39 GB Guidance for the Development of Business Continuity Plans

39 GB Guidance for the Development of Business Continuity Plans Policy number: Version 2.2 Approved by Name of author/originator Owner (director) 39 GB Executive Committee Date of approval August 2014 Date of last review August 2013 Next due for review August 2015 Samantha Chalmers, Risk and Governance Manager Elaine Newton, Director of Governance and Compliance Page 1 of 20 39 GB Guidance for the Development of Business Continuity Plans

STOP IF A MAJOR INCIDENT HAS BEEN DECLARED AND YOU ARE READING THIS POLICY FOR THE FIRST TIME, DO NOT CONTINUE. GO DIRECTLY TO THE ACTION CARD SECTION OF THE EMERGENCY PLAN SEEK OUT YOUR ACTION CARD AND FOLLOW IT IF YOU DO NOT HAVE AN ACTION CARD THEN AWAIT FURTHER INSTRUCTIONS FROM YOUR MANAGER DO NOT CALL THE SWITCHBOARDS OF THE CCG OR ACUTE HOSPITAL TRUST DO NOT LEAVE WORK UNTIL YOU HAVE CONFIRMED THAT IT IS OK TO DO SO WITH YOUR MANAGER FOLLOW ANY EVACUATION PROCEDURES AS DIRECTED ENSURE THAT YOUR MANAGER OR WORK COLLEAGUES HAVE A CONTACT NUMBER FOR YOU DO NOT GO TO THE INCIDENT CONTROL CENTRE UNLESS YOU ARE REQUIRED TO KEEP YOUR ID CARD ON YOU AT ALL TIMES Page 2 of 20 39 GB Guidance for the Development of Business Continuity Plans

Version control sheet Version Date Author Status Comment 1.0 July 2013 Samantha Chalmers Draft For consultation at quality and governance meeting 1.1 October 2013 Samantha Chalmers Draft Amended front sheet and version control 1.2 October 2013 Samantha Chalmers Final Approved 2.0 June 2014 Samantha Chalmers 2.1 June 2014 Samantha Chalmers Draft Draft For consultation With amendments from Surrey County Council ensuring ISO 22301 aligned 2.2 August 2014 Samantha Chalmers Final Approved Page 3 of 20 39 GB Guidance for the Development of Business Continuity Plans

Equality statement NHS Guildford and Waverley aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. We take into account the Human Rights Act 1998 and promote equal opportunities for all. This document has been assessed to ensure that no employee receives less favourable treatment on the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Members of staff, volunteers or members of the public may request assistance with this policy if they have particular needs. If the member of staff has language difficulties and difficulty in understanding this policy, the use of an interpreter will be considered. We embrace the four staff pledges in the NHS Constitution. This policy is consistent with these pledges. Page 4 of 20 39 GB Guidance for the Development of Business Continuity Plans

Equality Impact Assessment tool Stage One: Screening for Relevance to Equality Strands and Prioritising. To be completed and attached to any procedural document as part of main document sited between version control sheet and contents page. 1 Name of the strategy / policy / proposal / service function 2 Who is the strategy / policy /proposal / service function aimed at? Guidance for the Development of Business Continuity Plans All CCG staff including temporary staff and contractors 3 What are the main aims and objectives? To provide the framework to enable the CCG to identify its critical functions and maintain these during a disruption, allowing the delivery of services to continue whist recovery is in progress. 4 Identify the data / information you have regarding the use of the strategy / policy / proposal / service function by diverse groups? Use qualitative, quantitative and anecdotal information e.g. Demographic data, results of consultations, research and surveys. Local authority monitoring data, PALS, complaints, public enquiries, audits & reviews. 5 Is the strategy / policy / proposal / service function relevant to any of the protected characteristics below? Please include negative and positive impact. If YES please indicate if the relevance is low, medium or high. (See description below) Equality strands Patient, carer or family Staff Age Low Low Sex (male, female, Low Low gender reassignment) Race / Ethnic Low Low communities / groups Disability learning Low Low disabilities, physical disability, sensory impairment and mental health problems Nationality Low Low Low The policy may not be relevant to the Equality Duty as stated by law Little or no evidence is available that different groups may be affected differently Little or no concern raised by the communities or the public about the policy etc when they are consulted (recorded opinions, not lack of interest) Medium The policy may be relevant to parts of the Equality Duty in the policy etc regarding differential impact Page 5 of 20 39 GB Guidance for the Development of Business Continuity Plans

Religious / other beliefs Marriage and civil partnership Pregnancy and maternity Sexual Orientation, bisexual, gay, heterosexual, lesbian Low Low There may be some evidence suggesting different groups are Low Low affected differently There may be some concern by Low Low communities and the public about the policy Low Low Human Rights Low Low Carers Low Low High There will be relevance to all or a major part of the Equality Duty in the policy regarding differential impact. There will be substantial evidence, data and information that there will be a significant impact on different groups There will be significant concern by the communities and relevant partners on the potential impact on implementation of the policy 6 Are there barriers which could inhibit access to the benefits of the strategy / policy / proposal / service function? E.g. Communication / information, physical access, location, sensitivity etc. No 7 Does the strategy / policy / proposal / service function relate to an area where there are known inequalities? If so which and how? No 8 Please identify what evidence you have used / referred to in carrying out this assessment. No 9 Identify any minor changes to the strategy / policy / proposal / service function which will reduce potential adverse impacts at this stage. 10 Please indicate if a Full Equality Impact Assessment is recommended. NO YES 11 If you are not recommending a Full Impact assessment please explain why. 12 Signature of lead or Director Date completed 22/07/13 13 Submitted to Head of Comms Date submitted for approval Names of people carrying out the assessment 1.Samantha Chalmers 2 3 Name of lead manager / director Lucy Botting Please leave blank to allow continuation of equalities impact assessment Page 6 of 20 39 GB Guidance for the Development of Business Continuity Plans

Contents STOP... 2 Contents... 7 1 Introduction... 8 2 Policy statement & objectives... 8 3 Scope... 9 4 Definitions explained... 9 5 Duties... 10 5.1 Governing Body... 10 5.2 Director of Governance and Compliance... 10 5.3 Directors... 10 6 Procedures... 10 6.1 Business Continuity Management Plan... 10 6.2 Business Impact Analysis... 11 6.3 Initiating the plans... 11 6.4 Succession and contingency planning... 13 6.5 Testing and training... 13 6.6 Debriefing, Evaluation and Lessons Learned... 14 7 Monitoring and review of effectiveness... 14 7.1 Review of the policy... 14 8 Appendices... 15 8.1 Appendix 1 Impact analysis priority table... 15 8.2 Appendix 2 Business Impact Analysis: assessment form... 16 8.3 Appendix 2 Business Continuity function checklist... 18 8.4 Appendix 3 Recovery action plan... 19 8.5 Appendix 4 IT and Information Requirements... 20 Page 7 of 20 39 GB Guidance for the Development of Business Continuity Plans

1 Introduction Business Continuity Planning (BCP) helps to reduce the risk of interruption to the delivery of NHS Guildford and Waverley CCG (CCG) services in the event of a disruption to normal operations. These disruptions may be external, such as severe weather or loss of utilities, or internal such as IT system failures or the loss of key staff. BCP provides the framework to enable CCG to identify its critical functions and maintain these during a disruption, allowing the delivery of services to continue whist recovery is in progress. The generation of Business Continuity Plans ensures that the organisation fulfils its responsibilities in respect to BCP as both a Category 2 organisation as defined by the Civil Contingencies Act and as an NHS body. NHS England requires that: NHS organisations and providers of NHS funded care must therefore be able to maintain continuous levels in key services when faced with disruption from identified local risks such as severe weather, fuel or supply shortages or industrial action. BCP gives organisations a framework for identifying and managing risks that could disrupt normal service. An organisation s business continuity plans in concert with the Major Incident Plan helps it to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever part of the business they affect. 2 Policy statement & objectives NHS England requires CCG to have prepared to continue to provide its critical services and functions in the event of an internal or external disruption. 2.1.1 The overall goal of the CCG BCP is to ensure that patient services are not unnecessarily interrupted by internal or external disruptions affecting the organisation. 2.1.2 This policy provides the framework for the CCG Business Continuity Plan to be developed, implemented tested and reviewed to ensure that any impact on patient care is reduced in the event of a disruption to CCG operations. 2.1.3 The anticipated outcomes of the Business Continuity Plan include: Identification of critical, essential, routine and non-urgent activities of the trust Prioritising delivery of those activities in response to a disruption Minimising the effects of any disruption and allowing return to business as usual as fast as possible Increased staff awareness of BCP principles and processes Page 8 of 20 39 GB Guidance for the Development of Business Continuity Plans

Supporting the achievement of CCG strategic objectives and associated action plans Ensuring legal compliance with planning obligations Inform a response process which is flexible to meet changes in service delivery of the CCG 3 Scope 3.1.1 The scope of this document is limited to the activities of CCG. Any staff directly employed by, or contracted to work for CCG are covered. It does not cover activities related to providers premises, processes, staff or systems where they are not related to a core contractual term with CCG. 3.1.2 Each area of CCG has responsibility for managing its own business risk and business continuity arrangements. These are brought together under a corporate Business Continuity Plan which establishes how the Governing Body will oversee the response to, and recovery from, any business interruptions. 3.1.3 Business continuity plans should identify all critical functions of the CCG that depend on providers for delivery. 4 Definitions explained Activity: Processes or sets of processes undertaken by the CCG, or on behalf of the CCG, that supports delivery of services. Business As Usual: Pre-defined acceptable levels of service delivery Business Continuity Planning (BCP): Holistic process to identify and assess the impact of potential threats, building a framework to support CCG resilience to those threats, including protecting patients and stake-holders interests and achieving strategic objectives. The strategic and tactical capability of the CCG to plan for and respond to business interruptions in order to support continued delivery of business as usual Critical Activities: Those activities carried out by the CCG which are most timesensitive and important for ensured continued delivery. These will be mainly those services essential for immediate life and death of patients. These activities will typically suffer if delayed by more than one hour Disruption: Any event, planned or unplanned, which causes an interruption to the CCG s ability to continue business as usual. Essential Activities: Those activities carried out by the CCG which are sensitive and important, but not critical to life and death of patients. These activities will normally suffer if delayed by more than one day. Major Incident: An event classified as a Major Incident according to the CCG Major Incident Plan. Non-Urgent Activities: Those activities carried out by the CCG which can be postponed or delayed most easily. These activities will begin to suffer if delayed by more than one month Page 9 of 20 39 GB Guidance for the Development of Business Continuity Plans

Routine Activities: Those activities carried out by the CCG which support business delivery on a daily basis and are not critical or essential. These activities will typically start to suffer if delayed by more than one week. Service Recovery: The process through which business as usual is reached, following an interruption or disruption event Function: The purpose of a department of the CCG i.e. commissioning or quality that is a combination of activities and services. 5 Duties 5.1 Governing Body The Governing Body must act to ensure/monitor the overall strategic direction of Business Continuity Planning across the CCG. Ensure that the Business Continuity Policy and development plan is enforced and resourced appropriately. In the event of a serious or widespread disruption to the activities of the CCG may be necessary to invoke the Major Incident Plan (6.4.6). In this case the Governing Body may need to lead the response or delegate incident management coordination to named officers 5.2 Director of Governance and Compliance Undertake leadership and sponsorship of the Business Continuity Planning framework under the direction of the Governing Body. Act as a point of tactical leadership in support of the staff. Liaise with the Directors to ensure that the Business Continuity Plans meets the needs of CCG. Ensure that where appropriate, sections of Business Continuity Plans and Policy are published and accessible to the public. The Director for Governance and Compliance will be responsible for ensuring the plan is reviewed and updated at regular intervals to determine whether any changes are required to procedures or responsibilities. 5.3 Directors Undertaking of a Business Impact Analysis for their area of responsibility (see section 6.1 and appendix 2) Preparing a Recovery Plan for critical services and key activities in their area Report on service continuity performance as required 6 Procedures 6.1 Business Continuity Management Plan 6.1.1 The Business Continuity Management plan will consist of a series of Business Impact Assessments produced for each function of the CCG. Page 10 of 20 Plans 39 GB Guidance for the Development of Business Continuity

6.1.2 CCG will maintain a corporate business continuity plan to enable it to respond to business disruptions. This plan will be scalable, enabling an individual director to manage low level disruptions whilst also providing a framework for the Governing Body to manage disruptions that affect the whole organisation. 6.1.3 CCG will undertake a Business Impact Analysis to determine which are its critical services and functions and to identify the Recovery Time Objective for each. The Business Impact Analysis will also identify key stakeholders for each activity. 6.1.4 The Business Impact Analysis and Business Continuity Plan will be reviewed at regular intervals to ensure that they continue to reflect the organisation s needs. 6.1.5 The Business Continuity Plan will be tested at regular intervals and training will be provided to staff where required to ensure that disruptions can be responded to effectively. 6.2 Business Impact Analysis A Business Impact Assessment forms the foundation for the Business continuity plan. Using appendix 1, follow the steps for conducting a Business Impact Analysis as set out below: 6.2.1 Step 1: Identify the key activities for the service function that will have the greatest impact if disrupted, and the type of disruption to which they are vulnerable (this will also help identify any inherent risks to the business) 6.2.2 Step 2: Identify the critical resources required to undertake the key activities, the minimum level (trigger criteria) and the desired level for business as usual 6.2.3 Step 3: Use the priority table (appendix 1) to determine the tolerance for disruption of activities and set the priority for action 6.2.4 Step 4: Generate an action plan for recovery and determine the cost per day of any disruption and recovery 6.3 Initiating the plans 6.3.1 The Business Continuity plan can be invoked by the Chair, the Chief Officer, the Governing Body or its committees, or the designated on call director. Page 11 of 20 Plans 39 GB Guidance for the Development of Business Continuity

6.3.2 The Business Continuity Plan will be automatically initiated when any disruption to service delivery is experienced that reaches the trigger criteria (see flow chart below). 6.3.3 The trigger criteria are reached when the service requirements fall below minimum and should be described in the impact assessment form in appendix 2. 6.3.4 The minimum service requirements are not normally sustainable and should not be used as the business as usual recovery levels. 6.3.5 There are many and varied possible causes of service disruption. Such as: Major accident or incident, national disaster, epidemic, terrorist attack Fire, flood, extreme weather conditions Loss of utilities, including IT and telephone systems Major disruption to staffing; epidemic, transport disruption, industrial action, inability to recruit; mass resignations (e.g. lottery syndicate). 6.3.6 These events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get to work. 6.3.7 A cause of a service disruption event may also become an internal Major Incident for the CCG and invoke the CCG s Major Incident Response Plan. In this event, the plans should be carried out simultaneously with the response to the Major Incident, as far as is possible. Diagram 1: Flow for activation of the business continuity plan. Page 12 of 20 39 GB Guidance for the Development of Business Continuity Plans

6.4 Succession and contingency planning 6.4.1 Normal succession planning for staff may not cover all critical activities for the CCG. Priority should be given to ensuring that key tasks can be undertaken by multiple individuals to mitigate the risk of dependency on single members of staff. 6.4.2 Contingency plans for ongoing projects and strategic objectives should be taken into consideration when developing action plans. 6.5 Testing and training 6.5.1 The Director for Governance and Compliance is responsible for identifying appropriate levels of training and awareness sessions for all CCG staff to ensure business continuity becomes part of organisational culture and daily business routines, improving the organisations resilience to the effects of business disruptions. 6.5.2 The on-going viability of the business continuity program can only be determined through continual tests and improvements. The Director for Quality and Governance will be responsible for ensuring regular tests and revisions are made to all plans to ensure they provide the level of assurance required. 6.5.3 If there is a major change to the CCG roles and/or structure, plans will be tested and revised once a settling-in period has been achieved, to allow for a confident level of recovery. 6.5.4 Testing should follow the plan, do, check and act model and can be either: Discussion based exercises that involve stakeholders and team planning. Table top exercises involves testing the plan against a given scenario, rehearsing actions and responses. Live exercises will test a single or selection of components of an action plan where the other two types are not suitable (e.g. fire drills, generator testing). 6.5.5 A full test of the Business Continuity Plans will be undertaken yearly. All senior managers and Heads of Service will be expected to take part in these exercises. A cold debriefing session will take place following the exercise to establish if any changes need to be made as a result of the exercise. All leads will be asked to review their Business Continuity Plans at this stage and submit them to the CCG s overall plans. Page 13 of 20 Plans 39 GB Guidance for the Development of Business Continuity

Training type Staff who should Location Mandatory attend General introduction to Business Continuity All Induction Y and Emergency Planning Business Continuity training for on call On call managers On call Y managers training PHE E-learning for Business Continuity All Online N 6.6 Debriefing, Evaluation and Lessons Learned 6.6.1 Following a test or real activation of the business continuity plan, there should be a debrief for participants to identify areas that went well, and areas that require development. 6.6.2 An after action report will be produced following a test or real activation of the Business Continuity Plan by the appropriate director, highlighting recommendations from the debrief. 6.6.3 Lessons learned will be disseminated to all staff and stakeholders. 7 Monitoring and review of effectiveness The Business Continuity Plan will be reviewed by the Executive Committee annually, and, if necessary, revised in the light of legislative, guidance or organisational change. NHSLA Monitoring Table Criteria Measurable Frequency Reporting to Action Plan/Monitoring Fit for purpose Business Continuity Plans Annually Executive Committee Effectiveness of plans Appropriate use of Business impact assessments Exercises Annually Executive Committee Audit Annually Executive Committee 7.1 Review of the policy 7.1.1 This policy will be reviewed annually and a report brought to the Executive committee Page 14 of 20 Plans 39 GB Guidance for the Development of Business Continuity

8 Appendices 8.1 Appendix 1 Impact analysis priority table Priority Description Function/Activity 1 Critical Immediate response 2 Urgent Within 8 hours 3 Essential Within 24 hours 4 Important Within 3 days Danger/distress to staff/patients Prevents provision of an essential function Will degrade to critical if not addressed within this time band Major disruption no danger to staff or patients. Does not prevent provision of essential service function Will affect services without causing distress to patients 1. 2. 3. 1. 2. 3. 1. 2. 3. 1. 2. 3. 5 Necessary Within 7 days Minor disruption to services 1. 2. 6 Routine Within 14 days or as agreed 7 Non-urgent Within 28 days or as agreed Will not directly disrupt services but will cause inconvenience Will involve non-urgent repairs 3. 1. 2. 3. 1. 2. 3. Page 15 of 20 Plans 39 GB Guidance for the Development of Business Continuity

8.2 Appendix 2 Business Impact Analysis: assessment form Services function: Priority: Strategic objective: Description of function: Key activities Priority 1. 2. 3. 4. 5. Vulnerability Risk Matrix Key activity Denial of Space Denial of Resources Staffing Other 1. High/Medium/Low High/Medium/Low High/Medium/Low 2. High/Medium/Low High/Medium/Low High/Medium/Low 3. High/Medium/Low High/Medium/Low High/Medium/Low 4. High/Medium/Low High/Medium/Low High/Medium/Low 5. High/Medium/Low High/Medium/Low High/Medium/Low Page 16 of 20 Plans 39 GB Guidance for the Development of Business Continuity

Function: Priority: Resource Type: Current Resource Minimum for continuity Recovery levels Critical function affected CSU support Staffing Information (activity/quality) Computer (fixed/ laptop) Printer (b&w/ colour) Server/internet access (including vpn) Telecoms (Fixed/mobile phone/pager/fax) Other office equipment Specialist equipment (e.g. medical) Other Key activity Loss per day Cost of recovery Total projected cost 1. 2. 3. 4. 5. Page 17 of 20 Plans 39 GB Guidance for the Development of Business Continuity

8.3 Appendix 2 Business Continuity function checklist Function: Question Y/N Description If the function had to relocate, would this present any problems or additional requirements Does the function require any specialist input (e.g. equipment, link to other functions) to operate effectively? Minimum Staffing Levels and Equipment Resources Required Consumables required to provide a minimum service: Have stakeholders been identified? Does this represent a risk to core CCG business? Is the risk on the risk register? Has an alternative location already been identified, does it require any additional resources? Page 18 of 20 Plans 39 GB Guidance for the Development of Business Continuity

8.4 Appendix 3 Recovery action plan Function: Key activity Recovery level Action Person responsible Priority: Timescale Page 19 of 20 39 GB Guidance for the Development of Business Continuity Plans

8.5 Appendix 4 IT and Information Requirements Function Priority Key activity IT system/ applications required Are they backed up and where? Essential information/ documents required Where are they stored Are they backed up and where? IG considerations Page 20 of 20 39 GB Guidance for the Development of Business Continuity Plans