Business Continuity Management Policy

Transcription

1 Business Continuity Management Policy Business Continuity Policy Version 1.0 1

2 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3 Aug 13 Final draft with CDO comments PH th Sept Approved F&G Governing Body PH th Sept Approved SEH Governing body PH 1.0 October Issue PH Acknowledgment The CCGs would like to acknowledge Michaela Morris and the Isle of Wight NHS Trust for their help in the development of the Business Continuity policy and the subsequent training package. Business Continuity Policy Version 1.0 2

3 Contents 1. INTRODUCTION 4 2. AIM 4 3. OBJECTIVES 4 4. DEFINITION 5 5. WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)? 5 6. THE BENEFITS OF AN EFFECTIVE BCM PROGRAMME 6 7. THE OUTCOMES OF AN EFFECTIVE BCM PROGRAMME 6 8. RISKS TO ACHIEVING A ROBUST BCM PROCESS 6 9. LEGAL REQUIREMENTS NATIONAL STANDARDS BCM LIFECYCLE RESPONSIBILITIES OF CCG STAFF TRAINING GOVERNANCE THE CCGS BUSINESS CONTINUITY PROCESS PRODUCING THE BUSINESS CONTINUITY PLAN EXERCISING, MAINTAINING AND REVIEWING 18 BIBLIOGRAPHY 19 Business Continuity Policy Version 1.0 3

4 1. Introduction Fareham & Gosport and South Eastern Hampshire Clinical Commissioning Groups (CCGs) are NHS commissioning organisations which commission NHS funded health services for their local populations from a variety of healthcare providers both in public and private sectors. The NHS needs to be able to plan for and respond to a wide range of incidents and emergencies that could affect health or patient care. These could be anything from severe weather to an infectious disease outbreak or a major transport accident. This Business Continuity Management Policy outlines the process that Fareham & Gosport and South Eastern Hampshire Clinical Commissioning Groups (CCGs) will follow as part of their resilience arrangements. It has been produced using the guidance and industry standards: NHS England BCM Framework Guidance 2013 Civil Contingencies Act 2004 Emergency Preparedness Guidance ISO PAS 2015 BSI NHS Aim The aim of the Business Continuity Management policy is to set out the procedures to be followed so that as far as is reasonably practicable the CCGs are able to maintain the provision of their: Civil protection duties those functions that are required to help the CCGs respond to an emergency, whether internal or external to the organisation. Critical functions those functions that must be maintained whilst responding to an emergency. 3. Objectives The objectives of this policy are to: Identify the corporate responsibility for Business Continuity Management. Define the essential services that form the core of the CCGs business Support the CCGs commitment to ensure that all departments have comprehensive Business Continuity Plans (BCPs). Enable CCGs staff to respond to an emergency in line with the requirements of the Civil Contingencies Act (CCA). Maintain core services during business disruption. Reduce, control and mitigate as far as is practically possible the effects of business interruption on the CCGs functions. Ensure the CCGs are able to recover from an emergency and can restore to normal service delivery without undue delay. Business Continuity Policy Version 1.0 4

5 Build resilience into the systems and processes, and future developments of the CCGs. Ensure that business continuity management becomes an integral part of the organisations day to day business as usual operational management. 4. Definitions Business continuity: the Strategic and Tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level Business continuity management: management process that identifies potential threats to an organisation and the impacts that those threats might cause Business Impact Analysis: process of analysing business functions and the effect a business disruption might have upon them Business continuity plan: documented collection of procedures and information that is developed and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities to a pre-defined level Business continuity strategy: approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other business disruption 5. What is Business Continuity Management (BCM)? Business Continuity Management is a process owned by the organisation and driven by the senior management that identifies potential risks to an organisation and the impacts to daily operations that those risks might cause. An organisation s business continuity management system (BCMS) helps it anticipate, prepare for, prevent, respond to and recover from disruptions whatever their source and whatever part of the business they affect. It provides a framework that: Improves an organisation s resilience against the disruption of its ability to achieve its key objectives Provides a rehearsed method of restoring an organisation s ability to supply its key services to an agreed level within an agreed time frame after a disruption Delivers a proven capability to manage a business disruption and protect the organisations reputation Business Continuity Policy Version 1.0 5

6 The consequences of an incident may vary and could include loss of life, loss of assets, income or the ability to deliver services. BCM needs to recognise the strategic importance of key stakeholders to the delivery of its services. 6. The Benefits of an effective BCM programme The benefits of an effective BCM programme are that the organisation:- Is able to identify the impacts of an operational disruption Has in place an effective response to minimise the impact Maintains the ability to manage uninsurable risks Encourages cross team working Is able to demonstrate a credible response through exercises Fulfils a statutory duty 7. The outcomes of an effective BCM programme Key services are identified and protected, ensuring their continuity; An incident management capability is enabled to provide an effective response; The organisation s understanding of itself and its relationships with other organizations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood; Staff are trained to respond effectively to an incident or disruption through appropriate exercising; Stakeholder requirements are understood and able to be delivered; Staff receive adequate support and communications in the event of a disruption; The organization s supply chain is secured; The organization s reputation is protected; The organization remains compliant with its legal and regulatory obligations. Code of Practice for Business Continuity Management (BS NHS ) 8. Risks to achieving a robust BCM process Lack of senior management engagement Competing organisational demands Lack of trained personnel Lack of dedicated resource Lack of organisation awareness and understanding 9. Legal Requirements Under the Health and Social Care Act 2012, the NHS Commissioning Board and Clinical Commissioning Groups must be properly prepared for dealing Business Continuity Policy Version 1.0 6

7 with an emergency and must monitor and control all service providers to make sure they too are prepared. Under the Civil Contingencies Act (2004), NHS organisations and subcontractors must show that they can deal with these incidents while maintaining services to patients. This work is referred to in the health community as emergency preparedness resilience and response (EPRR). NHS organisations and providers of NHS funded care must therefore be able to maintain continuous levels in key services when faced with disruption from identified local risks such as severe weather, fuel or supply shortages or industrial action. 10. National standards The main guidance for business continuity management is contained in: a. ISO Societal Security - Business Continuity Management Systems Requirements1 b. ISO Societal Security - Business Continuity Management Systems Guidance c. PAS Framework for Health Services Resilience BCM Lifecycle BCM programme management - Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation. Understanding the organisation The activities associated with understanding the organisation provide information that enables prioritisation of an organisation s products and services, identification of critical supporting activities and the resources that are required to deliver them. Determining business continuity strategies This allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at the time of disruption. Developing and implementing a BCM response This involves developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations. BCM exercising, maintaining and reviewing BSC arrangements This leads to the organisation being able to demonstrate the extent to which its strategies and plans are complete, current and accurate and identify opportunities for improvement. Embedding BCM in the organisation s culture This enables BCM to become part of the organisation s core values and instils confidence Business Continuity Policy Version 1.0 7

8 in all stakeholders in the ability of the organisation to cope with disruptions. STEP 1: UNDERSTANDING THE ORGANISATION An understanding of the organisation in the context of BCM comes from identifying the organisations objectives, stakeholder obligations, statutory duties and the operating environment Identifying the activities, assets and resources including those outside the organisation that support the delivery of the services Assessing the impact and consequences over time of the failure of these activities, assets and resources Identifying and evaluating the perceived risks that could disrupt services 1a Carry out a Business Impact Analysis The BIA determines and documents the impact of a disruption to the activities that support its key services. For each activity supporting the delivery of a key service the organisation will: Assess over time the impacts that would occur if the activity was disrupted Establish the Maximum Tolerable Period of Disruption (MTPD) o Maximum time period after the start of the disruption within which the activity needs to be resumed o Minimum level at which the activity needs to be resumed o Length of time before normal levels of operation need to be resumed Business Continuity Policy Version 1.0 8

9 Identify any inter-dependent activities, assets infrastructure The BIA will provide a return from each of the organisations key services and then based on the aims and objectives the organisation will determine what its key critical activities are and prioritise these for early recovery. Then the resources required to re-establish these services can be assessed. 1b Risk assessment The CCGs will then assess the risks of business continuity interruption, whether this is from internal or external systems, processes or suppliers. They will record risk assessments in relation to business continuity in the corporate risk register. The CCGs will carry out a business continuity risk assessment to establish the business continuity arrangements at the outset when establishing new systems or developing new services. The CCGs as category 2 responders under the Civil Contingencies Act 2004 have a duty to ensure that any organisation providing NHS funded services has business continuity arrangements. Therefore, where services are contracted or commissioned by the CCGs, then as part of the contracting or commissioning process the CCGs will take into account the ability of the service provider to maintain their business continuity and request proof that a robust business continuity plan is in place and assess the risk of impact on the CCGs where there are no business continuity arrangements. STEP 2: DETERMINING A BUSINESS CONTINUITY STRATEGY The CCGs will then develop a BC strategy which will: Implement measures which reduce or mitigate the effects of an incident Take account of the resilience and mitigation measures Provide continuity for its critical activities Take account of those non critical services The Strategy will focus on the following organisational resources People: Succession planning, knowledge retention, staff Premises Alternative premises, Remote working Technology Loss of IT and/or infrastructure, remote working, telecoms Information Performance information, monitoring etc Business Continuity Policy Version 1.0 9

10 Supply Chain NHS funded providers of care, Utilities, Alternative suppliers Where resumption of the service can be phased over a period of time then it is possible to agree levels of resumption at fixed points in time. If the strategy chosen is to suspend certain services during a disruptive challenge it is essential that the stakeholders that have an interest in the services that will be suspended are advised that this is the strategy being adopted and why. If the strategy is implemented, communications with the stakeholders is essential to keep them informed when service the will be restored. STEP 3: DEVELOPING AND IMPLEMENTING A BCM RESPONSE The CCG will use its existing emergency arrangements to respond to an internal incident. This will include an incident response team to manage any emergency and a dedicated business continuity team for maintaining critical functions as identified by the BC process. STEP 4: EXERCISING, MAINTAINING AND REVIEWING BCM ARRANGEMENTS A programme of training, exercising and reviewing the BC plans in line with the normal resilience processes will be implemented. The BCM process also requires an audit and self-assessment process to work alongside the BCM process. Following an incident, a full debrief must be undertaken and action taken on any lessons identified. Changes to the BCP will need to be disseminated to all departments. The review programme will include: Reviewing and challenging assumptions made within the current BCP. Verifying compliance with the CCA and alignment with the ISO Reviewing the possible need to amend parts of the plan following debriefs, audits, exercises and formal reviews. Reviewing the plans of external partners and providers. Review of any input or feedback from external partners or stakeholders. Review of any preventative or corrective measures to improve the risk ratings. Review of the CCGs risks including any new threats not reviewed before. Review of any internal or external changes that could affect the BCP Review of recent good practice and current guidelines Review of results of incidents Review of available resources and funding. Business Continuity Policy Version

11 Any contact details within the plan will be reviewed six-monthly or as circumstances change. All staff have a responsibility to take note of their directorate Business Continuity Plans when making changes within their area of responsibility that might affect the response of the plan. 12. Responsibilities of CCG staff In each NHS organisation, the Accountable Emergency Officer is responsible for ensuring that their organisation has Business Continuity Plans in place. The plan will link into the organisation's arrangements for responding to emergencies detailed in the Incident Response plan as required by the Civil Contingencies Act The following outlines the responsibilities of staff in the CCGs. Accountable Officer The Accountable Officer will ensure that the Board receives regular reports, at least annually, regarding emergency preparedness, resilience & response including reports on exercises, training and testing undertaken by the organisation. Ensure an appropriate level of priority is given to resilience in all strategic planning. Accountable Emergency Officer Accountable for EPRR & BCM management Chief Officers Chief Officers are responsible for ensuring adequate business continuity arrangements are in place for their directorates. Chief Officers will; Promote a preparedness and resilience culture within their team, whilst encouraging activities that develop the resilience of the team and provision of their service Ensure resources are available to fulfil the CCGs commitment to resilience Ensure an appropriate response is made during an emergency or business continuity event. Resilience Leads Each Directorate should appoint a Resilience lead, who will be responsible for ensuring service areas / departments within their directorate are able to deal with disruptive events that will impact on their performance. They will; Attend training and lead on the production of the directorate BC plans Liaise with the CCG Resilience Lead to ensure all BC plans are updated upon publication of new guidance / duties. Support the CCG Resilience Lead in the role of corporate coordinator in responding to emergencies or business continuity events. Ensure all staff are aware of emergency management and business continuity issues that may impact on the service / department. Business Continuity Policy Version

12 Department Managers Departmental Leads will ensure that all resilience policies and programmes are implemented within their areas. They will; Promote a preparedness and resilience culture within their team, whilst encouraging activities that develop the resilience of the team and provision of their service. Implement, according to agreed processes response and recovery plans in the event of a disruption. Individual Employees Individual employees must; Ensure that they are familiar with the emergency and business continuity responsibilities of their department. Understand their individual role within an emergency and business continuity response for their directorate. Business Continuity Policy Version

13 BCM Roles and Responsibilities Flow Chart Strategy Officer Responsible to the Chief Development Officer. Manager for the implementation, development, training and exercising of the CCGs BCMS Deliver BCM training to Resilience Leads and support them in the development of BCPs within their service areas Identify the need for and initiate any change in BCM in line with corporate plans, organisational changes and any further identified risks, manage a programme of exercises and audits. Provide a template for Resilience Leads to record information in BCPs within their service areas Accountable Officer Responsible for providing Business Continuity (BC) leadership in the CCG Structure Create and maintain the organisational structure in the CCG through which BC will be implemented, delegating responsibility for the implementation of BC to the Chief Development Officer Implementation & Compliance Ensure that BCM is an integral part of the CCG and key objective of the management culture and that plans reflect this Development & Management Activation Adopt a lead role in the activation of the CCGs Corporate BCMS and the strategies of individual directorates Chief Officers Responsible and accountable to the Accountable Officer for the implementation and development of BCMS within their directorates Heads of Departments Responsible and accountable to their Chief Officer for the implementation and management of a BCMS within their service areas Resilience Leads Responsible and accountable to their Head of Service for the coordination of all matters regarding BC within their service area Within their service area nominate a Resilience Lead who will become the main point of contact for all matters relating to BC Ensure that service plans include the implementation of a BCMS and promote the importance of BC within their Directorate Ensure compliance with the directorate s service plan, Ensure that personal development plans include BC as a key element and promote the importance of BC within their service area Supported by the Strategy Officer and working with Departmental Managers facilitate the development of BCPs for their service areas Ensure that adequate time and resources are made available to Heads of Service and their teams in order to develop, exercise and maintain a BCMS within their service areas Ensure that adequate time and resources are made available to Resilience Leads, and staff to develop, exercise and maintain BCPs within their service area Maintain a record of BCPs within their service area which reflects progress of BCP development and reflects organisational changes Understand BC arrangements within their own service areas and those of other directorates, ensuring an effective contribution to the activation of the Corporate BCMS Understand BC arrangements within their own department areas. Authorise completed BCPs and those amended in line with the continual improvement process Using the record of BCPs initiate and record actions taken in line with the continual improvement process Activate the CCGs Corporate BCMS and the BCPs of their own and other directorates in direct response to any disruption Activate BCPs within their own and other department areas in line with the CCGs Corporate BCMS or in direct response to disruption CCG Officers Responsible and accountable to Heads of Service for the development and management of BCPs for their service area Ensure compliance with the Directorate s service plan, include BC in team and personal development plans and promote BC within their departmental area Ensure that BCPs are developed for their service areas. Ensure that all staff given the necessary training in BC. Ensure that any recommendations made as part of the BCM improvement process are completed and plans authorised following such action Activate BCPs within their own and other department areas in line with the CCGs Corporate BCMS or in response to disruption Business Continuity Policy Version

14 13. Training It is important that staff fully understand the need for BCM, as well as their role in response to any invocation. The CCGs will develop and deliver an initial training programme for members of staff with operational roles in the Business Continuity Plans make the BCM strategy available to interested parties through their websites make all BCM Policies and Plans available on the G drive for all staff to view Ensure that the lessons identified from exercises and incidents are implemented throughout the organisations. 14. Governance The CCGs will follow a structured business continuity programme that follows BSI best practice. This best practice will assist all departments in complying with the British Standards for Business Continuity. The Plan, Do, Check, Act Cycle establishes a process for continuous improvement that covers both preventive and corrective actions. Plan Do Check Act Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to managing risk and improving business continuity to deliver results in accordance with an organisation s overall policies and objectives. Implement and operate the business continuity policy, controls, processes and procedures. Monitor and review performance against business continuity objectives and policy, report the results to management for review, and determine and authorise actions for remediation and improvement. Maintain and improve the BCMS by taking preventative and corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives. Governance arrangements The BCM policy will be approved by the Governing Bodies of both CCGs to ensure sign up and corporate sponsorship of the BCM process. There will be a BCM workshop to train directorate or service resilience leads during the workshop they will identify critical activities and carry out a business impact analysis. Business Continuity Policy Version

15 This work will be used to produce a directorate BC plan which will be checked by each resilience or service lead Directorate plans will be approved by Chief Officers and any risks identified on the directorate risk register A BC strategy will then outline the CCGs response 15. The CCGs Business Continuity Process The processes laid down in this section are to be followed to develop BCPs for individual service areas. A flowchart is provided at the end of this section to demonstrate the process further Developing and implementing a BCM Response The process is as follows:- 1. Service Analysis which identifies service areas day to day functions including those which are statutory and may be carried out as a service areas planned response to incidents. The analysis will identify resources required to deliver those functions (such as but not limited to staff, accommodation, equipment, systems and ICT). 2. Process Mapping identifies key stakeholders associated with the functions detailed in the function analysis 3. Business Impact Analysis identifies the impact of failing to deliver those functions detailed within the service analysis. Financial and non-financial impacts are to be considered within the analysis as well as timescales within which the failure of delivery can be tolerated (Maximum Tolerable Period of Disruption; MTPD) 4. Risk Analysis using the matrix below identifies the likelihood and impact of specific disruption. This process uses information from the Business Impact Analysis to determine the level of risk associated with disruption of a function and should take into account any mitigation in place to reduce both likelihood and impact. HIGH IMPACT PLAN NO ACTION REDUCE MANAGE / CONTROL LOW LIKELIHOOD HIGH 15.2 BCM development process Business Continuity Policy Version

16 Function Analysis Identifies day to day functions within a service area Identifies statutory functions and those which may have demands placed on them as part of a planned response Identifies stakeholders and resources required Process Mapping Identifies stakeholders through stages of functions Business Impact Analysis Details the impact of failure to carry out functions States the minimum time period within which a service area cannot provide those functions Risk Analysis Plots the likelihood and impact of disruption Strategy Decision Table Records outcomes of the Risk Analysis Identifies risks requiring immediate mitigation (reduce) Records options for mitigation of such risks and details reasons for and against adopting such options Strategy Decision Table Outcomes No action required Manage / Control Develop and manage the BCP Accept Risk Business Continuity Policy Version

17 16. Producing the Business Continuity Plans Information gained by the completion of the processes detailed within determining the Strategy will be used to compile departmental / service Business Continuity Plans. These plans will become appendices to this document and also stand alone. The plans will include the following components; Activation Procedures Will include names, contact details and the immediate actions to be carried out by individuals on receipt of notification of activation Establishment of Critical Functions Using the outcome of the Business Impact Analysis and Strategy Decision Table this process will: Specify timescales within which critical functions should be established (Recovery Time Objectives; RTOs). Identify resources required (including but not limited to staff, accommodation, equipment, systems and ICT) to establish the critical functions Define roles and responsibilities for staff with an assigned BC role during the disruption Contacts Staff / Organisational Will provide contact details for all of the department s staff, including the Lead Officer and the contact details of stakeholders within and outside of the organisation Supplier List Detailing the name of the supplier, what service they provide, contact details (including out of hours contact information) and any relevant contract information. Additionally any potential fallback suppliers should be listed within this section Briefing Format Provides a template for use when briefing teams at service area level. The content of the aim and execution sections being taken from the Establishment of Critical Functions template (Annex B, 3). Pandemic Planning which will detail the service area s response to a pandemic, which could include a progressive implementation of BC arrangements in line with the Corporate BCM strategy Disaster Recovery Site activation procedures Will outline the actions to be followed in the event of a loss of premises. Business Continuity Policy Version

18 Stand Down will be a co-ordinated approach when returning to business as usual. This co-ordination will be carried out through (if activated) the Emergency Control Centre or, during the recovery phase, from the Recovery Management Group. This approach: Could be progressive and to predefined levels in response to a reduction in the impact of ongoing disruption Should take into account all related service areas and stakeholders and their ability to meet demands placed on them by a service area reinstating certain functions Should take into account the information provided in the completed Function Analysis to determine priorities, timescales, resources and staffing required to return to business as usual 17. Exercising, Maintaining and Reviewing Exercises will be planned and initiated by the Resilience Lead. Exercises will: Be consistent with the scope of the Corporate BCMS and individual BCPs For live exercises, be agreed between the Accountable Emergency Officer, Resilience lead and Chief Officers and Resilience Leads and carried out in such a way that the risk of an incident occurring as a direct result of the exercise is minimized Be subject to a Post Exercise Report completed by the Resilience lead or nominated individual within the service area Audits of BCPs will be initiated and carried out by the Resilience lead. Audits will: Be conducted by the auditor in a manner that will ensure objectivity and impartiality Determine whether the BCP is effective in meeting the organisation s BCM objectives Determine whether the BCP has been properly maintained, in particular that changes following the preventative and corrective action processes have been completed Take in to account the results of previous audits Be followed by a written report which details audit outcomes and includes required actions and is concluded Preventative and Corrective Action will be completed following reviews, exercises and audits. The Service Manager is to ensure that such action is taken. This process will: Ensure that any recommendations made as a result of Continual Improvement are completed and recorded as such Provide confirmation that BCPs have been amended following changes by completion of Continual Improvement Record and Preventative and Corrective Action Record. Business Continuity Policy Version

19 Reviews BCPs will be reviewed by the resilience lead and carried out, using the Review Report by the Service Manager or nominated individual within the service area and will include information on: The consistency between the scope of the BCMS, individual plans and, in the case of a review following plan activation, the response by the service area The effect of changes in the organisation, corporate plans, and legal, statutory requirements Level and variety of risk as identified through the risk identification process The validity of recovery time objectives, staffing and resources detailed in the Establishment of Critical Functions within the BCP Feedback and comment from plan users and stakeholders The adequacy and level of training, to understand that both are sufficient to meet the requirements of the strategy and that such training has been delivered Bibliography 1. Civil Contingencies Act 2004: London: The Stationary Office. 2. British Standard NHS 25999:2007: Business Continuity Management 3. Business Continuity Institute Good Practice Guidelines (2008): The Business Continuity Institute. 4. NHS Commissioning Board: Business Continuity Management Framework (2013) 5. Strategy Safari (2009): Mintzberg, H., Ahlstrand, B., Lampel, J., Prentice Hall (Harlow). 6. British Standard Institute: PAS 2015: 2010 Framework for Health Services Business Continuity Policy Version