BUSINESS CONTINUITY POLICY RM03

Applies to: All NHS LA employees, contractors, secondees and consultants, contractors and/or any other parties who will carry out duties on behalf of the NHS LA
Version: Version 3
Date of Board Approval: March 2015
Review Date: March 2017
Author: Catherine O'Sullivan
Owner: Tom Fothergill
1. Introduction

1.1. Business continuity is defined as "The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident." (ISO 22301)

1.2. The primary intention of the NHS LA's Business Continuity Plan (BCP) is to deal with major operating disruptions which would seriously impact the organisation's ability to conduct normal business operations for a significant period of time. These operating disruptions include, but are not limited to, major fire, inclement weather, deliberate sabotage, flood, explosion, building structure failure, and other unforeseen catastrophic events.

2. Aims

2.1. The aim of this Business Continuity Policy is to provide supportive business continuity management that ensures:
- A framework for building organisational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, and service activities is developed
- All reasonable steps are taken in the event of a disruption to normal business activities, so services will be restored as soon as practicable in a planned and controlled way
- The health, safety and welfare of NHS LA employees during any event affecting business continuity
- Sufficient assurance, through continual review, exercising and testing, that the continuity arrangements are robust and will work when required
- Chances of breaches of statutory and regulatory requirements are minimised
- Contribution to the development of a proactive and integrated risk management culture throughout NHS LA

3. Statement of Intent

3.1. The NHS LA has a Three Year Plan for 2014 to 2017 which sets out three Strategic Aims
- Increasing operational effectiveness and valuing our people:
- Improving patient and staff safety by supporting the NHS to reduce harm through learning and effective incentivisation:
- Successfully integrate and develop the National Clinical Assessment Service (NCAS):
3.2. The Business Continuity Policy and Plan are means to ensuring minimal disruption to the achievement of these goals.

4. Who this Policy applies to

4.1. This policy applies to all activities undertaken by the NHS LA and to all employees whether working from offices and/or at home. BCM must involve all levels of staff and partner organisations that contribute to the delivery of critical activities. Where critical activities are supported or delivered through the products and services of formal business partnerships, robust business continuity arrangements must apply at both the partnership interface and within the third-party organisation and its operating environment.

5. Business Continuity Management Systems

5.1. The NHS LA will follow the principles of ISO 22301 Societal Security - Business continuity management systems, and apply the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's BCMS.

Plan (Establish)
Business Impact Analysis will be carried out on each business area to establish business continuity requirements.

Do (implement and operate)
The NHS LA will develop and implement appropriate plans and arrangements to ensure continuity of critical activities, and the management of business disruptions. This includes:
  o Establishing a structure and allocating clear responsibilities for responding to incidents;
  o Preparing incident management plans to manage the immediate incident.

Check (Monitor and review)
NHS LA's business continuity and incident management arrangements will only be reliable if they are exercised and kept up to date. The NHS LA will implement appropriate regular review and exercising of the BCP and ensure that plans remain fit-for-purpose.

Act (maintain and improve)
The Business Continuity Plan will be maintained and improved from the outcome of the check part of the model.

6. Accountabilities and responsibilities

6.1. Responsibilities for BCM are as follows:
- The Chief Executive has ultimate responsibility for BCM;
- The Chief Executive with the Incident Management Team will determine whether an incident warrants invocation of the BCP;
- The Chief Executive or, in their absence, the Director of Finance is responsible for the Incident Management Team (IMT) during a business disruption;
- The Chief Executive is responsible for ensuring updates to the Chair, non-Executives and the Department of Health as appropriate;
- The IMT is responsible for the coordination of the response to an incident and business recovery actions, once the BCP is invoked;
- Heads of Department, as members of the Business Recovery Team (BRT), are responsible for specific actions as set out in the BCP;
- All employees are responsible for making themselves familiar with the BCP arrangements and, in the event of an incident, must follow instructions cascaded to them by their line manager.

6.2. To continue to manage business activities whilst recovering from a major incident is a very demanding task. A clear and focused management structure is required to maximise the effectiveness of corporate resources. This can be described as the Business Continuity Team structure for NHS LA, which can be seen in Appendix 1.

7. Exercise and Testing

7.1. Exercising and testing is essential in providing confidence that the objectives of the BCP can be achieved. It also provides an ideal training opportunity for those involved in the key activities. All testing must be carefully managed and co-ordinated to ensure low risk to the business but with maximum return on effort.

7.2. A schedule of testing will be developed and agreed each year with the main objectives being:
- Validation of emergency callout procedures and contact details contained in the recovery plans;
- Ensuring key staff are familiar with their emergency response, technical recovery and business recovery plans;
- Proving the ability to recover the IT and communications infrastructure;
- Proving the ability of critical staff to work from home or relocate to a nominated recovery site;
- Validation of the effectiveness and accuracy of the documented IT and business recovery plans;
- Identifying weaknesses in and improvements to processes, technical solutions and procedures;
- Exercising IMT and BRT members by allowing them to practise their activities.

8. Equality impact assessment

8.1. As part of its development, this policy and its impact on equality have been reviewed in consultation with trade union and other employee representatives in line with the Authority's Equal Opportunities Policy and the public sector equality duty. The purpose of the assessment is to minimise and if possible remove any disproportionate impact on employees and service users in relation to the protected characteristics: race, sex, disability, age, sexual orientation, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity. No detriment was identified.

Appendix 1
Business Continuity Team structure for NHSLA

To continue to manage business activities whilst recovering from a major incident is a very demanding task. A clear and focused management structure is required to maximise the effectiveness of whatever corporate resources remain. This structure may be a little different from that found in normal day-to-day operations.

The illustration below shows the Team structure that will be implemented in the event of a disaster or major incident which necessitates the invocation of the NHS LA's BCP.

Strategic Response
Co-ordination of high-level strategic response: dealing with the media, managing stakeholders and taking executive decisions. Responsible for protection of value and reputation of the NHS LA as a whole.

IMT
- Chief Executive - Leader
- Director of Finance - Deputy Leader
- Technical Claims Director
- Safety Learning & People Director
- NCAS Director
- Head of Human Resources
- Head of IT & Facilities

Tactical Response
Co-ordination of tactical response: dealing with the assessment and management of the incident. Key responsibilities include selecting appropriate recovery strategy, liaison with emergency services, staff welfare and communication.

Operational Response
Co-ordination of operational response. In the event of a disruption responsible for dealing with the recovery of core business processes, relocation of staff to alternative premises, co-ordinating recovery of data and ICT. Responsible for business recovery in the longer term.

BRT
- Director of Finance - Leader
- Technical Claims Director
- Safety Learning & People Director
- NCAS Director
- Head of Human Resources
- Head of Clinical Claims
- Head of Non Clinical Claims
- Finance Manager
- IT & Facilities Manager
- Helpdesk Officer
- Head of FHSAU

IMT Responsibilities

The role of the IMT is to manage issues arising throughout the emergency situation and to provide support and direction to the BRT. This will be achieved by:

IMT TASKS
- Invoking the BCP
- Setting policy and providing direction
- Providing budgetary authorisation
- Prioritisation and conflict resolution
- Contact with external organisations
- Monitoring and overseeing the recovery process
- Assessing the incident and its impact on the organisation
- Security management
- Damage assessment
- Recovery management
- Personnel and welfare issues
- PES claim and associated records
- Repairing & rebuilding
- Liaison with emergency services
- Managing the BRT

BRT Responsibilities

To manage and co-ordinate the activities associated with the recovery of critical functions; to provide appropriate resources to ensure a safe, secure and efficient working environment (either within NHS LA premises or elsewhere). To investigate, plan and implement a return to the original site. This will be achieved by:

PEOPLE
- Keeping staff informed
- Identifying key staff for relocation
- Defining responsibilities for operational staff
- Assigning tasks to available staff members to recover lost information

BUSINESS PROCESSES
- Taking action that will maintain critical business processes
- Assisting with assessment of impact to the business
- Re-establishing critical functions
- Identifying activities for staff unable to access their normal place of work
- Assessing what work and data may have been lost and/or need to be recovered

TECHNOLOGY
- Co-ordinating recovery of key data/software and user acceptance testing
- Installing equipment and software based on defined priority of business functions
- Ensuring user departments are aware of support arrangements

PREMISES
- Liaising with the IMT to help the salvage process
- Relocation of claims files and other paper records if required
- Protecting vital information
- Identifying and employing structural and engineering contractors as required
- Assigning resources to establishing alternative accommodation
- Acquiring furniture, equipment and software to meet recovery requirements
- Maintaining an inventory of losses

SUPPLIERS
- Supplying and sourcing all necessary facilities
- Procurement of removal services