Birmingham CrossCity Clinical Commissioning Group Business Continuity Management Policy Version V1.0 Ratified by Operational Development Group Date ratified 6 th November 2014 Name of originator / author David Morris Name of responsible committee Operational Development Group Date issued 18 th November 2014 Review date 1 st November 2015 Target audience All staff 1
1 SUMMARY Business Continuity Management (BCM) is part of a business resilience package that seeks to ensure that Birmingham CrossCity Clinical Commissioning Group (CCG) is always best placed to deliver its objectives, its agreed levels of service and to do so consistently. Figure 1 below describes the role and context of BCM within a business resilience model. Figure 1 BUSINESS RESILIENCE The ability to effectively prepare for, respond to and successfully recover from an event, whether large or small, that might compromise the delivery of objectives RISK MANAGEMENT The process of making and carrying out decisions that will assist in the control of potentially adverse events that could compromise the delivery of objectives BUSINESS CONTINUITY The activity performed to ensure that business critical functions are available and able to maintain acceptable levels of service and consistency EMERGENCY PLANNING The process whereby plans and preparations are made to deal with major emergencies and incidents resulting in potential or actual harm to people and to assist in the welfare and recovery of the community LIKELIHOOD CONSEQUENCE INWARD FOCUS OUTWARD FOCUS SMALL/MEDIUM SCALE MEDIUM/LARGE SCALE PREPARATION RESPONSE AND RECOVERY 2
2 CCG CONTEXT The Health and Social Care Act 2012 introduced reforms to the way that health care is commissioned in England. The clinically led commissioning system involved the formation of a number of types organisations which took control from April 2013. Patient NHS E Provider CCG NHS PS Local Authority CSU NHS England (NHSE) oversees the commissioning of health services in England. NHSE delegates responsibility for commissioning most hospital and community health services to a network of clinical commissioning groups (CCGs) although it commissions certain specialised services itself. CCGs are responsible for planning and developing local health services in England. They commission health and care services including: planned hospital care, urgent and emergency care, rehabilitation care, community health services and mental health and learning disability services. CCGs work with patients and health and social care partners to ensure services meet local needs. Commissioning Support Units (CSUs) support and advise NHSE and CCGs, allowing them to concentrate on improving clinical care pathways and improving efficiency. The NHS property portfolio of owned and leased buildings is managed by NHS Property Services (NHS PS). Local Authorities (LA) have responsibility for the public health responsibilities previously held by the NHS. 3 BIRMINGHAM CROSSCITY CCG MISSION/VALUES/AIMS Vision: Excellence in commissioning through excellent primary care.. Identity: Birmingham CrossCity CCG is a clinically led organisation with the aim of improving health and health care within our local communities and across the city of Birmingham, based on the best available understanding of the health needs of our population. Purpose: 1. Commission the best health care to give the best outcomes, whilst balancing the books. 2. Make services work better and more seamlessly both in health and social care. 3. Improving quality across the whole system. 4. Work across the City to identify and roll out good and innovative practice. 3
Our Values: 1. This is a membership organisation, it s you, it s us; not them. 2. Big enough to redefine the system, local enough to listen. 3. An NHS you are happy and confident for you and your family to use. 4. Wherever possible work smarter not harder. 5. Change delivered together, by creating a common understanding across primary and secondary care, patients and the public. Strategic Priorities: 1. Address health inequalities. 2. Innovative, high quality and safe healthcare delivered by practices and commissioned providers. 3. Mental health service users and other vulnerable groups receive the right care. 4. Support people to live a good quality life. 5. Patients report that providers treat them effectively, safely and with dignity. 6. Gain the engagement and support of our patients and public in making decisions that affect their health and local health services. The CCG will pursue the delivery of its objectives through the application of a robust risk management methodology. 4 DEFINITION OF BUSINESS CONTINUITY MANAGEMENT The CCG defines Business Continuity Management (BCM) as: The activity performed to ensure that business critical functions are available and able to maintain acceptable levels of service and consistency. BCM is, therefore, a process that identifies the key processes that an organisation undertakes and the impact of a disruption on business operations. It provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value creating activities. BCM is not just about dealing with big impact, low probability events. BCM is essential to organisational resilience and a business as usual approach. The CCG is intent on using BCM to identify and protect key sources of value. 4
5 SIX STEPS TO BUSINESS CONTINUITY PLANNING/MANAGEMENT The CCG will follow a six step BCM lifecycle approach to the implementation and continuous operation of BCM. Step One: Step Two: BCM Programme Management Enables the business continuity capability to be both established and maintained in a manner appropriate to the size and complexity of the CCG. Understanding the Organisation Providing information that enables prioritisation of the CCG s products and services, the identification of critical supporting activities and the resources required to deliver them. Step Three: Determining BCM [Recovery] Strategy Choosing an appropriate response for each product or service such that the CCG can continue to deliver those products and services at the time of disruption. Step Four: Step Five: Step Six: Developing and Implementing BCM Response Developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations. Exercising, Maintaining and Reviewing BCM Arrangements Ability to demonstrate the extent to which the CCG s BCM strategies and plans are complete, current and accurate and identify opportunities for improvement. Embedding BCM in the Organisation s Culture Enabling BCM to become part of the CCG s core values and instilling confidence in all stakeholders in the ability of the organisation to cope with disruptions. This series of activities collectively covers all aspects and phases of a BCM programme. The BCM programme will: Enable the CCG to continue to deliver its responsibilities to and meet the expectations of its stakeholders Protect and secure the wellbeing of its staff and its key assets Design and implement a process to identify the key activities undertaken by the CCG and ensure that these processes can be recovered to an agreed level of activity within an agreed timeframe in the event of a disruption Provide the necessary awareness and training to all CCG staff Create a governance framework to provide assurance 5
6 BUSINESS CONTINUITY FOCUS The CCG will seek to explore and measure its ability to embed and operate business resilience methods and activities. Business Resilience encompasses Risk Management and Business Continuity and supports the achievement of organisational goals or objectives. The CCG will seek to achieve a level of maturity commensurate with its aspirations. The CCG will focus its business continuity activities on the likely consequence and impact of an event on the business rather than plan for the cause of every possible disruption or disaster. The loss of: People Premises Resources (Technology and Data/Information) Suppliers and Partners Reputation will be critical to the ability to continue to deliver the aims and objectives. Business continuity focuses on the impact a disruption would have on the CCG. Senior management determine the likely period of disruption and communicate with line managers. Line managers look at the critical activities being compromised and determine how they can continue through the application of predetermined business continuity plans. A separate work stream concentrates on recovery. 7 BUSINESS CONTINUITY MANAGEMENT AND RESPONSIBILITIES BCM is recognised by CCG s senior management as a business discipline that is owned by the CCG and co-ordinated and facilitated centrally. The CCG will take a cross functional approach to BCM. The CCG s Governance Team will primarily adopt a programme management and facilitating role. The plans to ensure the continuity of the business will be owned and maintained by the CCG in order to protect the key value creating processes or assets. The resources necessary to develop and maintain the required level of preparedness will be provided from within existing means. The CCG s senior management will: Review the CCG s products and services against its strategy, objectives, culture, ethics, legal and regulatory requirements to consider the options for each product and service Consider the impact of loss of products and services Set BCM priorities (including recovery times and/or the maximum tolerable period of disruption) for its products and services - see section 14 for glossary of terms. Determine the level of redundancy and/or investment available to support business continuity activities Ensure that it continues to understand, support and participate in the continuity planning approach should it devolve any of the tasks required Agree the CCG s tolerance to risk 6
A Business Continuity Working Group will: Undertake an assessment of the CCG s readiness to embed business resilience activities as a normal way of working Produce an awareness campaign to keep CCG staff informed Facilitate the implementation and achievement of business continuity objectives across the CCG Teams. The CCG s Audit and Governance Committee will: Ensure that the CCG has effective processes in place to identify its critical functions Ensure that the CCG has an effective strategy in place to mitigate the effect of any business continuity disruption The CCG s Governing Body will: Assure itself that the CCG can continue to deliver its Aims in the event of a business continuity disruption Every manager will have a business continuity management responsibility. This will be part of the activity that ensures that aims and objectives can continue to be delivered. Minor issues may impact on day to day but should be considered a part of day to day management activities. 8 SCOPE OF THE BUSINESS CONTINUITY PROGRAMME Business Continuity Management in the CCG will be based on the identification of the key CCG processes and the assignment of a level of importance to each process. A Business Impact Analysis (BIA) will be the primary tool for gathering this information and assigning criticality through the recovery time objectives (RTO). The Business Impact Analysis (BIA) will be undertaken at a senior management level in the first instance. The BIA will map the departments, functions and processes to key activities. It will provide the data necessary to formulate a Business Continuity Strategy. The Business Continuity Strategy will use the output from the BIA to identify recovery and continuity options that will meet the CCG s requirements and will be used to select the most appropriate consolidated response that best reflects the resources available to the CCG for this purpose. The Business Continuity Plan will provide a procedure for the escalation and control of a disruption, communicating with all stakeholders and will set out a plan for the recovery of key interrupted activities. 9 GOVERNANCE ARRANGEMENTS This policy applies to all Birmingham CrossCity CCG staff regardless of status and should be observed by all staff from other organisations providing services on a contractual or embedded basis. The Officer with overall responsibility for Business Resilience is the Accountable Officer. The Accountable Officer has delegated this responsibility to the Assistant Accountable Officer. Senior Managers are responsible for the execution of this policy within their Teams. 7
The Business Continuity Management Policy is owned and maintained by Assistant Accountable Officer. Any changes made to this policy should be reviewed by the Business Continuity Working Group and the Operational Delivery Group then approved by the CCG s Audit and Governance Committee. A Business Continuity Working Group will be established, taking its membership from across the CCG s activities and levels of responsibility. This Group should be chaired by the Assistant Accountable Officer and will report directly to the Operational Delivery Group. Members of both the Business Continuity Working Group and the Operational Delivery Group will actively support the CCG s Business Continuity Management Programme and be advocates for the achievement of the Programme objectives. The Business Continuity Management Policy will be reviewed annually. The Business Continuity Management Strategy will be reviewed annually. The Business Impact Analysis will be reviewed at least every twelve months or whenever significant changes to the key internal processes, location or technology occur or whenever significant changes in the external operating setting, such as the health economy, system or regulatory change occurs or in the event of a deployment of the Business Continuity Plan. The Business Continuity Plan will be reviewed every twelve months or sooner in the event of a major change to the CCG s objectives or activities or a deployment of the Business Continuity Plan. Exercise reports will be reviewed by the Working Group and the Audit and Governance Committee. 10 TRAINING All staff will receive Business Continuity training. Staff in roles at Agenda for Change Band 5 or below: Awareness level training Staff in roles at Agenda for Change Band 6 or above: Practitioner level training This training should be revalidated at least every three years. 11 TESTING The CCG will ensure that its BCM arrangements are validated by exercise and review and that they are kept up to date. The CCG will consider four approaches to validation: testing, discussion, table-top and live exercise. The method chosen will be relevant, realistic and appropriate. BCM arrangements should be reviewed at least annually or after their deployment following an event. 12 STANDARDS, REGULATIONS, LEGISLATION, GUIDANCE AND GOOD PRACTICE 1. ISO 22301: 2012: Societal security - Business continuity management systems - Requirements 8
2. ISO 22313: 2012: Societal security - Business continuity management systems - Guidance 3. BS 25999-1: 2006: Business continuity management - Part 1: Code of practice 4. BS 25999-2: 2007: Business continuity management - Part 2: Specification 5. Business Continuity Institute: Good Practice Guidelines 2010 - A management guide to implementing global good practice in business continuity management 6. Chartered Management Institute: Planning for the worst - the 2012 business continuity management survey 13 ASSOCIATED POLICIES CCG Assurance Framework and Risk Management Strategy CCG Incident Management Policy 14 GLOSSARY: BIA: MTPD: RTO: Business Impact Analysis: The process of analysing business functions and the effect that a business disruption might have upon them. Maximum Tolerable Period of Disruption: The maximum length of time that an organisation can manage a disruption to each of its key products and services without it threatening the organisation s capability and/or viability. Recovery Time Objective: The target time within which the delivery of a product or service following its disruption is to be resumed. 9