UNDERSTANDING

Business Continuity Management

2012 VMIA.
The information provided in this document is intended for general use only. VMIA does not warrant the
information in this document and does not accept any liability to any person for information or advice
or the use of such information or advice provided in this document. VMIA encourages the free transfer,
copying and printing of this document if such activities support the purpose and intent for which
this document was developed. This document is protected by and its use subject to the terms and
conditions of VMIAs Copyright Licence.
www.vmia.vic.gov.au Business Continuity GUIDELINES | 1
What is the purpose of this document?
This introductory guide has been compiled to assist those who are new to the concepts of
Business Continuity Management (BCM). The information is not intended to be comprehensive,
however it does provide an insight into business continuity management to assist you to
continue your BCM journey.
A list of suggested reading and VMIAs business continuity management services is available at
the end of this document.This guide is divided into the following sections:
Section 1: Business Continuity Management fundamentals
Section 2: Developing Business Continuity Plans
Section 1: Business Continuity
Management fundamentals
What is Business Continuity Management?
Business Continuity Management (BCM) is a program that aids organisations to prevent and
prepare for disruption events events which prevent an organisation from continuing ordinary
business operations.
At the severe end of the scale these events could be catastrophes or disasters such as earthquakes
or floods, while at the other end disruption might be caused by a key staff member being unavailable
for work or your companys website going down.
While BCM has traditionally focused on the continuity of operations after a crisis or disaster, by
broadening the definition to disruption risk management, it becomes clearer that BCM includes
all forms of risk mitigation, including prevention.
BCM is also a key topic when talking about the concept of organisational resilience, where an
organisation is able to effectively handle changes, challenges and stress.
An important element of BCM is developing effective Business Continuity Plans (BCPs) to enable
organisations to continue key operations during and after a disruption.
BCM can include the following elements:
prevention and mitigation
crisis/incident management
emergency planning and management
business continuity planning.
2 | Business Continuity GUIDELINES www.vmia.vic.gov.au
What are the benefits of a Business Continuity
Management program?
Developing and maintaining business continuity plans are requirements for government agencies.
Beyond compliance, effective BCM can:
Minimise legal liability
Organisations are expected to act reasonably in the event of disasters. Reviews, inquiries and
inquests can shine the spotlight on organisations which do not manage disasters effectively and
can result in significant damage to the organisation and persons involved.
Protect or enhance reputation
Poor responses to crises and emergencies can destroy or impair reputations. On the other hand, an
organisation that responds effectively can improve its reputation.
Help achieve the organisations objectives and goals
A quick return to operations and services can ensure goals are reached and compliance is upheld.
Contributes to organisational resilience
The BCM process and framework can help embed a strong risk-aware and continuous-improvement
culture. It can give the organisation the flexibility to adapt to adverse circumstances. Some characteristics
of resilience might include:
- preparing and training staff for minor and major business disruptions
- enhancing coordination and governance during a disruption
- reducing the cost of operating during a disruption, freeing up resources to focus on opportunities
- protecting public value through the continuation of key services.
Doesnt our insurance cover us for any disruptions
we might face?
Organisations can invest in an Industrial Special Risks (ISR) policy or a similar policy, which includes a
section covering business interruption (BI). It is important to note a material damage event must first
occur resulting in loss or damage to insured assets for the BI cover to apply. You should review your
policy wording to check the details and exclusions to this policy.
An ISR policy can typically cover, over a determined period of time, loss of revenue, increased cost of
working and some administrative costs as a result of a business interruption. However, a large degree
of residual risk may remain and organisations need to look at other forms of risk treatment to manage
disruptions and protect reputation and value.
Some examples of disruption risk treatments include (and this is not exhaustive):
Response, contingency and recovery plans such as emergency response, crisis management and
business continuity plans (including IT disaster recovery, pandemic, security, etc).
Preparedness investments including crisis communication systems, training exercises, emergency
equipment and contingent funds or other resources.
Resilience strategies such as multi-skilling workforce, alternative operational or tactical sites,
reducing bottlenecks and single points of failure and developing a risk aware culture.
Sharing or transferring risk through arrangements or contracts with insurers, third parties or
back-up suppliers.
Section 1: BCM Fundamentals
www.vmia.vic.gov.au Business Continuity GUIDELINES | 3
What is the background for Business Continuity
Management in the Victorian public sector?
In 2004, the State Coordination and Management Council (SC&MC) mandated that all government
agencies have a Business Continuity Plan (BCP) based on the relevant Australian Standard.
In the same year, the Financial Management Compliance Framework (FMCF) established that
agencies should certify there are documented and tested back up, disaster recovery and business
continuity procedures in place that are commensurate with the Public Sector Agencys financial
management needs (Standing Direction, 17, 3.2.2 FMCF).
The Victorian Government Risk Management Framework 2011 (VGRMF) also refers to the need to
integrate emergency management, security and pandemic arrangements with the agencys BCPs.
What is the current status of Business Continuity
Management across the Victorian public sector?
A 2010 VMIA survey of 131 clients provided an insight into the BCM maturity of a diverse range of
organisations. Some of the key observations included:
Plans are in place, but not always comprehensive. Many organisations already had some
plans in place. However, the suite of plans and arrangements were not always complete or integrated.
Limited formalised crisis management arrangements. Only 35% of respondents
stated they had a clearly articulated and current crisis management plan.
Some commitment by senior management. In 66% of cases, BCM activities were
supported by senior management and were a priority for the organisation.
Always room for improvement in business resilience in the VPS. Around 48%
of organisations affected by business interruptions achieved their recovery objectives and 47%
maintained their service levels.
IT Disaster Recovery arrangements can be better aligned with business continuity.
IT disaster recovery plans did not always talk to other business functions when considering continuity
capability and recovery time objectives.
People and culture in BCM. Organisations must understand the risks related to employee
resiliency that could arise in a crisis and address them.
Not enough BCM professionals. More than half (52%) of VMIA clients surveyed do not
have any BCM professionals within the organisation. This was more acute for smaller organisations.
Section 1: BCM Fundamentals
4 | Business Continuity GUIDELINES www.vmia.vic.gov.au
Seven tips to improve your organisations Business
Continuity Management capability
1. Get the Board and Executive to champion your BCM program
2. Refer to available BCM standards and guidelines
3. Agree on a strategy and develop a road map of activities
4. Get your governance structure right and link the emergency, crisis and continuity elements
5. Understand your service and operational priorities to ensure they are protected
6. Develop strategies, including intuitive and practical plans
7. Exercise and test your plans and arrangements regularly (this is critical to maintaining and
improving your BCM capability).
What is the current Australian Standard for
Business Continuity Management?
Standards Australia released AS/NZS 5050 Business Continuity Managing Disruption-Related
Risk Standard in 2010. This replaced Australias previous BCM Standards, HB 221:2004 and HB
292:2006. A new international standard, ISO 22301:2012 Societal Security Business Continuity
Management Systems Requirements, has recently been released and is yet to be published by
Standards Australia. A companion guide to 22301 is planned for release in 2013 (ISO 22312).
The Victorian Government Risk Management Framework (VGRMF) does not mandate certification to
any one Standard. The suite of Standards and guidance materials available generally outline similar
approaches to addressing BCM.
Section 1: BCM Fundamentals
www.vmia.vic.gov.au Business Continuity GUIDELINES | 5
What is the difference between crisis management,
emergency management, business continuity and
disaster recovery?
The following definitions outline the core BCM elements:
Emergency Response (ER) the protection of people, assets and/or the environment following
a disaster or emergency (for example a fire or bomb threat).
Business continuity planning (BCP) analysing the organisation, its critical activities, inter-
dependencies and vulnerabilities, to assist in prioritising key functions and planning strategies to
recover or maintain them in the event of a significant business disruption.
Crisis management (sometimes referred to as incident management) the
governance arrangements and processes that enable an organisation to protect reputation, value,
order, manage media and stakeholders and properly disseminate timely and accurate information. As
well as managing strategic communications and relationships, crisis management arrangements will
oversee and support the response to a major emergency, crisis and/or a significant business disruption.
The crisis management plan is sometimes referred to as a Tier 1 plan or a BCM Plan. Location or
precinct BCPs may be referred to as Tier 2 plans by larger multi-site organisations. Functional BCPs
can sometimes be referred to as Tier 2 or Tier 3 plans if location BCPs are in place.
Business continuity management a management process which provides a framework
for building capability that safeguards the objectives of the organisation, including its obligations,
from business disruptions. This involves managing a disruption before (ie. risk management), during
(ie. emergency response, crisis management and BCPs) and after (BCPs) it occurs.
IT Disaster Recovery (sometimes referred to as Disaster Recovery or DR)
the recovery arrangements for IT and data availability and protection. Information technology and
communication systems are an important resource dependency for organisations generally, but a
subset of BCM (essentially, they are a BCP for the IT functions).
Risk management ISO 31000:2009 defines risk management as the coordinated activities to
direct and control an organisation with regard to risk. This typically involves establishing a framework
to ensure the organisation understands its risk environment and is effectively assessing, treating,
communicating and monitoring its risks. This includes managing all types of risk including, but not
limited to, financial, safety, compliance, operational, strategic and business disruption categories.
The below graphic shows how the response elements (emergency response, crisis management and
BCPs) often interact:
Emergency response plan
Crisis management/
communication plan
Time objective
A
c
t
i
v
i
t
y
Business
recovery plans
A
A
successful
outcome
Source: Workshop 1 Emergency Response, Business continuity management (BCM) workshop, Marsh Technology Conference 2005
Section 1: BCM Fundamentals
6 | Business Continuity GUIDELINES www.vmia.vic.gov.au
What are the critical success factors of a business
continuity program?
There are a number of factors that can help you ensure the success of your organisations BCM
program. Some of these include:
Leadership and commitment. Ensure you have management and board commitment and
your leaders allocate appropriate resources and set the tone at the top for BCM.
Good governance. Ensure the governance structure and command and control arrangements
in a declared business disruption are defined, have the appropriate authority and capacity to make
decisions and escalation processes are clearly understood. These arrangements should be
documented in the crisis or incident management plan and reflected in other ancillary plans.
Integration and alignment. Ensure there is appropriate integration and alignment between
emergency response, incident/crisis management and business continuity arrangements, (including
disaster recovery plans). Also, embed BCM activities such as training or review of plans into
management processes.
Embed in the organisational culture. The business continuity function needs to
understand the organisational culture when developing plans and arrangements to ensure their
effectiveness and staff engagement. Delivery and workshop methods, communication mediums,
terminology and language suitable to the organisational culture should be considered.
Meeting your obligations. When undertaking business continuity planning, consider your
organisations regulatory, contractual or policy requirements, and expectations in a disruption, are
understood and addressed in your plans.
Review, exercise and update. When changes occur in the operating environment, ensure
that your arrangements, assumptions and plans are reviewed for currency and accuracy. Plans may
become outdated, ineffective and require substantial investment to renew if changes occur and
plans are not reviewed in a timely manner. A great way to ensure the continuous improvement of
plans is to embed a regular exercise, testing and audit regime. Exercises also serve to prepare and
train staff.
Learn from experiences. Learn from your organisations experiences as well as from others.
Join BCM forums and networks and review legal, insurance and industry case studies.
Understand interdependencies. Consider where your organisation sits in the supply chain
and how secure and resilient your supply chain is. You will want to be aware of suppliers, clients/
customers, partners and other third parties and address vulnerabilities in your arrangements and
plans. Consider participating with key stakeholders in business continuity exercises, and review
service level agreements or contracts for BCM conditions.
Section 1: BCM Fundamentals
www.vmia.vic.gov.au Business Continuity GUIDELINES | 7
Section 2: Developing Business
Continuity Plans
How do you develop business continuity plans?
There are a number of different standards and guidelines on BCM that describe the process for developing
business continuity plans. Most of the processes outlined are similar although they may differ in the number
and order of some elements of plan development. Essentially, you will need to consider the following steps:
1. Get commitment
and understand
the business
4. Implement
strategies and
document plans
2. Assess critical
functions, impacts,
vulnerabilities and
priorities (BIA) and
risk assessment
6. Exercise, review
and improve
your plans
3. Identify strategies
and (realistic)
response plans
5. Communicate
your plans and
educate your staff
Make and
challenge
assumptions
1. Commitment and preparation
Confirm the commitment from the organisations leaders.
Establish the business continuity policy, plan, governance structure, roles and responsibilities.
Understand your business, in terms of its goals, objectives, culture, people, systems, supply chain
and decision makers.
2. Conduct a business impact analysis and risk assessment
Assess critical functions, impacts, vulnerabilities and priorities
Facilitate a disruption-related risk assessment
3. Identify strategies and (realistic) response plans
Strategies could include suspension of activities, timely recovery, manual workarounds, relocation,
preparation and prevention investments, arrangements with third parties (including insurance),
and resilience strategies.
4. Implement strategies and document plans
Develop accountable action plans
5. Communicate your plans and educate staff
Establish a communication and training plan which is tailored to the needs of different groups
involved in the BCM Program.
8 | Business Continuity GUIDELINES www.vmia.vic.gov.au
6. Exercise, review and improve your plans and arrangements
Develop a BCM testing and exercising regime which is supported by audit and review mechanisms.
Tailor the testing and exercise regime to address the various parts and priorities of the BCM Program.
7. Review assumptions
Throughout the BCM process, identify and review the key assumptions you are making about your
BCM arrangements and plans.
Throughout the process ensure assumptions are assessed, agreed and documented where appropriate.
They will help people understand the scope of the BCPs. For instance, do the plans assume that the
disruption will be limited to a precinct, a facility or part of a facility only? Do plans assume that wireless
or remote internet and phone services will be available? Identify and challenge assumptions as you
develop your plans.
What is a business impact analysis?
The business impact analysis (BIA) enables you to understand your organisations priorities and their
vulnerability to business disruptions. It will show which parts of the organisation will be most affected
by an incident and what effect it will have upon the organisation as a whole. The business impact
analysis process involves the following:
1. Identifying the organisations time-sensitive (often refered to as critical) business functions,
processes, activities or services.
2. Analysing the interdependencies that will influence the recovery times and recovery objectives for
each operation.
For example, a function of the organisation may be processing payroll. This activity is dependent
on people, access to resources and systems. If the IT systems are down, this will impact the
ability of payroll staff to do their work.
3. Determining timeframes or thesholds in which the identified functions should resume, to mitigate
significant consequences and ensure business goals are met.
This can include recovery time objectives (RTO) and the maximum acceptable outages (MAO).
Both maximum acceptable outages and recovery time objectives will need to be approved by
senior management.
To inform the time frames, the organisation should agree on impact criteria and then analyse the
functions against these criteria. Financial impact estimates can be recorded and used to inform
your insurance program.
4. Identifying existing controls and contingencies that mitigate or help manage a disruption
to operations.
For instance, your organisation may already have emergency response and crisis management
plans, IT DRP, redundant patient/office capacity in facility X, back up generators, Emergency
Codes or Critical Hospital Operating Contingencies (healthcare).
The BIA will provide the rationale and cost justification for decisions about risk mitigation and continuity,
including the development of BCPs.
Section 2: Developing business continuity plans
www.vmia.vic.gov.au Business Continuity GUIDELINES | 9
What is MAO and RTO?
There are a number of BCM acronyms and terms used when developing business continuity plans.
Some of the common terms are explained below:
MAO/MTPD: Maximum Acceptable Outage or Maximum Tolerable Period of Disruption. The maximum
acceptable outage is a measure of risk tolerance for each key business function (sometimes referred
to as process, activity or service) which is agreed by the organisation. For example, the organisation
may decide that it cannot allow certain functions to be disrupted for longer than a specified time frame.
In this sense, it assists the organisation to understand its priorities to make informed decisions about
appropriate recovery times and BCM strategies.
RTO/RTE: Recovery Time Objective or Recovery Time Estimate. This is the target time agreed for
recovery of a function. In reality, this should be based on the ability for dependencies to be restored
first or work-arounds arranged to enable the function to continue, such as how long it takes for
relevant IT systems to recover.
RPO Recovery Point Objective generally refers to a point in time when systems and data should
be recovered to after an outage (for example, the end of the previous day). Recovery point objectives
are often used as the basis for the development of IT back-up strategies, and as a determinant of the
amount of data that may need to be recreated after the systems or functions have been recovered.
The risk appetite for data recovery can vary depending on an organisations activities and risk appetite.
For instance, a banks tolerance for losing very recent information may be more acute than other
organisations.
Sometimes the recovery point objective is referred to as the minimum level at which a business
function could still operate. For example, the Finance Department can operate on 50% staff with
access to six workstations. To overcome confusion, this could be called a functions minimum
resource requirement.
Now that I have completed the business impact
analysis, how do I determine what strategies will
be most appropriate?
Once the business impact analysis is complete:
1. Conduct a risk assessment for disruption-related risks to better understand the threat environment
and response needs.
2. Conduct a BCM governance gap analysis to determine what arrangements you will need to make
to develop the BCM program.
For example, are emergency response plans, crisis management arrangements and business
continuity plans developed? Do they cover all of the key elements? Are they up to date? Are they
integrated with one another where necessary, with clearly defined accountabilities, delegated
authorities and decision making procedures?
Section 2: Developing business continuity plans
10 | Business Continuity GUIDELINES www.vmia.vic.gov.au
3. The functions should be prioritised for treatment. This can be achieved by categorising functions
into high, medium or low criticality, informed by their respective maximum acceptable outages.
4. Agree treatment strategies for key operations.
These decisions will be based on ensuring the organisation does not breach its maximum
acceptable outages.
If a recovery time objective exceeds a maximum acceptable outage for any function, you will
need to consider mitigation strategies (for example, investing in more efficient IT disaster
recovery capability) to reduce the recovery time objective to a more acceptable level, or else
re-assess your risk appetite.
For example, a key function is dependent on IT and systems to continue working. After discussions
with your IT Department it is apparent that the desired recovery time objective of four hours outage
does not match the ability of the IT department to restore systems within 24 hours. You will need to
consider investing in technology that will enable the IT systems to be restored in time to support the
business needs.
5. Using the information identified in the business impact analysis and risk assessment, establish the
minimum resource requirements for successful continuity, resumption, recovery and restoration.
Some of the factors that will drive business continuity strategies may include:
What are our disruption objectives? Do we need a particular function to:
- Restore to full/high availability immediately in other words, it cannot fail
- Can we recover it within the maximum acceptable outage?
- Do we suspend optional, non-critical services?
- Can we continue in a diminished capacity for a period of time?
What matters to us most? For example, who are our most critical clients and how do we service
them in a disruption?
What strategies are appropriate for each activity?
Is it worthwile to invest in contingency strategies (such as procuring a back-up generator)
Process transfer or relocation (for example, redirect staff to another facility with access to systems
and appropriate resources)
Temporary/manual workaround (such as shifting to manual processes)
Change, suspend or terminate services
Mutual aid agreement/arrangement (for example use of the facilities of other businesses or
secondary suppliers)
Ensuring business continuity management capabilities of suppliers and partners are effective or
sourcing additional or emergency suppliers
Insurance.
In many cases, intuitive strategies will be your answer, or at least provide a good start. Have a
conversation with the process owners and teams about what they would/could do in a disruption.
Section 2: Developing business continuity plans
www.vmia.vic.gov.au Business Continuity GUIDELINES | 11
What do I need to include in business
continuity plans?
The information below focuses primarily on continuity and recovery plans (BCPs) for business functions,
processes, activities and services, although some information will be relevant for crisis management
(or Tier 1) plans. BCM tools and templates can be found on VMIAs website at www.vmia.vic.gov.au.
There is no one-size-ts-all for developing plans. The style, format and content of business continuity
plans will vary according to the needs and culture of an organisation. One thing to keep in mind is
to keep them practical, realistic and simple where possible. It is also important to remember that no
disaster will occur exactly as anticipated. Ensure there is a good balance between providing enough
guidance and allowing a measure of flexibility to enable operational decision makers to deal with
diverse circumstances.
Some elements you may want to address in your plans:
Document control
Table of contents
Whether it is a business process (eg. department), resourcing function (such as IT, facilities or HR),
location/precinct plan or other
Governance arrangements, including activation procedures
Roles and responsibilities
Maximum acceptable outage, recovery time objective and recovery point objective thresholds
Continuity, recovery, resumption and/or restoration action/guidance checklists
Resources required, including minimum temporary resources until services are fully restored.
In addition you may need to consider:
- People
- Information and data
- Buildings, work environment and associated utilities (ensuring occupational health and safety
requirements are met)
- Facilities, equipment and consumables
- Information technology and communication systems
- Transportation & accommodation
- Finance and delegated authorities
Communication priorities and protocols
Inter-dependencies (for example suppliers or contractors your business depends on, or that depend
on you)
Key assumptions made within the plans
Resources and tools, such as an event log template, or a call tree
Plans should take an all-hazards approach, which focuses on the effects of disruptions on people,
systems, utilities, suppliers, infrastructure and surge in demand rather than every possible scenario.
Section 2: Developing business continuity plans
12 | Business Continuity GUIDELINES www.vmia.vic.gov.au
How do I ensure plans are maintained and current?
Maintaining and updating your plans is critical to ensuring the business continuity management
program is effective. The risk is that all your hard work and investment is put on a shelf and becomes
obsolete or irrelevant, particularly as the organisations profile changes over time.
Along with regular desktop reviews of plans, one of the best ways to review and improve your business
continuity management arrangements is to establish an exercising and testing framework. Exercising
can help identify gaps and improvements and ensure the currency of BCM arrangements. The
framework should establish the exercise type, frequency, scope and accountabilities.
Some of the benefits of using scenario exercises include:
A check to ensure completeness, accuracy, governance arrangements and currency of plans
Determining the feasibility and compatibility of back-up facilities and procedures
Identifying areas in the plan that require modification or enhancement
Engaging and providing training to employees
Demonstrating to internal and external stakeholders your organisations preparedness to respond
and recover
Maintaining organisational visibility of and support for crisis management and business
continuity functions
Providing evidence for business cases to improve business continuity preparation.
For scenario exercises, the scope may depend on how mature your plans are and how prepared your
people are. You will also want to consider the focus of the activity. For example, will you engage your crisis
team or your recovery teams? Will you review response capability or just recovery? Will you exercise
public relations and reputational issues as well as operational issues, and so on.
Exercise focus
Communications
Stakeholders
Response versus recovery
IT data recovery
Organisation specic factors
Format
Live activation
Role-play or group discussion
Role of the facilitator and observers
Use of exercises
(eg. stakeholder mapping)
Storyline
Realism
Known vulnerabilities
Push the boundaries
Informed by previous audits,
exercises, experiences
Assumptions explained
Participants
Use of deputies and observers
CMT and/or recovery teams
Level of information provided to them
Expectations
Section 2: Developing business continuity plans
www.vmia.vic.gov.au Business Continuity GUIDELINES | 13
Maintenance Activity Description
Validation test (eg. call-tree and accuracy
of contacts)
Reviews the accuracy and effectiveness of
communication tools and resources in the event
of a serious business disruption by manually
using the call-tree or confirming contact details.
Desktop review Educates key people about their roles in a
business disruption. The format can include
individual meetings with staff (individually or in
groups) using the plans and/or a presentation.
Desktop scenario exercise Conducted with the crisis or recovery teams,
these exercises review the assumptions made
in business continuity plans and supports staff
to understand and implement their continuity
role when required.
Offsite inventory, back-up verification and
availability of required supplies test
Reviews the condition of the agreed inventory
for business continuity and/or alternate sites.
A check list of items can be reviewed. A
discussion of needs may take place where
staff can identify gaps.
Checking with suppliers or dependencies the
time frames for delivery of materials in the event
of a business disruption can also be reviewed.
Activation of crisis/recovery teams exercise Reviews the readiness and times to activate key
roles in the event of a disruption.
Disaster recovery test Tests the capability of IT and systems to recover
in the event of a disruption.
Full or partial live scenario exercise Assesses how aspects of the business continuity
plans can be effectively implemented in real-time.
Fully integrated exercise A live exercise with removal of access to key
activities or processes, involving key elements of
the business continuity management framework,
including IT disaster recovery, crisis management
and business continuity.
Below is a table listing the various forms of exercises an organisation can employ. Some, such as
validation exercises, can be more frequent than others:
Section 2: Developing business continuity plans
14 | Business Continuity GUIDELINES www.vmia.vic.gov.au
Where can I find out more?
Refer to the various business continuity management standards and guidelines, including:
- AS/NZS 5050:2010 Business continuity managing disruption-related risk
- ISO 22301:2012 Societal security Business continuity management systems requirements
- HB 292:2006 A practitioners guide to business continuity management
- The Good Practice Guidelines, Business Continuity Institute 2010
- Business continuity management Building resilience in public sector entities, Australian National
Audit Office 2009
Keep an eye on our website www.vmia.vic.gov.au for online tools, templates and publications. In
particular, the Guides and Publications section and Business Continuity Management section.
VMIA provides business continuity management learning opportunities through our Client Learning
Program. Our current training program can be found here: www.vmia.vic.gov.au/Client-Training.aspx
There a number of professional bodies and networks that can help connect practitioners and offer
learning experiences. In Australia the key bodies are the British based Business Continuity Institute
and the Continuity Forum Pty Ltd. Social media, such as LinkedIn have professional networks that
allow practitioners to ask questions.
Section 2: Developing business continuity plans
www.vmia.vic.gov.au