Document Feedback - Review and Comment
Step 1 of 4: Comment on Document
How to make a comment?
1. Use this to open a comment box for your chosen Section, Part, Heading or clause.
2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.
3. Do not open more than one comment box at the same time.
4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.
Important Information
During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity. If you do not have JavaScript running you will recieve a message to advise you of the length of time before the time-out. If you have JavaScript enabled, the time-out is lengthy and should not cause difficulty, however you should note the following tips to avoid losing your comments or corrupting your entries:
-
DO NOT jump between web pages/applications while logging comments.
-
DO NOT log comments for more than one document at a time. Complete and submit all comments for one document before commenting on another.
-
DO NOT leave your submission half way through. If you need to take a break, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.
-
DO NOT exit from the interface until you have completed all three stages of the submission process.
(1) This Policy outlines La Trobe University’s (University) commitment to effective management of Critical Incidents and the maintenance of services through business continuity processes. (3) This Policy should be read in conjunction with the Critical Incident Management Framework (CIM Framework). For detailed action plans and related resources, the Critical Incident Team should consult the Crisis Management Plan, which outlines specific procedural steps and provides necessary templates for implementation. These documents ensure a uniform approach in managing Critical Incidents and Business Continuity throughout the University. (4) Disaster Recovery (DR) and Information Services (IS) Incident Response plans are managed by the Chief Information Officer under separate policy documents. (5) This Policy is underpinned by the following guiding principles: (6) The University uses a risk-based incident classification process in alignment with the Risk Assessment Matrix found within the University’s Risk Management Framework. All incidents are classified as Minor (Level 1), Major (Level 2) or Critical (Level 3) to determine the appropriate level of response required to manage incidents effectively. Refer to the table below for further details. (7) The University’s Critical Incident management procedures are outlined in the CIM Framework which support coordinated decision-making through three key phases: (8) The University is committed to building and improving organisational resilience, which enhances its capacity to respond to an unexpected Business Disruption and resume operations in an efficient and orderly manner. (9) Business Continuity requirements will be informed by a Business Impact Analysis (BIA) of the activities undertaken by the relevant Divisions. A BIA is a systematic process to identify and analyse the business activities that must be restored as a priority during a Business Disruption. As part of this process, Divisions are required to determine the target and maximum timeframes to restore each Critical Business Activity. (10) The information gathered through the BIA process will assist Divisions in developing appropriate Business Continuity strategies to maintain or recover the identified Critical Business Activities, within defined timeframes. These strategies and the resources required for implementation should be documented in the Business Continuity Plan (BCP) for the relevant Division. (11) To assist Divisions, the University's BCP template includes examples of specific disruption scenarios, where Divisions are required to document the corresponding recovery strategies for: (12) Continuity of service provision must be adequately addressed for services, infrastructure or any resources provided by third parties through service level agreements or other contractual arrangements in accordance with the assessed level of risk. (13) The Critical Incident Team will determine whether a BCP is to be activated in response to a Critical Incident (Level 3) that has a sustained impact on Critical Business Activities. The Critical Incident Team will maintain primary responsibility for ongoing monitoring and decision-making of the Critical Incident and is responsible for advising and updating stakeholders of Critical Incident response activity. The University’s BCPs can be enacted individually or simultaneously and will be managed by the relevant Division Heads, under the direction of the Critical Incident Team. (14) Disruptive incidents that do not require involvement from the Critical Incident Team (ie, Major Incident (Level 2)), are managed at a local level by the relevant Division through the implementation of their BCP. Consideration must be taken for any other business area that might be impacted. (15) Each Division Head will store a copy of their respective BCP, and the Risk, Audit and Insurance Team will maintain copies of all BCPs. (16) The University's BCP template (other than IS related plans) is developed and maintained by the Risk, Audit and Insurance Team. (17) Regular updates and testing, knowledge development and awareness programs are to be undertaken as required to ensure that key staff are familiar with this Policy, the CIM Framework and the BCPs. (18) For the purpose of this Policy and Procedure: (19) This Policy is made under the La Trobe University Act 2009. (20) Associated information includes: (21) This document aligns with the following standards:Critical Incident and Business Continuity Management Policy
Section 1 - Key Information
Top of Page
Policy Type and Approval Body
Administrative – Vice-Chancellor
Accountable Executive – Policy
Chief Operating Officer
Responsible Manager – Policy
Senior Manager, Risk, Audit and Insurance
Review Date
8 November 2027
Section 2 - Purpose
Section 3 - Scope
Section 4 - Key Decisions
Top of Page
Key Decisions
Role
Declare a Critical Incident and convene the Critical Incident Team.
Chief Operating Officer or nominee
Control the University's strategic response and provide executive decisions and strategic direction relating to Critical Incidents (Level 3), and managing related Business Continuity responses.
Critical Incident Team
Section 5 - Policy Statement
Top of PageSection 6 - Procedures
Part A - Incident Classification
Incident Classification
Description
Responsible
Minor Incident (Level 1)
• has no more than a minor consequence rating in any risk category and little or no potential to escalate; and
• can be resolved satisfactorily through standard procedures and business as usual (BAU) resources.Local management with the support of Emergency Service Operators, Campus Security and Subject Matter Experts (SMEs) as required.
Major Incident (Level 2)
An event or issue that:
• has no more than a moderate consequence rating in any risk category but potential to escalate;
• may not necessarily be resolved satisfactorily by standard procedures and BAU resources; and
• may include a Business Continuity response.Senior management with the support of Emergency Service Operators, Campus Security and SMEs as required.
Critical Incident
(Level 3)A situation with a major or catastrophic consequence rating in any risk category and will be an event or issue that:
• has a long-term or profound effect;
• cannot be controlled through standard procedures and BAU resources;
• needs high levels of resourcing and support to manage, including involvement of the Critical Incident Team; and
• may require a Business Continuity response.Critical Incident Team with the support of Emergency Service Operators, Campus Security and SMEs as required.
Part B - Key Phases
Part C - Buisness Continuity Management
Part D - Training and Testing
Part E - Responsibilities
Top of Page
Key Responsibilities
Role
• Promote this Policy, the CIM Framework and any other procedures and documents relating to Critical Incident and Business Continuity management.
• Ensure members of the Critical Incident Team are aware of their responsibilities by delivering appropriate training.Health and Safety Committee
• Provide central coordination, monitoring and reporting of all University Business Continuity management initiatives.
• Facilitate governance reporting to Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC), as required.Risk, Audit and Insurance Team
Development and ongoing review of the Business Impact Analysis and the Business Continuity Plans within the respective Divisions
Division Heads
Cyber Security Incident Response Plan, IS Business Continuity Plan and IT DR processes
Chief Information Officer
Section 7 - Definitions
Top of PageSection 8 - Authority and Associated Information