NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY
AUTHOR / APPROVAL DETAILS
Document Author Written By: Human Resources
Authorised Signature Authorised By: Helen Shields
Date: 20th February 2013
Job Title: Human Resources Advisor
Effective Date: 1st April 2013
Approval At: CCG Governing Body
Date:
Job Title: Chief Officer
Review Date: 20th February 2014
Date Approved: 28th February 2013

VERSION CONTROL
Version | Date | Changes
1 | 20/02/13 | First draft (amended)
CONTENTS
1 Executive Summary
2 Introduction
3 Scope
4 Key Responsibilities
4.1 Senior Management Team Responsibilities
4.2 Risk Management Lead Responsibilities
4.3 Staff Responsibilities
5 Embedding Business Continuity into the Organisation's Culture
6 Developing and Implementing a Business Continuity Management Response
7 Determining the Business Continuity Response Flowchart
8 Exercising, Maintaining and Reviewing
8.1 Exercising
8.2 Maintaining
8.3 Reviewing
9 Implementation / Training / Awareness
10 Monitoring / Key Performance Indicators
11 References
12 Links to Other Policies / Documents
13 Disclaimer
Appendix 1 Key Definitions for Documentation
1. EXECUTIVE SUMMARY

1.1 The Isle of Wight Clinical Commissioning Group (herein CCG) recognises the need for effective business continuity management to ensure quality, whilst increasing cost efficiency and productivity.

1.2 The CCG has legislative obligations in relation to resilience, both in planning and responding, under the Civil Contingencies Act 2004. Business continuity is a key component of resilience, and all NHS funded organisations have been asked to align their business continuity arrangements with the requirements of British Standard 25999. By using this framework the CCG is able to provide assurance to stakeholders that it is a resilient organisation that is able to adapt to disruptions to critical services in a timely and effective way.

1.3 To align with the required standards and best practice, the CCG Business Continuity Management Process (BCMP) will follow the four stages of the business continuity management lifecycle. The four stages are as follows:
1) Understanding the organisation
2) Determining Business Continuity Management Policy
3) Developing and implementing Business Continuity Management Response
4) Exercising, maintaining and reviewing

1.4 The aim of this document is to introduce the necessity for Business Continuity Plans to be prepared and maintained for all areas of the CCG.

1.5 The intention of this document is to inform all staff of the legal obligations in relation to business continuity and to establish a proactive culture around resilience. This document will also provide direction to ensure that arrangements are in place to enable the CCG to react efficiently and recover from an incident that involves a loss, total or partial, of functions and services.

2. INTRODUCTION

2.1 Business Continuity Management (BCM) is a process that ensures that there is minimal disruption to critical services and core business in the event of a major interruption / breakdown / incident and assists departments to reinstate normal services as quickly as possible. Business continuity (BC) is a key component of resilience, and all NHS funded organisations have been asked to align their business continuity arrangements with the requirements of British Standard (NHS) 25999.

2.2 The benefits of an effective Business Continuity Management programme are:
- key products and services are identified and protected, ensuring their continuity
- an incident management capability is enabled to provide an effective response
- the organisation's understanding of itself and its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood
- staff are trained to respond effectively to an incident or disruption through appropriate exercising
- stakeholder requirements are understood and able to be delivered
- staff receive adequate support and communications in the event of a disruption
- the organisation's supply chain is secured
- the organisation's reputation is protected; and
- the organisation remains compliant with its legal and regulatory obligations.

2.3 Code of Practice for Business Continuity Management (BS NHS 25999 1)

2.4 The CCG is also required to meet its statutory duties as defined within the Civil Contingencies Act (2004). These are:
- assess the risk of emergencies occurring and use this to inform contingency planning
- put into place emergency plans
- put into place Business Continuity Management arrangements
- put into place arrangements to make information available to the public about civil protection matters and maintain arrangements to warn, inform and advise the public in the event of an emergency
- share information with other local responders to enhance co-ordination
- co-operate with other local responders to enhance co-ordination and efficiency

2.5 This policy is the first step of the initiation stage and clearly defines the framework which will ensure the Business Continuity process meets our statutory obligations.

2.6 Depending on the incident, both the Major Incident and the Business Continuity plans may be activated to deliver the external and internal response. For example, if the Isle of Wight was faced with a water contamination incident, both the population of the Isle of Wight and the organisation would be affected. The activation of the plan ensures they fulfil their requirements as part of the Civil Contingency Function and also that the organisation can continue to deliver its ordinary business.

3. SCOPE

3.1 This policy applies to all employees of the CCG.

4. KEY RESPONSIBILITIES

4.1 In the CCG, the Senior Management Team will be responsible for ensuring that their organisation has a Major Incident Plan in place that will be built on the principles of risk assessment, co-operation with partners, emergency planning, communicating with the public and information sharing.
The plan will link into the organisation's arrangements for ensuring business continuity as required by the Civil Contingencies Act 2004 (NHS 2005 Emergency Planning Guidance). To comply with the requirements of the Civil Contingencies Act, the following actions are required to be undertaken by the following staff members:

4.2 The Senior Management Team responsibilities

4.2.1 The Senior Management Team will:
- authorise the provision of the resources needed to establish, implement, operate and maintain a Business Continuity System
- support the Emergency Planning Lead to be responsible for co-ordinating the implementation of the Business Continuity System irrespective of other responsibilities
- determine the acceptable level of risk in relationship to Business Continuity and management of business continuity risks
- receive annual reviews following management reviews of the Business Continuity System
- communicate the Business Continuity Management programme to its stakeholders
- communicate to the organisation via the Executive lead the importance of:
  - meeting Business Continuity management objectives
  - conforming to the continual improvement

4.3 Risk Management Lead responsibilities

4.3.1 The Risk Management Lead will:
- be responsible for ensuring an effective system is in place for monitoring, reviewing and exercising business continuity plans
- provide staff with support to develop their business continuity plans
- provide regular training to staff on business continuity
- provide reports on a quarterly basis to Risk management on business continuity planning

4.4 Staff responsibilities

4.4.1 Staff will:
- develop business continuity plans for their services
- be responsible for reviewing and monitoring business continuity plans
- be responsible for exercising their business continuity plans
- be responsible for attending relevant training on business continuity

5. EMBEDDING BUSINESS CONTINUITY INTO THE ORGANISATION'S CULTURE

5.1 The CCG will ensure that Business Continuity Management becomes part of its core values and effective management. To provide this:
- the CCG will raise, enhance and maintain awareness by the implementation of an ongoing Business Continuity education and information programme for all staff via the Mandatory training. This awareness can be raised by workshop sessions or via individual team briefings
- an evaluation process will be established to monitor its effectiveness

6. DEVELOPING AND IMPLEMENTING A BUSINESS CONTINUITY MANAGEMENT RESPONSE

6.1 The process is as follows:

1) Function analysis, which identifies a service area's day-to-day functions, including those which are statutory and may be carried out as a service area's planned response to incidents.
The analysis will identify resources required to deliver those functions (such as, but not limited to, staff, accommodation, equipment, systems and Information and Technology).

2) Process Mapping identifies stakeholders associated with the functions detailed in the function analysis.

3) Business Impact Analysis identifies the impact of failing to deliver those functions detailed within the function analysis. Financial and non-financial impacts are to be considered within the analysis, as will timescales within which the failure of delivery can be tolerated (Maximum Tolerable Period of Disruption).

4) Risk Analysis using the matrix below identifies the likelihood and impact of specific disruption. This process uses information from the Business Impact Analysis to determine the level of risk associated with disruption of a function and should take into account any mitigation in place to reduce both likelihood and impact.

              | Low Likelihood | High Likelihood
High Impact   | PLAN           | REDUCE
Low Impact    | NO ACTION      | MANAGE / CONTROL

7. DETERMINING THE BUSINESS CONTINUITY RESPONSE FLOWCHART

Function Analysis
- Identifies day to day functions within a service area
- Identifies statutory functions and those which may have excessive demands placed on them as part of a planned response
- Identifies stakeholders and resources required

Process Mapping
- Identifies stakeholders through stages of functions

Business Impact Analysis
- Details the impact of failure to carry out functions
- States the minimum time period within which a service area cannot provide those functions

Risk Analysis
- Plots the likelihood and impact of disruption

Business Continuity Response Decision Table
- Records outcomes of the Risk Analysis
- Identifies risks requiring immediate mitigation (reduce)
- Records options for mitigation of such risks and details reasons for and against adopting such options

Business Continuity Decision Table Outcomes
- No action required
- Manage / Control
- Develop and manage the BCP in accordance with Establishment of Critical Functions information; Accept Risk

8. EXERCISING, MAINTAINING AND REVIEWING

8.1. Exercising

8.1.1 All Business Continuity plans need to be exercised on an annual basis. This may occur either through a table top exercise or through activation of a major incident or more localised service related incident.

8.1.2 The exercising of plans may be part of a wider major incident exercise across the CCG. The exercise programme will ensure all business continuity arrangements are validated and provide assurances that arrangements in place meet the requirements of the CCG. The exercise programme has full support from the Senior Management Team.

8.1.3 All exercises will be recorded on the business continuity management spreadsheet.

8.1.4 All aims and objectives of the exercise will be fully documented and a report completed to the Commissioning Officers Group, which will demonstrate the organisation's achievements of those aims and objectives. This report will include any relevant actions that are required and identify lessons learned and good emergency practice and any feedback from observers at an exercise or stakeholders involved in the incident.

8.2. Maintaining

8.2.1 Audits of Business Continuity Plans will be initiated and carried out by the Commissioning Officers Group. Audits will:
- be conducted by the auditor in a manner that will ensure objectivity and impartiality
- determine whether the Business Continuity Plan is effective in meeting the organisation's Business Continuity Management objectives
- determine whether the Business Continuity Plan has been properly maintained, in particular that changes following the preventative and corrective action processes have been completed
- take into account the results of previous audits
- be followed by a written report which details audit outcomes and includes required actions to be concluded

8.2.2 Preventative and Corrective Action will be completed following reviews, exercises and audits. The Clinical Director is to ensure that such action is taken. This process will:
- ensure that any recommendations made as a result of Continual Improvement are completed and recorded as such
- provide confirmation that Business Continuity Plans have been amended following changes by completion of a Continual Improvement Record and Preventative and Corrective Action Record

6.3 Reviewing

6.3.1 All business continuity plans need to be reviewed on an annual basis. This may be via the exercise programme or post incident or as part of the annual review process. The Senior Management Team will manage the Business Continuity review process via the Business Continuity Plan spreadsheet.

6.3.2 This policy is not intended as a linear process. The validity of the strategy lies not in the clarity or rigorously maintained structure, but in its capacity to capture the initiative, to deal with unexpected events, to redeploy and concentrate resources as new opportunities and thrusts emerge, and therefore to use resources most effectively when selected.

9. IMPLEMENTATION / TRAINING / AWARENESS

7.1 The CCG will ensure that all staff who have been assigned responsibilities defined by the Business Continuity Policy are competent to perform the required tasks by:
- determining necessary competencies to enable staff to perform work related to Business Continuity Management
- providing training via a number of platforms, e.g. workshops, external courses and inductions
- evaluating the effectiveness of the training provided, via Evaluation reports and one to one sessions conducted by management
- conducting a training needs analysis on staff assigned BCM roles and responsibilities
- providing the Risk Management Committee with an annual review of training that has taken place and the impact it has had

7.2 In addition, training and education programmes need to highlight the importance of meeting Business Continuity Management objectives and conforming to the CCG policy.

10. MONITORING / KEY PERFORMANCE INDICATORS

10.1 Key Performance Indicators include:
- monitoring of the programme by the Risk Management Committee with overall responsibility held by the Clinical Director
- reviews and lessons learned from any incidents where Business Continuity Plans have been invoked
- Risk Assessment Process to complement Business Continuity Plans

11. REFERENCES

- The Civil Contingencies Act 2004. London: The Stationery Office.
- British Standard 25999:2007, Business Continuity Management.
- The Business Continuity Institute Good Practice Guidelines (2008). The Business Continuity Institute.
- NHS Emergency Planning Guidance (2005). Department of Health.
- Strategy Safari (2009). Mintzberg, H., Ahlstrand, B., Lampel, J. Prentice Hall (Harlow).
- Expectations and Indications of Good Practice (2006). Cabinet Office.

12. LINKS TO OTHER POLICIES / DOCUMENTS

12.1 This policy should be read in conjunction with:
- BS NHS 25999
- Civil Contingencies Act (2004)

13. DISCLAIMER

11.1 It is the responsibility of staff to check the organisation intranet to ensure that the most recent version/issue of this document is being referenced.

APPENDIX 1 KEY DEFINITIONS FOR DOCUMENTATION

Business Continuity (BC): Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Business Continuity Management (BCM): Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

Business Continuity Management Lifecycle: Series of business continuity activities which collectively cover all aspects and phases of the business continuity management programme.

Business Continuity Management Programme: Ongoing management and governance process supported by top management and appropriately resourced to ensure the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review.

Business Continuity Plan (BCP): Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable predefined level.

Business Impact Analysis (BIA): Process of analysing business functions and the effect that a business disruption might have upon them.

Critical Activities: Those activities which have to be performed in order to deliver the key products and services which enable an organisation to meet its most important time sensitive objectives.

Disruption: Event, whether anticipated (e.g. labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organisation's objectives.

Maximum Tolerable Period of Disruption (MTPD): Duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed.

Recovery Time Objective (RTO): Target time set for resumption of product, service or activity delivery after an incident.