Annex A
Business Continuity Management Programme
Business Continuity Management Policy

1. Introduction

This Business Continuity Management (BCM) Policy defines the scope of the SPCB's ability to maintain continuity of support for the conduct of Parliamentary business.

2. Business Continuity

It is not possible for an organisation to prevent all unexpected incidents, however much effort and budget is directed at risk management. Therefore a generic response capability is required.

Business Continuity (BC) provides a framework for creating resilience that will enable the SPCB to continue to fulfill its role under adverse conditions. It provides the capability for an effective response should a serious incident occur. Serious incidents include fires, floods, power cuts, industrial action, epidemics and pandemics.

This resilience is delivered through a programme of work known collectively as Business Continuity Management (BCM). BCM increases the resilience of the organisation by:

- Maintaining a capability for responding to unexpected incidents, minimising the extent of financial and reputational damage by having a rehearsed recovery plan over a pre-agreed timescale.
- Setting priorities for threat minimisation measures to be implemented by identifying those processes which, if lost, would most rapidly damage the organisation.

BCM is an element of good corporate governance and the responsibility of senior management.

3. Scope of the Parliament's BCM Policy

3.1 Principles

The SPCB has a statutory duty to provide the Scottish Parliament with the property, staff and services required for the Parliament's purposes. The SPCB has a duty of care to all persons on its premises.

Status: Final Page: 2 of 5

3.2 Parliament Building

The BCM Policy covers all activities undertaken for the Parliament by:

- SPCB staff
- Contracted service providers

3.3 Members' Parliamentary Offices

The BCM Policy provides for:

- Support and accommodation for Members within the parliamentary complex
- Advice and guidance to Members' local offices.

3.4 Parameters

Time

Following an incident which renders the Parliament building wholly or partially unusable, the BCM Policy provides for the infrastructure and logistics to enable:

- an emergency meeting of the Parliament within a maximum of two days of the disruption
- limited parliamentary business (plenary and committee) within a maximum time period of two weeks of the disruption.

Geographical

Incidents can vary in their severity and impact. The BCM Policy therefore includes the flexibility to allow decisions to be made on where to resume parliamentary business, based on a number of previously approved locations both within and outwith Edinburgh.

Staff Resources

The BCM Policy acknowledges that SPCB staff numbers and those of contracted service providers can fall below operational levels, e.g. industrial dispute, epidemic/pandemic or transport disruption. The strategy identifies minimum levels of suitably qualified staff required to meet safety and security requirements and to support Parliamentary business.

The possibility that SPCB staff may be prevented from responding to an incident because of a threat to their safety, the occurrence of extreme circumstances or because of direction by civil or military authorities is taken into account in the BCM Policy. In these circumstances the Chief Executive and Directors will decide on an appropriate course of action. In all other circumstances the time and geographical parameters will apply.

4. Relationship of Parliament's BCM Policy to Risk Management

A separate programme of work to manage risks is in operation at the Parliament. At a strategic level this includes business continuity.

Many serious threats are not easy to identify. Their likelihood is impossible to measure and specific control measures are impractical. In addition therefore, it is necessary to have a separate Business Continuity Management structure and function to provide the means of delivering a rehearsed response to unexpected incidents.

5. Responsibility for the Parliament's BCM Programme

All SPCB staff have ownership of BCM, but some personnel have specific responsibilities. These are:

- Chief Executive and Directors
- Members of Business Continuity Project/Programme Board
- Business Continuity Manager
- Heads of Office
- Business Continuity Coordinators
- Procurement Contract Managers

The detailed responsibilities of these personnel are set out in the Parliament's Strategy for Incident Management.

6. Responsibility for Incident Response

The Parliament's response to an incident is managed by the following teams:

Strategic - Incident Management Team
Tactical - Emergency Response Team, Incident Communications Team, Business Continuity Team

The composition, operation and responsibilities of these teams are outlined in the Parliament's Strategy for Incident Management.

7. Standards Applied

7.1 British Standard

The BCM programme conforms to BS 25999-1: A Code of Practice for Business Continuity and follows the Business Continuity Institute's Good Practice Guide.

7.2 Business Continuity Exercises

Comprehensive testing of Parliament's Business Continuity Plans will be carried out on an agreed four year rolling programme.

7.3 Audit

An audit of the Parliament's BCM process will be undertaken internally and by an appropriately qualified external body at agreed regular intervals.