Learning from the Victoria State Government’s Business Continuity Audit

  • 24 Oct 2022

A failure to prepare for long-term disruption

In 2020, the state of Victoria broke records. Its largest city, Melbourne, underwent a 100-plus-day lockdown to quell COVID transmissions.

How did State Government entities prepare for the pandemic scenario in the wake of a historic peacetime disruption? The State set out to learn, commissioning an Audit of business continuity measures before, during, and after.

Audit findings made headlines. No doubt because it found State Government departments’ business continuity arrangements inadequate. Responses to restoring and maintaining prioritized services were also deemed reactive.

Specifically called out was a failure to plan and prepare suitably for a long-term disruption to services.

Not like the specific pandemic threat wasn’t considered. In fact, the State Significant Risk Interdepartmental Committee (Risk IDC) rated the pandemic scenario a “likely” risk to occur with “severe” consequences likely to happen.

What’s more, tests of business continuity planning arrangements found glaring weaknesses before the pandemic hit. However, many of those weaknesses weren’t addressed in time.

Major gaps found in business continuity planning

What does the Audit suggest things went wrong? Although departments had mitigation strategies in place, the Audit found them either to be of dubious quality or poorly implemented. For instance, one department was called out for having focused almost exclusively on emergency response (i.e., protecting life, assets, and the environment) at the price of the continuity of prioritized services.

That’s not all.

As noted, departments didn’t plan sufficiently for such a large-scale, complex disruption. Developing appropriate business continuity plans (BCPs) was part of the problem. BCPs only provided mitigations for localized, short-term disruptions of less than two weeks not the extensive crisis that came.

There were other reasons that the BCPs that existed were deemed inadequate. Many failed to adhere to best practice, i.e., focused, concise, specific, and easy to use.

Instead, BCPs were duplicative, included unnecessary information, which reduced confidence from staffers. And though staffers themselves were deemed competent, the departmental plans they were working off of were found to be difficult to understand and maintain.

Other issues the Audit raised with BCPs were: 

  • Not reviewed or updated on a regular basis
  • Lacking activation criteria
  • Lacking full detail about their scope, purpose, objectives, or dependencies.

Major gaps in business impact analysis

BCPs weren’t the only business continuity arrangements found out of adherence to international standards.

Many departmental business impact analyses (BIAs) did not fully assess the impact that a disruption might have on their services.

Nor did BIAs fully consider minimum resource requirements and the internal and external suppliers that their services need to run, all gaps which can impact how effectively departments respond and maintain prioritized services during a disruption.

Why’s that? The Audit found that departments hadn’t undertaken sufficient work to collate services and assets relative to organizational priorities.

Digital transformation to uplevel business continuity arrangements

What then can other organizations, public sector or private, do to prepare for a major disruption? The Audit notes that the pandemic itself had created opportunities for organizations and agencies to make positive change.

Indeed, the pandemic served to accelerate digital transformation, enabling organizations to adopt more efficient processes in performing business continuity tasks.

Though not singled out directly, pragmatic business continuity software can help organizations of all stripes make the most of the COVID recovery by becoming better prepared for next time. Here’s how such platforms can address lapses identified by the Audit:

  • The Audit found that departmental BIAs did not fully assess the impact that a disruption might have on departmental services. Furthermore, BCPs were largely focused on localized short-term disruptions of less than two weeks. With pragmatic business continuity software, organizations can easily create an impact assessment for multiple types of impacts for each prioritized activity within a BIA, including the impact of disruptions over multiple time periods, not just shorter-term disruptions.
  • The Audit found that departments failed to consider all minimum resources requirements and the internal and external suppliers that their services need to run. Pragmatic business continuity software highlights if a prioritized activity has key staff dependencies, as well as the business-as-usual headcount required, the number of staff required for the minimum business continuity objective, whether the staff dependency is a single point of failure, in addition to recording staff members who are essential to complete the activity.
    What’s more, with pragmatic business continuity software, organizations can create and manage lists of dependencies, including internal and external suppliers. It’s also easy to add these to prioritized activities, as well as recording if there are any dependencies on other prioritized activities.
  • The Audit found that departments had inadequate recovery strategies. With pragmatic business continuity software, each recovery strategy gets an efficacy rating and testing status. Recovery strategies also follow an automated approval process, so organizations can ensure that their recovery strategies are reviewed, approved, and always tested.

In addition, by collecting and aggregating data, pragmatic business continuity software highlights any critical activities, processes, assets, and resources lacking recovery strategies, or untested recovery strategies that put your business at risk.

Finally, as important as post-mortems are to business recovery, they aren’t the end of the story. Audits, such as that performed by Victoria’s State Government, provide organizations a list of recommendations. Implementing those recommendations are just as crucial to business recovery.

Here, accelerating digital transformation with pragmatic business continuity management software is key to upleveling business preparedness and maintaining business resilience.

These digital solutions don’t just follow best practice, either; they bring best practice to life, driving continuous improvement. As a result, organizations who procure them can scale up business continuity arrangements to any incident – no matter how complex or disruptive – and back down to business as usual as quickly as possible.

Interested in learning more about the Victorian Government Business Continuity Audit and key takeaways? Check out the full guide from BCI Corporate Partner, Noggin, here: Download the free guide.

More on