NDIA’s Business continuity management strategy established during financial year 2017-18

The request was refused by National Disability Insurance Agency.

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA’s business continuity management framework and strategy established in the financial year of 2017-18 as cited in the NDIA’s Annual Report 2017-18 [1]. That includes all policy and procedure underpinning the framework and strategy.

Context:

The NDIA stated that “As a part of the NDIA’s risk management strategy, a robust Business Continuity Management framework has been established and tested, to guide the rapid resumption of participant and provider services and critical business activities. The NDIA is committed to ensuring that, if a significant outage, incident or crisis occurs, participant supports and other critical business functions are continued or quickly restored” after declaring that “The NDIA has identified the risk systems, capabilities and culture needed to align with the scale, speed and rollout of the Scheme. An understanding of risk is embedded in every aspect of the organisation, from business planning processes to day-to-day operations” [1].

The Business Continuity Institute (BCI) and the British Standard 25999 define business continuity as “business continuity is a holistic management process that identifies impacts that threaten an organisation and provides a framework for building resilience and the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities” [2,3]. The definition was expanded to include ‘threats’ [4] and then more specific elements such as ‘security and resilience’ [5] as the British standard was subsumed by the international standards. Experts further recommend “incorporate risk analysis within the business continuity plan (BCP) process and to develop business continuity management (BCM) as a way in which operational and strategic risk management are undertaking with as a stand-alone activity, or as a complementary/integrated element of a broader risk management system” [6]. These definitions, requirements and integration with risk are echoed across a number of related international [11, 12, 13] and Australian standards [7, 8, 9, 10] complemented by information, document and records management [14]. These foundational standards and specifications align with the NDIA’s adoption of the “Prudential Standard CPS 220” [1] which is aligned with the international risk management standard ISO 31000, as prescribed by the Department of Finance [15], adopted by most insurers “as the basis for their risk assessment process” [16]. These standards also align with APRA’s own Prudential Standard CPS 232 Business Continuity Management [17], notwithstanding ISO 31000’s broad adoption by most Australian State Governments [18, 19, 20, 21].

Thank you for your assistance with this request.

Yours faithfully,

Shirley

References:

1. NDIA (2018) Annual Report 2017-18, National Disability Insurance Agency, Australian Government. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [13 Jun 21]
2. BCI (2007) Good Practice Guidelines 2007: A management guide to implementing global good practice in business continuity management, Chapter 2, The Business Continuity Institute. Available at: <http://pds14.egloos.com/pds/200902/22/51...>. Accessed [13 Jun 21]
3. BSI (2006) BS25999-1 Code of practice for business continuity management and BS25999-2 specification for business continuity management, London: British Standards Institute
4. ISO (2012) ISO 22301:2012 - Business Continuity, International Standards Organisation
5. ISO (2019) ISO 22301:2019 - Security and resilience - business continuity management systems
6. Elliot, D., Swartz, E. and Herbane, B. (2010) Business Continuity Management: A crisis management approach, 2nd ed, Routledge, page 130.
7. Australian Standards (2010) AS/NZS 5050:2010 Business continuity - managing disruption - related risk
8. Standards Australia (2004) Standards Australia, Handbook 221–2004, Business Continuity Management Handbook
9. Standards Australia (2006) Standards Australia, Handbook 292–2006, A practitioner’s guide to business continuity management
10. Standards Australia (2006) Standards Australia, Handbook 293–2006, Executive guide to business continuity management
11. ISO (2012) International Organization for Standardization 22301:2012 Societal security—Business continuity management systems—Requirements
12. ISO (2012) International Organization for Standardization 22313:2012 Societal security—Business continuity management systems—Guidance
13. ISO (2013) International Organization for Standardization/International Electrotechnical Commission 27001:2013 Information technology—Security techniques—Information security management systems—Requirements
14. Standards Australia (2001) Australian Standard International Organization for Standardization 15489:2001 Information and documentation—Records Management
15. Comcover (2021) An overview of the risk management process: Comcover information sheet, Department of Finance, Australian Government. Available at: <https://www.finance.gov.au/sites/default...>. Accessed [13 Jun 21]
16. APRA (2017) Risk Management - Thematic Observations, Letter to All Private Health Insurers (PHIs). Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [13 Jun 21]
17. APRA (2016) Prudential Standard CPS 232 Business Continuity. Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [13 Jun 21]
18. Victoria State Government (2016) Victorian government risk management framework: Practice guide. Available at: <https://www.vmia.vic.gov.au/-/media/Inte...>. Accessed [13 Jun 21]
19. The Treasury (2012) Risk Management toolkit for NSW public sector agencies - Volume 1: Guidance for agencies, NSW Government. Available at: <https://www.treasury.nsw.gov.au/sites/de...>. Accessed [13 Jun 21]
20. Department for communities and social inclusion (2009) Risk Management Framework, Government of South Australia. Available at: <https://dhs.sa.gov.au/__data/assets/pdf_...>. Accessed [13 Jun 21]
21. Queensland Treasury (2011) A guide to risk management, Queensland Government. Available at: <https://s3.treasury.qld.gov.au/files/gui...>. Accessed [13 Jun 21]

foi, National Disability Insurance Agency

Thank you for contacting the National Disability Insurance Agency (NDIA).

Freedom of Information

If your message is a request for access to documents under the
Freedom of Information Act 1982 (FOI Act), we will acknowledge it within
14 days of receipt. We may be in touch with you sooner if your request is
too large or vague.

We are committed to processing all requests as quickly as possible. We
will keep in regular contact with you, especially if there's any delay in
making a decision.

Further information about FOI is available on our website:
https://www.ndis.gov.au/about-us/policie...

Please contact us at [NDIA request email] if you have any questions or
require help.

Participant Information Access

If you are an NDIS participant and you are seeking access to your own
personal information, you can make a request online under our Participant
Information Access (PIA) process.

To make a request, please complete our online request form:
https://www.ndis.gov.au/about-us/policie...

Please contact us at [email address] if you have any
questions or require help.

Other enquiries

If your message is for something else, you should direct it to
[email address].

If your message is received outside our business hours of 9am to 5pm
(AEST), Monday to Friday or on a public holiday, we will action it on the
next business day.

If your message is urgent, you can call our National Contact Centre on 1800
800 110.

Warm regards

NDIA FOI Team
Email: [email address]


foi, National Disability Insurance Agency

2 Attachments

Dear Shirley

Thank you for your request for information.

Please find attached correspondence in relation to your request. If you
require the attachment in a different format, please let us know.

We’re sorry to let you know that it will take us longer than expected to
process your request. This is because the material you are requesting
will require multiple consultations and searches with different line
areas.

We are, therefore, writing to seek your agreement to a 30 day extension of
time under section 15AA of the FOI Act. This would make the new due date
12 August 2021.

Please let us know whether you agree by 12:00pm Friday 2 July 2021.

If you don’t agree, we may need to seek an extension from the Office of
Australian Information Commissioner.

Please contact us at [NDIA request email] if you have any questions or
require help.

Kind regards

Freedom of Information Officer
Parliamentary, Ministerial and FOI Branch
Government Division
National Disability Insurance Agency
E: [NDIA request email]

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.


Dear foi,

I agree to the 30 day extension request.

Yours sincerely,

Shirley

National Disability Insurance Agency

2 Attachments

  • attachment.delivery status
  • Re FOI 20 21 0883 Your request for information Acknowledgement and extension of time SEC OFFICIAL.txt

This is the mail system at host righttoknow.org.au.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[NDIA request email]>: delivery temporarily suspended: Host or domain name not
found. Name service error for name=ndis.gov.au type=MX: Host not found, try
again