NHS Hardwick Clinical Commissioning Group

Business Continuity Policy

Version Date: 26 January 2016
Version Number: 2.0
Status: Approved
Next Revision Due: January 2017
Developed by: Gordon Stevens MBCI, Corporate Assurance Manager, NHS Arden and Greater East Midlands Commissioning Support Unit
Sponsor: Chief Officer, NHS Hardwick Clinical Commissioning Group
Approved by: Governing Body, NHS Hardwick Clinical Commissioning Group
CONTENTS

1. Introduction
2. Objectives
3. Organisational Responsibilities for Business Continuity
   3.1 All Employees
   3.2 The CCG Chief Officer and Executives
   3.3 The CCG Business Continuity Lead
   3.4 Individual Managers
4. Arrangements for Business Continuity
   4.1 Business Continuity Management Lifecycle
   4.2 Understanding the Organisation
   4.3 Risk Analysis
   4.4 Business Continuity Plan
       4.4.1 Business Continuity Plan content
       4.4.2 Business Continuity Plan review
   4.5 Business Continuity Incidents
       4.5.1 Incident response structure
       4.5.2 Incident response levels
       4.5.3 Incident co-ordination locations
       4.5.4 Incident response and recovery strategies
       4.5.5 Business Continuity Mutual Aid Agreements
   4.6 Communications
   4.7 Training
   4.8 Exercising
5. Legal Liability
Appendix 1 Glossary of Terms
Appendix 2 Equality Statement
Appendix 3 Business Continuity Management System Guidance and Standards
Annexure 1 Policy Information Summary
Annexure 2 Document Controls
1. INTRODUCTION

1.1 This document sets out Hardwick Clinical Commissioning Group's (the "CCG") Policy for Business Continuity Management. The CCG's ability to provide its services relies on a number of different components, as identified in the Business Continuity Standard ISO 22301:2012. When individual components begin to fail, service delivery and CCG business outcomes will be affected.

1.2 The Civil Contingencies Act (2004) (CCA) covers the responsibilities for Category 1 and 2 Responders who provide strategic, tactical and operational response in emergencies. Clinical Commissioning Groups (CCGs) are identified as Category 2 Responders and are required by the CCA to cooperate, support and share information with other Category 1 and Category 2 responders during an incident.

1.3 The Care Quality Commission Regulations and Outcomes (2010), Outcomes 4, 6 and 10, place an emphasis on Health and Safety for NHS service users, risk mitigation and cooperation with other providers. As such, CCGs are expected to have procedures in place for dealing with emergencies which are reasonably expected to arise from time to time and which, if they arose, would affect the provision of services, in order to mitigate the risks arising from such emergencies to service users.

1.4 The CCG is required to undertake Business Continuity Management in accordance with the specification outlined in the International Standard ISO 22301:2012. It is essential that the CCG has mechanisms in place to ensure continued delivery of service occurs during a disruption.

1.5 Services may be disrupted for a number of different reasons, ranging from a shortage of staff due to flu pandemic, severe weather or road fuel shortages; loss of building access due to flooding, fire, bomb threat or terrorist attack; to loss of IT and loss of utilities such as water and electricity. Regardless of the disruption, the Communities of Derbyshire will still require the services of the CCG.

1.6 The CCG recognises the potential operational and financial losses associated with a major service interruption, and the importance of maintaining viable recovery strategies.

1.7 During a disruption, it may not be possible for the CCG to continue delivering all of its services the usual way. Whilst all CCG services are important, during an incident services will be maintained based on their criticality and priority to the CCG and the needs of the Derbyshire health community. Plans will be developed to ensure that resources and facilities are available to ensure critical service delivery at the pre-defined agreed level.

1.8 For Business Continuity Management to be successful, it will become an integral component of how the CCG manages, develops and improves its services. Responsibility for Business Continuity Management lies with the CCG service areas to ensure that services continue in the event of a disruption.

1.9 The role of the CCG is to commission healthcare, both directly and indirectly, so that valuable public resources secure the best possible outcomes for patients. In doing so, the CCG will seek to meet the objectives of the NHS Outcomes Framework and to uphold the NHS Constitution.

2. OBJECTIVES

2.1 The overall aim of this policy is to set out the structure of the Business Continuity Management Framework to ensure that the CCG is able to plan for, prepare for and respond to disruptions to the delivery of its services to the Derbyshire health community.

2.2 Our general policy is to meet the following objectives:

2.2.1 to identify those responsible for ensuring Business Continuity in the CCG;
2.2.2 to identify the key risk areas and ensure appropriate control measures are in place to reduce the severity of an impact on service delivery;
2.2.3 to identify response mechanisms and structures to be established to manage the disruption and allocation of tasks to recover CCG services;
2.2.4 to provide a guideline on appropriate training and exercising of procedures to be undertaken;
2.2.5 to provide assurance to external partners and the Derbyshire community that the CCG serves, of its commitment to service delivery;
2.2.6 to ensure external service providers are able to provide assurance to the CCG of their ability to continue to operate during a disruption within their own organisation as well as a disruption within the CCG.

3. ORGANISATIONAL RESPONSIBILITIES FOR BUSINESS CONTINUITY

In order for the CCG to develop a good long-term business continuity capability, it is essential that all staff take on an appropriate level of responsibility. The CCG has identified an Accountable Emergency Officer to lead the Business Continuity Management System and Emergency Preparedness, Resilience and Response for the organisation. The Chief Officer has overall responsibility for ensuring that the CCG has adequate Business Continuity arrangements in place.

3.1 All Employees

All employees, contractors, sub-contractors and anyone working for the CCG in an unpaid or temporary capacity are included within the scope of this policy and are responsible for:

3.1.1 achieving an adequate level of general awareness regarding Business Continuity;
3.1.2 being aware of the CCG's Business Continuity Policy and its procedures;
3.1.3 being aware of the contents of their own business area's business continuity plan and any specific role or responsibilities as set out in the Business Continuity Plan (BCP);
3.1.4 cooperating in the implementation of incident response plans as part of their normal duties when required to do so;
3.1.5 participating actively in the business continuity programme where required; and
3.1.6 ensuring information governance standards continue to be applied to data and information during an incident.

3.2 The CCG Chief Officer and Executives

3.2.1 The CCG Chief Officer and Executives are responsible for:

(a) the CCG Chief Officer and the Executives make up the Incident Control Team (ICT);
(b) implementation of the Business Continuity Policy and standards;
(c) review of business continuity status and the application of the policy and standards in all business undertakings;
(d) enforcing compliance through assurance activities;
(e) provision of appropriate levels of resource and budget to achieve the required level of business continuity competence;
(f) ensuring information governance standards continue to be applied to data and information during an incident;
(g) determining the criteria for implementing the BCP;
(h) the overall management of a crisis, providing strategic direction and coordination of service recovery plans.

3.2.2 The Chief Officer and Executives of the CCG, and their appointed deputies, will hold two hard copies of the BCP allocated to them. It is intended that one copy should be located at the holder's home address so it is easily accessible and the second in the BCP folder at their office base. The BCP folder will also contain recovery procedures, contacts, and lists of vital materials or instructions on how to obtain them.

3.3 The CCG Business Continuity Lead

The CCG Business Continuity Lead with support from the NHS Arden and Greater East Midlands Commissioning Support Unit (Arden & GEM CSU) Business Continuity Manager commissioned by the CCG will be responsible for change control, maintenance and testing of the plan.

3.4 Individual Managers

Individual Managers will assess their specific area of expertise and plan actions for any necessary recovery phase, setting out procedures and staffing needs and specifying any equipment or technical resource which may be required in the recovery phase.

4. ARRANGEMENTS FOR BUSINESS CONTINUITY

This section contains the detail on what we are going to do in practice to achieve the objectives set out in our Business Continuity Policy. The CCG has Business Continuity Management System Guidance and Standards to support the arrangements for Business Continuity in Appendix 3.

4.1 Business Continuity Management Lifecycle

The CCG will apply the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, maintaining and continually improving the effectiveness of the NHS England Business Continuity Management System. The PDCA approach is illustrated in Figure 1 below.

4.2 Understanding the Organisation

4.2.1 Effective planning and response plans must be underpinned by detailed identification and assessment of the criticality of the different services that the CCG provides. This will be achieved by producing a Business Impact Analysis (BIA) and Risk Assessments for the CCG services.

4.2.2 A Business Impact Analysis will identify and document the impact of a disruption to the activities that support the key services of the CCG. The BIA will identify the following:

(a) how the impacts would develop over time during a disruption;
(b) interdependencies that are required for the delivery of the CCG service including staffing, resources and utilities/infrastructure.

4.2.3 Services identified as having a short maximum tolerable period of downtime are those considered to be critical to the CCG.

4.3 Risk Analysis

4.3.1 The CCG is not responsible for the direct provision of health services; however, it is responsible for some functions that have a direct impact on providers of health services. Therefore the risks to our stakeholders resulting from a large catastrophic incident affecting the CCG could be significant.

4.3.2 A series of robust plans and mitigation will be developed for the following priority incidents and the potential impact will be assessed through appropriate risk analysis:

(a) unavailability of premises caused by fire, flood or other incidents;
(b) major electronic attacks or severe disruption to the IT network and systems;
(c) terrorist attack or threat affecting transport networks or the office locations;
(d) denial of access to key resources and assets;
(e) significant numbers of staff prevented from reaching CCG premises, or getting home, due to bad weather or transport issues;
(f) theft or criminal damage severely compromising the organisation's physical assets;
(g) significant chemical contamination of the working environment;
(h) serious injury to, or death of, staff whilst in the offices;
(i) illness/epidemic striking the population and therefore affecting a significant number of staff;
(j) simultaneous resignation or loss of a number of key staff;
(k) widespread industrial action;
(l) significant fraud, sabotage or other malicious acts; and
(m) violent incidents affecting staff.

4.4 Business Continuity Plan

4.4.1 Business Continuity Plan content

The CCG Business Continuity Lead with support from the Arden & GEM CSU Business Continuity Manager will develop a business continuity plan which will be produced on completion of the following processes:

(a) BIA;
(b) Risk Assessment;
(c) identification of prioritised activities, continuity requirements and recovery plans;
(d) incident response structures.

4.4.2 Business Continuity Plan review

The CCG's BCP will be reviewed annually or following an exercise or incident. Post exercise/incident debriefs shall be conducted to ensure that lessons are identified and action plans developed to ensure continual improvements and relevance of the BCP.

4.5 Business Continuity Incidents

4.5.1 Incident response structure

(a) The incident response structure will be defined within the relevant BCP to ensure effective incident response and recovery phases. The CCG Business Continuity Lead will support the designated Incident Manager and the ICT, as detailed in the BCP.
(b) The CCG Business Continuity Lead with support from the Arden & GEM CSU Business Continuity Manager will develop procedures for incident notification and communicate these to staff.

4.5.2 Incident response levels

The Incident Response Levels in Table 1 below will be used to ensure consistent notification, escalation and co-ordination of incidents.

Table 1: Incident response levels

Level 1: A business continuity incident that can be locally managed without invocation of a Business Continuity Plan.
Level 2: A business continuity incident that requires invocation of a Business Continuity Plan with notification to the NHS England area team.
Level 3: A business continuity incident that requires invocation of the area team and notification to the NHS England Regional Team.
Level 4: A business continuity incident that requires invocation of the NHS England National Support Centre to provide incident co-ordination.

4.5.3 Incident co-ordination locations

An appropriate incident co-ordination location and secondary location is to be identified to enable effective incident response. The Incident Manager and Incident Response Team will coordinate operations from the identified designated location.

4.5.4 Incident response and recovery strategies

Business continuity incidents may occur due to both internal and external hazards and threats. Appropriate response and recovery strategies will be defined in the BCP.

4.5.5 Business Continuity Mutual Aid Agreements

A Mutual Aid Agreement is an arrangement between organisations to lend assistance that exceeds local resources (e.g. building space/workstation) during a disruptive incident. Such agreements may be developed and maintained to ensure the continued delivery of prioritised activities during a business continuity incident.

4.6 Communications

4.6.1 Communication strategies will be defined within the BCP, defining appropriate guidelines for internal and external communication in the event of an incident. This will include plans and procedures for escalation internally and with the NHS England Area/Regional Teams.

4.6.2 The Chief Officer will be responsible for communicating assurances with the Derbyshire Community/Commissioned Services and the media.

4.6.3 The ICT will provide the immediate management functions required to handle an incident. A cascade structure will be developed to cascade key messages to all staff.

4.7 Training

The CCG Business Continuity Lead with support from the Arden & GEM CSU Business Continuity Manager will identify appropriate levels of training and awareness sessions for all CCG staff to ensure business continuity becomes part of the CCG culture and daily business routines, improving the organisation's resilience to the effects of emergencies.

4.8 Exercising

4.8.1 In accordance with the NHS England Core Standards, Business Continuity Plans are to be exercised, reviewed and updated to determine whether any changes are required to plans, procedures or roles and responsibilities.

4.8.2 Exercise arrangements are to be in line with NHS England requirements which include a six-monthly communications test, annual table-top exercise and a live exercise at least once every three years.

5. LEGAL LIABILITY

The CCG will always assume vicarious liability for the acts and omissions of its staff including those on honorary contract. However, it is incumbent on staff to ensure that they:

5.1 have undergone any suitable training as identified as necessary under the terms of this policy or otherwise;
5.2 have been fully authorised to undertake any duties during a disruption by ICT;
5.3 fully comply with the terms of any relevant CCG policies and/or procedures at all times;
5.4 only depart from any relevant CCG guidelines providing always that such departure is confined to the specific needs of individual circumstances.

APPENDIX 1 GLOSSARY OF TERMS

Term (Acronym): Definition

Business Continuity (BC): Strategic and tactical capability of the CCG to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management (BCM): A holistic management process that identifies potential threats to the CCG and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management System (BCMS): Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. This includes the organisational structure, policies, planning activities, responsibilities, procedures, processes and resources.

Business Continuity Plan (BCP): Documented procedures that guide the organisation to respond, recover, resume, and restore to a pre-defined level of operation following disruption. Typically, this covers resources, services and activities required to ensure the continuity of critical business functions.

Business Impact Analysis (BIA): Process of analysing activities and the effect that a business disruption might have upon them.

Prioritised Activities (PA): Activities to which priority must be given following an incident in order to mitigate impacts. Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.

Civil Contingencies Act (2004) (CCA): Covers the responsibilities for Category 1 and 2 Responders who provide strategic, tactical and operational response in emergencies.

Incident Control Team (ICT): Comprises Senior Managers/Executives who will manage an emergency/disruption/crisis.

APPENDIX 2 EQUALITY STATEMENT

NHS Hardwick Clinical Commissioning Group (the "CCG") aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.

The document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to socio-economic status, immigration status and the principles of the Human Rights Act.

In carrying out its function, Hardwick CCG must have due regard to the Public Sector Equality Duty. This applies to all activities for which the CCG is responsible, including policy development, review and implementation.

APPENDIX 3 Business Continuity Management System Guidance and Standards

NHS England Business Continuity Management Framework (service resilience)
NHS England Business Continuity Management Toolkit
www.england.nhs.uk/ourwork/eprr/
NHS England Core Standard (Section 7, Business Continuity) for Emergency Preparedness, Resilience and Response (EPRR)
PAS 2015: Framework for Health Services Resilience
Civil Contingencies Act (2004)
Companies Act (2006), c.174
www.legislation.gov.uk
Health and Social Care Act (2012), c.7
ISO 22301: Societal security - Business continuity management systems - Requirements
ISO 22313: Societal security - Business continuity management systems - Guidance
www.iso.org

ANNEXURE 1 POLICY INFORMATION SUMMARY

Reader information

Reference: Hardwick CCG Business Continuity Policy
Document purpose: Provide guidance on the implementation for Business Continuity Management across NHS Hardwick Clinical Commissioning Group
Version: 2.0
Title: Business Continuity Policy
Author & Lead: Gordon Stevens MBCI, Corporate Assurance Manager, NHS Arden and Greater East Midlands Commissioning Support Unit
Approval Date: 26 January 2016
Approving Committee: Hardwick CCG Governing Body Assurance Committee
Review Date: January 2017
Review Frequency: Annual
Groups/staff consulted: Executive Team; Heads of Service
Target audience: All employees, contractors, sub-contractors and anyone working for the CCG in an unpaid or temporary capacity are included within the scope of this policy
Circulation list: All CCG staff
Associated documents: National DH Guidelines, CCA 2004, ISO22301, ISO22313, ISO (PAS) 22399, NHS England Core Standards for EPRR, NHS England Business Continuity Management Framework
Superseded documents: V1.0, 24/02/2015
Sponsoring Director: The Chief Officer for NHS Hardwick Clinical Commissioning Group

ANNEXURE 2 DOCUMENT CONTROLS

Version Number | Date | Author Title | Status | Comment/Reason for Issue/Approving Body
0.1 | 25/07/2013 | GEM Business Continuity Manager (D Brown) | Draft | First draft
0.2 | 11/12/2013 | GEM Business Continuity Manager (D Brown) | Draft | Amended version
0.3 | 14/01/2014 | GEM Business Continuity Executive (H Makamure) | Live | Amended version
1.0 | February 2015 | Corporate Secretary HCCG | Live | Amended version
2.0 | 06/01/2016 | Corporate Assurance Manager, Arden & GEM CSU (K Watkinson) | Draft | For review by Hardwick CCG