Essex Clinical Commissioning Groups. Business Continuity Management System. Business Impact Analysis Process




Essex Clinical Commissioning Groups
Business Continuity Management System
Business Impact Analysis Process

Policy Author: Daniel Hale - Head of Emergency Planning
Version: 1.0
Date ratified: 03/07/2013
Ratifying Body: Essex CCG Integrated Emergency Preparedness Committee
Review date: 03/07/2014
Impact Assessment: N/A
Date:

Board/Governing Body Approval

| CCG | Approval Date |
|---|---|
| Basildon and Brentwood CCG | 07/12/2013 |
| Castle Point and Rochford CCG | 25/07/2013 |
| Mid Essex CCG | 25/07/2013 |
| North East Essex CCG | 30/07/2013 |
| Southend CCG | 25/07/2013 |
| Thurrock CCG | 31/09/2013 |
| West Essex CCG | 25/07/2013 |

Contents

1.0 Introduction
2.0 Information
2.1 Definitions
2.2 Key Services
2.3 Prioritised Activities
2.4 Minimum Business Continuity Objectives
2.5 Time Critical Periods
3.0 Planning Assumptions
4.0 Risk Management
5.0 Initial BIA Method
6.0 Full BIA Method
6.1 Business As Usual Operations
6.1.1 Staffing
6.1.2 Location of Activity
6.1.3 Information Technology Systems
6.1.4 Equipment
6.1.5 Key Dependencies
6.2 Critical Time Periods/Service Priorities
6.2.1 Minimum Business Continuity Objectives
6.3 Minimum Business Continuity Objectives
6.3.1 Staffing
6.3.2 Location of Activity
6.3.3 Information Technology Systems
6.3.4 Equipment
6.4 Risk Assessment
6.5 Approval Process
7.0 BIA Review Method
7.1 Annual Review
7.2 Ad-hoc BIA Review
7.3 Emergency Planning Team Review
7.4 Audit Programme
8 Training

1.0 Introduction

Essex Clinical Commissioning Groups (CCGs) are committed to implementing a robust Business Continuity Management System (BCMS) to ensure the continued delivery of safe and effective healthcare commissioning and management through alignment to ISO22301. Business Impact Analysis (BIA) is a vital process in achieving alignment, which will enable an understanding of the effects a business continuity incident may have on the operations of Essex CCGs.

BIAs will be undertaken in support of the Essex CCG Business Continuity Management System Scope and Policy (which provides the framework and purpose for implementing BCM) to enable the organisation to comply with the BC requirements of the Department of Health and the expectations of stakeholders, through the implementation of a BCMS.

1.1 Scope

The scope for BIA is informed by the Essex CCG Business Continuity Management System Scope and Policy and will include:

- All business operations undertaken in the course of commissioning and managing healthcare services; and
- Any supporting dependency, which supports the prioritised activities and key services of the CCG.

1.2 Aim

By undertaking BIA and regular review as per ISO22301, Essex CCGs aim to establish:

- Prioritised activities;
- Locations for prioritised activities;
- Resources required for prioritised activities;
- Dependencies for prioritised activities;
- Service level risk assessments; and
- Changes to business operations

for the defined key services as documented within the Essex CCG Business Continuity Management System Scope and Policy.

To determine the impact of a disruption to prioritised activities which support Essex CCGs' key services by:

- Assessing over time the impacts that would occur if an activity was disrupted
- Establishing the Maximum Tolerable Period of Disruption (MTPOD), identifying:
  - the maximum time period after the start of a disruption within which the activity needs to be resumed,
  - the minimum level at which the activity needs to be performed on its resumption (Minimum Business Continuity Objective - MBCO)
  - the level of time within which normal levels of operation need to be resumed (Recovery Time Objective - RTO)

To document the impact of a disruption to prioritised activities, which support Essex CCGs' key services, through the creation of completed and document controlled BIA datasheets.

1.3 Objectives

Essex CCGs' main objective for undertaking BIA is to:

- Undertake initial project work to meet the requirements of alignment to ISO22301;
- Regularly review prioritised activities to maintain the BCMS;
- Capture change to Essex CCG operations; and
- Increase assurance of Essex CCGs' resilience to respond to and recover from disruptive incidents.

2.0 Information

2.1 Definitions

The Essex CCG Business Continuity Management System Scope and Policy outlines all definitions within the Business Continuity Management System, including the use of all ISO22301 descriptors.

2.2 Key Services

The key services of Essex CCGs will be determined annually by Chief Operating Officers and approved by CCG Boards/Governing Body, in consultation with key stakeholders, and will be documented within the Essex CCG Business Continuity Management System Scope and Policy.

2.3 Prioritised Activities

The prioritised activities will deliver the organisation's key services and will be determined by the BIA Process. Prioritised activities will be approved annually by Chief Operating Officers and CCG Boards/Governing Body and will be documented within the Essex CCG Business Continuity Management System Scope and Policy.

2.4 Minimum Business Continuity Objectives

The Minimum Business Continuity Objectives (MBCO) for each prioritised activity will be determined annually by Chief Operating Officers and approved by the CCG Boards/Governing Body, and will be documented within the Essex CCG Business Continuity Management System Scope and Policy. The following MBCO have been agreed:

2.5 Time Critical Periods

The time critical periods for each prioritised activity will be determined annually by Chief Operating Officers and approved by CCG Boards/Governing Body and will be documented within the Essex CCG Business Continuity Management System Scope and Policy.
3.0 Planning Assumptions

The perceived disruptions and risks to the CCGs' key services and prioritised activities are likely to be caused by, but are not limited to, the following scenarios:

Loss of Staff
- Increased staff sickness/absence due to pandemic influenza or infectious disease outbreak (including increased caring requirements through the closure of schools).
- Increased union activity.
- Inability of staff to travel to place of work caused by severe weather, major transport failure or disruption to road fuel network.
- Increased vacancy rate due to high staff turnover.

Loss of Facilities
- Full or partial loss of CCG premises due to severe weather, for example flooding.
- Full or partial loss of CCG premises due to loss of utilities, for example electricity, gas and water provision failure either internal or external.
- Full or partial loss of CCG premises due to fire/explosion, flood or structural failure.

Loss of Systems and Software
- Full or partial loss of CCG networked computer systems (including hardware such as printers & photocopiers), for example power failure, corruption of data or systems failure.
- Full or partial loss of CCG communications systems, for example systems failure either internal or external (including networked telephones, mobile telephones & pagers).

Supply of External Products and Services
- Inability of suppliers to deliver consumables or services, for example equipment maintenance, office supplies or services delivered through the Commissioning Support Unit (CSU) such as Information Technology.

4.0 Risk Management

The Business Continuity Management System will fully integrate with CCG Risk Management Strategies as per Section 9.0 Risk Management of the Business Continuity Management System Policy and Scope.

5.0 Initial BIA Method

Initial BIAs were undertaken by the Emergency Planning Team as part of the project work to align to ISO22301, following the Full BIA Method outlined in Section X, and included the creation of datasheets for:

- Prioritised activities as per the Essex CCG Business Continuity Management System Scope and Policy; and
- Key dependencies provided by the Commissioning Support Unit as per the Essex CCG Business Continuity Management System Scope and Policy.

6.0 Full BIA Method

Full BIAs will be undertaken using the Template BIA Datasheet (Appendix One) following the method outlined. It is recommended that they are undertaken in a workshop format led by the Head of Emergency Planning, with attendance from Heads of Service and a number of staff across pay bands.

A variety of pay bands/roles from services should be represented to ensure that those familiar with undertaking prioritised activities are able to contribute. The BIA workshop should be led by the process set out in the Template BIA Datasheet and should focus on:

6.1 Business As Usual Operations

The aim of this section is to document the routine business as usual working arrangements for the following:

6.1.1 Staffing

The information provided should include the number of whole time equivalents, current work rota broken down by day, time and quantity of staff by pay band and any operational differences which may occur, such as work only undertaken by a morning shift, e.g.

| Service / Activity | Monday to Friday | Total Number of Staff (WTE) |
|---|---|---|
| Corporate Services | 0730-1500 Band 3x1; 0900-1700 Band 7x1, Band 6x2, Band 4x2; 1430-1830 Band 3x1 | 6.5 |

6.1.2 Location of Activity

The information provided should detail the building location and owner, listing the physical areas used to undertake prioritised activities. The information should reflect the geographical locations for activities, e.g.

| Location of Services / Activities (inc Building Name & Address) | Building owned by (Prop Co/Trust/Community Site/3rd Party) | Services / Activities |
|---|---|---|
| Ground Floor, Swift House, Hedgerows Business Park, Colchester Road, Chelmsford CM2 5PF | Prop Co Owned | Corporate Services, PALS, Reception, Strategy |
| First Floor, Swift House, Hedgerows Business Park, Colchester Road, Chelmsford CM2 5PF | Prop Co Owned | Finance, Performance Management |

6.1.3 Information Technology Systems

The information provided should list the IT hardware, software and telephony equipment, including quantities, used within the location to undertake prioritised activities, listed alphabetically, e.g.

| Service / Activity | IT Hardware | IT Application / Software (inc version) |
|---|---|---|
| Reception | Desk Top PC x2 | Microsoft Office 2008; Internet Explorer; Room Booking Client |
| | Landline x2 | Telephony |

6.1.4 Equipment

The information provided should create a matrix of equipment, including quantities for large/specialist pieces used to undertake the prioritised activities, listed alphabetically, e.g.

| Service / Activity | Franking Machine | Photocopier | Binding Machine |
|---|---|---|---|
| Corporate Services | No | Yes | Yes |
| Reception | Yes | Yes | No |

6.1.5 Key Dependencies

The aim of this section is to define what key dependencies the department has during routine working, including departmental, internal and external, e.g.

Departmental

The information provided should list any internal individuals within the department on whom there is a key dependency, such as specific skills, expertise or access not shared with others in the department, e.g. user access to a specific system.

| Name of individual / Title of Role | Nominated Deputy | Skills / expertise not shared with colleagues |
|---|---|---|
| John Smith | Anne Moore | Full access/rights room booking client |

Suppliers

The information provided should list any internal departments and external organisations which provide a service, product or goods, listed alphabetically, e.g.

| Service / Activity | Internal Supplier | Service/product or goods provided | External Supplier | Service/product or goods provided |
|---|---|---|---|---|
| Reception | | | DHL | Courier Services |
| | | | Royal Mail | Postal Services |

Customers

The information provided should list any internal departments and external organisations which receive a service, product or goods, listed alphabetically, e.g.

| Service / Activity | Internal Customer | Service/product or goods received | External Customer | Service/product or goods received |
|---|---|---|---|---|
| Reception | All Departments | Reception Visitors Switchboard | General Public | Switchboard |

6.2 Critical Time Periods/Service Priorities

The aim of this section is to agree what impact a disruption to the delivery of a service/product would have over time, so that the priority for service restoration can be established. A rating for each of the impact priorities over time should be given for each of the services, products and activities using the following descriptors.

| Impact Level | Description | Patient Experience / Outcome and Quality | Financial Cost/Loss | Adverse Publicity / Reputation | Business Objectives |
|---|---|---|---|---|---|
| 1 | Insignificant | Unsatisfactory patient experience not directly related to patient care | Small loss | Rumours | No impact to delivery of business objectives |
| 2 | Minor | Unsatisfactory patient experience - readily resolved | Loss > 0.1% of budget | Local media - short term. Minor effect on staff morale. | Minor delay in delivering some non-core business objectives |
| 3 | Moderate | Mismanagement of patient care, short term effects (less than a week) | Loss > 0.25% of budget | Local media - long term. Significant effect on staff morale. | Inability to operate some non-core business objectives |
| 4 | Major | Serious mismanagement of patient care, long term effects (more than a week) | Loss > 0.5% of budget | National media <3 days | Ability to operate/provide core business objectives only |
| 5 | Catastrophic | Totally unsatisfactory patient outcome or experience | Loss > 1% of budget | National media >3 days. MP concern (questions in the House) | Inability to operate/provide some core business objectives |

NB: Descriptors were shared with governance, risk and executive leads across CCGs for comment/agreement.

Template for recording priorities, completed for each Service/Product/Activity:

- Impact Priorities: Patient Safety / Outcome; Financial Cost/Loss; Reputation; Business Objectives
- Priorities (time periods): 0 4 Hour Hours; 1 Day; 3 Days; 1 Week; 2 Weeks; 3 Weeks; 1 Mnth; 1+ Mnths

6.2.1 Minimum Business Continuity Objectives

This section will establish the Minimum Business Continuity Objectives for each service, based upon the Critical Time Periods and Service Priorities.

| Service | Minimum Business Continuity Objective |
|---|---|
| Clinical Quality | Within 4 hours Clinical Quality will undertake all SUI reporting and investigation. |

6.3 Minimum Business Continuity Objectives

The aim of this section is to agree what resources would be required to fulfil the Minimum Business Continuity Objectives to be achieved for prioritised activities, during the recovery phase from a business continuity incident, to ensure the safe and effective continuation of healthcare commissioning and management. The information gathered under business as usual operations (Section 7.1) should be reviewed to state the MBCO for each category.

6.3.1 Staffing

The information provided should list the minimum number of whole time equivalents and any changes to work rotas broken down by day, time and minimum quantity of staff by pay band required to deliver MBCO, e.g.

| Service / Activity | Monday to Friday | Total Number of Staff (WTE) |
|---|---|---|
| Corporate Services | 0900-1700 Band 7x1, Band 6x1, Band 4x1 | 3 |

6.3.2 Location of Activity

The information provided should list the minimum physical areas required, listed alphabetically, to undertake the MBCO. Open plan areas should be broken down into areas by the activity undertaken and listed alphabetically, e.g.

| Location of Services / Activities (inc Building Name & Address) | Building owned by (Prop Co/Trust/Community Site/3rd Party) | Services / Activities |
|---|---|---|
| Ground Floor, Swift House, Hedgerows Business Park, Colchester Road, Chelmsford CM2 5PF | Prop Co Owned | Corporate Services, PALS, Reception |

6.3.3 Information Technology Systems

The information provided should list the IT hardware, software and telephony equipment, including quantities, required by each department to provide MBCO, listed alphabetically, e.g.

| Service / Activity | IT Hardware | IT Application / Software (inc version) |
|---|---|---|
| Reception | Landline x1 | Telephony |

6.3.4 Equipment

The information provided should create a matrix of equipment, including quantities for large/specialist pieces required to provide MBCO, listed alphabetically.

| Service / Activity | Franking Machine | Photocopier | Binding Machine |
|---|---|---|---|
| Corporate Services | No | No | No |
| Reception | No | No | No |

6.4 Risk Assessment

This section lists the disruptive events to prioritised activities using the likelihood descriptors of the Corporate Risk Register.

| Risk | I | L | R | Mitigation | I | L | R | Outcomes, evidence and residual risk |
|---|---|---|---|---|---|---|---|---|
| Loss of Telephony | 3 | 2 | 6 | 2 x Resilient phone lines with redundancy | 3 | 1 | 3 | |
| | | | | SLA with BT for 4 hour resolve time | 3 | 2 | 6 | |
| | | | | Ability to divert switchboard number | 1 | 2 | 2 | |

6.5 Approval Process

The completed datasheet will be approved by the person with responsibility for the department/function at board level, who will be responsible for ownership of the datasheet, ensuring it is kept up to date with any changes to prioritised activities, key services or departmental resourcing, and undertaking BIA reviews as required.

BIA outcomes are recorded within the Business Continuity Management System Scope and Policy; as such, this document receives formal approval at CCG Board/Governing Body level in line with Section 14.1 Document Approval of the Scope and Policy Document.

7.0 BIA Review Method

To ensure that datasheets for prioritised activities are maintained, to reflect the key services of Essex Clinical Commissioning Groups and their prioritised activities, a review programme will be implemented. All reviews will be carried out in line with this policy to ensure auditable records of these evaluations and to enable monitoring of any recommended changes.

The purpose of BIA review is to ensure that datasheets remain up to date and correctly reflect the organisation's and departments':

- Key products and services;
- Prioritised activities and resources;
- Key dependencies;
- Risk assessment; and
- Changes to business operations or processes.

7.1 Annual Review

An annual review will be undertaken by the departmental manager with ownership for the datasheet, with the date determined by the ratification date.

7.2 Ad-hoc BIA Review

As business and departmental structures and processes change, it may be necessary for the departmental manager with ownership of the datasheet to conduct an ad-hoc review to ensure the information is correct and up to date. An ad-hoc review will be required for any operational or business change which affects or changes a department's current BIA.

All completed BIA reviews will be required to receive approval from CCG Boards/Governing Body as per Section 14.1 Document Approval of the Business Continuity Management System Scope and Policy.

7.3 Emergency Planning Team Review

To ensure the BCMS remains fit for purpose, a table top review of all BIAs will be undertaken by the Emergency Planning Team in conjunction with the named datasheet owner every three years. The date for EP review will be determined by the original ratification date.

7.4 Audit Programme

BIA datasheets will be included within the Business Continuity Management System Audit Programme and Schedule.

8 Training

Training for individuals with Business Continuity responsibilities has been assessed within the Business Continuity Management System Training Needs Analysis. It is expected that all individuals within the organisation will have completed Mandatory Business Continuity Training.