Business Continuity Management (BCM) Policy Reference number: Corporate 042 Title: Business Continuity Management (BCM) Policy Version number: Version 2 Policy Approved by: LLR PCT Cluster Board Date of Approval: 12 th April 2012 Date Issued: April 2012 Review Date: October 2012 Document Author: Robert Willott, Resilience Planning Officer Director: Dr Peter Marks Director of Public Health (NHS LCR)
Version Control and Summary of Changes Version Comments Date number (description change and amendments) Version 1 March 2009 NHS Leicestershire County and Rutland Business Continuity Planning Policy (PH003). Version 1 December 2010 December 2011 NHS Leicester City Business Continuity Management Policy (Corporate 032). Version 2 February 2012 Amendments made to reflect organisational changes across NHS Leicester City and NHS Leicestershire County and Rutland (including Clinical Commissioning Groups (CCGs), Commissioning Support Service (CSS)). This policy replaces all previous versions across Leicester, Leicestershire and Rutland (LLR) PCT Cluster. April 2012 Policy presented to and approved by LLR PCT Cluster Board. All policies can be provided in large print or Braille, if requested. Interpreting services are also available for individuals of different nationalities. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 2 of 20
Contents Page Equalities Statement 4 Policy Statement 4 Statutory Requirements 5 Communicating this Policy 5 Definitions 6 Business Continuity Management (BCM) 7 Developing Business Continuity Plans 9 Business Continuity Plans 10 Records Management 11 Accountability and Responsibility 11 Training, Exercising, Maintaining and Reviewing Business Continuity Management Arrangements 13 Monitoring, Compliance and Effectiveness of the BCM Policy 15 Reviewing the BCM Policy 17 Appendices Appendix 1: Equality Analysis template 18 Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 3 of 20
Equalities Statement 1. NHS Leicester City and NHS Leicestershire County and Rutland (collectively known as the Leicester, Leicestershire and Rutland (LLR) PCT Cluster) and the Clinical Commissioning Groups (CCGs) across LLR aim to design and implement policy documents that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account the provisions of the Equality Act 2010 and advances equal opportunities for all. This document has been assessed to ensure that no one receives less favourable treatment on the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. 2. In carrying out its functions, the LLR PCT Cluster and the CCGs must have due regard to the different needs of different protected equality groups in their area. This applies to all the activities for which the LLR PCT Cluster and CCGs are responsible, including policy development, review and implementation. See Appendix 1 for an Equality Analysis. Policy Statement 3. This policy relates to all employees of NHS Leicestershire County and Rutland and NHS Leicester City (hereafter referred to as the Leicester, Leicestershire and Rutland (LLR) PCT Cluster); but with the focus on all the key staff involved with business continuity management and recovery of key activities should the PCTs be faced with any type of business continuity incident. This policy also covers the three Clinical Commissioning Groups (CCGs) across Leicester, Leicestershire and Rutland: East Leicestershire and Rutland CCG West Leicestershire CCG Leicester City CCG. Until further guidance, the scope of the Policy also covers the LLR Commissioning Support Services (CSS). Business Continuity Plans are in place across both city and county Public Health Teams and are covered by the scope of this policy. Work will continue with both Local Authorities to ensure a smooth transition of business continuity arrangements. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 4 of 20
4. This policy is intended to establish and support business continuity planning processes as an integral component of LLR PCT Cluster s normal working practices. It will also ensure the existence of a response driven by command and control structures commensurate with the level of risk or seriousness of the event. Due to the changing landscape, it is recommended that this policy is regularly reviewed to reflect the organisational changes. 5. The objectives of the Policy are as follows: To identify, plan, resource and implement preventative actions that reduce the risk of disruption to key services across all areas that fall within the scope of this Policy. To establish arrangements to respond to serious disruption, allocating resources and priorities for action to recover critical functions and prepare for return to normal working as quickly as possible. To support effective communication during a service disruption. To ensure that LLR PCT Cluster, CCGs and the CSS can continue to exercise its core functions in the event of an emergency. To link where necessary with local resilience arrangements including strategic, tactical and operational commands. To provide assurance that LLR PCT Cluster, CCGs and the CSS have robust business continuity plans (BCPs) in place. To ensure that LLR PCT Cluster and CCGs have assurance that its providers have business continuity plans in place. Statutory Requirements 6. Business Continuity Management (BCM) is a statutory requirement for NHS organisations to undertake. The Civil Contingencies Act 2004, NHS Emergency Planning Guidance 2005 and the interim NHS Guidance on Business Continuity (2008) (for the purpose of the Act, LLR PCT Cluster is a Category 1 responder) requires that organisations have Business Continuity Management procedures and plans in place to ensure that, in the event of a significant service interruption, critical day-to-day functions can be maintained. Timely recovery and restoration of key services, systems and processes must also be achieved. Communicating the Policy 7. Communicating this policy will be conducted through multiple channels including induction and annual mandatory training. The policy will be available to staff via the intranet. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 5 of 20
Definitions 8. The following definitions will apply in the policy as shown in Table 1 below: Table 1: Term Business Continuity Major Incident Operational Command Service Interruption Service Recovery Strategic Command Tactical Command Meaning Business Continuity is the process of facilitating the recovery of critical business services, systems and processes within agreed timeframes, while maintaining the organisation s critical functions and delivery of vital services. Any occurrence, which presents serious threat to the health of the community, disruption to the service or causes (or is likely to cause) such numbers or types of casualties as to require special arrangements to be implemented by hospitals, ambulance trusts or primary care organisations. (NHS Emergency Planning Guidance 2005). The Operational Commander directly controls the organisation's resources at the incident and will be found with his/her staff working at the scene. Any incident which threatens personnel, buildings or the operational procedures of an organization and which requires special measures to be taken to restore normal functions. An appropriate response would aim to maintain essential services and restore normal services as soon as possible under the circumstances prevailing at the time. The restoration and support of utilities and services without which the core organisational functions would not be able to continue. The Strategic Commander is in overall control of the organisation's resources at the incident. They may not be on site, but at a distant control room, where they will formulate the strategy for dealing with the incident. The Tactical Commander manages the strategic direction from the Strategic Commander and makes them into sets of actions that are completed by Operational command. They are not located at the scene. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 6 of 20
Business Continuity Management (BCM) 9. The LLR PCT Cluster s business or the business of the CCGs or the CSS may at any time be interrupted by an emergency or other significant event. This may range from something that affects one area of operations, a more serious event affecting buildings/staff/service functions or an event affecting the wider community. Alternatively, while responding to an emergency, a serious business/service interruption may occur within the organisation s buildings or services. Any one of these scenarios requires a rapid, proportionate and efficient response to managing the incident in order to restore normal business functions as soon as possible. 10. There are many varied possible causes of service disruption. As a general guide, business continuity planning must be carried out to minimise the effects of a number of potentially disruptive events, for example: Major accident or incident such as national disaster, epidemic, terrorist attack; Fire, flood, extreme weather conditions; Loss of utilities, including IT and telephone systems; Major disruption to staffing; e.g. as a result of an epidemic, transport disruption, industrial action, inability to recruit or mass resignations. 11. Individual directorate level plans have been developed in line with the interim NHS Guidance for Business Continuity (2008) and to comply with British Standards Institute Specification (BS 25999). The process is widely accepted as industry standard. These plans will be modified to represent function level plans as the LLR PCT Cluster moves through transition. CCG plans will be developed on a functions basis. 12. The stages in the BCM Lifecycle process are: Understanding the organisation s business, i.e. defining the critical/core functions of the organisation. Identifying the risks and establishing how they are to be managed. Developing a response to risks. Raising awareness and embedding plans. Maintaining and auditing plans. 13. The BCM Lifecycle is shown in Figure 1 below. Further details of this can be found in BS25999. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 7 of 20
Figure 1: Business Continuity Management (BCM) Lifecycle 14. The benefits of an effective BCM programme are that the organisation: Can identify the impacts of an operational disruption; Has in place an effective response to disruptions which minimises the impact on the organisation; Is able to demonstrate a robust response through a process of training and exercises; Will be able to protect and enhance its reputation and competitive advantage with new and existing customers, with working partners and other stakeholders by demonstrating reliability and maintaining service delivery. 15. The outcomes of an effective BCM programme are that: Key products and services are identified and protected, ensuring their continuity; Incidents are managed to enable an effective response; The organisation understands its relationships and interdependencies with other organisations and stakeholders (e.g. local acute hospital, local authorities); Staff are trained to respond effectively to a disruption through appropriate training, education and exercises; Stakeholder requirements are understood and able to be delivered; Staff are supported by adequate communication strategies; Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 8 of 20
The organisation s supply chain is secured; The organisation s reputation is protected; The organisation remains compliant with its legal and regulatory obligations. 16. BCP leads or appropriate staff members are required to carry out a Business Impact Analysis (BIA) to identify key activities and then complete a business continuity plan for each risk identified. 17. BIA s and BCP s must be reviewed and amended where necessary but at least annually or sooner if there is a major service development. Developing Business Continuity Plans 18. Business continuity plans are in place for the LLR PCT Cluster at Directorate level; these will change into a plan which focuses on functions as the LLR PCT Cluster transitions into the Local Office towards the end of 2012 2013. Functions based business continuity plans are also being developed for each CCG and the CSS. It is important that each directorate/function: has ownership of the business continuity plans that relate to the services it commissions or functions it delivers; should allocate a plan owner, who will be responsible for reviewing, amending and updating their plan at least annually. Plan owners will advise the Resilience Planning Officer (RPO) of amendments to be made to the plans. To ensure this, each directorate/ department is responsible for completing a BIA and identifying risks to those functions. From this the directorates/departments have developed business continuity plans. 19. Elements involved in developing a Business Continuity Plan are as follows: Having the right team and management support; Contingencies planned for and in place; Risk evaluation and control measures are integral to overall risk assessment; Writing and testing the plan; Business impact analysis; Training and maintenance; Continuity Strategy. 20. Plans should be cascaded to all staff within directorates / across functions as appropriate. Plan owners and their deputies have access to their business continuity plan via S:\Business Continuity Plans. Support to Directors and Senior Managers will be provided by the RPO should any problems arise in Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 9 of 20
the development of business continuity plans. Each directorate/function is responsible for ensuring that staff are given training to assist them to implement business continuity plans. This training will vary according to the content of the plans. The RPO will take overall responsibility for ensuring a corporate plan is produced in a timely manner and is tested regularly. Business Continuity Plans 21. Plans should be concise and accessible to those with responsibilities defined in the plans. Plans should be fully understood by the staff and the teams responsible for specific actions within the plans. 22. Plans should clearly state any interdependencies and reliance s, both within the organisation and with other stakeholders. 23. Plans must also include: A description of the key activities identified and a RTO (recovery time objective); Detailed action plans to control the Key activity; Details of who is responsible for overseeing contingency planning and activating plans; Details of who is responsible for implementing action plans; Details of external organisations to be involved if appropriate; A description of escalation procedures if appropriate. 24. Plans should estimate the resources that each activity will need to get started again. These may include: People (workers) numbers, skills and knowledge; Work site (premises) and facilities; Supporting technology (pay close attention to software needs for IT), plant and equipment; Access to previous work or current work-in-progress information; External services and supplies; What are the needs of your stakeholders? This may have an effect on your resource levels. 25. The plan must document how it is to be invoked and how this is to be achieved in the shortest possible time following the occurrence of a business disruption. Criteria and clear guidelines to identify individuals with authority to invoke plans, and under what circumstances, will facilitate a timely, coordinated and consistent approach. 26. Plans must also contain information about how their implementation will be monitored and recorded. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 10 of 20
27. While it is difficult to predict the type of incident, it is assumed that these are likely to be associated with scenarios including fire, flood, building collapse, computer failure, telecommunication failures, loss of utilities, fuel shortages, staff shortages and terrorism. The list is not exhaustive and those dealing with business continuity within their department or directorate should assume that they might be called upon to provide an adequate level of their service in unusual circumstances and to varying degrees. Records Management 28. All records created during the implementation of a business continuity plan must be kept by the RPO. These records will be stored in line with the corporate Records Management and Lifecycle Policy. Accountability and Responsibility 29. Updates on business continuity will be provided to the LLR PCT Cluster Board and CCGs Boards annually or following invocation of the Business Continuity Plan. Detailed oversight and management of the Business Continuity Plan will be undertaken through the new BC Leads meeting that has representation from each directorate across the LLR PCT Cluster. 30. Those responsible for Business Continuity Planning must consider the following general points: Risk management and Business Continuity Planning work side by side. Business Continuity Planning must be supported by good management and not considered in isolation from other working practices. The first few hours after an incident are crucial and good management supported by robust Business Continuity Planning plans will considerably aid recovery. Business Continuity Planning is not simply about knowing the answers when an incident occurs, but knowing what questions to ask. Business Continuity Planning can improve existing procedures, improve services and assist in the prevention of disruption to service provision. It is essential to have shared risks covered in any Business Continuity Plan. Do not try to go it alone - remember to involve other agencies and similar organisations who will be only too willing to provide support if the appropriate plans are in place. 31. The duties and responsibilities of the LLR PCT Cluster Board and of key officers are shown in Table 2 below: Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 11 of 20
Table 2: Title LLR PCT Cluster Board Chief Executive CCG Board Director of Public Health (DPH) Resilience Planning Officer (RPO) Directors/Senior managers (some of these duties could be that of the business continuity lead) DPH/Consultant in Public Health All staff Duties/ Responsibilities Setting the strategic context in which the business continuity policy is developed. The direction for development of service recovery procedures and plans. The Chief Executive has overall responsibility for ensuring that LLR PCT Cluster has effective arrangements in place to respond to an incident that has the potential to affect service provision. The direction for development of service recovery procedures and plans for each CCG. The DPH Director has overall responsibility for ensuring business continuity management is developed and embedded within the PCT and our Primary Care contractors. The RPO supports the PH director in business continuity planning. Some of the RPO s responsibilities include: Development and maintenance of BIA s and BCP s Developing and running business continuity exercises Running business continuity training programmes Development of business continuity documents including policies and guidance documents Working with partners to enhance business continuity arrangements across Leicestershire. Directors and senior managers are responsible for ensuring that: Directorates and services complete an analysis of critical functions and risk assessments. Business continuity plans are completed for each risk identified. Activation of their business continuity plans Business continuity plans are cascaded to appropriate staff within the directorate and appropriate information and training is given. Plans and critical function analyses are reviewed annually or sooner as appropriate. Provide specialist public health support to Directors and Senior Managers. All staff must make themselves familiar with their individual roles as set out in this policy and within individual directorate business continuity plans. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 12 of 20
Training, Exercising, Maintaining and Reviewing Business Continuity Management Arrangements 32. Managers or staff tasked with Business Continuity Management must receive appropriate training to enable them to fulfil their management function. Those responsible for Business Continuity Management must ensure that training needs are identified and training records maintained. Staff should receive training during induction, refresher training, when changing appointment or department and when procedures are amended /changed. 33. Business Continuity Plans should be tested through exercises to develop teamwork, competency, confidence and knowledge which will be vital at the time of an incident of business disruption. 34. Exercises should be realistic and carefully planned with clearly defined aims and objectives appropriate to the organisation s recovery objectives. 35. Exercises should practice the organisation s ability to recover from a disruption and ensure that critical activities, their dependencies and priorities have been correctly identified. 36. Exercises should highlight assumptions which may need to be questioned, instill confidence amongst the participants, raise awareness of business continuity throughout the organizations and validate the effectiveness and timelines of restoration of critical activities. 37. Example of methods of exercising Business Continuity Management strategies and plans are shown in Table 3 below. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 13 of 20
Table 3 Complexity Exercise Process Variants Frequency Simple Desk Top Exercise. Review / amend content of plan. Update plan. Validate plan. At least annually. Challenge the content of the plan. Audit / verify the plan. Medium Walk through the service plan. Challenge the content of the plan. Validate participant s roles. Annually. Simulation Exercise critical activities Create an artificial situation to validate plan information and recovery arrangements. Incorporate/identify associated plans (dependencies) e.g. run the service from a different location. Alternate years. Invoke a plan in a controlled situation without jeopardising business as usual. Complex Exercise interdependent plans across a number of services. For example all services operating from one site. At 3 5 year intervals. Exercise frequency will depend on the needs of the organization and its stakeholders. Exercises should be flexible and should take into account the rate of organisational change and the outcome of previous exercises. Exercises may run to test individual plan components, single or multiple plans. Exercises may include third party providers. 38. The Business Continuity Management Policy and plans should be maintained to ensure that the organisation s competence and capability Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 14 of 20
remain fit-for-purpose and up-to-date. They should take account of any significant changes, whether internal or external, that may impact on the organisation and its arrangements. 39. BCM maintenance processes should seek to: Review and challenge assumptions made in plans; Document evidence of proactive management and governance in the way BCM is planned and embedded in the organisation. Identify that key people have been trained and are competent to implement plans; Ensure that updated business continuity policy, plans, and processes are made available to key personnel under a formal change / version control process. Monitoring, Compliance and Effectiveness of the Policy 40. The monitoring, compliance and effectiveness process is shown in Table 4 below. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 15 of 20
Table 4 Systems Monitoring and / or Audit Criteria Measurables Lead Officer Frequency Reporting to Systems in place to ensure the BCP leads follow the processes outlined within this policy Systems in place to ensure that the BCP links in with the trust s risk management strategy Systems in place to identify risks across the organisation and for which a BCP is needed Systems in place to ensure all staff tasked with BCM are appropriately trained All directorates and the departments have completed up to date BCP s The BCP policy is attached an addendum to the risk management strategy and is reported on the risk register Each directorate risk register identifies the risks and places them on the corporate risk register and a BCP is developed and reviewed accordingly Relevant staff receive training during corporate and directorate induction. RPO/ BCP Leads Company secretary Directors/ Heads of departments RPO/ Directors/He ads of department Annually or as necessary Ongoing Ongoing On appointmen t and ongoing. Board of directors Board of directors Board of directors / Executive Team Board of directors Monitoring / action plan Monitoring Monitoring / action Monitoring / Action plan Monitoring Training is refreshed periodically as and when necessary. Systems in place to conduct business continuity exercises Register of those trained is kept up to date. Joint exercising across county and city for all Primary Care providers. RPO Annually PCT s/ boards Monitoring Directorate exercises. LLR board Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 16 of 20
Reviewing the Policy 41. This policy will be reviewed annually. It will be amended, if necessary, to take into account new legal requirements and revisions and implementation of relevant British Standards. Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 17 of 20
C Name of Trust (LPT/LLR PCT Cluster): Equality Analysis Template LLR PCT Cluster Name of service, function or policy: Business Continuity Policy Directorate/Division: Authors directorate Public Health Purpose of service, function or policy: The PCT is a category one responder under the terms of the Civil Contingencies Act 2004. It is a statutory duty under this act for category one responders to have a business continuity management policy as part of their emergency preparedness responsibilities. The policy specifies the need for the organisation to identify its critical functions and to plan to be able to maintain these during an event that interrupts normal working. This policy is an update from LCR and Leicester City Policies which were previously approved in 2010 Equality Act 2010 General Duty o It is a requirement, when making any decisions relating to the shaping of policies, service delivery or as an employer, to have due regard to the need to: eliminate unlawful discrimination, harassment, victimisation, and any other conduct prohibited by the Equality Act 2010 (also to marriage and civil partnership) advance equality of opportunity and foster good relations between people who share any of the protected characteristics and people who do not share them Socio-economic deprivation is not a protected characteristic but included as best practice o It is a requirement for LPT/ LLR PCT Cluster to work towards equality objectives to help meet the General Duty and for staff to support and mainstream them Human Rights Act 1998 o It is a requirement for LPT/ LLR PCT Cluster to protect and promote human rights for service users and staff
Please ensure you are familiar with the Due Regard guidance before completing this equality analysis A number of hyperlinks have been added to assist you. What information have you used to analyse the effects on equality, particularly in relation to the protected characteristics? N/A (no impact on equality issues including protected characteristics) Provide details of the statistics, research or stakeholder engagement that you have analysed in order to assess the effect of the service, function or policy on equality Provide hyperlinks/references to any websites/documents (if analysis is already documented elsewhere, no need to repeat it here providing you can reference it). If there are any gaps in the information available how do you aim to address them? If not, why not? What has this information told you about the potential effect on equality, particularly in relation to access, experience or outcomes for the protected characteristics? There are no negative impact areas within the policy. Please note -The policy requires staff to work in different settings to maintain business continuity but any negative impact on staff can be avoided with appropriate planning (including risk assessments). Analysis should be as rigorous as possible, although the amount of analysis undertaken should be proportionate to the likely impact on protected groups. If you have made a judgment that there is no likely impact, can you justify why you have made this judgment? Provide hyperlinks/references to any documents where analysis is reported (if analysis is already documented elsewhere, no need to repeat it here providing you can reference it). Taking into account your equality analysis, and with the aims of the equality duties, Human Rights Act and Equality Objectives in mind, what is your overall assessment of the likely impact of the policy/decision on the protected characteristics listed below? Overall finding of equality analysis ( ) Go ahead as planned Adjust Continue regardless Stop What are the potential risks/costs (financial or otherwise) of not taking the actions below? N/A What are the potential savings/ benefits of taking the actions below? N/A Protected Characteristic Eliminate unlawful discrimination Advance equality of opportunity Issue/Risk Foster good relations Actions/ Outcomes Action Plan Target date Equality Objective/ s supported (1,2, ) Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 19 of 20
Age Disability Gender re-assignment Marriage & Civil Partnership Pregnancy and maternity Race Religion / Belief Sex (gender) Sexual Orientation Socio-economic deprivation Human Rights Date of analysis D D M M Y Y Action Plan Review Date D D M M Y Y Accountable Officer for actions Quality Assurance Policy Group ( ) Officer Leicestershire Partnership NHS Trust LLR Cluster Date D D M M Y Y Version 1.0 22 September 2011 Review date February 2012 Corporate 042 Business Continuity Management (BCM) Policy, Version 2 Page 20 of 20