Business Continuity Management Policy and Plan
Contents

1.0 Introduction
2.0 Purpose
3.0 Definitions
4.0 Roles, Duties & Responsibilities
4.1 Legal And Statutory Duties, Responsibilities And Guidance
4.2 Specific Duties And Responsibilities Within The CCG
5.0 Business Continuity Management Plan
6.0 Initiating The Plan
6.1 Causes Of Service Interruption
6.2 Activating The Plan
7.0 Record Keeping
8.0 Communication
9.0 Training Requirements
8.0 Implementation, Monitoring And Review
9.0 Documentation

Appendices
Appendix 1 Business Continuity Management Plan Template
Appendix 2 Business Continuity Action Plan
Appendix 3 Crisis Response Team Notes Template

1. INTRODUCTION

Business Continuity Management (BCM) is a statutory requirement for NHS West Lancashire Clinical Commissioning Group (CCG) to undertake. The Civil Contingencies Act 2004 and the NHS Emergency Planning Guidance 2005 require the CCG to have a Business Continuity Management Policy (BCMP) to ensure that, in the event of a significant service interruption, critical day-to-day functions can be maintained whilst timely recovery and restoration of key services, systems and processes is also achieved.

It is the policy of the CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to maintain essential services and restore normal services as soon as possible in the circumstances prevailing at the time.

This Business Continuity Management (BCM) Policy aims to introduce the concept of BCM to the CCG.

Alongside ensuring business continuity, the CCG has to ensure emergency preparedness as a Category 2 responder. The CCG’s main role will be to support Category 1 responders (main NHS providers, which require an escalation route to their commissioners, and NHS England, which may require support from CCGs). Details of the CCG’s emergency preparedness can be found in the major incident plan.

2. PURPOSE

This Policy sets out the general principles and corporate framework for the creation and revision of the Business Continuity Management Plan relevant to the business activities of the CCG. These will be formulated in accordance with the strategic objectives for the CCG in place from time to time.

This document aims to ensure that all business continuity processes carried out by the CCG are executed in an agreed and controlled manner.

The business continuity management procedures described are separate from, but may operate in conjunction with, the Major Incident Response Plan in times of emergency or serious incident as per the definitions in the Major Incident Response Plan. They may also operate in conjunction with the CCG’s Risk Management processes in place from time to time.

In the event of service interruption, this policy sets out the framework for the CCG to:

• Manage and maintain the continuation of critical, core functions and services
• Manage the recovery and restoration of normal functions and services.

3. DEFINITIONS

The following definitions apply to terms used in this Policy, in accordance with BS 25999-1:2006:

Activity: Processes or sets of processes undertaken by the CCG, or on behalf of the CCG, that support delivery of services.

Business As Usual: Pre-defined acceptable levels of service delivery.

Business Continuity Management (BCM): Process to identify potential threats, assess the impact of those threats on the CCG, and build a framework to support CCG resilience to those threats, including protecting patients’ and stakeholders’ interests and achieving strategic objectives. Includes strategic and tactical capability of the CCG to plan for and respond to business interruptions in order to support continued delivery of ‘business as usual’.

Critical Activities: Those activities carried out by the CCG which are most time-sensitive and important for ensured continued delivery.
These will be mainly those services essential for immediate life and death of patients. These activities will typically suffer if delayed by more than one hour.

Disruption: Any event, planned or unplanned, which causes an interruption to the CCG’s ability to continue business as usual.

Essential Activities: Those activities carried out by the CCG which are sensitive and important, but not critical to life and death of patients. These activities will normally suffer if delayed by more than one day.

Major Incident: An event classified as a major incident according to the CCG Major Incident Response Plan.

Non-Urgent Activities: Those activities carried out by the CCG which can be postponed or delayed most easily. These activities will begin to suffer if delayed by more than one month.

Routine Activities: Those activities carried out by the CCG which support business delivery on a daily basis and are not critical or essential. These activities will typically start to suffer if delayed by more than one week.

Service Recovery: The process through which business as usual is reached, following an interruption or disruption event.

4. ROLES, DUTIES & RESPONSIBILITIES

4.1 Legal and Statutory duties, responsibilities and guidance

The following general (Statutory) duties apply:

1. The Civil Contingencies Act 2004 places a duty on CCGs to have business continuity plans in place to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions. The CCA definition of an emergency is as follows: An event or situation which threatens serious damage to human welfare in a place in the UK, the environment of a place in the UK, or war or terrorism which threatens serious damage to the security of the UK.
2. Healthcare Standards require the organisation to be able to continue essential routine work during an incident or emergency situation and to provide essential supplies, with documented procedures for procuring additional or alternative supplies.
3. British Standard 25999-1:2006 gives guidance for establishing a Business Continuity Plan and Process within an organisation and this policy is written accordingly.

4.2 Specific duties and responsibilities within the CCG

The following specific duties and responsibilities apply within the CCG:

a) Accountable Officer (AO): The AO has overall statutory responsibility for the strategic and operational management of the CCG, including ensuring that the CCG has in place robust arrangements for business continuity management and service recovery.

b) CCG Governing Body: The CCG Governing Body is responsible for setting the strategic context in which business continuity and service recovery procedures are developed, and for the formal review and approval of this Policy. The Governing Body is also responsible for determining the accepted levels of ‘business as usual’, through monitoring service delivery and approving suggested developments. Through the commissioning and contract monitoring processes, the Governing Body is responsible for gaining assurance that providers commissioned by the CCG have adequate BCM systems and processes in place to ensure service continuity.

c) Head of Corporate Affairs: The Head of Corporate Affairs is responsible for ensuring that business continuity management plans to support the core business functions are completed and updated as necessary.
d) CCG Senior Managers (Deputy Chief Officer, Senior Operating Officer and Chief Finance Officer) will:

• Ensure that their element of the BCM plan is reviewed at six monthly intervals and updated as necessary to maintain good quality control of document information
• Notify any BCM plan revisions to the Head of Corporate Affairs
• Support business continuity awareness and acceptance amongst staff and ensure that all of their staff are aware of their responsibilities within the BCM plan
• Encourage and participate in training or exercises.

e) Public Health Lancashire will, via a memorandum of understanding with the CCG, ensure that adequately tested emergency plans are in place to protect the health of the NHS West Lancashire CCG population from threats ranging from relatively minor disease outbreaks to full-scale public health emergencies and will ensure that NHS West Lancashire CCG has access to, and is briefed on, relevant emergency plans. The Head of Corporate Affairs will liaise with Public Health Lancashire.

f) All CCG Staff: All staff are responsible for co-operating with the implementation of this Policy and any relevant plans as part of their normal duties and responsibilities.

5. BUSINESS CONTINUITY PLANS

The BCM plan will be written in accordance with the template attached to this policy (appendix 1). As the CCG is a small organisation, an overarching plan will be developed that covers all work areas, with exceptions for any work area highlighted. The BCM Action Plan is at appendix 2. The CCG senior manager leading that work area will be responsible for ensuring any exceptions relating to their work area are communicated to the Head of Corporate Affairs.

The anticipated outcomes of completing the template and thus building the Business Continuity Management Plan include:

1. Identification of critical, essential, routine and non-urgent activities of the CCG
2. Prioritising delivery of those activities in response to a disruption
3. Minimising the effects of any disruption and allowing return to business as usual as fast as possible
4. Increased staff awareness of BCM principles and processes
5. Supporting the achievement of CCG strategic objectives and associated action plans
6. Ensuring legal compliance with planning obligations
7. Informing a response process which is flexible to meet changes in service delivery of the CCG

As BCM plans are developed, the BCM policy may be adjusted as and when agreed by the CCG Governing Body to reflect the development of this strategy.

6. INITIATING THE PLANS

The Business Continuity Management Plan will be initiated when any disruption to service delivery is experienced.

6.1 Causes of Service Interruption

There are many and varied possible causes of service disruption. As a general guide, service continuity planning should be carried out to minimise the effects of a number of potentially disruptive events:

• Major accident or incident, national disaster, epidemic, terrorist attack
• Fire, flood, extreme weather conditions
• Loss of utilities, including IT and telephone systems
• Major disruption to staffing; epidemic, transport disruption, industrial action, inability to recruit; mass resignations (e.g. lottery syndicate).

It should be borne in mind that these events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get to work.

A cause of a service disruption event may also become an internal major incident for the CCG and invoke the CCG’s Major Incident Response Plan. In this event, the BCM plans should be carried out simultaneously with the response to the major incident, as far as is possible.

6.2 Plan activation

The senior manager in the work area concerned will decide, in discussion with other senior managers and either the Chief Officer or Chief Finance Officer, whether the plan or any part of it should be activated using the process in the following flowchart.
Out of hours the decision will be made by the on-call manager.

Once the plan is activated the incident will be managed by the senior manager of the work area in which the incident occurred. The senior manager has responsibility for convening the crisis response team to ensure that essential services are maintained and that recovery plans are put into place. The crisis response team membership is at the discretion of the senior manager as each incident is different, but at a minimum the team must include another senior manager, a governing body member (usually the Chief Officer or Chief Finance Officer), the Head of Corporate Affairs and a Communications Manager.

Anyone called to attend the crisis response team by the senior manager must attend. There are no exceptions.

Records of all decisions and actions taken by the crisis response team will be made. See appendix 3 for the crisis response team notes template.

Process plan for activation

1. Crisis occurs (emergency plan may already be in action)
2. Consider if crisis able to be contained within usual resources
   Yes: No further action at this stage
   No: Discuss with CO or CFO and agree that business continuity plan should be activated
3. Notify staff and any service or other organisation/stakeholder that may be affected
4. Set up crisis recovery team
5. Initiate business continuity plan
6. Progress and any further developments to be assessed daily as a minimum. It may need to be more frequent.

7. RECORD KEEPING

Good record keeping is paramount if the BCM plan is initiated. The senior manager leading the crisis is responsible for ensuring that accurate records are kept of all decisions and actions taken in their area of work once the BCM plan is initiated. This includes the crisis recovery team record keeping – see appendix 3.

All records created during the implementation of the BCM plan will be kept by the Head of Corporate Affairs. These records will be stored in line with the CCG’s Record Management Policy.

8. COMMUNICATIONS

Good communication is essential at a time of crisis. A communication plan will be developed to ensure there are appropriate statements for internal and external communication and processes for ensuring communication to all CCG staff in the event of an emergency.

7. TRAINING REQUIREMENTS

All Governing Body members and senior managers need to be aware of the contents of this policy, and ensure that they are acquainted with the CCG’s Business Continuity Plan and have access to the appropriate templates.

The Head of Corporate Affairs will, on request, provide support, assistance and advice, including instruction in the application of the process and use of the templates. Public Health Lancashire are also available to adequately test emergency plans and to provide briefings on relevant emergency plans.

8. IMPLEMENTATION, MONITORING AND REVIEW

The Head of Corporate Affairs is responsible for ensuring that this document is reviewed, and, if necessary, revised in the light of legislative, guidance or organisational change. Review shall be at intervals of no greater than 6 months; this can be undertaken at team meetings.

A full test of the Business Continuity Management Plan will be undertaken yearly. All senior managers will be expected to take part in these exercises. A cold debriefing session will take place following the exercise to establish if any changes need to be made as a result of the exercise. Senior managers will be asked to review their Business Continuity Management Plan at this stage and submit to the Head of Corporate Affairs to co-ordinate the CCG’s overall plans.

9. ASSOCIATED DOCUMENTATION

This document is separate from but complementary to:

1. The CCG Major Incident Response Plan
2. Risk Management Strategy

Appendix 1
Business Continuity Plan – Template

Priority for the Restoration of Services

1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an essential service/function
2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band
3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not prevent provision of an essential service/function
4. Important: Within 3 days – Will affect services without causing danger to patients
5. Necessary: Within 7 days – Minor disruption to services
6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience
7. Non-Urgent: Within 28 days – Will involve non-urgent repairs

Columns: Threat; Priority for restoring service; Contingency measures required; Actions required to restore service; Risk if priority unable to be met

Threats:
Loss of staff
Loss of telephone communication
Loss of email
Loss of internet
Loss of network including all software packages and telephone system
Fuel shortage
Loss of building either due to fire or loss of utilities – gas, electric and water
Clinical or safety disaster

Appendix 2
Business Continuity Action Plan

Priority for the Restoration of Services

1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an essential service/function
2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band
3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not prevent provision of an essential service/function
4. Important: Within 3 days – Will affect services without causing danger to patients
5. Necessary: Within 7 days – Minor disruption to services
6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience
7. Non-Urgent: Within 28 days – Will involve non-urgent repairs

Columns: Threat; Priority for restoring service; Contingency measures required; Actions required to restore service; Risk if priority unable to be met

Loss of staff; 4 for critical staff; 6 for non-critical staff; Matrix working for critical staff to share learning; Formal appointment of successor; Deputies for each critical area; Secure extra support from CSU; Impact on ability to conduct business, progress work plans and maintain governance including reporting of performance; Defer meeting dates for statutory meetings to endeavour to meet quorums

Loss of telephone communication; 3; Seek extra support from CSU for interim periods; Use of corporate mobile phones; Contact CSU IT department; Impact on timeliness of communication and ability to progress some areas of work at the speed required e.g. querying invoices; Contact CSU IT department; Impact on ability to maintain leadership; Use of email (assuming network is still operational)

Loss of email; 3; Use of telephone system (assuming system is still operational as linked to network); Use of corporate mobile phones; Impact on ability to conduct business in a timely manner; Use of postal system; Use of fax; Use of courier for urgent documents

Loss of internet; 4 for general use; Other research methods. Copies of key documents on the network; Contact CSU IT department; Inability to receive performance report from web-based packages; Use of corporate 3G iPads and iPhones for any urgent internet requirements; 3 for integrated financial system; Information governance risk concerning person identifiable information being sent via the postal system. Safe Haven fax arrangement to be used and registered mail to be used; Inability to pay invoices on time; Home working (assuming staff have access to internet at home) for urgent tasks; Use of alternative NHS accommodation for urgent payment of invoices

Loss of network including all software packages (resulting in loss of access to critical information) and telephone system; Fuel shortage; Loss of building either due to fire or loss of utilities – gas, electric and water; Clinical or safety disaster; 3; NA; Contact CSU IT department; Impact on ability to perform core business, meet statutory requirements; 5; Use of home working and VPN; Use of alternative NHS accommodation; Use of conference calling; NA; Impact on conduct of business and maintenance of statutory requirements; As appropriate to the threat; Possible overload on alternative NHS accommodation; 6; Use of corporate iPads/iPhones for FaceTime; Use of home working and VPN; Use of alternative NHS accommodation; 1; Scan any critical information held in paper format only; Major incident plan to be implemented; As appropriate to threat; Risk over destruction of paper records if fire; Impact on ability to deliver core business as incident takes priority

APPENDIX 3
Crisis Response Team Notes

Reason for Invoking Plan:
Date:
Time:
Brief Summary of Situation:
Department/s Affected:
Other Organisations Involved / Alerted:
Name of note taker:
Date:

Columns: Actions Required; By Whom

Immediate:
Within 8 Working Hours:
Within 1 Working Day:
Within 3 Days:
Within 1 Week:

Situation to be reviewed every ………..hrs / …….days
Name of note taker:
Date: