NHS FIFE INTERNAL AUDIT SERVICE BUSINESS CONTINUITY REPORT NO. B25/12


DRAFT REPORT

Issued To:
[J Wilson, Chief Executive]
[C Bowring, Director of Finance]
[Dr E Coyle, Director of Public Health]
[A Wilson, Director of Clinical Delivery]
[Dr H Shearer, Quality & Clinical Governance Lead]
I Orr,
[G Cunningham, Acting Director of Acute Services]
[S Manion, General, Dunfermline & West Fife CHP]
[V Irons, General, Glenrothes & North East Fife CHP]
[M Porter, Acting General, Kirkcaldy & Levenmouth CHP]
[A McCreadie, Asst. Director of Finance (Management Accounting)]
[S Laird, Follow-Up Co-ordinator]
[Audit Committee]
[External Audit]

Date Draft Issued: [03 May 2012]
Date Response Required: [10 May 2012]
Target Audit Committee Date: [17 May 2012]

INTRODUCTION & SCOPE

1. Civil contingency planning is part of the everyday business of Government and public and private bodies. The purpose is to ensure that flexible plans are in place to deal effectively with any emergency, major or minor, foreseen or unforeseen. Incidents may differ in scale and impact but the basic principles of assessing risks, identifying preventive measures, preparing and testing plans, responding to emergencies and assisting a rapid return to normality remain valid whatever the type of incident.

2. covers the period immediately after the emergency has been managed and is concerned with taking steps to restore functions so that an acceptable level of service can be maintained. Previous audit reviews have considered the overall business continuity framework and management arrangements NHS Fife has in place. In this review, completion of the business continuity management cycle at a sample of locations will be reviewed to determine whether the critical functions of the service have been identified, and through scenario testing, a robust and comprehensive Plan implemented, to enable the critical functions of the service to continue, should an exceptional incident occur.

OBJECTIVES

3. Our audit work was designed to evaluate whether appropriate systems were in place and operating effectively to mitigate risks to the achievement of the objectives identified below.

4. The relevant service objective for this review was to determine whether NHS Fife:

- Complies with the requirement under the Civil Contingencies Act 2004 that all category one responders maintain plans to ensure they can continue to exercise their functions in the event of a disruptive event.

RISKS

5. The following risks could prevent the achievement of the above objectives and were identified as within scope for this audit.

- A robust and comprehensive Plan has not been implemented at a departmental level to enable the critical functions of services to continue should an exceptional incident occur.

AUDIT OPINION AND FINDINGS

6. The audit opinion is Category B: Broadly Satisfactory. There is an adequate and effective system of risk management, control and governance to address risks to the achievement of objectives, although minor weaknesses are present. A description of all audit opinion categories is given in the final section of this report.

7. The is responsible, with input from Co-ordinators and Service Leads, for the preparation, maintenance, and updating of procedures. Senior management oversees the development, implementation and review of NHS Fife's resilience process, which includes Emergency Planning and, through the NHS Fife Resilience Forum. This forum is chaired by the Director of Public Health and reports to the Strategic Management Team (SMT).

8. A sample of completed Impact Analysis (BIA) from various departments/wards was selected and checked to establish that all necessary aspects of the critical services were considered to provide a full assessment. This included checking that critical periods, outage time, staffing, equipment, and records had been identified, with all sections of the plan being fully completed to ensure business continuity arrangements are in place. For each of the BIAs selected, further discussions were held with responsible leads and it was confirmed that all aspects of critical services were included as part of the BIAs reviewed.

9. A review of a sample of Non-Critical BIAs confirmed that there were no critical services for these departments that should have a Plan.

10. A physical exercise was observed and all systems and processes required for a full Impact Analysis were seen to be completed. This included assessment of service delivery priorities, system and resource recovery timescales and priorities, and minimum staff numbers required.

11. Reporting and monitoring of activity and progress in implementing plans is overseen by the Resilience Forum, which reports into the SMT. There was no evidence of reports being circulated to the Community Healthcare Partnership or Operational Division standing committees for information, informing them of the completeness of planning relevant to their directorate.

12. A review of a sample of progress update reports that are presented to the Resilience Forum and SMT indicated that they contain no statistical information on the total number of departments requiring a Plan (BCP), those with a completed BCP and those still to finalise a plan. Such information would indicate what stage NHS Fife is at in establishing BCPs for all necessary departments.

13. Review of a sample of departments (5) recorded as not having BCPs in place indicated that two of the five departments had not reflected the risk of not having a BCP within their departmental risk register. As a result, the importance of these risks will not be considered when departmental risk registers are reviewed and mitigating actions may not be considered. The remaining three departments in our sample did actually have a BCP in place, in contrast to the information held in the BCP database. The BCP database needs to be updated to reflect this.

ACTION

14. An action plan [has been agreed with management] to address the identified weaknesses. A follow-up of implementation of the agreed actions will be undertaken in accordance with the audit reporting protocol.

ACKNOWLEDGEMENT

15. We would like to thank all members of staff for the help and co-operation received during the course of the audit.

David Archibald BAcc CPFA
Regional Audit

Action Plan

Ref. 1
Finding: Progress reports on activity do not incorporate statistics showing the overall position NHS Fife is at in embedding into the organisation's culture, e.g. statistics which show the percentage of departments with BCPs, those still to develop BCPs, etc.
Audit Recommendation: The content of update reports should be reviewed to include statistical information and other relevant key performance indicators on BCPs, allowing comparison of progress over time and showing potential problems.
Priority: 3
Management Response / Action: Solutions enabling statistics to be collated will be investigated and after any necessary training appropriate reports will be produced.
Action by/date: 31 Dec

Ref. 2
Finding: Progress reports on activity are presented to the Resilience Forum and the SMT, but not the Clinical Governance Committee, or the Operational Division and CHP Clinical Governance committees to keep these committees informed on progress being made and action still to be taken to fully implement BCPs.
Audit Recommendation: A review of the method of reporting BC activity and the committees reports are distributed to should be completed to determine the best method of reporting activity and if reports should be more widely circulated to keep relevant committees informed.
Priority: 3
Management Response / Action: Discussions will be held with the Executive Lead to determine the level of reporting that should be made to appropriate standing committees.
Action by/date: 30 Nov 2012

Ref. 3
Finding: A sample of departments requiring BC plans but which do not have one indicated that the risk posed by such is not recorded in their departmental risk register for further consideration when risks are being reviewed.
Audit Recommendation: All departments still to finalise a BCP should be reminded to record not having a BCP as a risk in their risk register.
Priority: 3
Management Response / Action: A reminder will be issued to all leads for BCPs reminding them that if they do not have a BCP in place where one is required, this should be recorded in their risk register. Confirmation of this being completed will be requested.
Action by/date: 31 Oct

Ref. 4
Finding: Testing a sample (5) of Impact Analysis templates, Plans and Non Critical Impact Analysis templates indicated that:
- None of the completed Impact Analysis templates were signed off by the responsible lead.
- 3 out of 5 did not detail who had approved the business continuity plan.
- The review date had lapsed for 2 of 5 checked.
- For Non-Critical BIAs reviewed (5) all had lapsed their review by date.
Audit Recommendation: Responsible leads should be reminded to ensure that all necessary stages in the planning process are completed. This should include annual completion of BIAs for both critical and non-critical services.
Priority: 3
Management Response / Action: As part of the immediately above reminder, responsible leads will be advised to complete all stages in the planning process.
Action by/date: 31 Oct 2012

Ref. 5
Finding: Review of a sample of departments (5), recorded as not having BCPs in place, highlighted that three departments did actually have a BCP in place, in contrast to the information held in the BCP database.
Audit Recommendation: The BCP database should be updated to accurately record the departments with BCPs, making it an effective management tool.
Priority: 3
Management Response / Action: Recent changes to staff resources have resulted in difficulty in keeping the database up to date but efforts are being made to make use of additional resource within the existing Clinical Governance team. The database will be updated in line with action point 1 above.
Action by/date: 31 Dec

DEFINITION OF ASSURANCE CATEGORIES AND RECOMMENDATION PRIORITIES

Categories of Assurance:

A Good: There is an adequate and effective system of risk management, control and governance to address risks to the achievement of objectives.

B Broadly Satisfactory: There is an adequate and effective system of risk management, control and governance to address risks to the achievement of objectives, although minor weaknesses are present.

C Adequate: Objectives are likely to be achieved. However, improvements are required to enhance the adequacy/effectiveness of risk management, control and governance.

D Inadequate: There is increased risk that objectives may not be achieved. Improvements are required to enhance the adequacy and/or effectiveness of risk management, control and governance.

E Unsatisfactory: There is considerable risk that the system will fail to meet its objectives. Significant improvements are required to improve the adequacy and effectiveness of risk management, control and governance and to place reliance on the system for corporate governance assurance.

F Unacceptable: The system has failed or there is a real and substantial risk that the system will fail to meet its objectives. Immediate action is required to improve the adequacy and effectiveness of risk management, control and governance.

The priorities relating to Internal Audit recommendations are defined as follows:

Priority 1 recommendations relate to critical issues, which will feature in our evaluation of the Statement on Internal Control. These are significant matters relating to factors critical to the success of the organisation. The weakness may also give rise to material loss or error or seriously impact on the reputation of the organisation and require urgent attention by a Director.

Priority 2 recommendations relate to important issues that require the attention of senior management and may also give rise to material financial loss or error.

Priority 1 and 2 recommendations are highlighted to the Audit Committee and included in the main body of the report within the Audit Opinion and Findings.

Priority 3 recommendations are usually matters that can be corrected through line management action or improvements to the efficiency and effectiveness of controls.

Priority 4 recommendations are recommendations that improve the efficiency and effectiveness of controls operated mainly at supervisory level. The weaknesses highlighted do not affect the ability of the controls to meet their objectives in any significant way.