Castle Point & Rochford Clinical Commissioning Groups. Business Continuity Management System. Business Impact Analysis Process

Transcription

1 Item 10c Appendix 2 Castle Point & Rochford Clinical Commissioning Groups Business Continuity Management System Business Impact Analysis Process Policy Author: Daniel Hale - Head of Emergency Planning Version: 1.0 Date ratified: 03/07/2013 Ratifying Body: Essex CCG Integrated Emergency Preparedness Committee Review date: 03/07/2014 Impact Assessment Date: Page 1 of 11

2 Contents 1.0 Introduction Information Definitions Key Services Prioritised Activities Minimum Business Continuity Objectives Time Critical Periods Planning Assumptions Risk Management Initial BIA Method Full BIA Method Business As Usual Operations Staffing Location of Activity Information Technology Systems Equipment Key Dependencies Critical Time Periods/Service Priorities Minimum Business Continuity Objectives Minimum Business Continuity Objectives Staffing Location of Activity Information Technology Systems Equipment Risk Assessment Approval Process BIA Review Method Annual Review Ad-hoc BIA Review Emergency Planning Team Review Audit Programme Training Schedule of BIAs... Error! Bookmark not defined. 9.1 Basildon and Brentwood CCG... Error! Bookmark not defined. 9.2 Castle Point and Rochford CCG... Error! Bookmark not defined. 9.3 Mid Essex CCG... Error! Bookmark not defined. 9.4 North East Essex CCG... Error! Bookmark not defined. 9.5 Southend CCG... Error! Bookmark not defined. 9.6 Thurrock CCG... Error! Bookmark not defined. 9.7 West Essex CCG... Error! Bookmark not defined. Page 2 of 11

3 1.0 Introduction Castle Point & Rochford Clinical Commissioning Group (CCG) is committed to implementing a robust Business Continuity Management System (BCMS) to ensure the continued delivery of safe and effective healthcare commissioning and management through alignment to ISO Business Impact Analysis (BIA) is a vital process in achieving alignment, which will enable an understanding of the affects a business continuity incident may have on the operations of Castle Point & Rochford CCG. BIAs will be undertaken in support of Castle Point & Rochford CCG Business Continuity Management System Scope and Policy (which provides the framework and purpose for implementing BCM) to enable the organisation to comply with the BC requirements of the Department of Health and the expectations of stakeholders, through the implementation of a BCMS. 1.1 Scope The scope for BIA is informed by the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy and will include: All business operations undertaken in the course of commissioning and managing healthcare services; and Any supporting dependency, which supports the prioritised activities and key services of the CCG. 1.2 Aim By undertaking BIA and regular review as per ISO22301, Essex CCGs aim to establish: Prioritised activities; Locations for prioritised activities; Resources required for prioritised activities; Dependencies for prioritised activities; Service level risk assessments; and Changes to business operations For the defined key services as documented within Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. To determine the impact of a disruption to prioritised activities which support Essex CCGs key services by; Assessing over time the impacts that would occur if an activity was disrupted Establishing the Maximum Tolerable Period of Disruption (MTPOD) identifying; - the maximum time period after the start of a disruption within which the activity needs to be resumed, - the minimum level at which the activity needs to be performed on its resumption (Minimum Business Continuity Objective - MBCO) - the level of time within which normal levels of operation need to be resumed (Recovery Time Objective- RTO) To document the impact of a disruption to prioritised activities, which support Castle Point & Rochford CCG key services, through the creation of completed and document controlled BIA datasheets. 1.3 Objectives Castle Point & Rochford CCG s main objective for undertaking BIA is to: Page 3 of 11

4 Undertake initial project work to meet the requirements of alignment to ISO22301; Regularly review prioritised activities to maintain the BCMS; Capture change to Castle Point & Rochford CCG operations; and Increase assurance of Castle Point & Rochford CCG s resilience to respond to and recover from disruptive incidents. 2.0 Information 2.1 Definitions The Castle Point & Rochford CCG Business Continuity Management System Scope and Policy outlines all definitions within the Business Continuity Management System, including the use of all ISO22301 descriptors. 2.2 Key Services The key services of Castle Point & Rochford CCG will be determined annually by the Chief Operating Officer and approved by CCG Board/Governing Body, in consultation with key stakeholders, and will be documented within the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. 2.3 Prioritised Activities The prioritised activities will deliver the organisations key services and will be determined by the BIA Process. Prioritised activities will be approved annually by Chief Operating Officer and CCG Board/Governing Body and will be documented within the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. 2.4 Minimum Business Continuity Objectives The Minimum Business Continuity Objectives (MBCO) for each prioritised activity will be determined annually by Chief Operating Officer and approved by the CCG Board/Governing Body, and will be documented within the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. The following MBCO have been agreed: 2.5 Time Critical Periods The time critical periods for each prioritised activity will be determined annually by Chief Operating Officer and approved by CCG Board/Governing Body and will documented within the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. 3.0 Planning Assumptions The perceived disruptions and risks to the CCGs key services and prioritised activities are likely to be caused by, but not limited to the following scenarios; Loss of Staff - Increased staff sickness/absence due to pandemic influenza or infectious disease outbreak (including increased caring requirements through the closure of schools). - Increased union activity. - Inability of staff to travel to place of work caused by severe weather, major transport failure or disruption to road fuel network. Page 4 of 11

5 - Increased vacancy rate due to high staff turnover. Loss of facilities - Full or partial loss of CCG premises due to severe weather, for example flooding. - Full or partial loss of CCG premises due to loss of utilities, for example electricity, gas and water provision failure either internal or external. - Full or partial loss of CCG premises due to fire/explosion, flood or structural failure. Loss of Systems and Software - Full or partial loss of CCG networked computer systems (including hardware such as printers & photocopiers) for example power failure, corruption of data or systems failure. - Full or partial loss of CCG communications systems, for example systems failure either internal or external (including networked telephones, mobile telephones & pagers. Supply of external products and services - Inability of suppliers to deliver consumables or services, for example equipment maintenance, office supplies or services delivered through the Commissioning Support Unit (CSU) such as Information Technology. 4.0 Risk Management The Business Continuity Management System will fully integrate with CCG Risk Management Strategies as per Section 9.0 Risk Management of the Business Continuity Management System Policy and Scope. 5.0 Initial BIA Method Initial BIA s were undertaken by the Emergency Planning Team as part of the project work to align to ISO22301 following the Full BIA Method outlined in Section X and included the creation of datasheets for: Prioritised activities as per the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy; and Key dependencies provided by the Commissioning Support Unit as per the Castle Point & Rochford CCG Business Continuity Management System Scope and Policy. 6.0 Full BIA Method Full BIAs will be undertaken using the Template BIA Datasheet (Appendix One) following the method outlined. It is recommended that they are undertaken in a workshop format led by the Head of Emergency Planning, with attendance from Heads of Service and a number of staff across pay bands. A variety of pay bands/roles from services should be represented to ensure that those familiar with undertaking prioritised activities are able to contribute. The BIA workshop should be led by the process set out in the Template BIA Datasheet and should focus on: Page 5 of 11

6 6.1 Business As Usual Operations The aim of this section is to document the routine business as usual working arrangements for the following; Staffing The information provided should include the number of whole time equivalents, current work rota broken down by day, time and quantity of staff by pay band and any operational differences which may occur, such as work only undertaken by a morning shift, e.g. Service / Activity Performance & Corporate Services Total Number of Staff (WTE) Monday to Friday Band 4x Band 5x1, , Band 5 x1 (Monday, Thursday & Friday) Band 8a (Tuesday Friday) 20 hrs spread over Wednesday & Thursday Band 8d Vacant Band 7 Corporate & Performance Officer 5 (1 Band 7 Post Vacant) Location of Activity The information provided should detail the building location and owner, listing the physical areas used to undertake prioritised activities. The information should reflect the geographical locations for activities, e.g. Location of Services / Activities (inc Building Name & Address) Performance & Corporate Services First Floor, Phoenix Place, Christopher Martin Road, Basildon, Essex, SS14 3HG Building owned by (Prop Co/Trust/Community Site/3 rd Party) Stock Place Holdings Limited Services / Activities Performance & Corporate Services Information Technology Systems The information provided should list the IT hardware, software and telephony equipment including quantities used within the location to undertake prioritised activities listed alphabetically, e.g. Service / Activity IT Hardware IT Application / Software (inc version) Performance & Corporate Services Desk Top Pc x1 (On order for hot desk) x5 laptops & additional monitors Microsoft Office 2010 Internet Explorer Adobe Reader Landline x6 Telephony Equipment The information provided should create a matrix of equipment including quantities for large/specialist pieces used to undertake the prioritised activities and listed alphabetically e.g. Page 6 of 11

7 Equipment: Franking Machine Photocopier Binding Machine Service / Activity Corporate Services No Yes Yes Reception Yes Yes No Key Dependencies The aim of this section is to define what key dependencies the department have during routine working, including departmental, internal and external e.g. Departmental The information provided should list any internal individuals within the department on whom there is a key dependency, such as specific skills, expertise or access not shared with others in the department, e.g user access to specific system. Name of individual/ Title of Role Nominated Deputy: Skills / expertise not shared with colleagues Michelle Angell Sara Tindell Suppliers The information provided should list any internal departments and external organisations which provide a service, product or goods listed alphabetically, e.g. Service / Activity Internal Supplier Service/product or goods provided External Supplier Reception CSU DHL Royal Mail Service/product or goods provided Courier Services Postal Services Customers The information provided should list any internal departments and external organisations which receive a service, product or goods listed alphabetically e.g. Service / Activity Internal Customer Service/product or goods received Reception All Departments Reception Visitors Switchboard External Customer General Public Service/product or goods received Switchboard Impact Level 6.2 Critical Time Periods/Service Priorities The aim of this section is to agree what impact a disruption to the delivery of a service/product would have over time, so that the priority for service restoration can be established. A rating for each of the impact priorities over time should be given for each of the services, products and activities using the following descriptors. Description Patient Experience / Outcome and Quality Financial Cost/Loss Page 7 of 11 Adverse Publicity/ Reputation Business Objectives 1 Insignificant Unsatisfactory patient experience not directly related to patient care Small loss Rumours No impact to delivery of business objectives 2 Minor Unsatisfactory Loss > 0.1% of Local Media - Minor delay in

8 patient experience - readily resolved 3 Moderate Mismanagement of patient care, short term effects (less than a week) 4 Major Serious mismanagement of patient care, long term effects (more than a week) 5 Catastrophic Totally unsatisfactory Patient outcome or experience budget Loss > 0.25% of budget Loss > 0.5% of budget Loss > 1% of budget short term. Minor effect on staff morale. Local media - long Term. Significant effect on staff morale. National Media <3 days National Media >3 days. MP concern (questions in the House) delivering some non-core business objectives Inability to operate some non-core business objectives Ability to only operate/provide core business objectives only Inability to operate/provide some core business objectives NB: Descriptors were shared with governance, risk and executive leads across CCGS for comment/agreement. Service/Product /Activity Impact Priorities Patient Safety / Outcome Financial Cost/Loss Reputation Business Objectives Priorities 0 4 Hour Hours 1 Day 3 Days 1 Week 2 Weeks 3 Weeks 1 Mnth 1+ Mnths Minimum Business Continuity Objectives This section will establish the Minimum Business Continuity Objectives for each service, based upon the Critical Time Periods and Service Priorities. Service Clinical Quality Minimum Business Continuity Objective Within 4 hours Clinical Quality will undertake all SUI reporting and investigation. 6.3 Minimum Business Continuity Objectives The aim of this section is to agree what resources would be required to fulfil the Minimum Business Continuity Objectives to be achieved for prioritised activities, during the recovery phase from a business continuity incident to ensure the safe and effective continuation of healthcare commissioning and management. The information gathered under business as usual operations (Section 7.1) should be reviewed to state the MBCO for each category Staffing The information provided should list the minimum number of whole time equivalents and any changes to work rotas broken down by day, time and minimum quantity of staff by pay band required to deliver MBCO, e.g. Page 8 of 11

9 Service / Activity Performance & Corporate Services Total Number of Staff (WTE) Monday to Friday Band 4x Band 5x1, , Band 5 x1 (Monday, Thursday & Friday) Band 8a (Tuesday Friday) 20 hrs spread over Wednesday & Thursday Band 8d Vacant Band 7 Corporate & Performance Officer Location of Activity The information provided should list the minimum physical areas required, listed alphabetically, to undertake the BCMO. Open plan areas should be broken down into areas by the activity undertaken and listed alphabetically, e.g. Location of Services / Activities (inc Building Name & Address) Performance & Corporate Services First Floor, Phoenix Place, Christopher Martin Road, Basildon, Essex, SS14 3HG Building owned by (Prop Co/Trust/Community Site/3 rd Party) Stock Place Holdings Limited Services / Activities Performance & Corporate Services Information Technology Systems The information provided should list the IT hardware, software and telephony equipment including quantities required by each to department to provide MBCO, alphabetically, e.g. Service / Activity IT Hardware IT Application / Software (inc version) Performance & Desk Top Pc x1 (On Microsoft Office 2010 Corporate Services order for hot desk) Internet Explorer x5 laptops & additional Adobe Reader monitors Landline x6 Telephony Equipment The information provided should create a matrix of equipment including quantities for large/specialist pieces required to provide MBCO, listed alphabetically. Equipment: Franking Machine Photocopier Binding Machine Service / Activity Corporate Services No No No Reception No No No 6.4 Risk Assessment This section lists the disruptive events to prioritised activities using the likelihood descriptors of the Corporate Risk Register. Page 9 of 11

10 Risk I L R Mitigation I L R Outcomes, evidence and residual risk Loss of Telephony x Resilient phone lines with redundancy SLA with BT for 4 hour resolve time Ability to divert switchboard number Approval Process The completed datasheet will be approved by the person with responsibility for the departmental/function at board level, who will be responsible for ownership of the datasheet, ensuring it is kept up to date with any changes to prioritised activities, key services or departmental resourcing, undertaking BIA reviews as required. BIA outcomes are recorded within the Business Continuity Management System Scope and Policy; as such this document receives formal approval at CCG Board/Governing Body level in line with Section 14.1 Document Approval, of the Scope and Policy Document. 7.0 BIA Review Method To ensure that datasheets for prioritised activities are maintained, to reflect the key services of Essex Clinical Commissioning Groups and their prioritised activities, a review programme will be implemented. All reviews will be carried out in line with this policy to ensure auditable records of these evaluations and to enable monitoring of any recommended changes. The purpose of BIA review is to ensure that datasheets remain up to date and correctly reflect the organisation and departments: Key products and services; Prioritised activities and resources; Key dependencies; Risk assessment; and Changes to business operations or processes. 7.1 Annual Review An annual review will be undertaken by the departmental manager with ownership for the datasheet, with the date determined by the ratification date. 7.2 Ad-hoc BIA Review As business and departmental structures and processes change, it may be necessary for the departmental manager with ownership of the datasheet to conduct ad-hoc review to ensure the information is correct and up to date. An ad-hoc review will be required for any operational or business change which affects or changes a departments current BIA. All completed BIA reviews will be required to receive approval from Castle Point & Rochford CCG Board/Governing Body as per Section 14.1 Document Approval of the Business Continuity Management System Scope and Policy. 7.3 Emergency Planning Team Review To ensure the BCMS remains fit for purpose a table top review of all BIAs will be undertaken by the Emergency Planning Team in conjunction with the named datasheet owner every three years. The date for EP review will be determined by the original ratification date. Page 10 of 11

11 7.4 Audit Programme BIA datasheets will be included within the Business Continuity Management System Audit Programme and Schedule. 8 Training Training for individuals with Business Continuity responsibilities has been assessed within the Business Continuity Management System Training Needs Analysis. It is expected that all individuals within the organisation will have completed Mandatory Business Continuity Training. Page 11 of 11