Business Continuity Policy




Title: Business Continuity Policy
Document Author: Board Secretary/Emergency Planning Lead
Document type: Policy
Document library section: Corporate
Document status: Final
Approved by: Governance and Assurance Committee 10 October 2013
Can document be published to the internet (publicly available): Yes with redaction of personal details and contact details
Brief Summary of document: The document describes the key functions of the CCG and the arrangements in place to ensure these functions continue during an incident.
This document replaces: New document for CCG
Approved Equality Impact Assessment attached: Yes
Cross Referenced to: Incident Response Plan
Ratified by: Governance and Assurance Committee
Date of Ratification: 10th October 2013
Date to be reviewed: 1st October 2016

Version Control Table

Date | Version number | Summary of changes | Changes made by
27 June 2013 | 1.0 | New draft | Terry Ancell
12 August 2013 | 1.2 | Draft + Consultation | Terry Ancell
10 October 2013 | 3.0 | Approval | Terry Ancell

Consultation (columns: Response received, Comments Accepted, Comments rejected)
SMT Directorate Leads Heads of Teams: Y Y
Head of IT strategy: Y Y
Representatives from Operations Division: Y Y

Disseminate to: Executives and All employees
Dissemination methods:
- Communications Team to disseminate via Staff Bulletin
- Document Library
- NHS Kernow Clinical Commissioning Group website: Staff Zone

This document should not be photocopied or otherwise produced. If you have any questions about this policy, please contact the Board Secretary on Telephone 01726 627865

Version 3.0 Final (Oct 2013) Page 2 of 22

Contents

1. Purpose
2. Policy Statement
3. Benefits
4. Policy Cross referencing
5. Definitions
6. Stage 1: BCM Programme Management
   6.1 Business Continuity Key Messages
   6.2 Roles and Responsibilities
      6.2.1 KERNOW CCG Governing Body
      6.2.2 Chief Executive
      6.2.3 Executive Lead for BCM
      6.2.4 Managerial Lead for BCM
      6.2.5 Executive Directors
      6.2.6 Directorate Business Continuity Leads
      6.2.7 All Managers
      6.2.8 All Employees
7. Stage 2: Understanding Your Business
   7.1 Business Impact Assessment
   7.2 Risk Assessment
      7.2.1 Threats and Hazards
      7.2.2 Risk Matrices
8. Stage 3: Determining a Business Continuity Strategy
   8.1 Absence of Key Staff
   8.2 Suppliers
   8.3 Prioritisation of KERNOW CCG Activities
      8.3.1 Category 1 Critical
      8.3.2 Category 2 Essential
      8.3.3 Category 3 Priority
      8.3.4 Category 4 Support
   8.4 Resources
      8.4.1 Alternative Premises
9. Stage 4: Developing and Implementing a Business Continuity Response
10. Stage 5: Exercising, Maintaining and Reviewing
   11.1 Incident Reporting
   11.2 Training and Exercising
   11.3 Audit, Monitoring and Review

1 Purpose

This document sets out the general principles and processes for the creation and revision of business continuity and service recovery plans for the Kernow CCG. The policy follows the guidance and principles as set out in BS25999 for the Management of Business Continuity Planning. The business continuity plan is separate from but may operate alongside the Kernow CCG's Major Incident Plan and other such policies.

This policy defines the activities required for establishing and maintaining a business continuity capability. In addition, the policy defines the organisational structure for the ongoing management of the programme. The setup activities incorporate the specification, end-to-end design, build, implementation and initial exercising of the business continuity plans. These plans must specify a predetermined level of continued business operation throughout an incident and the re-establishment of full business activities over a predefined period of time.

It is therefore mandated by acceptance to this policy that the following stages of developing and implementing a BCM programme will be put in place, maintained and exercised on an ongoing basis:

This business continuity policy provides a structure through which:
- A comprehensive BCMS (business continuity management system) is established and maintained;
- Key services, together with their supporting critical activities, processes and resources, will be identified;
- Business impact analysis and risk assessment will be applied to our key services and their supporting critical activities, processes and resources;
- Risk mitigation strategies will be applied to reduce the impact of disruption on key services;
- Plans will be developed to ensure continuity of key services at a minimum acceptable standard following disruption;
- Invocation of business continuity plans can be managed;
- Plans are subject to ongoing exercising and revision;
- The CCG Governing Body can be assured that the BCMS remains up to date and relevant.

2 Policy Statement

BCM is good business management practice and all public sector organisations in the UK have a legal obligation to ensure they monitor and control the organisational risks they face as defined by the Civil Contingencies Act 2004.

Kernow CCG depends upon a wide range of complex systems and resources and a well established reputation in order to perform its duty to the public. Inevitably, there is potential for significant disruption to normal business or damage to Kernow CCG's reputation through loss of those systems and resources.

Kernow CCG's priorities to a significant disruption (whether actual or impending) will always be to:
- Ensure the safety and welfare of its personnel and patients in accordance with relevant sections of the Health & Safety at Work Act and other primary legislation
- Endeavour to meet its obligations under the Civil Contingencies Act 2004 and NHS Emergency Planning Regulations 2005
- Protect its reputation;
- Minimise risks to its financial position and reputation
- Facilitate a return to normal operations as soon as practicable.
- Ensure the delivery of statutory functions and objectives

3 Benefits

This policy provides a clear commitment to establish a business continuity management system within that will enable the organisation to:
- Continue to provide key services in times of disruption;
- Make best use of personnel and other resources in times when both might be scarce;
- Reduce the period of disruption to the organisation and the customers it serves;
- Resume normal working more efficiently and effectively after a period of disruption;
- Comply with standards of corporate governance;
- Improve the resilience of the organisation's infrastructure to reduce the likelihood of disruption;
- Reduce the operational and financial impact of any disruption.

4 This Policy/Guidance/Strategy/Protocol is cross referenced to:

- Kernow CCG Incident Response Plan
- On call policy
- Flexible working policy
- Special Leave Policy
- Annual leave Policy
- Heatwave Plan
- Disciplinary Policy
- Risk Management Policy
- CITS Service Continuity Policies and Plans
- RMS Continuity Policies and Plans
- Kernow CCG Incident reporting and management policies
- Lockdown

5 Definitions

The Civil Contingencies Act 2004 places a statutory duty on Kernow CCG to have a Business Continuity Plan. Clinical Commissioning Groups are A person or body listed in Part 1 or 2 of Schedule 1 of the Civil Contingencies Act 2004. Section 2 lists the duties placed on the listed organisations, where Section 2 (1) (c) states we shall:

Maintain plans for the purpose of ensuring, so far as is reasonably practicable, that if an emergency occurs, the person or body is able to continue to perform his or its functions.

The duty relates to all functions, not just our emergency response functions.

Business Continuity Management is generically defined as a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities. (Business Continuity Institute, Good Practice Guidelines, June 2005)

The Department of Health NHS Resilience and Business Continuity Management Guidance further defines BCM in the NHS as:

The management process that enables an NHS organisation:
- To identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation.
- To identify and reduce the risks and threats to the continuation of these key services.
- To develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time.

For the NHS, service interruption may be defined as:

Any disruptive challenge that threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal operating functions which could be short, medium or long term.

Business Continuity Management is a management process that accords with British Standards Institute BS 25999 and contains five process steps:

1. Programme Management
2. Understanding your business
3. Determining a BCM strategy
4. Developing and implementing a BCM response
5. Exercising, maintaining and reviewing

The figure below demonstrates that steps 2-5 are cyclical and these should be repeated at least annually to ensure compliance, currency and quality. (Figure 1). Thus business continuity plans developed as a result of this policy will be living documents that will change and grow as incidents happen, exercises are held and risks are reassessed.

Figure 1: The BCM Lifecycle (Source NHS Interim Guidance June 2008)

6. Stage 1: BCM Programme Management

Under the terms of the Civil Contingencies Act 2004 NHS Kernow, as a Category 1 responder, is required to maintain plans to ensure it can continue to deliver essential services in the event of an emergency as far as is reasonably practicable.

For this policy to succeed Business Continuity must become part of NHS Kernow's culture. It needs to influence strategy and business planning e.g. resilience and cost effectiveness decisions.

6.1 Business Continuity key messages

NHS Kernow expects all the following key messages to be applied across the organisation:
- Business Continuity is a mandatory management practice that must be carried out throughout NHS Kernow to plan in advance for business disruptions;
- Commissioning directorates and provider units must examine their core business, plan for and draw up business continuity plans using this Framework;
- Business continuity is to be managed at the lowest possible appropriate level within each commissioning directorate and provider unit;
- Business continuity plans should be consistent with and support other plans at each level within the organisation. Therefore plans should set out relevant links to other NHS Kernow business continuity plans;
- Business continuity plans should link into the Business Continuity and IT Service Continuity Management Plans of our key IT suppliers; and
- Business continuity leads have a responsibility for providing assurance on business continuity arrangements to NHS Kernow. Details of individual post holders will be held within directorate plans.

6.2 Roles and Responsibilities

All Directors, managers and staff are responsible for establishing, maintaining and supporting a holistic approach to business continuity management, in all areas of their responsibility. Some members of staff, business units and NHS Kernow Committees have particular specialist functions in relation to business continuity management as described below.

6.2.1 Kernow CCG Governing Body

The Governing Body's main role is to set the strategic direction and to monitor performance over the year. It is the highest level decision-making body in Kernow CCG, accountable for overall performance and ensures that statutory, financial and legal responsibilities are met.

These responsibilities fall both to all members of the Governing Body, which acts as the guardian of public interest, and is responsible for reviewing the effectiveness of internal controls: financial, organisational and clinical. The Governing Body must satisfy itself that the management of the CCG is doing its reasonable best to ensure the efficient and effective discharge of its affairs. Authority for oversight of the Business Continuity Programme Management may be delegated to a Committee or Executive.

6.2.2 Managing Director

The Managing Director is accountable for ensuring that effective systems of risk management and business continuity are in place. She/he delegates corporate responsibility for business continuity to an executive Lead for BCM, currently the Director of Operations.

6.2.3 Executive Lead for BCM

The Executive lead is accountable via the Managing Director for implementing effective business continuity arrangements. During steady state this includes:
- Acting as an internal and external focal point for Business Continuity Management including liaison with other NHS bodies and partner organisations; and
- Developing, co-ordinating and improving Kernow CCG's BCM arrangements and the Business Continuity Plan.

6.2.4 Managerial Lead for BCM

The managerial lead is accountable to the Executive Lead for BCM for providing assurance that business continuity is embedded within Kernow CCG. During steady state this includes:
- providing support for the Executive Lead Director on business continuity issues;
- representing the Kernow CCG at business continuity and resilience meetings;
- providing corporate policy and guidance to business continuity leads across Kernow CCG;
- ensuring readiness to respond to appropriate incidents.

6.2.5 Executive Directors

Directors are responsible for overseeing a programme of business continuity management activities for their particular directorate in accordance with this Policy. This includes identifying designated Risk Management and Business Continuity Leads within their areas that will be tasked with the development and maintenance of department/service business impact analyses (BIAs) and risk registers.

This will include:
- Nominating a business continuity lead(s);
- Providing assurance that business can be maintained in the event of a disruption;
- Determine business priorities and planning required for business continuity purposes;
- Maintaining and steering Business Continuity Management in line with this Framework and agreed priorities; and
- Invoking their business continuity plan(s) in the event of a disruption.

6.2.6 Directorate Business Continuity Leads

BCM leads have responsibility for day-to-day business continuity issues within directorate during steady state. Their role is to actively promote continuity planning and be responsible for:
- Ensuring appropriate continuity plans are in place within their area;
- Embedding Business Continuity Management into their area;
- Ensuring planning takes place in a co-ordinated and structured manner;
- Co-ordinating the development of business continuity and contingency arrangements;
- Liaising with other Business Continuity Leads to establish and agree assumptions in their plan that impact upon other directorates, e.g. movement of staff;
- Providing the focal point for business continuity issues for their area;
- Evaluating the arrangements during disruption and instigating a lessons learned exercise to improve procedures for the future; and
- Ensuring that business continuity plans are rehearsed annually and are updated to reflect relevant changes.

6.2.7 All Managers

Each manager/service lead is operationally responsible for ensuring compliance with this policy within their area of responsibility. This includes promoting awareness of the Kernow CCG's Business Continuity Policy, Corporate and Directorate Business Continuity Plans and procedures as appropriate within their own teams.

6.2.8 All Employees

Employees must familiarise themselves with and comply with all relevant policies and procedures for Business Continuity. Employees must make themselves aware of relevant emergency procedures e.g. evacuation and fire precaution procedures appertaining to their particular role.

7. Stage 2: Understanding Your Business

A BCM strategy relies on understanding the organisation's functions and defining the essential processes to discharge those functions.
Kernow CCG's Constitution details these in Section 6.1.1 and include:
- Commissioning certain health services not commissioned by the NHS England Area Teams to meet the reasonable needs of all local people registered with Members Practices and people normally resident in Cornwall or Isles of Scilly but who are not registered with a Member Practice;
- Commissioning emergency care for anyone present in Cornwall and Isles of Scilly;
- Pay its employees and reimburse their expenses in accordance with their terms of employment;
- Determine the remuneration and travelling or other allowances of Governing Body Members.

With the exception of CCG Managed Services, the core business of Kernow CCG is reliant on external providers of healthcare and for some of its essential infrastructure such as premises, utilities, information and technology and telecommunications.

7.1 Business Impact Analysis

BS25999 defines a BIA as the process of analysing business functions and the effect that business disruption might have upon them. The BIA will identify, quantify and qualify the impact and effect of a loss, interruption or disruption to the organisation's processes. The BIA process will:
- Define the activity and its supporting processes;
- Map the distinct stages of each activity and process;
- Determine the impacts of a disruption;
- Define the maximum tolerable period of disruption for each process and the recovery time objectives (where BS25999 defines Recovery Time Objective (RTO) as the target time set for the resumption of a service delivery after an incident);
- Determine the minimum resources needed to meet recovery objectives.

7.2 Risk Assessment

The purpose of risk analysis is to help with the development of the business continuity plans and the identification choice of risk treatment options. The process of risk analysis is subjective, relying on judgements and assumptions but must follow the standard principles adopted by Kernow CCG for assessing risk and the guidance set out below in section 7.2.2.

The Civil Contingencies Act 2004 places a duty on listed organisations, including CCGs, to co-operate with other listed organisations in a local resilience area in maintaining a register, the Community Risk Register, of the risk assessments carried out by each organisation. The purpose of the Community Risk Register is to ensure organisations carry out their emergency planning and business continuity management taking account of the risk priorities identified collectively in the Register.

7.2.1 Threats and Hazards

Hazard: An accidental or naturally occurring phenomenon with the potential to cause physical (or psychological) harm to members of the community (including loss of life), damage or losses to property or disruption to the environment or structures (economic, social, political) upon which a community's way of life depends.

Hazards can be split into a number of categories:
- Physical: fire, temporary or permanent structural collapse.
- Environmental/Natural: severe weather i.e. flooding, snow or gales.
- Organisational/Infrastructure: staff illness or loss of a key building.
- Social: industrial disputes or public order.
- Health (Human & Animal): pandemics in humans, highly contagious disease in cattle i.e. Foot and Mouth.
- Technological: dam collapse, system failures on an industrial/chemical site.

Threat: A malicious act resulting in adverse consequences to human welfare (including property and the supply of essential services and commodities), the environment or security.

In the context of the Civil Contingencies Act, it will be very rare that Local Resilience Forums will identify threats as these will be communicated by Central Government or via the relevant lead government department in the form of Threat Assessments, e.g. terrorism (the Home Office), animal diseases (DEFRA) or human health (the Department for Health). These assessments will describe the threat, its scale and likelihood.

7.2.2 Risk Matrices

The risk evaluation matrix is a simple approach to quantifying risk by defining qualitative measures of consequence (Impact) and likelihood (frequency or probability) using a simple 1-5 rating system. This allows the construction of a risk matrix, which can be used as the basis of identifying risk. The risk score is Consequence x Likelihood. For the purpose of Business Impact Analysis the following risk scoring system is recommended. (see overleaf)

Consequence (Severity of Impact)

Score | Descriptor | Service / Business Interruption
1 | Insignificant | Loss / interruption < 1 hour
2 | Minor | Loss / interruption up to 8 hours
3 | Moderate | Loss / interruption up to 1 day
4 | Major | Loss / interruption up to 1 week
5 | Catastrophic | Permanent loss of service or facility

Likelihood (Frequency or Probability)

Score | Descriptor | Frequency | Probability
1 | Rare | Not expected to occur for years | < 1%; will only occur in exceptional circumstances
2 | Unlikely | Expected to occur at least annually | 1-5%; unlikely to occur
3 | Possible | Expected to occur at least monthly | 6-20%; reasonable chance of occurring
4 | Likely | Expected to occur at least weekly | 21-50%; likely to occur
5 | Almost Certain | Expected to occur at least daily | > 50%; more likely to occur than not

Risk matrix (rows: Consequence; columns: Likelihood)

Consequence | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain
1 Insignificant | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low
2 Minor | 2 Low | 4 Low | 6 Medium | 8 Medium | 10 Medium
3 Moderate | 3 Low | 6 Medium | 9 Medium | 12 High | 15 High
4 Major | 4 Low | 8 Medium | 12 High | 16 High | 20 Extreme
5 Catastrophic | 5 Low | 10 Medium | 15 High | 20 Extreme | 25 Extreme

Extreme Risks

These are classed as primary or critical risks requiring immediate attention. They may have a high or relatively low likelihood of occurrence, but their potential consequences are such that they must be treated as a high priority. This may mean that strategies should be developed to reduce or eliminate the risks, but also that mitigation in the form of (multi agency) planning, exercising and training for these hazards should be put in place and the risk monitored on a regular frequency. Consideration should be given to planning being specific to the risk rather than generic.

High Risks

These risks are classed as significant. They may have a high or relatively low likelihood of occurrence, but their potential consequences are sufficiently serious to warrant appropriate consideration after those risks classed as very high. Consideration should be given to the development of strategies to reduce or eliminate the risks, but also mitigation in the form of at least (multi agency) generic planning, exercising and training should be put in place and the risk monitored on a regular frequency.

Medium Risks

These risks are less significant, but may cause upset and inconvenience in the short term. These risks should be monitored to ensure that they are being appropriately managed and consideration given to their being managed under generic emergency planning arrangements.

Low Risks

These risks are both unlikely to occur and not significant in their impact. They should be managed using normal or generic planning arrangements and require minimal monitoring and control unless subsequent risk assessments show a substantial change, prompting a move to another risk category.

The Executive Team of Kernow CCG will ensure that the risks identified as a consequence of the development of Directorate Business Continuity Plans are included within the corporate risk register and vice versa.

Based on the outcomes of the risk assessment, Kernow CCG will explore the options that exist to minimise the level of risk faced by the organisation. Strategies will be devised for all risks identified from very high to low scores, based on the following proposed framework:
- Mitigation: identifying strategies, activities, modifications or controls aimed at reducing the risk
- Acceptance: ensuring the risk is owned at the appropriate level (normally director level) within the organisation.
- Transferring: changing the process, ceasing the practice, outsourcing the service or transferring the risk
- Eliminating: if possible removing the cause, avoiding the risk or introduce preventative measures
- Recovery: developing and testing recovery plans to deal with any threats and hazards identified.

For significant risks (rated High or Extreme) this will involve developing specific contingency plans, if appropriate, as part of the corporate business continuity plan. Other risks (rated Medium or Low) will be managed at directorate level as part of directorate business continuity plans.

8. Stage 3: Determining a BCM Strategy

8.1 Absence of Key Staff

To improve the resilience of services and supporting resources it is important that steps are taken to cope with the absence of key staff. Measures will include documenting key tasks, roles and responsibilities; capturing contact names and numbers and producing standard operating procedures.

Key individuals will be encouraged to take personal responsibility for nominating and training a deputy. This requirement should be reflected in an employee's annual objectives where applicable and will be subject to appraisal on an annual basis as a minimum.

Data gathering will be conducted to collect information on services and supporting resources, key staff, skills, equipment and contact information. Key posts and post holders will be identified within individual directorate plans.

8.2 Suppliers

Kernow CCG relies upon the products and services of other organisations in order to maintain effective operations. Suppliers include outsourcers and intermediaries who deliver services on the organisation's behalf. These suppliers (or partners) may be commercial, public or voluntary organisations.

NHS Trusts and NHS Foundation Trusts must be able to demonstrate a robust internal system for the management of risk to the delivery of their services. They must be compliant or operating at the NHSLA's Risk Management Standards, and demonstrate active compliance with any risk or quality regime introduced by the Care Quality Commission.

External providers will be required to undertake appropriate risk management and prepare business continuity management policies and procedures.

If the product or service supplied is unique and essential to the organisation's service capability or if there is a long term outsource agreement that makes it difficult to make alternative sourcing arrangements then the supplier will be judged as key.
The following is a list of questions which could be asked of key suppliers and CCG Managed Services: Have you identified the processes you need to ensure delivery of the products services we need for our critical processes? Have you identified the resources that support these processes? Have you developed Business Continuity Plans to maintain the processes if you have a disruption? Version 3.0 Final (Oct 2013) Page 15 of 22

Have you exercised these plans? What lessons have you learnt from the exercises? What steps have you taken to integrate the lessons learnt into your Business Continuity Plans? What other customers do you have for the key products/services you supply and what assurances can you give that we will receive preference of supply at the time of disruption? Answers to these questions should be supported by evidence from the supplier. Commissioning departments have essential roles to play in encouraging key suppliers to develop Business Continuity Plans. New contracts will contain appropriate business continuity clauses. When existing contracts are due for renewal the opportunity will be taken to discuss the need to include business continuity arrangements. Where appropriate performance measures will be added or reference made to appropriate BS BCM Standards. 8.3 Prioritisation of Kernow CCG Activities A data gathering exercise will be conducted to identify the critical, essential and routine processes in each directorate/business unit. These will be collated to form Kernow CCG s Business Continuity Plan. This information will be reviewed and updated either on an annual basis, or following incidents, exercises and organisational restructuring. 8.3.1 Category 1 Critical Activities Loss of a Critical Activity would immediately: Directly endanger life Endanger the safety of those individuals for whom NHS Kernow has a legal responsibility Prevent the operation of another activity in this category Prevent the delivery of a managed service Seriously affect NHS Kernow s finances or accuracy of critical records Prevent communication of vital information to partners or the public Category 1 activities must continue to be provided. 
8.3.2 Category 2 Essential Activities Loss of a Category 2 Essential Activity would immediately: Present a risk to health or safety Prevent NHS Kernow fulfilling a statutory obligation Prevent the operation of another activity in this category Seriously adversely affect NHS Kernow s reputation In the event of disruption this activity must be recovered within 3 days. Version 3.0 Final (Oct 2013) Page 16 of 22

8.3.3 Category 3 Priority Activities

Loss of a Priority Activity would lead to:

- NHS Kernow failing to meet its statutory obligations
- The operation of a Category 1 or 2 activity being seriously affected
- NHS Kernow's reputation being seriously adversely affected

In the event of disruption priority activities should be recovered within 7 days.

8.3.4 Category 4 Support Activities

All other activities which are required in order for NHS Kernow to go about its normal business are deemed to be support activities.

In the event of disruption these activities should be recovered as soon as possible.

8.4 Resources

In addition to critical, essential and routine processes it is important to consider the supporting resources which contribute to the normal operation of the organisation. This includes:

- Utilities: oil, gas, electricity, water, and sewerage.
- ICT: IT and telecommunications including third party suppliers, network and internet service providers.
- Logistics: including third party suppliers. In: supplies, transport. Out: transport, waste.
- Finance: payroll, contracts.
- Workforce: skills, numbers, communications and resource mobilisation, standard operating procedures.
- Premises: buildings and infrastructure. Considerations to include new build (secure by design); old build (design constraints and risks); alternative premises for use by single department or concurrent use by multiple departments (larger premises required).

The following, which support the smooth running of Kernow CCG's business, may also be considered under the resources heading:

- Facilities Management
- Reception
- Security
- Car Parking

8.4.1 Alternative Premises

In the event that Kernow CCG premises are unavailable or inaccessible for an extended period, alternative accommodation will be sought to house all critical activities and as many essential activities as possible. As part of the data gathering exercise Directorate Business Continuity Management Leads will be asked to identify such processes in their department, and they will be asked to define the minimum office amenities requirement (desks, phones, fax, PCs, etc.) necessary for them to maintain these activities. This information will be detailed in the Business Continuity Plan.

9. Stage 4: Developing and Implementing a BCM response

In addition to a broad policy statement it is important to develop suitable business continuity plans. These will be operational plans containing the arrangements required to address generic and specific threats faced by Kernow CCG.

The production of directorate plans will ensure that key stakeholders take responsibility for owning the BCM process and developing the arrangements required to respond to and recover from an incident.

10. Stage 5: Exercising, Maintaining and Reviewing

Business continuity is a cyclical process. Risk registers, associated arrangements and plans need to be revisited on a regular basis.

Kernow CCG will conduct incident or exercise debriefs and update plans and associated documentation based on the lessons identified. Risk registers will be reviewed and updated to allow for any change in circumstances and as new information becomes available.

As part of the ongoing business continuity cycle Kernow CCG will periodically re-evaluate its arrangements, identify the most vulnerable processes, improve resilience and thereby reduce the level of risk faced by the CCG. At the very least, business continuity plans will where possible be reviewed as part of a yearly audit cycle in line with current arrangements for the Major Incident Plan.

10.1 Incident Reporting

Incident reporting is fundamental to the identification of risk and to sound business continuity management. All staff are actively encouraged to use the CCG's existing incident reporting mechanism, which will be the CCG's primary mechanism for reporting of all incidents.

10.2 Training and Exercising

In conjunction with the publication of the policy, a training needs analysis will be conducted to identify the training required within the organisation. Existing training currently meets some Business Continuity training requirements, e.g. Fire Safety and Health & Safety training. Other training will include:

- Specific training for Directorate Business Continuity Management Leads to help them develop Directorate Business Continuity Plans.
- Any supplementary training where a need has been identified.

10.3 Audit, Monitoring and Review

This policy statement contains largely static information which will not change significantly over time. However it will be reviewed at least annually and updated versions will be distributed to all relevant parties.

The business continuity plans developed as a result of this policy will contain more dynamic information. Associated plans will be living documents that will change and grow as incidents happen, exercises are held and risks are re-assessed. At the very least all associated plans should be reviewed and updated on an annual basis. This will meet the requirement of Category 2 responders under the Civil Contingencies Act 2004 to maintain business continuity plans to ensure the delivery of key services.

The Governance and Assurance Committee will monitor progress on policy implementation and report regularly to the Governing Body.

Financial implications may emerge as the policy is reviewed and updated and associated business continuity plans are developed.

EIA Screening Form

Section:
Officer responsible for the assessment: Terry Ancell
Name of Policy to be assessed: Business Continuity
Date of Assessment: 15/8/2013
Is this a new or existing policy? New

1. Briefly describe the aims, objectives and purpose of the policy.
   This policy aims to ensure all staff are aware of their responsibilities in relation to business continuity. The objectives of the policy are to provide clear guidelines on the implementation of business continuity procedures across Kernow CCG.

2. Are there any associated objectives of the policy? Please explain.
   No

3. Who is intended to benefit from this policy, and in what way?
   Staff - it will provide clear guidance on the organisation's expectations and roles for all staff. Patients will benefit from this policy through continued commissioning and monitoring of services.

4. What outcomes are wanted from this policy?
   Fair and equitable application of business continuity management across the organisation.

5. What factors/forces could contribute/detract from the outcomes?
   Organisational change and pressures contributing to lower priority for BCM.

6. Who are the main stakeholders in relation to the policy?
   All Kernow CCG staff.

7. Who implements the policy, and who is responsible for the policy?
   The Executive Team will be responsible for implementing policy at the directorate level.

8. Are there concerns that the policy could have a differential impact on RACIAL groups? Y / N
   Please explain. What existing evidence (either presumed or otherwise) do you have for this?
   The policy provides guidance for all staff on their roles and responsibilities for implementing BCM.

9. Are there concerns that the policy could have a differential impact due to GENDER (including TRANSGENDER)? Y / N
   What existing evidence (either presumed or otherwise) do you have for this?
   The policy provides guidance for all staff regardless of gender.

10. Are there concerns that the policy could have a differential impact due to DISABILITY? Y / N
    What existing evidence (either presumed or otherwise) do you have for this?
    The policy provides guidance for all staff regardless of disability.

11. Are there concerns that the policy could have a differential impact due to SEXUAL ORIENTATION? Y / N
    What existing evidence (either presumed or otherwise) do you have for this?
    The policy provides guidance for all staff regardless of sexual orientation.

12. Are there concerns that the policy could have a differential impact due to their AGE? Y / N
    What existing evidence (either presumed or otherwise) do you have for this?
    The policy provides guidance for all staff regardless of age.

13. Are there concerns that the policy could have a differential impact due to their RELIGIOUS BELIEF? Y / N
    What existing evidence (either presumed or otherwise) do you have for this?
    The policy provides guidance for all staff regardless of religious belief.

14. How have the Core Human Rights Values of: Fairness; Respect; Equality; Dignity; Autonomy been considered in the formulation of this policy/strategy? If they haven't, please reconsider the document and amend to incorporate these values.
    This policy has been developed to ensure all staff are treated equally and fairly during the implementation of business continuity management.
    This policy has been formulated to ensure that guidance for staff and line managers can be implemented in a timely and effective manner and that essential services are not unnecessarily disrupted.
    This policy has been widely circulated for comment and consultation ensuring that core human rights values are given due consideration.

15. Which of the Human Rights Articles does this document impact? What existing evidence (either presumed or otherwise) do you have for this?
    The right:
    - To life;
    - Not to be tortured or treated in an inhuman or degrading way;
    - To be free from slavery or forced labour;
    - To liberty and security;
    - To a fair trial;
    - To no punishment without law;
    - To respect for home and family life, home and correspondence;
    - To freedom of thought, conscience and religion;
    - To freedom of expression;
    - To freedom of assembly and association;
    - To marry and found a family;
    - Not to be discriminated against in relation to the enjoyment of any of the rights contained in the European Convention;
    - To peaceful enjoyment of possessions and education;
    - To free elections
    Yes / No

16. Could the differential impact identified in 8 to 13 amount to there being the potential for adverse impact in this policy? Y / N
    Please explain

17. Can this adverse impact be justified on the grounds of promoting equality of opportunity for one group? Or any other reason? Y / N

18. Should the policy proceed to a full equality impact assessment? Y / N
    No adverse impact anticipated

18. If No, are there any minor further amendments that should take place?
    NO

19. If a need for minor amendments is identified, what date were these completed and what actions were undertaken.

Signed (completing officer): ........ Date: ........
Signed (Head of Section): ........ Date: ........

Please ensure that a signed copy of this form is sent to both the Policies Officer and the Equality and Diversity lead to be placed on the Primary Care Trust website.