Business Continuity Management Policy Statement & Strategy July 2009
Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective Business Continuity Management as a key mechanism to restore and deliver continuity of key services in the event of a disruption or emergency. One component of the Council s corporate governance framework is to manage risks effectively in order to make a positive contribution towards the achievement of the Council s corporate aims and objectives and to maximise the opportunities to achieve it s vision. The capability for delivery of these services must be safeguarded, to the extent that agreed critical services continue to be delivered regardless of any interruption to the normal day to day working of the Council. This capability must also be sufficiently resilient to allow provision of critical services in emergency situations. The Council s Business Continuity Management Strategy and framework will apply best practice as contained within British Standard 25999-Part 1 2006 to the identification, evaluation and mitigation of key risks that could interfere with the delivery of the identified critical services. This will be achieved through: Adopting an effective and transparent corporate approach to proactive Business Continuity Management by the Council and the work of key external partners Integrating Business Continuity Management into the operational and management practices and procedures of the Council to promote a culture of resilience to underpin continuous delivery of services Providing evidence to demonstrate the Council s compliance with the statutory duties imposed by the Civil Contingencies Act 2004. Ensuring that all staff are fully familiar with plans that affect their service areas and their role following the invocation of these plans. A programme of plan testing exercises to include crisis management and workspace recovery tests. Basildon District Council will achieve these aims by implementing a Business Continuity Management Strategy and supporting framework that meets the statutory requirements of the Civil Contingencies Act 2004 and local requirements. The policy statement and strategy will be annually reviewed to ensure their continued relevance to the Council. Councillor Tomlin Cabinet Member for Housing Mick Nice Executive Director 1
Basildon District Council Business Continuity Management Strategy Introduction This strategy has been developed with reference to the best practice guidelines contained within BS 25999-Part 1:2006. Basildon District Council recognises the importance of effective identification and management of all key strategic and operational risks. It also recognises the importance of ensuring continued delivery of critical services to the community, even during a period of disruption, or in the event of an emergency situation. The Council has statutory responsibilities under The Civil Contingencies Act 2004 and The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005, which require the Council to: 1. Maintain plans to ensure that they can continue to exercise its critical functions in the event of an emergency as far as reasonably practicable. 2. Include within the Business Continuity Plan (BCP) arrangements for exercises, for the purpose of ensuring the plan is effective, and arrangements for the provision of training to those involved in implementing the plan. 3. Review its BCP and keep up to date. 4. Have regard to assessment of both internal and external risks when developing and reviewing its BCP. 5. Have a clear procedure for invoking the BCP. 6. Publish aspects of the BCP insofar as making this information available is necessary or desirable for the purposes of dealing with emergencies. 7. Promote BCM to local businesses Business Continuity Management is an all-inclusive process that must cover all areas of the Council. It is a management process that helps manage the risks to the smooth running of the Council and delivery of a service, ensuring it can continue to operate to the extent required in the event of a disruption. These risks could be from the external environment (e.g. power outages, severe weather) or from within the Council (e.g. systems failure or major staff unavailability). This Strategy provides a basis for a detailed framework to improve the Council s resilience to business interruption. Its purpose is to facilitate the recovery of key business systems and processes within agreed time frames, while maintaining the council s critical functions and the delivery of its vital services. Business Continuity Management is an ongoing process that will help the Council anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect. This document (and the related Policy Statement) should be used as a basis to permanently establish and embed Business Continuity Management, to ensure that the Council can continue to operate and deliver essential services to the community. In this regard all elected Members and every employee of the Council have both a responsibility for, and a contribution to make in terms of Business Continuity Management. 2
Aims and Objectives The Council s aims and objectives with respect to business continuity management are as follows: Aim The aim is to ensure that the Council complies with its statutory duties for Business Continuity Management and Promotion as required by the Civil Contingencies Act 2004. Objectives This will be achieved by: Continually reassessing the implications to service delivery of a business interruption Identifying alternative strategies and management structures to enable continuity of service delivery Development of Corporate and individual service BC plans for use in the event of a business interruption Ensuring that a programme for exercising and review of all BC plans is in place to enhance their effectiveness Promotion of Business Continuity to local businesses Definition of Business Continuity Management Business Continuity Management (BCM) A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. BS 25999 Business continuity management Part 1 2006: Code of Practice British Standards Institute It is therefore about the Council preparing for a disaster, incident or event that could affect the delivery of services. The aim being that at all times key elements of previously identified critical service continues to function, albeit at an emergency level, and brought back up to full service provision as soon as possible. Business Continuity Plan (BCP) Is a documented set of procedures and information intended to restore and deliver continuity of predetermined critical functions in the event of a disruption. 3
The Benefits of Business Continuity Management Effective Business Continuity Management delivers a number of tangible and intangible benefits to individual services and to the Council as a whole, including: Develop a clearer understanding of how the organisation works To ensure the continuity of the Council, we must understand how it works. Protect the Council, ensuring that we can respond and help others in an emergency For the Council to help others, we must first be able to ensure continuity of our own key services in the face of a disruption. BCM will help ensure that we can mobilise the capabilities needed to deal with an emergency. It will also help ensure that the impact of the emergency on the day-to-day functions of the Council is kept to a minimum, and that disruptions to vital services do not increase the impact of the emergency on the wider community. Produce clear cost benefits Identifying, preventing and managing disruptions in advance can reduce the costs to the Council in terms of financial expenditure and management time. Ensure compliance and corporate governance The Council is subject to a variety of performance standards, corporate governance requirements and regulatory requirements. Establishing clarity of BCM arrangements helps ensure compliance with the wider framework of responsibilities and expectations of key stakeholders. 4
Delivering The Strategy The strategy to deliver BCM arrangements comprises the following elements: The process being used within the Council is based on the BCM model outlined in BS 25999 Business continuity management Part 1: Code of practice published by the British Standards Institute see figure 1. This process involves the following activities: BCM programme management This includes: Assigning responsibilities for implementing and maintaining the BCM programme within the Council Implementing business continuity in the Council including the design, build and implementation of the programme The ongoing management of business continuity including regular review and updates of business continuity arrangements and plans. Understanding the organisation The use of business impact and risk assessments (see below) to identify critical deliverables, evaluate priorities and assess risks to Council service deliveries: Business Impact Analysis (BIA) identifying the critical processes and functions and assessing the impacts on the Council if these were disrupted or lost. BIA is the crucial first stage in implementing BCM, and helps measure the impact of potential disruptions on the Council. Risk assessment once those critical processes and functions have been identified, a risk assessment can be conducted to identify the potential threats to these processes. 5
Determining BCM strategy This is the identification of alternative strategies to mitigate loss, and assessment of their potential effectiveness in maintaining the Council s ability to deliver critical service functions. The Council s approach to determining BCM strategies will involve: Implementing appropriate measures to reduce the likelihood of incidents occurring and/or reduce the potential effects of those incidents; Taking account of mitigation measures in place; Providing continuity for critical services during and following an incident; and Taking account of services that have not been identified as critical. Considering impact of the Council s change agenda on its ability to continue business in the event of interruption. Developing and implementing a BCM Response Development of a Corporate BCM plan and individual Service BCM plans to prescribe appropriate responses to business continuity challenges. These Business Continuity Plans ensure that actions are considered for: The immediate response to the incident Interim solutions for maintaining an emergency level of service, leading on to Reinstating full services. Exercising, maintaining and reviewing Ensuring that the Business Continuity Plans are fit for purpose, kept up to date and quality assured. The Exercise and Review Programme will enable the Council to: Demonstrate the extent to which strategies and plans are complete, current and accurate and Identify opportunities for involvement Embedding BCM in the organisation s culture The embedding of a continuity culture by raising awareness throughout the Council and offering training to key staff on BCM issues. This will also include: Incorporating BCM in the staff induction process Items in staff newspapers E-mail bulletins Intranet pages Booklets and prompt cards Maintaining and Auditing BCM All plans must be validated by exercises to ensure they are fit for purpose. This will be a dynamic process to ensure that changes within the Council organisation are considered within the BCP and its processes. In order to comply with best practice and the requirements of the CCA 2004 it is essential that all Council BCP`s are validated by a programme of exercises. Whichever type of exercise is chosen it must focus on the impacts and test capabilities. The key impacts and capabilities are shown below: 6
Impacts Denial of access or damage to facilities Loss of key staff / skills Loss of critical systems Loss of key resources Capabilities Mobilisation e.g. invoking plan Command & control Communications All plans will need to be revised as a result of revisions to the structure of the council and in the light of outcomes from exercises. In order for BCM to be successfully incorporated within the Council it must be regarded as an integral part of the normal management process. It is vital that the Council has Champions to sponsor and promote BCM. The Head of Service for Emergency Planning and Business Continuity is responsible for overseeing the strategy and framework. The delivery and review of the work streams within the strategy is the responsibility of the Emergency Planning and Business Continuity Service in conjunction with all managers, plan owners and deputy plan owners. The BCM Process The following steps will be undertaken: 1. Identification of critical functions within the Council 2. Agreement as to the acceptable level of service provision 3. Identification of the suppliers or services that may affect the critical functions 4. Consideration of external influences e.g. Government bodies 5. Determine the potential impact on the Council s ability to provide services to the public from disruption of any critical function 6. Undertake a risk assessment of the potential threats to the above processes 7. Determine the time that a particular function or service can be disrupted for and consider recovery objectives for each Relevant Supporting Documents and Processes The Council has in place the following supporting documents and processes: 1. Business Continuity Management Corporate Plan 2. Review and Exercise Programme 3. Business Continuity Planning Database Management Links The Council has an SLA in force with St Georges Community Housing (SGCH), under this agreement the Council provides a similar process of Business Continuity Management to SGCH, inasmuch a Policy and Strategy, Corporate Plan and individual Service Plans for Critical services have been created. In the event of a major disruption to services provided by SGCH, the SGCH Corporate plan will be activated, which will provide advice and guidance for the management team of SGCH to effectively manage the incident. If there are cross cutting issues relating to services provided by BDC, the Council s Corporate BCM plan will also be activated and regular liaison will operate between the two organisations to ensure a swift return to normal service provision. 7
Diagram showing delivery of BCM within Basildon Council Cabinet Member for Housing Executive Director BCM Champions Head of Service responsible for Emergency Planning And Business Continuity Strategy and Framework Emergency Planning and Business Continuity Service Key Partners & Contractors All Managers, Plan Owners and Deputy Plan Owners Delivery All Staff 8
Roles and Responsibilities In order to ensure the successful implementation of the strategy clear roles and responsibilities for business continuity framework and process have been established as detailed below: Leader of Council Ultimate Member responsibility for embedding Business Continuity Management throughout the Council. The Cabinet Member for Housing The Cabinet Member for Housing to be the Member Business Continuity Champion with overall responsibility for embedding BCM throughout the council. The Cabinet Member for Housing to attend awareness training as appropriate. Elected Members (Individually or collectively) Approving and adopting the Business Continuity Policy Statement and Strategy Contribute towards identification of critical functions Receive reports on key strategic issues, including as part of the annual statement of assurance, to ensure that corporate business continuity risks are being actively managed. Give robust consideration to the Business Continuity Management risks contained within the Risk Management Implications paragraph within reports to committee as part of the decision making process. Chief Executive Ultimate officer responsibility for embedding Business Continuity management throughout the Council. Executive Director with responsibility for Business Continuity Management Executive Directors (Individually or Collectively) Head of Service responsible for Emergency Planning & Business Continuity The Executive Director to be the officer Champion with overall responsibility for embedding Business Continuity Management throughout the Council. Adopt and implement the Business Continuity Policy Statement and Strategy Contribute towards the identification and management of strategic and cross cutting critical functions of the Council Receive and consider reports on key strategic Business Continuity issues For key issues / projects to determine the Council s risk appetite To promote the integration of Business Continuity Management principles into the culture of the Council and it s partners via all Heads of Service. The Head of Service to be the officer responsible for directing the Business Continuity Strategy and Framework. All Heads of Service Identify, analyse and profile service critical functions To provide assurance on the effectiveness of controls in place to mitigate/reduce disruptions within their service To maintain awareness of and promote the approved Business Continuity Management Policy Statement and Strategy to all staff. 9
All other Service Managers Identify, analyse and profile service critical functions Prepare BC Plans for their area of responsibility in liaison with BCMT Prepare local department action plans (disaster recovery plans) for agreed critical functions within their area of responsibility Ensure Business Continuity Management is a regular item on team meetings To maintain awareness of and promote the approved Business Continuity Management Policy Statement and Strategy to all relevant staff. Ensure that Business Continuity Management is incorporated into service plans. Business Strategy, Policy & Performance - Business Continuity Advisor Develop Business continuity Management Policy Statement and Strategy with arrangements for annual review. Corporate advice on BCM at strategic and operational level Promote a culture of business continuity awareness within the organisation Co-ordinating the various Business Continuity Management initiatives within the organisation Provision of corporate and service based advice, support and facilitate training as required Promote the principles of Business Continuity Planning (BCP) for implementation at service level. Regular reporting to Members. To actively promote Business Continuity throughout the Council To attend necessary training in Business Continuity Management to remain fully competent and aware of developments within the specialism Coordination of the BCM database Internal Audit Monitor all aspects of BCM within the Council by periodic audit Provide independent review of corporate approach to Business Continuity Management and compliance therewith All Employees Maintain awareness of business continuity and contribute where appropriate 10
Glossary of Terms Business Continuity Management is a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities Business Impact Analysis is a method of assessing the impacts that might result from an incident and the levels of resources and time required for recovery. The Civil Contingencies Act 2004 sets the framework for civil protection at the local level in the UK Corporate Governance is the system by which local authorities direct and control their functions and relate to their communities i.e. the way in which organisations manage their business, determine strategy and objectives and go about achieving these objectives within the underlying principles of openness, integrity and accountability. Critical Function is a service or operation the continuity of which the Council needs to guarantee, in order to meet its business objectives. Risk is the threat that an event or action will adversely affect an organisations ability to achieve stated objectives and to successfully deliver approved strategies. This will include both external and internal risks. Risk Assessment is a structured process of identifying potentially significant events, assessing their likelihood and impacts, and then combining these to provide an overall assessment of risk, as a basis for further decisions. Risk Appetite is the willingness of an organisation to accept a defined level of risk. 11