BUSINESS CONTINUITY MANAGEMENT POLICY

Transcription

1 This document is uncontrolled once printed. Please check on the CCG s Intranet site for the most up to date version BUSINESS CONTINUITY MANAGEMENT POLICY

2 DOCUMENT CONTROL Type of Document Document Title Description: Location: Published version no. Policy Business Continuity Management Policy This policy and the supporting Business Continuity Management Plan are required to provide the Governing Body with reasonable assurance that the LCCG is meeting its obligations with regard to business continuity. File Location: S:/Lambeth Share/Lam/CCG/Governance and Development/Governance/Policy/ 1.0 Publication date December 2013 Review date December 2016 Author name, job title and contact details Consultation Body / Persons Marion Shipman Assistant Director Governance and Quality Marion.shipman@nhs.net Andrew Parker / Geraldine Hennighan Consultation date November December 2013 Approval Body Integrated Governance Committee Approval date December 2013 Ratification date (IGC) Readership / Audience: Information Governance Class (Restricted or unrestricted) 18 December 2013 All staff working for, and on behalf of the CCG Unrestricted Governance and NHS Lambeth CCG This document supersedes all pre-existing Business Continuity Management policies and protocols. This Policy applies to all staff of NHS Lambeth Clinical Commissioning Group. Details of the Equality & Equity Impact Assessment Checklist can be found in Appendix 3.

3 Version / Change History Version Date Author Approving Committee / Group Reason 0.1 3/12/13 Marion Shipman Initial draft version for consultation 1.0 6/12/2013 Marion Shipman Integrated Governance Committee New policy Consultation History Consultation Body / Persons Andrew Parker, Director of Governance and Development Area of expertise Date sent Date returned Comments / Changes made EPRR lead for LCCG 3/12/13 6/12/2013 Minor amendments policy is in line with NHSE requirements and similar CCG Business Continuity Management policies.

4 CONTENTS 1. Introduction Introduction Policy Statement Scope of Document Equality and Human Rights Statement Roles and Responsibilities CCG Governing Body Chief Officer Directors and Assistant Directors Commissioning / Contracting Managers All staff Governance Team Governance Arrangements Business Continuity Management Updating The Business Continuity Management Plan Definitions Business Continuity Business Continuity Management System Business Impact Analysis (BIA) Prioritised Activities Products and Services Maximum Tolerable Period of Disruption (MTPOD) Minimum Business Continuity Objective (MBCO) Recovery Time Objective (RTO) Incident Identification All other terms and definitions... 11

5 8. Policy Audit and Monitoring Compliance Policy Review Policy Monitoring and Audit Statement of evidence / references Implementation and dissemination of document Associated Documents Appendices Appendix 1 NHS Core Standards Appendix 2 The Plan-Do-Check-Act (PDCA) Model Appendix 3 Equality & Equity Impact Assessment Checklist... 18

6 1. INTRODUCTION 1.1 INTRODUCTION As Category 2 responders under the Civil Contingencies Act 2004, Clinical Commissioning Groups (CCGs) are required to have a business continuity plan in place to manage the effects of any incident that might disrupt its normal business. Following the reorganisation of the NHS under the Health and Social Care Act 2012, all current BCPs will need to be reviewed to take into account the changes and a re-evaluation of the criticality of functions and dependencies undertaken. An interim BCP was agreed for the CCG from 1 April 2013 and the following policy drafted after completion of a Business Impact Analysis. For CCGs duties as a Category 2 responder please refer to: POLICY STATEMENT The purpose of Lambeth Clinical Commissioning Group (LCCG) is to commission health services to improve the health of the citizens of Lambeth. It is the Policy of the LCCG to ensure, so far as is reasonably practicable, that the activities and assets of the LCCG which contribute to the achievement of that purpose are protected against potential threats, by the implementation of an effective programme of Business Continuity Management (BCM). This policy and the supporting Business Continuity Management Plan are required to provide the Governing Body with reasonable assurance that the LCCG is meeting its obligations with regard to business continuity. 2. SCOPE OF DOCUMENT This Policy applies to all LCCG directorates and staff and covers the activities and functions carried out by NHS Lambeth Clinical Commissioning Group (CCG) including: Strategic Finance Corporate Functions including Governance and provider quality monitoring Medicines Management Membership Services Engagement and support services Strategic commissioning, service redesign work and procurement Community and Mental Health Commissioning and contract monitoring Page 6

7 Primary Care Local Enhanced Service Commissioning and contract monitoring All CCG activities undertaken at 1 Lower Marsh, Lambeth, London SE1 7NT. This plan does not include the services commissioned or contracted by NHS Lambeth CCG including but not limited to: South London Commissioning Support Unit: HR functions; Information and Communications Technology; Information Governance; Patient PALS and Complaints; Acute contract monitoring; Out of Hours emergency communications function. Provider services: Contracted and commissioned services which provide services to NHS patients on behalf of the LCCG must have their own business continuity arrangements, which will be set out in contracts If the Lambeth Business Continuity Plan (BCP) is activated as part of a declared major incident NHS England London regional team will be strategically and tactically responsible for the management of the incident and the Lambeth BCP will be activated (as necessary) as part of the recovery process. 3. EQUALITY AND HUMAN RIGHTS STATEMENT Promoting equality, eliminating unfairness and unlawful discrimination, and treating colleagues, partners and the public with dignity and respect, are fundamental to successful performance by all staff in the CCG, including the Governing Body, who are all expected to actively promote equality and human rights and challenge racism, homophobia and other forms of discrimination through their activities, and support others to do the same. All staff are expected to work with others on effective approaches to ensure strategies, policies and activities promote and demonstrate equality and human rights. Equality Impact Assessment and Equality Analysis are to be used as part of developing and monitoring proposals and projects for their impact on equality and equity. All staff of Lambeth CCG, including the Governing Body are required to abide by all equality and human rights legislation and good practice, and will receive appropriate training and support to do so. 4. ROLES AND RESPONSIBILITIES Page 7

8 The authority and responsibility for the establishment, maintenance, support and evaluation of the BCM policy and strategy is vested in the LCCG Governing Body. 4.1 CCG GOVERNING BODY The LCCG Governing Body delegates the responsibility for the approval of the BCM policy and plan and overall implementation to the Integrated Governance Committee. 4.2 CHIEF OFFICER The Chief Officer is responsible under the Civil Contingencies Act 2004 for ensuring that a BCM system is in place and working satisfactorily. 4.3 DIRECTORS AND ASSISTANT DIRECTORS Directors (and Assistant Directors) of operational directorates are responsible for ensuring that the BCM programme is fully implemented within their areas of responsibility. 4.4 COMMISSIONING / CONTRACTING MANAGERS Commissioning / Contracting Managers are responsible for ensuring that contracts and or service level agreements with providers of goods and/or services include the requirement for BCM. 4.5 ALL STAFF All CCG employees will be responsible and accountable to their Line Manager for implementation of the BCM programme including having read this policy and the Business Continuity Management Plan. 4.6 GOVERNANCE TEAM The Governance Team is responsible to the Director of Governance and Development for developing and delivering the LCCG BCM programme. This includes ensuring there is a central register of Business Continuity Plans. 5. GOVERNANCE ARRANGEMENTS 5.1 BUSINESS CONTINUITY MANAGEMENT Page 8

9 BCM arrangements will be monitored through the Lambeth Integrated Governance Committee. Reports on BCM will be submitted to the LCCG Governing Body at least annually. 5.2 UPDATING This Policy will be deemed to have expired 3 years from its approval date, and will be subject to regular review and updating to reflect legislative, organisational or other significant change 6. THE BUSINESS CONTINUITY MANAGEMENT PLAN The BCMP will be based on the plan-do-check-act (PDCA) model and will: Establish the organisational context for BCM Set clear BC strategy and objectives Outline potential resource requirements Set out arrangements for communication to and with interested parties Contain business impact analysis Be based on risk assessment Describe the organisation s incident response structure Set out arrangements for recovery from an incident Set out arrangements for exercising and testing 7. DEFINITIONS 7.1 BUSINESS CONTINUITY ISO defines Business Continuity as the capability of the organization to continue delivery of products or services at acceptable predefined levels following [a] disruptive incident. 7.2 BUSINESS CONTINUITY MANAGEMENT SYSTEM ISO defines Business Continuity Management System as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders reputation, brand and value-creating activities. 7.3 BUSINESS IMPACT ANALYSIS (BIA) Page 9

10 Business Impact Analysis (BIA) is defined as the process of analysing activities and the effect that a business disruption may have upon them. 7.4 PRIORITISED ACTIVITIES Prioritised Activities is defined as those activities to which priority must be given following an incident in order to mitigate impacts. 7.5 PRODUCTS AND SERVICES Products and Services is defined as the beneficial outcomes provided by an organization to its customers, recipients and interested parties. 7.6 MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPOD) Maximum Tolerable Period of Disruption (MTPOD) is defined as the time it would take for adverse impacts, which might arise as a result of not providing a product / service or performing an activity, to become unacceptable. 7.7 MINIMUM BUSINESS CONTINUITY OBJECTIVE (MBCO) Minimum Business Continuity Objective (MBCO) is defined as the minimum level of services and /or products that is acceptable to the organisation to achieve its business objectives during a disruption. 7.8 RECOVERY TIME OBJECTIVE (RTO) Recovery Time Objective (RTO) is defined as the period of time following an incident within which: Product or service must be resumed; or Activity must be resumed; or Resources must be recovered The RTO must be less than the MTPOD. 7.9 INCIDENT IDENTIFICATION Incident Identification is defined as an incident or set of circumstances which might present a risk to the continuity of a service might be identified by any member of staff. Page 10

11 7.10 ALL OTHER TERMS AND DEFINITIONS All other terms and definitions used in this document are as found in ISO POLICY AUDIT AND MONITORING COMPLIANCE 8.1 POLICY REVIEW The Assistant Director Governance and Quality will collate a central register of Business Continuity Plans and will ensure that compliance is audited. Page 11

12 8.2 POLICY MONITORING AND AUDIT MONITORING / AUDIT REQUIREMENT Area in document for monitoring e.g. processes Note specifically any monitoring needed to assure equality and equity of delivery MONITORING / AUDIT METHOD (e.g. statistics, report) MONITORING REPORT / AUDIT PREPARED BY (job titles) MONITORING REPORT / AUDIT PRESENTED TO (name of Committee / group) FREQUENCY OF MONITORING REPORT / AUDIT (e.g. annually, sixmonthly) Implementation of BCM requirements for CCGs Report Assistant Director Governance and Quality Integrated Governance Committee At least annually Audit compliance against the CCG Business Continuity Plans Ensure robust monitoring and management of EPRR risks Reports Risk Register Assistant Director Governance and Quality Assistant Director Governance and Quality CCG Operations Group Integrated Governance Committee As required Monthly Page 12

13 9. STATEMENT OF EVIDENCE / REFERENCES This Policy and the supporting Business Continuity Management Plan are required to provide the Governing Body with reasonable assurance that the LCCG is meeting its obligations with regard to business continuity. This policy has been written with reference to: ISO Societal Security 1 The Civil Contingencies Act 2004 (as amended) The Health and Social Care Act NHS England (and former NHS Commissioning Board) EPRR documents and supporting materials including: NHS CB Emergency Preparedness Framework (2013) 3 ; NHS England Command and Control Framework for the NHS during significant incidents and emergencies (2013); and NHS England Core Standards for Emergency Preparedness, Resilience and Response (EPRR). BSI PAS Framework for Health Services Resilience 10. IMPLEMENTATION AND DISSEMINATION OF DOCUMENT Following ratification, the Business Continuity Management Policy will be uploaded onto the CCG intranet and the document location confirmed to all CCG staff launched at a Lower Marsh staff briefing included in all new staff induction sessions shared with SLCSU contracting leads In addition, all CCG staff will be required to confirm that they had seen and read the policy Staff with a role in BCM will be trained according to their level of need following a Training Needs Analysis (TNA). The Assistant Director Governance and Quality will ensure that BCM is incorporated into risk management, health and safety and emergency planning training. 1 This International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise Page 13

14 Significant changes and updates to BCM requirements or processes will be notified through the Senior Management Team Meeting and usual corporate routes. 11. ASSOCIATED DOCUMENTS This document should be read in conjunction with the LCCG Business Continuity Management Plan. 12. APPENDICES Appendix 1 Appendix 2 Appendix 3 NHS Core Standards The Plan-Do-Check-Act (PDCA) Model Equality & Equity Impact Assessment Checklist Page 14

15 APPENDIX 1 NHS CORE STANDARDS NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR) 1 2 All NHS organisations and providers of NHS funded care must develop, maintain and continually improve their business continuity management systems. This means having suitable plans which set out how each organisation will maintain continuity in its services during a disruption from identified local risks and how they will recover delivery of key services in line with ISO Organisations must: Make sure that there are suitable financial resources for their BCMS and that those delivering the BCMS understand and are competent in their roles. Set out how finances and unexpected spending will be covered, and how unique cost centres and budget codes can be made available to track costs. Develop business continuity strategies for continuing and recovering critical activities within agreed timescales, including the resources required such as people, premises, ICT, information, utilities, equipment, suppliers and stakeholders. Develop, use and maintain business continuity plans to manage disruptions and significant incidents based on recovery time objectives and timescales identified in the business impact analysis. Business continuity plans must include governance and management arrangements linked to relevant risks and in line with international standards. Each organisation s BCMS should be based on its legal responsibilities, internal and external issues that could affect service delivery and the needs and expectations of interested parties. Organisations should establish a business continuity policy which is agreed by top management, built into business processes and shared with internal and external interested parties. Organisations must make clear how their plan will be published, for example on a website. The BCMS policy and business continuity plan must be approved by the relevant board and signed off by the Chief Executive. There must be an audit trail to record changes and updates such as changes to policy and staffing. The planning process must take into account nationally available toolkits that are seen as good practice. Page 15

16 NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR) 3 4 Business continuity plans must take into account the organisation s critical activities, the analysis of the effects of disruption and the actual risks of disruption. Organisations must identify and manage internal and external risks and opportunities relating to the continuity of their operations. Plans must be maintained based on risk-assessed worst-case scenarios. Risk assessments should take into account community risk registers and at very least include worst-case scenarios for: severe weather (including snow, heat wave, prolonged periods of cold weather and flooding); staff absence (including industrial action); the working environment, buildings and equipment; fuel shortages; surges in activity; IT and communications; supply chain failure; and associated risks in the surrounding area (e.g. COMAH and iconic sites). Organisations must develop, use and maintain a formal and documented process for business impact analysis and risk assessment. They must identify all critical activities using a business impact analysis. This should set out the effect business disruption may have on the organisation and how this will be overcome, including the maximum period of tolerable disruption. Organisations must highlight which of their critical activities have been put on the corporate risk register and how these risks are being addressed. Business continuity plans should set out how the plans will be called into use, escalated and operated. Organisations must develop, use, maintain and test procedures for receiving and cascading warnings and other communications before, during and after a disruption or significant incident. If appropriate, business continuity plans should be published on external websites and through other information-sharing media. Plans should set out: the alerting arrangements for external and self-declared incidents, including trigger points and escalation procedures; the procedures for escalating emergencies to CCGs and the NHS CB area, regional and national teams; 24-hour arrangements for alerting managers and other key staff, including how up-to-date contact lists will be maintained; the responsibilities of key staff and departments; the responsibilities of the Chief Executive or Executive Director; how mutual aid arrangements will be called into use and maintained; where the incident or emergency will be managed from (the ICC); how the independent healthcare sector may help if required; and the insurance arrangement that are in place and how they may apply. Page 16

17 APPENDIX 2 THE PLAN-DO-CHECK-ACT (PDCA) MODEL Page 17

18 APPENDIX 3 EQUALITY & EQUITY IMPACT ASSESSMENT CHECKLIST The CCGs Equality and Human Rights Statement is included as Section 3 of this document. This information is also included in CCG job descriptions. This is a checklist to ensure relevant equality and equity aspects of proposals, policy or guidance have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/ equality analysis. It is not a substitute for EEIA/ equality analysis which is normally required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether the EEIA has covered the ground and to give assurance that the proposals will not only be legal but also fair and equitable and lead to reduced health inequality Challenge questions Does the document set out the health care needs of the groups intended to benefit from the proposal, including any differences in need in terms of the legally protected or other characteristics (such as socioeconomic position) Does the document set out any known existing inequality in access, quality, experience and outcome of care for populations relevant to the proposal (i.e. as defined in 1. and in relation to the existing health or care service)? Are there any particular public concerns about equality about the policy area than need to be addressed? Has the policy described any gaps in knowledge about 1-3, and any action taken to fill gaps (or recommendations for action) Does the document set out risks to equity of access, quality, experience and outcomes including risk of direct or indirect discrimination, and risk to good relations between people of different groups? Does the document describe any specific opportunities to promote equality and human rights, good relations between people of different groups, to enhance participation, etc? Does the document describe how the proposal, policy etc will address the identified inequalities, and Does the document make recommendations to mitigate risks and enhance the opportunities to promote equality and equity? Does the document describe how monitoring and reporting will take place to assure equality and equity in the future including to stakeholders? [audit and monitoring table may be used] Yes / No / DK / N/A N/A N/A No N/A N/A N/A N/A N/A N/A Comments * Race/ ethnicity, gender (including gender reassignment) age, religion or belief, disability, sexual orientation, marriage or civil partnership, pregnancy and maternity. This will include groups such as refugees and asylum seekers, new migrants, Gypsy and Traveller communities; and people with long term conditions, hearing or visual Page 18