Unit of competency details

Release 

Comments 

Release 1

This version first released with BSB07 Business Training Package version 6.0.

Revised unit. Required knowledge updated to incorporate current Australian Standards.

Replaces BSBCON601A Develop and maintain business continuity plans

Element 

Performance Criteria 

Elements describe the essential outcomes of a unit of competency.

Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the required skills and knowledge section and the range statement. Assessment of performance is to be consistent with the evidence guide.

1. Conduct risk and vulnerability assessments

1.1 Identify the relationship between corporate risk  and the organisation’s  business continuity management framework

1.2 Analyse and determine internal and external risk  context by collecting information that relates to the organisation’s priorities, operations and environment

1.3 Analyse and identify potential internal and external sources of disruption to the organisation’s priorities, operations and environment

2. Develop and report on the business impact assessment/s

2.1 Identify the organisation’s critical business functions  and their dependencies  and interdependencies , and analyse and evaluate risks through the business impact assessment/s 

2.2 Develop risk and disruption scenarios through the business impact assessment/s

2.3 Validate risk and disruption scenarios  through the business impact assessment/s

2.4 Analyse, validate and report on the outcomes of the business impact assessment/s to management 

3. Develop, implement and report on risk treatments

3.1 Develop and implement risk treatments

3.2 Participate in risk treatment  review

3.3 Report on risk treatment review to management and relevant appropriate personnel

3.4 Update risk treatment review in line with feedback provided by relevant personnel

4. Determine interdependencies and develop response strategies

4.1 Develop the organisation’s emergency response, continuity and recovery strategies 

4.2 Consult and seek endorsement on the organisation’s emergency response, continuity and recovery strategies from management and other appropriate personnel

4.3 Identify and manage synergies and conflicts in resource  availability and access in conjunction with management

4.4 Coordinate the organisation’s emergency response, continuity and recovery strategies

5. Establish the business continuity plan

5.1 Consult relevant personnel and seek support for the development of the organisation’s business continuity plan/s 

5.2 Ensure content of business continuity plan is comprehensive and meets, where applicable, the requirements of regulations, standards, industry practice and geographical dispersion

5.3 Document and analyse feedback received through consultation and finalise business continuity plan

5.4 Demonstrate accountability for the organisation’s business continuity plan/s

6. Establish the communication plan within the organisation’s planning framework

6.1 Identify stakeholders  and determine objective and scope of communication plan  for periods before, during and after disruptions occur

6.2 Determine organisation’s communication capabilities in line with objectives and scope, and identify gaps and options for meeting shortfalls

6.3 Develop and implement across the organisation, appropriate risk and incident monitoring, reporting and escalation processes

7. Deliver business continuity professional development activities

7.1 Promote the application of the business continuity management framework and plan to all relevant personnel on an ongoing basis

7.2 Provide staff with appropriate information relating to the cyclical review process of the business continuity management plan

7.3 Conduct business continuity management plan exercises  in line with the organisation’s policies and procedures

7.4 Conduct post exercise debriefs, complete post exercise reviews and update business continuity strategies and plans as required

7.5 Manage and record staff learning and development in relation to the business continuity management framework in accordance with organisational requirements, and framework policies and procedures

7.6 Report on the outcomes of staff learning and development, and business continuity framework exercises to relevant personnel

Critical aspects for assessment and evidence required to demonstrate competency in this unit 

Evidence of the following is essential:

• knowledge of the organisation’s overall business continuity framework and how it interrelates with the critical business functions
• development and implementation of a business continuity plan that includes appropriate links to emergency response, disaster recovery plans and detailed continuity and recovery strategies
• effective management of the communication and staff development activities relating to business continuity risk and vulnerability assessment.

Context of and specific resources for assessment 

Assessment must ensure:

• access to workplace business continuity documentation
• access to feedback from teams and management.

Method of assessment 

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

• direct questioning combined with review of portfolios of evidence and third party workplace reports of on-the-job performance by the participant
• work based projects or case studies
• observation of presentations
• oral or written questioning to assess knowledge of business continuity management framework and business continuity plans
• review of documented critical success factors, and goals or objectives for area
• review of risks prioritised for risk treatment and disruption scenarios
• evaluation of business impact assessment
• evaluation of business continuity and communication strategies and plans.

Guidance information for assessment 

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended.

Corporate risk  may include:

• electronic information security
• espionage/commercial confidence/sensitivity breach
• governance
• insolvency
• major fraud
• professional negligence – threat of major legal action against directors.

Organisations  may include:

• commercial enterprises
• community
• government
• non-commercial enterprises
• not-for-profit
• religious organisations.

Risk  may include:

• aeronautical
• armed hold-up
• biological
• chemical
• civil disturbance
• disability/death of key person
• economic
• electronic
• erosion
• explosion
• fire
• fraud
• hazardous materials
• industrial accident
• infrastructure failure
• market failure
• natural disaster
• operational collapse – insolvency
• pandemic
• pollution
• privacy and confidentiality
• radiological/nuclear
• robbery and/or major vandalism
• sabotage
• structure failure
• terrorism
• transport accident
• war
• water
• weather/climate change.

Critical business functions  may include:

• business objectives
• customer service functions
• financial systems
• human resource functions
• management
• OHS
• organisational structure
• payroll
• records management.

Dependencies  may include:

• office furniture
• office supplies
• personnel
• support activities
• systems and applications
• vital records.

Interdependencies  may include:

• communications
• outsourcer and third party suppliers
• power
• sanitation
• security
• transport
• water.

Business impact assessment/s  may include:

• breach/reduction of customer service standards
• cost/impact on existing and/or increased finance
• escalating losses over time
• impact of loss of business/resources
• loss of revenue
• potential fines/penalties/litigation costs
• reputation/brand damage
• statutory/regulatory breaches.

Disruption scenarios  may include:

• damage to/loss of critical infrastructure
• information and intelligence – unavailable
• equipment and other assets – unavailable
• litigation
• loss of access to building
• loss of access to precinct
• loss of access to records and organisational information systems
• loss of building
• loss of communications – voice
• loss of communications – data
• loss of distribution chain
• loss of information technology systems
• loss of number and availability of staff, including key staff
• not meeting legal and business requirements
• partnership dependencies – denial of access to goods and services from suppliers, outsourcers.

Management  may include:

• chief executive officer
• company board
• delegated business continuity management director/officer
• department managers
• directors
• supervisors.

Risk treatment  may include:

• activating evacuation plan
• activating lockdown procedures
• activating workplace emergency management plan
• personnel working from home
• relocation of facilities
• temporarily suspending activities
• transferring activities.

Emergency response strategies  may include:

• contact lists to report incident/s
• documentation/reporting/recording procedures
• evacuation plan
• location of evacuation assembly point
• lock down procedures
• names and responsibilities of wardens
• personnel instructions for evacuation
• process for accounting personnel
• workplace emergency management plan.

Continuity strategies  may include:

• action required to resume critical business activities to pre-disruption capacity
• contact lists of critical personnel and stakeholders
• counselling
• critical business activities and prioritisation of when they can/need to resume
• list of resources
• relocation to alternative worksite
• resource replacement
• treatment for critical business activities.

Recovery strategies  may include:

• customer confidence/relationship management
• damage assessment
• market re-establishment
• process for assessing loss and filing insurance claims
• relocation of business to original location
• salvage and restoration of records, infrastructure and premises.

Resources  may include:

• critical written and/or electronic records
• emergency services
• facilities and/or accommodation
• finances
• information technology infrastructure and applications management
• insurance
• personnel
• plant and equipment
• premises
• telecommunications.

Business continuity plan/s  may include:

• introduction
• organisational details
• objectives
• purpose
• critical business functions
• assumptions
• processes
• activation and stand down
• responsibility
• version control and maintenance
• operational requirements
• critical success factors
• interdependencies
• outage times
• compliance
• people
• structure
• roles and responsibilities
• contact details
• continuity arrangements
• accommodation
• resources
• workarounds and alternate solutions
• continuity management tasks
• communications
• other plans
• checklists
• maps and drawings.

Stakeholders  may include:

• chief executive officer
• company board
• customers
• directors
• families/next-of-kin
• funders
• local community
• media
• personnel
• professional bodies
• shareholders
• relevant government minister/s and department/s
• regulators
• sponsors
• suppliers.

Communication plan  may include:

• accessibility
• assumptions
• audience
• boundaries
• business continuity terminology
• capability
• equipment
• hierarchical organisational chart of internal and external emergency services personnel/delegates
• mode
• monitoring procedures
• radio silence
• reporting and recording procedures
• sensitivities.

Exercises  may include:

• drills
• discussion exercises
• modelling
• planned walkthroughs
• scenario planning and exercising
• simulated exercises
• testing.