
1.0   Purpose and Scope

1.1    Context

UQ’s operations are dependent on and influenced by many aspects of the university, such as:

  • A wide and very large scope of activities and services related to both teaching and research.

  • Multiple campuses.

  • Off campus activities and services both in Australia and abroad.

  • Large number of buildings, facilities, research equipment and other infrastructure.

  • Involvement of many people: staff, students, visitors and the wider community.

Given this large scope of influences and dependencies impacting the university’s daily operations, business interruptions are likely to occur from time to time. Disruptive incidents often result only in a localised operational disruption, but can sometimes cause a critical incident, where multiple areas are negatively impacted and a coordinated response is required, or in very rare circumstances result in a crisis, where a strategic executive response is required.

1.2   Purpose & Scope

The purpose of this procedure is to ensure that the university builds adequate resilience and requisite capabilities to anticipate, prepare, respond, rapidly recover and minimise adverse impact from disruptive incidents, including hard to predict disruptions. It takes into consideration potential impacts of a disruptive incident to people, assets, the local community, the environment and UQ’s reputation.

This procedure applies to actual or potentially imminent adverse incidents and events impacting on UQ, including its controlled entities.

1.3   Objectives

  • Anticipate threats to UQ’s strategic objectives.

  • Develop capabilities to prevent, prepare for, promptly respond to and rapidly recover from events that disrupt and threaten UQ.

  • Empower and develop the capabilities of individual leaders to manage disruption events and threats.

  • Integrate all levels of incident, risk and disruption management to create a consistent and enterprise-wide approach.

  • Build on and support existing organisational knowledge, skills and systems to ensure practical adoption of business resilience and critical incident management principles and capabilities.

2.0   Process and Key Controls

2.1   Incident management process

UQ has adopted the PPRR (Prevention, Preparedness, Response, and Recovery) comprehensive approach as the process for managing all phases before, during and after disruptive incidents.

The approach is continuous and all managers must understand and perform their roles and responsibilities related to all four phases of the process.

 

 

2.2   Enterprise incident response structure

UQ has a tiered enterprise incident response structure to ensure an integrated, scalable, enterprise-wide and consistent response to disruptive incidents. The structure applies to all university operations and activities.

An incident response can initially be activated from all levels within the response structure (refer figure below). Once activated the response structure operates hierarchically.

Managers should understand:

  • Their individual roles and responsibilities within the structure.

  • Teams, plans and procedures to be activated at each level.

  • Their responsibility to report and/or escalate incidents to the next level above.

[Figure: Enterprise incident response structure]

2.3   Initial incident assessment and response

Incident assessment is a key component of incident management and ensures the appropriate level of response is activated.

Incident assessment must occur prior to activating a response at any level within the incident response structure.

Incident assessment at UQ is based on a combination of 10 key trigger incidents and critical consequences defined by the UQ Enterprise Risk Matrix.

The Initial Crisis Response Tool for Management guides managers through:

  • Assessment of trigger incidents.

  • Assessment of actual or potentially imminent consequences.

  • Required notifications and escalation of incident.

  • Required activation of teams, plans and processes.

3.0   Key Requirements

Disruptive incidents push activities from business as usual into the incident management process. This process is driven through three key requirements:

  • Formation of teams.

  • Implementation of plans.

  • Adherence to response priorities.

3.1   Teams

Level 1 - Local Response Teams (LRT)

  • Responsible for immediate response to incidents to protect people, assets, infrastructure, operations and/or services.

  • Local response managers are responsible for the direction of their staff and resources.

  • Utilise emergency response plans, incident response plans, business continuity plans and standard operating procedures to respond.

  • Report up to relevant senior manager and the UIMT (if activated).

Level 2 – University Incident Management Team (UIMT)

  • Responsible for senior management control and coordination over multiple UQ functions and ensures an adequate enterprise-wide response to incidents.

  • Operates under the requirements of the University Incident Management Plan (UIMP).

  • Reports up to the Crisis Management Team (if activated) and coordinates down through the LRTs.

  • Team composition is scalable and flexible and determined by the incident response assessment.

  • See appendix 7.1 for UIMT basic composition.

Level 3 – Crisis Management Team (CMT)

  • Responsible for providing executive leadership in response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation or viability.

  • Sets the strategic objectives of the response and recovery.

  • Communicates with the Senate and is focussed on the medium to long term impacts.

  • Directs down through the UIMT.

  • Operates under the requirements of the Crisis Management Plan (CMP).

  • Team composition is scalable and flexible and determined by the incident response assessment.

  • See appendix 7.2 for CMT basic composition.

3.2   Plans

Plans detail and structure response and recovery actions and tasks. They exist at all levels of the incident response structure and are developed, practised and tested during the preparedness phase.

[Figure: Plan hierarchy]

Plans within the Incident Management Process are:

| Plan | Objective | Responsibility |
| --- | --- | --- |
| Crisis Management Plan (CMP) | Informs and structures the VCC response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation and/or viability. | The CMP is developed, implemented and maintained by Enterprise Risk Services on behalf of the COO. |
| University Incident Management Plan (UIMP) | Coordinates and guides the senior management response to incidents that impact more than one university function, critical building and/or essential service. | The UIMP is developed, implemented and maintained by Enterprise Risk Services on behalf of the D/COO. |
| Communications Response Plan (CRP) | Informs and structures timely, consistent and accurate messaging that supports strategic and operational objectives. | The CRP is developed, implemented and maintained by OMC. |
| Local Response Plan (LRP) | Details and structures local and immediate response to protect people, assets, infrastructure, operations and/or services. | LRPs are developed, implemented and maintained by all functions. |
| Business Continuity Plan (BCP) | Details and structures tasks and actions to ensure critical business functions are maintained during and after critical incidents. | BCPs are developed, implemented and maintained by all functions, faculties and institutes. |

Managers should have an understanding of the plans which they are responsible for and where they fit within the response structure.

3.3   Response priorities

During the response to an incident, individuals and teams can quickly become overwhelmed by a complex and dynamic situation. A key principle to overcome these circumstances is to prioritise and execute actions and tasks in order of importance. This ensures an appropriate, methodical and consistent response that creates time and space for managers. UQ has predefined the response priorities which will need to be followed by all managers and teams when responding to all incidents.

| PRIORITY | CONSIDERATIONS |
| --- | --- |
| 1 PEOPLE | Ensure and account for the safety and security of people: students, staff, visitors and the public. |
| 2 ASSETS & OPERATIONS | Contain, control and prevent further damage to or loss of: critical services, facilities and/or utilities and underlying infrastructure (e.g. electricity, water, transport, communications, security systems and/or information and information technology). |
| 3 COMMUNITY & ENVIRONMENT | Contain, control and prevent further harm to: local community and its amenities; environment. |
| 4 LIABILITIES & COMPLIANCE | Assess and determine actual or potential breaches of law, regulations, contract, governance and/or critical licence and/or accreditation. Check for available insurance response options and requirements. |
| 5 REPUTATION & BRAND | Ensure accurate and timely information is provided to key stakeholders and media to ensure their trust and confidence in UQ. |

 

4.0   Roles, Responsibilities and Accountabilities

ROLE

INCIDENT MANAGEMENT PROCESS PHASE

Prevention

Preparedness

Response

Recovery

Faculty Exec Mgr.

  • Manage risks in accordance with Enterprise Risk Management Framework
  • Inform Insurance Services of any new or changes to activities, assets and/or infrastructure
  • Perform Business Impact Analysis
  • Develop and implement Business Continuity Plans (BCP) and/or Local Response Plans (as required)
  • Annually review, test and/or exercise plans
  • Activate Local Response Plans
  • Escalate incidents as required
  • Represent portfolio in the UIMT
  • Inform and consult with Insurance Services to ensure maximum claim outcomes
  • Develop and implement recovery plans
  • Activate Business Continuity Plans
  • Manage incident investigation
  • Ascertain and implement lessons learned
  • Manage potential regulatory breach with relevant authority
  • Review and update plans, teams and risk registers
  • Facilitate insurance assessment and claims

Institute Dep Dir.

Relevant direct report to DVCs/COO

Executive Dean

 

  • Support implementation of BCPs and Local Response Plans (as required)
  • Support testing and/or exercise of BCPs and Local Response Plans
  • Escalate incidents as required
  • Represent faculty/institute in the CMT
  • Ascertain and implement lessons learned

Institute Director

DVCs

Executive Director OMC

 

  • Develop, implement and maintain Communications Response Plan (CRP)
  • Annually review, test and/or exercise CRP
  • Activate Communications Response Plan
  • Represent OMC in the UIMT and/or CMT
  • Ascertain and implement lessons learned
  • Review and update CRP and team
  • Facilitate insurance assessment and claims

Deputy COO

  • Support effective adoption of Enterprise Risk Management Framework
  • Support implementation of UIMP
  • Support testing and/or exercise of UIMT
  • Activate the UIMT
  • Escalate incidents as required
  • Chair the UIMT
  • Coordinate UIMT recovery actions and plans
  • Delegate responsibility for incident investigation
  • Ascertain and implement lessons learned
  • Facilitate insurance assessment and claims

COO

VC

  • Support effective adoption of Enterprise Risk Management Framework
  • Support testing and/or exercise of CMT
  • Activate the CMT
  • Chair the CMT
  • Ascertain and implement lessons learned

Provost

Governance and Risk

  • Develop, implement and maintain Enterprise Risk Management Framework
  • Ensure adequate insurance program
  • Develop, implement & maintain UIMP/CMP
  • Annually test and/or exercise UIMT and CMT
  • Train use of Incident Management Procedure, CMP and UIMP
  • Support UIMT members
  • Support the D/COO in the UIMT
  • Support the COO in the CMT
  • Support UIMT/CMT recovery planning and actions
  • Coordinate lessons learned process
  • Coordinate insurance assessment and claims
  • Review insurance coverage

5.0   Monitoring, Review and Assurance

5.1   Enterprise Risk Services (ERS)

The ERS team will conduct an annual review of the effectiveness and implementation of this procedure and provide a report of findings and recommendations to the VCRCC.

6.0   Recording and Reporting

The following reports on the Incident Management Procedure will be produced:

| Report Title | Report Content | Report Producer | Report Recipient | Frequency |
| --- | --- | --- | --- | --- |
| Procedure review | Progress and effectiveness of implementation of the Incident Management Procedure throughout UQ. | Enterprise Risk Services | VCC, VCRCC, USMG | Annual |
| Post Incident Review; Post Exercise Review (includes lessons learned) | Analysis of what happened, why it happened, what worked well, what didn’t work well, and recommendations on how it can be done better. | Enterprise Risk Services | Crisis Incident: SR&AC. Crisis and University Incidents: VCC, VCRCC, USMG | As required post incident |
| Training and Exercise Logs | Outline of training/exercise conducted. | Enterprise Risk Services | VCRCC, USMG | As required following the conduct of training and/or exercise |

7.0   Appendix

7.1   University Incident Management Team (UIMT)

 

 

7.2   Crisis Management Team (CMT)

 

Custodians
Director, Governance and Risk