Business Continuity Policy & Plans

Transcription

1 Agenda Item 8.3a SNCCG Governing Body Business Continuity Policy & Plans Ref Number: Version: 1 Status: Pending Approval Author: A Brown Approval body Governing Body Date Approved Date Issued Review Date March 2016 Contact for Review: Corporate Affairs 1

2 Prepared by Impact Assessment Consultation Authorised by What is it for? Who is it aimed at and which settings? This Policy has been reviewed by the Corporate Affairs team. Completed Pending approval by the CCG Governing Body This document sets out the aims and objectives to Business Continuity management with a business continuity action plan in the event of an incident. The Policy is for use by CCG staff which for the purposes of this policy includes but is not limited to governing body members, contractors, agency & temporary staff, student, honorary and volunteer staff. Evidence Other relevant approved documents References Civil Contingencies Act 2004 Training and competences All staff to be made aware of this policy through staff briefing and mandatory training Monitoring and Evaluation Appendix This policy will be monitored and reviewed for effectiveness by the Corporate Affairs team on a regular basis. 1. Impact Analysis Priority Table 2. Business Impact Analysis: Assessment Form 3. Recovery Action Plan 4. Initial Business Impact Assessment 5. Business Continuity Plan Authority to Invoke and Stand Down the Plan The following officers of the CCG have authority to invoke and subsequently stand down the plan: Position Name Tel Accountable Officer Ann Donkin [email protected] Chief Financial Officer (as Business Continuity Lead) Steve Ham [email protected] Chief Operating Officer Jocelyn Pike / [email protected] 2

3 1 Introduction The Civil Contingencies Act 2004 & NHS Emergency Planning Guidance 2005 requires CCG s to have a Business Continuity Policy. Business Continuity Planning (BCP) helps to reduce the risk of interruption to the delivery of NHS South Norfolk Clinical Commissioning Group (the CCG ) services in the event of a disruption to normal operations. These disruptions may be external, such as severe weather or loss of utilities, or internal such as IT system failures or the loss of key staff. BCP provides the framework to enable the CCG to identify its critical functions and maintain these during a disruption, allowing the deliver of services to continue whilst recovery is in progress. The generation of Business Continuity Plans ensures that the organisation fulfils its responsibilities in respect to BCP as both a Category 2 organisation as defined by the Civil Contingencies Act and as an NHS body. NHS England requires that: NHS organisations and providers of NHS funded care must therefore be able to maintain continuous levels in key services when faced with disruption from identified local risks such as severe weather, fuel or supply shortages or industrial action. BCP gives organisations a framework for identifying and managing risks that could disrupt normal service. An organisations business continuity plans in concert with the Major Incident Plan helps it to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever part of the business they affect. 2 Policy statement & objectives NHS England requires the CCG to have prepared to continue to provide its critical services and functions in the event of an internal or external disruption The overall goal of the CCG BCP is to ensure that patient services are not unnecessarily interrupted by internal or external disruptions affecting the organisation This policy provides the framework for the CCG Business Continuity Plan to be developed, implemented tested and reviewed to ensure that any impact on patient care is reduced in the event of a disruption to CCG operations The anticipated outcomes of the Business Continuity Plan include: Identification of critical, essential, routine and non-urgent activities of the CCG Prioritising delivery of those activities in response to a disruption Minimising the effects of any disruption and allowing return to business as usual as fast as possible 3

4 Increased staff awareness of BCP principles and processes Supporting the achievement of the CCG strategic objectives and associated action plans Ensuring legal compliance with planning obligations Inform a response process which is flexible to meet changes in service delivery of the CCG 3 Scope 3.1 The scope of this document is limited to the activities of the CCG. Any staff directly employed by, or contracted to work for CCG are covered. It does not cover activities related to providers premises, processes, staff or systems where they are not related to a core contractual term with CCG. 3.1 Each area of CCG has responsibilities for managing its own business risk and business continuity arrangements. These are brought together under a corporate Business Continuity Plan which establishes how the Governing Body will oversee the response to and recovery from, any business interruptions. 4 Definitions Activity: Processes or sets if processes undertaken by the CCG, or on behalf of the CCG, that supports delivery of services. Business As Usual: Pre-defined acceptable levels of service delivery Business Continuity Planning (BCP): Holistic process to identify and assess the impact of potential threats, building a framework to support CCG resilience to those threats, including protecting patients and stake-holders interests and achieving strategic objectives. The strategic and tactical capability of the CCG to plan for and respond to business interruptions in order to support continued delivery of business as usual Critical Activities: Those activities carried out by the CCG which are most timesensitive and important for ensured continued delivery. These will be mainly those services essential for immediate life and death of patients. These activities will typically suffer if delayed by more than one hour. Disruption: Any event, planned or unplanned, which causes an interruption to the CCG s ability to continue business as usual. Essential Activities: Those activities carried out by the CCG which are sensitive and important, but not critical to life and death of patients. These activities will normally suffer if delayed by more than one day. 4

5 Major Incident: An event classified as a major Incident according to the CCG Major Incident Plan. Non- Urgent Activities: Those activities carried out by the CCG which can be postponed or delayed most easily. These activities will begin to suffer if delayed by more than one month. Routine Activities: Those activities carried out by the CCG which support business delivery on a daily basis and are not critical or essential. These activities will typically start to suffer if delayed by more than one week. Service Recovery: The process through which business as usual is reached, following an interruption or disruption event. Function: The purpose of a department of the CCG i.e. commissioning or quality that is a combination of activities and services. 5 Duties 5.1 Governing Body The Governing Body must act to ensure/monitor the overall strategic direction of Business Continuity Planning across the CCG The Governing body must ensure that the Business Continuity Policy and development plan is enforced and resourced appropriately In the event of a serious or widespread disruption to the activities of the CGG it may be necessary to invoke the (Major Incident Plan held by the Resilience Manager on behalf of Norfolk CCGs. Note that the Major Incident Plan will be moving to an Incident Response Plan during 2014/15 with the intention that it incorporates all Norfolk CCG Business Continuity Plans). In this case the Governing Body may need to lead the response or delegate incident management coordination to named officers. 5.2 Head of Corporate Affairs Undertake leadership and sponsorship of the Business Continuity Planning framework under the direction of the Governing Body Act as a point of tactical leadership in support of the staff Liaise with the Senior Managers to ensure that the Business Continuity Plans meet the needs of the CCG Ensure that where appropriate, sections of Business Continuity Plans and policies are published and accessible to the public The Head of Corporate Affairs will be responsible for ensuring the plan is reviewed and updated at regular intervals to determine whether any changes are required to procedures or responsibilities. 5

6 5.3 Senior Managers Undertaking of a Business Impact Analysis for their area of responsibility (see section 6.1 and appendix 2) Preparing a Recovery Plan for critical services and key activities in their area Report on service continuity performance as required. 6 Procedures 6.1 Business Continuity Management Plan The Business Continuity Management plan will consist of a series of business Impact Assessments produced for each function of the CCG The CCG will maintain a corporate business continuity plan to enable it to respond to business disruptions. This plan will be scalable, enabling an individual director to manage low level disruptions whilst also providing a framework for the Governing Body to manage disruptions that affect the whole organisation The CCG will undertake a Business Impact Analysis to determine which are its critical services and functions and to identify the Recovery Time Objective for each. The Business Impact Analysis will also identify key stakeholders for each activity The Business Impact Analysis and Business Continuity Plan will be reviewed at regular intervals to ensure that they continue to reflect the organisation s needs The Business Continuity Plan will be tested at regular intervals and training will be provided to staff where required to ensure that disruptions can be responded to effectively. 6.2 Business Impact Analysis A business Impact Assessment forms the foundation for the Business Continuity plan. Using appendix 1, follow the steps for conducting a Business Impact Analysis as set out below: Step 1: Identify the key activities for the service function that will have the greatest impact if disrupted and the type of disruption to which they are vulnerable (this will also help identify any inherent risks to the business) Step 2: Identify the critical resources required to undertake the key activities, the minimum level (trigger criteria) and the desired level for business as usual Step 3: Use the priority label (Appendix 1) to determine the tolerance for disruption of activities and set the priority for action Step 4: Generate an action plan for recovery and determine the cost per day of any disruption and recovery 6.3 Initiating the plans 6

7 6.3.1 The Business Continuity plan can be invoked by the Chair, the Chief Officer, the Governing Body or its committees, or the designated on call director The Business Continuity Plan will be automatically initiated when any disruption to service delivery is experienced that reaches the trigger criteria (See flow chart below) The trigger criteria are reached when the service requirements fall below minimum and should be described in the impact assessment form in appendix The minimum service requirements are not normally sustainable and should not be used as the business as usual recovery levels There are many and varied possible causes of service disruption. Such as: Major accident or incident, national disaster, epidemic, terrorist attack Fire, flood, extreme weather conditions Loss of utilities, including IT and telephone systems Major disruptions to staffing; epidemic, transport disruption, industrial action, inability to recruit; mass resignations (e.g. lottery syndicate) These events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get work A cause of a service disruption event may also become an internal Major Incident for the CCG and invoke the Major Incident Plan. In this event, the plans should be carried out simultaneously with the response to the Major Incident, as far as is possible. 6.4 Succession and contingency planning 7

8 6.4.1 Normal succession planning for staff may not cover all critical activities for the CCG. Priority should be given to ensuring that key tasks can be undertaken by multiple individuals to mitigate the risk of dependency on single members of staff Contingency plans for on-going projects and strategic objectives should be taken into consideration when developing action plans. 6.5 Testing and Training The Head of Corporate Affairs is responsible for identifying appropriate levels of training and awareness sessions for all CCG staff to ensure business continuity becomes part of organisational culture and daily business routines, improving the organisations resilience to the effects of business disruptions The on-going viability of the business continuity program can only be determined through continual tests and improvements. The Head of Corporate Affairs will be responsible for ensuring regular tests and revisions are made to all plans to ensure they provide the level of assurance required If there is a major change to the CCG roles and/or structure, plans will be tested and revised once a settling-in period has been achieved, to allow for a confident level of recovery Testing should follow the plan, study, do, and act model and can be either: Discussion based exercises that involve stakeholders and team planning. Table top exercises involve testing the plan against a given scenario, rehearsing actions and responses. Live exercises will test a single or selection of components of an action plan where the other two types are not suitable (e.g. fire drills, generator testing) A full test of the Business Continuity Plans will be undertaken yearly. All senior managers and Heads of Service will be expected to take part in these exercises. A cold debriefing session will take place following the exercise to establish if any changes need to be made as a result of the exercise. All leads will be asked to review their Business Continuity Plans at this stage and submit them to the CCG s overall plans. 6.6 Debriefing, Evaluation and Lessons Learned Following a test or real activation of the business continuity plan, there should be a debrief for participants to identify areas that went well, and areas that require development An after action report will be produced following a test or real activation of the Business Continuity Plan by the appropriate director, highlighting recommendations from the debrief Lessons learned will be disseminated to all staff and stakeholders. 8

9 7 Monitoring and review of effectiveness The Business Continuity Plan will be reviewed by the Audit Committee and if necessary revised in the light of legislative, guidance or organisational change. NHSLA Monitoring Table Criteria Measurable Frequency Reporting to Action Plan/Monitoring Fit for purpose Business Continuity Plans 6 Months Audit Committee Effectiveness of plans Appropriate use of Business impact assessments Exercises Annually Audit Committee Audit Annually Audit Committee 7.1 Review of the policy A suitable assessment tool will be used to support review of the effectiveness of this policy This policy will be reviewed annually and a report brought to the Audit Committee 8. Business Continuity Plans The CCG will undertake the above actions to ensure robust Business Continuity Plans are in place. For completeness the existing Business Continuity Plans are set out at Appendices 4 and 5. 9

10 Appendix 1 Impact Analysis Priority Table 10

11 Appendix 2 Business Impact Analysis: Assessment Form 11

12 12

13 Business Continuity Function List 13

14 Appendix 3 Recovery Action Plan 14

15 8 Appendices Appendix Initial Business Impact Assessment In order to construct a Business Continuity Plan, the starting point is to undertake a Business Impact Assessment which identifies the essential functions and services which define the organisation and assesses, based on impact and risk, the maximum time (Recovery Time Objective) the organisation can be considered to be sustainable without the ability to deliver those functions and services. Purpose of Activity Actual Activity Carried out by Resources needed Dependencies (other teams, other agencies) Impact Recovery Time Objective Current Contingencies Proposed Contingencies Financial Management Budgeting & Reporting Finance Team Network access to ISFE PC access CSU Significant 2 weeks Home Working Financial Transitions Payroll Sales Ledger Cash Management CSU Finance Team Network Access PC Access Serco CSU SBS Bank Crucial 2 weeks CSU(s) and SBS Business Continuity Plans Dependent on CSU business continuity plan Activity and Contract Management Data Capture & Analysis CSU Network access PC access Providers data Major 1 Month CSU(s) B.C. Plan Dependent on CSU business continuity plan 15

16 Quality Management Monitoring SUI s Safeguarding (adult hosted by North Norfolk CCG, children by GY&W CCG) Corporate Affairs & Director of Quality & Patient Safety Internet access PC access Providers reports Crucial 3 days CSU Public Health Infection Control Medicines Management Benchmarking Best Practice Monitoring prescribing CSU Prescribing Data South Norfolk CCG Moderate 1 month South Norfolk Dependent on CSU Manpower Management Recruitment Appraisal CSU/ Head of Corporate Affairs Telecommunic ations CSU HR Team Moderate 6 Weeks Home Working CSU business continuity plan Commissioning On-going decisions Defining need for services System change Chief Operating Officer Network access Lead CCGs Moderate 2 months Home Working Public Engagement Website Press relations Surveys FOI requests Head of Corporate Affairs Internet Access CSU Moderate Major Minor Crucial 1 month 1 day 6 weeks 3 days CSU usexxx? Dependent on CSU business continuity plan Procurement Securing goods and services Commissioning Network access CSU Moderate 2 months CSU Governance & Compliance Maintenance of risk and GBAF Handling complaints Conducting Governing Body & Committees CO/Chair/Head of Corporate Affairs Admin Team Network Access None Significant 2 weeks, 3 days, 1 month Homeworking local facilities 16

17 Performance Monitoring & reporting QIPP AT/SHA liaison and performance regime Chief Operating Officer, CFO Network access CSU Moderate 1 month Homeworking Research & Development Access to PPIRES Database & research operational files Head of Research & Development Network access Research teams and PPIRES volunteers Significant 2 weeks Networks and homeworking Impact: Minor (1), Moderate (2), Significant (3), Major (4), Crucial (5) Recovery Time Objective: Immediate, 1 day, 3 days, 1 week, 2 weeks, 1 month, 6 weeks, 3 months 17

18 Appendix 5 Business Continuity Plan There are a number of threats to the continuity of business at South Norfolk CCG. The major ones are: Loss of access to office Loss of key to managers Loss of access to I.T. Office: Loss of access to the Head Office (Lakeside 400, Old Chapel Way, Broadland Business Park, Norwich, Norfolk, NR7 0WG) may occur due to the building being unavailable for use (fire damage, flood damage, loss of power) or access being denied to the building and immediate vicinity (Security alert). If the loss of access is expected to be short term (less than 2 working days), most staff can work from home or utilise space in GP practice. If the disruption is longer than 2 working days the CCG would seek to utilise space within neighbouring CCGs or the CSU if parts of Lakeside 400 were usable. If a temporary relocation of Head Office takes place, an alert will be placed on the CCG website by the Engagement Manager informing the public of the relocation and predicted length of disruption. Due to unforeseen circumstances, South Norfolk CCG has temporarily moved headquarters to XXXX. The telephone to be used for the time being is XXXX, s to XXX. ( address will not change, message is just to re-enforce that). It may be possible to divert telephones to the temporary address but it is likely that an enforced move would happen without sufficient notice to action this (e.g. incident in the building out of hours). The essential staff to relocate are: Chief Finance Officer Chief Operating Officer Director of Quality & Patient Safety Head of Corporate Affairs Head of Research and Development Other staff would be asked to work from home and report to their head of department for a daily update on work required and possible date to return to normal work. Maintenance and access of the shared drive is critical as it may not be possible to move paperwork to ACH, or that paperwork may be destroyed in fire or flood. 18

19 Excess travel costs to Aldershot will be met if claimed. Loss of key managers This may be considered lower threat to business continuity as there is already a high degree of close-knit working and covering roles within the senior team. It is preferable to formalise arrangements and ensure that each senior leader selects a shadow and invests time outlining their major objectives. It is also critical that shared drives for essential files are utilised and the file discipline shared with all staff. Loss of I.T. This is a critical risk. If there is a lack of access to IT the CCG will need to mobilise access via alternative sites such as other Norfolk CCG offices. Loss of access to data/information is mitigated by existing back-up arrangements for the CCGs data, carried out by the NHS CSU (South). The CCG must seek regular assurance and evidence that these back up arrangements re regularly undertaken. Authority to Invoke and Stand Down the Plan The following officers of the CCG have authority to invoke and subsequently stand down the plan: Position Accountable Officer Chief Financial Officer (as Business Continuity Lead) Chief Operating Officer 19