NOT PROTECTIVELY MARKED. Business Continuity Management Policy. Risk and Business Continuity Management

Transcription

1 Policy Title CCMT Sponsor Department/Area Section/Sector Business Continuity Management Policy Deputy Chief Constable Strategic Development Risk and Business Continuity Management 1.0 Rationale Thames Valley Police (TVP), as a Category 1 responder, is required by the Civil Contingencies Act 2004 to have Business Continuity Management arrangements in place. TVP must be able to continue to exercise its civil protection functions as well as continuing to perform its ordinary functions in the event of an emergency or a disruption. Business Continuity is defined in the ISO 22301:2012 as the capability of the organisation to continue delivery of products and services at acceptable redefined levels following a disruptive incident (paragraph. 3.3) 2.0 Intention The Business Continuity Management (BCM) process aims to deliver the following benefits: 3.0 General Principles Ensures that TVP can continue to deliver critical services to the public in the event of a disruption Proactively improves organisational resilience by developing strategies to minimise any disruption from identified threats and risks Minimises the impact on the organisation and the public in the event of any emergency or disruption Ensures resources are used more effectively Protects against reputational damage and increases public confidence This policy defines the methodology by which TVP will meet its statutory duties. The Continuity Management Lifecycle (see the diagram below) for BS25999 has been taken into account. However, Thames Valley Police will NOT PROTECTIVELY MARKED 1

2 align with ISO where possible and therefore will use the Plan, Do, Check, Act (PDCA) structure. The Business Continuity Management programme is a continual cycle of activity that is maintained and reviewed to reflect changes in Force priorities and lessons learned from incidents and exercises. Continual improvement in Business Continuity Management practice aims to embed it into the organisation s culture. Continual improvement of business continuity management system (BCMS) Interested Parties Establish (Plan) Clause 4,5,6,7 Interested Parties Maintain and improve (ACT) Clause 10 Implement and Operate (Do) Clause 8 Requirements for business continuity Monitor and Review (Check) Clause 9 Managed business continuity PDCA model applied to BCMS processes NOT PROTECTIVELY MARKED 2

3 TVP BCM programme of activity includes: Identification of critical functions and prioritisation of all associated activities Conducting threat and risk assessments Conducting a Business Impact Analysis Development and maintenance of business continuity plans Exercising business continuity plans to ensure effectiveness Audit, maintenance and review of business continuity arrangements Training and awareness of business continuity plans and requirements Learning from incidents, disruptions and exercises 4.0 Guidance, Procedures & Tactics Business Continuity is a force-wide responsibility. All staff and officers have a role to play in the effective embedding of BCM into the culture of Thames Valley Police. Civil Contingency Act 2004 provides that Category 1 responders may use generic plans, specific plans or a combination of the two. The guidance for TVP is this Policy. Procedures and Tactics are contained in the Force Business Continuity Plan and a set of specific Local Policing Area (LPA), Operational Command Unit (OCU), and Departmental Business Continuity Plans complement this. A concise business continuity strategy provides strategic actions planned for the next three years. A strategic business continuity plan will also be in place for the large non operational / limited operational sites. This will set out the Force response to any disruption, including activation procedures and action checklists for Gold. These plans will be supported by the more detailed plans in place within the Local Policing Areas, Operational Command Units and Departments. All these plans will be developed, maintained and exercised by the Business Continuity Unit in liaison with the appropriate contacts All Business Continuity Plans should be based on a Business Impact Analysis (BIA) and will be coordinated centrally, to manage interdependencies and ensure a common approach. The Civil Contingencies Act 2004 requires that arrangements are to be reviewed regularly to ensure validity in the event of any changes. This Policy, the Force Business Continuity Plan and the Local Policing Area/Operational Command Units/Departmental Business Continuity Plans, as well as Business Impact Analyses, exercises, training and all related activity, form the overall BCM arrangements for Thames Valley Police and are in place to fulfil its statutory duty. The requirements of the Civil Contingencies Act 2004 are that Category 1 responders may enter into collaborative arrangements with other responders NOT PROTECTIVELY MARKED 3

4 but Business Continuity Management must be owned and driven within the organisation itself in order to be effective. 4.1 Critical activities As category 1 responders Thames Valley Police will continue to deliver our civil protection functions. These functions and supporting activities are prioritised according to statutory requirements and by Force objectives determined by the Strategic Planning Process. The Business Impact Analysis process requires all activities to be prioritised based on a threat and risk assessment. Each critical activity identified in this process requires a recovery time to be set and resources and interdependencies to be recorded. The force critical activities endorsed by the Chief Constable are: Emergency Response Crime Investigation Custody Management Managing High Risk 4.2 Threats to service delivery. BCM arrangements take into account the threat and risks identified at a national, regional and community level. They will also take into account those risks identified through the internal Business Impact Analysis process and the organisational Risk Management process. The National Decision Model is a key part of the approach to the management of risk within TVP, and in particular recognises the need to take account of the Code of Ethics NOT PROTECTIVELY MARKED 4

5 BCM in TVP aims to address the impact of any incident in the following four areas: People: Loss of Staff/Officers (severe weather, pandemic, industrial action, abstractions) Premises: Denial of access or damage to premises (due to fire, flooding, police cordon/operational activity, power failure etc) ICT/Communications: Loss of critical systems (Local Area Network/Telephony failure, power or system failure or essential maintenance disruption) Suppliers/Stakeholders: Loss or failure of internal or external stakeholders/suppliers (LPA s/ocu s/departments, partner agencies, utilities, etc) In most circumstances the identification of a disruption is clear, such as denial of access to a building due to a fire or flood, but any incident identified as having an impact on service delivery or the potential to impact on service delivery should be notified according to the procedure set out in the Force Business Continuity Plan. Some disruptions may be more difficult to identify, such as the impact of a failure of a key supplier, system failure, lack of key staff. NOT PROTECTIVELY MARKED 5

6 4.3 Incident classification The BCM arrangements in place for TVP should be considered in the planning, response and recovery to any incident or emergency. When an incident is identified by any officer or staff member or stakeholder, that could adversely affect the capability of TVP to maintain normal service delivery, BCM plans should be activated in support of any operational response. In a similar way to when a Critical Incident is identified, any incident which requires a Business Continuity response can be categorised as defined in the Force Business Continuity Plan. 4.4 Plan activation LPA/OCU/Departmental BCPs should be activated by the Commander or Head of Department in consultation with the Gold Commander following identification of a High or Medium impact incident. The following incident grid follows the APP Tier 1 to 3 classification: High Impact (Tier 3) Medium Impact (Tier 2) Low Impact (Tier1) Potential A High Impact incident is when any incident, or preplanned event, has significantly impacted or has the potential to significantly impact on the force as a whole, across forces, or nationally, and Thames Valley Police s ability to perform its critical activities. This is managed at a GOLD level A Medium Impact incident is when any incident, or preplanned event, has impacted or has the potential to impact Thames Valley Police s ability to deliver its critical functions across multiple LPAs or Departments. This is managed by an LPA Commander or Department Head nominated by GOLD A Low Impact incident is when any incident, or pre-planned event, has impacted the force s ability to deliver its critical functions across a single LPAs or Departments. This is managed by an LPA Commander or Departmental Head An issue is identified that it is believed could potentially impact on critical activities the issue requires assessing and monitoring (e.g. industrial action, severe weather, a major event, building work etc). NOT PROTECTIVELY MARKED 6

7 Activation Process Member of staff with a responsibility for BCM is alerted to the incident i.e. CCMT member Steps taken to assess nature and impact of incident in order to guide the response Incident has little / no impact on critical functions Situation monitored Incident has significant impact on critical functions Plan not activated Gold informed impact & management level agreed plans activated as required Incident Management Actions Business Continuity Actions Recovery and Resumption Actions TIME TIME TIME TIME TIME This activation process is compatible with the process used by Hampshire Constabulary ensuring ease of use within areas such as the Joint Operations Unit. 4.5 Roles and Responsibilities The ultimate responsibility of ensuring Thames Valley Police comply with the Business Continuity requirements of the Civil Contingencies Act 2004 remains with the Chief Constable. All staff, officers and volunteers are responsible for being aware of the Business Continuity arrangements for their area in the event of a disruption. Specific roles are identified in the table below: Role The Deputy Chief Constable (DCC) Head of Change Responsibility Overall Force lead on Business Continuity Responsible for the line management of the Force Risk and Business Continuity Manager and Business Continuity Officer. NOT PROTECTIVELY MARKED 7

8 Force Risk and Business Continuity Manager Business Continuity Officer Senior Management Teams/Business Continuity Single Points of Contact (and Deputies) Senior Information Risk Owner Responsible at a strategic level for all Business Continuity Management activity in the Force. Support/advisor in a disruption when required. Must ensure a log of any disruption is captured. Responsible for implementation, coordination and support of all Business Continuity activity at a tactical and operational level. Support/advisor in a disruption when required. Must ensure a log of any disruption is captured. Responsible for the LPA/OCU/Departmental Business Continuity activity. Support/advisor in a disruption when required. Must ensure a log of any disruption is captured. In the event of a disruption, there may be a requirement to work outside normal information security policies and procedures. The SIRO should be responsible for authorisation. 5.0 Challenges & Representations To ensure transparency and accountability, any decisions made as a result of following this policy should be clearly documented. Challenges / representations in respect of decisions made in applying this policy should be addressed to: Deputy Chief Constable Thames Valley Police Headquarters Oxford Road Kidlington OX5 2NX 6.0 Communication 6.1 Links to Police National Legal Database/Other Due to the broad range of policies that this policy could link to such as HR policies, Critical Incident, Risk Management and many more it is recommended that all new and revised policies that may relate to BC should refer to this policy. NOT PROTECTIVELY MARKED 8

9 All policies will be published on the Policy Management Unit Intranet site. New and reviewed policies will be promoted in Managers Briefing. 6.2 Implementation Strategy (Policy Impact Assessment) Individuals will be informed of the new policy through weekly orders at the time of publication. The policy will be made available electronically via the Policy and Procedures intranet site and staff and managers portals This policy can be made available to the general public via the TVP internet site. 7.0 Compliance and Certification 7.1 Human Rights Certification (i) Legal Basis Civil Contingencies Act (ii) Human Rights Articles Engaged The Policy does not invoke Human Rights Articles. (iii) Prohibition of Discrimination Application of this policy could discriminate against individuals either directly or indirectly. Although Article 14 can only be engaged if another article is, this policy shall be applied in the spirit of article 14 and decisions taken as a result of it must not discriminate on any grounds, such as sex, race, colour, language, religion, political or other opinion, nation or social origin, association with a national minority, property, birth or other status. 7.2 Equality Impact Assessment This policy does not need to have due regard paid to it under s.149 Equality Act 2010 as its provisions are about managing assets to address the impact of any incident on People, Premises, ICT / Communications and Suppliers/Stakeholders. 7.3 Data Protection This policy does not have data protection implications 7.4 Freedom of Information Act This policy is suitable to be made available to the public and can be published on the Thames Valley Police Freedom of Information Publication Scheme. 7.5 Management of Police Information (MoPI) This policy does not affect any of the key business areas as identified by Management of Police Information (MoPI) However, any NOT PROTECTIVELY MARKED 9

10 information deemed for a policing purpose, or any data about an individual that is circulated or received by ; or published / downloaded via the intranet or internet or circulated in any other format must comply with MoPI guidelines. 7.6 Protective Markings This policy has been assessed for its correct level of protective marking and has been assessed as NOT PROTECTIVELY MARKED. 7.7 Health & Safety at Work The Health and Safety at Work Act imposes a duty of care upon the Chief Constable to ensure, as far as is reasonably practicable, the health, safety and welfare of all staff. There is a legal requirement to conduct a risk assessment based on the individual s role and capabilities, which should include consideration of assessments under specific legislation e.g. Manual Handling Regulations. 8.0 Monitoring and Review A full review will be carried out annually by the policy author and will examine: Changes in legislation Court rulings Domestic, European and Human Rights Examples of good practice from other Forces or other organisations Changes in Home Office Circulars Developments with ACPO Policy Unit Representations made by individuals and relevant organisations Relevant Equality data Date Version Comments 5 th January 2015 V1 NDM model inserted illustrating code of ethics at centre. New category table inserted moving cat ABC to 123. New activation process inserted. Head of Change no longer a Supt. Policy signed off by: For use by the Policy Management Unit Only Chief Officer Policy Authorisation Deputy Chief Constable Date NOT PROTECTIVELY MARKED 10