Business Continuity Policy and Plan

Transcription

1 Agenda item 17 Attachment 11 Business Continuity Policy and Plan Title NHS Surrey Heath CCG Business Continuity Policy and Plan Version 1 Publication Date 3 August 2013 Review Date April 2014 References Civil Contingencies Act 2004 BS25999 British Standard for Business Continuity Audience NHS Surrey Heath staff Method of Printed copy and shared drive Publication Author Robert Kirton CFO & Business Continuity Lead Signed off by/date Contents: Introduction Definitions Roles, Duties and Responsibilities Outcomes of the Plan Testing and Review Appendix 1 Business Impact Assessment Appendix 2 NHS Surrey Heath Business Continuity Plan Page 1

2 Introduction The Civil Contingencies Act 2004 and the NHS Emergency Planning Guidance 2005 requires Clinical Commissioning Groups to have a Business Continuity Policy which will ensure that, in the event of a significant service interruption, critical day to day functions can be maintained whilst timely recovery and restoration of key services, systems and processes is also achieved. It is the policy of NHS Surrey CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to maintain essential services and restore normal services as soon as possible in the circumstances prevailing at the time. This document combines the general principles and corporate framework of a Business Continuity Policy together with the initial which the CCG will follow in the event of need to mobilise a response to an incident threatening business. The business management procedures described are separate from, but may operate in conjunction with, the Emergency Response Plan. It also operates in conjunction with the CCG s Risk processes. This policy does not address or represent the CCG s responsibilities relating to emergency ning and response nor as a responder to mobilisation of a local emergency. Definitions The following definitions apply to terms used in this document, in accordance with governing standards, British Standard for BCM, BS2599-1:2006 and International Standard 23001: Business As Usual : Pre-defined acceptable levels of service delivery Business Impact Assessment: The process of analysing business functions and the effect that a business disruption might have upon them Business Continuity : Holistic process to identify potential threats, s the impact of those threats, including protecting patients and stakeholders interests and achieving strategic directives. Disruption: Any event, ned or unned, which causes an interruption to the CCG s ability to continue business as usual. Service Recovery Objective: The desired level to which essential services will be restored and the desired maximum time between loss of service and recovery. Page 2

3 Roles, Duties and Responsibilities Legal and Statutory The following general (statutory) duties apply: The Civil Contingencies Act 2004 places a duty on public bodies to have business s in place to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just emergency response functions. Healthcare Standards require healthcare organisations to have documented procedures which dictate how they will be able to continue essential routine work during an incident or an emergency situation and to provide essential supplies. British Standard :2006 gives guidance for establishing a Business Continuity Plan within an organisation and this policy is written accordingly. Specific duties and responsibilities within the CCG The following specific duties and responsibilities apply within the CCG Accountable Officer (AO): The AO has overall responsibility for the strategic and operational management of the CCG including ensuring that the CCG has in place robust arrangements for business management and service recovery. CCG Governing Body (GB): The GB is responsible for setting the strategic context in which business and service recovery procedures are developed, and for the formal review and approval of the BCM policy and. This function may be delegated to the Audit Committee. The GB is also responsible for gaining assurance that providers commissioned by the CCG have adequate BCM systems and processes in place to ensure service. Business Continuity Lead Officer: This role has been delegated to the Chief Financial Officer: The Lead Officer is responsible for ensuring that business s to support core business functions are completed and updated as necessary. The Lead Officer has responsibility for advising on business in the event of the need to mobilise being declared. The Lead Officer will lead test exercises. Page 3

4 Outcomes of the BCM Plan All BCM s will be written in accordance with this policy. The anticipated outcomes of the BCM are: Identification of the activities of the CCG Prioritising those activities in response to a disruption Minimising the effects of any disruption and allowing return to business as usual as fast as possible Increased staff awareness of BCM principles and processes Supporting the achievement of CCG strategic objectives Ensuring legal compliance with emergency ning obligations As BCM s are developed, the BCM policy may be adjusted as required and resubmitted to the GB for approval to the changes. Testing and Review The Business Continuity Policy and Plan will be reviewed by the Operational Leadership Team and resubmitted to the Governing Body on an at least an annual basis. The Plan will be tested through a mock mobilisation on an annual basis, followed by a debriefing session to establish if any changes need to be made to the. Page 4

5 Appendix 1 Business Impact Assessment In order to construct a Business Continuity Plan, the starting point is to undertake a Business Impact Assessment which identifies the essential functions and services which define the organisation and assesses, based on impact and risk, the maximum time (Recovery Time Objective) the organisation can be considered to be sustainable without the ability to deliver those functions and services. Purpose of activity Financial Financial Transactions Activity and Contract Quality Actual Activity Budgeting & Reporting Payroll Sales ledger Purchase ledger Cash management Data capture & analysis Handling complaints Monitoring SUIs Safeguarding Carried out by Finance team FPHnhsft Finance Team D of N & Q Medical Director Resources needed to IFSE PC PC PC Internet PC Dependencies (other teams, other agencies) Impact Recovery Time Objective Current Contingencies Significant 1 month Home working FPHnhsft SBS Bank Providers data Providers reports Crucial 1 week FPH, CSU(S) and SBS business s Major 1 month CSU(S) B.C. Plan Crucial 3 days Access to space at Centre for Health Proposed Contingencies Dependent on FPH & CSU business Dependent on CSU business Medicines Manpower Commissioning Public Engagement Procurement Benchmarking Best practice Monitoring prescribing Recruitment Appraisal Defining need for care services System change Website Press relations Surveys FOI requests Securing goods and Chief Officer Finance Team Prescribing data Surrey Downs CCG Crucial 1 month Surrey Downs Dependent on Surrey Downs CCG Telecomms FP HR team Moderate 6 weeks FPH FPH PC Internet Lead CCGs Moderate 2 months Home working Moderate Major Minor Crucial 1 month 1 day 6 weeks 3 days Moderate 6 weeks CSU CSU(S) use Media on call Dependent on CSU business Page 5

6 Governance & Compliance Performance services Maintenance of risk and baf Conducting Boards & Committees Monitoring & reporting QIPP AT/SHA liaison and performance regime CFO CO/Chair/ Admin team CFO Access None Available meeting facilities (St Pauls/St Cross) AT/SHA Significant 1 week Homeworking Local facilities Alternative local facilities Major 1 week Homeworking Impact: Minor (1), Moderate (2), Significant (3), Major (4), Crucial (5) Recovery Time Objective: Immediate, 1 day, 3 days, 1 week, 2 weeks, 1 month, 6 weeks, 3 months Page 6

7 Appendix 2 Business Continuity Plan There are a number of threats to the of business at Surrey Heath CCG. The major ones are: Loss of to office Loss of key managers Loss of to I.T. Office: Loss of to the Head Office (Surrey Heath Borough Council Offices, Knoll Road, Camberley) may occur due to the building being unavailable for use ( fire damage, flood damage, loss of power) or being denied to the building and immediate vicinity (security alert). If the loss of is expected to be short term (less than 2 working days), most staff can work from home or utilise space in a GP practice. If the disruption is likely to be longer than 2 working days, the CCG has agreed with North East Hampshire & Farnham CCG that it can have to desk space for three core staff (more with hotdesking) at Centre for Health (ACH). This is a reciprocal arrangement under which NEH&F staff can have to desks at Surrey Heath House. (action: check that the landlords liability insurance remains valid). If a temporary relocation to ACH takes place, an alert will be placed on the CCG website by the Administration Manager informing the public of the relocation and predicted length of disruption. Due to unforeseen circumstances, Surrey Heath CCG have temporarily moved headquarters to Centre for Health. New telephone is, s to. ( address will not change, message is just to re-enforce that). It may be possible to divert telephones to ACH, but it is likely that an enforced move would happen without sufficient notice to action this (e.g. incident in the building out of hours). The essential staff to relocate are: Business Manager (Fiona Andrews), Nursing & Quality (Alison Huggett) Business Continuity lead (Robert Kirton). Other staff would be asked to work from home and report to the director at ACH for a daily update on work required and possible date to return to normal work. Maintenance and of the shared drive is critical as it may not be possible to move paperwork to ACH, or that paperwork may be destroyed in fire or flood. Excess travel costs to will be met if claimed. Loss of key managers Page 7

8 This may be considered lower threat to business as there is already a high degree of closeknit working and covering roles within the senior team. However, it would be better to formalise arrangements and ensure that each senior leader selects a shadow and invests time outlining their major objectives. It is also critical that shared drives for essential files are utilised and the file discipline shared with all staff. Loss of I.T. This is a critical risk. If there is a prolonged lack of to I.T. specifically related to operation from Surrey Heath House, the CCG would mobilise the same arrangements as for lack of to the building, i.e. convene to centre for Health. Loss of to data/information is mitigated by existing back-up arrangements for the CCGs data, carried out by the NHS CSU (South). The CCG must seek regular assurance and evidence that these backing up arrangements re regularly undertaken. Authority to Invoke and Stand Down the Plan The following officers of the CCG have authority to invoke and subsequently stand down the : Accountable Officer Chief Financial Officer (as Business Continuity Lead) Page 8