2. Develop risk and disruption scenarios through the business impact assessment/s

2.3. Validate risk and disruption scenarios through the business impact assessment/s

2.4. Analyse, validate and report on the outcomes of the business impact assessment/s to management

3. Develop, implement and report on risk treatments

3.1. Develop and implement risk treatments

3.2. Participate in risk treatment review

3.3. Report on risk treatment review to management and relevant appropriate personnel

3.4. Update risk treatment review in line with feedback provided by relevant personnel

4. Determine interdependencies and develop response strategies

4.1. Develop the organisation's emergency response, continuity and recovery strategies

4.2. Consult and seek endorsement on the organisation's emergency response, continuity and recovery strategies from management and other appropriate personnel

4.3. Identify and manage synergies and conflicts in resource availability and access in conjunction with management

4.4. Coordinate the organisation's emergency response, continuity and recovery strategies

5. Establish the business continuity plan

5.1. Consult relevant personnel and seek support for the development of the organisation's business continuity plan/s

5.2. Ensure content of business continuity plan is comprehensive and meets, where applicable, the requirements of regulations, standards, industry practice and geographical dispersion

5.3. Document and analyse feedback received through consultation and finalise business continuity plan

5.4. Demonstrate accountability for the organisation's business continuity plan/s

6. Establish the communication plan within the organisation's planning framework

6.1. Identify stakeholders and determine objective and scope of communication plan for periods before, during and after disruptions occur

6.2. Determine organisation's communication capabilities in line with objectives and scope, and identify gaps and options for meeting shortfalls

6.3. Develop and implement across the organisation, appropriate risk and incident monitoring, reporting and escalation processes

7. Deliver business continuity professional development activities

7.1. Promote the application of the business continuity management framework and plan to all relevant personnel on an ongoing basis

7.2. Provide staff with appropriate information relating to the cyclical review process of the business continuity management plan

7.3. Conduct business continuity management plan exercises in line with the organisation's policies and procedures

7.4. Conduct post exercise debriefs, complete post exercise reviews and update business continuity strategies and plans as required

7.5. Manage and record staff learning and development in relation to the business continuity management framework in accordance with organisational requirements, and framework policies and procedures

7.6. Report on the outcomes of staff learning and development, and business continuity framework exercises to relevant personnel

Required Skills

Required skills

analytical skills to analyse relevant workplace information and data, and to make observations and connections between workplace tasks and interactions in relation to people, activities, equipment, environment and systems

communication, teamwork and leadership skills to:

read and interpret an organisation's reports, policies and procedures in order to develop business continuity management plan/s

effectively communicate and work with a diverse range of individuals at all levels during and after a disruptive event

effectively negotiate the trust and confidence of colleagues and stakeholders

effectively undertake detailed business impact assessment activities across the spectrum of the organisation's stakeholders

information technology skills to effectively respond to information technology issues

initiative and enterprise skills to generate a range of options in response to a disruptive event

planning and organisational skills to participate in or to establish the organisation's improvement and planning processes

presentation skills to develop and present reports or presentations that deal with complex ideas and concepts, and to articulate information and ideas clearly

research skills to undertake the necessary background research for risk and vulnerability assessment, business impact assessment and business continuity plan

risk management and project planning skills to effectively develop and execute potentially complex business continuity planning strategies and plans

stress management skills to work effectively and positively under the pressure of a major incident or situation within the workplace.

Required knowledge

Australian/New Zealand Standard AS/NZS 4360:2004Risk Management

Australian/New Zealand Standard HandbookAS/NZS HB221:2004 Business Continuity Management

organisation's policies and procedures, including business continuity strategies

overall operations of the organisation, including existing data and information systems, paper and digital recordkeeping systems

past and current internal, external and industry disruptions

relevant legislation and regulations that impact on business continuity, such as OHS, environment, duty of care, contract, company, freedom of information, industrial relations, emergency management, privacy and confidentiality, due diligence, records management

types of available insurance, what is required and insurance providers in relation to business continuity planning

types of available recoverable services.

Evidence Required

The Evidence Guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the following is essential:

knowledge of the organisation's overall business continuity framework and how it interrelates with the critical business functions

development and implementation of a business continuity plan that includes appropriate links to emergency response, disaster recovery plans and detailed continuity and recovery strategies

effective management of the communication and staff development activities relating to business continuity risk and vulnerability assessment.

Context of and specific resources for assessment

Assessment must ensure:

access to workplace business continuity documentation

access to feedback from teams and management.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

direct questioning combined with review of portfolios of evidence and third party workplace reports of on-the-job performance by the participant

work based projects or case studies

observation of presentations

oral or written questioning to assess knowledge of business continuity management framework and business continuity plans

review of documented critical success factors, and goals or objectives for area

review of risks prioritised for risk treatment and disruption scenarios

evaluation of business impact assessment

evaluation of business continuity and communication strategies and plans.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended.


Range Statement

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Corporate risk may include:

electronic information security

espionage/commercial confidence/sensitivity breach

governance

insolvency

major fraud

professional negligence - threat of major legal action against directors

Organisations may include:

commercial enterprises

community

government

non-commercial enterprises

not-for-profit

religious organisations

Risk may include:

aeronautical

armed hold-up

biological

chemical

civil disturbance

disability/death of key person

economic

electronic

erosion

explosion

fire

fraud

hazardous materials

industrial accident

infrastructure failure

market failure

natural disaster

operational collapse - insolvency

pandemic

pollution

privacy and confidentiality

radiological/nuclear

robbery and/or major vandalism

sabotage

structure failure

terrorism

transport accident

war

water

weather/climate change

Critical business functions may include:

business objectives

customer service functions

financial systems

human resource functions

management

OHS

organisational structure

payroll

records management

Dependencies may include:

office furniture

office supplies

personnel

support activities

systems and applications

vital records

Interdependencies may include:

communications

outsourcer and third party suppliers

power

sanitation

security

transport

water

Business impact assessment/s may include:

breach/reduction of customer service standards

cost/impact on existing and/or increased finance

escalating losses over time

impact of loss of business/resources

loss of revenue

potential fines/penalties/litigation costs

reputation/brand damage

statutory/regulatory breaches

Disruption scenarios may include:

damage to/loss of critical infrastructure

information and intelligence - unavailable

equipment and other assets - unavailable

litigation

loss of access to building

loss of access to precinct

loss of access to records and organisational information systems

loss of building

loss of communications - voice

loss of communications - data

loss of distribution chain

loss of information technology systems

loss of number and availability of staff, including key staff

not meeting legal and business requirements

partnership dependencies - denial of access to goods and services from suppliers, outsourcers

Management may include:

chief executive officer

company board

delegated business continuity management director/officer

department managers

directors

supervisors

Risk treatment may include:

activating evacuation plan

activating lockdown procedures

activating workplace emergency management plan

personnel working from home

relocation of facilities

temporarily suspending activities

transferring activities

Emergency response strategies may include:

contact lists to report incident/s

documentation/reporting/recording procedures

evacuation plan

location of evacuation assembly point

lock down procedures

names and responsibilities of wardens

personnel instructions for evacuation

process for accounting personnel

workplace emergency management plan

Continuity strategies may include:

action required to resume critical business activities to pre-disruption capacity

contact lists of critical personnel and stakeholders

counselling

critical business activities and prioritisation of when they can/need to resume

list of resources

relocation to alternative worksite

resource replacement

treatment for critical business activities

Recovery strategies may include:

customer confidence/relationship management

damage assessment

market re-establishment

process for assessing loss and filing insurance claims

relocation of business to original location

salvage and restoration of records, infrastructure and premises

Resources may include:

critical written and/or electronic records

emergency services

facilities and/or accommodation

finances

information technology infrastructure and applications management

insurance

personnel

plant and equipment

premises

telecommunications

Business continuity plan/s may include:

introduction

organisational details

objectives

purpose

critical business functions

assumptions

processes

activation and stand down

responsibility

version control and maintenance

operational requirements

critical success factors

interdependencies

outage times

compliance

people

structure

roles and responsibilities

contact details

continuity arrangements

accommodation

resources

workarounds and alternate solutions

continuity management tasks

communications

other plans

checklists

maps and drawings

Stakeholders may include:

chief executive officer

company board

customers

directors

families/next-of-kin

funders

local community

media

personnel

professional bodies

shareholders

relevant government minister/s and department/s

regulators

sponsors

suppliers

Communication plan may include:

accessibility

assumptions

audience

boundaries

business continuity terminology

capability

equipment

hierarchical organisational chart of internal and external emergency services personnel/delegates

mode

monitoring procedures

radio silence

reporting and recording procedures

sensitivities

Exercises may include:

drills

discussion exercises

modelling

planned walkthroughs

scenario planning and exercising

simulated exercises

testing


Sectors

Unit sector


Competency Field

Industry Capability - Continuity


Employability Skills

This unit contains employability skills.


Licensing Information

Not applicable.