Business Continuity Management Policy


SH NCP 67 Business Continuity Management Policy

Summary: This Business Continuity Policy provides the strategic framework for Southern Health NHS Foundation Trust's (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure SHFT meets its legal obligations to ensure the organisation's Prioritised Activities and Services are protected against potential disruption as a result of incidents and emergency situations and climate change adaption.

Keywords (minimum of 5) (to assist policy search engine): Business Continuity Policy, Business Continuity Management, Emergency Planning, Business Continuity Plan, Organisational Resilience, Climate Change Adaption

Target Audience: All employees of Southern Health NHS Foundation Trust. Non-Executive Directors, Volunteers, Governors and Contractors.

Next Review Date: January 2017
Approved and ratified by: EPRR Working Group
Date of meeting: 12 January 2015
Date issued:
Author: Stuart Brown, Business Continuity Advisor
Sponsor: Helen Ludford, Interim Head of Quality Governance

Version Control

Document Change Record

Date | Author | Version | Page | Reason for Change
 | T Pettis | 1 | | Changes to reflect NHS Commissioning Board, NHS England and Public Health England structures following the abolition of Strategic Health Authorities and Primary Care Trusts
 | T Pettis | 1 | | NHS Commissioning Board BC related documents
 | S Brown | 1 | | Replacement of reference to BS with ISO International Business Continuity Standard
 | S Brown | | | Replacement of reference to BS with ISO International Business Continuity Standard
 | T Pettis | 1 | | Review and update of entire document and Business Impact Analysis
 | L Sawyer | 1 | | Integration with Trust's Climate Change Adaption Plan
 | S Brown | 2 | | Review of completed document and inclusion of BIA and BC Plan templates for EPRR WG on 21 Nov
 | S Brown | 2 | | Inclusion of amended Business Impact Analysis (BIA)

Reviewers/contributors

Name | Position | Version Reviewed | Date
Sharon Gomez | Essential Training Lead | 1 | 04 Feb 2013
Fiona Richey | Head of Risk and Business Continuity | 1 | 12 Feb 2013
Ricky Somal | Equality and Diversity Lead | 1 | 17 Feb 2013
Alida Towns | Interim Business Manager | 1 | 18 Feb 2013
Helen McCormack | Chief Medical Officer | 1 | 27 Mar 2013
Tim Pettis | BCR Manager SHFT | 1 | 01 Apr 2013
David Griffiths | EPM (UHS) (External Reviewer) | 1 | 01 May 2013
Libby Beesley | EPM DUFT (External Reviewer) | 1 | 01 May 2013
Tim Pettis | BCR Manager SHFT | 1 | 24 May 2013
Stuart Brown | BC Advisor | 1 | 02 Dec 2013
Stuart Brown | BC Advisor | 1 | 31 Jan 2014
Tim Pettis | BCRM SHFT | 1 | 29 May 2014
Louise Sawyer | Environmental Sustainability Manager | 1 | 10 June 2014
Stuart Brown | BC Advisor | 2 | 17 Nov 2014
Stuart Brown | BC Advisor | 2 | 05 Jan

CONTENTS

1. Introduction
2. Scope
3. Definitions
   3.1 Business Continuity Management
   3.2 Business Impact Analysis
   3.3 Emergency
   3.4 Prioritised Activities
   3.5 Maximum Tolerable Period of Disruption
   3.6 Recovery Time Objective
4. Duties/responsibilities
   4.1 Chief Executive and Board
   4.2 Lead Director
   4.3 Head of Risk and Business Continuity
   4.4 Divisional and Service Managers
   4.5 All Staff
5. Main policy content
   5.1 Business Continuity Lifecycle
   5.2 Business Continuity Objectives
   5.3 Business Impact Analysis
   5.4 Risk Assessment
   5.5 Recovery Plans
   5.6 The Southern Health NHS Foundation Trust Business Continuity Plan
   5.7 Incident Identification
   5.8 Incident Declaration
       Normal working hours
       Out of Hours
   5.9 Stand Down
   5.10 Recovery and Debrief
   5.11 Document Management
   5.12 Exercising
6. Training requirements
7. Monitoring compliance
8. Policy review
9. Associated documents
10. Supporting references

Appendices
A1 Policy Implementation Plan
A2 Business Impact Analysis Template
A3 Business Continuity Plan Template and Completion Guidance
A4 Business Continuity Plan Completion Guidance
A5 Training Needs Analysis (TNA)
A6 Equality Impact Assessment (EqIA)

1. Introduction

1.1 Business Continuity Management (BCM) is a legal requirement for all NHS, private and third sector organisations which, under NHS funded Provider status, provide care or services to patients. Business Continuity Management forms part of the Care Quality Commission's essential Standards of Quality and Safety, which all health providers must comply with as a condition of registration, and of the NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013 (EPRR). Business Continuity Management is an integral part of EPRR and this discipline sits within the EPRR Core Standard Framework in both planning and assurance. Southern Health NHS Foundation Trust has services and facilities which cover a huge geographical area. The following hyperlink provides an interactive Google map of the Trust's sites.

1.2 Statutory requirements under the Civil Contingencies Act (2004) require all NHS Trusts to have in place Business Continuity Management arrangements that enable them to:
- Respond to incidents (major and other) and emergencies of any kind;
- Ensure the health, safety and well-being of their service users and staff; and
- Support partner agencies in extreme circumstances.

1.3 The Trust's Strategy for Organisational Resilience provides the strategic framework for Southern Health NHS Foundation Trust's (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure that the Trust's Prioritised Activities/Services are protected against potential disruption as a result of incidents, emergency situations and climate change, and that its statutory obligations are met.

1.4 The SHFT Business Continuity Management programme described in this policy is based on the following standards:
- NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013; and
- International Standards Organisation ISO: 22301: 2012.

1.5 Business Continuity Management (BCM) is an integral and critical part of the incident response planning process and helps build organisational resilience within an organisation. Business Continuity Management is about identifying an organisation's Prioritised Activities/Services, the appropriate resources required to deliver them, and planning how to maintain and reinstate them as soon as reasonably practicable or possible should an incident occur that causes disruption. Business Continuity Management achieves this by assessing the risks to an organisation's ability to deliver its services, then considering how these risks can be eliminated or reduced, the contingency plans that can be put in place to ensure that those services identified as critical or essential are maintained regardless of the disruption, and how the other services can best be recovered when the disruption ceases.

1.6 The Climate Change Act 2008 also places a mandatory requirement on health care organisations to put in place Climate Change Adaption plans. Our climate is changing and as a consequence we are seeing more frequent and severe weather events, such as droughts, heat waves, storms and extremes of cold and hot weather, bringing increased disruption to our services and activities. Business Continuity Management forms part of the Trust's Climate Change Adaption plans by building in organisational resilience within the organisation to deal with severe weather events and other climate change impacts.

1.7 This policy requires ALL Services in ALL Divisions to develop Business Continuity Plans which detail how a service will perform its functions in the event of disruption by defining and prioritising its Prioritised Activities/Services, detailing contingency arrangements during the disruption and, when the disruption has passed, how all services will be restored (recovered) by:
- Undertaking a Business Impact Analysis (BIA) to identify Prioritised Activities/Services;
- Identifying the risks to the delivery of Prioritised Activities/Services and the likely impact if they are affected;
- Planning how to mitigate against risk to Prioritised Activities and improve the resilience; and
- Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption (MTPD) to Prioritised Activities, their Recovery Time Objectives (RTO), the minimum and appropriate resources required to deliver them, and the order of priority in which these and other services should be restored to normal.

1.8 Other NHS, private and third sector organisations that provide services to NHS patients on behalf of the Trust, or equipment and goods which will be used in the treatment of the Trust's NHS patients, must have their own business continuity and resilience arrangements in order to meet the legal and contractual obligations with this Trust.

2. Scope

2.1 This Policy applies to:
- All Southern Health NHS Foundation Trust (SHFT) services in all Divisions; and
- All SHFT managers responsible for contracting, commissioning or purchasing goods or services from external organisation(s), defined as NHS Funded Providers.

These SHFT managers are responsible for ensuring that contracts and/or service level agreements with providers of goods and/or services include arrangements to ensure that robust business continuity arrangements are in place, so that the service or product they provide can be maintained, thus supporting the Trust's own identified Prioritised Activities.

3. Definitions

3.1 Business Continuity Management (BCM)
Business Continuity Management is an all-inclusive management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational readiness and resilience, and the capability for an effective response that safeguards the interests of its service users, staff, key stakeholders, Trust brand and reputation.

3.2 Business Impact Analysis (BIA)
Business Impact Analysis is the process of analysing ALL business functions and the effect that a business disruption might have upon them.

3.3 Emergency
For the purposes of this policy an emergency is defined as: An actual or impending situation that may cause injury, loss of life, destruction of property, detrimental environmental impact or cause the interference, loss or disruption of the organisation's normal business operations to such an extent that it poses a threat.

3.4 Prioritised Activities/Services
Prioritised Activities/Services are those services which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff.

3.5 Maximum Tolerable Period of Disruption (MTPD)
Maximum Tolerable Period of Disruption is the time duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed.

3.6 Recovery Time Objective (RTO)
Recovery Time Objective is a target time set for the resumption of a product, service, activity or resource after an incident.

4. Duties/Responsibilities

4.1 Chief Executive and Board
The Chief Executive and the Board have a legal duty set under the Civil Contingencies Act (2004) and within NHS England Emergency Preparedness, Resilience and Response (EPRR) Core Standards (2014) to ensure Southern Health NHS Foundation Trust (SHFT) is prepared to respond to a major incident or civil contingency event within the local and wider health community, to maintain the public's protection, and maximise NHS in its overall response. Trusts are ultimately accountable to the public and the Secretary of State for Health for ensuring that the organisation consistently follows the principles of good corporate governance and internal control.

This ensures that an EPRR programme, of which Business Continuity Management (BCM) is an integral part, is in place to ensure that, in the event of a loss or major disruption to core functions, the public continue to receive the best quality and range of services it is reasonably practicable to deliver, and that Prioritised Activities/Services are maintained.

4.2 Accountable Emergency Officer (AEO) for Emergency Planning, Resilience and Response
The Accountable Emergency Officer (AEO) for Emergency Preparedness, Resilience and Response (EPRR) has delegated responsibility from the Board to ensure that the requirements of this policy are met, that the Board are provided with reasonable assurance, and are kept informed of any significant concerns. The AEO is supported where appropriate by a non-executive director, or appropriate other board member, to endorse assurance to the board that the organisation is meeting its obligations with respect to EPRR and relevant statutory obligations under the Civil Contingencies Act. This will include assurance that the organisation has allocated appropriate resources to meet these requirements, which includes the support of trained and competent emergency planning and business continuity professional staff member(s) as appropriate.

4.3 Head of Risk and Business Continuity
The Head of Risk and Business Continuity is responsible for the development and implementation of the Trust's Business Continuity Management programme, advising on compliance with the Civil Contingencies Act and NHS England EPRR Core Standards. The Head of Risk and Business Continuity may delegate some or all of the above to the Business Continuity and Resilience Manager, the organisation's designated Emergency Planning Manager.

The Head of Risk and Business Continuity and designated Emergency Planning Manager will also:
- Develop a Trust wide Incident Response Plan (IRP) from which the Business Continuity element will list the Trust's Prioritised Activities/Services;
- Provide specialist advice and guidance in respect of Business Continuity Management issues including the co-ordination, development, implementation and review of the business continuity policies, programme, plans and procedures;
- Interpret the requirements of the Civil Contingencies Act 2004, NHS England EPRR Core Standards and ISO Societal Security - Business Continuity Management System Requirements, and associated guidance to support the Trust's Divisions and service areas and to ensure that these requirements are met;
- Conduct risk assessments based on current and future threats identified through environmental scanning and intelligence gathering;
- Embed an EPRR/Business Continuity culture through communication in concert with the offices of the AEO and the Trust's EPRR Working Group, and through the EPRR WG make the provision of awareness sessions, training and exercises to staff, according to their roles and needs;
- Liaise with other NHS organisations and the wider area external agencies as required; and
- Audit compliance via the EPRR WG relating to local Emergency Response and Business Continuity Plans, facilitating tests and providing recommendations and other management feedback as appropriate.

4.4 Environmental Sustainability Manager
The Environmental Sustainability Manager is responsible for developing and implementing the Trust's Climate Change Adaption plans, including responsibility for advising the Head of Risk and Business Continuity of any climate change risks and impacts that may affect the Trust's organisational resilience in business continuity.

4.5 Divisional and Area/Service Managers
Divisional and Area/Service Managers are responsible for:
- Implementing and supporting the Business Continuity Management policy;
- Ensuring a Business Impact Analysis for their services is undertaken;
- Developing, maintaining and reviewing at least annually, or when a new service is undertaken, their Divisional Business Continuity Plans, including the BIA;
- Testing and exercising at least annually the Divisional/Area/Service Business Continuity Plans (see section 5.12);
- Ensuring sufficient training is given;
- Participating in exercises where appropriate; and
- Maintaining all relevant operational Business Continuity Plans as they are developed, ensuring that any significant service changes or risks are reflected in plans, and understanding all the requirements and responsibilities as detailed in the plans.

4.6 Departmental Managers/Team Leaders
Departmental Managers/Team Leaders are responsible for:
- Ensuring all their staff are familiar with their Divisional/Area/Service business continuity arrangements and Business Continuity Plans;
- Testing and exercising at least annually Divisional/Area/Service Business Continuity Plans (see section 5.12);
- Ensuring sufficient training is given; and
- Participating in exercises where appropriate.

4.7 All Staff
Staff will make themselves aware of their department's Business Continuity Plans, and will participate in training and exercises as required.

5 Main Policy Content

5.1 Business Continuity Lifecycle
To align with the required standards and best practice, the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management (BCM) process will follow the five stages of the BCM lifecycle. Those actions required to deliver this process are captured within the Policy Implementation Plan at Appendix 1.

The five stages are:
- Understanding the organisation;
- Determining BCM Strategy;
- Developing and implementing the BCM Response;
- Exercising, maintaining and reviewing; and
- Embedding BCM in the organisation.

5.2 Business Continuity Objectives
In any situation, the primary Business Continuity objectives for the Trust will be to:
- Comply with legal, regulatory and contractual obligations;
- Ensure effective and competent incident management;
- Ensure Prioritised Activities/Services have been identified, are protected, and their continuity made certain;
- Ensure staff are trained to respond effectively to an incident or disruption through appropriate exercising;
- Understand the requirements of key stakeholders and maintain communication with them;
- Maintain the safety and well-being of service users, staff and estates;
- Deliver an enhanced level of service to meet the extraordinary demands of an evolving scenario;
- Ensure the supply chain is secured; and
- Contribute to whole System/Wide Area Resilience.

5.3 Business Impact Analysis
ALL Trust services in ALL Divisions will undertake a Business Impact Analysis (BIA) using the SHFT Business Impact Analysis template (see Appendix 2). Support and training in the use of the template will be provided by the Business Continuity and Resilience Manager.

The Business Impact Analysis element of the Business Continuity Management process will analyse the functions/activities of the service and/or Division on the basis of not performing that function. The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are categorised using the Impact Matrix at Page 5 within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require the support of the Trust and the Trust On-Call Director, whilst those GREEN and LIGHT GREEN can be supported internally by each Service and their On-Call Senior Manager.

This categorisation system will enable the Division/Area/Service to identify all Prioritised Activities and enables the Decision Maker, the Trust's Incident Gold Commander, to determine from a Trust wide perspective those services which need to be Enhanced, Reduced or Suspended. The number and complexity of Prioritised Activities/Services identified will determine the subsequent level of support needed to be provided to the Division/Area/Service during an incident. The necessary supporting resources for the delivery of the services will also be analysed and identified, and during an incident via a dynamic process. All services in all Divisions will review their BIA on an annual basis, on undertaking a new service or service provider, post exercise and post incident.

5.4 Risk Assessment
All Trust services in all Divisions will undertake a Risk Assessment within the Trust's Business Impact Analysis template and guidance tools (see Appendix 2).

The Risk Assessment element of the process considers the services and supporting resources identified in the BIA stage. The likelihood and impact of a variety of risks that could cause disruption to these services is analysed, with the focus being on the RED, AMBER and YELLOW Prioritised Activities/Services, allowing services and/or Divisions to prioritise their risk reduction activities.

For the identified RED, AMBER and YELLOW Prioritised Activities/Services, ALL Divisions will analyse the impact of disruption and determine:
- The Maximum Tolerable Period of Disruption (MTPD) using the following Standard List: One hour; Four hours; One Day; One Week; One month;
- The Recovery Time Objective (RTO) of a product, service or activity, which must be less than its MTPD, using the following Standard List: One hour; Four hours; One Day; One Week; One month;
- The minimum amount of appropriate resources (including staff, premises, IT, equipment and information) in order to maintain those Prioritised Activities/Services at a basic level and with the appropriate skills/level of expertise required. This must include processes to identify persons with skills which are not easily obtained from elsewhere within the Trust;
- Where key services are supplied by another organisation, whether it has in place any reciprocal arrangements, whether they are available out of hours if required, and whether there are mutual aid arrangements in place;
- The impact of particular resource losses and, where appropriate, to reference this to the appropriate risk register; and
- Appropriate control measures that can be put in place to reduce the likelihood of disruption, shorten the period of disruption, and limit the impact.

5.5 Recovery Plans
Having made the Business Impact Analysis and Risk Assessment, all services in all Divisions will formulate their Recovery Plan as to how RED, AMBER and YELLOW Prioritised Activities/Services will be restored in order to meet the determined RTOs.

Recovery Plans will be:
- Comprehensive but easily understandable;
- Legal;
- Efficient;
- Achievable;
- Realistic;
- Risk Assessments as concise as possible and readily available when needed; and
- Easy to revise and update.

Service, Area and Divisional Recovery Plans will form a key part of the Divisional Incident Response Plans. These plans will also detail the mechanism for escalating business continuity incidents to the Divisional Director and their On-Call Senior Manager to the Trust's On-Call Director to ensure incidents are managed at the appropriate level according to the level of risk posed.

5.6 Southern Health NHS Foundation Trust Directorate and Service Business Continuity Plans
Each Directorate and Service Area will complete a specific Business Continuity Plan resulting from the Business Impact Analysis (BIA) carried out within their area of responsibility. The purpose of this document is to provide a framework for an appropriate response and therefore mitigate the impacts of business disruption on the operation and reputation of the organisation by:
- Responding to a disruptive incident (incident response);
- Maintaining delivery of Prioritised Activities/Services during an incident (business continuity); and
- Returning to Business as Usual (resumption and recovery).

5.7 Southern Health NHS Foundation Trust Trust-wide RED, AMBER and YELLOW Prioritised Activities/Services
The Head of Risk and Business Continuity and designated Emergency Planning Manager will compile from the Service/Area and Divisional Business Continuity Plans a Trust wide list of all SHFT's RED, AMBER and YELLOW Prioritised Activities/Services and the planned responses to disruption. This will be held at the Trust Incident Co-ordination Centre (ICC) and form part of the On-Call Director's Pack.

In the event of a major incident or emergency being declared, the Trust's Incident Management Team (IMT) will use this plan during and after the event to support decision making in maintaining the organisation's Prioritised Activities/Services and to bring back on line those services reduced or suspended as soon as reasonably practicable.

5.8 Incident Identification
An incident or set of circumstances which might present a risk to the continuity of a service might be identified by any member of staff. When such an incident or set of circumstances is identified, it is important that the staff member identifying the incident knows what to do. In the initial stages, this will involve making sure that the right people have been informed. In the event of a minor incident, or one that can be dealt with using normal services and resources available, managers and staff will manage the incident locally. The table below outlines the Levels of Incident and the required action of Trust staff and On-Call staff:

Level of Incident: NEGLIGIBLE. Limited local impact
Action:
- Take any remedial action it is safe to take
- Report to line manager
- Follow Service/Area/Divisional Business Continuity Plan

Level of Incident: MINOR. Disruption to a GREEN Service
Action:
- Only notify Service/Area Manager/Divisional Director if this impacts upon a Priority Activity
- Take any remedial action it is safe to take
- Report to line manager
- Follow Service/Area/Divisional Business Continuity Plan

Level of Incident: MODERATE. Disruption to a YELLOW Service (A service which could be suspended if necessary)
Action:
- Notify Service/Area Manager/Divisional Director who may notify the Director On Call & Accountable Emergency Officer (AEO)
- Follow Service/Area/Divisional Business Continuity Plan

Level of Incident: MAJOR. Disruption to an AMBER Service (A service which could be reduced/scaled down if necessary)
Action:
- Notify Service/Area Manager/Divisional Director who will notify the Director On Call & Accountable Emergency Officer (AEO)
- Out of Hours notify the Divisional Manager on Call who will notify the Director on Call
- Follow Service/Area/Division Business Continuity Plan

Level of Incident: CATASTROPHIC. Disruption to a RED Essential Service (A service which must be enhanced/continued)
Action:
- Notify Service/Area Manager/Divisional Director who will notify the Director on Call & Accountable Emergency Officer (AEO)
- Out of Hours notify the Divisional Manager on Call who will notify the Director on Call
- The Director on Call will determine whether to declare a Major Incident or Major Incident Standby (as appropriate)
- Follow Service/Area/Divisional Business Continuity Plan

5.9 Incident Declaration

Normal Working Hours
During normal working hours, in the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services, an Incident would be declared and the local Business Continuity Plan invoked by the Divisional Director or Area/Service Manager with responsibility for the service affected. If appropriate, the Accountable Emergency Officer will declare a Major Incident or Major Incident Standby in order to mobilise an effective response across the organisation and ensure the involvement of partners where required. Where more than one service is affected, any one of the responsible Divisional Directors or Area/Service Managers can decide to declare an incident and invoke the Trust's Incident Response Plan.

Out of Hours
In the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services, occurring outside normal working hours, the Divisional On-Call Senior Manager would decide to declare an Incident and invoke the local Business Continuity Plan, informing the Trust On-Call Director. If appropriate, the On-Call Director will declare a Major Incident or Major Incident Standby and invoke the Trust's Incident Response Plan in order to mobilise an effective response across the organisation and ensure the involvement of partners where required.

Both during normal working hours and out of hours, the responsible Divisional Director, Area/Service Manager or Divisional Manager on Call would:
- Start an incident log;
- Notify the Accountable Emergency Officer (in hours) and the On-Call Director of the incident and response at the earliest opportunity;
- Notify the Director of Communications and Engagement (in hours). Out of hours the Director on Call would notify the Communications on Call; and
- If out of hours, notify the Divisional Director, Area/Service Manager with line management responsibility for the service at the earliest possible opportunity the next working day.

If, in hours or out of hours, the On-Call Director decides it is appropriate to declare either a Major Incident or Major Incident Standby, the Trust's Incident Response Plan would then be followed.

5.10 Stand Down
The responsible Divisional Director, Area/Service Manager and, out of hours, Divisional Manager on Call would decide, in consultation with the On-Call Director and Accountable Emergency Officer, when an Incident can be stood down.

5.11 Recovery, Debrief, Lessons identified to Lessons learnt
The responsible Divisional Director or Area/Service Manager would be responsible for leading a debriefing and review process to ensure organisational learning, through identifying lessons to then be learnt:
- A review of the response by the service, area, division, organisation, partners/other agencies is evaluated, from which lessons that are identified can be highlighted and from which a timetable of how those lessons will be learnt;
- Staff receive appropriate support to ensure their health, safety and well-being at work;
- All areas of concern are addressed;
- All relevant documents are collated and a report prepared;
- Any additional training needs are identified and a timetable of when that will be delivered;
- Staff are kept fully informed; and
- The local Business Continuity Plans are reviewed and updated.

Document Management
Every Business Continuity Plan will be version controlled, and sent to the Trust Head of Business Continuity and Resilience Manager who will collate a central register of Business Continuity Plans and make these plans, together with this Policy, available on the Trust Intranet in the Emergency Planning section. The plan's author is responsible for ensuring the most up to date version is available on the Intranet and easily accessible within the Division and to its services.

Exercising
Trust wide exercises (unannounced, planned or table top) will be conducted as described in the Trust's Incident Response Plan (IRP). Individual Divisions are responsible for ensuring that their Business Continuity Plans are exercised. The frequency of exercise will be dependent on the number of Prioritised Activities/Services and the risk to them, and will be at the discretion of the Divisional Director. However, all Business Continuity and Recovery Plans should be exercised and reviewed annually by:
- Testing. Not all aspects of a plan can be tested, but crucial elements such as the contact list and the activation process can;
- Discussion. Staff are brought together to inform them of the plan and their individual responsibilities. Discussion allows problems and solutions to be identified (Lessons identified to be Learnt);
- Table-top. Staff take decisions as a scenario unfolds in the same way they would in the event of a real Incident; and
- Live. Ranges from a small scale test of one component, such as evacuation, through to a full scale test of all the components of the plan.

It is the responsibility of the Business Continuity Plan owner to implement the lessons identified into lessons learnt/any actions required as a result of exercise.

6 Training Requirements
The Head of Risk and Business Continuity will ensure that Business Continuity Management (BCM) is included in the Trust's corporate induction risk management training. All managers will ensure that awareness of their Service/Area or Divisional Business Continuity Response Plans forms a part of the local induction process. Staff with a Divisional lead role in BCM will be trained according to their level of need, as per the Trust's and Local Resilience Forum(s) Training Needs Analysis (TNA). See Appendix 5. Significant changes and updates to BCM requirements or processes will be notified through the Trust's Emergency Preparedness, Resilience and Response Working Group (EPRR WG).

7 Monitoring Compliance
The Trust's Emergency Preparedness, Resilience and Response (EPRR) Working Group (WG) will monitor compliance with the Trust's Business Continuity Management arrangements. Exceptions against the standards defined in this policy will be reported to the Assurance and Risk Committee. Business Continuity Management compliance will be included in the Annual Report for Business Continuity and Resilience to the Assurance and Risk Committee. Audits of Service/Area and Divisional Business Continuity Plans will be initiated and carried out in accordance with the Trust's Annual Audit programme. This Policy has been through an Equality Impact Assessment at Appendix 6.

8 Policy Review
This policy will be reviewed annually of it being approved or at any point within this time to reflect organisational change, changes in legislation and/or guidance or following an Incident.

9 Associated Documents
This document should be read in conjunction with the Trust's:
- Incident Response Plan, associated plans and action cards;
- An Emergency Event: Guidelines on Managing the Workforce Issues;
- Risk Management Policy;
- Risk Management Strategy;
- Incident Management Policy;
- Health & Safety Policy;
- Climate Change Adaption Plan; and
- Investigation, Analysis and Learning Policy.

10 Supporting References

The following documents provide the regulatory and strategic context for this policy. They make Business Continuity Management a legal requirement for Southern Health NHS Foundation Trust, and describe expectations and good practice regarding emergency preparedness and business continuity:
Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency Planning) regulations 2005;
Humanitarian Assistance Guidance;
Business Continuity Institute Good Practice Guidelines (2013);
International Standards Organisation ISO: 22301: 2012;
Health and Social Care Act 2008 (Regulated Activities) Regulations 2009;
Care Quality Commission's Essential Standards of Quality and Safety;
Responding to Emergencies: The UK Central Government Response. Concept of Operations 2010;
NHS Resilience PAS 2015: Guidance for NHS-funded organisations 2010;
Health and Social Care Act 2012;
National Occupational Standards for Civil Contingencies: Skills for Justice;
British Standards Institute PAS 2015 Framework for Health Services Resilience;
NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013;
NHS Commissioning Board Emergency Preparedness Framework 2014;
NHS Commissioning Board Business Continuity Framework (Service Resilience) 2013;
NHS Commissioning Board Business Continuity Policy Guidance; and
NHS England Business Continuity Management Toolkit.
Climate Change Act

Appendix 1
Policy Title: Policy Implementation Plan
Policy Author: Fiona Richey, Head of Risk and Business Continuity

Action to be taken | By who | By when | Progress to date

Review of Corporate Induction Governance and Risk Management sessions to ensure inclusion of Business Continuity Management
Review of Business Continuity and Resilience Group Terms of Reference
Identification of Divisional Business Continuity Leads
Business Continuity Training to Divisional Business Continuity Leads
Development of Service, Area and Divisional Business Impact Assessments (BIA)
Development of, or updating of, Service, Area and Divisional Business Continuity Plans
Inclusion of Trust wide Business Continuity Plan in the Director on Call Information Pack and Trust Incident Coordination Centre (ICC)
Annual review of Service, Area, Divisional and Trust Business Continuity Plans

Head of Risk and Business Continuity/Business Continuity and Risk Manager + those responsible for delivering TQ21 and Medical Gov and Risk Induction training - tbc Completed Completed Head of Risk and Business Continuity/Business Completed Completed Continuity and Risk Manager Divisional Directors/Area/Service Managers Completed Completed Head of Risk and Business Continuity/Business Completed Continuity and Risk Manager Divisional Directors/Area/Service Managers February 2015 Divisional Directors/Area/Service Managers March 2015 Head of Risk and Business Continuity/Business Continuity and Risk Manager Divisional Directors, Area/Service Managers, and Head of Risk and Business Continuity/Business Continuity and Risk Manager 17 March 2016 Completed

Appendix 2
Directorate/ Service name
Business Impact Analysis (BIA)
Date:
Version Number: 0.4

Southern Health NHS Foundation Trust Business Impact Analysis: template

Contents
1. Introduction
2. Supporting information
3. Department / team / service information
4. Prioritised Activities
5. Business Continuity Risks
6. Continuity Requirements Analysis
7. Staff Mapping Tool
8. Beyond the BIA

1. Introduction

This document has been adapted from the NHS England Business Continuity Management Toolkit. The purpose of the original document is to assist those who are developing a Business Continuity Plan for their organisation. This version has been adapted for use within Southern Health NHS Foundation Trust and for our NHS Funded providers.

This template is produced in the spirit of ISO & but focusses on the priorities around which the NHS England EPRR Core Standards are set.

Further guidance on the wider subject of Business Continuity can be sought from:
NHS England Region/Area/Directorate Business Continuity Leads
The NHS England National Support Centre Business Continuity Team
The NHS England Business Continuity Management Framework (service resilience) 2013
The NHS England Preparedness Framework 2013
ISO Societal Security - Business Continuity Management Systems Requirements
ISO Societal Security - Business Continuity Management Systems Guidance
PAS Framework for Health Services Resilience
Business Continuity & Resilience Manager Southern Health NHS Foundation Trust
Environmental Sustainability Manager Southern Health NHS Foundation Trust

Southern Health NHS Foundation Trust will develop and maintain a Business Impact Analysis (BIA) for each service.

Included within this document are fields which relate to environmental impacts. Please also complete these areas, as this will, in addition to supporting the BIA, also support the Trust's Environmental Strategies.

This document also contains a staff mapping tool that can be used to gather information to facilitate workforce capability and capacity management in the event of a business disruption.

2. Supporting information

This section provides some background information to assist the EPRR leads to complete the Business Impact Analysis (BIA).

NHS Mail
Provided by the Health and Social Care Information Centre
The disaster recovery solution is based on dual-site, geographically separated data centres with active and standby nodes of all infrastructures in the primary data centre. Data is synchronised across all three instances of the infrastructure so if a component fails in the primary data centre it will fail over to the standby node in the same data centre. If the data centre suffers a full outage, the service will fail over to the secondary data centre.

Buildings
Provided by SHFT or via NHS Property Services or Contracts with other providers
SHFT Estates and facilities will work with NHS Property Services to explore potential strategies for managing a loss of building. EPRR leads are encouraged to discuss disaster recovery locations with their local Estates and facilities lead. There may be local arrangements already in place for providing alternative premises in the event of a building failure.

Business Continuity Risk
The key risks to the organisation achieving its objectives can be found in the Board Assurance Framework along with the Board papers. Operational risks will be held within directorates. Drawing on material from all directorates, an executive risk management group will have an overview of significant risks, take actions where needed and bring the most significant strategic risks to the attention of the Board.
Remember: Contingency Plans under the CCA are based on local risks, of which the Trust must be aware and which it must include within the Risk monitoring processes. Therefore those Risks that are identified as part of the business continuity management process should be managed in line with the organisation's and directorates' processes and procedures.

Prioritised activities
Prioritised activities are those to which priority must be given following an incident in order to mitigate impacts. It may be that an activity can be suspended initially but later it becomes a priority. For example, a task that must be completed at certain intervals rather than on a continuous basis.

Examples of prioritised activities are:
Incident Response
Media communications

Examples of activities that can be completed at certain intervals are:
Reporting to National Bodies
Freedom of information requests
Complaints
Parliamentary questions

Examples of environmental impacts:
Pollution incident, for example spillage from oil storage tank
Chemical spillage
Noise pollution

Examples of climate change impacts:
Extreme weather events: flooding, heat wave, severe cold spell, storms

3. Department / team / service information

Reference Number:
1. Name of author:
2. Job title of author:
3. Author telephone and
4. Date:
5. Business Continuity Lead:
6. Name and description of service and location:

4. Prioritised Activities

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical).

Step One: The first part of the Business Impact Analysis (BIA) process is to identify the core business and key deliverables of the Directorate/Service. These are your Prioritised Activities. Prioritised Activities are those to which priority must be given following an incident in order to mitigate impacts.

Step Two: Using those Prioritised Activities that you have identified above, use the Impact Matrix at Page 9 to identify what the impact score would be of each if they were affected.

Step Three: Following the process at Step Two, now use the Likelihood Matrix at Page 10 to identify what the Likelihood score is of each of the Prioritised Activities being affected.

Step Four: Using the scores from both Step Two and Three, map the scores for each Prioritised Activity into the Likelihood x Impact Matrix at Page 11. Use this final score.

Step Five: Only those identified as RED, AMBER and YELLOW will be captured within the BIA as these could have a wider impact on the Trust and may require the support of the Trust and the Trust On-Call Director. Those identified as GREEN and LIGHT GREEN can be supported internally by each Service and their On-Call Senior Manager.

The results from Step Four are then reflected in the table overleaf:

List the prioritised activities undertaken | Tick as appropriate: Red | Amber | Yellow | Responsible Officer
i.
ii.
iii.
iv.
v.
vi.
vii.

Impact Matrix
Qualitative Assessment of Impact

Level | Descriptor | Description
1 | Negligible | Minor first aid treatment. No environmental implications. No or very low financial loss i.e. under £1,000. No or very minor internal disruption to the overall service delivery or other services. No impact on the organisation's overall service delivery. No or very minor disruption to external services reliant upon them.
2 | Minor | Injury requiring first-aid treatment or temporary minor illness (less than 3 days lost). Minimal environmental implications. Failure to meet (local) departmental standards. Minimal loss of reputation. Moderate financial loss (£1k to £9k). Minimal business interruption.
3 | Moderate | Break of minor bone or temporary minor illness (3-7 days lost). Moderate environmental implications. Moderate financial loss (£10k to £49k). Moderate loss of reputation. Failure to meet organisational standards. Moderate business interruption.
4 | Major | Single death of any person/ Permanent serious illness/ disability. Extreme environmental implications. Extreme financial loss (£250k to £499k). Intermittent failure to meet national professional standards and/ or statutory requirements. Extreme business interruption.
5 | Catastrophic | Multiple deaths involving any persons/ multiple permanent serious illness/ disability. Extreme financial loss (£500k+). Catastrophic business interruption. Sustained failure to meet national professional standards and/ or statutory requirements.

Page 9

Likelihood Matrix
Qualitative Assessment of Likelihood

Level | Descriptor | Likelihood (over 5 years)
1 | Rare | May occur in exceptional circumstances (less than 5% chance).
2 | Unlikely | Could occur at some time (6-25% chance).
3 | Moderately unlikely | The event should occur at some time (26-50% chance).
4 | Likely | The event will occur in most circumstances (51-75% chance).
5 | Certain | The event is expected to occur in the next 5 years.

Page 10

[Impact x Likelihood matrix. Impact (rows): Catastrophic, Major, Moderate, Minor, Negligible. Likelihood (columns): Rare, Unlikely, Moderately Unlikely, Likely, Certain. Key: Negligible, Minor, Moderate, Major, Catastrophic.]

Use the table overleaf to record the impact of the loss of an activity for different lengths of time and identify where this length of disruption would be acceptable to the organisation and its stakeholders. Using the Descriptors above, add a Score to each and whether or not this will be tolerable.

Page 11

Impact of disruption to prioritised activities

Columns: Prioritised Activity | Length of disruption | Category of Impact (please tick) | Comment | Score [1] | Tolerable (Yes or No)

Category of Impact (please tick): Financial; Service delivery; Reputation; Health and safety; Environmental; Information security; Statutory or regulatory duty; Business objective; Supplier

Length of disruption, recorded for each Prioritised Activity (i., iii., iv.):
Up to ½ day
½ day to 1 day
1 day to 1wk
1wk to 1mth
1mth to 3mths

[1] 1=Negligible, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic

Some activities will be of greater priority at different points in the year; for example, certain financial processes will need to be prioritised at financial year end.

Do your prioritised activities vary at different times of the month or year? Please explain

5. Business Continuity Risks

The table below is based on the NHS England Risk Register from the NHS Risk Management Policy and Procedures and includes a number of scenarios that present a risk to the organisation. Consider these scenarios and decide whether or not they present a risk to the prioritised activities that you provide. For example, if your service is paperless it is unlikely that a loss of paper records will have an impact. Please add any other scenarios that are relevant to your service.

Which of the following hazards and threats are relevant to your department or service?

Ref | Hazard or threat | Y or N | Why?
1 | Fire or flood
2 | Loss of electronic records
3 | Loss of paper records
4 | IT systems/application failure
5 | Mobile telephony failure
6 | Major IT network outage
7 | Denial of premises
8 | Terrorist attack or threat affecting the transport network or office locations
9 | Theft or criminal damage
10 | Chemical contamination or pollution incident, such as oil spillage
11 | Serious injury to, or death of, staff whilst in the offices
12 | Significant staff absence or disruption to patient access due to severe weather or transport issues
13 | Infectious disease outbreak
14 | Simultaneous resignation or loss of key staff
15 | Industrial action
16 | Fraud, sabotage or other malicious acts
17 | Violence against staff
18 | Please add any other relevant threats

The Civil Contingencies Act (CCA) regulations and guidance (chapter 6, 6.74) identify five broad strategy options that could be considered when developing your risk reduction strategy:

Do nothing: if the risk is deemed to be acceptable by senior management they may choose to do nothing. This may be suitable for an event with a very low probability of occurrence, such as an earthquake.
Changing, transferring or ending the process: consideration must be given to fulfilling any statutory duties and any insurance or reputation ramifications as a result of a third party failing to deliver.
Insurance: may provide some financial cover but cannot protect the reputation of the organisation and other associated losses.
Loss mitigation: putting in place procedures to eliminate or reduce the risk, such as installing smoke alarms.
Business Continuity Planning: putting in place arrangements that allow for the recovery and continuity of key business processes within a pre-identified time frame.


More information

abcdefghijklmnopqrstu

abcdefghijklmnopqrstu abcdefghijklmnopqrstu Business Continuity A Framework for NHS Scotland Strategic Guidance for NHS Organisations in Scotland 1 Contents 1. Introduction 4 1.1 Business Continuity Overview 5 2. Roles and

More information

Business continuity management policy

Business continuity management policy Business continuity management policy health.wa.gov.au Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business

More information

EPRR: BCP - Checklist

EPRR: BCP - Checklist NHS England Business Continuity Management Toolkit EPRR: BCP - Checklist Appendix 3.2 1 [Intentionally Blank] INTRODUCTION The purpose of this document is to assist those who are developing a business

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Company Management System. Business Continuity in SIA

Company Management System. Business Continuity in SIA Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT

More information

EPRR: Toolkit Facilitator Guide

EPRR: Toolkit Facilitator Guide NHS England Business Continuity Management EPRR: Toolkit Facilitator Guide APPENDIX 1 1 [Intentionally Blank] INTRODUCTION The document has been designed to assist you to deliver the outcomes of the workshop

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Version 1 approved by SMG December 2013 Business Continuity Policy Version 1 1 of 9 Business Continuity Management Summary description: This document provides the rationale

More information

Enterprise South Liverpool Academy

Enterprise South Liverpool Academy Enterprise South Liverpool Academy Emergency and Crisis Management The sponsors mission is that the Enterprise South Liverpool Academy (ESLA) equips all members of its learning community with the values,

More information

Update from the Business Continuity Working Group

Update from the Business Continuity Working Group 23 June 2014 Performance and Resources Board 19 To note Update from the Business Continuity Working Group Issue 1 The Business Continuity Working Group oversees the development, maintenance and improvement

More information

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012 To: From: Subject: Status: Date of Meeting: BSO Board Director of Human Resources & Corporate Services Business Continuity Policy For Approval 28 February 2012 The Board is asked to agree the attached

More information

Departmental Business Continuity Framework. Part 2 Working Guides

Departmental Business Continuity Framework. Part 2 Working Guides Department for Work and Pensions Departmental Business Continuity Framework Part 2 Working Guides Page 1 of 60 CONTENTS Guide to business impact analysis...3 Guide to business continuity planning...7 Guide

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during

More information

Business Continuity Business Continuity Management Policy

Business Continuity Business Continuity Management Policy Business Continuity Business Continuity Management Policy : Date of Issue: 28 January 2009 Version no: 1.1 Review Date: January 2010 Document Owner: Patricia Hughes Document Authoriser: Tony Curtis 1 Version

More information

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015. Business Continuity Policy Statement 2015

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015. Business Continuity Policy Statement 2015 Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015 Business Continuity Policy Statement 2015 This Policy sets the direction for Business Continuity

More information

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY VERSION 1.0 ISSUED JULY 2015 CONTENTS Page CONTENTS VERSION CONTROL FOREWORD i ii iii POLICY 1 Scope 1 Aim and Objectives 1 Methods and Standards 1

More information

South Norfolk Council Business Continuity Policy

South Norfolk Council Business Continuity Policy South Norfolk Council Business Continuity Policy 1 Title: Business Continuity Policy Date of Publication: TBC Version: 2 Published by: Emergency Planning Team Review date: April 2014 Document Owner: Document

More information

BUSINESS CONTINUITY MANAGEMENT PLAN

BUSINESS CONTINUITY MANAGEMENT PLAN BUSINESS CONTINUITY MANAGEMENT PLAN For Thistley Hough Academy Detailing arrangements for Recovery and Resumption of Normal Academy Activity Table of Contents Section Content 1.0 About this Plan 1.1 Document

More information

Proposal for Business Continuity Plan and Management Review 6 August 2008

Proposal for Business Continuity Plan and Management Review 6 August 2008 Proposal for Business Continuity Plan and Management Review 6 August 2008 2008/8/6 Contents About Newton IT / Quality of our services. BCM & BS25999 Overview 2. BCM Development in line with BS25999 3.

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

[INSERT NAME OF SCHOOL] BUSINESS CONTINUITY PLAN

[INSERT NAME OF SCHOOL] BUSINESS CONTINUITY PLAN Plan Ref No: [INSERT NAME OF SCHOOL] BUSINESS CONTINUITY PLAN PLAN DETAILS Date Written Plan Owner Plan Writer Version Number Review Schedule 6 monthly Annually Date of Plan Review Date of Plan Exercise

More information

NHS Durham Dales, Easington and Sedgefield Clinical Commissioning Group. Business Continuity Plan

NHS Durham Dales, Easington and Sedgefield Clinical Commissioning Group. Business Continuity Plan NHS Durham Dales, Easington and Sedgefield Clinical Commissioning Group Business Continuity Plan Page 1 Review To be done annually Author Chief Operating Officer Reviewer Head of Corporate Services Version

More information

Essex Clinical Commissioning Groups. Business Continuity Management System. Business Impact Analysis Process

Essex Clinical Commissioning Groups. Business Continuity Management System. Business Impact Analysis Process Essex Clinical Commissioning Groups Essex Clinical Commissioning Groups Business Continuity Management System Business Impact Analysis Process Policy Author: Daniel Hale - Head of Emergency Planning Version:

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

BCS Practitioner Certificate in Business Continuity Management Syllabus

BCS Practitioner Certificate in Business Continuity Management Syllabus BCS Practitioner Certificate in Business Continuity Management Syllabus Version 4.3 March 2015 Contents Change History... 4 Introduction... 5 Objectives... 5 Entry Criteria... 5 Examination Format and

More information

SFJCCAD2 Promote business continuity management

SFJCCAD2 Promote business continuity management Overview This unit is about providing advice and assistance on business continuity management, including general advice for the business and voluntary sectors, and specific advice and assistance to individual

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Title: Rio Tinto management system

Title: Rio Tinto management system Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23

More information

NHS NEWCASTLE GATESHEAD CLINICAL COMMISSIONING GROUP

NHS NEWCASTLE GATESHEAD CLINICAL COMMISSIONING GROUP NHS Newcastle Gateshead Clinical Commissioning Group NHS NEWCASTLE GATESHEAD CLINICAL COMMISSIONING GROUP Business Continuity Plan (including Emergency Planning Response and Resilience, Surge Management

More information

Corporate Risk Management Policy

Corporate Risk Management Policy Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction

More information

Business Continuity Policy. Version 1.0

Business Continuity Policy. Version 1.0 Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises

More information

WILTSHIRE POLICE FORCE POLICY

WILTSHIRE POLICE FORCE POLICY Template v4 WILTSHIRE POLICE FORCE POLICY BUSINESS CONTINUITY MANAGEMENT SYSTEMS (BCMS) Effective from: July 2013 Version: 2.0 Next Review Date: July 2015 POLICY STATEMENT Wiltshire Police has a statutory

More information

Business Continuity Policy

Business Continuity Policy Title: Business Continuity Policy Document Author: Board Secretary/Emergency Planning Lead Document type: Policy Document library section: Corporate Document status: Final Approved by: Governance and Assurance

More information

How To Manage Risk In Ancient Health Trust

How To Manage Risk In Ancient Health Trust SharePoint Location Non-clinical Policies and Guidelines SharePoint Index Directory 3.0 Corporate Sub Area 3.1 Risk and Health & Safety Documents Key words (for search purposes) Risk, Risk Management,

More information

Business Continuity: NHS Workshop Appendix 1.1

Business Continuity: NHS Workshop Appendix 1.1 1 Business Continuity: NHS Workshop Appendix 1.1 2 Housekeeping Fire safety Breaks and refreshments Toilets Mobiles and pagers 3 Introduction Respect each others contributions What is said in the room

More information

Business Continuity Management Policy and Framework

Business Continuity Management Policy and Framework Management Policy and Framework Version: Produced by: Date Produced: Approved by: Updated: 7 University Manager with the assistance of the Operational Group 11 th March 2010 Steering Group (14 December

More information

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Business Continuity Management Systems. Protecting for tomorrow by building resilience today Business Continuity Management Systems Protecting for tomorrow by building resilience today Vital statistics 31% 40% of UK businesses have been affected by bad weather related transport problems, power

More information

Risk Management. Policy

Risk Management. Policy Policy Risk Management Endorsed: 26 February 2014 Brief description The GPC Risk Management Policy and its supporting standards and procedures provide a framework to ensure that risks arising from our

More information

GUIDANCE ON THE COMPILATION OF BUSINESS CONTINUITY PLANS. Front cover Add your logo, company name and the date the plan was last amended.

GUIDANCE ON THE COMPILATION OF BUSINESS CONTINUITY PLANS. Front cover Add your logo, company name and the date the plan was last amended. LINCOLNSHIRE SUPPORTING PEOPLE GUIDANCE ON THE COMPILATION OF BUSINESS CONTINUITY PLANS Front cover Add your logo, company name and the date the plan was last amended. Distribution list List who has a

More information

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan? Business Continuity Is your Business Prepared for the worse? Major emergencies can develop suddenly without warning. Situations can threaten and disrupt your business and impact upon you and your staff.

More information

BUSINESS CONTINUITY POLICY AND STRATEGY

BUSINESS CONTINUITY POLICY AND STRATEGY Item 10.2 December 2014 Authorship: Reviewing Committee: Date: Approval Body Pennie Furneaux, Policy and Assurance Manager Senior Management Team Audit Committee 2 nd December 2014 10 th December 2014

More information

and Entry to Premises by Local

and Entry to Premises by Local : the new health protection duty of local authorities under the Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013 1 Purpose of this

More information

Business Continuity Management Program Development Guide

Business Continuity Management Program Development Guide Business Continuity Management Program Development Guide Prepared by The NS Emergency Management Office, Winter 2012 Version 1.1 Page 2 of 24 Document Revision History Date Author Revision Notes Fall 2011

More information

University of Hong Kong. Emergency Management Plan

University of Hong Kong. Emergency Management Plan University of Hong Kong Emergency Management Plan (HKU emergency hotline: 3917 2882) Version 1.0 Oct 2014 (Issued by Safety Office) (Appendix 3 not included) UNIVERSITY OF HONG KONG EMERGENCY MANAGEMENT

More information

Business Continuity and Emergency Planning Policy and Strategy

Business Continuity and Emergency Planning Policy and Strategy Business Continuity and Emergency Planning Policy and Strategy Corporate/Strategic Register No: 12009 Status: Public once ratified Developed in response to: Civil Contingency Act (2004) Staff / Management

More information

BUSINESS CONTINUITY PLAN 1 DRAFTED BY: INTEGRATED GOVERNANCE MANAGER 2 ACCOUNTABLE DIRECTOR: DIRECTOR OF QUALITY AND SAFETY 3 APPLIES TO: ALL STAFF

BUSINESS CONTINUITY PLAN 1 DRAFTED BY: INTEGRATED GOVERNANCE MANAGER 2 ACCOUNTABLE DIRECTOR: DIRECTOR OF QUALITY AND SAFETY 3 APPLIES TO: ALL STAFF BUSINESS CONTINUITY PLAN 1 DRAFTED BY: INTEGRATED GOVERNANCE MANAGER 2 ACCOUNTABLE DIRECTOR: DIRECTOR OF QUALITY AND SAFETY 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: GOVERNING BODY, 5 MARCH

More information

Business Continuity Planning

Business Continuity Planning Business Continuity Planning Assistance for Young Enterprise Business Continuity Planning for small to medium-sized businesses This information will guide you through some steps that could help your business

More information

V1.0 - Eurojuris ISO 9001:2008 Certified

V1.0 - Eurojuris ISO 9001:2008 Certified Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation

More information