Update from the Business Continuity Working Group




23 June 2014
Performance and Resources Board
19
To note

Update from the Business Continuity Working Group

Issue

1 The Business Continuity Working Group oversees the development, maintenance and improvement of our business continuity plans and the associated business continuity management system. We continue to work to align these plans with the relevant standard ISO 22301:2012.

2 The Business Continuity Management Policy document has been reviewed and updated to reflect the Corporate Strategy for 2014-2017, and the Business Continuity Policy Summary statement has also been amended to reflect these changes.

Recommendations

3 Performance and Resources Board is asked to:
a Note the work of the Business Continuity Working Group.
b Note the updated Business Continuity Management Policy and Business Continuity Policy Summary statement.

Issue

Background

4 The Business Continuity Working Group (BCWG) is responsible for providing management direction and support during the creation of the Business Continuity Management System (BCMS) and its subsequent development and maintenance. This work is necessary to ensure that we can respond effectively in the event of a disruption to normal operations.

5 The Business Continuity Management Policy sets out the scope and wider framework within which we develop our existing plans and align them to the ISO 22301:2012 standard. It affirms our commitment to continual improvement of the BCMS and in its summary form is available to any external interested parties.

The work of the BCWG

6 The BCWG meets bi-monthly and over the last 12 months has overseen a programme of work to improve the existing plans, enhance response strategies by reviewing past incidents, raise awareness of business continuity across the organisation and further develop a business continuity management system to align with the ISO standard. We have business continuity and pandemic plans in place which have both been updated and approved by the BCWG twice in the last twelve months.

7 As plans are created or updated they are tested. Scenario based exercises and workshops facilitated by external consultants Glen Abbot are run annually. These exercises provide an opportunity for training and form part of the checking process that documentation is fit for purpose.

8 In November and December 2013 exercises were held to test the Emergency Response Plans that were developed for the 3 Hardman Street in Manchester and 350 Euston Road in London sites. These plans provide detailed guidance for front line staff and managers in the event of a significant building evacuation. This guidance for St James's Buildings is also an integral part of the Medical Practitioners Tribunal Service (MPTS) Business Continuity Plan. These three plans were published on the intranet in December 2013.

9 On 6 June 2014 we held a planned offsite recovery test with selected Contact Centre advisers. This proved that the Contact Centre lines can be switched to the Phoenix recovery site and that the staff can relocate to take calls from there, and carry out any necessary actions on GMC systems.

10 This year, we also plan to prepare a comparison matrix setting out the availability of the GMC applications, call handling systems and management information between Hardman Street, London office, the recovery site and other potential recovery locations for various incident scenarios.

11 The Group is planning, as part of its work programme this year, using the BCMS approach, to achieve a higher level of integration into the business at all levels and will be encouraging departments to review their Business Impact Assessments (BIA). These will then be used as the basis for the departmental plans which should document how local teams will respond if a significant incident seriously affects how we normally do business.

12 The Director of Resources and Quality Assurance, as Chair of the Group, has emailed all Assistant Directors and Heads of Section to set out our objectives for this year and ask for their support in making progress across the whole organisation. The Group will promote and monitor this as part of their work programme for 2014.

13 We are also taking this opportunity to explain to staff at all levels that we will be creating plans at local level. We have reminded them in an Inside Info article of mechanisms we have put in place to communicate with them in the event of an incident, and sources of information. We have in place:
a A major incident line where staff can access recorded messages.
b A system for sending a text message to all staff from a central point.
c A printed leaflet about business continuity planning at the GMC with a pull off reference card which has recently been revised and is due to be reissued to all staff. HR also issues this to all new starters.
d Intranet pages which contain links to our central plans and provide general information about our business continuity planning.

14 The Group identifies and reviews any external risks with the potential to disrupt operational activity or affect staff wellbeing. Where necessary, actions to reduce any impact are implemented. Examples since the last update to the Performance and Resources Board at its meeting on 26 June 2013 have included:
a A lightning strike on 3 Hardman St causing a power loss to part of the building, and subsequent lightning strikes in Manchester disrupting rail services.
b Severe water damage at St James's Buildings following sprinkler system leak caused by contractors in another tenant's area.
c Fire alarm system activations at 3 Hardman Street.
d Severe weather warnings both nationally and locally.
e Suspect package in Euston Road underpass causing London office to be cordoned off by the Police.
f Tube strikes.
g Water supply issues for the London office following a water main burst on Euston Road.

15 The BCWG also has a standing agenda item where any incident that has, or could have, interrupted our business, or affected staff welfare is reviewed to see whether there are any lessons to be learned for future planning.

16 The group has noted that the widespread introduction of Scheduled Home Working and Ultrabooks has significantly enhanced the resilience we have in the event of such incidents. The post-incident reviews have enabled us to incorporate such changes in working practice to enhance our response strategies.

Business Continuity Management Policy and policy summary statement

17 The Business Continuity Management Policy and policy summary statement, updated and approved by the Board in June 2013, has since been reviewed by the BCWG to take account of the current Corporate Strategy for 2014-2017 and the current 2014 Business Plan.

18 The most significant changes to the policy document have been made in the sections Organisational Objectives and Obligations of the GMC and Legal and Statutory Obligations where the policy referred to the strategic aims for 2013. These sections now reflect the new Corporate Strategy 2014-2017 and the 2014 Business Plan.

19 This document and the associated BC policy summary statement have been agreed by the BCWG under the terms of reference agreed by the Board at its meeting on 26 June 2013. The revised Business Continuity Management Policy is at Annex A, and the policy summary statement is at Annex B. The signed policy summary statement can be issued to any external interested party.

20 These changes to documentation will not impact on the resource requirements. The Business Continuity Management Policy includes specific reference to our strategic aims, our legal and statutory obligations and ensuring that the interests of key stakeholders are supported.

Supporting Information

How this issue relates to the corporate strategy and business plan

21 Core Activity: BAU_RQA_3: Ensure that the GMC can continue to deliver its primary services in the event of a significant disruption to its business.

If you have any questions about this paper please contact: Steve Jones, Head of Facilities, sjones1@gmc-uk.org, 0161 923 6287.

19 Update from the Business Continuity Working Group

Annex A

Business Continuity Management Policy

Purpose

1 The General Medical Council is committed to developing, maintaining and improving a Business Continuity Management System (BCMS) that enables it to deliver key services to stakeholders in the event of a disruption. This system will be developed with due regard to the GMC business objectives, statutory obligations and levels of risk acceptance.

2 The GMC Business Continuity Management (BCM) Policy sets out the framework within which the GMC develops sustainable business continuity plans and will develop its existing plans to align with the new standard ISO22301:2012. This is achieved through the development of a BCMS involving a process of continual improvement. This planning is necessary to ensure that the GMC can respond effectively in the event of a disruption to normal operations.

Scope

3 This policy applies to all GMC and MPTS staff and their activities at the three main GMC sites listed below:
a 350 Euston Road, London.
b 3 Hardman Street, Manchester.
c St James's Buildings, Manchester.

4 This policy also applies to services provided by GMC staff working at the devolved offices or elsewhere but for business continuity planning purposes the premises are excluded and staff will either transfer their work to one of the larger sites or work from home until alternative premises can be sourced.

5 This policy provides guidance for the resumption and recovery of time sensitive business operations in accordance with their designated priority as critical activities in support of key services as well as ensuring that adequate plans are in place for the less time sensitive business operations.

6 Business Continuity Management System (BCMS) Objectives

7 The objective of the BCMS is to ensure the GMC's strategic aims are not compromised in the event of disruption.

8 In developing a BCMS the GMC will:
- Reduce the risks which otherwise could lead to business interruption.
- Develop Business Continuity Plans which enable the GMC to maintain continuity of service following a business interruption and reduce the impact of such a disruption for our stakeholders in accordance with the agreed recovery time set out in business continuity plans.
- Exercise, maintain, review and improve the Business Continuity Plans to ensure they remain fit for purpose and are appropriate to the current aims and objectives of the GMC.
- Provide the resource needed to establish, operate, maintain and improve the BCMS.

Business Continuity Requirements

9 The GMC's business continuity management policy provides a framework through which the following BC requirements will be met.
- A comprehensive Business Continuity Management System (BCMS) is established and maintained following the requirements of ISO 22301.
- Business impact analysis and risk assessment will be applied to our key services and their supporting activities systems, process and resources.
- The GMC will maintain a Business Continuity Risk Register (BCRR) in order to reduce the likelihood of a disruption and improve resilience. The Corporate Risk Register and the Information Security Register will be monitored for any business continuity related risks which will be reviewed and if necessary included in the BCRR. Unresolved significant or critical risks will be escalated to the BCWG prior to each meeting.
- A Business Continuity Strategy will be developed which will determine the most appropriate methods by which to recover the critical activities and resources within the recovery time objectives following a business interruption.
- Based on the BC Strategy, operational and management plans will be developed that detail how critical activities and their supporting resources will be recovered within their recovery time objectives. These plans will also detail how the incident will be managed.
- Plans are subject to an ongoing exercise programme, continuous review and improvement, so that all stakeholders, including senior managers, can be assured that the BCMS remains up to date, relevant and effective.
- Each department will carry out reviews of their business continuity plans at least annually. This will be facilitated and monitored by the Facilities Manager who has the role of Business Continuity Manager.
- Contracts with suppliers of critical goods and services to the GMC must include a requirement for the supplier's business continuity process to be approved to the satisfaction of GMC.
- All staff must be made aware of the plans that affect their Directorate or section and their role following a BCP invocation.

Organisational Objectives and Obligations of the GMC

10 The strategic aims for the GMC for 2014-2017 set out below allow us to enhance and expand our core work:
- Make the best use of intelligence about doctors and the healthcare environment to ensure good standards and identify risks to patients.
- Help raise standards in medical education and practice.
- Improve the level of engagement and efficiency in the handling of complaints and concerns about patient safety.
- Work more closely with doctors, medical students and patients on the frontline of care.
- Work better together to improve our overall effectiveness, our responsiveness and the delivery of our regulatory functions.

Our continuing core work for 2014 includes:
- Delivering high quality registration, certification, revalidation and licensing services to our published service targets.
- Dealing effectively and appropriately with concerns raised about doctor's fitness to practise.
- Making sure that medical education and training meets our standards.
- Working with others to develop effective relationships with employers, doctors and patients through our liaison services and with other UK and international organisations.

Risk Evaluation and Risk Appetite

11 The Business Continuity Risk Management procedure is complementary to the Risk Management Framework set out by the GMC as part of the internal control and corporate governance arrangements.

12 The procedure enables the organisation to understand the threats and vulnerabilities of its critical activities underpinning the key services and the potential impact caused by a business interruption.

13 Risk evaluation establishes whether risks are adequately mitigated and, if not, determines what additional action is required to reduce their impact or likelihood of occurrence. In each case, we define the level of residual risk that is acceptable.

14 Risk appetite is therefore established on a risk-by-risk basis by defining the level of residual risk that is tolerable and justifiable once mitigating action has been taken.

15 Using these factors, we identify risks that are not adequately mitigated and determine what additional measures are required. Where the residual risk is still considered significant or critical, the procedure details an escalation procedure for further evaluation.

16 Legal and Statutory Obligations

17 The GMC is the independent regulator for doctors in the UK. We have four main functions.
a Keeping up-to-date registers of qualified doctors.
b Fostering good medical practice.
c Promoting high standards of medical education and training.
d Dealing firmly and fairly with doctors whose fitness to practise is in doubt.

18 Our legal purpose is to protect, promote and maintain the health and safety of the public by making sure that doctors meet our standards for good medical practice.

19 We do that by controlling entry to the medical register and setting the standards for medical schools and postgraduate education and training. We also determine the principles and values that underpin good medical practice and we take action when those standards are not met.

20 We have strong and effective legal powers designed to maintain the standards that the public have a right to expect from doctors. We are not here to protect the medical profession - their interests are protected by others. Our job is to protect patients.

21 When any doctor fails to meet our standards, we will act to protect patients from harm - if necessary we will remove the doctor from our register and remove their right to practise medicine.

22 We aim to secure a regulatory system that is independent and accountable and we:
- Put patient safety first.
- Support good medical practice.
- Promote fairness and equality and value diversity.
- Respect the principles of good regulation: proportionality, accountability, consistency, transparency and targeting.

23 The GMC was established under the Medical Act 1858 and over time legislation has been introduced that defines our powers and responsibilities in the various areas of our work. The GMC is a registered charity in England and Scotland and our governing body, the Council, makes sure that we fulfil our charitable purpose and statutory role.

24 The GMC is also committed to ensuring that it meets all the other legal obligations placed upon any business and employer, for example in relation to health and safety, employment, data protection, equal opportunity legislation.

25 The GMC will use its usual communication channels to inform employees and other interested parties of any new or changed legal and regulatory requirements.

Stakeholders

26 The interests of key stakeholders are supported by the BCM Policy. Stakeholders are defined as:
- Patients and public.
- Doctors.
- Educators.
- Medical Students.
- Other Regulators.
- Employers.
- Government.
- Employees.

Key Services

27 In the event of an incident which prevents us from fulfilling our full range of statutory functions we consider being available to the public and profession to advise, confirm registration status and receive any complaints as a key service and will recover the Contact Centre and GMC website as a priority.

28 We will also ensure that the registration of doctors, and where necessary their removal from the register where they are found unfit to practise, will continue. We will therefore restore the registration enquiry service, investigations function and the running of FTP review and IOP hearings as a priority.

Management Commitment and Allocation of Responsibilities

29 The Director of Resources and Quality Assurance is responsible for Business Continuity and will be assisted in this role by the Business Continuity Working Group (BCWG). The BCWG is accountable to the Performance and Resources Board and the Director will refer matters as necessary. This board comprises the Chief Operating Officer, Directors and representative Assistant Directors.

30 The role and responsibilities of the BCWG are set out in the Business Continuity Working Group Terms of Reference document.

31 The role and responsibilities for the management of business continuity across the GMC are set out in the Business Continuity Roles and Responsibilities Document.

Policy Review Date

32 This policy will be reviewed annually from the date of approval.

Related Documents
- Business Continuity Working Group Terms of Reference.
- Business Continuity Roles and Responsibilities document.
- BC Risk Management Procedure.
- GMC Risk Management Framework.
- GMC Business Plan 2014.
- GMC Corporate Strategy 2014-2017.

Document Management

Document storage, access and security

33 All documents comprising the BCMS will be stored securely and centrally on Livelink which is part of the electronic document management system of the GMC. Access to specific documents, ownership and version control will be applied as appropriate to each document. This system is compliant with the ISO27001 standard and managed in accordance with the GMC Information Security Policy. The BCM Policy should not be distributed or transmitted to any other parties without the express permission of the Business Continuity Manager.

Preservation

34 If the document is out of date (i.e. past its review date) it should be destroyed by secure shredding for paper versions and electronic versions should be deleted.

Retrieval and Use

35 This Policy provides the framework and guidance for the Business Continuity Management System and can only be retrieved from Livelink by the Business Continuity Manager, Director of Resources and Quality Assurance or the BCWG. A pdf version is available to staff on the intranet.

Control of Changes

36 Uncontrolled modification and revision of content is prohibited and revision procedures should be followed at all times. No changes should be made to the Policy without the agreement from the Business Continuity Manager either as part of the maintenance programme or during an incident.

37 When major revisions are made the document should be saved as the next version number. For minor revisions the version number should be updated by 0.1.

Preservation of Legibility

38 The document should be legible at all times and company guidelines for the use of style templates should be followed.

Prevention of the Unintended Use of Obsolete Information

39 The Policy should be published with the date on the front page and in the header. It should never be more than 12 months old.

Retention and Disposal

40 Old electronic versions of the BCM Policy should be retained for 3 years in Livelink. After this it should be deleted. Paper versions of the BCM Policy should always be current. Old versions should be securely shredded.

Document Control

Version History

Revision | Status* | Author | Reason for Issue | Date
0.1-0.3 | Drafts for comment | S Tuffrey | Creation and review by BCWG | 7 March 2011 to 15 April 2011
1.0 | Agreed | S Tuffrey | Final agreed version from BCWG | 9 May 2011
1.1 | Draft | S Tuffrey | For review by BCWG/Performance and Resources Board | April/May 2013
1.2 | Issued see below | S Tuffrey | Changes proposed by BCWG/AD R&QA | 15 May 2013
1.3 | Agreed | S Tuffrey | Updated to reflect GMC Corporate strategy 2014-2017 | 4 June 2014

* e.g. Draft, for Comment, Agreed

Review and Sign Off

By | Method | Signature
BCWG | On circulation | Sign off by Chair post circ

Maintenance and Review

Date of Review | Action Required | Responsible Person
Year from approval | Review content for consistency and currency in particular business objectives and management arrangements. | S Tuffrey

Distribution List

Version | Name | Position/Organisation | Method of Issue
1.3 | All members of BCWG | GMC staff members | Livelink link by email

Notes

All personnel listed above receive copies, or are notified, of updated versions of the document. Any other copies provided to third parties are not subject to automatic update.

Glossary

British Standard Definitions

BCMS: Business Continuity Management System is one that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

BCP: Business Continuity Plan is a documented set of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable predefined level.

BCM Policy: The Business Continuity Management Policy sets out the GMC management's commitment to BC including the organisation's objectives and

BC Strategy is the approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption.

Recovery Time Objective is the target time set for the resumption of the service, or resumption of performance of an activity, or recovery of an IT system or application after an incident. (Note: The recovery time objective has to be less than the maximum tolerable period of disruption)

Maximum tolerable period of disruption is the duration after which an organisation's viability will be irrevocably threatened if a service or activity cannot be resumed.

Other Abbreviations

BCWG: Business Continuity Working Group - this GMC group is responsible for the management direction and approval of the BCMS during development phase and subsequent management review once in place. See also terms of reference documentation for further detail.

19 Update From the Business Continuity Working Group

Annex B

Business Continuity Policy Summary Statement

1 The GMC exists to protect, promote and maintain the health and safety of the public by making sure that doctors meet our standards for good medical practice.

2 As an independent regulator for doctors in the UK our job is to ensure patients have confidence in doctors. In order to continue to provide the services which our key interest groups value we have identified the activities which support those services as a priority for recovery in the event of any business disruption.

3 The GMC's Business Continuity policy provides the framework within which we can assure the public that the management procedures in place ensure that we have effective plans which both ensure the safety and welfare of our staff in the event of an incident and that key services are recovered to an acceptable standard as a priority.

4 We consider being available to the public and profession to advise, confirm registration status and receive any complaints as a key service and will recover the Contact Centre and GMC website as a priority.

5 We will also ensure that the registration of doctors, and where necessary their removal from the register where they are found unfit to practise, will continue. We will therefore restore the registration enquiry service, investigations function and the running of FTP review and IOP hearings as a priority.

6 The plans will contain a clear incident management structure and escalation process for the invocation of the plan.

7 There will be a requirement within the plans that communication with key interest groups and staff is centrally managed to ensure it is factual, appropriate and timely.

8 All members of staff who have a role in recovering critical business activities or management of the incident receive regular and appropriate training.

9 The plans which all form part of the overall BCP are exercised regularly to ensure they are fit for purpose and up to date.

10 Accountability for Business Continuity resides with the Business Continuity Working Group, comprising GMC senior management.

11 The BCMS is being developed, implemented, reviewed and maintained with the aim of alignment with the ISO 22301:2012 standard.

Signed: Niall Dickson, Chief Executive
Date: 4 June 2014