1 INTRODUCTION
Business Continuity Management (BCM) is a management-led process which identifies and mitigates risks and disruptions that could affect the capability of the organisation to continue to deliver its prioritised activities during a disruptive incident.
The Civil Contingencies Act 2004 and its associated statutory guidance place a duty on Hirett as a Category 1 responder to have Business Continuity Plans in place so that it can perform its critical activities in the event of an emergency or business interruption.
All NHS funded organisations are expected by the Department of Health (DoH) to ensure that their Business Continuity Management System (BCMS) conforms to the requirements laid out in International Standards Organisation (ISO) 22301:2012 – Societal Security – Business Continuity Management and its associated guidance, as well as the service specifications and Business Continuity NHS Core Standards.
2 PURPOSE
The purpose of this procedure is to describe the Trust’s BCMS, governance arrangements and its system of internal control.
This procedure applies to all parts of the Trust; there are no exclusions, although emphasis is placed on those departments that are directly responsible for, or directly support, the Trust’s prioritised activities.
The following areas are those that need to be covered:
1. Business Levels:
What levels of business are acceptable, for what periods of time? E.g. a series of levels starting with ‘Business as Usual’, through one or more ‘emergency levels’ down to ‘no business’.
2. Locations:
What alternative locations are there? E.g. other offices of the organisation, hosted premises from a service provider, working from home.
3. Staffing:
Which critical functions could be done by staff other than those who would usually carry them out? Which critical functions are most vulnerable to key staff absence?
4. Infrastructure:
What backup systems exist? Which systems have fallbacks in remote sites? Which systems have backups offsite? Where can phone lines be diverted to? What other switchboard/reception facilities could be used?
5. Key Suppliers:
What alternatives are there?
The aims and objectives of the procedure are:
• To have an effective BCMS in place to meet our legal and statutory obligations, and to ensure that in the event of a business disruption we can continue to undertake our prioritised activities.
• To develop, maintain and continuously improve a Business Continuity Management System which satisfies the requirements of ISO 22301.
• To use the BCMS to identify, protect and maintain prioritised activities, in order to deliver and recover services to an acceptable level within the time detailed in the Business Impact Assessment.
• To develop appropriate plans, arrangements and processes which tolerate, treat, transfer or terminate the impact of any disruption to the BCMS identified prioritised activities.
• To maintain, exercise and test the plans, arrangements and processes so that they are current and effective.
• To embed Business Continuity into the culture of the organisation for all staff through training, education and awareness raising.
Externally, the Trust will expect the same commitment to BCM from the suppliers of critical goods and services.
Definitions
Category 1 Responder – Organisations at the core of a response to most emergencies. Responding organisations are divided into categories by the Civil Contingencies Act (2004). A foundation trust is a Category 1 responder.
Business Impact Assessment – Process of analysing activities and the effect that a business disruption might have upon them. (ISO 22301:2012)
Business Continuity Plans – Documented procedures that guide organisations/departments to respond, recover, resume and restore to a predefined level of operation following disruption. (ISO 22301:2012)
3 ROLES AND RESPONSIBILITIES
Board of Directors
Will ensure overall accountability for developing a business continuity culture, providing leadership from the top of the organisation and ensuring that business continuity activities are carried out in line with the Emergency Preparedness, Resilience and Response policy.
Chief Executive
The Chief Executive is responsible for ensuring that the Trust complies with all statutory requirements of the Civil Contingencies Act 2004 including those regarding business continuity.
Accountable Emergency Officer (AEO)
The AEO, currently the Director of Human Resources and Workforce Development, must ensure that a business continuity strategy is in place and provide support to the Head of Security and Emergency Resilience. The AEO will provide updates to the Executive Board and the Board of Directors on matters relating to business continuity.
District and Deputy District Directors (DDDs)
These are responsible for implementing the business continuity procedure within their divisions, including nominating appropriate personnel as business continuity leads. They are also responsible for the approval of business continuity documents within their division, such as business impact analyses (BIAs) and business continuity plans.
Head of Security & Emergency Resilience
Brings to the attention of the Director of Human Resources & Workforce Development any matter that has a bearing on the EPRR arrangements of the Trust.
Emergency Planning Adviser (EPA)
The Emergency Planning Adviser will work with and support business continuity leads to ensure BIAs are completed and robust business continuity plans are written and in place. The EPA will also coordinate the electronic storage of, and access to, these documents, and their archiving once they have been updated.
Departments will also be supported by the EPA with the testing of plans.
Business Continuity Leads
Business Continuity (BC) Leads will lead in coordinating and writing the business continuity plans and arrangements for the relevant department, ensuring plans are in place, reviewed and tested as per the requirements of the Trust’s Business Continuity Management Procedure. The BC Lead will work with colleagues at all levels of their own department and the BC leads for other departments to develop and deliver sound plans, processes and systems to mitigate the identified risks to the Trust’s/Department’s prioritised activities.
The leads must ensure that BCPs are reviewed as required.
4 PROCESS
The Trust will take the approach required by the ISO 22301:2012 standard and its associated guidelines, dovetailed with the Business Continuity Institute Good Practice Guide (2013), which will ensure that the Trust develops a BCMS in line with the Civil Contingencies Act (2004) statutory requirements relating to business continuity. This approach, based on best practice, will ensure that SWYPFT can achieve its objectives for business continuity.
This procedure provides a strategic framework for the Trust which establishes how the organisation will drive its Business Continuity Management programme towards compliance with ISO 22301:2012.
It adapts the well-established Business Continuity Management lifecycle (shown in Figure 1) and applies it.
The Trust is committed to working towards alignment to ISO 22301 as part of its continual improvement and assessment, which is carried out by independent auditors. The BCMP guidance document supports the Trust BCMS by providing specific information, templates and guidance on the Trust’s intention in relation to the BCMS and should always be utilised in the development of any new BC plans and arrangements.
BCMS process:
Compliance with ISO 22301 Business Continuity Standard.
The absence of Business Continuity may have critical consequences; therefore the Trust adopts the Plan, Do, Check, Act process as part of good management practice, contributing towards the reduction of risk and thus ensuring that the key strategic intentions and core values of the service are achieved.
The Trust is committed to an on-going management and governance process, fully supported by the Board and appropriately resourced.
• Each department will have a current and up to date Business Impact Analysis (BIA).
• Each department will have a current and up to date Business Continuity Plan (BCP).
• Each department will have completed risk assessments in relation to its Business Continuity risks.
• All departments will test their business continuity arrangements via an exercise or debrief of a business continuity event and produce a report of the lessons identified (see Appendix 1).
A target of 100% compliance will be achieved over a three-year period, with a third being completed in each 12-month period.
5 TRAINING
The EPA will maintain the appropriate training, competencies and currency in relation to the BCMS.
Nominated Departmental BC Leads must meet the requirements of the BC Lead role profile; assessment of competence will be determined by the Assistant District Directors. Training and on-going support will be provided by the EPA.
6 MONITORING COMPLIANCE WITH THIS POLICY DOCUMENT
The effectiveness of this policy and the BCMS objectives will be monitored through:
• An annual top management review;
• A quarterly progress and exceptions report to the appropriate committee via the EPA;
• Business Continuity will be covered in the Emergency Preparedness, Resilience and Response annual report to the Executive Board and Board of Directors.
7 REFERENCES
• BRITISH STANDARDS INSTITUTE. 2012. ISO 22301 Societal Security – Business Continuity Management Systems – Requirements. London.
• BUSINESS CONTINUITY INSTITUTE. 2013. Good Practice Guidelines 2013, available at www.thebci.org
• CABINET OFFICE. 2004. The Civil Contingencies Act 2004, London: Cabinet Office
• CABINET OFFICE. 2011. PAS 200: Crisis Management-Guidance and Good Practice
• Care Quality Commission Standards
• DEPARTMENT OF HEALTH. 2005. Emergency Preparedness Division, The NHS Emergency Planning Guidance, London.
• DEPARTMENT OF HEALTH. 2005. Emergency Preparedness Division, The NHS Emergency Planning Guidance: underpinning material, The Ambulance Service. London.
• DEPARTMENT OF HEALTH. 2008. NHS Resilience and Business Continuity Management Guidance: Interim Strategic National Guidance for NHS Organisations
APPENDIX 1
Emergency Preparedness – Post Incident Report for use and testing of plans
Initial Review of Lessons Learned from [EVENT]
BDU:
Name:
Date:
Areas that went well in response to the [EVENT]
Areas that need to be strengthened
Were Business Continuity Plans Implemented?
Remarks