Corporate Business Continuity Plan

Transcription

1 Corporate Business Continuity Plan Prepared and Emergency Resilience Team Version: 5.0 issued by: Date: June 2015 Review Date: April 2018

2 CONTENTS Page No Foreword 3 Distribution 4 Revision History 5 Record of Exercises 5 SECTION 1 - INTRODUCTION Aim Objectives Scope Guiding Principles 6 SECTION 2 - MANAGEMENT AND ADMINISTRATION Responsibility Distribution Training and Exercising Monitoring, Evaluation and Review 7 SECTION 3 GENERAL INFORMATION Resilience Policy and Framework Council Services and Critical Activities Associated Plans 8 SECTION 4 RESPONDING TO CORPORATE (LEVEL 3) DISRUPTIONS FIFE COUNCIL ARRANGEMENTS Background Levels of Response Incident Management Emergency Control Room Key Roles Additional Resources 14 SECTION 5 MANAGING THE RESPONSE TO A CORPORATE (LEVEL 3) DISRUPTION Key Stages of Response Notification and Initial Response to a Corporate (Level 3) Impact Activating a Response to a Corporate (Level 3) Impact Co-ordinating and Managing the Response to a Corporate (Level 3) Impact Stand Down 20 SECTION 6 MANAGING THE RECOVERY TO A COPORATE (LEVEL 3) DISRUPTION Recovery Return to Normal of a Corporate (Level 3) Impact Recovery Strategy Debrief and Lessons Learned 21 APPENDIX A Incident Log 22 APPENDIX B - Council Incident Management Team Agenda 23 APPENDIX C Action Log 25 APPENDIX D Situation Report 26

3 FOREWORD Business Continuity Planning is an essential component of corporate and service management. We all have a role to play in dealing with large or small scale disruptions that impact on the delivery of the Council s critical activities. This plan supports the Council s Resilience Policy and Framework which sets out the flexible arrangements to ensure that the management of and response to business continuity disruptions is proportionate to its scale or potential impact and sets out activation and escalation procedures for disruptions occurring within or outwith office hours. Specifically detailed in this document is how the Council will activate and coordinate a corporate response to a disruption which affects several Council Services. Each Directorate/Service has its own Directorate/Service Business Continuity Plan to manage Directorate/Service-specific disruptions. This corporate plan is continually updated, incorporating lessons learned from real life disruptions and exercises, as well as changes in corporate priorities and delivery of critical activities. Steve Grimmond Chief Executive Fife Council Page 3 of 25

4 DISTRIBUTION POST Chief Executive Executive Director, Communities Executive Director, Education and Children s Services Executive Director, Enterprise and Environment Executive Director, Finance and Corporate Services Director of Health and Social Care Head of Area Services Head of Community and Corporate Development Head of Customer Service Improvement Head of Housing Services Heads of Education and Children s Services Head of Assets, Transportation and Environment Head of Economy, Planning and Employability Assessor Head of Democratic Services Head of Finance Head of Human Resources Head of ICT Head of Legal Services Head of Procurement Head of Revenue and Shared Services Divisional General Manager East Fife Divisional General Manager Fife Wide Divisional General Manager West Fife Chief Financial Officer Communications and Customer Insight Manager Incident Managers Business Continuity Leads Emergency Resilience Team Page 4 of 25

5 REVISION HISTORY Version Nature of Review Amended By Date of next review 1.0 Annual review S Robertson May Annual review S Robertson October Final version S Robertson January Annual review S Robertson April Annual review S Robertson September 2015 incorporating exercise lessons identified 5.0 Interim review to incorporate Resilience Framework and Policy S Robertson April 2018 RECORD OF EXERCISES Exercise Name Exercise Type Venue Date of Exercise Exercise Broken Discussion-type FHWGF004, Fife 26 March 2014 Connection House Page 5 of 25

6 SECTION 1 INTRODUCTION 1.1 Aim The aim of this plan is to detail the roles, responsibilities and actions to be taken to ensure Fife Council maintains its critical activities in the event of a large scale potential or actual business continuity disruption seriously affecting more than one Directorate. 1.2 Objectives The objectives of this plan are to detail the arrangements to ensure that: the disruption to the Councils critical activities is minimised; the response to a corporate level business continuity disruption is effectively managed; the links to plans activated in response to any emergency are understood; there is effective internal and external communication; lessons learned during exercising or in response to disruptions are captured and inform the plan review process; Fife Council complies with the requirements of the Civil Contingencies Act Scope This plan sets out the Council s approach to managing a corporate level business continuity disruption. It details the arrangements to ensure that the response to a business continuity disruption is proportionate to its scale or potential impact and sets out the activation procedures for disruptions occurring within or outwith normal office hours. Details of actions or contact information required in responding to a specific business continuity disruption are not included in this plan. This information is contained within the Directorate/Service and critical activity business continuity plans/resilience plans. 1.4 Guiding Principles Business continuity disruptions are managed at the appropriate level. A business continuity response can be required to either prepare for an anticipated business continuity disruption or to respond to such a disruption. Business continuity management is a dynamic process. Lessons identified from training events, exercises and incidents are factored into the plan review process. Page 6 of 25

7 2.1 Responsibility SECTION 2 MANAGEMENT AND ADMINISTRATION The Chief Executive, Fife Council, is responsible for this plan. 2.2 Distribution This plan is distributed as per the list in this document and will be published on the Council s Intranet. Interim changes to the plan will be made, notified to recipients and noted on the version published on the Fife Council Intranet (FISH). Revised copies of the plan will be circulated following the review process (see para 2.4 below). 2.3 Training and Exercising Training, exercising and briefing will be provided for staff with a key role in this plan. A record of attendance at corporate training and exercising events will be held by the Emergency Resilience Team. The Council s Learning Management System (CLMS) should also be used by managers to record training. Staff can also record on CLMS individual attendance at events. 2.4 Monitoring, Evaluation and Review The Emergency Resilience Team will be responsible for ensuring that arrangements are in place to monitor, evaluate and review this plan. This plan will be revised, where appropriate, to include any lessons learned from training, exercising or activation of this plan. In addition to ongoing monitoring, this plan will be formally reviewed every three years. Page 7 of 25

8 SECTION 3 GENERAL INFORMATION 3.1 Resilience Policy and Framework The Civil Contingencies Act 2004 (CCA) established a range of duties for Category 1 1 responders in preparing for, responding to and recovering from emergencies, including business continuity disruptions. A Resilience Policy and Framework has been developed which details Fife Council s arrangements and roles and responsibilities that ensure compliance with its duties as a Category 1 responder under the CCA. This plan supports this framework and is one of a suite of plans which may be activated on its own or in conjunction with other emergency plans or arrangements (see 3.3 below). 3.2 Council Services and Critical Activities The Council provides a diverse range of services to the Fife community. Many of these services are critical to the livelihoods and well-being of the people of Fife, the Fife environment and in many cases there is a statutory duty placed on the Council to carry out services and activities. In business continuity terms, these are known as critical activities. However, there are many services that the Council provides that do not fall into one of these categories. Although these services are important, priority will be given to the critical activities during any level of business continuity disruption. Any team formed to manage the incident will ensure that the impact on these less critical services is managed appropriately. 3.3 Associated Plans Directorate Business Continuity Plans These plans provide information on Directorate/Service key roles and responsibilities in response to business continuity disruptions that affect the delivery of their critical activities. These plans are supported by detailed Critical Activity BC Plans and Resilience Plans. Generic Emergency Plan The Generic Emergency Plan is a plan which guides the local authority response to any emergency occurring in Fife as part of an integrated emergency response with other Category 1 responders ie blue light emergency services, NHS and SEPA. 1 Category 1 responders are emergency services, local authorities, national health boards, SEPA, Maritime and Coastguard Agency Page 8 of 25

9 Emergencies such as widespread flooding have the potential to create situations where both the Generic Emergency Plan and Business Continuity plans are activated. In such situations separate Incident Management Teams will be formed and links between the teams maintained. Fuel Shortage Plan This plan sets out the specific arrangements which will assist the Council s response to a fuel shortage in preparing to deal with a potential fuel shortage. Where there is an actual fuel disruption, the Corporate Business Continuity Plan will be activated to manage the Council s response. Pandemic Influenza Plan This plan sets out how the Council will plan for and respond to pandemic influenza. The Corporate Business Continuity Plan will be activated in response to the impact of pandemic influenza on the delivery of Council critical activities. IT Services IT System Recovery Plan This document details the processes carried out by IT Services when responding to and recovering critical IT systems in the event of an unplanned outage. Page 9 of 25

10 SECTION 4 RESPONDING TO CORPORATE (LEVEL 3) BC DISRUPTIONS FIFE COUNCIL ARRANGEMENTS 4.1 Background - Levels of Response The scale and impact of a business continuity disruption determines how the Council co-ordinates and manages its response. The following three-tiered escalated response has been developed as a guide for use by those in the Council involved in any business continuity disruption. There should be an ongoing assessment of the impact and consideration given to escalating the level of response, where appropriate. Level Scale and Impact Level of Response 1 A minor disruption at a Team level Managed by critical activity to a critical activity owner/person in control 2 A significant disruption to several critical activities across one Directorate/Service 3 A significant disruption affecting several critical activities across more than one Directorate Managed by Directorate IMT Council ECR activated Managed by Council IMT 4.2 Incident Management To ensure an effective joined up response to and limit the impact on any business continuity disruption on the Fife community, it is essential that the individual actions taken by each Service in the Council are co-ordinated. The level of co-ordination required will vary depending on the scale and impact of the business continuity disruption Council Incident Management Team (IMT) On notification of a corporate (Level 3) disruption, a Council Incident Management Team will be formed to ensure a co-ordinated response across the Council. The generic roles and responsibilities of the Council IMT include but are not limited to: Assessing what has happened and the impact to the Council. Providing corporate direction and a co-ordinated response, taking into account changing circumstances and specific date and time factors. Liaising with Directorate IMT(s) and delegating tasks. Page 10 of 25

11 Ensuring the prioritisation and continuity of critical activities affected by the disruption, including considering the need to stop less-critical activities. Monitoring and taking appropriate action to ensure that the impact on those services identified as being less critical is managed. Co-ordinating the re-deployment of staff and other Council resources between Directorates/Services. Co-ordinating the re-location of staff. Prioritising the recovery of IT systems during a Council-wide IT failure. Developing the communications strategy, including warning and informing, ensuring the Council response is communicated consistently to employees, members, Fife community, partners, media and other stakeholders. Identifying and taking any strategic HR decisions, as required. Liaising with the emergency Incident Management Team, where the Generic Emergency Plan has been activated. Ensuring resiliency of the IMT when managing longer-term business continuity disruptions, including providing an outwith working hours response. Protecting the reputation of the Council. Issuing stand down instructions. Making arrangements to debrief the incident. Developing the recovery strategy for returning to normal business. 4.3 Emergency Control Room To enhance the co-ordination of the Council s response during Corporate (Level 3) disruptions, arrangements are in place for the Emergency Control Room (ECR) to be activated. In all instances where the Council IMT has been formed, the ECR will be activated. All Council IMT actions and decisions will be co-ordinated from the ECR which is located in Conference Room 1, Ground Floor, Fife House. An ECR Standard Operating Procedure has been developed which provides guidance to those who may be required to perform a role in this facility. Where the ECR is impacted by the disruption another suitable location will be determined by the Chair Frequency of meetings The frequency of meetings will be determined by the scale and impact of the incident. There may be occasions where the Council IMT needs to meet outwith office hours to ensure the continued management of the disruption. 4.4 Key Roles This section details the key roles of members of a Council IMT, formed to manage a corporate (Level 3) disruption. Dependent on availability, Page 11 of 25

12 delegation should be used to ensure Council IMT membership is appropriate and adequate Chief Executive/Executive Directors The Chief Executive/Executive Directors have overall responsibility for managing the response to and recovery from a corporate (Level 3) disruption. Key tasks: Authorise the activation of the corporate business continuity plan Approve activation and chair of the Council IMT Lead the Council s response to managing the business continuity disruption Ensure elected members and other stakeholders are briefed Issue stand down instructions Lead the de-brief on the response to the incident and identify and action lessons learned Lead the recovery process Heads of Service/Senior Managers The Heads of Service/Senior Managers have overall responsibility for coordinating their Service area response to and recovery from any corporate (Level 3) disruption. Key tasks: Member of the Council IMT Monitor and provide regular updates to the Council IMT on the impact to their Service Implement the Council IMT decisions Maintain a record of all tasks and decisions taken Attend debriefs connected to the disruption Incident Manager The Incident Manager is responsible for co-ordinating the response to and recovery from a corporate (Level 3) disruption. Key tasks: Member of the Council IMT Co-ordinate the Council response Manage the ECR Ensure the membership of the Council IMT is appropriate to allow for an effective and co-ordinated response Agree a communications strategy Ensure regular situation reports and updates are provided to the Council Executive Team and other stakeholders Lead the recovery phase of the disruption Page 12 of 25

13 Point of contact for the multi-agency responders, if required Chair and/or attend debriefs connected to the disruption Duty Emergency Resilience Officer (ERO) The Duty ERO is responsible for providing advice, assistance and support to any level of business continuity disruption. Key tasks: Maintain a log of all tasks and decisions taken Discuss activation of the ECR and appropriate business continuity plans with the Duty Executive Director Member of the Council IMT Advisor to the Chair of the Council IMT Prepare and submit regular Council-wide situation reports Ensure effective liaison to any linked civil emergency incident Ensure lessons learned from debriefing are factored into plan review Directorate Business Continuity Lead Officer The Directorate Business Continuity Lead Officer supports senior management in the co-ordination of the response to and recovery from a business continuity disruption affecting their Directorate/Service. Key tasks: Establishing the Directorate/Service-wide impact of a disruption Member of the Council IMT, where appropriate Provide regular updates to the Council IMT on the impact to their Directorate/Service Update the Directorate IMT on the decisions made at the corporate level Attend debriefs connected with the disruption Monitor the implementation of specific lessons identified that impact on Directorates/Services Communications Officer The Communications Officer is responsible for co-ordinating the Council s warning and informing advice to employees, residents, local and national Elected Members and liaison with all other stakeholders. Key tasks: Member of the Council IMT Establish the communications strategy, specialist support requirements and a multi-disciplinary communications team Assess warning and informing requirements Arrange for internal and external communications, as directed Ensure cross-service communications are in place, as required Page 13 of 25

14 Provide liaison between the ECR and the media Link with key external agencies, as required Attend debriefs connected with the disruption ECR Support (only applicable when the ECR has been activated) This team of Council staff support the administration functions within the ECR during office hours. Key tasks: Attend the ECR on request from the Duty ERO Carry out administrative support as required to ensure the smooth running of the ECR Subject Matter Experts The following subject matter experts may be members of the Council IMT to provide information and advice on their area of expertise. Human Resources representative Legal representative Finance representative Procurement representative Health and Safety representative IT Services representative Facilities Management representative Team membership will be determined by the impact, scale and length of the business continuity disruption and may change and/or expand over the period of the disruption. 4.5 Additional resources Disruptions can occur at any time, both during and outwith office hours. Additional resources are available Contact Details Both during and outwith office hours, the Emergency Resilience Team will contact key members of the Council IMT as appropriate using the contact information contained in the Directorate/Service Business Continuity Plans. These key members will contact other appropriate staff within their Directorates as required. Page 14 of 25

15 4.5.2 Aids to assist the management of the Corporate (Level 3) response The following information is available to assist the management of the corporate (Level 3) response: Prioritised list of critical activities which can be made available by the Emergency Resilience Team at the time of a disruption. Critical activity business continuity plans/resilience plans provide detailed information on the impact caused by the disruption and planned actions for continuing to provide affected critical activities at reasonable levels. These reports are available on request from the Emergency Resilience Team and Directorate Business Continuity Lead Officers Incident Management Templates The following example templates can be used to assist in the management of the Corporate (Level 3) response: Incident Log to record the individual actions and decisions taken outwith any Council IMT (Appendix A) Council IMT meeting agenda highlighting key areas for discussion (Appendix B) Action Log template to record the actions agreed by the Council IMT (Appendix C) Situation Report to detail the up-to-date position of the disruption for submission to the Council IMT (Appendix D) Page 15 of 25

16 SECTION 5 MANAGING THE RESPONSE TO A CORPORATE (LEVEL 3) DISRUPTION 5.1 Key Stages of Response Responses to all sizes of business continuity disruptions tend to follow these key stages: Notification and initial response Activating the response Co-ordinating and Managing the Response, including standing down the response Recovery - Return to Normal strategy The following pages detail key roles and actions within each of the stages on the response to a Corporate (Level 3) impact. Information on the response to Level 1 and 2 impacts is detailed in the Directorate/ Service BC Plans. As a quick reference guide, an aide memoire has been developed summarising the key roles and actions in each of the three levels of response to and recovery from any business continuity disruption. Page 16 of 25

17 5.1.1 Notification and Initial Response to a Corporate (Level 3) Impact A business continuity disruption can happen in any Council service. Once identified as an actual or potential disruption, the member of staff should confirm the impact and notify their line manager. Where the impact has been identified as being a corporate (Level 3) disruption, the Emergency Resilience Team should be notified. A corporate (Level 3) response will be needed when one or more of the following criteria applies: It is likely that widespread disruption will be caused across several Council Services. A major site is affected that accommodates various Council Services. Arrangements in Directorate/Service business continuity plans are in danger of being overwhelmed. A co-ordinated corporate response is needed to deal with the disruption. The disruption cannot be dealt with through normal operational procedures or via the activation of Directorate/Service business continuity plans. Sharing and movement of resources is needed between Directorates/Services. Significant or prolonged loss of IT and communications. An incident with the potential to affect several buildings or the welfare of staff. An incident that is likely to cause significant or high profile public interest, unrest or concern. REMEMBER TO RECORD ALL ACTIONS AND DECISIONS TAKEN TO MANAGE THE DISRUPTION ON THE INCIDENT AND ACTION LOGS Page 17 of 25

18 5.1.2 Activating the Response to a Corporate (Level 3) Impact The Duty Emergency Resilience Officer will discuss the activation of this plan with a member of the Council Executive Team (CET) when a corporate (Level 3) business continuity disruption has either happened or is threatened to happen. Following agreement, the Duty ERO will activate the Council ECR. An Incident Manager will be appointed to manage the function of the ECR and co-ordinate the corporate Council response. The Incident Manager will be supported by a Council Incident Management Team (IMT) and, in discussion with the Duty ERO, will request Council Service representatives to join this team and attend the ECR, as required. The generic roles and responsibilities of the Council IMT are detailed at para REMEMBER TO RECORD ALL ACTIONS AND DECISIONS TAKEN TO MANAGE THE DISRUPTION ON THE INCIDENT AND ACTION LOGS Page 18 of 25

19 5.1.3 Co-ordinating and Managing the Response to a Corporate (Level 3) Impact Adopting an appropriate level of incident management (para 4.2) will ensure a fully co-ordinated response to any level of business continuity disruption. In broad terms, the larger the scale and impact of the disruption, the greater level of co-ordination is required. On notification of a Corporate (Level 3) disruption, the Incident Manager will co-ordinate and manage the Council s response to the disruption supported by the Council IMT and the ECR Stand down The Chair of the IMT will regularly review the disruption and determine when it is suitable to issue stand down instructions. The Chair of the IMT is responsible for issuing the stand down instructions and ensuring that all relevant parties are informed. REMEMBER TO RECORD ALL ACTIONS AND DECISIONS TAKEN TO MANAGE THE DISRUPTION ON THE INCIDENT AND ACTION LOGS Page 19 of 25

20 SECTION 6 MANAGING THE RECOVERY TO A CORPORATE (LEVEL 3) DISRUPTION 6.1 Recovery Return to Normal of a Corporate (Level 3) Impact Depending on the scale and impact of any level of business continuity disruption there may not be an immediate return to normal due to e.g. the need to process information gathered during the disruption whilst at the same time responding to new customer enquiries. Planning for recovery can also be one of the areas included in the coordinating and managing response stage. However, it is at the recovery stage that the full recovery strategy is implemented Recovery Strategy For a corporate (Level 3) disruption, the Council IMT will develop a recovery strategy to ensure that return to normal is appropriately managed, coordinated and resourced to continue to manage stakeholder expectations. As part of this strategy, the cost of recovery should be recorded so that the full impact of the incident can be captured during the debrief and lessons learned Debrief and Lessons Learned In all instances where this plan has been activated it is essential to capture lessons learned by a process of debriefing and plan review. The Chair of the Council IMT will ensure arrangements are in place to debrief the disruption. An action plan will be drawn up to progress recommendations identified at the debrief. Where recommendations require a revision of this plan, the Emergency Resilience Team will ensure that this plan is updated accordingly. The Incident and Action Logs completed during the response to disruption are useful reference documents during the debrief process. A Debrief and Lessons Learned procedure has been produced detailing the process and templates for completion. This procedure can be found on FISH. REMEMBER TO RECORD ALL ACTIONS AND DECISIONS TAKEN TO MANAGE THE DISRUPTION ON THE INCIDENT AND ACTION LOGS Page 20 of 25

21 (Template used to record individual actions and decisions taken outwith any Incident Management Team) INCIDENT LOG APPENDIX A INCIDENT: LOCATION: IMPACTED SERVICES: Date/Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Time: From/To: Action: Other Info: Signature. Date.. Page 21 of 25

22 (Suggested agenda structure to help clarify what should be discussed during a Council Incident Management Team meeting) APPENDIX B COUNCIL INCIDENT MANAGEMENT TEAM MEETING Agenda (insert Date of Meeting) (insert Time of Meeting) (insert Meeting Venue) Action 1 Welcome and introductions 2 Briefing on current situation: updates from Directorate/Services Incident Management Teams critical activities affected impact on customers building damage assessment IT/telephone availability number of employees affected impact on suppliers/contractors/partners affected imminent risks media interest and public relations 3 Assess effect/impact of the situation on the Council and decide on future actions/priorities Critical activities What critical activities are affected? What are the current priorities? What are we able to do? Customers Is the Council s customers affected? What is the likely impact on these customers? What is the vulnerability, demographics, locations of these customers? Accommodation What premises have been affected? Anything key stored in those building(s)? Alternative premises? Page 22 of 25

23 IT/Telephony To what extent has IT/telephony been affected? What is the impact across the Council on the loss of IT/telephony? How long might the loss be of IT/telephony? What workarounds can be put in place and what are the implications of this? Employees How are employees affected? Consider requirement and needs of vulnerable employees Agree which employees are required immediately or their ability to be available Plan what to do with employees not immediately required Ensure all employees are contactable and verify contact details Key suppliers/contractors/partners Are key suppliers, contractors, partners affected by the disruption? Are there alternatives available to use? Legal Obligations Are there any legal obligations? Health, safety and welfare issues 4 Communications strategy: Key messages Media relations Customer direct-mail Public information drops Manager briefings Elected member briefings All employee information Partner providers Other stakeholders 5 Stand down 6 Recovery and return to normal 7 Chairperson to: summarise and re-affirm priorities/actions decide if and when next meeting is required 8 Any other business Page 23 of 25

24 (Template used to record actions agreed by the Council Incident Management Team) APPENDIX C ACTION LOG Description of emergency/business continuity disruption Date Time Information, decisions and actions to be taken Action assigned to Action Status Comments Page 24 of 25

25 (Template used to detail the up-to-date position of the business continuity disruption for submission to the Incident Management Team) SITUATION REPORT APPENDIX D Report No Date Description of incident Current situation at ****hrs Action(s) Outstanding Prepared by Distributed to Page 25 of 25