Organization Development

MISSIONPOSSIBLE.pdf

Home >Business & Finance homework help >Operations Management homework help >Organization Development

Journal of Business Continuity & Emergency Planning Volume 9 Number 3

Mission possible: Building an effective business continuity team in seven steps

David Porter Received (in revised form): 15th October, 2015 Australian Taxation Office, 125 Henry Street, Penrith, NSW 2750 Australia Tel: +61 02 472 40293; E-mail: david.porter@ato.gov.au

David Porter has been the Director o f Business Continuity Management (BCM) at the Australian Taxation Office since September 2010. He has also chaired a whole-of-governm ent BCM Community o f Practice, with members from over 35 Commonwealth and state-based agencies. David and his team provide regular mentoring support for other organisations and have con tributed towards readiness activities across the public sector and wider finance industries. David is a regular presenter at industry events and contributor to the Business Continuity Institute Oceania 2020 think-tank. As well as leading sev eral enterprise-wide responses to business interruptions and natural disasters, David has guided senior executive groups through detailed crisis simulation testing and exercises.

A bstract Several books and studies exist on the creation, development and benefits o f high-petforming teams; m any others offer insights into the busi ness continuity management (B C M ) disci pline, crisis response and planning. Very rarely, however, do they cover both. This paper will explore the seven main development areas that helped build the foundation fo r a successful and high-performing B C M team in the Australian Taxation Office. Practical, actionable advice will be provided, recognising that the task fo r those starting out can be quite daunting and complex.

Keywords: centralised, integrated, gov ernment, mature, resilience, team

INTRODUCTION T h e A ustralian T axation O ffice (A T O ) is th e A ustralian g o v e r n m e n ts p rin c ip a l re v e n u e c o lle c tio n agency. Its ro le is to m an ag e a n d shape th e tax, excise an d s u p e ra n n u a tio n systems. D u r in g a financial year, it collects ov er A U S $ 4 0 0 b n , issues re fu n d s w o r th o v e r A U S $ 9 0 b n an d receives a b o u t 10 m illio n p h o n e calls fro m cu sto m ers. T h e A T O is o n e o f Australia's largest g o v e rn m e n t agencies, w ith 2 1 ,0 0 0 em ployees in 4 0 buildings across A ustralia.

T h e A T O ’s in te g ra te d business c o n tin u ity m a n a g e m e n t (B C M ) fra m e w o rk ensures th e A T O rem ains resilient fro m business in te rru p tio n s , crisis events an d n atu ral disasters, th ro u g h ce n tralised p la n n in g an d in te g ra te d 2 4 - h o u r responses.

T h e A T O B C M te a m is a centralised te a m o f n in e p e o p le , w h ic h leads an d m anages th e B C M fram ew o rk . T h e te a m ’s b ro a d scope o f responsibilities in c lu d e th e follow ing:

• tw e n ty - f o u r - h o u r response, triag e a n d crisis m a n a g e m e n t fo r d is ru p tio n s affecting A T O business o p eratio n s;

• ce n tralised p o lic y d e v e lo p m e n t, c o n tin g ency arra n g e m e n ts a n d B C M re so u rc ing;

• a system ic a p p ro ach to assessing an d im p ro v in g th e re silie n c e o f c ritic a l resources;

• in te g ra tio n o f th e business c o n tin u ity discipline across all business areas (eg

D a v id Porter

Journal o f Business Continuity & Emergency Planning Vol. 9, No. 3, pp. 239-250 © 1 Icnry Stewart Publications, 1749-9216

Page 239

mailto:david.porter@ato.gov.au

Building an effective business continuity team in seven steps

p e o p le , b u ild in g s, system s, security, in te rn a l an d e x te rn a l co m m u n ic a tio n s);

• le a d in g th e A T O ’s e x te rn a l responses fo r n atu ra l disasters a n d s u p p o rtin g w h o le - o f-g o v e rn m e n t responses;

• p ro v id in g assurance fo r e m e r g in g threats, e m e rg e n c y preparedness an d IT disaster re co v ery te stin g a n d re p o rtin g ;

• c h a ir in g a c ro ss-ag en c y B C M C o m m u n ity o f P ractice w ith ov er 35 m e m b e r agencies; an d

• m a in ta in in g p artn e rsh ip s across g o v e rn m e n t an d th e B C M industry.

T h e e v o lu tio n o f th e A T O B C M team in to an a w a rd -w in n in g capability was a progressive j o u r n e y ov er a fe w years. T h is is m ain ly d u e to th e large an d c o m p le x n a tu re o f th e A T O ’s o p eratio n s, critical fu n c tio n s a n d s u p p o rtin g resources. T h e a p p ro ach p ro p o se d in this pap er, how ever, is scalable a n d ca n b e ap p lied to sm aller organisations a n d c o u ld b e ac h ie v ed in a s h o rte r tim efram e.

SEVEN STEPS TO BUILDING AN EFFECTIVE BCM TEAM T h e seven steps d e sc rib e d b e lo w re p resen t th e m a in d e v e lo p m e n t areas in v o lv ed in b u ild in g th e A T O B C M team . T h e y are scalable based o n th e size o f an organisa tio n an d its com plexity. As th e y are p ro gressively im p le m e n te d , th e strategic focus o f th e o rg a n is a tio n ’s B C M ca p ab ility w o u ld shift fro m b e in g re activ e a n d r e s p o n s e -d riv e n to p ro a c tiv e an d re silien c e-fo c u sed .

T h e size a n d c o m p le x ity o f th e o rg a n i sation w ill d e te r m in e h o w m u c h tim e is re q u ire d to im p le m e n t each step.

STEP 1: GENERATE THE NEED - WHY IS THIS NECESSARY? S e n io r executive su p p o rt is c ritica l to e stab lish in g a successful B C M te a m .

S e c u rin g th a t se n io r s u p p o rt can be a c h a lle n g in g task, w ith critical d ec isio n m akers ju g g lin g m a n y c o m p e tin g p r io r i ties. T h e key is b e in g able to effectively d e m o n stra te th e n e e d a n d value o f an in te g ra te d B C M fram ew o rk , to th e p o in t w h e re its absence w o u ld place business critical fu n c tio n s o r c o m m e rc ia l viability at risk.

T h e r e are several activities th a t can help b u ild an effective business case fo r a B C M te a m to b e established to s u p p o rt an in te g ra te d B C M fram ew o rk . As m o st tran sfo r m atio n al ch a n g e w ith in organisations is m a n a g e d th ro u g h a p ro je c t m a n a g e m e n t m e th o d o lo g y , th e fo llo w in g activities c o u ld b e w o v e n in to a c o m p e llin g sto ry o f assurance, capability o r c o m p e titiv e advan tage th a t w o u ld h elp gain ex ecu tiv e su p p o r t an d p ro je c t sponsorship:

• P e rfo rm a th o ro u g h re v ie w o f all c riti cal in cid en ts th a t th e o rg a n isa tio n has faced a n d id e n tify any significant o r re c u rrin g v u ln erab ilities th a t a B C M te a m a n d fra m e w o rk c o u ld have addressed. W h e r e critica l in c id e n ts have b e e n fe w o r rare, this analysis m ay also h ig h lig h t th a t several sm aller o r re c u r rin g in c id e n ts c o u ld g e n e ra te c u m u la tive im pacts fo r th e o rg a n isa tio n over tim e.

• Id en tify costs in c u rr e d fro m prev io u s in cid en ts, in te rm s o f staffing, rev en u e o r o p e ra tio n a l costs, w h ic h c o u ld p r o v id e a financial in c e n tiv e to resolve.

• P e rfo rm an a u d it o r ask in te rn a l a u d it to assess th e o rg a n isa tio n s B C M capa bility against IS O 22301 a n d an y o th e r specific g o v ern a n c e fram ew o rk s appli cable to th e o rg an isatio n .

• Investigate h o w in c id e n ts are m a n a g e d afte r h o u rs . C o u ld a single o n -c a ll te a m m a n a g e th e m a jo rity o f lo w -le v e l issues w i t h o u t r e q u ir in g m u ltip le p e o p le to b e o n call o r w o k e n u p d u r in g th e n ig h t?

Page 240

• Id e n tify an e x te rn a l ev e n t locally o r overseas th a t ca n b e tested against th e o rg a n isa tio n ’s response capability. Assess i f th e re are any id e n tifie d gaps th a t c o u ld b e addressed by a centralised a p p ro a c h to response an d p lan n in g .

• Assess th e resources allo cated to B C M p la n n in g a n d response, in c lu d in g th o se w h e re B C M fo rm s p a r t o f a role. A re th e re areas w h e re th e re is m u ltip le o r d u p lic a te d effort? A nalyse i f a sm aller single te a m c o u ld o p e ra te in a m o re efficien t m a n n e r.

• J o in a lo cal ch a p te r o f th e Business C o n tin u ity In stitu te a n d a tte n d B C M in d u s try co n fere n ces o r n e tw o rk s .T h e re are several exam ples o f m e th o d o lo g ie s freely available across m o st in d u stries th a t c o u ld serve as g u id a n c e o r tem plates.

• S eek im p le m e n ta tio n g u id a n c e fro m an a c c re d ite d B C M consultancy.

S ince it was established, th e A T O B C M te a m has carefully n u rtu re d executive sup p o r t, w h ic h has seen th e te a m ’s re la tio n ship across th e ex ecu tiv e g ro u p gradually shift fro m an e m e rg e n c y b ac k sto p w h e n th in g s w e n t w ro n g to a proactive tru ste d adviser. T h is was p a rtic u la rly e v id e n t d u r in g readiness activities fo r n atu ra l disas ters a n d significant ev e n t p lan n in g , su ch as th e G 2 0 S u m m it in B risb a n e in N o v e m b e r 2014.

It was in late 2 0 0 9 th a t in te rn a l an d e x te r n a l a u d it re c o m m e n d a tio n s h ig h lig h te d th e n e e d fo r th e A T O to s tre n g th e n its B C M arra n g e m e n ts in line w ith its e v o lv in g a n d natio n ally m an ag e d business o p e ra tio n s. O v e r th e n e x t five years, th e A T O fo c u sed o n th e fo u n d a tio n areas o f th e B C M discipline, in lin e w ith re co g n ised standards (initially BS 2 5 9 9 9 an d , later, IS O 22301).

A n in itial p ro je c t g e n e ra te d th e fu n d a m e n ta l ele m e n ts o f th e A T O B C M fram e w o rk , w h ic h was s u p p o rte d b y th e A T O

executive as an o n g o in g p ro g ra m m e . W ith th is o n g o in g p ro g r a m m e m a n a g e m e n t ap p ro ach , th e A T O B C M te a m e x p a n d e d as areas o f th e B C M fra m e w o rk m a tu re d a n d f u r th e r o p p o rtu n itie s to in te g ra te readiness an d response a rra n g e m e n ts across th e o rg a n isa tio n w e re id e n tifie d a n d e x p a n d ed .

STEP 2: ESTABLISH TOP-DOWN GOVERNANCE - WHO IS IN CHARGE? A n effective B C M te a m requires o n g o in g sp o n so rsh ip at th e h ig h e s t level. T h is in c lu d e s n o m in a tin g an o rg a n isa tio n a l crisis leader, w h o assum es overall c o n tro l a n d re sp o n sib ility d u r in g crisis events. Ideally, th e crisis le a d e r is th e c h a ir o f th e m o st se n io r crisis m a n a g e m e n t o r response te a m a n d th e B C M sponsor. W h ile m u lti p le p o sitio n s o r individuals m ay have this capability, activ atin g a single crisis lead er fo r each response ensures a clear c o m m a n d an d c o n tro l stru ctu re .

T h e crisis lead e r sh o u ld he s u p p o rte d b y a scalable crisis m a n a g e m e n t response. T h e A T O uses a tie re d ap p ro ach , w ith th re e different crisis m a n a g e m e n t team s able to b e activated d e p e n d in g o n th e severity o f th e event. L o w -le v el crisis m a n a g e m e n t team s w ill be activated to re sp o n d to lo w -im p a c t events such as an u n p la n n e d ev acu atio n . T h e crisis m a n a g e m e n t te a m th a t responds to h ig h -lev e l events, su ch as disasters o r fatalities, is m o re se n io r in re p re se n ta tio n and, in th e A T O , it rep resen ts all m e m b e rs o f th e B C M steer in g c o m m itte e , plus several specialist areas. T h e A T O scalable ap p ro ach also su p p o rts ‘c re e p in g ’ events, w h ic h m ig h t start o f f at a lo w level o f im p act, b u t escalate in severity ov er tim e. O n c e a crisis m a n a g e m e n t te a m has b e e n activated, all o th e r m a n a g e m e n t activities are su sp e n d e d a n d th e crisis lead e r has e n te r p ris e -w id e a u th o rity over all business activities.

Building an effective business continuity team in seven steps

E x ec u tiv e g o v ern a n c e fo r B C M sh o u ld o c c u r th ro u g h an executive B C M ste e rin g c o m m itte e . A B C M ste e rin g c o m m itte e ca n play a pivotal ro le in h e lp in g shape a B C M capability in to p ro v id in g a to p - d o w n v ie w o f critic a lity an d p rio rity across th e w h o le o rg an isatio n . S ta n d in g m e m b e rsh ip o f th e A T O ’s B C M ste e rin g c o m m itte e in clu d es th e fo llo w in g p osi tio n s (w ith th e ir A u stra h an P u b lic S ervice g ra d e ):

• S eco n d C o m m issio n er, People, Systems a n d Services G ro u p (Chair);

• D e p u ty C o m m is s io n e r, S erv ice D elivery;

• C h ie f In fo rm a tio n O fficer; • D e p u ty C o m m is s io n e r, Tax

P ra c titio n e r, L o d g e m e n t S trategy and C o m p lia n c e S u p p o rt;

• C h i e f F in a n c e O fficer; • A ssistant C o m m issio n e r, P ro p e r ty &

S ecu rity ; • A ssistant C o m m issio n e r, C o n ta c t c e n

tres an d B C M ; and • B C M N a tio n a l D ire c to r (Secretariat).

T h e B C M ste e rin g c o m m itte e has th e responsibility an d a c c o u n ta b ility to:

• review, approve a n d p rio ritis e th e B C M capability p ro g ra m m e strategy;

• approve B C M g o v ern a n c e policies and assurance activities;

• sp o n so r p ro jects alig n ed to increasing o rg an isatio n al resilience;

• re v ie w an d approve th e B C M capability p ro g ra m m e o f w o rk ;

• resolve m a jo r strateg ic a n d / o r o p e ra tio n a l B C M issues; an d

• act as th e g a te k e e p e r fo r all B C M p r o cedures.

S h o rtly after th e A T O B C M ste e rin g c o m m itte e was established, th e c h a ir evolved to b e c o m e th e o rg a n isa tio n ’s crisis le a d e r a n d B C M sponsor, w h ic h h e lp e d

th e te a m c u t th ro u g h organisational b a r r i ers o r stalem ates. T h is strategic shift h e lp e d th e B C M te a m p a r tn e r closely w ith th e areas responsible fo r p ro v id in g th e critical resources th a t th e o rg a n isa tio n relies u p o n , in c lu d in g p eo p le, b u ildings, systems, secu rity, c o m m u n ic a tio n s, data a n d suppliers.

T h e A T O B C M fra m e w o rk a d d itio n ally provides a n n u a l re p o rtin g to th e A T O executive c o m m itte e a n d th e A T O R is k a n d au d it c o m m itte e . T h e s e tw o p e a k in te rn a l fo ru m s p ro v id e c o rp o ra te -le v e l in p u t a n d sc ru tin y o f th e A T O B C M capability. P o s t-in c id e n t b riefin g s are also p ro v id e d to th ese fo ru m s fo llo w in g m a jo r response activities.

STEP 3: SET PRIORITISATION AND CRITICALITY - NOT EVERYTHING IS IMPORTANT W ith effective g o v e rn a n c e in place, th e n e x t phase o f b u ild in g an effective B C M te a m is establishing an o rg an isatio n al v ie w o f critica lity an d p rio rity . E ffective B C M p la n n in g an d response w ill o fte n b e lo st in a m y ria d o f grass-roots areas all claim in g to b e critical, w ith n o clear ra tio n a le fo r such status.

T h e p re -e x istin g b o tto m - u p a p p ro ach to id e n tify in g critica lity resu lted in alm ost h a lf o f th e A T O ’s fu n c tio n s b e in g self- assessed as critical. T h is ju m b le d v ie w o f critica lity re su lted in fra g m e n te d p la n n in g a n d responses s u p p o rtin g different p r io r i ties across th e co u n try . T h e B C M team th e re fo re d ev e lo p e d an e n te rp ris e -w id e business im p a c t assessm ent process to assess th e critica lity o f th e A T O ’s fu n c tio n s m o re system atically. T h is pro cess was im m a tu re in its first ite ra tio n , b u t as it evolved, it has h e lp e d create a m o re c o n sistent ap p ro ach tow ards id e n tify in g an d p ro te c tin g critical fu n ctio n s.

A n im p o rta n t feature o f th e n e w b usi ness im p a c t assessm ent process was th e d e v e lo p m e n t o f th e A T O p rio ritie s fo r

Page 242

Ensure people are safe

Maintain reputation and community confidence in order to support effective tax administration

Maintain communication

with stakeholders

Maintain tax Maintain transfers

Maintain Continue agent revenue obligations to

services streams partners

Maintain confidentiality and integrity

of information

Contain the threat effectively

B C M m o d e l (see F igure 1). T h is m o d e l d re w fro m th e suite o f c o rp o ra te p la n n in g a n d strategy d o c u m e n ts to id en tify a series o f s u c c in c t p rio ritie s th a t th e o rg a n isa tio n n e e d e d to p ro te c t to re m a in fu n c tio n a l. T h e m o d e l was e n d o rse d b y th e A T O ex ecu tiv e a n d b e c a m e a to o l to m o d e ra te a to p - d o w n v ie w o f critica lity across th e o rg a n isa tio n . C ritic a l fu n c tio n s w e re n o w able to b e co n siste n tly assessed against spe cific im p acts to th e elem e n ts o f this m o d e l an d th e c o n se q u e n c e s o f th e ir unavailabil ity clearly id en tified . T h is e n su re d th a t n o t ju s t th e p o p u la r o r th e m o st vocal fu n c tio n s w e re id e n tifie d as critical. T h e n ew ly estab lish ed B C M s te e r in g c o m m itte e m a n a g e d any e x c e p tio n s an d p ro v id e d final e n d o r s e m e n t o f th e m a x im u m to le r able p e r io d o f d is ru p tio n ap p lied to each critical fu n c tio n .

As th e m o d e l was applied, th e B C M te a m id e n tifie d th a t several business fu n c tions, w h ic h h a d trad itio n ally self-assessed as h a v in g a h ig h level o f criticality, d id n o t in fact re q u ire a critical level o f response o r p la n n in g . T h is was f u r th e r re in fo rc e d by th e results o f specific sim ulations th a t tested a n d m e a su re d th e im p acts o f o u t

ages against th e A T O p rio ritie s fo r B C M m o d el.

S in ce e m b e d d in g th is m e th o d o lo g y in to th e b u sin ess im p a c t assessm en t process, th e A T O B C M te a m has b e e n able to p ro v id e a sin g le, e x e c u tiv e e n d o rs e d v ie w o f e n te r p ris e c ritic a lity th a t ca n b e u sed fo r business d e c is io n m a k in g in a v a rie ty o f c o n te x ts , n o t ju s t B C M .

STEP 4: USE A CENTRALISED CAPABILITY - ONE PLACE, ONE STORY Effective e n te r p ris e -w id e B C M p la n n in g a n d resp o n se requires a single source o f tr u th an d a single cap ab ility th a t c o n n e c ts a n d c o o rd in a te s th e v ario u s p arts a n d efforts o f th e o rg a n isa tio n to g e th e r. A lm o st all in c id e n ts re q u ire in p u t from m o re th an o n e p a rt o f th e o rg a n isa tio n , a n d a c e n tralised capability can ensure th a t th e rig h t stakeholders a n d su b ject ex p e rts are c o n n e c te d an d p ro v id e d w ith c o n sisten t in fo r m a tio n sim ultaneously.

P r io r to 2 0 0 9 , th e A T O s B C M m o d e l was larg e ly re s p o n s e -d riv e n , w ith a

Building an effective business continuity team in seven steps

re g io n a l a p p ro a c h . T h e r e w e re m a n y B C M c o o rd in a to rs w ith fra g m e n te d plans s c a tte re d t h r o u g h o u t th e c o u n try . T h r o u g h n e tw o r k in g w ith o th e r o rg a n i sations, it appears m a n y still fo llo w th is m o d e l. T h is results in responses to in c i d en ts o fte n b e in g m a n a g e d in c o n siste n tly at e a ch lo c a tio n , w ith d iffe rin g p rio ritie s a n d o fte n co n sid erab le d u p lic a te d effort. M u ltip le areas re sp o n d to in c id e n ts an d n o single so u rc e o f tr u th exists w ith in th e o rg a n isa tio n to in fo rm critica l d e c isio n m ak in g .

As th e A T O b eg a n stre n g th e n in g its B C M arra n g e m e n ts, it was q u ic k ly re co g n ised th at, to efficiently p e r fo rm these tasks at an e n te rp rise level, th e ex istin g fra g m e n te d a p p ro a c h n e e d e d to be c h a n g e d a n d a single B C M te a m was established.

O t h e r drivers fo r establishing a c e n tralised capability in c lu d e th e follow ing:

• increases in efficiency a n d co n sisten cy g a in e d th ro u g h a cen tralised m o d el;

• th e in creasin g assurances o f c o n tin u ity re q u ire d fro m g o v e rn m e n t agencies;

• addressing issues w ith fra g m e n te d p la n n in g an d response activities;

• establishing a single, tru s te d so u rc e o f tr u th across th e o rg a n isa tio n to enable sw ift critical d e c isio n -m a k in g d u rin g readiness o r crisis events; an d

• e n su rin g c o rp o ra te o w n e rsh ip o f B C M p o lic y a n d strategy d e v e lo p m e n t.

T h e c u r re n t A T O B C M fra m e w o rk was initially established as a p ro je c t a n d m a n ag e d th ro u g h th e A T O s p ro je c t m a n a g e m e n t office. T h e p ro je c t te a m was small an d fo r m e d th e n u cleu s o f th e fu tu re B C M te a m ’s stru ctu re . T h e te a m o f five was tasked w ith th e fo llo w in g activities:

• D e v elo p a B C M c o r p o ra te p o lic y an d id en tify th e m e m b e rsh ip fo r a B C M ste e rin g co m m itte e .

• Establish a set o f o rganisational p r io r i ties for B C M , to b e e n d o rse d by th e A T O executive (see F ig u re 1)

• A lign th e n e w A T O B C M fram ew o rk to g o v e rn m e n t re q u ire m e n ts an d an applicable in d u s try stan d ard (BS 25999 was th e standard in effect at th e tim e).

• D e v elo p a scalable, cen tralised response fram ew o rk (see F igure 2) th a t places th e B C M te a m at th e c e n tre o f all responses, c o o r d in a tin g th e activities across m u ltip le response areas.

• Establish a 2 4 - h o u r response capability th ro u g h a ce n tral c o n ta c t line.

• In itiate a to p - d o w n business im p a c t assessm ent process across th e organisa tio n .

• Id e n tify m a in le a rn in g s fro m p r io r responses a n d use th e m as m itig a tio n strategies in c o n tin g e n c y p la n n in g an d fo r co d ify in g response activities.

• In te g ra te response a rra n g e m e n ts w ith o th e r o rg a n isa tio n a l re sp o n se areas, in c lu d in g I T in c id e n t m a n a g e m e n t, facilities in c id e n t m a n a g e m e n t, security, c o m m u n ic a tio n s a n d p e o p le m a n a g e m e n t.

T h ese initial activities addressed issues o f timeliness and duplication w ith response arrangem ents and created m o re certainty fo r the executive and ow ners o f critical func tions. Establishing th e 2 4 -h o u r response capability provided co o rd in atio n across vari ous areas an d allowed th e B C M team to m anage im p o rta n t issues w ith in p re approved tolerance levels o r severity, w ith o u t m ultiple business areas rem aining o n call.

As w ell as id e n tify in g m a in learn in g s fro m th e few p re -e x istin g in te rn a l p o st in c id e n t review s, th e B C M te a m also utilised th e findings an d re c o m m e n d a tio n s fro m p u b licly available review s in to signif ic a n t disaster events an d g o v e r n m e n t re p o rts .1 F o r exam ple, several c h a rac te ris tics o f effective c o m m u n ic a tio n s w e re h ig h lig h te d in n a tu ra l disaster review s fo r

Page 244

P o rter

placed o n id e n tify in g p erso n al resilience, d e c isio n -m a k in g an d lead e rsh ip qualities. W h ile m o st te a m m e m b e rs are re c ru ite d internally, so m e g ra d u a te a n d e x te rn a l applicants have jo in e d th e te a m at v ario u s tim es. In te rn a l A T O staff w ith a w o rk in g k n o w le d g e o f c ritic a l fu n c tio n s have p ro v e n especially valuable in d ev e lo p in g B C M strategies to s u p p o rt these areas.

To ensure th e te a m m e m b e r s ’ v a rie d skills are successfully ap p lied to th e B C M discipline, all staff are tra in e d an d certified w ith th e Business C o n tin u ity In stitu te . A c o n d itio n o f re m a in in g in th e team is passing th e e x a m an d m a in ta in in g profes sio n al m e m b e r s h ip w ith th e In stitu te . U p o n j o in in g th e team , n e w m e m b e rs w ill le a rn th e skills re q u ire d fo r th e j o b by fol lo w in g a staff d e v e lo p m e n t m an u al. T h e

bushfires an d flo o d in g events w ith re c o m m e n d a tio n s fo r local e m e rg e n c y a u th o r i ties. T h e A T O B C M te a m in c o rp o r a te d th ese re c o m m e n d a tio n s in to a concise c o m m u n ic a tio n s m a trix , w h ic h provides clear g u id a n c e to a crisis m a n a g e m e n t te a m o n th e a p p ro p ria te tim in g , c o n te n t a n d d eliv ery o f im p o rta n t m essages d u rin g a crisis.

A n a ly sin g th e findings fro m do m estic a n d in te rn a tio n a l events has allow ed th e A T O B C M te a m to a d o p t applicable strategies, even i f th e agency has n o t to d ate n e e d e d to re sp o n d to p a rtic u la r types o f events.

M e m b e rs o f th e A T O B C M te a m are h a n d -p ic k e d speciahst staff, selected fo r th e ir specific k n o w le d g e , e x p e rie n c e an d capabilities. D u r in g selec tio n , em phasis is

Page 245

Building an effective business continuity team in seven steps

T able 1: C u rren t A T O B C M te a m roles an d d u ties

Role Responsibilities and duties

National Director

Assistant Director Response

Assistant Director Resilience

Project Manager Information Technology Infrastructure Library (ITIL) Project Manager Response

Project Manager Risk/Business Impact Assessment

Project Manager Buildings

Project Manager People

Project Manager Policy

Team direction, strategy and representation in external forums and industry; chairs Australian Public Service BCM Community o f Practice Primary 24/7 response lead and runs BCM control room; conducts all simulations and readiness activities BCM subject expert delivers strategic resilience projects and manages cyclical resilience assessment process Manages all links between IT and BCM across all information technology and infrastructure library areas; provides single centralised business approvals and input Conducts post-incident reviews, codifies responses and learnings and leads all training and awareness activities Cyclical review o f business impact assessment and critical resource analysis; performs resilience assessments and links to enterprise risk Oversight o f emergency preparedness and testing at all sites, input to weekly building works, contingency plans Primary staff health/safety lead; manages and negotiates enterprise overtime register; social media liaison Manages all governance activities and policy development; identifies team learnings from external responses

m a n u a l guides th e te a m m e m b e r in th e re q u ire d k n o w le d g e at ea ch stage o f th e ir d ev e lo p m e n t.

Table 1 show s h o w th e te a m ’s w o rk is b ro a d ly d iv id ed to ensure each p o sitio n has clear responsibility, b u t also natural to u c h p o in ts w ith o th e r roles to ensure shared k n o w le d g e a n d u n d e rsta n d in g o f processes. W ith close d e p e n d e n c ie s o n o th ers, te a m m e m b e rs find th e y o rg a n i cally b e c o m e fam iliar w ith th e w o rk o f o th e rs a n d can q u ick ly step in to assist w h e re re q u ire d . T h is strategy builds co llec tive resilience w ith in th e team .

T h e te a m p ro v id es 2 4 - h o u r tria g e response coverage, w ith afte r-h o u rs, o n - call a rra n g e m e n ts m an ag e d an d ro tate d th ro u g h th e te a m o n a ro stered basis. A v a rie ty o f m o b ile te c h n o lo g ie s an d devices are u se d to s u p p o rt a fte r-h o u rs responses a n d th e te a m w ill regularly test h o w to m a n ag e a resp o n se rem otely.

D u r i n g a larg e -sca le response, te a m m e m b e r s w ill su sp e n d all n o n - c r itic a l

duties, ie th o se w h ic h ca n b e d eferre d , a n d p e rfo rm response duties. A c o n tro l r o o m is activated d u rin g a response an d all te a m m e m b e rs are fully co n v e rsan t w ith lead in g th e c o n tro l ro o m a n d m a n a g in g responses.

T h e c u r r e n t A T O B C M team o f n in e is le d b y a n a tio n a l d irec to r, w h o has re sp o n sibility fo r e n s u rin g th e te a m ’s activities d eliver th e e n d o rs e d B C M p ro g ra m m e o f w o rk . T h e n a tio n a l d ire c to r re p o rts to an assistant c o m m is s io n e r w h o s e p o rtfo lio in clu d es B C M and, g iv en th e ir h ig h c r iti cality, c o n ta c t centres. T h e assistant c o m m is sio n e r assists w ith ro u tin e a u th o risa tio n s a n d s u p p o rt in a tte n d in g se n io r c o r p o ra te forum s.

T eam h a r m o n y has b e e n a c h ie v e d th ro u g h b u ild in g a c u ltu re o f respect, tru st an d exc ellen ce in all activities. H a v in g a series o f te a m custom s, s u c h as sh a rin g h u m o ro u s q u o te s, social events a n d ce le b ra tin g in d iv id u a l ac h ie v em en ts, helps th e te a m to re co v er fro m h ig h -p re ssu re situa tio n s a n d b u ild te a m cam arad erie.

Page 246

As te a m m e m b e rs leave th e team , th e y f o r m p a r t o f a ‘s h a d o w ’ n e tw o rk o f a lu m n i B C M staff th a t can b e called u p o n to assist d u r in g large-scale crisis events, o r w h e re m e m b e rs o f th e p rim a ry B C M te a m are unavailable.

STEP 5: LEVERAGE OTHER FUNCTIONS - DO NOT DO EVERYTHING E stab lish in g p a rtn e rsh ip s an d access to data sources across th e o rg a n isa tio n enables c o n c ise , scalable c o n tin g e n c y a r ra n g e m e n ts a n d resilien t design to b e p rio ritis e d a n d ap p lied to th e m o st critical resources. A m a tu re B C M te a m w ill c o o rd in a te w ith o th e r areas across th e o rg an isatio n , d ra w in g o n th e e x p e rtise fro m su b ject m a tte r ex p e rts. T h e r e m ay b e occasions w h e re lo w -le v e l in c id e n ts can b e swiftly triag e d by c o o rd in a tin g business as usual activities in a staged m a n n e r w ith o u t n e e d in g to en a c t full c o n tin g e n c y plans.

T h e m a in skill o f th e B C M te a m is h o w to q u ic k ly m o b ilise th e r ig h t parts o f th e o rg a n is a tio n th a t are n e e d e d to h e lp in fo rm th e e n te rp ris e v ie w an d c o o rd in a te th e response te a m s’ activities to gain th e m o st efficien t re co v ery o r o u tc o m e .

In p ra ctice, an in te g ra te d B C M capabil ity allows responses to b e m an ag e d c e n trally a n d across each o f th e key en a b lin g d o m ain s: p e o p le , bu ild in g s, system s, c o m m u n ic a tio n s an d security. W h ile a typical response su ch as a b u ild in g ev acu atio n m ay b e c o n s id e re d a p ro p e rty -b a s e d response, an effective e n te rp ris e response c o o r d in a te d b y a B C M te a m w o u ld c o n ta in several facets in clu d in g :

• people: e n s u rin g p e o p le are safe a n d a c c o u n te d for, a n d leave a rra n g e m e n ts i f p e o p le are sen t h o m e o r o n e x te n d e d breaks;

• buildings: b u ild in g recovery, re sto ra tio n o f essential services, e n g a g in g trades;

• systems: sh u ttin g d o w n o r p o w e rin g up site -b a se d I T e q u ip m e n t, re c o v e rin g u ser profile o r data;

• security: e n s u rin g physical se c u rity o f th e b u ild in g , records a n d data; an d

• communications: k e e p in g in fo rm e d affected staff, o th e r staff across th e c o u n try a n d o th e r im p o rta n t stakeholders.

T h e A T O B C M team coordinates all o f these activities across all groups, follow ing ag reed an d scalable prin cip les fo r each en a b lin g d o m ain . All these areas k n o w h o w to re p o rt in to th e cen tral B C M team and th e B C M te a m w ill engage th e v arious subject ex p erts as req u ired . O fte n , th e reg u lar response team s (eg facilities m an ag e m en t) w ith in this area can h andle th e in c id e n t, w ith som e c o o rd in a tio n fro m th e B C M team to g u id e th e sequence, approval o r e x te n t o f th e response activities.

T h e A T O B C M te a m has re m o te an d m o b ile access to m o st o f th e data relied u p o n by these o th e r areas, w h ic h feed in to an organisational, single so u rc e o f tru th . T h e te a m w ill regularly b r i e f all sen io r executives th ro u g h te x t m essage u p d ates a n d th e te a m is re lie d u p o n to p ro v id e th e single, tru s te d e n te rp ris e v ie w o f any in c i d e n t an d its im pact.

F u rth e r exam ples o f h o w th e A T O has in te g ra te d B C M across th e o rg a n isa tio n are h ig h lig h te d below.

Integration into Information Technology Infrastructure Library functions (ITIL) T h e A T O B C M te a m was initially involved in IT in c id e n t m a n a g e m e n t o n ly as p a r t o f its 2 4 - h o u r response a rra n g e m en ts. T h is p a rtn e rsh ip has e x p a n d e d to in c lu d e B C M as th e m ain business re p re sentative to n e g o tia te th e critica lity an d im p acts associated w ith :

• p la n n e d outages (change a n d release m a n a g e m e n t);

Building an effective business continuity team in seven steps

• in p u t in to ro o t cause analysis (problem m an a g e m e n t);

• g o v e rn a n c e o f IT disaster re co v ery test in g scope an d tim efram es; and

• fu tu re p la n n in g (availability, capacity, ev e n t m a n a g e m e n t an d I T service c o n tin u ity ).

In te g r a tin g th e B C M te a m a n d its e n te r p rise v ie w o f c ritic a lity in th e se processes saved u p to 30 staff across v ario u s business areas fr o m p r o v id in g f r a g m e n te d a n d business area specific in p u t in to th ese activities.

Coordination of planned overtime across all sites and functions T h e A T O B C M team co o rd in a tes and n e g o tia te s p la n n e d o v e rtim e across all business areas. T h is allow s I T serv ic e p ro v id e rs a n d b u ild in g c o n tra c to rs to u n d e rta k e w e e k e n d a n d a fte r-h o u rs w o rk s w ith o u t in te r r u p tin g business op eratio n s. T h e se n e g o tia tio n s en su re th a t a b alan ce is ac h iev ed b e tw e e n business areas w o rk in g e x te n d e d h o u rs a n d service p ro v id ers c o n d u c tin g essential m a in te n a n c e .

Corporate oversight of emergency planning and building issues W ith th e A T O lo c a te d in m an y offices w ith v a rie d te n a n c y a rra n g e m e n ts, a B C M te a m m e m b e r w orks closely w ith th e facilities m a n a g e m e n t areas to en su re th e e m e r g e n c y p re p a re d n e ss a n d readiness across all sites. T h is ex ten d s to p ro v id in g oversight o f site-b ased testing, in p u t in to re g u la r b u ild in g w orks, c o n s tru c tio n p r o je c ts a n d risk assessments to en su re v u ln e r abilities are id e n tifie d a n d m itig ate d .

Coordinating external responses to community disasters T h e A T O B C M fra m e w o rk s u p p o rts th e a g e n c y in te rn a lly a n d also creates a p la t f o r m fo r re s p o n d in g q u ic k ly to c o m m u n itie s a ffe c te d b y n a tu ra l disasters.

A u stra lia re g u la rly e x p e rie n c e s n a tu ra l disasters, fro m flo o d in g to b u sh fire s, c y c lo n e s to severe s to rm s. T h e A T O B C M te a m c o o rd in a te s th e re sp o n se fro m re q u ire d areas o f th e A T O . T h is m ay in c lu d e m o b ilis in g a w o rk fo rc e to disas te r-a ffe c te d areas, s u p p o r tin g o th e r a g e n cies th r o u g h w h o l e - o f - g o v e r n m e n t resp o n ses o r assisting w ith p ro c e ssin g e m e r g e n c y p a y m e n t w o rk lo a d s . I f re q u ire d , th e B C M te a m w ill also c o o r d i n a te th e a p p lic a tio n o f a u to m a tic tre a t m e n ts to th e a c c o u n ts o f affe c te d taxpayers, w h ic h d e fe r th e ir im m e d ia te ta x a tio n o b lig a tio n s u n til th e e m e rg e n c y p e r io d has passed.

Working across the Australian public service T h e A T O B C M te a m aligns th e A T O B C M fra m e w o rk w ith w h o le - o f-g o v e r n m e n t disaster activations a n d provides a single o n -c all p o in t o f c o n ta c t fo r all g o v e r n m e n t fo ru m s in clu d in g :

• A u stra lian G o v e r n m e n t C risis C o o r d in a tio n C e n tre ;

• A u stralian G o v e r n m e n t C risis C o o rd in a tio n C o m m itte e ;

• A u stra lian G o v e r n m e n t D isa ste r R e c o v e ry C o m m itte e ; a n d

• N a tio n a l E m e rg e n c y C o n ta c t C e n tre S urge Capability.

T h e A T O B C M te a m c o n tin u e s to c h a ir a cross-agency c o m m u n ity o f p ra c tic e o f 35 C o m m o n w e a lth agencies, to share B C M in fo rm a tio n an d best p ractice. T h e fo ru m is re co g n ised a n d s u p p o rte d b y th e local B usiness C o n tin u ity In s titu te c h a p te r. H ig h -p ro file in d u stry representatives re g u larly a tte n d m e m b e r m eetin g s. T h is g ro u p o f p ra c titio n e rs is re co g n ised as:

• th e p e a k n a tio n a l b o d y o f A ustralian P u b lic S ervice business c o n tin u ity p ra c titio n ers;

Page 248

P o rter

Figure 3 The ATO BCM capability roadmap

• a s o u n d in g b o a rd fo r B usiness C o n tin u ity In stitu te initiatives o r issues, re le v an t to th e p u b lic secto r; an d

• an im p o rta n t c o n su lta tio n m e c h a n ism fo r o n g o in g A ustralian N a tio n a l A u d it O ffice p o lic y d e v e lo p m e n t.

STEP 6: FOCUS ON MATURITY AND RESILIENCE - MAKE IT BULLET-PROOF As an effective B C M fra m e w o rk m atures th r o u g h o n g o in g p ro g r a m m e m a n a g e m e n t, th e re is an in h e re n t o p p o rtu n ity to shift fo c u s fro m c o n tin u ity tow ards resilience. T h is focus o n resilience w ill h e lp m itig a te th e im pacts fro m fu tu re in c i dents. T h is c o u ld in c lu d e ad d itio n al an d specific te stin g to re c o n c ile u n k n o w n s, fo reca stin g likely critical d ec isio n p o in ts a n d special ev e n t readiness.

S ince 20 1 3 , th e A T O ’s B C M fram e w o r k has m a tu r e d a n d so m e cyclical aspects o f th e te a m ’s w o rk have b e e n able to b e p artia lly a u to m a te d . T h is in clu d es u sin g p re -fille d tem p lates an d a u to m a tic n o tific a tio n s fro m a ce n tral database to u p d a te business im p a c t assessm ent in fo r m a tio n . T h is has g e n e ra te d ro o m in th e p ro g ra m m e o f w o r k to allow th e B C M

capability to b e b ro a d e n e d to in c lu d e th e system atic d e fin itio n , m e a s u re m e n t an d im p ro v e m e n t o f resilience (see F igure 3). C o n tin u in g to g en e rate this space w ith in th e B C M p ro g ra m m e fo r fo rw a rd th in k in g has b e e n a significant le arn in g ; it has h e lp e d en su re efficiency a n d played a c r u cial role in c o n tin u a lly p o s itio n in g th e A T O B C M team at th e le a d in g ed g e o f th e discipline.

A re g u la r a n d ro b u st test a n d exercise p ro g ra m m e helps ensure th e effectiveness o f th e A T O B C M fra m e w o rk a n d im p ro v e org an isatio n al resilience. T h e te a m uses a variety o f sim u la tio n m e th o d s in c lu d in g u n a n n o u n c e d a c tiv a tio n s, w a lk th ro u g h s a n d d esk to p exercises. W h e r e applicable, an n u a l b u ild in g evacuations are in c o r p o ra te d in to sim u la tio n events to ad d a d e g re e o f co n tro lle d realism.

A n effective test p ro g ra m m e w ill also in c lu d e e x a m in in g events th a t o c c u rre d o u tsid e th e o rg a n isa tio n o r even overseas, to assess h o w effectively th e o rg a n isa tio n m ig h t be able to re sp o n d i f a sim ilar in c i d e n t affected it in th e fu tu re. F o rm al review s in to significant n a tio n a l events, su ch as R o y a l C o m m issio n s, can p ro v id e valuable ad v ice fo r organisations.

All test a n d exercise events sh o u ld be

Page 249

Building an effective business continuity team in seven steps

re v ie w e d a n d r e p o r te d to th e B C M S te e rin g C o m m itte e . H a v in g all id e n tifie d im p ro v e m e n ts cen trally re g istered enables progress to b e m o n ito r e d an d lo n g e r - te r m initiatives in c o r p o r a te d in to th e B C M te a m ’s fo rw ard w o rk plans.

STEP 7: BEING RESILIENT BY DESIGN - WHERE THINGS TAKE CARE OF THEMSELVES A resilient organisation will have en terp rise system arch itectu re w ith in -b u ilt re d u n dancy th a t ensures w orkflow s can co n tin u e seamlessly d u rin g d isru p tio n events. F or exam ple, this c o u ld in clu d e carrier-level ro u tin g o f p h o n e calls an d w o rk item s, w h ic h lim its th e reliance o n local o r site- based infrastructure. A m atu re B C M capa bility is w ell p o sitio n e d to guide investm ent in those solutions th at su p p o rt th e m o st critical areas o f an organisation.

W ith a m a tu re B C M fram ew o rk an d g ro w in g in te re st in resilience across th e industry, th e A T O B C M te a m d ev e lo p e d an a p p ro ach fo r m e a su rin g an d im p ro v in g o rg a n isa tio n a l re silien c e fo r th e A T O th ro u g h a resilience assessm ent process. T h is in clu d es system atically assessing all c ritica l resources against te n resilience characteristics to id en tify gaps o r v u ln e ra bilities th a t ca n b e addressed th ro u g h strategic projects.

T h e A T O B C M te a m uses th e results fro m critical reso u rce analysis w ork sh o p s to id e n tify v u ln erab ilities an d d e p e n d e n cies o f im p o r ta n t resources across th e o rg a n isa tio n , in c lu d in g p eo p le, buildings, system s a n d suppliers. Several projects have b e e n in itia te d o r d riv en by th e B C M te a m to im p ro v e resilience in clu d in g :

• im p ro v em en ts in u n in te r r u p te d p o w e r supply fo r A T O offices;

• in te g ra tin g resilien t design in to n e w b u ild in g c o n s tru c tio n a n d re fu rb ish - m en ts; an d

• c o - d e s ig n in g h ig h -a v a ila b ility system re q u ire m e n ts a n d p rio ritie s.

To c o m p le m e n t th e increased resilience o f critical resources, th e A T O ’s arc h ite c tu re a n d business design has b e e n increasingly e m b e d d in g resilien t design th ro u g h in itia tives su ch as:

• u sin g n a tio n a l-le v e l system s a rc h ite c tu re, w ith a lo w reliance o n I T systems based in specific offices;

• au to m atically r o u tin g w o r k to sites th a t are available nationally, ra th e r th a n allo c a tin g w o rk m anually; an d

• b e in g able to p e r fo rm any ty p e o f w o rk in any seat in any office.

T h is fo cu s o n re silie n t d esig n m ean s th a t in d iv id u a l sites can b e offline a n d th e w o r k is a u to m a tic a lly r e - r o u te d to o th e r sites th a t are available. P a rt o f th e B C M re sp o n se w ill in c lu d e in c re a sin g cap acity at th e o p e r a tio n a l sites u n til th e fa u lty site is b r o u g h t b a c k o n lin e . T h is ensures th a t th e re sp o n se focuses o n re c o v e ry efforts a n d n o t o n r e - r o u tin g m a n u a lly a llo ca te d w o rk .

W h ile o th e r o rganisations m ay b e g ra p p lin g w ith th e c o n c e p t o f resilience, th e A T O has a v ie w th a t is e m b e d d e d an d w ill c o n tin u e to m atu re. T h e r e is an e m e rg in g o p p o rtu n ity to use an effective B C M capability in o rg an isatio n al design a n d to effectively id e n tify a n d p rio ritis e t o m o r ro w ’s critica l w o rk , n o t ju s t to d a y ’s.

R eference (1) T h e s e in c lu d e d th e r e p o r t o f th e

Q u e e n s la n d F lo o d s C o m m is s io n o f In q u iry , M a rc h , 2 0 1 2 ; 2 0 0 9 V ic to ria n B u sh fires R o y a l C o m m is s io n , J u ly 2 0 1 0 ; C o n n e c t in g G o v e r n m e n t: W h o l e o f G o v e r n m e n t R e s p o n s e s to A u s tra lia ’s P r i o r i t y C h a lle n g e s , D e p a r t m e n t o f C o m m u n ic a tio n s , 2 0 0 4 .

Page 250

Copyright of Journal of Business Continuity & Emergency Planning is the property of Henry Stewart Publications LLP and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.