UQ Incident Management Procedure

This is the current version of the approved document.

Section 1 - Purpose and Scope

Context

(1) UQ’s operations are dependent on and influenced by many aspects of the university, such as:

  1. A wide and very large scope of activities and services related to both teaching and research.
  2. Multiple campuses.
  3. Off campus activities and services both in Australia and abroad.
  4. Large number of buildings, facilities, research equipment and other infrastructure.
  5. Involvement of many people – staff, students, visitors and wider community.

(2) Given this large scope of influences and dependencies impacting the university’s daily operations, business interruptions are likely to occur from time to time. Disruptive incidents often result in a localised operational disruption only, but sometimes can cause a critical incident when multiple areas are negatively impacted requiring a coordinated response, or in very rare circumstances result in a crisis where a strategic executive response is required.

Purpose & Scope

(3) The purpose of this Procedure is to ensure that the university builds adequate resilience and requisite capabilities to anticipate, prepare, respond, rapidly recover and minimise adverse impact from disruptive incidents, including hard to predict disruptions. It takes into consideration potential impacts of a disruptive incident to people, assets, the local community, the environment and UQ’s reputation.

(4) This Procedure applies to actual or potentially imminent adverse incidents and events impacting on UQ, including its controlled entities.

Objectives

(5) Anticipate threats to UQ’s strategic objectives.

(6) Develop capabilities to prevent, prepare for, promptly respond to and rapidly recover from events that disrupt and threaten UQ.

(7) Empower and develop the capabilities of individual leaders to manage disruption events and threats.

(8) Integrate all levels of incident, risk and disruption management to create a consistent and enterprise wide approach. 

(9) Build on and support existing organisational knowledge, skills and systems to ensure practical adoption of business resilience and critical incident management principles and capabilities.

Section 2 - Process and Key Controls

Incident Management Process

(10) UQ has adopted the PPRR (Prevention, Preparedness, Response, and Recovery) comprehensive approach as the process for managing all phases before, during and after disruptive incidents.

(11) The approach is continuous and all managers must understand and perform their roles and responsibilities related to all four phases of the process.

(12) Please see the attached PPRR diagram for details.

Enterprise Incident Response Structure

(13) UQ has a tiered enterprise incident response structure to ensure an integrated, scalable, enterprise wide and consistent response to disruptive incidents. The structure applies to all university operations and activities.

(14) An incident response can initially be activated from all levels within the response structure (refer to clause 16 diagram below). Once activated, the response structure operates hierarchically.

(15) Managers should understand:

  1. Their individual roles and responsibilities within the structure;
  2. Teams, plans and procedures to be activated at each level; and
  3. Their responsibility to report and/or escalate incidents to the next level above.

Diagram – Enterprise Incident Response Structure

(16) Please see attached diagram

Initial Incident Assessment and Response

(17) Incident assessment is a key component of incident management and ensures the appropriate level of response is activated.

(18) Incident assessment must occur prior to activating a response at any level within the incident response structure.

(19) Incident assessment at UQ is based on a combination of 10 key trigger incidents and critical consequences defined by the UQ Enterprise Risk Matrix.

(20) The Initial Crisis Response Tool for Management guides managers through:

  1. Assessment of trigger incidents;
  2. Assessment of actual or potentially imminent consequences;
  3. Required notifications and escalation of incident; and
  4. Required activation of teams, plans and processes.

Section 3 - Key Requirements

(21) Disruptive incidents push activities from business as usual into the incident management process. This process is driven through three key requirements:

  1. Formation of teams;
  2. Implementation of plans; and
  3. Adherence to response priorities.

Teams

Level 1 - Local Response Teams (LRT)

(22) Responsible for immediate response to incidents to protect people, assets, infrastructure, operations and/or services.

(23) Local response managers are responsible for the direction of their staff and resources.

(24) Utilise emergency response plans, incident response plans, business continuity plans and standard operating procedures to respond.

(25) Report up to relevant senior manager and the University Incident Management Team (if activated).

Level 2 – University Incident Management Team (UIMT)

(26) Responsible for senior management control and coordination over multiple UQ functions and ensures an adequate enterprise wide response to incidents.

(27) Operates under the requirements of the University Incident Management Plan (UIMP).

(28) Reports up to the Crisis Management Team (if activated) and coordinates down through the LRTs.

(29) Team composition is scalable and flexible and determined by the incident response assessment.

(30) See section 7 Appendix for UIMT basic composition.

Level 3 – Crisis Management Team (CMT)

(31) Responsible for providing executive leadership in response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation or viability.

(32) Sets the strategic objectives of the response and recovery.

(33) Communicates with the Senate and is focussed on the medium to long term impacts.

(34) Directs down through the UIMT.

(35) Operates under the requirements of the Crisis Management Plan (CMP).

(36) Team composition is scalable and flexible and determined by the incident response assessment.

(37) See section 7 Appendix for CMT basic composition.

Plans

(38) Plans detail and structure response and recovery actions and tasks. They exist at all levels of the incident response structure and are developed, practised and tested during the preparedness phase.

Plan Hierarchy

(39) Please see attached diagram

Plans within the Incident Management Process are:

| Plan | Objective | Responsibility |
| --- | --- | --- |
| Crisis Management Plan (CMP) | Informs and structures the Vice-Chancellor's Committee (VCC) response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation and/or viability. | The CMP is developed, implemented and maintained by Enterprise Risk on behalf of the COO. |
| University Incident Management Plan (UIMP) | Coordinates and guides the senior management response to incidents that impact more than one university function, critical building and/or essential service. | The UIMP is developed, implemented and maintained by Enterprise Risk on behalf of the Deputy COO. |
| Communications Response Plan (CRP) | Informs and structures timely, consistent and accurate messaging that supports strategic and operational objectives. | The CRP is developed, implemented and maintained by Marketing and Communication (M&C). |
| Local Response Plan (LRP) | Details and structures local and immediate response to protect people, assets, infrastructure, operations and/or services. | LRPs are developed, implemented and maintained by all functions. |
| Business Continuity Plan (BCP) | Details and structures tasks and actions to ensure critical business functions are maintained during and after critical incidents. | BCPs are developed, implemented and maintained by all functions, faculties and institutes. |

(40) Managers should have an understanding of the plans which they are responsible for and where they fit within the response structure.

Response Priorities

(41) During the response to an incident, individuals and teams can quickly become overwhelmed by a complex and dynamic situation. A key principle to overcome these circumstances is to prioritise and execute actions and tasks in order of importance. This ensures an appropriate, methodical and consistent response that creates time and space for managers. UQ has predefined the response priorities which will need to be followed by all managers and teams when responding to all incidents.

| PRIORITY | CONSIDERATIONS |
| --- | --- |
| 1. PEOPLE | Ensure and account for the safety and security of people: students, staff, visitors and the public. |
| 2. ASSETS & OPERATIONS | Contain, control and prevent further damage to or loss of: critical services, facilities and/or utilities and underlying infrastructure (e.g. electricity, water, transport, communications, security systems and/or information and information technology). |
| 3. COMMUNITY & ENVIRONMENT | Contain, control and prevent further harm to: local community and its amenities; environment. |
| 4. LIABILITIES & COMPLIANCE | Assess and determine actual or potential breaches of law, regulations, contract, governance and/or critical licence and/or accreditation. Check for available insurance response options and requirements. |
| 5. REPUTATION & BRAND | Ensure accurate and timely information is provided to key stakeholders and media to ensure their trust and confidence in UQ. |

Section 4 - Roles, Responsibilities and Accountabilities

Columns: ROLE; INCIDENT MANAGEMENT PROCESS PHASE (Prevention, Preparedness, Response, Recovery)
Faculty Executive Manager
• Manage risks in accordance with Enterprise Risk Management Framework
• Inform Insurance Services of any new or changes to activities, assets and/or infrastructure
• Perform Business Impact Analysis
• Develop and implement Business Continuity Plans (BCP) and/or Local Response Plans (as required)
• Annually review, test and/or exercise plans
• Activate Local Response Plans
• Escalate incidents as required
• Represent portfolio in the UIMT
• Inform and consult with Insurance Services to ensure maximum claim outcomes
• Develop and implement recovery plans
• Activate Business Continuity Plans
• Manage incident investigation
• Ascertain and implement lessons learned
• Manage potential regulatory breach with relevant authority
• Review and update plans, teams and risk registers
• Facilitate insurance assessment and claims
Institute Deputy Director
Relevant direct report to DVCs/COO
Executive Dean
 
• Support implementation of BCPs and Local Response Plans (as required)
• Support testing and/or exercise of BCPs and Local Response Plans
• Escalate incidents as required
• Represent faculty/institute in the CMT
• Ascertain and implement lessons learned
Institute Director
DVCs
Executive Director, Marketing and Communication (M&C)
 
• Develop, implement and maintain Communications Response Plan (CRP)
• Annually review, test and/or exercise CRP
• Activate Communications Response Plan
• Represent M&C in the UIMT and/or CMT
• Ascertain and implement lessons learned
• Review and update CRP and team
• Facilitate insurance assessment and claims
Deputy COO
• Support effective adoption of Enterprise Risk Management Framework
• Support implementation of UIMP
• Support testing and/or exercise of UIMT
• Activate the UIMT
• Escalate incidents as required
• Chair the UIMT
• Coordinate UIMT recovery actions and plans
• Delegate responsibility for incident investigation
• Ascertain and implement lessons learned
• Facilitate insurance assessment and claims
COO
Vice-Chancellor
• Support effective adoption of Enterprise Risk Management Framework
• Support testing and/or exercise of CMT
• Activate the CMT
• Chair the CMT
• Ascertain and implement lessons learned
Provost
Governance and Risk Division
• Develop, implement and maintain Enterprise Risk Management Framework
• Ensure adequate insurance program
• Develop, implement & maintain UIMP/CMP
• Annually test and/or exercise UIMT and CMT
• Train use of Incident Management Procedure, CMP and UIMP
• Support UIMT members
• Support the Deputy COO in the UIMT
• Support the COO in the CMT
• Support UIMT/CMT recovery planning and actions
• Coordinate lessons learned process
• Coordinate insurance assessment and claims
• Review insurance coverage

Section 5 - Monitoring, Review and Assurance

Enterprise Risk 

(42) The Enterprise Risk team will conduct an annual review of the effectiveness and implementation of this Procedure and provide a report of findings and recommendations to the Vice-Chancellor's Risk and Compliance Committee (VCRCC).

Section 6 - Recording and Reporting

(43) The following reports on this Procedure will be produced:

| Report Title | Report Content | Report Producer | Report Recipient | Frequency |
| --- | --- | --- | --- | --- |
| Procedure review | Progress and effectiveness of implementation of the Incident Management Procedure throughout UQ. | Enterprise Risk | VCC, VCRCC, USMG | Annual |
| Post Incident Review, Post Exercise Review (includes lessons learned) | Analysis of what happened, why it happened, what worked well, what didn’t work well, and recommendations on how it can be done better. | Enterprise Risk | Crisis Incident: SR&AC. Crisis and University Incidents: VCC, VCRCC, USMG | As required post incident |
| Training and Exercise Logs | Outline of training/exercise conducted. | Enterprise Risk | VCRCC, USMG | As required following the conduct of training and/or exercise |

Section 7 - Appendix

University Incident Management Team (UIMT)

(44) See attached diagram

Crisis Management Team (CMT)

(45) See attached diagram