Critical Incident Management Policy

This is the current version of this document.

Section 1 - Background and Purpose

(1) The Policy covers the incident response and disruption management planning and process requirements for all campuses, Divisions, Colleges, Schools and Divisions of the University. Specific policy requirements for the disaster recovery of IT systems and infrastructure are outside of the scope of this Policy.

Preamble

(2) The Procedure covers the requirements for incident response and disruption management planning and procedural requirements for all campuses, Divisions, Colleges, Schools, Divisions and Institutes of the University.

General

(3) The principles of these procedures are that:

  1. Key internal stakeholders are aware of the need to respond appropriately to incidents and to manage any resulting disruption that may occur;
  2. Resources and processes are available and capable of ensuring the continued achievement of the University's key objectives following a critical incident;
  3. Staff are familiar with and trained in their roles under the Critical Incident Management Plan.

Section 2 - Scope

(4) Applies to:

  1. All campuses of the University;
  2. All staff, students, Council members, volunteers and contractors;
  3. All activities that are under the control or direction of the University, whether conducted on or off University property.

Section 3 - Policy Statement

(5) The aim of the Critical Incident Management Policy is to provide a framework for the response to and management of critical incidents. 

(6) Such incidents encompass those that significantly threaten the safety and security of University staff, students, contractors, guests, or visitors; the ongoing performance of the University’s critical business functions; or result in significant adverse impacts on the local community arising from University activities.


Section 4 - Procedure

Framework for Critical Incident Management

(7) The framework is based upon planning and preparedness for the three prime responses following any critical incident:

  1. Emergency response: providing a capability to manage the immediate issues arising from the incident and focusing on the protection of life and property;
  2. Business continuity phase: providing a capability to assist the University to continue to operate its critical business functions; and
  3. Recovery phase: restoring critical business function and infrastructure to a state of routine operation.

Annual Critical Incident Management Cycle requirements

(8) The annual Critical Incident Management Cycle is coordinated by the Risk Management Division and comprises:

  1. Identification and confirmation of key risks contributing to potential critical incidents;
  2. Ensuring specific emergency responses are in place to manage each critical incident;
  3. Confirming responsibilities and accountabilities of members of each of the defined response teams;
  4. Ensuring that a Critical Incident Management Plan is maintained;
  5. Conduct of a business impact analysis covering the University’s critical business functions;
  6. Development and maintenance of Business Continuity Plans (BCPs) providing coverage for each of the University’s critical business functions; and
  7. Review and exercising of plans on an annual basis.

Command Roles

(9) Governance, control and coordination of critical incident management are vested in a hierarchy of response teams, comprising:

  1. Critical Incident Management Team, established at a ‘Gold’ (whole of University), ‘Silver’ (central Bundoora campus command), or ‘Bronze’ level (local command at any other campus), with responsibilities for the overall management and oversight of all plans and responses;
  2. Emergency Response Team, established at each campus with responsibility for the activation and management of the Emergency Response Plan;
  3. Recovery Team, to be established for coordinating the recovery and restoration activities (composition will be dependent upon the nature of the specific recovery requirements); and
  4. Business Continuity Teams, established at College and Division level to manage the implementation of BCPs.

Governance Responsibilities

(10) Corporate Governance, Audit and Risk Committee (CGARC) will approve annually the most current version of the Critical Incident Management Plan. An annual report will be prepared for CGARC providing a review of the current critical incident management capability across the University. Such examination will be based upon a combination of assurance review and exercising of plans and capability.

(11) Suggest change headings (Maj: Responsibilities, Min: Senior Management, RMU, Internal Audit)

Senior Management Responsibilities

(12) Each senior manager, for their respective areas of responsibility, will annually:

  1. Confirm which of its functions constitute a critical business function;
  2. Determine the currency of existing Plans and identify the need for new Plans to be developed;
  3. Nominate a responsible person (BCP Coordinator) who will be tasked with preparing and maintaining Plans to meet local requirements;
  4. Provide to CGARC, through Risk Management, certification (with such caveats as necessary) as to the status of their preparedness.

Risk Management Unit Responsibilities

(13) To:

  1. Co-ordinate the establishment and maintenance of the Critical Incident Management Framework;
  2. Facilitate governance reporting to CGARC;
  3. Provide advice on preparedness and response to the University community.

Internal Audit Responsibilities

(14) Internal Audit will conduct regular reviews of pertinent aspects of the Critical Incident Management Framework as deemed necessary and approved by Corporate Governance, Audit and Risk Committee.


Section 5 - Definitions

(15) For the purpose of this Policy and Procedure:

  1. Critical incident: A situation where the University (or parts thereof) shifts from routine to non-routine operation, in response to an actual or potential incident with high consequences. This is usually typified by the area affected requiring additional (centralised) assistance in its management.
  2. Emergency: An event, actual or imminent, which endangers or threatens to endanger life, property or the environment, and which requires a timely and coordinated response.

Section 6 - Stakeholders

Responsibility for implementation – Critical Incident Management Team; Threat Assessment Team; Emergency Management Team; Emergency Planning Committee.
Responsibility for monitoring implementation and compliance – Corporate Governance, Audit and Risk Committee.