Policy for the Management of Business Continuity VERSION 2.1 Prepared by: Jeremy Cowen 29 January 2014 Page 1 of 7
1.0 Version Control Date Version Amendment Amended by 12 Jan 2011 1.0 Document created 28 Jan 2011 1.1 Amendments to text 21 Jun 2011 1.2 Amendments to text Addition of approval section Roles and responsibilities expanded Linked to Trust strategy defined Paragraphs and pages numbered 24 Jun 2011 1.3 Addition of BCM levels section Amendments to text 18 Jul 2011 1.4 Amendments to text J cowen Reformatting of section 10 Paragraphs numbered Pages numbered 25 Aug 2011 1.5 Amendments to text D McManus 01 Feb 2013 1.6 References to ISO22301 10 Oct 2013 1.7 Corrections to text Role of Assistant Directors added 24 Oct 2013 1.8 Amendments to text para 9.5 Amendments to text para 12.2 Para 12.3 added reporting lines 13 Nov 2013 1.9 Comments from CEx incorporated: 6.1 Amended text 8.1 Amended text 12.1, 12.2, 12.3 Clarified 23 Dec 2013 2.0 Equality screening template completed and reflected in section 3 29 Jan 2014 2.1 Amendment to Section 3.1 and insertion of Section 6.2 following presentation at Trust Assurance Committee 27 Jan 2014 D McManus 2.0 Approval Version 2.1 Approved by Trust Board Date approved 30 January 2014 Name of Author Jeremy Cowen Date issued Equality Impact Assessment completed Reviewed 19 December 2013 Page 2 of 7
3.0 Review 3.1 This Policy will be reviewed no later than one year from the date of implementation, i.e. by 31 December 2014. 4.0 Equality Screening 4.1 The equality screening template was reviewed on 19 December 2013 no impacts of any significance were identified during the screening process and that this policy was unlikely to have any adverse impact on equality of opportunity or impact on the patients and service users. It concluded that a full EQIA was not required. Page 3 of 7
5.0 Introduction 5.1 The Northern Ireland Civil Contingencies Framework (2005) document and the various associated Statutory Regulations and Guidance require the Northern Ireland Ambulance Service HSC Trust (The Trust) to produce and maintain a comprehensive Business Continuity Plan that will enable the Trust to continue to provide critical service to the population of Northern Ireland in the event of an emergency or other crisis as far as is reasonable practicable. 5.2 The Department of Health, Social Services and Public Safety, Northern Ireland (DHSSPSNI) have established a Health and Social Care Business Continuity Project. The project aims to ensure that: HSC organisations to have business continuity management plans in place to the British Standard BS25999 by the end March 2012. 5.3 The British Standards Institute have replaced the BS25999 standard with an international standard for Business Continuity, ISO22301. 5.4 The Strategy document for the Trust confirms that the Trust will adopt the principles of BS25999 and ISO22301 for the Business Continuity programme. 6.0 Policy Statement 6.1 The Trust will establish and maintain appropriate and relevant Business Continuity arrangements. 6.2 The Trust will ensure that adequate business continuity arrangements are in place in those organisations upon whom the Trust depends for the delivery of key functions and the provision of essential services to the Trust. 6.3 This Policy applies to all staff within the Trust, both permanent and non-permanent and for whom the Trust has legal responsibility. 7.0 Purpose 7.1 The purpose of this policy is to ensure that the Trust has robust Business Continuity arrangements in place, and that a defined structure for use by all staff is managed and maintained. 7.2 All Business Continuity arrangements within the Trust will be in accordance with this policy and in compliance of ISO22301. Page 4 of 7
8.0 Policy Objectives 8.1 The objectives of this Policy are to ensure that: The Roles and Responsibilities for Business Continuity for all Staff bound by this Policy are defined The Governance and reporting arrangements for Business Continuity Management are defined That Business Continuity is embedded within all levels and areas of the Trust Plans appropriate to the respective organisational levels are written Regular Risk and Threat assessments are carried out Critical activities are identified and mapped out Plans are developed, exercised, tested, reviewed and maintained Page 5 of 7
9.0 Roles and Responsibilities 9.1 Trust Board The Trust Board will be responsible for monitoring the continued effectiveness of the Trust s Business Continuity Management arrangements through the Assurance Committee. 9.2 Chief Executive The Chief Executive has overall responsibility for Business Continuity Management within the Trust. 9.3 Medical Director The lead Director for Business Continuity Management is the Medical Director who reports directly to the Chief Executive in relation to Business Continuity Management within the Trust. The Medical Director will discharge his responsibility through the Emergency Planning Officer who will work collaboratively with the nominated leads from each directorate and department. 9.4 Executive Directors The Executive Directors are responsible for Business Continuity within their own Directorate. They will ensure compliance with this policy within their area of responsibility. 9.5 Assistant Directors The Executive Directors normally discharge their responsibilities through their Assistant Directors. The Assistant Directors will be the functional lead for business continuity in their particular area of responsibility or speciality. 9.6 Emergency Planning Officer The Emergency Planning Officer is responsible for maintaining a central record of plans, testing, exercising, validating and reviews of such plans and ensuring that the linkages and interdependencies between departments, for example in the case of IT, are accurately reflected in the plans. 9.7 All other staff All other staff have a responsibility to comply with the Business Continuity arrangements as defined within the respective procedure(s) for their own work area. They are required to report all actual or potential Business Continuity risks or issues via the appropriate system of reporting. Page 6 of 7
10.0 Levels 10.1 Each plan will be identified clearly with the organisational level at which it is aimed. This level will be defined post completion of each of the respective departments Business Impact Analysis and will depend on whether the impact will affect NIAS either at a corporate level, or whether the impacts will be felt at a more local level. 10.2 The levels are identified in table 1 below: Area of Impact Corporate-wide impact 4 Directorate-wide impact 3 Division/Departmental-wide impact 2 Sub-departmental-wide impact 1 Plan Level 11.0 Activation 11.1 All staff are authorised to activate a LEVEL 1 plan as defined within the respective procedure(s). 11.2 Any other level of plan can only be authorised by the level of Management as defined within the respective procedure(s). 11.3 In each instance of activating a business continuity plan, the line manager above the level of the individual who activated the plan must be informed. Out of Hours, the EAC must be informed in the first instance. 12.0 Reporting 12.1 It is the responsibility of all staff to ensure that any actual or potential activation of any business continuity procedure or plan is reported to their directorate functional lead through their line manager and to the risk manager through the Trust s Untoward Incident reporting procedure. 12.2 The Risk Manager will inform the EPO in order to ensure that the incident is recorded. The EPO will then ensure that appropriate actions and reviews are undertaken. 12.3 The emergency preparedness and business continuity committee will consider all incidents as a standing agenda item and will then, in turn, report to the Trust s Assurance Committee. 13.0 Review 13.1 This Policy and all associated plans will be reviewed on at least an annual basis. Page 7 of 7