Business Continuity Framework

Transcription

1 Business Continuity Framework Author: Simon Featherstone, Business Continuity Specialist and Chris Orr, Business Planning Manager Date: 11 November 2016 Version: 1a Publication/ Distribution: Executive Team Business Continuity Group Public Health Wales (all staff) Purpose and Summary of Document: The purpose of this paper is to describe the framework and design for Business Continuity within Public Health Wales. It provides the principles, approach and assumptions that drive the development, implementation and ongoing maintenance of business continuity arrangements within the organisation. Date: 11/11/2016 Version: 1a Page: 1 of 12

2 1 Introduction This document describes the framework and design upon which Public Health Wales Business Continuity implementation is based. It provides a formal statement of the fundamental principles that drive its development and presents the approach that Public Health Wales takes to mitigate and resolve the various risks that threaten normal business operation, especially critical functions and services. It is one of the Public Health Wales Business Continuity portfolio of documents and plans, which also includes the Business Continuity Incident Management Process, Business Impact Analyses, Business Continuity Plans and a variety of associated project, testing and administrative documents. The business continuity structure is fully outlined in appendix 1. The framework and design provides the context under which the business continuity implementation is undertaken by: Describing the processes used in the creation of business continuity arrangements for Public Health Wales Describing the high level principles that will be applied in the planning, provision and execution of Public Health Wales business continuity arrangements Identifying any strategies that may already have been adopted within existing plans, or any new ones that can be established, to enable the ongoing provision of the identified critical business functions within Public Health Wales Defining the overall structure and approach taken to implementing Business Continuity and associated activities within Public Health Wales. This document will be regularly reviewed, at least annually, to ensure that it continues to reflect: The critical operation of the business The operational risk profile associated with each Public Health Wales location/premises The changes, growth and development of the business over time. Public Health Wales is committed to demonstrating leadership in respect of implementation of Business Continuity processes and procedures. The purpose of these arrangements are intended to enable the organisation to continue to perform its functions, particularly those deemed essential, in the occurrence of an emergency and in the event of an incident occurring, to effectively manage a response through to resolution. Date: 11/11/2016 Version: 1a Page: 2 of 12

3 2 Approach At the core of any business continuity implementation are 3 key elements: The business impact analysis Production of the relevant business continuity plans The incident management process by which those plans are invoked and used 2.1 Business Impact Analysis The Business Impact Analysis has been undertaken to identify the critical functions (key services) and analyse the effect that a business disruption might have on them. It includes an analysis which examines the critical functions and what, by way of people, accommodation, services and resources, need to be made available, in what timescales, to avoid an interruption to these critical functions becoming intolerable. A Business Impact Analysis has been undertaken by each Directorate/Division by a nominated business continuity lead. The consolidated results act as a core reference source for the detailed planning required in the development of the individual business continuity plans for the identified critical functions and management of business continuity incidents. The Business Impact Analysis will be reviewed annually to ensure that plans, processes and any applied measures are still valid and together continue to offer a viable business continuity solution. 2.2 Business Continuity Plans There are innumerable risks that can threaten normal operation of Public Health Wales critical functionality. However, the impacts from all risks can be categorised into one of three different generic impacts: Denial of access Interruption to key service(s) Unavailability of personnel The business continuity planning process is structured to reflect these generic impacts and focuses on a number of pre-defined critical functions identified through the Business Impact Analysis, along with a more generic approach for our non critical services The content of the business continuity plans will be limited to relevant response and recovery activity, and associated reference material, only. Draft business continuity plans have been developed for each of our Directorates and Divisions. The assumption for their creation is that the Date: 11/11/2016 Version: 1a Page: 3 of 12

4 Tactical Management Team (see Business Continuity Incident Management Process) has full responsibility, including documented activity, for assessment of the incident and the restoration of operating environments, services and resources. This allows business continuity plans to be created that are focused on what each division, with respect to their critical functions, has to do (can do) whilst the Tactical Management Team undertake recovery. The Tactical Management Team will authorise the invocation of any business plan to ensure that any actions taken by the business a) do not compromise the recovery process, or b) become negated by any recovery process. Business continuity plans are structured according to the three generic business continuity impacts and created using data collected in the business impact analysis process (see section 2.1). 2.3 Business Continuity Incident Management The business continuity incident management process aligns to that developed for Public Health Wales Emergency Planning, including adopting a common structure of a Tactical Management Team with responsibility for responding to and resolving an incident. The business continuity Tactical Management Team, which will report to a Strategic Director, will comprise the Tactical Leader and assigned representatives from Facilities, Informatics, HR and Communications. Operational teams will be convened to provide a response and recovery process which reflects the scale and impact of the incident. Where appropriate, artefacts and processes already established will be adopted for use within the business continuity process. The key components of the business continuity incident management process are: The notification, invocation and escalation process Establishment of a Tactical Management Team Action cards Communication Closedown process The process aligns to the structure laid out in the Civil Contingencies Act 2004, thereby ensuring Public Health Wales involvement in, or responsibility for, any business continuity incident is compatible with the structure of any emergency services or other agencies similarly involved. Date: 11/11/2016 Version: 1a Page: 4 of 12

5 The overall process is described more fully in the Business Continuity Incident Management Process document. 3 Principles 3.1 Standards Public Health Wales Business Continuity will be implemented in stages. Each stage will adhere to the Business Continuity Institute s Good Practice Guidelines These standards will be adopted with full reference to, and compliance with, the Civil Contingencies Act 2004 requirements and expectations for Category 1 Responders. 3.2 Executive Lead The Deputy Chief Executive/Executive Director of Operations and Finance is the executive lead for business continuity for Public Health Wales. 3.3 Responsibilities Responsibility for ensuring the maintenance of up-to-date, assured business continuity plans for key services is devolved to the respective Director for each of those services. The Planning and Performance Division have responsibility for ensuring the effective implementation of business continuity arrangements within Public Health Wales. Responsibilities for implementation of business continuity measures and practices will be devolved across all directorates of Public Health Wales, as appropriate, supported by the relevant member of the executive team. 3.4 Relationship with external bodies Where any plan or document has either implied or explicit reference to either associated or external parties, Public Health Wales will liaise with those parties as an integral part of the planning and design process to ensure that any dependency or expectation, in either direction, is fully understood and together produce a consolidated solution. 3.5 Non-duplication of plan data Where there is a requirement for the same data to be accessible to more than one plan/scenario, that data will be recorded once and crossreferenced from other documents. This will decrease the maintenance effort and also limit the likelihood of out-of-date or misaligned documents. Date: 11/11/2016 Version: 1a Page: 5 of 12

6 3.6 Plan invocation Invocation of business continuity plans will follow an established process that ensures control of any incident from its occurrence (or from when the incident manifests itself and is formally notified) through to recovery of the normal service and subsequent closure. This process is an integral component of the business continuity implementation, taking any existing incident management processes into account. It is set out in the Business Continuity Incident Management Process. 3.7 New services and change management New systems and services, and changes to existing ones, shall be assessed for their business continuity/disaster recovery requirement and capability before being brought into service and/or applied. 3.8 Embedding business continuity into existing processes Public Health Wales will implement business continuity capability, where possible, into existing processes, thereby minimising the requirement for on-going specialised support or the establishment of a dedicated business continuity function. The individual business continuity plans are owned and maintained by the relevant business Directorate/division, taking advantage of the identified business representative. Completed business impact analysis are distributed back to the divisions for review and update on a regular cycle as part of the testing and assurance process. Whilst the Tactical Management Team is a specialised forum members are expected to have no more specialised knowledge than their business as usual role demands, so there is no specific requirement for embedding. 4 Governance and assurance A Business Continuity Group has been established to manage and oversee the development and ongoing management of business continuity within Public Health Wales. This group consists of representation from all Directorates/Divisions. A business continuity lead has been nominated from each Directorate/Division and they carried out the Business Impact Analysis for their respective areas, supported by the Business Continuity Specialist. Date: 11/11/2016 Version: 1a Page: 6 of 12

7 The Group will report to the Executive Team on a quarterly basis through the Deputy Chief Executive/ Executive Director of Operations and Finance. 4.1 Plan and document approval and sign-off Organisational level plans/document will be approved by the Executive Team, including annual refreshes. Directorate level, and operational documents, will be agreed by the Business Continuity Group. Documents will be circulated to peers for review as part of the development process. 4.2 Plan testing and assurance Since there is an inherent expectation in business continuity that plans will only be rarely used, it is imperative that a formal cycle of assurance takes place to ensure capability and effectiveness should invocation ever occur. This will be undertaken through an ongoing programme of exercising, rehearsal, training and awareness. Tests will be conducted according to a pre-agreed schedule to ensure that each critical component, process and plan is tested at least once per year and also tested in line with the Public Health Wales Emergency Response Plan. Each test will be documented throughout, from initiation of a test to production of results and recommendations for improvement. A full audit trail of all tests will be maintained. 4.3 Closedown procedure Following any business continuity event, a Closedown Report will be issued which will ensure the complexity of the various aspects of the event and all key issues are formally captured and recorded, and acted upon as required. 4.4 Document Management All business continuity documents will be dated and version-controlled. All business continuity documents will be stored securely online with access controlled to authorised personnel only. Hardcopy plans will be printed off and distributed to selected personnel to be able to provide adequate response to business continuity incidents that may result in soft-copy documents being unavailable. Date: 11/11/2016 Version: 1a Page: 7 of 12

8 Business continuity documents will be reviewed and updated in a cycle that reflects both their criticality to the overall business continuity solution and their tendency to change. 5 Assumptions Based upon business continuity work that has preceded this work, it is possible to make a number of assumptions that help define the structure that needs to be implemented and that describe the environments for which business continuity planning will take place. 5.1 Continued availability of staff The dispersed nature of Public Health Wales locations makes it highly improbable that there will never be any experienced staff available for involvement in any business continuity event. This drives, and indeed enables, business continuity plans to be sources of critical reference data required for invocation, response and recovery and not weighed down with detailed activity plans teaching people their day job. 5.2 Plan complexity With continued availability of experienced staff (as above), this allows for simple documents, eliminating complexity and preventing the inclusion of data for the sake of perceived completeness, but which is actually bulk. 5.3 The worst-case scenario It is common in business continuity terminology to plan against a worstcase scenario, which normally means that any particular resource (personnel, building, service) is unavailable. Incidents of such scale will inevitably demand escalation through agreed processes. 5.4 In-house solutions alternate work areas, IT By the inherent nature of the Public Health Wales operation, with a large number of locations and the availability of remote access working, Public Health Wales can provide internal alternate work area solutions. Similarly, IT Disaster Recovery capability will be provided through the Public Health Wales Informatics Team. 5.5 Working from home/remotely Public Health Wales already has in place the facility for staff to work from home, accessing any required IT service through a remote-access gateway. Date: 11/11/2016 Version: 1a Page: 8 of 12

9 6 Future Developments There are some specific aspects of the full business continuity solution that are out of scope for the initial implementation (at the date of issue of this document), which will be addressed under future developments. 6.1 Maturity of the Incident Management Process One of the key aspects of the implementation is the establishment of Tactical Management Team structure for the management of business continuity incidents. To work effectively, the team needs experience and since real incidents are not expected to be that frequent a programme of rehearsals using a variety of scenarios is essential, and must involve both primary and deputy team members. There should also be a standard format closedown report to record all details of the incident, and to formally structure a lessons-learned and recommendations capability. 6.2 Refreshing and further development of business continuity plans. Plans will be refreshed annually in line with best practice. Further work will also be undertaken in specific areas, which were identified during the initial process which will be overseen by the Business Continuity Group. 6.3 Unavailability of personnel Directorates and Divisions have considered personnel issues in the development of their plans. However, further work in needed, as part of the implementation of our revised emergency planning arrangements, to consider the mobilisation of additional resources to support these requirements. This will build on work undertaken in response to previous public health incidents. 6.4 Communication Whatever the business continuity incident, there is always a high possibility of needing to communicate with staff, whether it is actual direction or simply an awareness of what is happening. As a result, the development of a communication processes e.g. a call cascade should be considered. This needs to align with developments within the facilities and informatics functions. It is also essential that all staff are made aware of Public Health Wales business continuity its processes, responsibilities and its expectations of how staff should respond to an incident and how they keep themselves informed of any status. Date: 11/11/2016 Version: 1a Page: 9 of 12

10 The awareness exercise should be through an ongoing cycle of s, presentations, posters and presentations. These can be at a generic level to cover all staff or more targeted for specific groups. 6.5 Informatics and data back up The analysis stage, and subsequent planning sessions with the business representatives, has shown that there is a very high dependence across the organisation on informatics services. The comparatively long timescales identified during the analysis for tolerable business disruptions presents no real challenge to Informatics for recovery of lost systems in the required time. The key issues that remain in need of further investigation are security and availability of data, and system and network resilience. Public Health Wales shall ensure that data and system backups are taken according to the recovery requirements as specified by the various business departments and retained and stored off-site according to best practice recovery processes and available for retrieval as required. 6.6 Contingency Planning There are a number of foreseeable risks that demand additional specific mitigation activity above that supplied in the various business continuity plans (e.g. fuel shortage etc). A separate contingency plan will be produced for each and retained for update and use should the risk recur. An initial plan has been developed, and implemented, for Capital Quarter Supplier assurance Public Health Wales shall solicit suppliers of key services to ensure that the supplier has business continuity capability in place that assures the continued supply of the normally contracted service even during disrupted operation. Public Health Wales should also request involvement in their testing processes to provide the necessary assurance. 6.8 IT Disaster Recovery IT system and service availability and their respective recovery requirements, as identified during the Business Impact Analysis process, will be included in relevant IT plans as part of our future development and organisational implementation of business continuity work. Date: 11/11/2016 Version: 1a Page: 10 of 12

11 7 Appendix 1- Business Continuity Structure Document Business Continuity Framework Description This document sets out the framework (or policy) for Business Continuity within Public Health Wales, including the principles, approach, structure and assumptions that drive the development, implementation and ongoing maintenance of business continuity arrangements within the organisation. Business Continuity Incident Management Process Business Continuity Plans Business Continuity Plan for CQ2 This document describes the response and recovery process for the Public Health Wales management of business continuity incidents based on the model agreed by the Executive Team and sets out the more detailed operational arrangements for the Tactical Management Team. It aligns to the arrangements being put in place for Emergency Planning. High level directorate/divisional business continuity plans. Plans have been kept high level, as majority of reference material is kept within other documents set out within this table This document sets out the business continuity arrangements for managing an incident in Capital Quarter 2. Date: 11/11/2016 Version: 1a Page: 11 of 12

12