ESSEX FIRE AUTHORITY Essex County Fire & Rescue Service

Transcription

1 ESSEX FIRE AUTHORITY Essex County Fire & Rescue Service MEETING Essex Fire Authority AGENDA ITEM 14 MEETING DATE 5 September 2012 REPORT NUMBER SUBJECT REPORT BY Risk and Business Continuity Department - Annual Report The Chief Fire Officer David Johnson PRESENTED BY T/Assistant Chief Fire Officer Gary Fleming SUMMARY The purpose of this paper is to provide Members with the annual report from the Risk and Business Continuity Department covering activities between January September The report also outlines future expectations of the risk and business continuity function. RECOMMENDATIONS Members are asked to note the contents of the report. INTRODUCTION This years annual report only covers 8 months as it follows the February 2012 report, delayed from September In the period of the report the Service has had a number of tests of its business continuity arrangements. On their own they would have been difficult for most organisations and together provided a very significant test of the planned arrangements The largest sporting event in the world and the withdrawal of labour by a large part of the workforce led to a successful deployment of our arrangements. Previous annual reports have led to and included a direct revision of the Corporate Strategic Business Continuity and Recovery Plan and the Risk Policy Strategy and Implementation Plan. There are, as a result of on-going industrial action and closure activities for the Olympics delivery, a number of debriefs and delivery actions to complete that may provide learning outcomes that require input into these planning, governance and strategy documents.

2 Page 2 of 8 The Strategic Risk Register is formally reviewed annually and this process is due for completion before the end of the year. The Register and all amended Strategic documents will come forward to the Fire Authority together. A separate paper at this meeting describes the changes provided by the new Fire and Rescue Service National Framework, which was published in July. There are a number of major changes to the requirements of the Integrated Risk Management Plan (IRMP). The department is carefully considering the changes and the impact on the Services Strategic Assessment of Risk (SAOR), business and financial planning, pubic engagement, strategic direction, assurance mechanisms and work plan gap analysis. Outcomes of this work will include involvement of all parts of the Service including Members of the Fire Authority. Department This calendar year has included a number of workload generators that are outside our normal activities not least the Olympic Games (The Games). In September 2011, the Risk and Business Continuity Manager supported the Olympic Games Coordinator in the construction and completion of a comprehensive Olympics Risk Register. The register included consideration of our normal identification of risk and preventative and response activities. It also had to consider every stakeholder, from the local charity car boot sale next to the torch relay, the sleeping arrangements of the visiting athletes to the provision of officers imbedded in security services and terrorist response plans. The Special Operations 1 function of the Service has required a great deal of assistance in the last months, and this has been provided by the Risk and Business Continuity Support Officer. Initially this support only took 50% of her time, used for the emergency operational response to the movement of residents at Dale Farm, and subsequently for the preparation and delivery of the Games. The industrial action called by the Fire Brigades Union has meant that the GIAN contingency plan has been brought into play. That skeleton plan has needed to be populated with risk plans, assessments, judgements, mitigation assessed and risks re-assessed etc. As a result the department manager from Risk and Business Continuity was placed as a dedicated resource to work alongside operational colleagues in the planning and execution roles. The department manager has supported staff inductions, giving a brief to new staff on the roles of risk and business continuity in the workplace. He has attended an initial meeting of the Regional Protective Security Group, which intends to provide a common and collaborative path for security in general against the Chief Fire Officers Association and the Communities and Local Government expectations. He has also become more involved with the ICT management team in their periodic meetings to discuss ITC risks. Both he and his supporting officer have been active in the Risk Intelligence group of the Essex Resilience Forum. The department supports the business planning process. This includes: o Providing a risk management template to Business Planning colleagues for sending out with plans for completion, o Providing quality assurance to the fifteen departmental risk registers, each of which will have between six and seventeen risks, and their triggers and controls, on return of the template, o Supporting department managers in their risk management processes to assure their capacity and capability, and 1 The Special Operations function consists of one Divisional Officer; who is responsible for the Inter-Agency Liaison Officers and appropriate dissemination of intelligence from the police and security services. The role is partially embedded in other Services and is the conduit for a great deal of information, and for fostering significant partnerships.

3 Page 3 of 8 o General mentoring when called for. Risk Management and Risk Management Planning One impact of the work described above and the subsequent re-directing of effort is the postponement of the full commissioning of new risk management software (JCAD). The software is installed but still requires populating with data. This software will simplify the recording and managing of risk, improve access to risk information and registers and offer the Service a greater degree of assurance. Another casualty of the added workload was the full programme of exercising business continuity plans. Whilst the full programme was not completed, where high risk exists or there were significant organisational need, plans were tested. The new Fire and Rescue Service National Framework for England, published in July 2012, includes a number of new requirements. These new requirements will lead to a single document that captures: 1. Risks to which we could reasonably expect to respond. These might be in Essex or be in surrounding areas. a. The currently provided Strategic Assessment of Risk (SOAR) document requires some adjustment but will provide the majority of this information. b. Strategic, Community and Local Resilience Forum Risk Registers will also be considered. 2. The risk based inspection programme delivered by Fire Safety will demonstrate some of the actions delivered to reduce likelihood and reduce impact of realised risks. Community Fire Safety activity will also be included. 3. The operational response to a risk that is realised will also be articulated in the plan. 4. The plan will provide for at least 3 years and public consultation and engagement will be key to its shape and content. The Service will provide an annual statement of assurance on financial, governance and operational matters to show that due regard is paid to the content of the plan. (The National Framework informs fire and rescue authorities that Light touch guidance is expected as to the contents of the statement; it is likely that there will not be a departure from current arrangements ) Work on the SAOR for 2012, was paced to work with the publication of this new National Framework. The SAOR and the Services approach to the assessment of community risk means we are well placed to respond to the demands of the new Framework. Work is progressing to deliver this Plan for the period The outcomes of the Risk audit by RSMTenon last year identified a number of issues; Members were given a summary response in the previous report (EFA/012/12 refers). The increased workload in the department and the use of department resources to deliver external work has meant we have been unable to successfully resolve all matters; those outstanding include: Complete alignment of Strategic Risks with Corporate Objectives Assurance records in place and up to date for all areas Time based action planning to risk controls Early warning indicators to risks where appropriate

4 Page 4 of 8 The population of the risk management software (JCAD) with corporate and departmental risks will assist in the resolution of a number of these issues. The work will include aligning strategic risks with corporate objectives as the latter are a built in (bespoke) feature of the software. Another feature is the automated prompts to risk owners. These combined with risk and business continuity department supervision and support, will ensure that assurances are in place and actions on risk controls occur. Early warning indicators will be applied if appropriate. The other issues raised were: To capture a defined and agreed level of risk appetite A requirement that Departmental risk registers are to be reviewed at least quarterly To enhance the Terms of Reference of the Risk Management Committee to include a quorum, and rotational reviews of Departmental risk registers to provide assurances around scrutiny, taking action accordingly. The risk appetite of the Service and of departments is part of the discussion when developing risk registers and contingency plans, but will require some work to mature to the appropriate level of understanding and implementation. A regime for departmental risk registers to be reviewed quarterly, as for corporate risks, is planned. It has been explained to the Auditor that the Risk Management Committee, (RMC), is not a substantive Committee of the Fire Authority. Accordingly, a quorum is not appropriate, as it is currently set up. In noting the above, Members are assured that all risks to the functions and business of the Fire Authority and the Fire Service have continued to be protected by assessments, plans and assurance processes. Business Continuity The previous National Framework made it quite clear that fire and rescue services had to look at business continuity solutions for industrial action that did not include military personnel. The new National Framework continues this theme, referring again to the statutory requirements of the Civil Contingencies Act 2004, in order to meet the statutory requirements of the Fire & Rescue Services Act The recent periods of industrial action have demonstrated empirically that our planning is very effective. When the industrial action is ended lessons that have been learnt will be included into future plans. These changes will be incorporated into corporate and departmental business continuity plans over the next few months as part of normal review processes. Once plans are reviewed and amended business continuity arrangements will be tested by exercise. As a result of a reduced capacity to deliver the planned business continuity exercises a risk based approach was taken and the exercises completed were: Contingency Plan GIAN o To assess the impact of a strike during the Olympics, which turned into a very accurate planning assumption Service Control o A surprise and complete removal of the control facility as Hutton

5 Page 5 of 8 Organisational Command o surprise exercise of a major incident ICT Business Disaster Recovery plan o A planned assessment of the failure of the services main server room at Kelvedon Park Olympic site plans o A number of exercises across a number of sites and involving all stakeholders All exercises demonstrated an appropriate level of planning and an ability to continue the business and functions of the Service without inappropriate disruption; and lessons learned fed back into the plans. Contingency Plan GIAN and Organisational Command On 30 November 2011, and unreported in February, an exercise took place based on a national call for industrial action that day. At the instruction of the Chief Fire Officer, and with virtually only a day to prepare, a very small planning team arranged a no-notice exercise for the players. The Brigade Executive and Duty Officers were presented with a scenario at 0900 that took them immediately into setting up a Critical Incident Team to manage a number of incidents based on real and conjectural occurrences that day. This successful exercise also involved the redeployment of a number of the County Hall emergency planning team to Service Headquarters, who also had no notice. Service Control In mid May, Control conducted a successful exercise requiring a short-notice move to the secondary Control at Great Baddow (E33). All control functions moved without impact on operational mobilising, the loss of any emergency calls or any operational resources noticing any difference. The exercise will be repeated a number of times over the next year as we prepare for the new mobilising venue and systems. ICT disaster recovery plan In late May and with an Olympic focus, a successful disaster recovery exercise was held by ITC colleagues. This will be reported in more detail by the ICT function. Olympic planning and delivery During the lead up to the Olympics the Service developed and exercised plans for the Olympic events taking place within County including the Torch Relay. This has involved a dedicated resource and significant support from officers to develop and exercise these plans as well as resource them during Olympic events, Look Forward Planned work includes the annual support for delivery and integration of departmental business planning and associated risk registers designed to achieve IRMP objectives and to improve resilience. A planned change in structure is currently being implemented and a summary of the manner work will be delivered is described below: Risk and Business Continuity, including: Corporate Risk Management Planning Maintenance of Corporate Risk Register

6 Page 6 of 8 Risk Management Responsible for and maintenance of the Service Risk Register Support and guidance for department and functional risk registers Business Continuity The maintenance of Service business continuity planning Support and guidance for department business continuity planning Community Risk Management and Engagement Ensure that the planning of the Service is cognisant of the existing and likely future inclusions in community risk registers. To impact where appropriate on community risk registers. Strategic Assessment of Risk A record of the risks that are pertinent to the Service and which we endeavour to reduce or mitigate the impact. The record is presented annually and maintained throughout the year. Integrated Risk Management Planning The development of plans given direction from Fire Authority and Principal Management; consultation with stakeholders and governance arrangements that deliver final outcomes. Contingency Planning The development and maintenance of contingency plans that allow the Service to function in extraordinary circumstances. (e.g. Periods where there is a significant reduction of workforce or a significant building such as headquarters is not available.) The recent change in directorate structure will assist in the reinvigoration of risk and business continuity planning across the Service. Recent events have proven once again the importance and benefits derived from planning for foreseeable events. In order to support the change in direction the following priorities are identified: Completing the software project will ensure that all managers have access to appropriate information and plans We will develop an exercise programme that tests all business continuity plans. We will review the use of the GIAN plan and its appropriateness for use for a large loss of staff. We will work with regional partners to produce a Security Policy Framework. We will complete an audit and measure our current position against good practice described by CFOA. The Department will continue to provide ad hoc advice to the service where and when required. The full context can be seen with the other structural changes alongside the risk and business continuity department, as follows:

7 Page 7 of 8 Enhancements to community protection include: Event Planning o Large community events that cause the Service to make special provision (e.g. Olympics, V Festival, Air shows etc.) COMAH Sites (+) o To ensure that not only are the right plans are in place for all COMAH sites and other strategic risks in Essex; but there is sufficient exercising, all appropriate personnel are suitably knowledgeable and would be competent in their role if an incident did occur. Essex Resilience Forum o To represent Essex County Fire & Rescue Service at the forum in order that the needs of the Service are met; and also that the Service offers such support to the forum as is appropriate. Community Risk Register o To oversee (and react to and change) those parts of the Combined Authorities community risk register that impact on the Service. Community Protection o A new function that will engage the Service in the wider community risk management arena. The intention is to add value to the community mitigation of risk by the use of the Service position in that community and our branding that can support a reduction of risk. Crisis Management o To ensure that Service managers can implement their business continuity plans in all foreseeable circumstances. To include Training, Planning, Exercising and Reporting (assurance). Emergency Planning, including; Delivery of corporate preparedness to respond to any emergency in Essex through an integrated emergency management governance framework. To support the Service to meet the requirements of the Civil Contingencies Act. Delivery of Emergency Planning through the Emergency Planning and Community Protection Department. The conduit between the Local Authorities Emergency Planning (Essex County Council Emergency Planning now delivered by the Service and reports directly to the CFO) and the Service. Crisis Management In addition to the above, it is intended to make proposals for the consideration of a corporate standard for command and crisis response such as PAS 200:2011 Crisis Management, Guidance and good practice. This is a standard designed to help organisations take practical steps to improve their ability to deal with crises. It does this by giving organisations an operational structure (and recognised standard) to detect and prepare for such crises and hence prevent or survive them.

8 Page 8 of 8 By their nature most crises are abnormal and extreme, often occurring abruptly with little or no warning and they may not be fully covered by existing Business Continuity management planning. The process will include planning, training, exercising and reporting. The adoption of this approach will allow the department to report on assurance of preparedness more accurately in the future. RISK MANAGEMENT IMPLICATIONS Service Risk Management implications are the subject of this paper and not included separately under this heading. FINANCIAL IMPLICATIONS There are no direct financial implications associated with this paper. LEGAL IMPLICATIONS There are no legal implications to this report, other than the Authority and Service demonstrate appropriate and auditable risk management and business continuity procedures that will support Governance Statements. The requirement for this is imposed through the Civil Contingencies act 2004 and the National Framework EQUALITY IMPLICATIONS There are no direct Equality & Diversity implications associated with this paper. ENVIRONMENTAL IMPLICATIONS There are no direct Environmental implications associated with this paper. LOCAL GOVERNMENT (ACCESS TO INFORMATION) ACT 1985 List of background documents Proper Officer: Contact Officer: T/ACFO Gary Fleming T/ACFO Gary Fleming Essex County Fire & Rescue Service, Kelvedon Park, London Road, Rivenhall, Witham CM8 3HB Tel: gary.fleming@essex-fire.go.uk