Business Continuity Policy
NHS England INFORMATION READER BOX

Directorate: Medical; Commissioning Operations; Patients and Information; Nursing; Trans. & Corp. Ops.; Commissioning Strategy; Finance
Publications Gateway Reference: 02626
Document Purpose: Policy
Document Name: NHS England Business Continuity Policy v2.0
Author: NHS England / Business Continuity
Publication Date: 04 December 2014
Target Audience: NHS England National Directors, NHS England Regional Directors, NHS England Area Directors, CSU Managing Directors, NHS Improving Quality Managing Director
Additional Circulation List: Business Continuity leads, NHS England staff, CSU & NHS IQ staff
Description: Policy and high level procedures for Business Continuity
Cross Reference: N/A
Superseded Docs (if applicable): NHS England Business Continuity Policy v1.0
Action Required: N/A
Timing / Deadlines (if applicable): N/A
Contact Details for further information: Phil Goodfellow, Business Management & Continuity Senior Manager, Quarry House, Leeds LS2 7UE, 07900 715412, philip.goodfellow@nhs.net
Document Status: This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.
Business Continuity Policy
Version number: 2.0
First published: Aug 13
Updated: Nov 14
Prepared by: Business Management and Continuity Senior Manager
Contents

1 Introduction
2 Scope
3 Policy statement
4 Objectives
5 Business continuity management system guidance and standards
6 Business continuity governance
7 Business continuity management lifecycle
8 Roles & responsibilities
  8.1 National Director: Transformation and Corporate Operations
  8.2 National, Regional, Area Team Directors and hosted body Managing Directors
  8.3 Business Continuity Team (National Support Centre)
  8.4 Business continuity leads (NSC directorates, Regional and Area Teams, CSUs and NHS IQ)
  8.5 NHS England, CSU and NHS IQ staff
9 Business continuity plan (BCP)
10 Business continuity incidents
  10.1 Incident response structure
  10.2 Incident response levels
  10.3 Incident co-ordination locations
  10.4 Incident response and recovery strategies
11 Business continuity mutual aid
12 Communication
13 Training
14 Exercising
15 Performance evaluation
16 Distribution & implementation
  16.1 Distribution plan
  16.2 Awareness plan
17 Monitoring
  17.1 Compliance
  17.2 Equality impact assessment
18 Reference documentation
Appendix 1 Version control tracker
Appendix 2 Terms and definitions
Appendix 3 NHS England Business continuity operating model
1 Introduction

1.1 Business continuity is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident (ISO 22300).

Under the Health and Social Care Act 2012, NHS England must be properly prepared for dealing with an emergency. NHS England is also a category one responder within the Civil Contingencies Act (CCA) 2004, under which NHS England must show that it can deal with disruptive incidents whilst maintaining services. NHS England must, therefore, be able to maintain prioritised activities when faced with disruption from identified risks such as severe weather, fuel or supply shortages, industrial action, loss of accommodation, critical information or information communication technology (ICT).

In addition, NHS England must develop an effective Business Continuity Management System (BCMS) in order to function effectively during an incident and to continue working to secure the best possible outcomes for patients through delivery of the NHS England Business Plan 2014/15 - 2016/17, Putting Patients First.

1.2 This Policy defines the framework and implementation of the BCMS for NHS England and hosted bodies, including CSUs and NHS IQ, in order to minimise the impact of business continuity incidents. A key element in the development of a successful BCMS is embedding a strong business continuity culture throughout NHS England, endorsed by the NHS England Board and promoted by NHS England staff.

2 Scope

2.1 Staff within the scope of this document

Members of staff of the following organisations are within the scope of this policy:
- NHS England, including: National Support Centre; Regional Teams; Area Teams.
- Hosted bodies, including: all Commissioning Support Units (CSUs); NHS Improving Quality (NHS IQ).
3 Policy statement

3.1 NHS England is committed to the delivery of a robust BCMS. This policy provides a clear statement of commitment to ensure that business critical activities can be maintained during a disruptive incident, such as denial of premises, staff absence, loss of utilities and ICT failure.

4 Objectives

4.1 The National Director: Transformation and Corporate Operations Directorate will maintain responsibility and accountability for the NHS England BCMS. NHS England's business continuity objectives are to:
- Provide a framework for the development of a robust and consistent BCMS throughout NHS England and hosted bodies;
- Identify and mitigate business continuity risks to which NHS England and hosted bodies may be exposed;
- Ensure that the BCMS provides planning, processes, training and continuous improvement to manage operational incidents throughout NHS England and hosted bodies;
- Ensure coordination between the business continuity and Emergency Preparedness, Resilience and Response (EPRR) functions of NHS England;
- Enable the successful delivery of the NHS England Business Plan and the associated NHS England ambitions, objectives and deliverables;
- Promote and maintain the reputational integrity of NHS England and the hosted bodies;
- Meet statutory requirements and align to ISO business continuity requirements and supporting guidance.

5 Business continuity management system guidance and standards

5.1 The NHS England BCMS will be based on the following guidance and standards:
- ISO 22301: Societal security - Business continuity management systems - Requirements;
- ISO 22313: Societal security - Business continuity management systems - Guidance;
- NHS England Core Standards for EPRR;
- NHS England Business Continuity Management Framework (service resilience);
- PAS 2015 - Framework for Health Services Resilience.

6 Business continuity governance

The NHS England Business continuity operating model and its interaction with EPRR is at appendix 3.

7 Business continuity management lifecycle

7.1 BCM programme management

NHS England will apply the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, maintaining and continually improving the effectiveness of the NHS England BCMS. The PDCA approach is illustrated in figure 1.

Figure 1: PDCA model applied to BCMS processes (ISO 22313:2012)

8 Roles & responsibilities

8.1 National Director: Transformation and Corporate Operations

The National Director: Transformation and Corporate Operations has overall responsibility for the development and implementation of the BCMS within NHS England and the hosted bodies.
8.2 National, Regional, Area Team Directors and hosted body Managing Directors

National, Regional, Area Team Directors and hosted body Managing Directors have responsibility for ensuring that they have adequate Business Continuity arrangements in place through:
- Nominating an appropriate business continuity lead;
- Ensuring the nominated business continuity lead has appropriate skills, knowledge, experience and training to conduct their role effectively;
- Supporting and co-ordinating the development of business continuity management with relevant EPRR leads;
- Embedding the business continuity culture within NHS England and hosted bodies;
- Implementation of the Business Continuity Policy;
- Supporting Business Impact Analysis (BIA), to identify prioritised activities, and the development of a Business Continuity Plan (BCP);
- Supporting the development and implementation of appropriate business continuity strategies to manage risks;
- Provision of resources to achieve the required level of business continuity in response to incidents;
- Developing robust business continuity incident response structures in coordination with existing operational structures;
- Developing local arrangements for the provision of mutual aid during a business continuity incident;
- Ensuring information governance standards continue to be applied during an incident;
- Ensuring assurance of business continuity management is provided through the NHS England EPRR assurance process, in accordance with the NHS England Core Standards for EPRR.

8.3 Business Continuity Team (National Support Centre)

The Business Continuity Team is responsible for ensuring NHS England operates effective Business Continuity arrangements through:
- Reporting to the National Director: Transformation and Corporate Operations on the NHS England BCMS;
- Providing annual assurance of business continuity management to the National Director: Transformation and Corporate Operations and to the Department of Health through the NHS England EPRR assurance process, in accordance with the NHS England Core Standards for EPRR;
- Co-ordinating with the national EPRR team to ensure the development of business continuity management within NHS England and the NHS in England is aligned, including the development of a joint NHS England EPRR and business continuity risk register;
- Providing direction and support to NHS England and hosted bodies in business continuity development, including BIA and BCP development, training, exercise and delivery;
- The development, exercising, maintenance and review of the BCMS and the BCP for the National Support Centre (NSC);
- Development and implementation of appropriate business continuity strategies to manage risks to NSC and corporate activities;
- Ensuring the provision of business continuity assurance from third party suppliers for the NSC and corporate services;
- Supporting the management and recovery of any NSC business continuity incident under the command and control of the nominated Incident Director;
- Maintaining an overview of business continuity incidents affecting NHS England and hosted bodies in order to identify learning and inform future arrangements.

8.4 Business continuity leads (NSC directorates, Regional and Area Teams, CSUs and NHS IQ)

Business continuity and EPRR roles may be combined. When separate roles are allocated to staff, business continuity leads are to ensure they co-ordinate the development of business continuity activity with EPRR colleagues.

The business continuity leads will support their director through:
- The development, exercising, maintenance and review of the relevant BIAs and BCPs;
- Co-ordinating with local EPRR leads in identifying local risks to business continuity;
- Development and implementation of appropriate business continuity strategies to mitigate and manage local risks;
- Providing annual assurance of business continuity management through the NHS England EPRR assurance process, in accordance with the NHS England Core Standards for EPRR;
- Ensuring that local third party suppliers provide business continuity management assurance to NHS England;
- Reporting incidents or potential incidents using the agreed incident response structure. This will include notification and escalation to regional BC leads and the NSC BC team of significant incidents requiring invocation of BCPs;
- The management of, and recovery from, relevant business continuity incidents under the command and control of the locally nominated Incident Director;
- Liaising with the National Support Centre BC team on the NHS England BCMS.

8.5 NHS England, CSU and NHS IQ staff

All staff are responsible for:
- Contributing to the development of BIAs and BCPs;
- Maintaining awareness of the BCP that affects their teams and business areas, including their individual role following invocation;
- Reporting any business continuity incident in accordance with the relevant incident reporting system;
- Assisting with any business continuity response to an incident.

9 Business continuity plan (BCP)

9.1 BCP content

A BCP will be produced by all organisations and teams listed within the scope (section 2) of this policy. The BCP will be based on:
- Risk assessments;
- BIA (the NHS England BIA template can be found here);
- Identification of prioritised activities, continuity requirements and recovery plans;
- Incident response structures.

The NHS England BCP template can be found here.

9.2 BCP review

The BCP will be reviewed annually or following an exercise or incident. Post exercise / incident debriefs shall be conducted to ensure that lessons are identified and action plans developed to ensure continual improvement and relevance of the BCPs.

10 Business continuity incidents

10.1 Incident response structure

The incident response structure will be defined within the relevant BCP to ensure effective incident response and recovery phases. Business continuity leads will support the designated incident manager and incident response team, as detailed in the relevant BCP.

In addition, due to their role as category 1 responders, the following guidance applies to NHS England regional / area teams:
- In hours reporting and response: via the BCP incident response structure;
- Out of hours reporting and response: via existing EPRR on call arrangements.

10.2 Incident response levels

The Incident Response Levels in table 1 will be used by NHS England and hosted bodies to ensure consistent notification, escalation and co-ordination of incidents. In addition, these levels are aligned to the NHS England EPRR Incident Alert and Response Levels to correlate area, regional and national response for both business continuity and EPRR.

Table 1: Incident response levels
Level 1: A business continuity incident that can be locally managed without invocation of a BCP.
Level 2: A business continuity incident that requires invocation of the area team BCP and notification to the regional team.
Level 3: A business continuity incident that requires invocation of the regional team BCP and notification to the NSC. (This level includes invocation of CSU / NHS IQ and NSC directorate BCPs.)
Level 4: A business continuity incident that requires invocation of the NSC BCP to provide incident co-ordination.

10.3 Incident co-ordination locations

An appropriate incident co-ordination location and a secondary location are to be identified to enable effective incident response. The Incident Manager and Incident Response Team will coordinate operations from the identified designated location.

10.4 Incident response and recovery strategies

Business continuity incidents may occur due to both internal and external hazards and threats. Appropriate response and recovery strategies will be defined in BCPs.
11 Business continuity mutual aid

11.1 Mutual aid agreements (MAA) will be developed and maintained by NHS England national, regional, area teams and hosted bodies to ensure the continued delivery of prioritised activities during a business continuity incident.

12 Communication

12.1 Communication and consultation on the development of the BCMS will be undertaken with nominated BC leads, EPRR, all staff and interested parties by the NSC BC team. This will include variations to statutory requirements.

12.2 Communication strategies will be defined within relevant BCPs, defining appropriate guidelines for internal and external communication in the event of an incident. This will include plans and procedures for liaising with the NHS England Communications and Media Relations teams.

13 Training

13.1 BC leads and supporting roles within the NHS England BCMS will be provided with appropriate internal and external training for their role.

13.2 Appropriate skills and competence levels will be identified to highlight training requirements.

14 Exercising

14.1 In accordance with the NHS England Core Standards for EPRR, national, regional, area team and hosted bodies BCPs are to be exercised, reviewed and updated to determine whether any changes are required to plans, procedures or roles and responsibilities. As a minimum the exercise programme should include:
- Incident response structure communications test: 6 monthly;
- BCP tabletop exercise: annually;
- Live exercise: every 3 years.

Within NHS England teams the business continuity exercise schedule should be coordinated with relevant EPRR leads.

15 Performance evaluation

15.1 Annual assurance of the BCMS for NHS England and hosted bodies will be undertaken as part of the EPRR assurance process, in accordance with the NHS England Core Standards for EPRR, and provided to the Department of Health.

15.2 An annual management review of the NHS England BCMS will be undertaken by the National Director: Transformation and Corporate Operations Directorate. This will include:
- Status of actions from previous reviews;
- Performance of the BCMS, trends, results of monitoring and audits;
- Changes to the organisation and their impact on the BCMS;
- Identifying opportunities for continual improvement.

15.3 The NHS England BCMS will be evaluated by internal audit. Appropriate action will be taken following an audit to ensure the BCMS conforms to NHS England requirements and complies with relevant standards.

16 Distribution & implementation

16.1 Distribution plan

This document will be made available to all staff via the NHS England internet site, the NHS England intranet Policies and Procedures page and from the NSC BC team intranet page.

16.2 Awareness plan

Awareness of this policy and the NHS England BCMS will be promoted to NHS England staff by the NSC BC team and BC leads. This will include an annual BC awareness week and e-learning training.
17 Monitoring

17.1 Compliance

Compliance with this policy will be monitored by the NSC BC team. Non-compliance will be reviewed to determine corrective actions. The Business Management and Continuity Senior Manager is responsible for monitoring, revising and updating this policy.

17.2 Equality impact assessment

This document forms part of NHS England's commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities. As part of its development this document and its impact on equality has been analysed and no detriment identified.

18 Reference documentation

18.1 Reference documents
- Civil Contingencies Act 2004.
- Health and Social Care Act 2012.
- ISO 22300: Societal security - Terminology.
- ISO 22301: Societal security - Business continuity management systems - Requirements.
- ISO 22313: Societal security - Business continuity management systems - Guidance.
- NHS England Business Continuity Management Toolkit.
- NHS England Business Continuity Management Framework (service resilience).
- NHS England Core Standards for Emergency Preparedness, Resilience and Response (EPRR).
- NHS England Risk Management Strategy and Policy.
- NHS England Information Governance Policy.
- PAS 2015: Framework for Health Services Resilience.
Appendix 1 Version control tracker

Version Number | Date | Author Title | Status | Reason for Issue
V01.00 | Aug 2013 | Business Management & Continuity Senior Manager | Approved | Initial version
V02.00 | Nov 2014 | Business Management & Continuity Senior Manager | Approved | Review
Appendix 2 Terms and definitions

Unless a contrary intention is evident or the context requires otherwise, words or expressions contained in this document shall have the same meaning as set out in the National Health Service Act 2006 and the Health & Social Care Act 2012 or in any secondary legislation made under the National Health Service Act 2006 and the Health & Social Care Act 2012, and the following defined terms shall have the specific meanings given to them below:

Board: means the Chair, Executive Members and Non-executive Members of NHS England collectively as a body.

Budget: means a resource, expressed in financial terms, proposed by the Board for the purpose of carrying out, for a specific period, any or all of the functions of NHS England.

Business Continuity: means the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management (BCM): means a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management System (BCMS): means part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.

Business Continuity Plan (BCP): means documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE: Typically this covers resources, services and activities required to ensure the continuity of critical business functions.

Business Continuity Programme: means an ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.

Business Impact Analysis (BIA): means a process of analysing activities and the effect that a business disruption might have upon them.

Emergency Preparedness, Resilience and Response (EPRR): means the programme of work to plan for, and respond to, a wide range of incidents and emergencies that could affect health or patient care.

Executive Member: means a Member of the Board who is appointed under paragraph 3 of Schedule A1 of the NHS Act 2006.

Incident: means a situation that might be, or could lead to, a disruption, loss, emergency or crisis.

National Director: means an Executive Member or other Officer of NHS England who reports directly to the Chief Executive.

NHS England: NHS England is an executive non-departmental public body of the Department of Health. NHS England oversees the budget, planning, delivery and day-to-day operation of the NHS in England as set out in the Health and Social Care Act 2012.

Prioritised Activities: activities to which priority must be given following an incident in order to mitigate impacts. NOTE: Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.

Risk Assessment: overall process of risk identification, risk analysis and risk evaluation.
Appendix 3 NHS England Business continuity operating model and interaction with EPRR

[Figure: NHS England Business Continuity (BC) operating model & interaction with Emergency Preparedness, Resilience and Response (EPRR). The diagram shows the following elements:]
- Department of Health: Emergency Preparedness, Resilience and Response; Business Continuity team
- EPRR Partnership Group (DH led, PHE and NHS England)
- ALB Business Continuity Forum (DH led)
- Sarah Pinto-Duschinsky, Director Operations & Delivery, National EPRR
- Karen Wheeler, BC SRO, Nat. Dir Transformation & Corp Ops
- NSC Business Continuity Team
- NHS England and the NHS in England: EPRR and BC assurance; EPRR and BC Core Standards; NHS in England Business Continuity guidance
- NHS England and hosted bodies: BC policy, strategy, guidance, support (training / exercise / audit); consultation on guidance documents and development of BCMS
- EPRR Oversight Group: National Director Ops & Delivery; Regional Directors Ops & Delivery; Regional Heads EPRR; NSC Head Corp Ops
- EPRR Business Group: National EPRR; Regional Heads EPRR
- BC Working Group: Regional / area team & CSU representation
- BC Leads: Regional / area teams; CSUs; NHS IQ
Key: BC / EPRR construct; Co-ordinating areas