Community and Built Environment Localities and Safer Communities Business Continuity Management Policy Andrew Fyfe 4 Aug 14 Draft v4.4 TBC Resilience Team BCM Policy draft v4.4 1 4 Aug 2014
Statement of Intent In light of the duty placed on Buckinghamshire County Council under the Civil Contingencies Act 2004, Buckinghamshire County Council recognises and accepts its responsibility to develop and maintain a Business Continuity Management (BCM) programme and plans to safeguard the continuous provision of a high standard of critical public services in the event of anticipated or unexpected disruptive challenges. Rationale / Legislative Background The primary legislation for Business Continuity Management is the Civil Contingencies Act (2004) and associated statutory and non-statutory guidance. Buckinghamshire County Council (and the District Councils) is defined in this Act as a Category One Responder (C1R). The duty is summarised as follows: The Civil Contingencies Act (CCA) 2004 makes it a statutory duty for local authorities to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions. HM Government, 2005. Emergency Preparedness. Chapter 6, Summary The statutory duty also covers all contracted out services or capabilities: The duty also requires the authority to ensure that those organisations delivering services on behalf of the local authority (e.g. contracted-out services), or capabilities which underpin service provision (e.g. information technology and telecommunications) can also deliver to the extent required in the event of an emergency. This is because services remain part of an organisation s functions even if they do not directly provide them. HM Government, 2005. Emergency Preparedness. Paragraph 6.5 Furthermore, there is a requirement under the Council s Financial Regulations for Services to have BCPs and there is a requirement under the Annual Governance Statement for Services to confirm they have effective BCPs. Scope The BCM Policy underpins corporate support for the BCM programme, which defines how BCM will be structured, implemented and maintained throughout the authority. The BCM programme will be aligned to the British Standard (2007) for Business Continuity Best Practice: Part 1 (BS25999-1) while moving towards the International Standard, ISO22301, released in 2012. Ultimately the BCM programme will satisfy the Council s compliance with the Civil Contingencies Act 2004 and subsequent regulations and statutory guidance. The BCM programme will be a cyclical programme that reflects the current, organisation, structure and legislative responsibilities of the Council. This BCM policy covers all Buckinghamshire County Council functions at all levels as well as those functions that have been subcontracted to external suppliers, where the overall legal BCM Policy draft v4.4 2 4 Aug 2014
responsibility remains with the authority. The Council BCM Policy requires subcontractors to provide evidence to their contracting Service that they have effective Business Continuity Plans (BCPs) that will ensure the continuation of the contracted service in the event of a disruption to the subcontractor or supplier. Buckinghamshire County Council Business Continuity Management Programme Aim and Objectives The aim of the BCM programme is to establish a strategic and operational BCM framework that will ensure that the Council is able to continue to provide its identified mission critical activities in the event of a disruption to normal service delivery and be able to rapidly restore all activities as quickly as possible, in line with UK best practice. The objectives of the BCM programme are: To identify the BCM infrastructure within the Council. To specify the processes and criteria for the BCM process that will identify the Council s Mission Critical Activities. To identify the mechanism for assessing resources and risks and the subsequent identification of suitable Service contingency plans to mitigate the risks. To identify the process for identifying corporate Business Continuity (BC) strategies. To identify the process for Service BC planning. To identify specific training and exercising arrangements. To outline the method of enhancing awareness of BCM in the Council. Relationship with Risk Management Buckinghamshire County Council maintains a corporate Risk Register. Business Continuity Planning is found on the Risk Register as a legal requirement. Contingency planning is a control measure ( treat ) to mitigate the effects of an assessed risk. The BCM arrangements will mitigate the impacts and consequences of hazards as identified in the BCM Programme (under the risk analysis phase). The plan will also cater for those emerging risks identified by outside agencies, including the Civil Contingencies Secretariat and the Police / Security Services. Governance The BCM process is owned by the Chief Executive Officer. Member leadership is provided by the Cabinet Member for Communities and Built Environment. Service Directors are responsible for ensuring that they have an effective BCP. The requirement for each Service to have an effective BCP is written into the Finance Regulations. Service Directors are required to confirm they have a BCP in their Annual Governance Statement. Each current County Council Service (or Business Unit / Delivery Unit that replaces them in the Future Shape) will nominate a lead officer for BCM who will be responsible to the Service Directors for coordinating the preparation of an individual Service BCP. COMT will have oversight of the Business Continuity Management process in its day-to-day role. BCM Policy draft v4.4 3 4 Aug 2014
The Resilience Team will: Prepare a framework corporate BCP that will be incorporated into the County Emergency Plan. Assist Services in the preparation of their individual Service plans as well as assisting with the general coordination between Services. Assist Services with Service-level training and exercises and will prepare corporate exercises in conjunction with the exercise schedule of the Resilience Team. Support Commercial Services to ensure that platinum and gold contracts have appropriate and effective BCM arrangements in place. Support the delivery of BCM training within the context of the Contract Management Framework training. Competences The Resilience Team will have at least one officer with (or working to gain) an appropriate qualification (minimum Diploma) and experience in BCM. Other officers will be trained and experienced in BCM. The officer(s) will have a sound understanding of BCM and should be, or be aspiring to be, Member(s) of the Business Continuity Institute (BCI). Contract Management / Commissioned Services All Service Providers of contracted / commissioned services must be able to demonstrate that they can continue to deliver their contracted / commissioned activity to the expectations of the County Council. To this end, they must all have a BCM system including a BCP which is aligned to / compatible with the BCC BCM programme Continuity / recovery timeframes and levels of continuity / recovery required will be provided to the Service Providers by their County Council contract manager / commissioner. BCM must be included as a requirement in the Tendering / Procurement / Commissioning process. Contract Management of all contracts should be considered as a Critical Activity. They may be subsequently reclassified as Mission Critical. Contract Management of Platinum and Gold contracts should be considered as a Mission Critical Activity. Sub-contracted activities which are a critical interdependency for another Mission Critical Activity should themselves be considered Mission Critical Activities. Platinum and Gold Contract Managers must be suitably trained to assess the BCM arrangements of their Service Providers. Training & Exercising Service BCPs should be exercised at least once every year. Responsibility for arranging this lies with the Service Director. The format of such exercises may vary and advice should be sought from the Resilience Team. Corporate level BC exercises, arranged by the Resilience Team, should take place every other year (alternating with an Emergency Management exercise) unless there has been a significant real event that has tested the BCPs. BCM Policy draft v4.4 4 4 Aug 2014
Reviewing, Monitoring and Maintenance In line with Financial Regulations and the Annual Governance Statement, BCPs must be revised, complete, and current by the end of each Financial Year, with staff appropriately trained and exercised. Contact information must be updated quarterly. All BCPs (Corporate and Service) must be reviewed by their author / owner annually (to comply with the end of Financial Year timeline) or more regularly under the following conditions: Following reorganisation within the Council / Service / Teams. In response to a significant new hazard and risk assessment. In response to lessons learned from an incident or exercise, experienced either directly or indirectly. Policy Approval and Review This policy first came into effect on 23 rd November 2006 and was reviewed on 10 th March 2008 and 31 st August 2010. This revised version 4 comes into effect on and should be reviewed following the implementation of the Future Shape. BCM Policy draft v4.4 5 4 Aug 2014