BUSINESS CONTINUITY MANAGEMENT POLICY AUTHORISED BY: DATE: Andy Buck Chief Executive March 2011 Ratifying Committee: NHS Rotherham Board Date Agreed: Issue No: NEXT REVIEW DATE: 2013 1 Lead Director John Radford Director of Public Health Author: Gaynor Young Emergency Planning Manager 1
BUSINESS CONTINUITY MANAGEMENT POLICY DATE AGREED BY BOARD ISSUE NO LEAD DIRECTOR TITLE 1 Director of Public Health AUTHOR TITLE Emergency Planning Manager 2
BUSINESS CONTINUITY MANAGEMENT POLICY INDEX 1 INTRODUCTION 4 2 PURPOSE 5 2.3 Aim 5 2.4 Objectives 5 3 THE RISKS OF NOT HAVING THIS POLICY IN PLACE 6 4 DEFINITIONS 6 4.1 Major Incident 6 4.2 Business Continuity Management (BCM) 6 4.3 A service interruption for NHS Rotherham 7 4.4 A service interruption only affecting one Directorate 7 4.5 A corporate interruption to services 7 4.6 Priority Functions (Class1,2,3,4,5) 7 5 PRINCIPLES 8 6 ROLES AND RESPONSIBILITIES 9 6.1 NHS Rotherham 9 6.2 NHS Rotherham Board 9 6.3 Chief Executive 9 6.4 Director of Public Health 9 6.5 Deputy Chief Executive Finance, Contract & Service 9 Improvement 6.6 Commissioned Provider Services 9 6.7 Chief Executive, Directors, and Deputy Chief Executives 9 6.8 Assistant Directors Heads of Service and Managers 10 6.9 Emergency Planning Manager 10 6.10 Employees 10 7 PROCEDURE 11 8 MONITORING COMPLIANCE AND EFFECTIVENESS OF THIS POLICY 8.1 NHS Rotherham Board 12 8.2 The Director of Public Health 12 8.3 The Deputy Chief Executive Finance, Contract & Service 12 Improvement 8.4 The Deputy Chief Executive Finance, Contract & Service 12 Improvement 8.5 The Emergency Planning Manager 12 9 REFERENCES 13 10 REVIEW OF THIS POLICY 13 APPENDIX 1 Policy Implementation Plan 14 12 3
1. INTRODUCTION 1.1 1.2 1.3 NHS Rotherham has a duty to protect and promote the health of the community, including in times of emergency. We are committed to complying with legislation and guidance in relation to emergency preparedness and business continuity management. The Civil Contingencies Act 2004 places a statutory duty on NHS organisations to put in place Business Continuity Management arrangements. This legislation is supported by Department of Health guidance and the Operating Framework for the NHS in England 2010/11 which requires we maintain a robust system to plan, train and test for a response to any business disruption. The Care Quality Commission assesses emergency preparedness of the NHS against compliance with these obligations. This Business Continuity Management (BCM) policy forms part of a BCM system to provide the framework to ensure resilience to any service interruption, to help ensure continuity of key services to stakeholders and the protection of the NHS Rotherham brand and reputation. 4
2. PURPOSE 2.1 NHS Rotherham is the local leader of the NHS. As such we plan and commission health services to maximise the health and well-being of the people of Rotherham. It is responsible for: 2.1.1 2.1.2 2.1.3 2.1.4 2.1.5 Assessing the health needs of local people. Improving the overall health of the local communities. Ensuring that services can be accessed by everyone. Listening to patients' views on services and acting on them. Making sure that the providers and partners are working together effectively. 2.2 This Business Continuity Management (BCM) Policy provides the framework to ensure resilience to maintain the above responsibilities. The policy has been developed in accordance with recommendations from the Business Continuity Institute Good Practice Guidelines 2010, the requirements of the British Standard BS 25999 and NHS guidance. 2.3 Aim: 2.3.1 To enable the response to business disruptions to take place in a co-ordinated manner, in order to continue key business operations at the highest level achievable in the circumstances. 2.4 Objectives: 2.4.1 2.4.2 2.4.3 To identify key services which, if interrupted for any reason, would have the greatest impact on the community, the health economy and the organisation. To identify and reduce the risks and threats to the continuation of these key services. To develop plans which enable the organisation to maintain and / or resume key services in the shortest possible time. 5
3. THE RISKS OF NOT HAVING THIS POLICY IN PLACE 3.1 If this policy is not in place and implemented, NHS Rotherham 3.1.1 Would be unable to effectively manage a widespread internal business disruption to the commissioning side of NHS Rotherham and recover/maintain key functions in priority order. 3.1.2 Would be unable to effectively oversee an integrated emergency management approach to coordinate commissioned provider services to efficiently recover/maintain overall key health functions in priority order. 3.1.3 Could adversely impact on the health and well being of stakeholders. 4. DEFINITIONS 3.1.4 Would fail in our statutory duty to maintain Business Continuity as far as reasonably practicable in compliance with the Civil Contingencies Act 2004. 3.1.5 Would not be aligned with relevant NHS guidance, specifically BS NHS 25999 2: 2009. 3.1.6 Would put at risk the reputation of the organisation in the perspective of the public and partner organisations. For the purpose of this policy the following terms will be used in the context of this policy 4.1 Major Incident: Any occurrence that presents a serious threat to the health of the community, disruption to the service or causes (or is likely to cause) such numbers or types of casualties as to require special arrangements to be implemented by hospitals, ambulance trusts or primary care organisations. [NHS Emergency Planning Guidance 2005] 4.2 Business Continuity Management (BCM): An holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. [BS NHS 25999 2] 6
4.3 A minor business interruption for NHS Rotherham may be defined as: A business interruption which affects part of one service area. 4.4 A significant business interruption only affecting one Directorate in its entirety: There is an expectation that each Director will be responsible for ensuring that their Directorate is able to maintain its own key functions in accordance with their own BCM plans. Corporate support should only be necessary when recovery is beyond their internal capabilities or routine escalation procedures. 4.5 A major interruption to services: An activation of the corporate BCM plan is only envisaged where a coordinated response is necessary when either: 4.5.1 A single NHS Rotherham Directorate is so severely affected that it is unable to maintain its key functions without support from other service areas. 4.5.2 The business interruption has affected more than one NHS Rotherham Directorate and has potential to severely affect the overall key functions of NHS Rotherham. 4.6 Priority Functions The Business Impact Analysis process will quantify the impact of a loss or disruption of each function carried out and identify the relevant priority order for resumption of these functions. 4.6.1 Class 1 Function Recovery Time Objective within 24 hrs 4.6.2 Class 2 Function Recovery Time Objective within 24-48 hrs 4.6.3 Class 3 Function Recovery Time Objective within 1 week 4.6.4 Class 4 Function Recovery Time Objective within 2 weeks 4.6.5 Class 5 Function Recovery Time Objective beyond 2 weeks to be recovered after the above priorities 7
5. PRINCIPLES 5.1 This BCM policy will cover all aspects of each Directorate within the commissioning side of NHS Rotherham. 5.2 Each Directorate will be required to develop business continuity plans to maintain key services and functions assessed as Class 1, Class 2 and Class 3 activities in their Business Impact Analysis. These will include any time sensitive services. 5.3 For functions assessed as Class 4 and 5 Directorates will only be expected to maintain appropriate control measures to minimise the likelihood of any interruption. No specific business continuity plan will be necessary for these functions at present. 5.4 All provider services commissioned by NHS Rotherham will be required through contract arrangements to provide assurance that their own BCM plans are capable of maintaining an acceptable level of service, as far as reasonably practicable. Specifically: 5.4.1 Rotherham NHS Foundation Trust 5.4.2 CareUK 5.4.3 General Practitioners 5.4.4 GP out of hours service 5.4.5 Community Pharmacies 5.4.6 Dental Practitioners 5.4.7 Opticians 5.4.8 Rotherham Community Health Services 5.4.9 RDASH 5.4.10 YAS 5.4.11 5.4.12 Hospice Any external suppliers of equipment, resources or services that are essential for the maintenance of our identified key services 8
6. ROLES AND RESPONSIBILITIES NHS ROTHERHAM 6.1 NHS Rotherham Where a corporate interruption to services is identified NHS Rotherham will assume a co-ordinating role in line with their BCM plan to provide a whole systems approach to continuing overall key business operations at the highest level achievable in the circumstances. 6.2 NHS Rotherham Board BCM is an important part of the Trust s risk management arrangements. The Board will ratify this Policy. 6.3 Chief Executive The Chief Executive has overall accountability for ensuring the successful implementation of a BCM system for the organisation. 6.4 Director of Public Health The Director of Public Health is the nominated Lead Director for emergency preparedness and business continuity management and has overall responsibility for the management of the BCM system for the organisation. 6.5 Deputy Chief Executive Finance, Contracts & Service Improvement Will be responsible for ensuring that commissioned provider services are required through contract arrangements to provide assurance of appropriate BCM arrangements. Will be responsible for ensuring that the BCM system is incorporated into audit systems 6.6 Commissioned provider services All provider services commissioned by NHS Rotherham will be expected to have their own robust BCM plans and where necessary, will be expected to co-operate and work flexibly to support the overall health response and divert resources to those areas in most need. 6.7 Chief Executive, Directors and Deputy Chief Executive All the above officers have the responsibility for implementing this policy for their Directorate in order to maintain their own key functions and should only seek corporate support when recovery is beyond their own capacity and resources. To enable this they should specifically: 6.7.1 Undertake a Business Impact Analysis using the corporate template to identify and prioritise key services 6.7.2 Implement appropriate control measures to minimise risk to key services and functions assessed as Class 1, Class 2 and Class 3 activities 6.7.3 Create business continuity plans to maintain key services and functions assessed as Class 1, Class 2 and Class 3 activities 6.7.4 Ensure awareness training in relation to BCM plans is carried out for nominated Directorate personnel 9
6.7.5 Ensure plans are validated through an exercise programme 6.7.6 Review and update plans at least annually or after any incident, exercise or organisational change 6.8 Assistant Directors Heads of Services and Managers Will support Chief Executive Directors and Deputy Chief Executives to implement the Policy and Procedures within their area of responsibility. 6.9 Emergency Planning Manager Is a competent person as required by BS NHS 25999 1 and is responsible for providing support to the Director of Public Health in relation to the overall management of the BCM system and will: 6.9.1 Provide specialist advice and guidance in relation to BCM issues 6.9.2 Conduct an Emergency Resilience Risk Assessment based on current and emerging risks and threats 6.9.3 Provide templates to enable production of the individual plans to a consistent standard 6.9.4 Provide a training and exercise programme as outlined in NHS guidance and the Operating Framework 6.9.5 Review and help maintain the corporate BCM system 6.10 Employees All employees will co-operate with managers in implementing the Policy within their area of responsibility. All employees have a responsibility to ensure they are familiar with their individual role and responsibilities during a business disruption. 10
7. PROCEDURE NHS ROTHERHAM 7.1 7.2 7.3 7.4 7.5 An Emergency Resilience Risk Assessment has been carried out and is routinely updated to identify potential causes of business interruptions. This assesses the likelihood of a range of threats and hazards that could affect the Rotherham community and the potential impact on NHS Rotherham and the services it commissions. Control measures to reduce the likelihood and mitigate the impacts of these identified risks are contained in various plans, policies, and in the risk registers. Each Directorate will undertake and routinely review, at least annually, a Business Impact Analysis using a corporate template to identify, in priority order, those services and functions which are the most urgent to maintain and / or resume. Each Directorate will create and routinely review, at least annually, their directorate business continuity plan to maintain as far as reasonably practicable their key services and functions assessed as Class 1 Class 2 and Class 3 activities. It is important that our business continuity plans are based on the consequences of such events rather than the cause and in particular should consider recovery in relation to: 7.5.1 7.5.2 7.5.3 7.5.4 7.5.5 7.5.6 7.5.7 Demand exceeding capacity and routine escalation procedures Lack of sufficient Personnel Loss of access to Premises Failure of Utilities Failure of information or communication technology Break in the Supply chain Failure of a Service provider 7.6 Where a coordinated response is required to effectively manage a widespread business disruption defined as a corporate interruption to services the NHS Rotherham Business Continuity Management Plan will be invoked. 11
8. MONITORING THE COMPLIANCE AND EFFECTIVENESS OF THIS POLICY 8.1 NHS Rotherham Board The effectiveness of these arrangements will be monitored and reviewed and the Board will require regular reports, at least annually regarding emergency resilience, including details of training and exercising undertaken. 8.2 The Director of Public Health Has overall responsibility for the management and monitoring of these arrangements and will provide a report, at least annually to the NHS Rotherham Board to cover developments including details of ongoing reviews, training and exercising. 8.3 The Deputy Chief Executive Finance, Contracts & Service Improvement Will be responsible for the monitoring of commissioned provider services to ensure compliance with contract arrangements in relation to providing assurance of appropriate BCM arrangements. Specifically: 8.4.1 8.4.2 8.4.3 8.4.4 8.4.5 8.4.6 8.4.7 8.4.8 8.4.9 8.4.10 8.4.11 8.4.12 Rotherham NHS Foundation Trust Care UK General Practitioners GP out of hours service Community Pharmacies Dental Practitioners Opticians Rotherham Community Health Services Rotherham Doncaster and South Humber Mental Health NHS foundation Trust Yorkshire Ambulance Service Hospice Any external suppliers of equipment, resources or services that are essential for the maintenance of our identified key services 8.4 Deputy Chief Executive Finance, Contracts & Service Improvement Will ensure that an internal audit report in relation to compliance with this policy is produced at least every 3 years 8.5 The Emergency Planning Manager 8.5.1 8.5.2 Will monitor compliance of the NHS Rotherham BCM system against BS 25999 2 using the self assessment Business Continuity Tool, if available. Will take any lessons learned and evidence of good practice to the Rotherham Health & Social Care Emergency Planning Group in order to continually develop and improve existing arrangements. 12
9. REFERENCES 9.1 Other Policies and Guidance that inter relate and should be read in conjunction with this Policy: 9.1.1 9.1.2 9.1.3 9.1.4 9.1.5 9.1.6 9.1.7 9.1.8 9.1.9 9.1.10 9.1.11 9.1.12 9.1.13 Risk Management and Assurance Framework 2010 Incident and Near Miss Reporting Policy 2011 Health & Safety Policy Organisation and Arrangements 2009 Fire Safety Policy 2010 Estates Policies Information Management and Technology Security Policy 2007 HR Policies as applicable, e.g. Agenda for Change Cabinet Office Emergency Preparedness Guidance 2005 Chapter 6 & 7 BS NHS 25999 1: 2009 BS NHS 25999 2: 2009 Business Continuity Institute Good Practice guidelines 2010 Civil Contingencies Act 2004 NHS Resilience & Business Continuity Management Guidance 2008 10. REVIEW OF THIS POLICY 10.1 This policy will be reviewed every three years. However, the policy may need earlier revision should there be a new requirement to meet statutory, mandatory or good practice standards. 13
Appendix 1 Policy Implementation Plan for the Business Continuity Management Policy and Procedure Time Table This Policy was ratified by the NHS Rotherham Board on... 2011 and will become operational following newsletter. Promotion and Communication It will be cascaded through the Rotherham Health & Social Care Emergency Planning Group and via Intranet. Distribution The Policy will be distributed to members of NHS Rotherham Emergency Planning Groups, Governance Group and the intranet. Training No additional training identified with the implementation of this policy. Costs No costs associated with the implementation of this policy. 14