Force Policy & Procedure: Business Continuity Management
Reference Number: D269
Policy Version Date: 23 July 2015
Review Date: 23 July 2016
Policy Ownership Portfolio Holder Links or overlaps with other policies Operations Assistant Chief Constable Operations Support D358 Integrated Risk Management D32 Records Management

1.0 Policy Statement / Intentions (FOIA - Open)

1.1 Business Continuity Strategy

Devon and Cornwall Police recognises the requirement for business continuity management to ensure that in the event of a business disruption the Force can continue to deliver adequate levels of policing to provide an appropriate emergency response. If the disruption is severe the Force may need to scale down non-critical activities and re-direct resources to critical activities to ensure its key services continue to be delivered. Led by ACC Operations the Force Business Continuity Champions are utilised to progress Business continuity across the Devon and Cornwall Police area.

1.2 Strategic Objective

In order to achieve the strategy the following Force Business Continuity Strategic Objectives have been identified in priority order:

- Protection of Life and Property
- Maintenance of Public Order

1.3 Key Services
The key services delivered by the Force to its stakeholders have been identified. It was agreed that they are all of equal importance and therefore the list is not indicative of priority.

- Responding to Emergencies
- Investigating and Detecting Crime
- Co-ordinating a Multi-Agency Response
- Supporting the Criminal Justice System
- Protecting the Health, Safety and Welfare of Staff
- Provision of Resources
- Warning, Informing and Public Reassurance
- Public Protection

1.4 In the application of this working practice staff are reminded of the need to comply with the standards and principles of the Code of Ethics for policing.

2.0 Introduction and Implications (FOIA - Open)

2.1 Business Continuity Management is a corporate process for building internal resilience to severe disruptions. By identifying potential problems before they occur and preparing for them, an organisation is more likely to be able to continue functioning, even whilst acting in emergency conditions.

2.2 The Civil Contingencies Act 2004 imposes a statutory duty on all Category One (core) responders to undertake Business Continuity Management and to prepare, maintain and exercise Business Continuity Plans. Category One Responders comprise the Emergency Services, Local Authorities, Health Bodies and Government Agencies.

2.3 The Strategic Policing Requirement places specific business continuity requirements on the Force. The College of Policing recommends Police Forces align themselves with the British Standard (BS) ISO 22301 and 22313. Future audits and business continuity inspections are likely to be based on BS ISO 22301 and 22313.

2.4 The Business Continuity Institute has produced BCI Good Practice Guidelines 2013, which have been consulted in the production of this document.

2.5 The purpose of Business Continuity Planning within the Force is to protect Key Services of the Force and to enable their supporting critical activities to be maintained or restored quickly in the event of a business disruption.
Business Continuity Planning minimises the risk of disruption to the organisation from identified threats and risks. It is important for all departments to consider their inter-dependencies and the need for co-operation and sharing of information to develop well co-ordinated plans.

2.6 Business continuity is a holistic process that looks at the organisation as a whole, as well as individual departments.

2.7 Finance
2.7.1 There is no central budget allocated for business continuity expenses. Each department will be expected to bear any business continuity related expense out of their existing budgets.

2.8 Training

2.8.1 It is recommended that those staff responsible for the production of Business Continuity Management (BCM) documentation receive a basic level of BCM training. The cost of this will be borne by individual departments.

2.9 Awareness

2.9.1 It is the responsibility of all staff to be aware of the location and content of their business continuity plans.

2.9.2 Senior Managers should be briefed on their role in Business Continuity Management within two months of starting in their role by the relevant Business Continuity Champion.

3.0 Procedures (FOIA - Open)

3.1 Roles and Responsibilities

3.1.1 It is essential for Business Continuity Plans to be based on the requirement to provide continued front line policing services in times of crisis or exceptional demand.

3.1.2 For the Business Continuity Management process to be viable it must have ownership at the highest level within the organisation. Consequently, responsibility for Business Continuity planning across the Force will rest with ACC (Operations) who will be supported in this by the Operations Planning Unit.

3.1.3 Responsibility for the Business Continuity Plan (BCP) at the HQ site Middlemoor (outside of the strategic co-ordinating centre) will rest with the Director of Finance and Resources who will utilise the structure of the Site User Group to deliver this functionality. This responsibility of the site user group will support the work of the BCM Champion's meetings.

3.1.4 The Force BCM Champion's Forum, supported by defined terms of reference, will be the main practitioner grouping for Business Continuity Planning and will present recommendations and activity debrief etc. to ACC (Operations) for ratification.
3.1.5 Business Continuity planning is an ongoing evolving process and allows for development of the plan as the situation changes and knowledge of good practice or increased threat levels improves.
3.1.6 Business Continuity responsibilities have been assigned to specific roles within the Force. This information is retained on a spreadsheet and maintained by the Operations Planning Unit.

3.2 Process

3.2.1 Business Continuity Management is defined by the Civil Contingencies Act 2004 as a management process that helps manage the risks to the smooth running of an organisation or delivery of a service ensuring that it can operate to the extent required in the event of disruption.

3.2.2 Business Continuity Management follows a cycle supported by Business Continuity Programme Management.

3.3 Analysis

3.3.1 Identifying the Key Services and their Supporting Critical Business Activities

3.3.1.1 The Critical Activities are the core activities of the organisation, which support the key services. They should be clearly identified and prioritised, representing the order in which services will be reduced if circumstances causing disruption are forced upon the organisation. They should focus on the Force Key Services and Strategic Objectives and they should be those which score highly on the activity matrix.

3.3.2 Business Impact Analysis and Risk Assessment

3.3.2.1 Business Impact Analysis (BIA) is defined by the Civil Contingencies Act 2004 as a method of assessing the impacts that might result from an incident and the levels of resources and time required for recovery. The British Standard ISO 22301 describes business impact analysis as a process of analysing business functions and the effect that a business disruption might have upon them.

3.3.2.2 The findings from a Business Impact Analysis are used to make decisions and justify business continuity planning strategy and solution. The template for BIAs should be used.
3.4 Risks

3.4.1 Risk Assessment is defined by the Civil Contingencies Act 2004 as a structured auditable process of identifying potentially significant events, assessing their likelihood and impacts and then combining these to provide an overall assessment of risk as a basis for further decisions and action.

3.4.2 A further definition of Risk Management processes is contained in Force policy D358 - Integrated Risk Management Policy. This policy contains advice and guidance on generic risk management activity and defines the organisation's approach to Business Risk Management, of which Business Continuity is an important element.

3.4.3 Risk measures the significance of a potential event in terms of likelihood and impact.
Risk = Likelihood x Impact
Likelihood = Threat + Vulnerability

Official - Open

3.4.4 BS ISO 22301 defines a threat as something that may be described as events or actions which could at some point cause an impact to resources, e.g. fire, flood, power failure, staff loss, staff absenteeism, computer viruses, hardware failure.

3.4.5 BS ISO 22301 defines a vulnerability as something that may occur as weaknesses within the resources and can at some point be exploited by the threats, e.g. single points of failure, inadequacies in fire protection, electrical resilience, staffing levels, IT security and IT resilience.

3.4.6 The scoring values identified in this policy are designed to meet the needs of Business Continuity Management. The values contained in the Integrated Risk Management Policy reflect a different scale and criteria. The two models are designed to be individual yet complementary. Further advice and guidance can be obtained from OEPU.

3.4.7 The identified risks, calculated business impact and the identified strategy to reduce or mitigate the impact must be submitted for monitoring through the Force Continuous Improvement Programme on the Business Continuity Risk Register document. The identified measures to mitigate and control the risk and to fund the strategies will be managed through this process.

3.4.8 The Business Impact Analysis must be reviewed and amended in updated versions of the Business Continuity plan when risk levels have been altered.

3.5 Design (Previously Determining BCM Strategies)

3.5.1 BS ISO 22301 defines business continuity strategy as the approach by an organisation that determines how continuity and recovery from disruption will be achieved, Information obtained. Decisions in design phase are used to provide solutions during future disruptions.

3.5.2 Strategies should be prepared for critical activities and the resources on which the activities depend.
The most appropriate strategy will depend on many factors including the Maximum Tolerable Period of Disruption (MTPD), the cost and the consequences of inaction.

3.5.3 Strategies should be prepared, at a Force and Departmental level, for loss of the following resources, where a loss of one of these resources will have a high impact on the ability to deliver the critical activity. For example:

- People
- Premises
- Fuel
- Technology
- Information
- Suppliers
- Telecommunication
- Fleet
- Finance

3.5.4 Strategies should define how a critical activity will be recovered within its Recovery Time Objective (RTO) and the resources required for its resumption. They should also take into account existing resilience or mitigation measures and those other activities that are not deemed critical.

3.6 Implementation (Previously Developing and implementing A BCM Response)

3.6.1 The actions to be carried out to enable the processes affected to continue in respect of the critical activities must be detailed within the plan.

3.6.2 Completed Business Continuity plans together with the completed templates as appendices will be stored on the Devon and Cornwall Police shared P:/Business Continuity Management drive and maintained in accordance with Force policy D32 Records Management.

3.6.3 Invocation of Business Continuity Plans will only take place on the instruction of the Police Gold Commander, the relevant LPA Commander or Department Head or his or her deputy.

3.7 Validation

3.7.1 Business Continuity Management is an ongoing process and the Business Continuity Plans will be live documents, which will be strictly version controlled. Out of date versions will be archived and retained for a period of 5 years to provide an audit trail of the development of the plan.

3.7.2 Every Business Continuity Plan will be reviewed on a yearly basis by the plan owner to ensure that it remains relevant and up to date. It may be necessary to carry out the review sooner if staff changes take place or business processes are modified or unexpected internal or external events occur.

3.7.3 Business Continuity plans will be exercised on a three year rolling cycle as a minimum. The responsibility for managing the exercise programme for Business Continuity Plans is that of the OEPU.

3.7.4 Following review, exercise or activation, the plans will be updated accordingly in line with any lessons learned or good practice guidelines.
3.7.5 BC Champions should advise OPU of any incident in their area that could have led to use of a BC Plan. A debrief will be sought to find out if there are any lessons to be identified.

3.7.6 All plans will be reviewed on an annual basis and this will include anything that has changed since the last update and any knock-on effects of changes in other areas. If the plans have changed significantly, new versions should be created.
3.8 Embedding BCM in the Organisation's Culture

3.8.1 The existence of Business Continuity Plans for each Department and LPA must be circulated to all relevant staff and training delivered to those who have a role to play within the Business Continuity Team.

3.8.2 Competence in Business continuity should be increased through training, Education and Awareness.

3.8.3 Communication of the plan is paramount. All staff should be aware of the risks, the strategies in place and the Business Continuity Plans. This will ensure the smooth implementation of the plan should an incident occur. Feedback from staff must be encouraged to ensure all threats have been identified.

3.8.4 Regular awareness events take place to raise awareness of the BC Process and increase awareness in an environment where role holders change jobs regularly.

4. Audit / Assessment Compliance (FOIA - Open)

4.1 This policy has been drafted and audited to comply with the principles of the Human Rights Act. Equality and diversity issues have also been considered to ensure compliance with equality legislation and policies. In addition Data Protection, Freedom of Information, Management of Police information and Health and Safety issues have been considered. Adherence to this policy will therefore ensure compliance with all relevant legislation and internal policies.

5. Review and Ownership (FOIA - Open)

5.1 The review of the contents of this policy is the responsibility of the Commander Operations. Review of the policy will be undertaken annually by OPU.

6.0 Useful links (FOIA Open)

6.1
- D358 Integrated Risk Management
- D32 Records Management
- BCI Good Practice guidelines 2013

Appendix A Roles and responsibilities (FOIA Open)
Introduction

Business Continuity Management within Devon and Cornwall Police will be the overall responsibility of ACC Operations.

Business Continuity Overall Manager (Gold) (ACC.)

- Has overall strategic responsibility for the Business Continuity operation
- Is responsible for any decisions taken by the Business Continuity Management Team
- Is responsible for conducting an initial assessment following the invocation of the plan. To establish the nature of the incident and the impact on the critical function. To identify who needs to be informed/called in as part of his or her team.
- Is responsible for establishing an Incident Management Centre as a single point of contact for recovery of the critical function.
- Reports to the Incident Gold Commander or the Force Incident Manager as appropriate.
- Is responsible for ensuring that a Policy Book is initiated, maintained and preserved to ensure a clear audit trail.
- Is responsible for consulting with the Business Continuity Management Team and Incident Gold and the preparation of a publicity plan to warn and inform the public.
- Is responsible for the successful conclusion of the operation
- Ensure full debrief procedures are completed
- Ensure that the plan is updated if necessary following debrief.
- Is responsible for ensuring the management of the return to normal service as appropriate.
Operations Planning Unit

The Emergency Planning Manager will have responsibility, as the Force Business Continuity Co-ordinator, to support ACC Operations in:

- identifying strategic priorities;
- maintaining or reinstating key functions within the Force;
- determining policy;
- directing the development of corporate plans; and
- co-ordinating the development of business continuity within the Force.

The Operations Planning Unit will:

- provide a support function to those involved in business continuity management and planning within the Force;
- co-ordinate business continuity activities; and
- assist plan owners with testing and exercising business continuity plans.

Business Continuity Champions Forum

The Business Continuity Champions Forum, comprising relevant Departmental Heads, will assist the Force Business Continuity Co-ordinator in developing the business continuity management process and respond to any business continuity crisis, as required (see Business Continuity Champions Terms of reference).

LPAs and Departments

Departmental Heads and BCU Commanders will be responsible for preparing local business continuity plans with guidance from the Local Business Continuity Champion and/or Operations Planning Unit.

Business Continuity Champions

- Development of the Business Continuity Management planning process within their business area
- Act as BC SPOC for their relevant department (Unit managers will report through the BC Champion)
- Ensure that each Unit within their Department has an identified POC, usually the Unit Manager
- Co-ordinate and quality assure BC plans originating in their department to meet agreed timescales.
- In conjunction with the Operations Planning Unit (OPU), ensure that BC plans within their department are reviewed and exercised on a pre-agreed basis.
- Ensure that members of staff identified as having responsibilities within Departmental/Unit plans are aware of their role and the associated responsibilities with that role.
- Raise awareness of BCM, ensuring that staff know of the BC plans that affect their area of work, and what is expected of them in a disruption.