As a result, the focus of the plan was on enabling resources rather than critical functions as envisaged by the GOV 11 element of the PSPF and better practice guidance.
However, CASA’s BCP did provide a list of 23 ICT systems and facilities that need to be recovered within 48 hours.
Specific areas for improvement include the need for enhanced oversight and testing of BCM arrangements, as well as the need to adopt a program management approach to BCM in order to facilitate continual review and adjustment.
The ANAO has also considered BCP and disaster recovery planning as part of the interim phase of the audits of financial statements of major general government sector agencies.
The absence of a list of critical functions, and the lack of integration of the arrangements for managing critical functions, introduces the risk that the delivery of key products and services will not be appropriately prioritised and addressed during a disruption.
To better support the management of disruptions, CASA should identify and prioritise critical functions in its BCPs, and detail key dependencies.
As a larger and more diverse entity, DSS took the approach of identifying six Mission Critical Activities and 281 critical functions (requiring recovery within seven days).
CASA has chosen to manage the business continuity of its most time-critical activity separately from its entity-wide BCP.
While CASA’s BCP anticipates having functions and systems operational in alternative locations within 24 hours, it did not identify a list of these critical functions or activities and their key dependencies.
This would involve determining entity priorities for services and assets, particularly in relation to resourcing and the continuation, recovery and/or stand down of functions.
Since January 2010, the audited entities have each experienced a number of business disruptions, ranging in impact from the minor and inconvenient—partial evacuations and all-day outages of critical systems—to the significant—week-long office closures due to weather events including cyclones and floods.
In most cases the entities’ emergency or disaster response arrangements were initiated quickly to provide protection for staff and property; however, in this period Finance was the only entity that had initiated its BCM arrangements in response to disruptions to provide protection for affected critical functions. CASA and DSS managed several significant disruptions in 2011, including the Queensland floods and Cyclone Yasi, without activating business continuity arrangements.