Tyne and Wear Fire and Rescue Authority Business Continuity Planning Policy
Index Section Item 1 Policy Statement 2 Introduction 3 Aims 4 Objectives 5 Continuity of Critical Functions 6 Command and Control 7 Business Continuity Management 8 Exercise and Validation 9 Monitoring and Review 10 Financial Implications Appendix one Appendix two Appendix three Events with the potential to cause disruption Continuity plan invocation record Continuity plan report S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 1
1 Policy Statement 1.1 The Civil Contingencies Act 2004 (the Act) has imposed a number of duties on Tyne and Wear Fire and Rescue Authority (the Authority). Business Continuity Planning is one of these duties. This policy will address how the Authority will deal with the issue of Business Continuity Planning and how it will implement specific strategic and departmental continuity plans in order to comply with the Act and contribute to the successful implementation of the Strategic Plan. 2 Introduction 2.1 The Act places a duty on the Authority to ensure that it is prepared, as far as reasonably practical, to continue to provide critical functions in the event of a disruption i.e. ensuring business continuity. This will be achieved by the development of an overall Business Continuity Management File, Department Continuity Plans (DCPs) and Strategic Continuity Plans (SCPs). 2.2 These continuity plans will identify the critical functions carried within departments; they will also identify the events (appendix one) that may impact upon critical functions. Lastly the plans will detail the recovery actions required should a function be disrupted following an event occurring. 2.3 The development of the Authority s Business Continuity Planning process will be carried out in accordance with current and new guidance as it emerges e.g. BS 25999 1 Code of practice for Business Continuity Management. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 2
3 Aims 3.1 To ensure that the Authority meets a key requirement of the Act by having plans in place to ensure that critical service functions can be maintained in the event of a disruptive event occuring. 4 Objectives 4.1 To identify those areas which are critical (directly or indirectly) to the achievement of the Authority s mission. 4.2 To identify and assess the likelihood of events occurring with the potential to disrupt critical functions. 4.3 To develop continuity plans that will ensure that the Authority can continue to operate effectively in times of crisis. 4.4 To exercise and validate the effectiveness of continuity to ensure that they are effective and provide value for money. 5 Continuity of critical functions 5.1 Critical functions are defined as those functions which, when disrupted, will have an adverse impact (directly or indirectly) on the Authority s ability to deliver its services. A Business Impact Analysis (BIA) of all critical functions will be carried out at strategic and department level within the Authority. This analysis will be carried out and recorded using the DCP & SCP frameworks and guidance which has been specifically developed for this purpose. All departments will carry out a BIA on those functions which are determined and agreed as critical to the Authority. 5.2 Each department will complete a risk assessment on events which are identified as having the potential to cause disruption to critical functions. The risk assessment will be carried out using RiskPro, the risk assessment software now in use within the Authority. 5.3 The ability to react positively to events is directly related to the prior identification of actions that can be invoked i.e. continuity plans. Each department will develop, as part of their continuity plan, an action plan detailing the continuance of critical functions in times of crisis. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 3
5.4 The action plan will identify three distinct recovery phases: 5.4.1 When an event has occurred, or is expected to occur, it will be necessary to consider invoking the Initial Action Plan. This plan will identify the actions required to prevent the situation from deteriorating by ensuring that some form of intervention is taken e.g. in the case of a pandemic influenza the cancellation of fire safety visits may prevent propagation of the virus within fire and rescue personnel. 5.4.2 As a direct follow-on from the initial actions the Partial Recovery Action Plan considers the actions that must be carried out in order to provide the required service in some limited or interim capacity e.g. Should a premise suffer some form of damage, a specific action could be the relocation of essential services utilising any spare capacity within the premise. 5.4.3 The final set of actions detailed in the Full Resumption Action Plan will identify what is required to return the department to the position it was in prior to any event occurring e.g. Ensuring that all remedial works have been completed to the required standard prior to allowing re-occupation of a premise, or part or a premise. 5.4 Following a subjective analysis of the critical functions carried out within the Authority the following departments have been identified as mission critical and, as a consequence, continuity plans covering them will be developed as a matter of priority. The departments are: Community Fire Stations Mobilising and Control Centre Information, Communication and Technology Finance Procurement Technical Services Strategic Management 5.5 Continuity plans will also be developed by the following departments: Territorial Divisions Operations Human Resources Learning and Development Fire Safety Corporate Planning 5.5 A service-wide continuity plan will also be developed for the following events: Pandemic Influenza Loss of Authority premises S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 4
6 Command and Control 6.1 The activation, notification and escalation procedure for a specific or several continuity plans will be carried out by the department manager or any of their nominees and will depend on whether the event causing disruption to a function is sufficiently serious to warrant the invocation of a plan. Figure 1 overleaf illustrates the typical sequence of actions required should an event occur, these are covered more comprehensively in specific guidance notes contained within the continuity planning procedure. 6.2 Where an event has occurred or is likely to occur then department managers must make an assessment of the event to determine if it will affect their function. The event may be specific to a geographical area or Authority wide. During normal working hours the Civil Contingencies Planning Officer (CCPO) may assist in assessing the event and in determining which continuity plans are likely to be invoked and by whom. 6.3 Continuity plans specific to departments will be held at those locations and will be made familiar to all staff. In addition to this the Authority s BCP will also be held at Control, Service Headquarters, North Division and South Division. The Authority s Corporate Business Continuity Plan will comprise of all continuity plans and implementation guidance. 6.4 Each continuity plan has a named responsible person and two deputies. If an event occurs any of the named persons can invoke the plan. In the event of a named person being unavailable then Control will inform the relevant principal officer who will nominate a duty officer/manager to invoke a plan. 6.5 The practical implementation of any continuity plans will be recorded on the Invocation Report (appendix two). The Invocation Report must be completed as soon as any plan has been invoked, all relevant details shall be recorded and the completed form should be forwarded to the department manager who owns the DCP and a copy sent to the CCPO, SHQ. 6.6 The DCP Report (appendix three) should be commenced immediately following the invocation of a plan. It should be used to record what actions have been taken and their success or otherwise. This will enable poor performance to be addressed and plans to be updated where necessary. At the point where normal services have been resumed the completed form should be forwarded to the department manager who owns the DCP and a copy sent to the CCPO, SHQ. 6.7 The day to day management of an active plan shall be carried out by the named person, nominate or duty officer/manager. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 5
S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 6 Figure 1
7 Business Continuity Management 7.1 Where an incident occurs that is outwith events that have been planned for, the Emergency Management Group (EMG) will convene, the make up of the group will be dictated by the type and scale of the incident. 7.2 The EMG will determine if any of the existing plans available are suitable for use, and its main consideration will be the maintenance of an operational response to fires and special services. 7.3 The EMG will meet at such times that an event has occurred or is imminent; the ongoing need for and frequency of meetings will be determined by the type and scale of event. 7.4 The EMG will be chaired by the Operations & Technical Services Manager or other Principal Officer. The Chair, AM Operations and Civil Contingencies Planning Officer will under normal circumstances determine who shall attend if an event occurs. 7.5 The EMG will consist of a Chair, and representatives from the following departments, deputy managers must be nominated to cover for absence etc: Chair Ops & Technical Manager (or other PO) Corporate Planning Civil Contingencies Planning officer Operations AM Operations and Technical Fire Safety AM Fire Safety Divisional Commander AM North Division Divisional Commander AM South Division Personnel AM Human Resources Control PFCO Control Corporate Planning Corporate Planning Manager ICT ICT Manager Transport Engineering Resource Manager Finance Finance Manager FBU Employee Representative Procurement Procurement Manager Strategic Property Asset Manager Property Services Officer Health and Safety Health and Safety Manager The composition of the group will reflect the event impacting on the Authority and not all representatives will be required to attend. 7.6 Familiarisation training in respect of Business Continuity Planning will be provided to all personnel responsible for the development and maintenance of departmental continuity plans. The responsibility for providing this training and providing any other support in respect of Business Continuity Planning will rest with the CCPO. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 7
8 Exercise and Validation of Plans 8.1 All continuity plans will be exercised by the most appropriate means. Specific exercises will allow the efficacy of each plan to be validated, and, where necessary, adjustments to be made. 8.2 The exercising of any continuity plans will be recorded using an Invocation Record (appendix two). The form will be started as soon as any plan has been invoked and all relevant details will be recorded and the completed form forwarded to the CCPO. The Continuity Plan Report (appendix three) will be used once normal working procedures have been reinstated, this form will identify the success or otherwise of the actions taken, the completed form will be returned to the CCPO. 8.3 An exercise schedule will be developed by the CCPO. Exercises will focus upon all actions that have been identified, this will include an audit of any documentation or guidance that has been referenced, external suppliers/contractors relationships will also be verified to ensure ongoing resilience where necessary. 9 Review and Monitoring 9.1 All continuity plans will be reviewed annually. Furthermore, when new and emerging risks to the critical functions of the Authority are identified, continuity plans will be amended to account for these new risks. Continuity plans should also be updated as and when key personnel transfer, or when key suppliers/contractors circumstances change. 9.2 In all cases it is the department manager who will instigate any changes to continuity plans. However, it is imperative that any changes made are communicated to the CCPO. This will ensure that there are no areas of conflict, the TWFRA Business Continuity Management File is updated and that all relevant personnel are aware of changes. 9.3 The CCPO will at all times monitor the Authority s BCP, any areas identified as inadequate will be raised to the relevant manager for amendment or otherwise. 10 Value for money 10.1 The cost of developing continuity plans is negligible as they will be completed by personnel during normal working hours. Moreover, the benefits of producing such plans far outweighs the time and resources utilised. 10.2 The benefits of business continuity in most cases are immeasurable until some event occurs, that without having a robust plan in place, would have caused significant damage. Moreover, the ability to continue with high quality essential services contributes directly to the attainment of the Authority s Mission. 10.3.1 For some recovery plans there will be a cost involved in implementing specific actions, these costs will be identified within the specific plans. These costs will be accommodated within the Authority budget, where appropriate. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 8
Appendix One Events with the potential to cause disruption to a function or department. Fire in all or part of a premises Flood affecting all of part of a premises Structural problems affecting all of part of a premises Access to stations or departments Essential service disruption i.e. gas, electric or water Communications failure e.g. radio network, mobile telephones etc Pandemic influenza Widespread industrial action ICT virus attack ICT main server failure ICT sabotage Transport infrastructure failure White powder incident Please note that this list is not exhaustive and other events may occur with the potential to disrupt departmental functions. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 9
Appendix Two DCP Invocation Report* Date (dd/mm/yy) Time (hh/mm) Event (brief description of event and potential/actual disruption to function) DCP invoked Action taken (brief overview of initial action taken) Person(s) responsible for actions if different from person completing form) Name Number Control informed Reported to *The completed form must be forwarded to the department manager who owns the DCP; a copy of the form must also be forwarded to the Civil Contingencies Planning Officer, SHQ. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 10
Appendix Three TWFRA DCP Report* Event (brief description of event and potential/actual disruption to function) DCP invoked Plan invoked by Number Date (dd/mm/yy) Time (hh/mm) Person(s) responsible for actions if different from person who invoked plan) Name Number *The completed form must be forwarded to the department manager who owns the DCP; a copy of the form must also be forwarded to the Civil Contingencies Planning Officer, SHQ. S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 11
Initial Recovery Plan Recovery action(s) taken Were the action(s) successful (yes/no) if no what went wrong S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 12
What could be improved Partial Recovery Plan Recovery action(s) taken Were the action(s) successful (yes/no) if no what went wrong S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 13
What could be improved Full Recovery Plan Recovery action(s) taken Were the action(s) successful (yes/no) if no what went wrong S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 14
What could be improved S:\Depts\Civil Contingencies\Draft Policy\BCP Policy v1.2 Page 15