EPRR: Toolkit Business Impact

Similar documents
NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

Business Continuity Policy

Business Continuity Policy

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy

EPRR: BCP - Checklist

BUSINESS CONTINUITY POLICY

Business Continuity Management Policy

Essex Clinical Commissioning Groups. Business Continuity Management System. Business Impact Analysis Process

NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy. Version 1.0

EPRR: Toolkit Facilitator Guide

1.0 Policy Statement / Intentions (FOIA - Open)

BUSINESS CONTINUITY MANAGEMENT POLICY

Solihull Clinical Commissioning Group

BUSINESS CONTINUITY POLICY

Business Continuity Policy

Temple university. Auditing a business continuity management BCM. November, 2015

BUSINESS CONTINUITY PLAN

Desktop Scenario Self Assessment Exercise Page 1

Business Continuity Management

Business Continuity Plan

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager

Essex Clinical Commissioning Groups. Business Continuity Management System. Scope and Policy

Business continuity plan

BUSINESS CONTINUITY MANAGEMENT POLICY

Business Continuity: NHS Workshop Appendix 1.1

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

Business Continuity Management

Business Continuity Policy

Business Continuity (Policy & Procedure)

Coping with a major business disruption. Some practical advice

Business Continuity Policy

abcdefghijklmnopqrstu

NHS Sheffield CCG Business Continuity Policy

Business Continuity Policy & Plans

Emergency Preparedness, Resilience and Response (EPRR)

PROCESS FOR RISK ASSESSMENT

Business Continuity Planning Guide

BUSINESS CONTINUITY PLANNING

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

RISK MANAGEMENT STRATEGY

Emergency Response and Business Continuity Management Policy

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

NHS Lancashire North CCG Business Continuity Management Policy and Plan

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO AUDITS, CERTIFICATION AND TRAINING

CORP RISK MANAGEMENT POLICY & METHODOLOGY

London 2012 Olympic Safety and Security Strategic Risk. Mitigation Process summary Version 2 (January 2011) Updated to reflect recent developments

Business Continuity Planning. Presentation and. Direction

PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE INTRODUCTION. 1 What is Business Continuity Management? 2 Link to Risk Management

Business Continuity Management Policy and Plan

Version: 3.0. Effective From: 19/06/2014

Business Continuity Management Policy and Plan

Guideline on Business Continuity Management

Business continuity management policy

Business Continuity Plan

Bedford Group of Drainage Boards

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

RISK MANAGEMENT POLICY

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Business Continuity Management For Small to Medium-Sized Businesses

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Business Continuity Template

NHS Commissioning Board Business Continuity Management Framework (service resilience)

Business Continuity Management (BCM) Policy

BUSINESS CONTINUITY PLAN

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

39 GB Guidance for the Development of Business Continuity Plans

Interactive-Network Disaster Recovery

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

SAMPLE RISK MANAGEMENT PLAN

NHS 24 - Business Continuity Strategy

Proposal for Business Continuity Plan and Management Review 6 August 2008

V1.0 - Eurojuris ISO 9001:2008 Certified

Core Infrastructure Risk Management Plan

Confident in our Future, Risk Management Policy Statement and Strategy

TRUST POLICY FOR EMERGENCY PLANNING

Risk Management Policy and Framework

Business Continuity Planning

BUSINESS CONTINUITY PLANNING GUIDELINES

BUSINESS CONTINUITY PLAN

BUSINESS IMPACT ANALYSIS.5

SFJCCAD2 Promote business continuity management

Information Security Management System. Business Continuity and Disaster Recovery Plan Policy. The Smart Cube. Description Change

[INSERT NAME OF SCHOOL] BUSINESS CONTINUITY PLAN

Business Continuity Planning Principles and Best Practices Tom Hinkel and Zach Duke

Business Continuity Planning and Disaster Recovery Planning

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

Business Continuity Management Framework

Transcription:

NHS England Business Continuity Management EPRR: Toolkit Business Impact Assessment (BIA) Template Appendix 3.1 0

[Intentionally Blank] 1

INTRODUCTION The purpose of this document is to assist those who are developing a business continuity plan for their organisation and includes a number of key areas they should consider. This template is produced in the spirit of ISO 22301 & 22313 but focusses on the priorities around which the NHS England EPRR core standards are set. It is also recognised that there is not a single one template that can fit the NHS, hence this template is generic and can be adapted as the organisation requires. BC Leads should use this information derived from the BIA and Risk Assessment to prioritised activities to inform the development of the business continuity plans. GUIDANCE Further guidance on the wider subject of Business Continuity can be sort from: www.england.nhs.uk/eprr NHS standard contracts 2013/4 the NHS England Planning Framework 2013 the NHS England Emergency Preparedness Framework 2013 ISO 22301 Societal Security - Business Continuity Management Systems Requirements ISO 22313 Societal Security - Business Continuity Management Systems Guidance PAS 2015 - Framework for Health Services Resilience DOCUMENT USE This BIA template should be used to summarise and document the work which had been undertaken in the workshop which discussed and explored wedthe NHS England Business Continuity Toolkit. For each critical activity or risk which the organisation faces, a copy of the BIA template is to be completed and used to assist in the development of the organisation s Business Continuity Response Plan.

Reference Number: (Business Continuity Lead to allocate unique number) 1 Name of author: 2 Job title of author: 3 Author telephone and e-mail:+ 4 Date: 5 Business Continuity Lead: 5 Name and description of building / service and location: 6 Essential / prioritized activities undertaken 1 Red 2 Amber 3 Green 4 Responsible Officer i. ii. iii. 7 Impact of disruption to essential activities Length of disruption Impact & Score 5 Tolerable (Yes or No) First 24 hours 24-48 hours Up to 1 week 1 Essential (prioritised) activities are those where priority must be given following an incident to mitigate impacts, 2 Red activities are those that must be continued. 3 Amber activities are those that which could be scaled down if necessary. 4 Green activities are those which could be suspended if necessary. 5 1=Insignificant, 2=Minor, 3=Moderate, 4=Significant, 5=Catastrophic 3

8 Risks to essential activities Risk Mitigation 9 Do you prioritized activities vary at different times of the month or year? Please explain 10 Maximum Tolerable Period of Disruption (MTPD): Length of disruption Impact Tolerable Y/N First 24 hours 24-48 hours Up to 1 week More than a week 10 Recovery time objective (RTO): 11 Category of activity (tick) A activities which must be continued B activities which could be scaled down if necessary C activities which could be suspended if necessary 12 People required to maintain / restore the service (WTE) and grades):

13 Premises required to maintain / restore the service 14 Technology required to maintain / restore the service 15 Information required to maintain / restore the service 16 Supplies required to maintain / restore the service 17 Stakeholders required to maintain / restore the service 18 Other notes 5

BUSINESS CONTINUITY RISKS Which of the following hazards and threats are relevant to your department or service? Hazard of threat Y or N Why? 1 Fire or flood 2 Loss of electronic records 3 Loss of paper records 4 IT systems/application failure 5 Mobile telephony failure 6 Major IT network outage 7 Denial of premises 8 Terrorist attack or threat affecting the transport network or office locations 9 Theft or criminal damage 10 Chemical contamination 11 12 Serious injury to, or death of, staff whilst in the offices. Significant staff absence due to severe weather or transport issues 13 Infectious disease outbreak 14 Simultaneous resignation or loss of key staff 15 Industrial action 16 Fraud, sabotage or other malicious acts 17 Violence against staff 18 Please add any other relevant threat

Date reviewed Impact Likelihood Date for review Residual risk RISK ASSESSMENT TEMPLATE Risk Assessment Ref Existing controls RAG status Senior Responsible Officer Mitigating Actions Risk Owner 7

RISK MITIGATION OVERVIEW Very high 5 High 4 Medium 3 Low 2 Very low 1 Impact Likelihood 1 Rare 2 Unlikely 3 Possible 4 Likely 5 Almost certain

CONTINUITY REQUIREMENTS ANALYSIS Prioritised Activity Recovery time objective (RTO)6 Premises required to restore the service Technology required to restore the service Information required to restore the service Recovery Point Objective (RPO) 7 Supplies required to restore the service Stakeholders required to restore the service Maximum Tolerable Period of Disruption (MTPoD) 8 6 The RTO is the period of time following an incident within which an activity must be resumed. 7 The RPO is the point to which information used by an activity must be restored to enable the activity to operate on resumption. 8 The MTPoD is the time frame during which a recovery must be affected before an outage compromises the ability of to achieve the organisation s business objectives and/or survival, also referred to as the Maximum Acceptable Outage. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information