Issuu on Google+

Continuity Forum News

Edition 28: November 2013

Highlights from the Australasian Business Continuity Summit 2013

Over 100 professionals gathered at the seventh annual Australasian Business Continuity Summit – held jointly by Continuity Forum and the Australasian Chapter of the Business Continuity Institute (BCI). The Summit was held on 5-6 June at Luna Park, Sydney. Two workshops were also held on 4 June, followed by the inaugural BCI awards ceremony at Westpac. During the Summit, delegates were engaged in thought-provoking and interactive presentations, delivered by subject matter experts from diverse backgrounds and organisations. The key themes of this year’s summit were Business Continuity Management Lifecycle; Business Continuity Management in Action; Business Continuity Management in Public Sector; and Thought Leadership. Topics included Crisis Management, Crisis Communications, Emergency Response, Organisational Resilience, IT Disaster Management, Risk Management and Security. The Dodgem Cars and Ferris Wheel also proved to be a great way for attendees to interact on the first night of the conference. CONTINUITY FORUM THANKS ALL SPONSORING PARTNERS OF THE SUMMIT. THE EVENT WAS MADE POSSIBLE WITH THANKS TO: Major Partner, CQ Australia ( and iModus ( Associate Partner, riskcloud.NET ( Supporting Partner, IBM Australia ( OTHER SPONSORS Linus Revive ( Mitigator ( RiskLogic ( BC3 ( Continuity and Compliance Management Services (

Australia’s only Business Continuity publication

Continued on page 4

Continuity Forum News is a newsletter for the member organisations of Continuity Forum Pty Ltd. Continuity Forum is an active network of organisations that share an interest in seeing their business continuity and disaster recovery plans are resilient and continually reviewed. MANAGER Linda Nguyen

In this issue of CF News November 2013

Highlights from the Australasian Business Continuity Summit 2013


Member Profile: Herbert Smith Freehills


Occupational Health Safety and Security Incident Management: The Role of BC


EDITOR Amy Steed

Melbourne CBD Safety Plan



Incident Management Principles



MEMBERSHIP QUERIES: EVENT QUERIES: CONTINUITY FORUM PTY LTD PO Box 810 Artarmon NSW 1570 Australia Ph: +61 (0)2 9415 4180 Fax: +61 (0)2 9411 8585

Dear Members, It is a pleasure to launch the digital version of Continuity Forum News! We are pleased to take this positive step, and trust that access to our newsletters will now be more convenient. By switching to a digital format, members will benefit from the convenience of flipping through our newsletters online. This edition touches on the topic of Incident Management and the role of Business Continuity. We thank all of our contributors for providing articles aligned with this theme. Since the last edition of Continuity Forum News, we have had a dozen new organisations join our growing membership network. We look forward to working closely with our new members in the months ahead. Continuity Forum held the Australasian Business Continuity Summit 2013 in partnership with the Australasian Chapter of the Business Continuity Institute on 5 – 6 June at Luna Park Sydney. The highlights of the Summit can be found on pages 1 & 4. Finally, we wish a very warm farewell to our Member Services Officer, Agnes Manlutac. Agnes has been a valued member of the team since 2009 and we wish her all the best for her future endeavours and look forward to seeing where her career takes her. We would like to welcome to our team, our Communications Officer, Amy Steed. She will be the editor of Continuity Forum News and will be collecting contributions for this publication. She can be contacted via email at Kind regards, Linda Nguyen, Manager Continuity Forum Pty Ltd

Sharing knowledge, experience and promoting best practice in business continuity and disaster recovery planning 2

Herbert Smith Freehills is one of

Member Profile

the world’s leading law firms, advising many of the biggest and most ambitious organisations across all major regions of the globe. There are more than 23 offices globally and nearly 5000 partners and staff. The Australian region consists of four offices of 45,000m2 with 180 partners and 1800 staff. Herbert Smith Freehills has a dedicated Business Continuity Consultant for the Australian region with responsibility for maintaining the documentation and registers, training, and coordination of Business Continuity activities. The consultant works closely with the Operations Manager and the IT Infrastructure Manager, with accountability to

the General Counsel and Chief Risk Officer. The Business Continuity Management Operations Team meet monthly to review the capability of Business Continuity position holders, plan system and process upgrades, plan training, and review lessons learned from practice evacuations and any incidents. The Business Continuity Management Executive, consisting of Australian directors, meet quarterly to review the performance of business continuity, direct and suggest action plans for the next period and ensure action is taken for significant initiatives. Even with the full-time, dedicated Business Continuity Consultant position created a few years ago there are still challenges embedding the Business Continuity Plans across the firm. One of these is attaining compliance of 180 owners of the business who prefer to continue focussing on client work rather than participate in BCM exercises.

Australia’s only Business Continuity publication

Strong leadership at the highest level is improving this situation. Another challenge is training of staff and position holders. The consultant found over the years that rather than a blanket approach, targeting training and one on one sessions are required. This is an intensive approach but is needed for the firm to be prepared to protect their client and regulatory obligations if and when an incident occurred. To increase resilience, the primary data centre was recently relocated from within the existing Sydney tenancy into an external dedicated facility. The secondary data centre is at another external location and the core applications can run from either. This will allow continuity of core systems in the remaining offices should one office experience significant disruption. HERBERT SMITH FREEHILLS BUSINESS CONTINUITY FRAMEWORK HAS 2 LAYERS: 1 An overarching structure and processes to maintain Business Continuity on a day to day basis, and to provide mechanisms for continuous improvement and embedding Business Continuity as ‘the way we do things around here’. 2 An activation plans that supports a coordinated response to a business disruption event.


Australasian Business Continuity Summit 2013 4









1 Supporting Partner IBM Australia meets a delegate in the exhibition area 2 Delegates at social function on day one 3 Associate Partner Riskcloud.NET meets with a delegate in the exhibition area 4 Conference delegates on day two

5 6 7 8

Delegates at the conference Delegates at the social dinner on day two Delegates at social function on day one Delegates and sponsors were invited to ride the dodgem cars at Luna Park

Occupational Health Safety and Security Incident Management: The Role of Business Continuity

By Michael Torrance, Lawyer, Norton Rose

At 3:10 pm on Saturday 30 June 2007, a 4x4 vehicle gained unauthorised access to the inner court of the Glasgow international airport, attempting to access the check-in area of the main terminal building.

The vehicle erupted into flames, setting the front of the terminal building alight. Two perpetrators exited the vehicle, one on fire. Both were quickly subdued by police and detained. The fire alarm was activated and the terminal evacuated as it filled with smoke. Local fire departments arrived on the scene to fight the fire within 15 minutes. All fires were extinguished within 30 minutes. All flights were grounded. There were 4500 people evacuated to a local convention centre, where they were interviewed, before being released to go home or to a hotel. By 3:09 pm on Sunday 1 July, 23 hours and 59 minutes after the incident had occurred, the airport terminal was reopened – thanks in large part to the effectiveness of the airport’s business continuity planning and execution in response to the security incident.

Australia’s only Business Continuity publication


BUSINESS CONTINUITY – A CRITICAL PART OF OCCUPATIONAL HEALTH, SAFETY AND SECURITY (OHSS) MANAGEMENT As the Glasgow airport incident illustrates, when a disaster strikes in the form of an OHSS incident, maintaining business continuity may be critical to a company’s survival. Ultimately, business continuity addresses operational vulnerability to the disruptive impact of an incident to commercial operations and contains the commercial, legal and reputational impacts of an OHSS incident. Business continuity is part of a comprehensive approach to OHSS incident response that considers the commercial, legal and reputational aspects of an OHSS incident.

LEGAL DRIVERS FOR BUSINESS CONTINUITY IN OHSS MANAGEMENT In New South Wales, work health and safety (WHS) offences are criminal offences, with possibility of imprisonment for most serious cases and individual fines of $600,000 and $3,000,000 for corporations. The role of business continuity in OHSS management must not to be taken lightly if such penalties and the commercial and reputational risks of inadequate management are to be avoided. The law requires that persons conducting businesses or undertakings (PCBUs) meet their duty to manage “risks to health and safety as far as reasonably practicable”. To meet this standard, responsible persons must weigh up the likelihood of risk; the degree of harm that might result if the risk materialises; what the responsible person concerned knew or ought to have known about risk and eliminating it; the availability of ways to eliminate or minimise the risk, the costs associated with eliminating or minimising risk; and whether such costs are “grossly disproportionate”. There are additional duties for officers of corporations to interrogate OHSS management systems through a process known as “due diligence”, to ensure the system complies with the law and addresses workplace hazards. As the following examples will illustrate, business continuity is critical in meeting legal obligations. A) INCIDENT NOTIFICATION Wherever an OHSS incident involves the death or serious injury or illness of a person, or involves a dangerous incident, there is a duty to notify regulators of the incident. This must be done “immediately after becoming aware that a notifiable incident…has occurred” using the “fastest possible means”, including by telephone or in writing. For such quick notification to occur, business continuity plans must be in place that delineate lines of responsibility and procedures for notifying proper authorities when an incident occurs.

B) DUTY TO PRESERVE INCIDENT SITES Persons with management or control of a workplace where a notifiable incident occurs must ensure so far as reasonably practicable that the site is not disturbed until an inspector arrives or any earlier time that an inspector directs. To ensure this duty is met, and limit commercial consequences, a business continuity plan must be in place providing the resources and training to personnel who can preserve incident sites and continue business despite the restrictions that may be imposed by a worksite.

CONCLUSIONS As the foregoing illustrates, business continuity is an essential component of effective management of OHSS incidents. There is a real and evident imperative for partnership between business continuity managers and their OHSS counterparts – who represent two sides of the same risk management coin for the corporation.

❝There is a real and evident imperative for partnership between business continuity managers and their OHSS counterparts – who represent two sides of the same risk management coin for the corporation.❞ C) EMERGENCY RESPONSE Legislation also requires that emergency plans be prepared for the workplace. Emergency plans must provide emergency procedures, effective response to incidents, evacuation procedures, notification plans, medical treatment, effective communication, and testing, training and instruction on the plan. Such emergency preparedness and planning requirements are a clear manifestation of business continuity planning. D) MAJOR HAZARD FACILITIES Operators of major hazard facilities have the duty to carry out hazard risk and safety assessments, take steps to control risk and develop emergency plans. This includes plans to coordinate with local fire and rescue authorities. Business continuity planning at a major hazard facility is critical to meeting these obligations.


Melbourne CBD Safety Plan

By Christine Drummond

Melbourne enjoys a reputation as one of the safest and most liveable cities in the world. The central city is a dynamic commercial, entertainment, and residential precinct with an average daily population approaching one million people.

The City of Melbourne has an ongoing commitment to provide a safe and secure environment for all people. An important part of this is to be prepared for any emergency. The Emergency Management Act 1986 is currently the core legislation which outlines municipal council responsibilities and obligations in relation to emergencies. Each municipal council must prepare and maintain a Municipal Emergency Management Plan (MEMPlan) and appoint a Municipal Emergency Management Planning Committee (MEMPC). The MEMPlan is the overarching emergency plan for the City of Melbourne which identifies the resources available in the municipal district for emergency prevention, response and recovery and specifies how those resources are to be used. Council employees partner with representatives from response and recovery agencies (such as Victoria Police, Metropolitan Fire Brigade, Ambulance Victoria and Department of Health and Human Services) on the MEMPC. The City of Melbourne has also developed a number of emergency sub-plans to the MEMPlan, including the Melbourne CBD Safety Plan.

Australia’s only Business Continuity publication


The Melbourne CBD Safety Plan is a joint initiative between the City of Melbourne, Victoria Police, Department of Human Services and the Office of the Emergency Services Commissioner. It has been developed in partnership with Victoria’s emergency management agencies, support agencies and stakeholders. Work began on this project in early 2008 and after nearly 18 months of consultative work, the Plan was launched in June 2009. The Melbourne CBD Safety Plan prepares for a wide range of possible significant events from major natural disasters to acts of terrorism. The Plan is an evacuation plan for the city and establishes a framework for a coordinated, multi-agency and community response for the safety of people caught up in an emergency or significant incident. The Plan has an all-hazards focus and manages the short-term safety and/or evacuation of people within the heavily populated central city, Southbank and Dockland areas.

The main objective of the evacuation sub-plan is to facilitate the safe movement of people from an incident, preferably to their own homes. In the likely event that public transport services have been disrupted, people may initially be directed to a Relief Centre where support services and information will be available. The evacuation sub-plan also guides decision and defines roles and responsibilities at each stage of an evacuation. The traffic management sub-plan defines immediate and short-term actions if parts of the central city are evacuated. It identifies Emergency Relief Centres and maps pedestrian movement and emergency service routes. Activation of this sub-plan depends on the location and extent of an event and level of response required. The public transport sub-plan supports the CBD Safety Plan by assisting with exit routes from the city using public transport options, such as trams, trains, buses and taxis. Under this sub-plan, a Public Transport Coordination Group (PTCG) will be established during the emergency to assess and evaluate the public transport options available to support a mass evacuation from the city. Public transport arrangements for incoming and outgoing passengers following a significant incident will also be identified and coordinated. The objectives of the communications sub-plan are to outline and ensure the City of Melbourne can play its role in meeting community needs for information during an emergency. It advocates the provision of a consistent, unified, collaborative multi-agency approach to managing public information during and after an emergency to ensure timely and accurate advice and information is released to the community and media. Media coordination and public information at an incident, including access to sites and safety for media representatives, is the responsibility of the Control Agency (the response agency nominated to control the response activities for a specified type of emergency), with support from Victoria Police as required. Releasing information

The Melbourne CBD Safety Plan provides a high level overview for the community and government and is supported by five operational sub-plans: 1 Evacuation 2 Traffic Management 3 Public Transport 4 Communications and Public Information 5 Relief and Recovery The sub-plans and standard operating procedures have been prepared by each responsible agency in partnership with the relevant emergency management organisations. The following agencies took the lead role in the preparation of the operational sub-plans: 1 Evacuation – Victoria Police 2 Traffic Management – Victoria Police 3 Public Transport – Department of Transport 4 Communications and Public Information – City of Melbourne in partnership with Emergency Management Joint Public Information Committee (EMJPIC) 5 Relief and Recovery – City of Melbourne

during an emergency is the responsibility of the Control Agency in conjunction with the EMJPIC and City of Melbourne. The relief centre sub-plan details the actions to be taken to activate and operate one or more of the Emergency Relief Centres following the decision to mass evacuate a sector of the city. Four venues within the central city have been identified as suitable for the temporary management of a large number of evacuated people: ➽ Etihad Stadium ➽ Melbourne Cricket Ground ➽ Melbourne Convention Exhibition Centre ➽ Melbourne Museum It is important to note that the plan does not exist in isolation, but complements existing emergency management plans and obligations within the community. The plan assumes that: ➽ emergency management arrangements in place adequately address State responsibilities in relation to prevention, planning, response and recovery; ➽ all buildings in the central city have in place an accurate and practiced Fire and Emergency Plan;

➽ residents of the central city have prepared their own safety arrangements and have practical ideas on what to do in case of an emergency; ➽ organisations have in place business continuity arrangements should they need to maintain critical deliverables; ➽ that a mass evacuation is scalable based on the incident; ➽ that the central city in its entirety will not be evacuated; and ➽ only a percentage of people evacuated will attend an emergency relief centre and require assistance. The majority of people will be able to self-evacuate without emergency services assistance. The City of Melbourne is responsible for maintaining the CBD Safety Plan and twice a year the City of Melbourne CBD Stakeholder Reference Group (comprising of emergency management agency representatives under a joint chair of the City of Melbourne and Victoria Police) meets to review the plan and sub-plans to ensure they are up to date. Overall the key objective of the CBD Safety Plan is to ensure the community is resilient, informed and able to leave the city quickly and safely should the need arise.

The Melbourne CBD Safety Plan is publicly available on the City of Melbourne website at


Overcoming the challenges of effective Incident Management By Agnes Manlutac, Member Services Officer, Continuity Forum Pty Ltd

Continuity Forum recently undertook some research in order to find out more information about the principles of Incident Management. By interviewing our members, we were able to uncover a couple of challenges faced by organisations when managing emergencies and major incidents and how to overcome them.

Challenge 1 Can we effectively manage an emergency incident, without properly exercising and rehearsing emergency scenarios or defining criteria?

Recommendations, from members of Continuity Forum, show us that emergency incidents will test people in the most challenging of ways. Due to the unpredictable nature of emergency incidents, organisations should consider implementing more flexible frameworks and criteria, rather than prescriptive checklists or rigid plans, in order to adapt and survive. In the interests of protecting the organisation, it is essential that there is a proper method for escalating information before the time comes to declare an emergency. Our members recommend running regular exercises as ways of improving staff awareness before an actual incident occurs. Running an exercise can also identify gaps within the processes and leads to more effective communication. Often incident management and business continuity planning are viewed as simply “plans”. Emergencies are not planned events and incident management planning should be viewed as a capability that affects the structure, communication and safety of staff.

SUGGESTED OUTCOME A proper understanding of incident management can break the perceptions ingrained in the minds of people. The seriousness and complexities they could face become more apparent as a result of the rehearsal exercise.

Challenge 2 Are solid processes and business continuity plans worth the trouble or is there a better of way of managing these situations?

A way of answering this is to consider an organisation’s resiliency. Realistically, if an organisation has reached a strong level of resilience, plans and processes do not necessarily need to be followed step by step. Over time, a resilient organisation can rely on an existing culture within the workplace where everyone is aware of what needs to be done in the event of a disruption or emergency incident. SUGGESTED OUTCOME To reach this level, organisations should view plans, documents and procedures as a blueprint or GPS, to reach a destination of resilience. The right teams, with proper practice and knowledge, can help steer the organisation through any major incident.

CONCLUSION From the discussions with members it has become clear that incident management requires an understanding that emergencies cannot be planned. Instead, businesses should incorporate clear yet flexible incident management frameworks into their overall business continuity plans.

Australia’s only Business Continuity publication


Thank you Continuity Forum wishes to thank its members who contributed to this edition of Continuity Forum News. For future submissions or story ideas, please email Amy Steed at or call 02 9415 4180.

Australia’s only Business Continuity publication


Continuity Forum News, Edition 28 November