NOMS BUSINESS CONTINUITY MANAGEMENT MANUAL

Transcription

1 NOMS BUSINESS CONTINUITY MANAGEMENT MANUAL This instruction applies to:- NOMS Agency HQ All prisons Reference:- AI 11/2014 PSI 13/2014 Issue Date Effective Date Expiry Date Implementation Date 03 April April April 2018 Issued on the authority of For action by Instruction type For information Provide a summary of the policy aim and the reason for its development/revision Contact NOMS Agency Board All staff responsible for the development and publication of policy and instructions NOMS HQ Public Sector Prisons Contracted Prisons* Governors Heads of Groups *If this box is marked, then in this document the term Governor also applies to Directors of Contracted Prisons Service Improvement All NOMS Agency staff To bring NOMS in line with the current ISO (formerly British Standard BS25999) NOMS Business continuity and resilience Phone: / / Associated documents Quantum Intranet Site PSO 1400 Incident Management Manual PSI 09/2014 Incident Management Manual MoJ Business Continuity and Incident Management Plans PSI 20/2009 Flu pandemic Clive House Business Continuity Plan NOMS Agency Business Continuity Risk Register Replaces the following documents which are hereby cancelled: Replaces PSO 1401 Audit/monitoring: To be monitored by Governors, Directors of Contracted Out prisons, Deputy Directors of Custody and Heads of Directorates using Local Assurance Frameworks (LAF). The PSI and LAF will be subject to independent review by Internal Audit and Assurance.

2 PAGE 1 CONTENTS Section Subject Applies to Executive summary Background Desired outcome Application Mandatory actions Resource impact An overview of Business Continuity Management Business Continuity Management Clarification of what is meant by a Disruptive Event All staff All staff involved in BCM 3 Responsibility for Business Continuity Management All staff involved in BCM Overview Responsibilities for NOMS Business Continuity and Resilience Team Responsibilities for Establishment Business Continuity/Resilience Lead Responsibilities for DDCs Business Continuity and Resilience Leads Responsibilities for other NOMS sites and business units Responsibility for HQ Annex A Simple Business Impact Assessment (BIA) template All staff involved in BCM Annex B Prison Establishments Business Impact Assessment Prison Establishment staff involved in BCM Annex C C.1 C.2 C.3 C.4 Guidance on Developing a Business Continuity Plan Business Impact Assessment Business Continuity Plan Features of Business Continuity Planning Local Resilience Forums All staff involved in BCM Annex D D.1 D.2 Annex E E.1 E.2 E.3 E.4 E.5 E.6 E.7 E.8 E.9 E.10 Guidance on Testing Reviewing and testing Debrief report National Operations Coordination Centres Introduction Coordination Committee Role of NOCC Liaison Operational Arrangements Convening a Coordination Committee Actions for DDCs (which includes DDC High Security Estate) Governing Governors, Heads of Groups and Directors and Controllers of Contracted-out Prisons Staffing of NOCC Communication with NOCC Contact Details All staff involved in BCM All staff Annex F Glossary All staff

3 PAGE 2 1. Executive Summary Background 1.1 This PSI 13/2014 AI 11/2014 replaces PSO 1401 (issued February 2006) and sets out the arrangements necessary to ensure Business Continuity Management (BCM) is performed in accordance with the current British Standard, BS25999 and ISO All parts of NOMS are required to maintain Business Continuity Plans (BCPs) to ensure critical business activities and sites remain operational while a prompt and efficient recovery of business as usual activities takes place in the event of an incident or other disruption affecting its premises or resources (including both staff and information). Some elements of BCM are already covered by PSI 09/2014-AI 06/2014 (Incident Management Manual) and at establishment level; governors must ensure the remaining BCM elements covered in this PSI are factored into their overall Business Continuity Plans. 1.2 It should be noted that this PSI refers to the management of staff, building premises, data and IT infrastructure, utilities and third-party suppliers after a disruptive event, and is intended to link risk assessments, resilience planning, incident management (PSI 09/2014 Incident Management Manual) and overall contingency arrangements to return to business as usual in a planned, controlled and effective manner. Desired outcomes 1.4 That all staff understand and comply with the BCM processes set out here and ensure that: Business Impact Assessments (BIAs) are completed at all levels of the organisation, including prison establishments (mandatory tool attached at Annex B), DDC offices (which throughout includes the DDC High Security Estate), other NOMS sites and business units (optional tool at Annex A), and HQ (BCM co-ordinated by MOJ, using Business Area Continuity plans, [BACPs]). The BIA tool attached at Annex B is designed for prison establishments, and must be used and submitted to the Business Continuity & Resilience team using the BC&R functional mailbox: NOMS Business continuity and resilience Potential local and national threats/risks to the critical operations are identified and proactively monitored, and where necessary a strategy should be developed for dealing with these eventualities should they materialise. Business Continuity Plans (BCPs) commensurate with the level of threat/risk are developed and implemented in establishments, DDC offices, HQ, and other NOMS sites and business units. There is increased awareness of what is meant by BCM and how BIAs and BCPs should be formulated. Application 1.5 All senior managers and appointed Business Continuity and Resilience Leads need to read, and where necessary implement, all sections of this policy. Mandatory actions 1.6 All mandatory actions are shown in italics.

4 PAGE 3 All staff involved with Business Continuity Management must be familiar with this PSI and understand the mandatory nature of the instructions. Chief Executives, Assistant Directors, Heads of Groups and Governors must ensure that all staff are made aware of this instruction. All staff must be given the opportunity to contribute towards the BIA (Business Impact Assessment) process and be aware of the BCP covering their area. For BCPs to remain effective they must be regularly reviewed and tested. Those with responsibility for maintaining BCPs at NOMS sites and business units must review and test their plans; as a minimum one risk/scenario every six months ensuring that they meet the requirements of ISO Further guidance on testing can be found in Annex D. Resource impact 1.7 There are costs in maintaining readiness across establishments, DDC offices, HQ, and other NOMS sites and business units. Time will have to be devoted to maintaining and amending plans and contract arrangements, and to deliver occasional desktop and live tests. It is assumed that most prison service establishments and DDCs offices are carrying out much of this work already as part of local contingency planning (PSO 1400 refers). HQ is already resourced for this work. Contacts Please refer to front cover. (signed) Digby Griffith Director of National Operational Services, NOMS

5 PAGE 4 2. An overview of Business Continuity Management Business Continuity Management 2.1 BCM is a continuous process of risk assessment and management with the purpose of ensuring that NOMS can continue to operate if risks materialise. These risks could be from the external environment (over which we have no control, such as power failure, pandemic flu or extreme weather) or from within the NOMS organisation, such as deliberate or accidental damage to systems. Business continuity is not just concerned with disaster recovery; it addresses anything that could impose a denial of service or facility (i.e. affect the continuity of service), such as staff shortages. 2.2 BCM centres on a BCP, which must be endorsed by senior management, maintained and subjected to rigorous testing. 2.3 BCM is about Policy and Programme Management of: Identifying Critical Activities; Understanding the business of NOMS and establishing what is vital for its continued operation. Increasing Resilience; Determining how best to decrease the likelihood of a disruptive event materialising and impacting critical activities Robust Planning to minimise the impact of an incident/disruptive event by developing and implementing a local, regional and/or HQ response to ensure critical activities and sites and services remain operational Proactively Monitoring arrangements by exercising, maintaining and reviewing arrangements 2.4 NOMS has many internal and external dependencies (these include providers, customers, other major stakeholders, IT systems and business processes). These dependencies must be identified at an early stage in the BCM process to ensure the effectiveness of the finalised BCPs. 2.5 To achieve the required standard, this must be embedded in the organisation s culture. Clarification of what is meant by a Disruptive Event 2.6 A disruptive event could be: A threat to staff, safety, buildings or the organisational structure of NOMS that requires a level of intervention to be taken to restore normal operations. 2.7 There are a number of different circumstances that may initiate a disruptive event, however the impact on the business is likely to be one of, or a combination of the following issues, which will vary in their degree of severity. Examples of the most likely impacts are: Loss of, or loss of access to buildings o environmental threats: flooding, storm or other severe weather conditions; o acts of offender/civil disruption or terrorism either aimed directly at sites or in the immediate vicinity or surrounding area; o fire or contagion affecting the site or nearby buildings Staff shortages o industrial action by staff o severe transport disruption o serious outbreak of flu or food poisoning

6 PAGE 5 o inability of staff to attend workplace due to environmental factors (flood/severe weather etc) Loss of utilities o electrical, heating, cooling, gas for cooking, water supply, lighting and IT systems etc; Loss of data/ IT systems o failure of IT systems/applications o damage to, or unavailability of paper records Disruptive events affecting third party suppliers, or o financial or contractual difficulties/collapse (including catering) o any of the above impacts affecting their premises

7 PAGE 6 3. Responsibility for Business Continuity Management 3.1 Although all staff must be given the opportunity to contribute to the BIA process, certain groups of staff have specific responsibilities for the formulation and maintenance of plans. 3.2 The staff and the activities they are responsible for are detailed below. Each responsibility must be recorded in the nominated lead s SPDR or equivalent. It is recommended that the Lead for DDC s offices and Prison establishments is conversant with the local contingency arrangements, Incident Management procedures and is able to represent the establishment/ddc at Local Resilience Forums. It is envisaged that these duties are performed by a member of the SMT or equivalent (current recommendation from Job Evaluation and Support team is minimum Band 7 final recommended grade to be confirmed). 3.3 Individual sites/business units must ensure a nominated person is given the responsibility of Business Continuity and Resilience Lead (BCRL), who must develop and proactively maintain a BCP and ensure that effective links are made with Local Resilience Forums (LRFs) and the NOMS Business Continuity and Resilience team (BC&R). Further guidance on developing a BCP is contained in Annex C 3.4 Staff who are based in shared accommodation, either with other Government departments and/or private organisations, must ensure that their requirements are included in the BCPs for their building. This must also include the arrangements for dealing with emergencies/incidents in the building, for example, fire evacuations. 3.5 National Business Continuity events that are likely to affect large parts of NOMS core business (e.g. Industrial Relations disputes, widespread environmental issues etc) are covered by the arrangements set out in Annex E (NOCC). 3.6 Any member of staff who has responsibility for introducing a new team or system (manual or IT based) or procedure, must consider the business continuity arrangements that need to be put in place and consult with their local Business Continuity and Resilience Lead if any of the tasks are assessed to be critical. 3.7 Responsibilities for NOMS Business Continuity and Resilience Team To act as a focal point at HQ for all BC matters To maintain the Initial Response Team arrangements for Clive House To act as a central resource for co-ordinating, mentoring and sharing of good practice to support NOMS sites and business units in achieving ISO To act as central liaison for MOJ Business Continuity Planning on behalf of NOMS To maintain the NOMS Agency level Business Continuity Risk Register To maintain a NOMS agency-wide register of BCRLs To disseminate relevant Business Continuity information via the network of BCRLs To collate the product of the BIA tool attached at Annex B To collate data in the event of a widespread disruption 3.8 Responsibilities for Prison establishment Business Continuity and Resilience Lead To carry out a BIA for their establishment using the tool attached at Annex B, and review at least annually Produce, maintain and test local BCP Provide their contact details to the NOMS Business Continuity and Resilience Team Feed individual prison BIAs/BCPs into DDC Continuity Plans Act as liaison with Local Resilience Forum Ensure lessons learned from establishment level tests and invoked plans are shared with NOMS Business Continuity and Resilience Team

8 PAGE 7 Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues that may affect their establishment 3.9 Responsibilities for DDCs (including DDC High Security Estate) Business Continuity and Resilience Lead DDC level Business Continuity and Resilience Lead to produce DDC level BIA/BCP, and review annually. Hold copies of individual establishment s BIA/BCPs Provide their contact details to the NOMS Business Continuity and Resilience Team Ensure lessons learned from any regional tests and invoked plans are shared with NOMS Business Continuity and Resilience Team Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues affecting the DDC s area of responsibility. The assurance responsibilities for Contracted Out prisons in terms of the Business Continuity PSI will be carried out by the Custodial Services Directors of each contracted provider Responsibilities for any other NOMS sites and business units (e.g. Newbold Revel, JSAC Training Centres in Wakefield and Birmingham, etc) To carry out a BIA for their site (optional tool at Annex A), and review on an annual basis Produce, maintain and test local BCP Provide their contact details to the NOMS Business Continuity and Resilience Team Feed individual BIAs/BCPs into relevant regional or national plans Act as liaison with Local Resilience Forums Ensure lessons learned from site level tests and invoked plans are shared with NOMS Business Continuity and Resilience Team Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues that may affect their site 3.11 Responsibility for HQ NOMS HQ BCP s are managed by the MOJ. A copy of the Clive House BCP is available on request (note Protect marking).

9 PAGE 8 Annex A Simple Business Impact Assessment (BIA) template The table below could be used to identify critical activities which will impact the establishment s business. Each critical activity should have its own separate table. Critical activity Staff/role required Impact of loss 1-2 days (H/M/L) Impact of loss 3+ days (H/M/L) Resources required (eg. IT, desk accommodation etc) Dependencies Contact details (24/7) - internal Contact details (24/7) - external Contact details (24/7) stakeholders Contact details (24/7) - staff Any existing BC arrangements in place

10 PAGE 9 Annex B Prison Establishments Business Impact Assessment Prison tablishment BIA tool (NEW VERSION)

11 PAGE 10 Annex C Guidance on developing a Business Continuity Plan Developing a Business Continuity Plan C.1 Business Impact Assessment (BIA) NOMS sites and business units need to complete a BIA which identify critical activities, assess them against the business continuity risks, establish where necessary a strategy, leading to the development of a detailed BCP. C1.1 BIAs should focus on critical operations that will need to be continued in the event of business disruption. Plans may be invoked once it is known that the disruption will last for a pre-determined period of time. Consideration should also be given to the fact that a site may be reliant upon IT & telephony systems housed at another location, for example at a data centre, which if lost, will have a knock on effect. A simple BIA template is attached at Annex A which may be of assistance to non-prison sites. C1.2 The BIA tool attached at Annex B is designed for prison establishments, and must be used and submitted to the BC&R team using the BC&R functional mailbox: NOMS Business continuity and resilience C.2 Business Continuity Plan The aim of BCP is to ensure the organisation has in place documented plans that detail how the organisation will manage a disruptive event, maintain its critical activities to a predetermined level and recover its activities to business as usual. C2.1 Each plan shall: have a defined purpose and scope be accessible to and understood by those who use them be owned by the Director, DDC or Prison Governor who is responsible for their review, update and approval be aligned with NOMS Agency Level Risks contained on the NOMS Business Continuity Risk Register which can be obtained from: NOMS Business continuity and resilience; and must also incorporate other relevant locally identified risks. C2.2 Plans shall collectively contain: Key information and resourcing requirements Key tasks and reference information Defined roles and responsibilities and contact details for people and teams having authority during and following an incident A method for recording key information about the incident, actions taken and decisions made Details of actions and tasks that need to be performed Details of the resources required for business continuity and business recovery at different points in time Prioritised objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity Implementation and communications Identified lines of communications Meeting locations with alternatives, and up to date contact and mobilisation details for any relevant agencies, organisations and resources that might be required to support the response A reference to the essential contact details for all key stakeholders

12 PAGE 11 Details for managing an incident including; (a) provision of managing issues during an incident; and (b) processes to enable continuity and recovery of critical activities. Details on how and under what circumstances the organisation will communicate with; a) employees and their relatives; b) key stakeholders; and c) emergency contacts. Details on the organisation s media response following an incident, including; (a) the incident communication strategy; (b) preferred interface with the media; (c) guideline or template for drafting a statement to the media; and (d) appropriate spokespeople. Escalation and execution of plan Guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances A method by which each plan is invoked. Recovery and stand down An outline plan of how a full recovery will be initiated. (This may be difficult to describe in detail as it will vary hugely depending on the disruptive event). A process for standing down once the incident is over. Lessons learned Arrangements for hot (immediate) and cold (after time for reflection) debrief sessions. Maintaining and exercising A documented process describing timescales for maintaining and formally exercising the plan. C2.3 Although the likelihood of a disruptive event occurring is low, they do happen and it is necessary to be prepared and have plans in place to restart critical operations with the minimum of delay. All staff should know whether they are a key member of staff and what may be expected of them both during and immediately after a disruptive event. C.3 Features of Business Continuity Management C3.1 Risk reduction: The management of risks to prevent a disaster Once BIAs have been used to identify critical activities, work can progress to assess the likelihood/probability and level of impact from a range of relevant threats/risks to vital operations. This is achieved by identifying and assessing the impacts of risks to NOMS at both an organisational level, for example, a widespread industrial dispute affecting the whole Service and at a Business Group/Unit/Local level, for example, localised high levels of staff sickness affecting the ability to carry out normal business. Once the impacts are understood, the probability of both local and national risks impacting each critical service will need to be identified and monitored. C3.2 The risks themselves and the probability/impact levels will fluctuate over time dependant on a number of variables e.g. time of year (when assessing the probability of severe snow) or when a threat of a fuel strike increases (when assessing likelihood of staff availability) therefore it is important to monitor risks regularly to ensure mitigation plans are prioritised, proportionate and up to date. C3.3 Planning: Robust Business Continuity Planning A BCP plan is used for the fast, efficient resumption of essential business operations by directing the recovery actions of specified recovery teams. You will need to consider the following:

13 PAGE 12 Building/office accommodation alternative relocation site; Information technology IT and telephony; Human and other resources ensuring that staff are aware of the alternative arrangements, have the resources they need and can be productively employed; Utilities; and Recovery of the whole business C3.4 It should be noted that one of the common causes of business continuity events are caused by environmental threats, e.g. flooding, severe weather etc. C3.5 Proactive reviewing of risks and mitigation plans will reduce the impact of any disruptive event and increase the service/business group/unit s resilience. C3.6 Plans will include developing and implementing a local, regional and/or HQ response to ensure critical activities and sites remain operational during a disruptive event. For example, if a flood alert is triggered, this may involve invoking local business continuity plans to deploy sandbags, request additional food/medicine/fuel supplies and refreshing staff levels/regimes (if access is likely to become an issue). Regional plans may include deploying additional resources to assist; while HQ plans may include reducing inter-prison transfers. C3.7 Incident/Crisis Management (PSO 1400) If a significant incident occurs, support arrangements (PSO 1400 refers) are designed to prevent incidents from developing into disasters and to lessen the impact. C3.8 Proactive Monitoring All BCM activities (prison, other NOMS sites and business units, HQ) need to be proportionately and proactively monitored by exercising/testing, maintaining and reviewing arrangements on a regular basis (see Annex D). C.4 Local Resilience Forums Your Local Resilience Forum (LRF) makes arrangements for the deployment between its members of mutual aid and resources such as fresh water in times of civil emergencies. They comprise of local community public-sector services and can assist Prisons and other NOMS sites and business units as part of their planning. They attempt to ensure available resources (for example, supplies of coaches for evacuation) in any given region are deployed in priority order and as such Prisons and other NOMS sites and business units are encouraged to make contact with their LRF to ensure their requirements have been taken into account should such an incident occur. All sites are also encouraged to consider the effects of their plans on other parts of NOMS and the wider CJS (eg Courts, NPS etc). The hyperlink below will direct the user to the Cabinet Office website page which lists the details of each LRF for each region of the UK and provides a name, contact telephone number and website link for further information. A guidance document from the Cabinet Office is also attached which sets out the role and areas of responsibilities of LRFs.

14 PAGE 13 Annex D Guidance on Testing Reviewing and Testing of Plans D.1 Reviewing and Testing D1.1 For BCPs to remain effective they must be regularly reviewed and tested. D1.2 One risk/scenario and associated plans must be tested every 6 months by means of desktop exercises to ensure they are coherent, logical and practical. It is recommended that prison establishments link the testing of business continuity plans to their contingency/incident scenario tests (PSO 1400 refers) to minimise disruption and make best use of resources. D1.3 To support testing, you should have prepared a suitably detailed, representative incident scenario which will include aspects such as date, time, current workload, accounting period end etc. D1.4 A full test needs to replicate as far as possible the way in which all stand-by arrangements would be invoked during the recovery of a critical business process/es and the involvement of external parties. This tests completeness of the plans and confirms: time objectives; for example to recover the key business processes within a certain time period; staff preparedness and awareness; staff duplication and potential over-commitment of key resources, during invocation of the BCP; and the responsiveness, effectiveness and awareness of external parties. D1.5 It should be noted that even the most comprehensive test does not cover everything. For example, where a disruptive event may result in an injury of a colleague/s, the reaction of staff to a crisis cannot be tested and the plans need to make allowance for this. D.2 Debrief Report D2.1 There should be minuted debrief sessions held immediately after the test has concluded, which will then form the basis of a debrief report. The report will provide a general minute of the discussions and include: performance against test objectives, agreed corrective action, who will take the action and within what timescales. Best practice would be for a follow-up, lessons learned meeting to be held within a week to consider issues once participants have had time to reflect.

15 PAGE 14 Annex E RESPONDING TO BUSINESS CONTINUITY EVENTS ON A NATIONAL SCALE (NATIONAL OPERATIONS COORDINATION CENTRES) E1 Introduction - This section applies to all establishments and other NOMS sites and business units. The Prison Service needs to have effective systems in place to deal with Business Continuity events on a national scale. These could be events that affect the country as a whole, for example, severe weather conditions, or events that are specific to the Service, for example, industrial disputes. In both cases these events will, to a greater or lesser degree, affect the Service s ability to carry out normal operations. These systems will: ensure the Service s operational capabilities remain intact; allow the potential impact of any nationwide Business Continuity event to be adequately assessed and responded to; and enable the Service to participate fully in any government-wide response. E1.1 National Operations Coordination Centre (NOCC) is situated in Gold Command 7 th Floor, Clive House. The suite acts as the focal point for the receipt, analysis and dissemination of information relating to any Business Continuity event. Information will be received into the suite primarily by the internal system. However contact can also be made by telephone or fax (see E10 for contact details). Arrangements for handling national Business Continuity events fall outside the scope of normal incident control procedures. E2 Coordination Committee - Dependant upon the nature of the Business Continuity event a Coordination Committee (CC) may or may not be set up. The role of the CC is to consider the impact assessment information being received into the centre and to decide upon the most appropriate strategy for responding, for example, if it clear that a situation is escalating to the point where there is a risk to the safe running of prisons then the CC would take the necessary steps to mitigate the risk, for example, invoking mutual aid arrangements. E2.1 Where prior warning has been received about an event and there is sufficient time to put in place contingency measures, thus reducing the impact on normal operations, there would normally be no need for a CC. In such circumstances the NOU and the NOMS BC&R team in conjunction with the lead business area, would monitor and report on the event. By contrast, a CC would oversee no-notice, longer term or high impact events, such as a fuel crisis or wide scale industrial unrest. E3 Role of NOCC Whatever the nature of a specific event, NOCC has five main aims: I. to obtain relevant information from across the Service, as well as from contractors and suppliers, about projected and actual problems caused by the Business Continuity event; II. III. to collate and analyse the data received to obtain an overview of the Service-wide position and to identify specific problems that require immediate action; to brief and present situation reports to senior staff, Ministers and, where appropriate, other Government departments, for example, the Cabinet Office, Department of the Environment, Food and Rural Affairs (Defra), Metropolitan Police and other police forces;

16 PAGE 15 IV. to commission and coordinate action to deal with problems caused by the Business Continuity event, for example, reallocation of resources between establishments; and V. to maintain accurate records of all relevant communications to and from the field. E4 Liaison - NOCC will handle initial liaison with contacts outside the Service. In cases where central coordination between government departments is required, the Cabinet Office usually takes the lead managing the process from its Cabinet Office Briefing Room (COBR). Officials from the main government departments, including the Home Office, attend COBR meetings. In turn, staff in MOJ will coordinate the activities of the Department as a whole, including its executive agencies, through its arrangements at 102 Petty France. E4.1 COBR and MOJ s respective reporting requirements will usually dictate the frequency of situation reports sought by NOCC from the field. E4.2 NOCC, either through the CC or NEMC will seek to ensure that the Service s concerns are given due consideration and that its interests are safeguarded. E5 Operational Arrangements - NOU must maintain NOCC in a state of operational readiness. The NOU must carry out regular checks of the IT and telephony systems (these are detailed in local NOU work instructions) and organise for an annual live test of the arrangements. E5.1 If there is sufficient time to prepare for a Business Continuity event i.e. notice is given of future events, then the NOU will work with key stakeholders to produce an impact assessment form. This form will then be sent out to the target audience, normally Governors and Heads of Group, ahead of time, for completion and return to NOCC at the time of the event. E5.2 In the event of a no notice Business Continuity event, contact will initially be made with either the NOU Duty Officer or the Duty Director who will then make contact with Gold Command/NOMS BC&R team. Any decision to open NOCC will, ordinarily, be taken by the Head of Operations, in consultation with the Duty Director and/or other members of NEMC. E5.3 NOU and NOMS BC&R team, in consultation with the Duty Director, will consider establishing a CC. E6 Convening a CC - The membership of any CC will reflect the specific Business Continuity event facing the service. In general however it will comprise: I. Head of Public Sector Prisons; II. III. IV. Head of Operational Services; Head of Security; Member(s) of NOMS BC&R team V. Legal Advisors representative; VI. VII. Humans Resources representative; Commissioning and Commercial representative;

17 PAGE 16 VIII. IX. Prisoner Escort and Custody services (PECS) representative; PS Press Office representative; and X. Other representatives depending on the nature of the event E7 Actions for DDCs, Governing Governors, Heads of Group and Directors and Controllers of contracted-out establishments all will be placed on notice and informed as to what information (usually in the form of an impact assessment) will be required from them. This information must be sent into the NOCC suite, usually as an attachment, in the correct format and by the time requested. E7.1 DDCs, Governing Governors, Heads of Group and Directors and Controllers of contractedout establishments must establish contingency plans to deal with NOCC s requirements. Most importantly this will include nominating an individual/s with responsibility for a) collating any information required by NOCC and b) acting as a liaison point for the duration of the event. NOU will be responsible for reporting on the performance of establishments to DDCs and the Deputy Director for Contracted-out Prisons i.e. whether or not they provided the required information and on time. E8 Staffing of NOCC E8.1 NOCC at Clive House - NOU will organise the staffing of the suite. They will maintain a call out list of trained personnel that can staff the suite 24/7. Other HQ Groups with vested interests in a specific Business Continuity event will also be expected to provide staff, for example, Human Resources have provided staff to monitor the impact of industrial disputes. E9 E10 Communication with NOCC - The normal means of communicating with NOCC will be by internal . If however, as result of a breakdown in the IT system communication cannot be made, then contact would be made by fax, phone or to a standalone Internet address. Contact Details - The main contact details referred to in this chapter are: NOCC A internal Nocc, 1 Nocc, 2 Nocc, 3 Nocc, 4 Initial Telephone Contact Number Advice Line

18 PAGE 17 ANNEX F Glossary BA Business Area BCM Business Continuity Management BC&R Business Continuity and Resilience BCP Business Continuity Plan BCRL Business Continuity and Resilience Lead BACP Business Area Continuity Plan BACT Business Area Continuity Team BCT Business Continuity Team BIA Business Impact Analysis (a systematic way of accessing the needs of an organisation prior to an incident) CA Critical Activities (as defined in your BIA) COBR Cabinet Office Briefing Room CRC Community Rehabilitation Company CSBCB Corporate Security and Business Continuity Branch DDC Deputy Directors of Custody EM Electronic Monitoring FICO Fire and Incident Control Officer IRT Incident/Initial Response Team LRF Local Resilience Forum NEMC NOMS Executive Management Committee NOCC National Operations Coordination Centre NOU National Operations Unit NPS National Probation Service PECS Prisoner Escort and Custody Services