Business continuity management policy

Transcription

1 Business continuity management policy health.wa.gov.au

2 Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business continuity plans on a regular basis, in accordance with Public Sector Commissioner s Circular Risk Management and Business Continuity Planning. WA Health s Business Continuity Management (BCM) policy aims to support and foster an organisational culture that proactively manages the impact of uncertainty and disruption-related risk on the organisation s strategic and operational objectives. 2. Scope This policy applies to all WA Health entities and shared services. 3. Background BCM is an element of the wider risk management discipline that prepares the organisation to respond to the unexpected. It is a management process that provides the framework for building resilience to business and service interruption risks, responding in a timely and effective manner to ensure continuity of critical business activities, and ensuring the long term viability of the organisation following a disruptive event. In the health context, BCM can be used to augment demand and surge management strategies, and supplement contingency plans. BCM allows decision-makers to delineate between essential business functions that must continue and less crucial business functions, which may be temporarily suspended, and whose staff and resources may be redeployed to higher priority services. BCM also supports evacuation and relocation plans by mapping the minimum staffing and resourcing requirements for essential business services to continue functioning, albeit at a reduced, but tolerable, level. 4. Definition Business continuity management is a discipline that prepares an organisation for the unexpected. It is a management process that provides the framework for building resilience to business and service interruption risks, responding in a timely and effective manner to ensure continuity of critical business activities, and ensuring the long term viability of the organisation following a disruptive event. Further definitions are available in Appendix A. 5. Delineation between risk management, emergency response, business continuity response and recovery response There is a close relationship between BCM, risk management and emergency response. This aligns with the comprehensive approach that focuses upon the four pillars of emergency management; prevention, preparedness, response and recovery (see figure 1). a. Risk management. Risk management is the practice of dealing with uncertainty and its effect on an organisation. Risk Management incorporates a systematic approach to identifying, 1

3 assessing and responding to risks, and interfaces with the principle of prevention. BCM can be utilised as a control for business disruption related risks. b. Emergency response Emergency response is the initial reaction to an incident or disruption, which aims to protect people and property from immediate harm. This may include the mobilisation of an Incident management and/or emergency response teams (however titled) and activation of contingency and/or emergency management plans, as detailed in colour-coded emergency procedure manuals. For example, the emergency response procedures for an infrastructure or other internal emergency is detailed in Code Yellow hospital emergency response plans. Other colour coded emergencies should be consistent with AS/NZS 4083:2010 planning for emergencies health care facilities and/or AS/NZS 3745:2010 planning for emergencies in facilities. c. Business continuity response Business continuity response refers to the actions taken to ensure that an organisation is able to resume and continue delivering critical business functions in a timely manner following a disruption. Depending upon the nature of the incident, the continuity response may last from hours to weeks. The business continuity response interconnects the period from where normal work practices are suspended to when recovery is affected. As a result, the continuity response bridges the principles of response and recovery. d. Recovery Recovery is the process of restoring normal work practices within the organisation. This may include re-establishing suspended activities, clearing of backlogs and repairing damaged infrastructure. Depending upon the nature of the disruption, the recovery response may take weeks to months. Prevention & Preparedness Planning, training & resiliencebuilding Response Business continuity response (hours / days / weeks) Recovery business-as-usual INCIDENT business continuity resumption of business-as-usual Risk management Emergency response (immediate) Recovery response (longer term) Figure 1: Relationship between risk management, emergency response, business continuity and recovery. 2

4 6. Roles and responsibilities Director General and State Health Coordinator (Tier 1) The Director General is the Accountable Officer and has overall responsibility for risk management and business continuity in WA Health. The Director General has delegated responsibility of State-level BCM to the Director, Disaster Management, Regulation and Planning Directorate, as the delegated State Health Coordinator. Executive sponsors (Tier 2 and 3) Executive sponsors are responsible for overseeing the BCM program; ensuring disruptionrelated risks are identified and adequately addressed by their risk management plans and BCPs; approving the service s BCP and allocating resources to ensure robust continuity strategies are in place. Senior managers (Tier 3 and 4) Senior managers in both corporate and clinical environments are to ensure BCM has been implemented and actively managed in their areas of responsibility. This should include identification of critical business activities through a Business Impact Assessment (BIA), identification of continuity strategies and resources, development of BCPs, and on-going training, exercising and maintenance of the BCPs 7. BCM process The process for developing and implementing a BCM program is to include the following steps: 7.1. Executive awareness and support Executive leadership is required to entrench an organisational culture that is proactive to BCM and organisational resilience. Executive support is required to endorse the establishment of BCM processes, and is to include the provision of human and physical resources to achieve organisational outcomes and establish sound business continuity preparedness and capacity Establishment of a BCM committee A committee should be established that is charged with responsibility for the ongoing maintenance, governance, education and training for BCM. This committee can be absorbed into pre-existing emergency or risk management committees, or established as a separate BCM-focused committee. The committee should report to the executive sponsor and have responsibility for BCM within the health service. The BCM committee should recommend to the Executive sponsor the number of plans required at a regional, hospital or departmental level for that health service Ongoing communication and consultation A stakeholder analysis should be performed prior to the commencement of the BCM planning process. Communication and consultation with internal and external stakeholders is essential in ensuring that staff, relevant stakeholders and interdependencies have input to the BCP and are aware of their role when the BCP is activated. A communication plan should be formulated to ensure all relevant parties are identified and actively involved in the BCP development, implementation and maintenance process Assumptions Assumptions are considerations, suppositions and inferences on which the BCM planning process is based. Assumptions may relate to accommodation, resource requirements, 3

5 interdependencies and cost justification or response or recovery strategies. For example, an organisation might assume that its suppliers (of particular crucial supplies) have their own BCPs. BCPs are to articulate the assumptions that were made during the BCM planning process. Assumptions should be communicated and agreed to by all stakeholders. Where assumptions relate to response and recovery strategies, they should be tested as part of the BCP exercise schedule Business impact analysis The objective of a BIA is to assess the potential impact severity (such as financial loss, impact on reputation, and non-compliance with regulations) to an organisation of a disruption to its activities, and prioritising the timeframes within which Critical Business Functions (CBFs) must be resumed following a disruption. The BIA identifies the Maximum Tolerable Period of Disruption (MTPD) of the CBF, and the dependencies and minimum resource requirements needed to continue the CBF at a reduced, but tolerable, level. Business function prioritisation assists in distinguishing CBFs from other non-urgent business functions and prioritising response and recovery strategies in the event of a disruption. The BIA should be undertaken using an all hazards approach, whereby the impact of a disruption to a CBF is consistent, regardless of the cause of disruption, or underlying hazard. It is essential that senior executives participate in the BIA process, as the analysis needs to take an organisation-wide perspective of the impact severity of a disruption. CBF prioritisation should be approved by the executive sponsor. There is no requirement to standardise the format of the BIA; however, health services and divisions may utilise the BIA template located at (currently under development) Business continuity strategy Once the CBFs have been determined, the next step is to identify business continuity response strategies to support the business functions, taking into consideration the requirements and alternate arrangements for people, systems, infrastructure, premises, information and work processes. Examples of response strategy include: temporarily suspending the activity / business process transferring the activity / business process to another service working from home relocating the service and/or resources to a back-up site Development of the plan A BCP outlines how the service will respond to a service disruption and is based upon the outputs from the BIA and agreed business continuity strategies. A series of BIAs for different service streams may feed into one BCP for the Health Service. The BCP should dovetail with existing emergency response, contingency and recovery arrangements and plans. A BCP is to ensure that: key organisational objectives and critical business functions are identified identification and linkage of the BCP with the service s contingency and emergency management plans occurs 4

6 alternate locations for critical services within a business unit / Health Service are identified, outlined, communicated, understood and formalised with owners where an alternate location is identified, which relies on another Health Service - service provider, they are aware of, and agree to, the assumptions of co-location where the transfer of CBFs to an alternative service is required, the BCP articulates to which service provider, and what the communication strategy is for this transfer. The receiving health service should be aware of, and agree to, the transfer strategy. interdependencies between business units and/or Health Services are identified there is an identified process for resuming normal business operations within all levels of WA Health all critical services or functions are recovered according to agreed priorities, as determined by the impact of their loss on the business (as identified within the BIA). the position with the authority and delegation to activate the BCP for the health service(s) is clearly identified the BCPs are approved by the executive sponsor(s). There is no requirement to standardise the format of the BCP; however, health services and divisions may utilise the BCP template (currently under development). The BCP should have an amendment certificate and version control. All BCPs are to be published via HealthPoint (or equivalent), in accordance with the policy publication process for the division or health service Establishment of business continuity teams BCPs are to articulate roles, responsibilities and membership of a crisis or Business Continuity Team (BCT), which is mobilised in a crisis to implement the continuity response strategies. BCT members are to have sufficient seniority and be empowered with an appropriate level of delegation to implement BCM strategies for the service they are representing. Consideration should be afforded to succession planning and sustainability of the BCT during prolonged disruptions Training and education of staff on the use of the plan Divisions and health services are responsible for providing education on the BCP and the BCM arrangements for their areas of responsibility. Education programs should be provided at staff induction and orientation programs as well as broader general awareness. Specialised education should be afforded to BCT members and other coopted staff members with prescribed roles and responsibilities Testing, exercise and maintaining the BCP Executive sponsors are responsible for ensuring the BCP is regularly tested, exercised and maintained, as part of a continuous improvement process. The BIAs are to be reviewed on a triennial basis, and the BCP is to be reviewed and updated annually. The effectiveness of the BCP should be regularly tested and exercised within a recognised exercise schedule. Following a test, exercise or real event, recommendations and lessons learned should be used to update the BCP. 8. Activation of business continuity plans A health service may activate their BCP in response to, or in anticipation of, a disruptive incident, such as a surge event or infrastructure failure. As BCM strategies may involve the suspension and/or transfer of critical business processes to alternate facilities, activation of a single hospital or health service s BCP can lead to system-wide ramifications, and the 5

7 requirement for service rationalisation in health services not directly affected by the disruption. Any activation of a metropolitan health service s BCP is to be communicated to the State Health Coordinator (SHC) to allow provision of system-wide coordination. In regional areas, notification, in the first instance, should be to the respective Regional Health Disaster Coordinator, who in turn may choose to escalate the issue to the SHC. This may include activation of relevant State-level emergency management plans. The SHC is to be contacted (via the On Call Duty Officer) on (08) (24 hour paging service). 9. Compliance Compliance with this policy is mandatory for all WA Health employees. 10. Evaluation Divisions and Health Services may be audited to ascertain adherence to this policy. 11. Legislative framework Insurance Commission WA Act 1986 Financial Management Act 2006 Public Sector Management Act 1994 Emergency Management Act 2005 Public Sector Commissioner s Circular Risk Management and Business Continuity Planning Treasurer s Instruction 825: Risk management and security. 12. References Australian Council of Healthcare Standards. EQuIPNational Guidelines. (2012) Criterion Emergency and Disaster Management. Australian Government. (2011). National Strategy for Disaster Resilience. Department of Health (WA). (2012). Redundancy and Disaster Planning in Health s Capital Works Projects, 2nd Ed. International Organisation for Standardisation. (2012). ISO22301:2012. Societal Security business continuity management system requirements. Standards Australia. (2009). AS/NZS ISO 31000:2009 Risk management principles and guidelines. Standards Australia. (2010). AS/NZS 5050: 2010 Business Continuity managing disruption-related risk. Standards Australia. (2010). AS/NZS 4083:2010 Planning for emergencies health care facilities. Standards Australia. (2010). AS/NZS 3745:2010 Planning for emergencies in facilities. Western Australian Government. (2009). Business Continuity Management Guidelines, 2 nd Ed: RiskCover. 13. Related documents and policies Operational Directive 0433/13 WA Health Risk Management Policy. Operational Circular (OP) 1877/04 IT Service Continuity as Related to the Management of Electronic Records Policy Operational Directive 0480/13 ICT Risk Management Policy WA Renal Dialysis Business Continuity Plan Information Circular 0150/13 Emergency Codes In Hospitals And Health Care Facilities 6

8 Appendix A Glossary Assumptions Business Continuity Management (BCM) Business Continuity Plan (BCP) Business Impact Analysis (BIA) Critical Business Function (CBF) Disruption Impact Interdependencies Maximum Tolerable Period of Disruption (MTPD) Response and recovery strategies Risk Risk Management State Health Coordinator Considerations, suppositions and inferences on which the BCM planning process is based Business Continuity Management is a discipline that prepares an organisation for the unexpected. It is a management process that provides the framework for building resilience to business and service interruption risks, responding in a timely and effective manner to ensure continuity of critical business activities, and ensuring the long term viability of the organisation following a disruptive event. A plan for responding to a disruption and resuming CBFs. The plan outlines the actions to be taken and resources to be used before, during and after a disruptive event to ensure the timely resumption of critical business activities and long term recovery of the organisation. The process of assessing the potential consequences to an organisation of an outage to its key business activities over varying periods of time, and prioritising the timeframes in which these activities must be resumed following a disruptive event. A business function that is crucial in achieving the organisational objectives, and without which the organisation cannot operate or remain viable. An event causing an interruption to, or loss of, key business activities The measurable consequence or outcome of a risk eventuating. A risk can have multiple impacts. Internal and external processes, resources, functions or organisations that are directly or indirectly critical to the continuity of business activities within an organisation. The maximum period of time that a key business activity can be suspended following a disruption, before the impact becomes unacceptable in intolerable to the organisation. Measures that are put in place to support the continuity and recovery of critical business functions in the event of a disruption. This includes alternate arrangements for people, systems, infrastructure, premises, information and work processes. A chance of something happening that will impact upon the objectives of an organisation. The practice of systematically identifying, understanding and responding to risks encountered by an organisation. See Operational Directive 0433/13 WA Health Risk Management Policy. A delegate of the Director General who has the authority to command and coordinate the use of all health resources within WA Health for responding to, and recovery from, the impacts of a disruption, emergency or disaster. 7

9 Title: Business continuity management policy Contact: Senior Policy Officer, Disaster Preparedness and Management Unit - (08) Directorate: Disaster Management, Regulation and Planning Directorate Version: Date Published: XX/XX/20XX Date of Last Review: XX/XX/20XX Date Next Review: XX/XX/20XX 8

10 This document can be made available in alternative formats on request for a person with a disability. Department of Health 2015 Copyright to this material is vested in the State of Western Australia unless otherwise indicated. Apart from any fair dealing for the purposes of private study, research, criticism or review, as permitted under the provisions of the Copyright Act 1968, no part may be reproduced or re-used for any purposes whatsoever without written permission of the State of Western Australia.