Business Continuity Management Policy and Plan




Contents

1.0 Introduction
2.0 Purpose
3.0 Definitions
4.0 Roles, Duties & Responsibilities
4.1 Legal And Statutory Duties, Responsibilities And Guidance
4.2 Specific Duties And Responsibilities Within The CCG
5.0 Business Continuity Management Plan
6.0 Initiating The Plan
6.1 Causes Of Service Interruption
6.2 Activating The Plan
7.0 Record Keeping
8.0 Communication
9.0 Training Requirements
8.0 Implementation, Monitoring And Review
9.0 Documentation

Appendices
Appendix 1 Business Continuity Management Plan Template
Appendix 2 Business Continuity Action Plan
Appendix 3 Crisis Response Team Notes Template

1. INTRODUCTION

Business Continuity Management (BCM) is a statutory requirement for NHS West Lancashire Clinical Commissioning Group (CCG). The Civil Contingencies Act 2004 and the NHS Emergency Planning Guidance 2005 require the CCG to have a Business Continuity Management Policy (BCMP) to ensure that, in the event of a significant service interruption, critical day-to-day functions can be maintained whilst timely recovery and restoration of key services, systems and processes is also achieved.

It is the policy of the CCG to take all reasonable steps to ensure that, in the event of a service interruption, the organisation will be able to maintain essential services and restore normal services as soon as possible in the circumstances prevailing at the time. This Business Continuity Management (BCM) Policy aims to introduce the concept of BCM to the CCG.

Alongside ensuring business continuity, the CCG has to ensure emergency preparedness as a Category 2 responder. The CCG's main role will be to support Category 1 responders (main NHS providers, which require an escalation route to their commissioners, and NHS England, which may require support from CCGs). Details of the CCG's emergency preparedness can be found in the major incident plan.

2. PURPOSE

This Policy sets out the general principles and corporate framework for the creation and revision of the Business Continuity Management Plan relevant to the business activities of the CCG. These will be formulated in accordance with the strategic objectives for the CCG in place from time to time.

This document aims to ensure that all business continuity processes carried out by the CCG are executed in an agreed and controlled manner. The business continuity management procedures described are separate from, but may operate in conjunction with, the Major Incident Response Plan in times of emergency or serious incident as per the definitions in the Major Incident Response Plan. They may also operate in conjunction with the CCG's Risk Management processes in place from time to time.

In the event of service interruption, this policy sets out the framework for the CCG to:
- Manage and maintain the continuation of critical, core functions and services
- Manage the recovery and restoration of normal functions and services.

3. DEFINITIONS

The following definitions apply to terms used in this Policy, in accordance with BS2599-1:2006:

Activity: Processes or sets of processes undertaken by the CCG, or on behalf of the CCG, that support delivery of services.

Business As Usual: Pre-defined acceptable levels of service delivery.

Business Continuity Management (BCM): Process to identify potential threats, assess the impact of those threats on the CCG, and build a framework to support CCG resilience to those threats, including protecting patients' and stakeholders' interests and achieving strategic objectives. Includes strategic and tactical capability of the CCG to plan for and respond to business interruptions in order to support continued delivery of business as usual.

Critical Activities: Those activities carried out by the CCG which are most time-sensitive and important for ensuring continued delivery. These will be mainly those services essential for immediate life and death of patients. These activities will typically suffer if delayed by more than one hour.

Disruption: Any event, planned or unplanned, which causes an interruption to the CCG's ability to continue business as usual.

Essential Activities: Those activities carried out by the CCG which are sensitive and important, but not critical to life and death of patients. These activities will normally suffer if delayed by more than one day.

Major Incident: An event classified as a major incident according to the CCG Major Incident Response Plan.

Non-Urgent Activities: Those activities carried out by the CCG which can be postponed or delayed most easily. These activities will begin to suffer if delayed by more than one month.

Routine Activities: Those activities carried out by the CCG which support business delivery on a daily basis and are not critical or essential. These activities will typically start to suffer if delayed by more than one week.

Service Recovery: The process through which business as usual is reached, following an interruption or disruption event.

4. ROLES, DUTIES & RESPONSIBILITIES

4.1 Legal and Statutory duties, responsibilities and guidance

The following general (Statutory) duties apply:

1. The Civil Contingencies Act 2004 places a duty on CCGs to have business continuity plans in place to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions. The CCA definition of an emergency is as follows: An event or situation which threatens serious damage to human welfare in a place in the UK, the environment of a place in the UK, or war or terrorism which threatens serious damage to the security of the UK.

2. Healthcare Standards require the organisation to be able to continue essential routine work during an incident or emergency situation and to provide essential supplies, with documented procedures for procuring additional or alternative supplies.

3. British Standard 2599-1:2006 gives guidance for establishing a Business Continuity Plan and Process within an organisation and this policy is written accordingly.

4.2 Specific duties and responsibilities within the CCG

The following specific duties and responsibilities apply within the CCG:

a) Accountable Officer (AO): The AO has overall statutory responsibility for the strategic and operational management of the CCG, including ensuring that the CCG has in place robust arrangements for business continuity management and service recovery.

b) CCG Governing Body: The CCG Governing Body is responsible for setting the strategic context in which business continuity and service recovery procedures are developed, and for the formal review and approval of this Policy. The Governing Body is also responsible for determining the accepted levels of business as usual, through monitoring service delivery and approving suggested developments. Through the commissioning and contract monitoring processes, the Governing Body is responsible for gaining assurance that providers commissioned by the CCG have adequate BCM systems and processes in place to ensure service continuity.

c) Head of Corporate Affairs: The Head of Corporate Affairs is responsible for ensuring that business continuity management plans to support the core business functions are completed and updated as necessary.

d) CCG Senior Managers (Deputy Chief Officer, Senior Operating Officer and Chief Finance Officer) will:
- Ensure that their element of the BCM plan is reviewed at six monthly intervals and updated as necessary to maintain good quality control of document information
- Notify any BCM plan revisions to the Head of Corporate Affairs
- Support business continuity awareness and acceptance amongst staff and ensure that all of their staff are aware of their responsibilities within the BCM plan
- Encourage and participate in training or exercises.

e) Public Health Lancashire will, via a memorandum of understanding with the CCG, ensure that adequately tested emergency plans are in place to protect the health of the NHS West Lancashire CCG population from threats ranging from relatively minor disease outbreaks to full-scale public health emergencies, and will ensure that NHS West Lancashire CCG has access to, and is briefed on, relevant emergency plans. The Head of Corporate Affairs will liaise with Public Health Lancashire.

f) All CCG Staff: All staff are responsible for co-operating with the implementation of this Policy and any relevant plans as part of their normal duties and responsibilities.

5. BUSINESS CONTINUITY PLANS

The BCM plan will be written in accordance with the template attached to this policy (appendix 1). As the CCG is a small organisation, an overarching plan will be developed that covers all work areas, with exceptions for any work area highlighted. The BCM Action Plan is at appendix 2. The CCG senior manager leading that work area will be responsible for ensuring any exceptions relating to their work area are communicated to the Head of Corporate Affairs.

The anticipated outcomes of completing the template and thus building the Business Continuity Management Plan include:

1. Identification of critical, essential, routine and non-urgent activities of the CCG
2. Prioritising delivery of those activities in response to a disruption
3. Minimising the effects of any disruption and allowing return to business as usual as fast as possible
4. Increased staff awareness of BCM principles and processes
5. Supporting the achievement of CCG strategic objectives and associated action plans
6. Ensuring legal compliance with planning obligations
7. Informing a response process which is flexible to meet changes in service delivery of the CCG

As BCM plans are developed, the BCM policy may be adjusted as and when agreed by the CCG Governing Body to reflect the development of this strategy.

6. INITIATING THE PLANS

The Business Continuity Management Plan will be initiated when any disruption to service delivery is experienced.

6.1 Causes of Service Interruption

There are many and varied possible causes of service disruption. As a general guide, service continuity planning should be carried out to minimise the effects of a number of potentially disruptive events:
- Major accident or incident, national disaster, epidemic, terrorist attack
- Fire, flood, extreme weather conditions
- Loss of utilities, including IT and telephone systems
- Major disruption to staffing; epidemic, transport disruption, industrial action, inability to recruit; mass resignations (e.g. lottery syndicate).

It should be borne in mind that these events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get to work.

A cause of a service disruption event may also become an internal major incident for the CCG and invoke the CCG's Major Incident Response Plan. In this event, the BCM plans should be carried out simultaneously with the response to the major incident, as far as is possible.

6.2 Plan activation

The senior manager in the work area concerned will decide, in discussion with other senior managers and either the Chief Officer or Chief Finance Officer, whether the plan or any part of it should be activated, using the process in the following flowchart. Out of hours the decision will be made by the on-call manager.

Once the plan is activated the incident will be managed by the senior manager of the work area in which the incident occurred. The senior manager has responsibility for convening the crisis response team to ensure that essential services are maintained and that recovery plans are put into place. The crisis response team membership is at the discretion of the senior manager as each incident is different but at a minimum the team must include another senior manager, a governing body member (usually the Chief Officer or Chief Finance Officer), Head of Corporate Affairs and a Communications Manager. Anyone called to attend the crisis response team by the senior manager must attend. There are no exceptions. Records of all decisions and actions taken by the crisis response team will be made. See appendix 3 for the crisis response team notes template.

Process plan for activation

1. Crisis occurs (emergency plan may already be in action).
2. Consider if crisis able to be contained within usual resources.
   Yes: No further action at this stage.
   No: Discuss with CO or CFO and agree that business continuity plan should be activated.
3. Set up crisis recovery team.
4. Notify staff and any service or other organisation/stakeholder that may be affected.
5. Initiate business continuity plan.
6. Progress and any further developments to be assessed daily as a minimum. It may need to be more frequent.

7. RECORD KEEPING

Good record keeping is paramount if the BCM plan is initiated. The senior manager leading the crisis is responsible for ensuring that accurate records are kept of all decisions and actions taken in their area of work once the BCM plan is initiated. This includes the crisis recovery team record keeping; see appendix 3.

All records created during the implementation of the BCM plan will be kept by the Head of Corporate Affairs. These records will be stored in line with the CCG's Record Management Policy.

8. COMMUNICATIONS

Good communication is essential at a time of crisis. A communication plan will be developed to ensure there are appropriate statements for internal and external communication and processes for ensuring communication to all CCG staff in the event of an emergency.

7. TRAINING REQUIREMENTS

All Governing Body members and senior managers need to be aware of the contents of this policy, and ensure that they are acquainted with the CCG's Business Continuity Plan and have access to the appropriate templates. The Head of Corporate Affairs will, on request, provide support, assistance and advice, including instruction in the application of the process and use of the templates. Public Health Lancashire are also available to adequately test emergency plans and to provide briefings on relevant emergency plans.

8. IMPLEMENTATION, MONITORING AND REVIEW

The Head of Corporate Affairs is responsible for ensuring that this document is reviewed and, if necessary, revised in the light of legislative, guidance or organisational change. Review shall be at intervals of no greater than 6 months; this can be undertaken at team meetings.

A full test of the Business Continuity Management Plan will be undertaken yearly. All senior managers will be expected to take part in these exercises. A cold debriefing session will take place following the exercise to establish if any changes need to be made as a result of the exercise. Senior managers will be asked to review their Business Continuity Management Plan at this stage and submit it to the Head of Corporate Affairs to co-ordinate the CCG's overall plans.

9. ASSOCIATED DOCUMENTATION

This document is separate from but complementary to:
1. The CCG Major Incident Response Plan
2. Risk Management Strategy

Appendix 1: Business Continuity Plan Template

Priority for the Restoration of Services
1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an essential service/function
2. Urgent: Within 8 hours - Will degrade to Critical if not addressed within this time band
3. Essential: Within 24 hours - Major disruption, no danger to staff and/or patients. Does not prevent provision of an essential service/function
4. Important: Within 3 days - Will affect services without causing danger to patients
5. Necessary: Within 7 days - Minor disruption to services
6. Routine: Within 14 days - Will not directly disrupt services but will cause inconvenience
7. Non-Urgent: Within 28 days - Will involve non-urgent repairs

Template columns: Threat | Priority for restoring service | Contingency measures required | Actions required to restore service | Risk if priority unable to be met

Threats (one row each):
- Loss of staff
- Loss of telephone communication
- Loss of email
- Loss of internet
- Loss of network including all software packages and telephone system
- Fuel shortage
- Loss of building either due to fire or loss of utilities (gas, electric and water)
- Clinical or safety disaster

Appendix 2: Business Continuity Action Plan

Priority for the Restoration of Services
1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an essential service/function
2. Urgent: Within 8 hours - Will degrade to Critical if not addressed within this time band
3. Essential: Within 24 hours - Major disruption, no danger to staff and/or patients. Does not prevent provision of an essential service/function
4. Important: Within 3 days - Will affect services without causing danger to patients
5. Necessary: Within 7 days - Minor disruption to services
6. Routine: Within 14 days - Will not directly disrupt services but will cause inconvenience
7. Non-Urgent: Within 28 days - Will involve non-urgent repairs

Threat: Loss of staff
Priority for restoring service: 4 for critical staff; 6 for non critical staff
Contingency measures required: Matrix working for critical staff to share learning; Deputies for each critical area; Defer meeting dates for statutory meetings to endeavour to meet quorums
Actions required to restore service: Formal appointment of successor; Secure extra support from CSU
Risk if priority unable to be met: Impact on ability to conduct business, progress work plans and maintain governance including reporting of performance

Loss of telephone communication Seek extra support from CSU for interim periods 3 Use of corporate mobile phones Use of email (assuming network is still operational)

Loss of email 3 Use of telephone system (assuming system is still operational as linked to network) Use of corporate mobile phones Contact CSU IT department Contact CSU IT department Impact on timeliness of communication and ability to progress some areas of work at the speed required e.g. querying invoices Impact on ability to maintain leadership Impact on ability to conduct business in a timely manner

Loss of internet 4 for general use Use of postal system Use of fax Use of courier for urgent documents Other research methods. Copies of key documents on the network. Contact CSU IT department Information governance risk concerning person identifiable information being sent via the postal system. Safe Haven fax arrangement to be used and registered mail to be used Inability to pay invoices on time 3 for integrated financial system Use of corporate 3G iPads and iPhones for any urgent internet requirements Home working (assuming staff have access to internet at home) for urgent tasks Inability to receive performance report from web based packages Use of alternative NHS accommodation for urgent payment of invoices

Loss of network including all software packages (resulting in loss of access to critical information) and telephone system 3 NA Contact CSU IT department

Fuel shortage 5 Use of home working and VPN Use of alternative NHS accommodation Use of conference calling NA Impact on ability to perform core business, meet statutory requirements Impact on conduct of business and maintenance of statutory requirements

Loss of building either due to fire or loss of utilities (gas, electric and water) Use of corporate iPads/iPhones for FaceTime 6 Use of home working and VPN Use of alternative NHS accommodation As appropriate to the threat Possible overload on alternative NHS accommodation Scan any critical information held in paper format only Risk over destruction of paper records if fire

Clinical or safety disaster 1 Major incident plan to be implemented As appropriate to threat Impact on ability to deliver core business as incident takes priority

Appendix 3: Crisis Response Team Notes

Reason for Invoking Plan:
Date:
Time:
Brief Summary of Situation:
Department/s Affected:
Other Organisations Involved / Alerted:
Name of note taker:
Date:

Actions Required | By Whom
Immediate:
Within 8 Working Hours:
Within 1 Working Day:
Within 3 Days:
Within 1 Week:

Situation to be reviewed every ... hrs / ... days
Name of note taker:
Date: