Standard Operating Procedure: Business Continuity Plan (BCP) Development

This SOP provides a structured framework for Queensland Government agencies to develop, implement, and maintain a Business Continuity Plan (BCP) aligned with the Queensland Government’s mandate for public sector resilience. Adhering to these guidelines ensures that critical services remain operational or can be rapidly restored during significant disruptions, such as natural disasters, cyber-incidents, or infrastructure failures, in accordance with the Queensland Government Business Continuity Management Policy.

Phase 1: Preparation and Risk Assessment

• Establish a BCP Committee: Appoint a BCP coordinator and identify key stakeholders from IT, HR, Legal, and Facility Management.
• Define Scope: Identify which critical business functions (CBFs) must be preserved to meet statutory obligations.
• Conduct Business Impact Analysis (BIA):
  • Determine the Maximum Tolerable Period of Disruption (MTPD) for each service.
  • Identify Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Map dependencies (personnel, ICT systems, supply chains, and external vendors).
• Risk Profile: Document threats specific to the Queensland context (e.g., cyclones, flooding, or heatwave-induced power outages).

Phase 2: Plan Development and Strategies

• Develop Response Strategies: Document manual workarounds for when digital systems are offline.
• Resource Identification: Catalog emergency contacts, secondary work locations, and alternate IT hardware/cloud instances.
• Communication Protocols: Establish a "Single Source of Truth" communication tree for staff, stakeholders, and the public (utilizing QGov media channels).
• Documentation: Utilize the official QGov template to ensure uniform reporting requirements for departmental oversight.

Phase 3: Testing, Maintenance, and Governance

• Training and Awareness: Conduct biennial workshops for all staff on their roles during an activation.
• Testing/Exercising: Schedule "Tabletop Exercises" annually to simulate a specific threat scenario (e.g., a flood event cutting off office access).
• Review Cycle: Update the BCP at least every 12 months or immediately following any significant organizational restructure or post-incident review.
• Audit Trail: Log all training sessions, plan revisions, and exercise outcomes for accountability reporting to the Executive Management Team.

Pro Tips & Pitfalls

Pro Tips

• Keep it Actionable: BCPs are often too dense. Ensure the first three pages contain a "Grab-and-Go" checklist of immediate actions for incident commanders.
• Leverage Existing Data: Integrate BCP data with your existing Cyber Security framework (ISO 27001 or equivalent) to avoid duplication.
• Off-site Access: Ensure hard copies of the BCP (including contact lists) are stored in an off-site, secure location in case the primary data center is compromised.

Pitfalls

• "Shelfware": Developing a plan and not testing it is a major compliance risk. If it hasn't been exercised, it doesn't work.
• Ignoring ICT Dependency: Assuming that "work from home" is a universal fix. Check if your VPN capacity can handle 100% of the workforce simultaneously during a crisis.
• Assuming Infrastructure Resilience: In Queensland, telecommunications outages during storms are frequent. Relying solely on cellular-based communication is a common point of failure.

Frequently Asked Questions (FAQ)

Q: How often does the Queensland Government require the BCP to be updated? A: Agencies are generally required to review and update their BCP annually or whenever a significant change in business operations, risk profile, or organizational structure occurs.

Q: Does the BCP cover cyber-attacks as well as natural disasters? A: Yes. A robust BCP must be "all-hazards" compliant, encompassing technical disruptions (ransomware, outages) and physical crises (floods, fire).

Q: What is the difference between an RTO and an MTPD? A: The Recovery Time Objective (RTO) is the target duration for restoring a system, while the Maximum Tolerable Period of Disruption (MTPD) is the absolute limit before the consequences of the downtime become unacceptable or irreversible.