Version: 3.0. Effective From: 19/06/2014

Transcription

1 Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016 Sponsor Director of Estates and Facilities Expiry Date 04/06/2017 Withdrawn Date This policy supersedes all previous issues. Business Continuity Planning Policy v3

2 Version Release Author/ Reviewer Version Control Ratified by/ Authorised by 1.0 July 2009 A Colwell HR Committee /02/2011 A Colwell Business and Service Development Committee Date 16/03/ /12/2010 Changes (please identify page no) OP 27 format CQC requirements Major Incident Planning Group /06/2014 A Colwell Business and Service Development Committee 22/02/2011 Updated risk assessment score matrix 05/06/2014 Change in management and director roles. Revised policy operation at Section 6 Business Continuity Planning Policy v3 2

3 Contents 1. Introduction Policy Scope Aim of this Policy Roles and Responsibilities Definitions Delivery of the Policy Business Services & Development Committee (BSDC) Business Continuity Group (BCG) Major Incident Planning Group (MIPG) Corporate Business Continuity Management Plan Business Continuity Plans Business Impact Analysis measuring impacts over time Threat Assessment Impacts Identification of Business Threats Continuity Planning Strategy Review of Business Continuity Plans Risk Assessments Training Equality and Diversity Monitoring compliance with the policy Consultation and review of this policy Implementation of policy (including raising awareness) References Business Continuity Planning Policy v3 3

4 1. Introduction This Trust delivers a wide range of services to its local community. Failure to deliver these services could have a detrimental impact on the health of the public and the viability of our business. It is therefore essential that the Trust has robust business continuity plans (BCP) in place. The consequences of not having effective BCP in place could have serious implications, including: failure to deliver key services possibility of loss of life or injury loss of Public Confidence exposure to the potential to legal action, leading to subsequent heavy financial penalties. 2. Policy Scope This policy is applicable to all Trust functions, services, divisions departments within and provided by the trust. The policy covers the trusts responsibilities as Category 1 responders under the Civil Contingencies Act and respective Care Quality Commissions standards. 3. Aim of this Policy The aim of this policy is to build into the culture, that business continuity is embedded within the organisation, rather than fire fighting any emergency so that business asusual is achieved in the quickest possible time. This will increase confidence in the organisation and the reputation of the Trust. 4. Roles and Responsibilities Director of Estates and Facilities (Accountable Officer Emergency Planning) The Director of Estates and Facilities leads on behalf of the Chief Executive and the Trust Board for Business Continuity Planning. Senior Managers, Heads of Service and Service Managers Senior Managers, Heads of Service and Service Managers will be responsible for undertaking appropriate risk assessment process which includes the completion of appropriate Business Continuity Plans as outlined in this policy and when required present Business Continuity Plans to the Major Incident Planning Group. In addition it is their responsibility to ensure that all risks are entered onto the Trust Risk Register Head of Facilities The Head of Facilities is responsible for the strategic delivery of the Business Continuity Planning Strategy ensuring that tactical and operational level plans are coordinated and assurance is provided via the Major Incident Planning Group Annual Report to the Trust Board on Business Continuity. Business Continuity Planning Policy v3 4

5 5 Definitions Business Continuity Management For the NHS, Business Continuity Management is defined as: The management process that enables an NHS organisation: to identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation. to identify and reduce the risks and threats to the continuation of these key services. to develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time. For the NHS service interruption may be defined as: Any disruptive challenge that threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal operating functions. Civil Contingencies Act Within the Civil Contingencies Act 2004, all acute Trusts have legal responsibilities as Category One responders. Category One responders are required to take up their civil protection duties and be able to perform their functions so far as necessary or desirable to respond to an emergency. Part of this responsibility is to produce Business Continuity Plans. Care Quality Commission In addition to our own internal performance monitoring the trust is also subject to Outcome 10 of the CQC standard which stipulates that People who work, visit or use our services can be confident that, in relation to maintenance and renewal: There are clear procedures, followed in practice, monitored and reviewed which cover, What will happen in the event of electricity, water or gas supply failure What will happen in the event of a fire or flooding Other emergencies that occur on the premises How the situation will be managed should IT or communication systems which are integral to the premises fail. Business Continuity Planning Policy v3 5

6 6. Delivery of the Policy 6.1 Business Services & Development Committee (BSDC) The BSDC is responsible for receiving strategic level assurance for Business Continuity. The assurance arrangements for BCP are as follows. 6.2 Business Continuity Group (BCG) The Business Continuity Group is a multi disciplinary sub group of the BSDC and has been established to provide a focus for business continuity arrangements at a Tactical/ Operational level throughout the Trust. The Group will liaise with the Major Incident Committee and report outcomes for assurance to the BSDC committee. The delivery of the policy will be undertaken by the BCG. The purpose of the Business Continuity Group is to ensure that adequate and realistic Business Continuity Plans and arrangements are in place throughout the organisation to ensure that Trust services can continue, as far as is reasonably practicable, in the case of a business continuity incident. The Business Continuity Group will ensure that effective Business Continuity Planning is undertaken across all directorates through, Business Continuity Planning Policy v3 6

7 a) Ensuring that adequate and realistic business continuity impact assessments and arrangements are in place in each functional area; b) Prioritise individual Business Continuity Plans; c) Co ordinate the integration of individual Business Continuity Plans; d) Co ordinate the production of a Trust wide Business Continuity Plans; e) Ensure that functional Business Continuity Plans are reviewed and updated in accordance with the requirements of the Trust s Business Continuity Policy; f) Monitor business continuity management control strategies, ensuring that actions are followed up; g) Co ordinate the exercising of Trust Business Continuity Plans; h) Promote and embed a business continuity management culture; i) Ensure the as far as reasonable practicable that the Trust complies with good practice guidance issued by respective industry Standards. j) Monitor progress against the Business Continuity action plan; k) Monitor the effectiveness of the Trust s Business Continuity Policy and provide assurance reports to the BSDC Committee and Trust Board Major Incident Planning Group (MIPG) Business Continuity Management can be seen as complementary to those involved in emergency management. Emergency management is carried out through the work of the Major Incident Planning Group. It is critical therefore that both processes are integrated and complementary to each other as a major incident may occur at the same time as a business continuity issue, or be triggered by it. The Trust s MIPG is to have in place effective arrangements to maintain the most critical services and to ensure that these arrangements are regularly reviewed and practiced. 6.4 Corporate Business Continuity Management Plan Response to Business Continuity Incidents are detailed within the Corporate Business Continuity Management Plan. This plan describes the management procedures both in and out of hours, to determine the severity of the business interruption and to determine the trigger points for a Hospital Control Team to be assembled. Account will also be taken of other Trust policies relating to the management of untoward incidents eg Majax Plan. 6.5 Business Continuity Plans The Trusts Business Continuity Planning process will be inclusive of a Business Impact Analysis process conducted at the departmental level. Part of this process will include the consideration of contingencies to support mitigation. Business Continuity Planning Policy v3 7

8 6.6 Business Impact Analysis measuring impacts over time Business impact analysis is crucial to the development of an effect business continuity management strategy. It consists of the following stages: The identification of key services The assessment of the principal risks to these services The consequences to the organisation if no action were taken to mitigate the risks The setting of timescales for the recovery of key services Business impact analysis must also take account of dependencies in relation to an activity/ process and/ or business function. 6.7 Threat Assessment Impacts The threat assessment utilises a framework to identify and validate the potential outcome of a loss to an activity/ process and/ or business function. The criticality of the risks will be assessed according to impact on the Trust in terms of impact categories x timing that the impact will likely have an effect on the Trust. Not all services will be as critical as others and not all impacts will be applicable to all processes or activities. The framework will therefore identify the impact as a cumulative risk score for the process/ activity. The impact categories will be classified as follows, Financial Finance including claims Legal Failure to carry out statutory duty/ inspections Regulatory Issues affecting quality Outcomes resulting in complaints Failure to undertake audit provide assurance Service Delivery Service/business interruption Environmental impact Image Adverse publicity/ reputation Health and Safety Impact on the safety of patients, staff or public (physical/psychological harm) Business Continuity Planning Policy v3 8

9 Table 1 Impact Category Guidance Impact score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Extreme HEALTH AND SAFETY Impact on the safety of patients, staff or public (physical/psychological harm) Minimal injury requiring no/minimal intervention or treatment. No time off work Minor injury or illness, requiring minor intervention Requiring time off work for >3 days Increase in length of hospital stay by 1 3 days Moderate injury requiring professional intervention Requiring time off work for 4 14 days Increase in length of hospital stay by 4 15 days RIDDOR/agency reportable incident An event which impacts on a small number of patients Major injury leading to long term incapacity/disability Requiring time off work for >14 days Increase in length of hospital stay by >15 days Mismanagement of patient care with long term effects Incident leading to death Multiple permanent injuries or irreversible health effects An event which impacts on a large number of patients REGULATORY Quality/complaints/audit LEGAL Statutory duty/ inspections Peripheral element of treatment or service suboptimal Informal complaint/inquiry No or minimal impact or breech of guidance/ statutory duty Overall treatment or service suboptimal Formal complaint (stage 1) Local resolution Single failure to meet internal standards Minor implications for patient safety if unresolved Reduced performance rating if unresolved Breech of statutory legislation Reduced performance rating if unresolved Treatment or service has significantly reduced effectiveness Formal complaint (stage 2) complaint Local resolution (with potential to go to independent review) Repeated failure to meet internal standards Major patient safety implications if findings are not acted on Single breech in statutory duty Challenging external recommendations/ improvement notice Non compliance with national standards with significant risk to patients if unresolved Multiple complaints/ independent review Low performance rating Critical report Enforcement action Multiple breeches in statutory duty Improvement notices Totally unacceptable level or quality of treatment/service Gross failure of patient safety if findings not acted on Inquest/ombudsman inquiry Gross failure to meet national standards Multiple breeches in statutory duty Prosecution Complete systems change required Low performance rating Zero performance rating IMAGE Adverse publicity/ reputation Rumours Potential for public concern Local media coverage short term reduction in public confidence Elements of public expectation not being met Local media coverage long term reduction in public confidence Critical report National media coverage with <3 days service well below reasonable public expectation Severely critical report National media coverage with >3 days service well below reasonable public expectation. MP concerned (questions in the House) Total loss of public confidence Business Continuity Planning Policy v3 9

10 Impact score (severity levels) and examples of descriptors Domains Negligible Minor Moderate Major Extreme FINANCE Finance including claims SERVICE DELIVERY Service/business interruption Environmental impact Small loss Risk of claim remote Loss/interruption of >1 hour Minimal or no impact on the environment Loss of per cent of budget Claim less than 10,000 Loss/interruption of >8 hours Minor impact on environment Loss of per cent of budget Claim(s) between 10,000 and 100,000 Loss/interruption of >1 day Moderate impact on environment Uncertain delivery of key objective/loss of per cent of budget Claim(s) between 100,000 and 1 million Purchasers failing to pay on time Loss/interruption of >1 week Major impact on environment Non delivery of key objective/ Loss of >1 per cent of budget Failure to meet specification/ slippage Loss of contract / payment by results Claim(s) > 1 million Permanent loss of service or facility Catastrophic impact on environment Table 3 Impact scoring = Impact category x timing Impact Risk Score Likelihood score Rare Unlikely Possible Likely Almost certain 5 Catastrophic Major Moderate Minor Negligible For grading risk, the scores obtained from the risk matrix are assigned grades as follows 1 3 Low risk 4 6 Moderate risk 8 12 High risk Extreme risk 6.5 Identification of Business Threats In the completion of the BIA the process will consider the greatest threat/s that could disrupt the Trust s business. These threats could be external e.g. Natural or man made disasters i.e. flooding, fire, Adverse weather conditions i.e. high winds (structural damage), snow Problems with the supply chain Power failure Water supply failure Fuel shortage Business Continuity Planning Policy v3 10

11 They may be internally created e.g. Communication disruptions i.e telephone, Equipment failure Network or hardware failure. Staff / skill shortage 6.7 Continuity Planning Strategy The strategy will require Business Continuity and Recovery Plans to eliminate the high risk factors and attempt to reduce the medium risk factors, identified as part of the BIA process referred to above. The strategy may accept the low risk factors. Planning considerations can include: People skills i.e. identify key staff and required skills; consider training requirements to strengthen staff flexibility, document processes, etc. Information regular computer back ups, off site storage, scanning key documents, battle box! etc. Space internal solution, alternative sites, etc. Training requirements staff will need to be familiar with the Business Continuity Plan specific to their activity. In every instance during the BIA process there will be a need for managers to conduct a cost benefit analyses between the cost of reducing the risk, the benefit achieved and the effort involved in preparing a contingency plan. 6.8 Review of Business Continuity Plans To ensure a programme to regularly review the Corporate and Clinical Directorate Business Continuity Plans. Validation and maintenance of existing plans is essential and needs to be conducted on a regular basis to ensure that the plans remain fit for purpose Risk Assessments Business Continuity Planning and subsequent reviews focuses Managers attention to the risks that might impact on the delivery of their services. Managers should also take notice of indicators of risk identified through other internal mechanisms, such as: Adverse incident reporting Security reports Fire reports Health and Safety reports Accident reports Business Continuity Planning Policy v3 11

12 7. Training Adequate training will be provided for staff to effectively adhere to the requirements of this policy in accordance with the programme identified at Appendix Equality and Diversity The Trust is committed to ensuring that, as far is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. This policy has been appropriately assessed. 9. Monitoring compliance with the policy Standard process/ issue Monitoring and Audit Method By Committee Frequency The effectiveness of this policy will be monitored through the BSDC committee with annual assurance being provided to the Trust board via the MIPG annual board paper. Board paper Head of Facilities BSDC/ MIPG board paper Annual 10. Consultation and review of this policy This policy has been reviewed in consultation with the Equality and Diversity Co ordinator, Counter Fraud Specialist and Risk Management Team. 11. Implementation of policy (including raising awareness) This policy will be circulated by the Trust Secretary via the Trust e mail system and will be available on the trust intranet for all staff to access. The policy will also be made freely available to the public via the Trusts internet page. Managers will be made aware of the policy during subsequent BCP plan reviews. 12. References Planning for NHS resilience: interim strategic national guidance for NHS organisations issued June Business Continuity Planning Policy v3 12