Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during unexpected interruptions or incidents APPROVED BY ASSISTANT CHIEF EXECUTIVE 21/01/10 REVISED 14/10/10 REVIEW DATE: 21/01/12 To be read in conjunction with: EMERGENCY PLAN FLU PANDEMIC PLAN Version 4 Compliance with all PCT policies, procedures protocols, guidelines, guidance, standards and strategies is a condition of employment. Breach of policy may result in disciplinary action.
Policy Category: Relevant to (Staff Group): Governance All Version No: Date: Changes Made: 1.0 09/06/09 First draft Version History: 2.0 29/06/09 Revise draft follow consultation 3.0 08/12/09 Revise draft 4.0 10/10/10 Revised to reflect the change in Lead Director and Day to day Responsibility for Business Continuity to Emergency Planning All reasonable steps have been taken to ensure that this Policy reflects the: Equality and diversity agenda Relevant articles of the Human Rights Act 1998 Philosophy of Clinical Governance, providing evidence for compliance with the requirements of the Standards for Better Health of the Department of Health and the NHS Litigation Authority Risk Management Standard for PCTs Health and Safety at Work Act 1974 and associated legislation Freedom of Information Act 1998 (amended 2000) Disability Discrimination Act 1995 (amended 2005) Sex Discrimination Act 1975 (amended 2003) Race Relation Act 2000 Age Discrimination Act 2006 An Equality Impact Assessment has been carried out to ensure that this policy is nondiscriminatory. Page 2 of 29
CONTENTS..3 1. Introduction and Purpose.. 4 2. Definitions....4 3. Requirements..4 4. Policy Statement.4 5. Supporting Organisational Structures.5 6. Accountability and Responsibility for Policy and Implementation...5 7. Monitoring, Review and Testing 5 8. Communication of Policy Method and Responsibility. 6 9. References...6 Appendix 1: Business Continuity Plan Template Appendix 2: Business Continuity Plan Approval Form Page 3 of 29
1. Introduction and Purpose 1.1 The aim of business continuity is to ensure that the PCT s core business functions are safeguarded by means of effective business continuity management despite any unplanned or predicted interruptions to normal business. 1.2 Scope of this policy This policy sets out the management responsibilities for creating, maintaining, and testing business continuity plans. It establishes the principle that all Directorates and Business Units are required to have documented plans based on the template shown in Appendix 1. 2. Definitions 2.1 Business Continuity Management (BCM) A process that identifies potential threats to an organization and the impact to business operations that those threats, if realized, might cause. It provides a framework for building and testing organizational resilience to safeguard the most important business functions. 2.2 Business Continuity Plan (BCP) A document and procedures maintained in readiness for use in an incident to enable the PCT to continue to deliver its core business function at an acceptable pre-defined level. 3. Requirements 3.1 Legislation The PCT is required to have in place effective BCM arrangements to meet the requirements of the Civil Contingencies Act 2004. The PCT must have Business Continuity Plans that are able to support any major emergencies related to its obligations as a Category One responder. 3.2 BS 25999-1 The PCT will be expected to meet the good practice standards set out in BS25999-1 (Business Continuity Management Code of Practice). 3.3 BS 25777 The PCT will be expected to work closely with Sussex HIS to ensure that the principles of BS25777 (Information and Communications Technology Continuity Management Code of Practice) are being applied. 4. Policy Statement 4.1 All Directorates and, where appropriate, departments, must complete a Business Continuity Plan using the template shown in Appendix 1. Guidance notes are available on the PCT Intranet (hyperlink). All plans must be signed off by the responsible Director using the Business Continuity Plan Approval Form shown in Appendix 2. 5. Supporting Organisational Structures 5.1 Organisational Arrangements and Support The Director of Public Health shall direct the Emergency Planning and Business Continuity Resilience Team to provide the following support: Templates and guidance for the completion of business continuity plans. Training to Directors and managers and their staff on the completion of business continuity plans. Page 4 of 29
Attendance by the Business Continuity and Assurance Manager at the Emergency Planning Committee meeting. 5.2 Details of Associated Training The Business Assurance Team will provide training and information to enable managers to gain an understanding of Business Continuity Management issues and to complete Business Continuity Plans. 6. Accountability and Responsibility for Policy & Implementation 6.1 The Director of Public Health has overall accountability for ensuring the PCT puts in place the necessary Business Continuity Management systems to implement this policy. 6.2 Directors are responsible for ensuring an approved, up-to-date and fully tested Business Continuity Plan is in place in respect of the business functions for which they are accountable. 6.3 The Director of Public Health is responsible for reporting progress on BCM to the Executive Team and the Head of Emergency Planning and Business Continuity Resilience to the Emergency Planning Committee. 6.4 The Director of Public Health is responsible for compliance with all statutory and regulatory requirements via the Business Assurance Team. 6.5 All staff will be expected to understand this policy and to cooperate with the maintenance, testing and implementation of the plan. 7. Monitoring, Review and Testing 7.1 Monitoring The Business Assurance Team is responsible for monitoring compliance with this policy by: Maintaining a central database of all approved plans Collecting evidence to ensure compliance with the statutory duty to assess, plan and advise in relation to emergencies and the risk of emergencies (Civil Contingencies Act 2000). Carrying out benchmark assessments in conjunction with the Strategic Health Authority Assisting the internal auditor to carry out an annual audit. Audit recommendations will be added to the audit recommendations tracker and reported to the Audit and Assurance Committee. 7.2 Review This Policy will be reviewed every 2 years. Directorates are responsible for reviewing BCP every 6 months. The review programme will be monitored by the Business Assurance Team. 7.3 Testing and Exercising The Business Assurance Team will coordinate a programme of exercises to validate the full range of business continuity management capabilities. Exercises will be run in conjunction with Emergency Planning exercises wherever possible. 8. Communication of Policy Method and Responsibility 8.1 All new staff will be briefed on this policy as part of the PCT Induction process and via local Departmental Induction. All staff on Band 6 and above to be briefed on Business Continuity Planning as part of the Page 5 of 29
mandatory Risk Management Training Course. 8.2 The Business Continuity Policy and Procedures will be posted onto the PCT intranet and internet for all staff to access as required. 8.3 Managers must ensure that all relevant staff within their directorate are made aware of their responsibilities towards this Policy. 9. References BS25999 - Business Continuity Management Code of Practice. BS25777 - Information and Communications Technology Continuity Management Code of Practice. Standards for Better Health Healthcare Commission/Care Quality Commission 2008. Civil Contingencies Act 2004. Appendix 1 Page 6 of 29
Business Continuity Plan Template (Insert Team or Department name and Location) APPROVED BY RISK MANAGEMENT COMMITTEE: 10/03/2008 RATIFIED BY PCT EXECUTIVE TEAM: 18/03/2008 Page 7 of 29
Contents Guidance Note 9 Department or Team Details 10 People 11 Premises 15 Processes 19 Providers 23 Profile 25 Contacts List 26 Page 8 of 29
Guidance Note Before completing your team or department Business Continuity Plan please consider the following information that should help you to complete the Plan to the highest degree of resilience. Supporting documents Please use the Guidance document that has been provided to sit along side this template. It may answer questions that you have in terms of content and the level of detail that should be included in your Team or department Plan. To further support this is the Business Impact Analysis (BIA) Tool which has been added to the back of the Plan (Appendix). Working through this and looking at the information it contains should further help you to detail the most relevant information. When compiling this Plan, as well as considering your Team or Departments key Functions, you need to consider the Key Stakeholders with whom you supply services to or have close links with. They will need to be contacted in the event of severe disruption to services. There is a section in Profile for you to list these Key stakeholders. Mutual Aid is an area that can help cope with disruption. See the Guidance if you wish to set up any Mutual Aid Arrangements. If any further help is required the Business Assurance Team are there to facilitate and help. Contact through the Corporate Affairs Department at The Causeway Building, Goring by Sea or via email. Team Remember this is your Team or Departments Plan and is aimed at making you resilient in times of disruption to any of the services or functions you perform. The disruption may be caused by a number of factors all of which can be mitigated against in this template. If you have any further areas you wish to add in then feel free to do so. Put in as much detail as possible; add areas that are unique to your Team if they are not covered in the Template. In terms of personal information for your Team or Department, we leave this to your discretion. It should be noted this plan is for your Team or Department, and shouldn t be shared externally. Page 9 of 29
Department or Team Details (Section 2 of the Guidance) Please detail the team for whom this Plan applies and where they are located. Any further details in terms of Building and work area are also required. Department/Service: Directorate: Location: 2 nd Building (if applicable): 2 nd Work Area: Location: Telephone: Fax: Telephone: Fax: Telephone: Fax: Key Department or Team Functions Please insert the Key Functions or Roles which this Team or Department undertakes on behalf of the PCT. These functions are what you are basing the plan around and therefore need to be all inclusive. Priority of Functions For the areas of work listed above please ensure that the most critical functions are given the highest priority. There may be Functions that will be ignored in times of disruption. 1. 2. 3. 4. 5. Major Incidents (Section 3 of the Guidance) For the (name of Department, Team or Practice) the PCT coordinating the response is West Sussex PCT. In the event of a Major Incident the contact(s) will be (insert appropriate name(s) and number(s)). Page 10 of 29
People (Section 4 of the Guidance) Team cover plan This needs to include all Team or Department members for whom the plan applies. More than one cover staff can be listed in the third column. Post Holder Post 1 st Cover Minimum Staffing Levels Provide an indication of the Minimum Staffing Level your Team or Department would require for Short / Medium / Long Term Disruptions to perform your functions effectively. Short Term Medium Term Long Term Staff Requirements in the Event of Absence This table needs to have a detailed account of the Responses and Actions that need to be taken in the event of losing certain Levels of Staff for Specified periods of time. Examples: Impact Minor / Minimal Response/Mitigation Access emails of absent staff; respond where necessary Actions Establish cover arrangements (training if needed); adapt working to cover priority work or functions; respond to urgent emails; check calendar and inform any interested third parties of the absence. Page 11 of 29
Loss of Staff at Certain Levels (as a whole time equivalent) 0-10% IMPACT RESPONSE/ MITIGATION ACTION REQUIRED For 1 day For up to one week For longer than one week 10-50% For 1 day For up to one week Page 12 of 29
For longer than one week 50-100% For 1 day For up to one week For longer than one week Key Personnel Cover Arrangements Certain members of a Team or Department may have a specific knowledge or fields of expertise which need special mitigation when it s no longer available. If there is a Key Function, of the team, that only one person can carry out then you have a Single Point of Failure that needs to be addressed by sharing knowledge and give training, if required. Page 13 of 29
Loss of Key Personnel/ Specialists (please identify): IMPACT RESPONSE / MITIGATION ACTION REQUIRED Page 14 of 29
Premises (Section 5 of the Guidance) The section may require information from the Building Business Continuity Plan, if this is the case then you will be provided with this information. Relocation Arrangements for Building and Work Area These need to detail the arrangements that have to be followed in the event of a disruption to the Building within which you work. They may be covered by a Building Business Continuity Plan and should be readily available. Alternative working arrangements may be Team Specific, e.g. Work from home / Alternative Location and apply to both Building and Work Area disruptions. Building: The specific area of the Building within which you work may be disrupted in isolation. Please detail the procedure and actions that need to be followed. Work Area (Team/Departments): Fire drill procedure Short bullet points of the Buildings Fire Procedure and any specific work arrangement for prolonged disruption (as above). This information should be available on wall posters or through the Building Business Continuity Plans. Actions: Security Details These are likely to be covered in the Building Business Continuity Plans. If not available contact the facilities department for the buildings security arrangements. Page 15 of 29
Building: This sub-section will be any specific security arrangements you may have for the Team or Department. E.g. locking away equipment; location of cabinet keys; the location of confidential documents. Work Area (Team/Departments): List of equipment This is the vital equipment that is used. E.g. special clinical equipment / computers / filing cabinets / department specific equipment. List for the re-order or how to acquire the equipment For the items listed above you are required to detail where replacements are available from. E.G. Laptops; Sussex HIS. Please include the suppliers contact details in the Contacts Section at the back of the plan. Page 16 of 29
Supplier / Source Equipment Toilet facilities Please detail the actions in case of a disruption to the toilet facilities. This may well be covered in the Building Business Continuity Plans. Alternative toilet arrangements: Portable toilet details (if required): Parking facilities Please detail the actions in case of a disruption to the parking facilities. Again this may well be covered in the Building Business Continuity Plans. Alternative parking arrangements: Any further Facilities (Team or Department specific) All the facilities that are specific to the building or department in which you work and the details of alternatives or actions if they should become disrupted. E.g. meeting rooms; Treatment rooms; Store rooms Page 17 of 29
Facility Disruption Arrangements Page 18 of 29
Processes (Section 6 of the Guidance) IT Details Detail the supplier of the IT systems which your Team or Department use. This may be covered in the Building Business Continuity Plans. Provider of Information Management and Technology Systems: Services they provide: List the actions to be taken in the event of a building wide IT service failure. Action Plan for a Building IT system failure List the actions in the event of a disruption to an IT system or computer that only affects one or more specific individual within your team. It may well be similar to the above arrangements. Action Plan for a Team IT system failure Software Systems Your Team or Department may use specific software that only relate to the teams function. These may be provided by another source other than your IT Provider. E.g. Safeguard / Ulysses. Please detail any Team Specific Software and the actions in the event of a disruption. Page 19 of 29
Software and Supplier Disruption Arrangements (contacts) Email disruptions This may be similar to the IT disruption arrangements in terms of supplier. Please detail possible arrangements if external email is not an option and ensure that key contacts that relate to team functions are considered in the event of a disruption. Provider of Email Systems software: Contact Number(s) in the event of disruption: Can staff use secondary / Private email accounts (arrangements) : Can staff contact ALL key business contacts in the event of a computer disruption: Telephone disruptions Detail your telephone supplier and any possible alternative options if this service is unavailable. Provider of Telephone Communications: Contact details in the event of disruption: Estates Manager and contact details: Page 20 of 29
Details of alternative communication in the event of a disruption: Other Communication Methods Any further communication methods you use that may be disrupted need to be detailed and alternatives may be required. E.g. Fax; Postal services Form of Communication Details for recovery Alternative(s) Documentation This section is important in terms of the Team or Departments key functions and any documentation that supports these. For example, guidance documents on how to perform the functions; specific databases; important work documents. It is important to note that only having a paper or electronic copy is a weakness and you should have the document in both forms, where appropriate. Item Any other information (specific details / location of copies etc) Page 21 of 29
Providers (Section 7 of the Guidance) Disruptions to the areas covered below may result in implementing alternative working arrangements, for example changing location. Water Disruptions The mains water supply Stopcock is located: Water supplier for your location, team or department: Action if there is a loss of drinkable water Heating disruptions The Building may have a specific or number of different forms of heating, please detail. These may be covered in the Building Business Continuity Plans. There may be cross over with the boxes below around Electricity, Gas and Oil Suppliers. Heating Supplier or System Contact Information Actions in the event of a disruption Electricity Disruptions Detail the actions that need to be taken in the event of a disruption to the Buildings electricity supply. Page 22 of 29
Electricity Supplier Emergency contact details Current contingencies in place Actions in the event of a loss in Electricity Gas Disruptions Detail the actions that need to be taken in the event of a disruption to the Buildings gas supply. This is likely to affect the heating of the building so may be covered above. Gas Supplier Emergency contact details Current contingencies in place Actions in the event of a loss in Gas supply Oil Disruptions Detail the actions that need to be taken in the event of a disruption to the Buildings oil supply. Oil Supplier Emergency contact details Current contingencies in place Actions in the event of a loss in Oil supply Specific Fuel Shortage Plans The information below should sit along side the West Sussex PCT Fuel Crisis Contingency Plan that will be implemented in the event of a fuel crisis. This information should be specific team arrangements that can be made in the event of a fuel (petrol / diesel) shortage. E.g. work from home; Car share. Page 23 of 29
Supplier for day-to-day Equipment Unlike the equipment mentioned above in the template, this section is for the smaller scale equipment but has the same importance for continuity of service, for example paper / stationary / medicines. Please include the arrangements for disruption. Key Suppliers Equipment / Disruption arrangements Contact details: Contact details: Contact details: Contact details: Page 24 of 29
Profile (section 8 of the Guidance) Key Stakeholders When compiling your plan you have been asked to consider your key stakeholders. Please list these Stakeholders and the reason for inclusion. Also ensure you include them in the Contacts List below if they aren t included elsewhere within the plan. Examples: Senior Management; Certain Boards or Committees; External Organisations. Vulnerable People / Groups This is mainly linked with patient contact but would include any vulnerable people you may come in contact with. List or Location of the List: Communications In the event of a major disruption to certain key functions your Team or Department perform it may be necessary to inform the organisation as a whole. Please detail your method of disseminating this information. E.g. Global Email / Contact Communications Department Page 25 of 29
Contacts List Please include any names or contacts that you have listed in your plan for quick and easy contact. Include more than one number where available. Add boxes where you require them. Activation of the Plan People who will be required contacts in the even of a disruption to the areas mentioned in the plan. Role Name Contact Lead Officer For the Plan Deputy Department / Team Manager Facilities / Estates Manager Staff Contacts It is your decision whether the contact you include will be personal / home numbers for staff. But it should be noted that the plans are for the use for the Team or Department members only and should not be made available for the external sources. Name Position Contacts PCT Contacts Add any further PCT contacts you feel are required for emergencies. Reason for contact Emergencies Emergencies (See On Call Info Sheet on main plan) Emergencies Harmoni Department PCT HQ Director On Call Provider Services Operational On Call PCT Switchboard External (out of hours services) Contacts Page 26 of 29
Key Stakeholders Should contain the Stakeholders listed above in the Profile section. Stakeholder Reason Contact Utilities / Services Contacts The Utilities listed in the Processes and Providers sections. Service IT / Email Provider Contacts Water Heating Electricity Gas Oil Tradesmen Any specific tradesmen that you feel need to be detailed. E.g. Plumber Trade Provider Contacts Mutual Aid Arrangements See Guidance on the use and establishment of Mutual Aid but it is an area that may be considered by your Team or Department I cope better in times of disruption. If you set up any Mutual Aid Arrangements please list the contacts. Page 27 of 29
Mutual aid available Department / Team Contacts Suppliers Any suppliers that have been listed within your Plan. Product Supplier Contacts Page 28 of 29
Appendix 2 Business Continuity Plan Approval Form Title of Plan Directorate or Business Unit Name of approving Director Signature of approving Director Date of Approval Page 29 of 29