Business Continuity (Policy & Procedure)




Publication Scheme Y/N Can be published on Force Website
Department of Origin: Force Operations
Policy Holder: Ch Supt Head of Force Ops
Author: Business Continuity Coordinator Force Ops
Related Information:
- Authorised Professional Practice: Decision Making
- Civil Contingencies Act 2004
- British Standard Business Continuity Management System Requirements ISO 22301: 2012
- Business Continuity Institute Good Practice Guidelines
Date first approved at BMG: 21/11/2007
This Version: V 3.0
Created: 06/06/2013
Date of Next Review: 06/06/2016
June 2013

Business Continuity Force Ops Dept

Policy Statement

The ability of all organisations, large or small, to survive disruptions to everyday business practice is essential in the 21st Century. It guards the public's expectation of an acceptable standard of service and quality of life. For most organisations Business Continuity Planning just makes good business sense, but for the police service it is an obligation imposed by the Civil Contingencies Act 2004.

Merseyside Police has based its Business Continuity Management on the Guidelines issued by HM Government Emergency Preparedness Manual, the Business Continuity Institute and the British Standard Business Continuity Management System Requirements ISO 22301:2012.

Through Business Continuity Planning, Merseyside Police is not only able to respond effectively to emergencies but is also in a position to continue normal policing functions to agreed minimum service levels.

Aim

This policy aims to ensure a formal, coordinated and consistent approach is adopted regarding all Business Continuity Management activities throughout the Force. The policy is underpinned by procedures that aim to detail responsibilities, processes and structures for delivering effective Business Continuity Management.

Objectives

The primary objective of the policy is to manage business disruptions in a way that reduces their impact on the organisation to an agreed acceptable level. Associated objectives are to:
- Improve our force wide Business Continuity Management Programme
- Improve the Force's Business Continuity Planning Processes
- Improve our Business Continuity test, maintenance, audit and review processes
- Improve Business Continuity Management awareness within the organisation

Status: V3.0 Last Update: 06/06/2013

Application & Scope

All police officers and police staff, including the extended police family and those working voluntarily or under contract to Merseyside Police, must be aware of, and are required to comply with, all relevant policy and associated procedures.

This policy particularly applies to:
- All officers and staff nominated as Business Continuity Champions
- All officers and staff attending Business Continuity meetings

Outcome Evaluation

Outcomes will reflect specific objectives and be measured against these objectives at least annually. Individual measures are set out in a separate Deployment Plan managed by the Business Continuity Manager. In broad terms, measurement will be done through observation and analysis of tests and exercises at Strategic, Tactical and Operational levels throughout the force.

Review of the success of Business Continuity Management will be conducted via the Force Business Continuity Management Board. Overall, adherence to this policy should:
- Strengthen the Force's ability to deal with internal/external disruptions to our key services and critical functions
- Protect the image and reputation of the Force
- Strengthen the Force's Business Continuity Management Processes
- Improve Business Continuity awareness within the organisation.

Procedure

Version History

06/06/2013 - V 3.0 - Amended to reflect requirements of ISO 22301

Contents

- Introduction
- Business Continuity or Major Incident
- Support & Training
- BCM Process
- BCM Infrastructure
- Analysis
- Design
- Implementation
- Embedding Business Continuity
- Validation
- Policy & Programme Management
- Appendix A - Force Roles & Responsibilities
- Appendix B - Invocation & Escalation
- Appendix C - Risk Notification Procedure
- Appendix D - Process Aide Memoir

1. Introduction

1.1 The Civil Contingencies Act 2004 places a statutory duty on the police to have Business Continuity Management (BCM) in place to ensure continued service delivery of essential services. BCM is also a regulatory requirement for compliance with the ACPO Community Security Policy and an integral part of the Force's risk management framework.

1.2 Merseyside Police has aligned its BCM arrangements with the British Standard ISO 22301. This sets out the process and principles of BCM and enables the Force to measure its BCM capability in a consistent and recognised manner.

1.3 This document, which should be read in conjunction with the BCM Policy, provides high-level guidance on the methodology for developing and implementing BCM within Merseyside Police. For detailed practical application, reference should be made to the BCM Guidance Manual.

2. Business Continuity or Major Incident

2.1 All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. BCM provides the capability to adequately react to operational disruptions, while protecting the welfare and safety of staff.

2.2 However, it is important not to confuse BCM with the Force's operational response to major incidents. BCM focuses on internal issues to maintain the Force's organisational capabilities, whereas the Force's response to a major incident focuses on external events.

3. Support & Training

3.1 Individuals who have responsibility for BCM will receive training and support from the force Business Continuity Coordinator. This training will ensure that individuals have the experience to deliver an effective BCM Plan. They will receive support and guidance throughout the year, particularly when a Plan is to be reviewed annually.

4. BCM Process

4.1 BCM is proactive and concentrates on everything needed to continue the critical business processes in the event of an interruption. It focuses on the effects and not the cause of the disruption.

4.2 The relevant stages are:

4.2.1 Analysis
The Force will identify all key business processes and activities, including interdependencies and other influences that might impact on them. These will be assessed and prioritised to enable the focusing of resources to ensure that the most critical are restored promptly in the event of disruption.

4.2.2 Design
Having established its priorities, the Force will identify and choose options for continuing the Force's critical processes and activities after an incident, to an agreed minimum level.

4.2.3 Implementation
Business Continuity Plans will provide an effective, predefined and documented framework and process to respond to disruptive incidents affecting the Force's critical processes and activities.

4.2.4 Validation
No matter how well designed and thought out a BCM plan is, it must be exercised to ensure its effectiveness. Maintenance and auditing are essential to ensure compliance with the standards adopted by the Force. The Force will continually review its arrangements and test the plans on an annual basis.

4.2.4 Embedding BC
BCM will become an integral part of the Force's strategic and day-to-day management activity by the introduction of awareness and training. This will be a continuous process.

4.2.5 Policy & Programme Management
The Force's BCM Programme will provide a clearly defined and documented process for the co-ordination and governance of all BCM activity.

5. BCM Infrastructure

5.1 An essential element of developing a successful BCM is the proactive support of Senior Management. By demonstrating commitment and playing an active role in the BCM process they can ensure its successful implementation.

5.2 Before undertaking the various stages of the BCM process, BCU Commanders and Heads of Departments will need to establish a supporting infrastructure.

5.3 Consideration must be given to the necessity of maintaining business as usual, whilst dealing with a disruption requiring business continuity management and the potential for a major incident response should the disruption escalate or a separate event occur.

5.4 Therefore the BCM infrastructure should mirror existing arrangements, as far as possible, without assigning individuals more than one role. This should be integrated into the existing risk management and planning framework.

5.5 The Force BCM Roles & Responsibilities are listed in Appendix A. However, two critical roles in the BCU or departmental BCM infrastructure are detailed below.

5.6 Business Continuity Management Team (BCMT) Leader

5.6.1 The BCMT should reflect all the processes and activities undertaken by the BCU or department.

5.6.2 In the event of the Plan being invoked, the BCMT Leader will co-ordinate the responses and provide general support and instruction to those involved in the response. The Leader of the BCMT will provide a link to the BCU Commander or Head of Department.

5.6.3 Whilst the Force is not prescriptive in who should conduct which role in the BCMT, the Team Leader should have appropriate seniority and authority to be accountable for BCM implementation.

5.7 Business Continuity Champion

5.7.1 The Business Continuity Champion has responsibility for the ongoing administration and maintenance of the BCM arrangements, including exercising, auditing and amending the plan, at a BCU or departmental level. The BCC is also the single point of contact with the force Business Continuity Coordinator.

6. Analysis

6.1 Identifying Critical Business Processes

6.1.1 The key to understanding the organisation is to identify the key business processes. This must be completed annually or on any occasion there is a significant change to business processes.

6.1.2 The objective of this stage is to identify and rank in priority order the critical processes and activities.

6.1.3 Using the Business Plan and Strategic Assessment, BCUs and Departments should identify their core operational objectives and how they align with the Force's strategic objectives. Those critical processes and activities, which are crucial to achieving the objectives, should be identified and given the highest priority.

6.2 Risk Assessment & Business Impact Analysis (BIA)

6.2.1 Based on risk assessment, the BIA determines, in specific timeframes, the impact on the Force's service delivery if critical processes were disrupted. It also details the minimum resource requirements to recover the critical processes within the timeframes. A Business Impact Analysis must be completed for each process identified.

6.3 Maximum Tolerable Period of Disruption (MTPD)

6.3.1 The BIA should identify the MTPD. Each critical process requires examination to establish when (hours, days or weeks) an interruption to the process would become critical to its service delivery. The critical processes should then be ranked according to MTPD, with the shortest MTPD being given the highest priority for recovery.

6.4 Prioritisation

6.4.1 By combining the Risk Assessment priorities with the MTPD, a prioritised matrix for recovery is established. This forms the basis of the business continuity plan (BCP).

6.5 Interdependency Requirements

6.5.1 Some processes might be dependent on activities elsewhere in the Force or on external dependencies such as suppliers, contractors, regulators and agency partners. It is essential that these interdependencies are included in the BIA.

6.6 Single Point of Failure

6.6.1 Consider whether any single point of failure exists. Examples include any piece of equipment, communication link, key document or even a person which, if lost or absent, would halt a critical process. If identified, an alternative or back up for this single point of failure should be introduced.

6.7 Backlogs

6.7.1 During the planning stage, consideration ought to be given to the impact of clearing any backlog which develops during the disruption.

6.8 Vital Equipment & Backup Procedures

6.8.1 The BIA should record details of vital equipment, records and systems essential to the critical process, together with any back up procedures or other special arrangements.

6.9 Senior Management Sign Off

6.9.1 The BIA identifying the critical processes and the recovery prioritisation list must be submitted to senior management for approval and sign off.

7. Design

7.1 The BCM options to be considered are those alternative methods and workarounds that enable the minimum level of service delivery. An example would be reverting to manual when IT is disrupted or moving to an alternative site. Alternative options might be required for the following resources:
- People;
- Workspace;
- Information & Communications Technology;
- Equipment / Resources;
- Critical Information / Documentation;
- Resources supplied by third parties / internal contracts.

7.2 It is crucial that the selected BCM options:
- Ensure employee safety;
- Protect the viability of the organisation;
- Reduce or mitigate exposures, confusion or chaos;
- Position the organisation to respond to a disruption.

7.3 The options should be realistic. Consideration must be given to the challenges that staff will face during a disruptive event. The aim is to provide the minimum level of performance necessary, in the event of a significant disruption.

7.4 Options are required for three phases:

| Planning Phase | Primary Goal | Trigger | Time Frame |
| Emergency Response (Immediate) | Protect life and property | Initial disruption | 0-24 hours |
| Continuity Response (Interim Processing) | Resume critical processes and activities & suspend non critical functions | Maximum Tolerable Period of Disruption exceeded | 24 hours - 1 week (or until critical processes restored) |
| Recovery Procedure (Restoration) | The staged return to pre-disruption levels of operation or improved capability | End of emergency, runs in parallel with the continuity response | Beyond 1 week (or until processes restored) |

7.5 If reciprocal arrangements have been made regarding relocation to a back up site, these should be clearly documented and signed off by both parties. The agreement should specify the terms of access, accommodation, transfer procedures, equipment, timescales, cost reimbursement and any constraints or special conditions, as well as any other mutual arrangement.

8. Implementation

8.1 Business Continuity Plans

8.1.1 Merseyside Police has a hierarchy of plans with different command and control levels and owners.

| Plan | C&C Level | Control Document | Purpose |
| Tier 3 | Strategic | Force Business Continuity Plan - Corporate Framework | Provides overarching structured approach to BCM |
| Tier 2 | Tactical | Business Continuity Plans for BCUs, Departments, Geographical Sites | Pre-determined responses to restore service capability, according to force priorities |
| Tier 1 | Operational | Specific work area recovery plan | Station/Work Units Local recovery arrangements |

Owner column, as listed: ACC Operations; Business Continuity Management Team (BCMT); BCU Commander or Head of Dept's; Local OIC/Manager.

8.1.2 A BCP template has been developed for use throughout the Force. The completed plan should be flexible enough to enable responses to a wide variety of potential generic disruptions.

8.1.3 The BCP should always be based on the worst-case scenario, i.e. a major disruption will happen at the worst time on the worst day possible.

8.1.4 The development of the plan does not signify the end of the BCM process. The process is dynamic. Nor does the plan provide BCM competence or capability, but rather it provides the approach to an effective capability to respond/recover.

8.1.5 Business Continuity Coordinators are responsible for version control of the completed BCP and providing a copy to the Business Continuity Department, annually or after every amendment. The template can be obtained from the Business Continuity Department.

8.2 Off-Site Storage & Battlebox

8.2.1 Copies of the BCP and essential equipment required for its implementation should be stored off site.

8.2.2 Consideration should be given to establishing a battlebox containing all information and portable equipment required in the early stages of a disruptive incident, which could be accessed in the event of an incident or easily transported to another site, if circumstances dictate. Content might include BCP, documentation for manual processing, IT back up and recovery arrangements, staff lists, relocation maps etc.

8.3 BCPs Invocation & Escalation Procedure

8.3.1 The detection of an event that could result in a critical disruption of service provision is the responsibility of whoever first discovers or receives information about an emergency situation.

8.3.2 Upon discovery, the Business Continuity Champion should be informed. If necessary, the departmental duty manager or BCU duty officer should also be notified. If out of hours, the Force Duty Officer must be informed.

8.3.3 A tiered approach to escalation is in place and the apparent scale of the incident will determine the notification procedure required. For example, a disruption may begin at a station but escalate to having implications for the Force. In every case the BC Champion will conduct an initial assessment and notify the BCMT Leader. If necessary, the BCMT Leader will authorise the call out of the remaining team members.

8.3.4 Appendix B sets out the notification, invocation and escalation procedures for a disruption that may escalate from a station to having force implications.

8.3.5 In the event of a disruption or a near miss, the BCC has a responsibility for completing the governance report as detailed in Appendix C.

9. Embedding Business Continuity

9.1 BCU Commanders and Heads of Departments should seek to develop a BCM culture in their BCU or Department by:
- Giving proactive support to the BCM process;
- Encouraging training and awareness in BCM;
- Ensuring ownership of BCM;
- Demonstrating a commitment to the annual programme of audit, maintenance and review of the BCM plans;
- Communicating the importance of BCM to all staff and their roles and responsibility.

10. Validation

10.1 Exercise Programme

10.1.1 Exercising allows the evaluation of the plan, identifying any gaps or weaknesses. It provides an opportunity for key personnel to rehearse and gain familiarity with the Business Continuity processes.

10.1.2 The Exercise Programme should be a progression of exercise types, each one building on the lessons of the previous exercise, finally culminating in a full test of the BCP annually. The component parts of the plan should be exercised more frequently. The BC Champion is responsible for organising the component tests.

10.1.3 The force Business Continuity Coordinator will manage the Force BCM Exercise Programme. Support and guidance in preparing for the annual BCP test will also be provided.

10.2 Maintenance & Review

10.2.1 The Force exists in a dynamic environment. It is subject to changes in people, processes, supplies, risk and environment. To remain current, BCM arrangements must be reviewed and updated, as well as being subject to audit and inspection.

10.2.2 BCU Commanders and Heads of Departments are responsible for the maintenance of their BCP and should ensure that:
- BCM is a standing item on the agenda for Senior Management Team Meetings;
- BCM is included in the BCU or Department's formal induction process;
- BCM should be aligned to the Risk Management arrangements;
- The BCMT meets to review the BCU/Department BCM arrangements at least once every 12 months;
- The Business Continuity Champion regularly reviews the currency of the BCP and revises it as necessary;
- The components of the BCP are tested regularly and the full plan annually;
- BCU/Departmental BCM is subject to local audit by the BC Champion;
- Governance Reports are forwarded to the Force BC Coordinator.

11. Policy & Programme Management

11.1 A fundamental element of the BCM Programme is the need to continually monitor, evaluate and assure its performance. BCUs and Departments should ensure their plans meet the required standard by regularly measuring them against the Force's policy and guidance.

11.2 The force will ensure that its BCM arrangements are aligned with BCM British Standard ISO 22301.

11.3 The Assistant Chief Constable (Operations) is responsible for Executive oversight of the BCM programme.

11.4 Appendix D summarises the entire process and is a useful aide memoir.

APPENDIX A - FORCE ROLES & RESPONSIBILITIES

Chief Constable
a) Ensure that BCM is effectively implemented in line with agreed policy and strategy;
b) Monitor and review effectiveness of the Force's BCM;
c) Ensure the continued and consistent use of the Force's BCM policy and on a corporate basis;
d) Promote the overall commitment of the Force to BCM.

Assistant Chief Constable (Operations)
Responsible for Executive oversight of the BCM programme.

BCU Commander & Head of Department
a) Implement the requirements of BCM on a local basis;
b) Ensure the production of Business Continuity Plans on a BCU or departmental basis;
c) Maintain and review BCM arrangements to ensure they remain current;
d) Promote BCM awareness at a local level;
e) To monitor any trends and patterns occurring under the seven strands of diversity.

Force Business Continuity Manager
a) Support staff on aspects of BCM policy;
b) Monitor and report the results of BCM activity to the Force Executive;
c) Promote BCM best practice across the Force;
d) To monitor any trends and patterns occurring under the seven strands of diversity.

BCU / Department Business Continuity Champions
a) Promote procedures and practices that comply with the BCM Standard Operating Procedures;
b) Provide advice on business continuity situations through a process of risk assessments, impact analysis and resource implications, producing recommendations to senior management when required;
c) Facilitate exercises throughout the year to test component parts of the BCP;
d) Liaise with the Force BC Coordinator;
e) Review, maintain & update each section within the BCP;
f) Carry out any other task necessary for the efficient functioning of Business Continuity Plans.

Force Business Continuity Coordinator
a) Support staff on aspects of BCM;
b) Monitor and report the results of BCM activity to the Force BC Manager;
c) Provide staff with advice and training in BCM;
d) Develop and coordinate the Force's BCM exercise programme;
e) Promote BCM best practice across the Force;
f) To monitor any trends and patterns occurring under the seven strands of diversity.

Independent Assurance

Internal Audit
a) Carry out an independent examination of the BCM arrangements and processes, with the objective of providing assurance to the Force Executive.
b) The nature and extent of audit coverage will be determined via the Internal Audit planning process.

Information Security Officer
Ensure that the BCM policy and related activity, including amendments, meets the compliance requirements of BS 7799 & ISO 1799:2000(E).

Individual Officers and Support Staff
a) Awareness of the BCM policy and procedure, including the implications for their activities;
b) Undertake BCM processes as required by Force policy;
c) Ensure that BCM arrangements are kept current and effective, reflecting changes in working practices or processes.

Business Continuity Procedure Force Ops Dept

APPENDIX B - ALERT, INVOCATION & ESCALATION DIAGRAM

[Flowchart: alert, invocation and escalation decisions across three levels (Unit / Section / Work Area; BCU / Department; Force), ending in each case with service resumed, the BC procedure ending and a Governance Report being submitted.]

APPENDIX C - RISK NOTIFICATION PROCEDURE

Background

Part of the responsibility of the Force BC Coordinator is to assess the business continuity risks faced by the Force. In order to do this, the BC Coordinator needs to know of any events occurring throughout the Force which may indicate a risk that requires to be monitored. This document identifies the factors that should be considered when assessing if an incident should be reported to the Force BC Coordinator.

Notification Process

The decision to notify should be based on three factors:
- Time: how long the incident lasts for or how long the outage is for;
- Effect: the effect the incident has on service, process or system;
- Scale: does the incident impact upon the Force, BCU/Department or work area.

To calculate the score the following applies: Time + Effect + Scale

These factors should be graded and scored, and incidents or occurrences that attract a score on or above the designated benchmark must be notified to the Force BC Coordinator using the attached reporting form (BCM Incident Record/Governance Report).

| Score | Time (outage) | Effect | Scale |
| 3 | 4 hours + | Total system failure | High - Force wide or above |
| 2 | 1-4 hours | Substantial or significant failure | Medium - Confined to a BCU or department |
| 1 | 0-1 hour | No or limited failure | Low - Local effect only |

Should the incident or occurrence concerned attract a combined added score of 5 or more, it will be required to be notified to the Force BC Coordinator.

Incidents such as, but not limited to, the following should be reported to the Force BC Coordinator:
- Power outage
- IT outage
- System failure

An incident that impacts on your ability to deliver a key service should be reported.

The following shows some examples of incidents laid out in a table format. These are shown for guidance purposes using the criteria listed above.

| Incident | Time | Effect | Scale | Total | Report |
| Loss of email system within force | 3 | 3 | 3 | 9 | Yes |
| Total loss of power to Lea Green for 45 mins | 1 | 3 | 1 | 5 | Yes |
| High sickness level of staff e.g. 30% involving more than one BCU. | 3 | 2 | 3 | 8 | Yes |
| Loss of Niche system at BCU for 30 mins | 1 | 1 | 1 | 3 | No |

Status: Draft V3.0 Last Update: 06/06/2013

Incident Reporting Responsibilities

Any incidents meeting the above criteria should be reported to the BC Coordinator as soon as is reasonably practical following the event.

BCU Reporting
- Head of BCU
- Duty Officer
- Business Continuity Champion
- Ensure a copy is forwarded to BCU Admin Manager

Departmental Reporting
- Head of Department
- Business Continuity Champion

There is a possibility that this could result in duplicate reporting following the initial implementation of this procedure. This process will be reviewed after six months to ensure that it is effective and efficient.

BCM INCIDENT RECORD/GOVERNANCE REPORT

Time & Date of Incident:
Location:
Discovered By:
Contact No.:
OIC of Incident:
Contact No.:
State whether: Near Miss, Local Resolution or BC Plan Invoked

Type of Incident (tick appropriate box):
- Total Loss of Building
- Significant / Partial failure of IT / Comms
- Loss of / damage to Primary Utilities
- Loss of Suppliers
- Significant / Partial Damage to Building
- Loss of / damage to Information / Data
- Loss of Staff
- Other (specify)

Summary of Circumstances:
Initial Actions:
Lessons Learned:
Report sent to BC Coordinator by:
Date:

APPENDIX D - BCM PROCESS AIDE MEMOIR

This diagram outlines in more detail how to conduct the various stages of the BCM process. It also highlights the key questions that should be asked.

Stages shown in the diagram:
- Start Up: Senior management support; Establish a BCM team; Identify Business Continuity Champion
- Risk Assessment: Determine critical processes of BCU/Department; Identify what assets are essential to deliver these processes
- Conduct Business Impact Analysis: Determine Business Processes; Determine Critical Functions; Determine MTPD; Prioritise Critical Functions
- Response Options: For emergency phase; For continuity phase; and For recovery phase
- Develop Business Continuity Plan: Complete the template with a set of easy to follow, easy to understand steps
- Exercise & Maintain Plans: Provide a regular training schedule that tests understanding & use of the plans. Update accordingly.
- Governance Reporting: Notify BC Coordinator of all reportable incidents
- Monitor & Review

Key questions shown in the diagram:
- What is important to the business of my BCU/Department?
- What else could affect those critical processes?
- What or who else does the critical process depend on, i.e. the interdependencies?
- What are the minimum critical business resources?
- What threatens the BCU/Department's ability to operate?
- When would a disruption critically impact on the BCU/Department's ability to operate?
- Are there any single points of failure?
- What alternative workarounds are there?
- What strategies or workarounds could deal with each phase, e.g. manual rather than IT?
- What other information should be in the plan?
- What can others learn from your experience?
