Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during unexpected interruptions or incidents APPROVED BY ASSISTANT CHIEF EXECUTIVE 21/01/10 REVISED 22/11/10 REVIEW DATE: 21/01/12 To be read in conjunction with: EMERGENCY PLAN FLU PANDEMIC PLAN RISK MANAGEMENT STRATEGY< POLICY AND PROCEDURES Version 4.1 Revision Document Compliance with all PCT policies, procedures protocols, guidelines, guidance, standards and strategies is a condition of employment. Breach of policy may result in disciplinary action.
Policy Category: Relevant to (Staff Group): Governance All Version No: Date: Changes Made: 1.0 09/06/09 First draft Version History: 2.0 29/06/09 Revise draft follow consultation 3.0 08/12/09 Revise draft 4.0 10/10/10 Revised to reflect the change in Lead Director and Day to day Responsibility for Business Continuity to Emergency Planning 4.1 22/11/10 Updated and revised to comply with PAS 2015:2010 All reasonable steps have been taken to ensure that this Policy reflects the: Equality and diversity agenda Relevant articles of the Human Rights Act 1998 Philosophy of Clinical Governance, providing evidence for compliance with the requirements of the Standards for Better Health of the Department of Health and the NHS Litigation Authority Risk Management Standard for PCTs Health and Safety at Work Act 1974 and associated legislation Freedom of Information Act 1998 (amended 2000) Disability Discrimination Act 1995 (amended 2005) Sex Discrimination Act 1975 (amended 2003) Race Relation Act 2000 Age Discrimination Act 2006 An Equality Impact Assessment has been carried out to ensure that this policy is nondiscriminatory. Page 2 of 15
CONTENTS Introduction and Purpose and... 4 Scope..4 Objectives..4 Definitions...4 Requirements under Legislation and Standards..4 Policy Statement 5 Supporting Organisational Structures 5 Accountability and Responsibility for Policy and Implementation..6 Monitoring..6 Document Review.7 Testing and Exercising.7 Communication of Policy Method and Responsibility..7 Risk..8 Business Continuity Management System...8 References...10 Appendix 1: Business Impact Assessment Tool 11 Appendix 2: Business Continuity Plan Template (separate document for completion) Appendix 3: Business Continuity Plan Approval Form (separate document for completion) Page 3 of 15
1. Introduction and Purpose 1.1 The aim of business continuity is to ensure that core business functions are safeguarded by means of effective business continuity management and response, despite any unplanned or predicted interruptions to normal business. 1.2 It is fundamental that the organisation has the ability to adapt and respond to disruptions, whether internal or external to deliver organisationally agreed critical activities. 1.3 The organisation has a statutory responsibility to maintain a level of business continuity (see 5) 2.Scope 2.1 This policy sets out the management responsibilities for creating, maintaining, testing/exercising and reviewing business continuity management systems and plans. It establishes the principle that all Directorates are required to have documented business impact assessments (see Appendix 1) and plans based on the template shown in Appendix 2. 2.2 This policy describes the business continuity management system for the organisation which is aligned to the BS NHS 25999-1:2009 1 and PAS 2015:2010 2 3. Objectives 3.1 The objectives of this document are to:- Set out the legal requirements of NHS West Sussex to maintain business continuity. Establish the system by which NHS West Sussex will manage business continuity. Establish the responsibilities of NHS West Sussex staff and senior management for business continuity. Establish the training and exercising for business continuity within NHS West Sussex. Ensure that services commissioned or contracted to provide services to or on behalf of NHS West Sussex are resilient to an agreed level with NHS West Sussex during business continuity interruption. 4. Definitions 4.1 Business Continuity Management (BCM) A process that identifies potential threats to NHS West Sussex and the impact to business operations that those threats, if realised, might cause. It provides a framework for building and testing organisational resilience to safeguard the most important business functions. 4.2 Business Continuity Plan (BCP) A document and procedures maintained in readiness for use in an incident to enable NHS West Sussex to continue to deliver its core business function at an acceptable pre-defined level. 5. Requirements Under Legislation and Standards 5.1 Legislation NHS West Sussex is required to have in place effective BCM arrangements to meet the requirements of the Civil Contingencies Act 2004 3. The PCT must have Business Continuity Plans that are able to support any major emergencies related to its obligations as a Category One responder. 1 BSi, BS NHS 25999-1:2009 British Standard Business Continuity Management Part 1 Code of Practice 2 BSi, PAS 2015:2010 Framework for Health Service Resilience 3 HM Government 2004, Civil Contingencies Act 2004 Page 4 of 15
5.2 BS 25999-1 1 NHS West Sussex will be expected to meet the good practice standards set out in BS25999-1 (Business Continuity Management Code of Practice). 5.3 BS 25777 4 NHS West Sussex will be expected to work closely with Sussex HIS to ensure that the principles of BS25777 are being applied. 5.4 PAS 2015:2010 2 NHS West Sussex will comply with the standard and commission /contract services which aspire also to meet the standards. 6. Policy Statement 6.1 All Directorates and, where appropriate, departments, must complete a Business Continuity Plan using the template shown in Appendix 1. Guidance notes are available on the PCT Intranet All plans must be signed off by the responsible Director using the Business Continuity Plan Approval Form shown in Appendix 3. 7. Supporting Organisational Structures 7.1 Organisational arrangements and provision of resources. The Director of Public Health shall direct the Emergency Planning and Business Continuity Resilience Team to provide the following support: Establishing, implementing and overview of the Business Continuity Management Systems for NHS West Sussex/ Provision of templates, and guidance, both written and practical, for the completion of business continuity impact assessments and plans. Training to Directors and managers and their staff on the business management system and completion of business continuity impact assessments and plans. Management of Emergency Planning and Business Continuity Resilience Committee. As a point of expert advice to the Trust. Assist Commissioners assess the validity of business continuity management systems and plans of organisations tendering to provide services on behalf of NHS west Sussex. 7.2 Details of Associated Training The Head of Emergency Planning and Business Continuity Resilience will provide training and information to enable managers to gain an understanding of Business Continuity Management issues and to complete Business Continuity Plans. Attendance at training will be documented on Oracle Learning Managements System of the Electronic Staff Records. 7.3 Authority Each Director will have the authority to nominate a lead within their directorate for business continuity management for the directorate. Each Director will have the authority to request at any time the business continuity plan (as referred to in clause 4:10 of the Standard NHS contract for acute, community and mental health Services) of any service they are responsible for commissioning. The Director of Public Health and on their behalf the Head of Emergency Planning and Business continuity Resilience, will have the Authority to request any business continuity plan from any directorate. The Head of Emergency Planning and Business continuity Resilience will have the authority to update the Business Continuity Policy and Overarching Business Continuity Plan at any time to meet new guidance or as a result of review or change in the organisations circumstances. 4 BSi 25777 Information and Communications Technology Continuity Management Code of Practice. Page 5 of 15
8. Accountability and Responsibility for Policy & Implementation 8.1 The Chief Executive and Board of NHS West Sussex have the ultimate responsibility for ensuring that NHS west Sussex has in place robust Business Continuity Management System. 8.2 The Director of Public Health has overall accountability for ensuring NHS West Sussex puts in place the necessary Business Continuity Management systems to implement this policy. 8.3 Directors are responsible for ensuring an approved, up-to-date and fully tested Business Continuity Plan is in place in respect of the business functions for which they are accountable. 8.4 The Director of Public Health is responsible for reporting progress on BCM to the Executive Team and the Head of Emergency Planning and Business Continuity Resilience to the Emergency Planning Committee. 8.5 The Director of Public Health is responsible for compliance with all statutory and regulatory requirements via the Head of Emergency Planning and Business Continuity Resilience. 8.6 All staff will be expected to understand this policy and to cooperate with the maintenance, testing and implementation of the plan. 9. Monitoring 9.1 Monitoring The Head of Emergency Planning and Business Continuity Resilience will be responsible for monitoring compliance by NHS west Sussex with this policy by: Maintaining a central database of all approved plans Collecting evidence to ensure compliance with the statutory duty to assess, plan and advise in relation to emergencies and the risk of emergencies (Civil Contingencies Act 2000) and compliance with BS-NHS 25999 and PAS 2015:2010. Carrying out benchmark assessments in conjunction with the Strategic Health Authority Assisting the internal auditor to carry out an annual audit. Audit recommendations will be added to the audit recommendations tracker and reported to the Audit and Assurance Committee. 9.1 Monitoring Commissioned Services The responsible commissioner for each service commissioned by NHS West Sussex will be responsible for monitoring those commissioned services, compliance with business continuity in line with PAS 2015:2010 2 The responsible commissioner of each service commissioned by NHS West Sussex will ensure that the following (see Table 1) clause from the NHS standard contracts 2 is included in all contracts and SLAs. And that there are agreed critical services that are required to be maintained during an incident and to what level. The commissioner will also agree with the provider, maximum tolerable period of disruption (MTPD) for critical and non critical services. It is the responsibility of the Director responsible for commissioning each provider service to monitor the provider s compliance with business continuity. Table 1 extract from Standard NHS Multilateral Contract 5 5 NHS Standard Multilateral Contracts for Acute, Community and Mental Health http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/dh_111203 Page 6 of 15
4.9 The Provider shall have and at all times maintain an up-to-date plan agreed with the Commissioner to ensure the continual availability to the Commissioner of the Essential Services in the event of any interruption or suspension of the Provider s ability to provide them, and in the event of any partial or entire suspension or termination of this Agreement (the Essential Services Continuity Plan ). The Provider shall, in consultation with the Commissioner, implement the Essential Services Continuity Plan as required in any such event. 4.10 The Provider shall maintain a Business Continuity Plan and shall notify the Commissioner as soon as reasonably practicable of its activation, and in any event no later than 5 Operational Days from the date of such activation. 4.11 In the event of any conflict between the Provider s obligation to notify the Commissioner of the activation of its Business Continuity Plan within 5 Operational Days and the requirements for notification and investigation of Serious Untoward Incidents set out in Schedule 12 (Serious Untoward Incidents and Patient Safety Incidents), then the requirements set out in Schedule 12 shall prevail. 10. Review 10.1 Review of Business continuity systems and plans This Policy will be reviewed every 2 years or more frequently if:- There is a business incident for NHS West Sussex. There is significant change within the organisation There are reports following incidents in other organisations that have relevance to NHS West Sussex There is relevant central government guidance issued There are lessons identified as a result of testing /exercising of plans 10.2 Review of Business Continuity Management System Directors are responsible for ensuring that Directorate s BCPs are reviewed every 6 months. The review programme will be monitored by the Head of Emergency Planning and Business Continuity Resilience. 11. Testing and Exercising The Head of Emergency Planning and Business Continuity Resilience will coordinate a programme of exercises to validate the full range of business continuity management capabilities. Exercises will be run in conjunction with Emergency Planning exercises wherever possible. 12. Communication of Policy Method and Responsibility 12.1 All new staff will be briefed on this policy as part of the PCT Induction process and via local Departmental Induction. All staff on Band 6 and above to be briefed on Business Continuity Planning as part of the mandatory Risk Management Training Course. 12.2 The Business Continuity Policy and Procedures will be posted onto the PCT intranet and internet for all staff to access as required. 12.3 Managers must ensure that all relevant staff within their directorate are made aware of their responsibilities towards this Policy. Page 7 of 15
13. Risk 13.1 Where a Business Impact assessment raises a risk to the trust this must be dealt with in accordance with the NHS West Sussex Risk Management Strategy, Policy and Procedures. 14. Business Continuity Management System 14.1 The Business Continuity Management System used by NHS West Sussex is aligned with BS NHS 25999-1:2009 1, BS NHS 25999-2:2009 6 and PAS 2015:2010 2 14.2 The Business Continuity Cycle (See Figure 1) forms the basis of the business continuity management system, this sets out the five stages of the system. Understanding the organisation Determining BCM Strategy Developing and implementing BCM response Exercising, maintaining and reviewing Embedding BCM in the organisational culture Figure 1 The Business Continuity Management Lifecycle 1 14.3 Understanding the organisation This involves anticipating what the organisation may face (horizon scanning) gaining an awareness of new threats or hazards and assessing those threats and hazards identified by using the business impact assessment tool (see Appendix 1). The business impact assessment will identify risks to the organisation these must be listed on the Directorates responsible risk register where treatment actions to prevent or mitigate the effects of the risk established. This will form the strategy for each business continuity impact raised. 6 BSi, BS NHS 25999-2 Business Continuity Management Part 2: Specification. Page 8 of 15
14.4 Determining the Business Continuity Management Strategy Determining the business continuity management strategy enables the assessor to consider a range of strategies:- Do nothing, if the likelihood and impact are so low that no action is required. Apply a range of actions, technical, practical, procedural or organisational to prevent or mitigate the impact. Prepare a business continuity plan to implement Insure against the impact 14.5 Develop and Implement a Business Continuity Management Response Developing and Implementing a Business Continuity Management Response will result in the creation of a business continuity plan which a management structure and detailed steps to take to respond should the identified business continuity disruption occur. These plans will be organisation wide as in an overarching business continuity plan or Directorate specific in a directorate and team business continuity plan. Plans must include the level at which critical services will be recovered within the maximum tolerable period of disruption, and the resources required for this to be achieved 14.6 Exercising, Maintaining and reviewing To successfully implement a business continuity plan at either level the plan must be exercised so that those responsible or affected by the plan know what they have to do and that the plan works. It has to be maintained so that the information within the plan is up-to-date and relevant to the organisation at the time it is needed to ensure the organisation can recover to the agreed level of service within the maximum tolerable period of disruption. Business continuity management plans and business continuity management systems will be reviewed at the stated time frames set out in section 10 above. 14.5 Embedding Business Continuity Management in the Organisation s Culture Embedding Business Continuity Management in the Organisation s Culture is paramount to the success of the organisation to anticipate, assess, prevent, prepare respond and recover to any business continuity incident. This is done by engaging with staff at all levels to ensure they are aware of the value of business continuity management and that they are involved in the process to add ownership of them of the plans that effect them. This is carried out by awareness training (see 12) and involvement in the development of their directorate specific plans PAS 2015:2010 links the business continuity management system with the Integrated Emergency Management approach that drives the Emergency Plan which is inextricably linked to the business continuity plans. (see Table 2 below) Page 9 of 15
Table 2 Comparison the integrated emergency planning approach and business continuity management life cycle. 15. References BS25999 - Business Continuity Management Code of Practice. BS25777 - Information and Communications Technology Continuity Management Code of Practice. Standards for Better Health Healthcare Commission/Care Quality Commission 2008. Civil Contingencies Act 2004. Page 10 of 15
Business Impact Analysis Tool Appendix 1 Key Function (Priority Order) 1. 2. 3. 4. 5. 6. 7. SHEET 1: SIMPLIFIED BUSINESS IMPACT ANALYSIS (BIA) 1. List your Team or Departments Key Functions in priority order. 2. Using the guidance set out below undertake a Business Impact Analysis of your Team or Department, filling in your answers to the following questions on the blank BIA Pro-forma (Sheet 2) under the relevant headings: PEOPLE PREMISES PROCESSES PROVIDERS PROFILE Building : IT : Reciprocal Arrangements Reputation : What locations do your What IT is essential to carry : Who are your key department s key functions out your key functions? Do you have any reciprocal stakeholders? operate from? (Primary agreements with other site, alternative premises) organisations? Key Staff : What staff do you require to carry put your key functions? Skills / Expertise / Training : What skills / level of expertise is required to undertake key functions? Minimum Staffing Levels : What is the minimum staffing level with which you could provide some sort of service? Facilities : What facilities are essential to carry out your key functions? Equipment / Resources : What equipment / resources are required to carry out your key functions? Documentation : What documentation / records are essential to carry out your key functions, and how are these stored? Systems & Communications : What systems and means of communication are required to carry out your key functions? Contractors / External Providers : Do you tender key services out to another organisation, to whom and for what? Suppliers : Who are your priority suppliers and whom do you depend on to undertake your key functions? Legal Considerations : What are your legal, statutory and regulatory requirements? Vulnerable Groups : Which vulnerable groups might be affected by failing to carry out key functions? SHEET 2: BIA PROFORMA FOR YOUR TEAM OR DEPARTMENT Function No: Having read through Sheet 1, please complete a BIA for each of the key functions identified using the pro-forma below. 11
PEOPLE PREMISES PROCESSES PROVIDERS PROFILE Key Staff : Building : IT : Reciprocal Arrangements : Reputation : Skills / Expertise / Training : Facilities : Documentation : Contractors / External Providers : Legal Considerations : Minimum Staffing Levels : Equipment / Resources : Systems & Communications : Suppliers : Vulnerable Groups : 12
Key Staff : SHEET 3: CONSIDERATIONS FOR INCREASING YOUR TEAM OR DEPARTMENT S RESILIENCE PEOPLE PREMISES PROCESSES PROVIDERS PROFILE Reputation : Can staff be contacted out of hours? Could extra capacity be built into your staffing to assist you in coping during an incident? Building : Could you operate from more than one premise? Could you relocate operations in the event of a premise being lost or if access was denied? IT : Is data backed-up and are back-ups kept off site? Do you have any disaster recovery arrangements in place? Reciprocal Arrangements : Do you have agreements with other teams, departments or organisations regarding staffing and the use of facilities in the event of an incident? How could reputational damage to your team, department or organisation be reduced? How could you provide information to staff and stakeholders in an emergency? Contractors / External Providers : Skills / Expertise / Training: Could staff be trained in other roles? Could other members of staff undertake other nonspecialist roles in the event of an incident? Facilities : Are any of your facilities multi-purpose? Are alternative facilities available in the event of an incident? Documentation : Is essential documentation stored securely (e.g. fire proof safe, backed-up)? Do you keep copies of essential documentation elsewhere? Do you know of alternative contractors or are you reliant on a single contractor? Do your contractors have contingency plans in place? Could contractors be contacted in the event of an incident? Legal Considerations : Do you have systems to log decisions, actions and costs in the event of an incident? Minimum Staffing Levels : Equipment / Resources : Systems & Communications : What is the minimal staffing level to continue to deliver your key functions at an acceptable level? What measures could be taken to minimise impacts of staff shortfalls? Could alternative equipment / resources be acquired in the event of an incident / disruption? Could key equipment be replicated or do manual procedures exist? Are your systems flexible? Do you have alternative systems in place (manual processes)? What alternative means of communication exist? Suppliers : Do you know of suitable alternative suppliers? Could key suppliers be contacted in an emergency? Vulnerable Groups : How could vulnerable groups be contacted/accommodated in the event of an incident? 13
SHEET 4: USING THE BUSINESS IMPACT ANALYSIS TO BUILD A PLAN PEOPLE PREMISES PROCESSES PROVIDERS PROFILE Business Impact Analysis Identifies your requirements for continuing your key functions Key staff Key skills Expertise / competence required Minimum staffing levels required to continue / recover key functions Key facilities Key equipment Key resources Specialist equipment Security / restrictions Alternative sites Alternative facilities Key processes Critical periods Key IT systems / applications Key documentation / data Record keeping requirements Key communication requirements Key dependencies (supply and receipt) Key suppliers Key contractors / service providers / suppliers Reciprocal arrangements in place with other organisations Key stakeholders Legal / statutory / regulatory requirements Vulnerable groups Communications Business Continuity Plan Documents how your requirements identified in the BIA can be achieved Notification / invocation procedure / protocol Management structure for dealing with an incident Information and advice to staff (response procedures) Key staff / contact list (including out of hours details) Multi skill training in key areas Reciprocal arrangements to cover staff short falls Home working Staff welfare issues Loss / damage assessment Site security Relocation arrangements / protocol Inventories of equipment / resources and details of how to recover these Salvage, site clearance and cleaning arrangements Action cards for recovery of key processes Checklists Copies / back-ups / safe storage (recovery procedure) Contingency procurement arrangements Documented manual procedures Data recovery procedures Contact details for key providers / contractors / suppliers / support services Alternative suppliers (required for key functions) Alternative providers (required for key functions) Alternative contractors (required for key functions) Resilience capability of suppliers / providers / contractors to business disruption Third party business continuity arrangements Communication strategy / plan / procedures Stakeholder liaison (regulator, clients, unions) Media liaison Public information / advice Notification of at risk groups / alternative care arrangements
15