Business Continuity Management Plan. Policy

Transcription

1 Business Continuity Management Policy Document Number 007/002/028 Version: V 1.00 Approved by: Risk Management & Clinical Governance Committee Date approved: Name of originator/ author: Contingency Planning & Resilience Date issued: Date next review due: July 2017 Target audience: All Trust Staff Replaces: Business Continuity Management Plan Section 1:2 Business Continuity Policy

2 Document Control Manager Responsible Name: Andy Cashman Job Title: Head of Contingency Planning & Resilience Directorate: Clinical Operations Committee/Working Group RMCGC to approve Version No. 1 Final Date: 8 th September 2014 Draft/Evaluation/Approval (Insert stage of process) Person/Committee Comments Version Date RMCGC Approved V1 08/09/14 Anne Harvey RMCGC comments received V0.4 22/07/14 and amendments made to policy RMCGC For approval (Approved V0.3 3/7/14 subject to minor amendments) OPGWG Submitted for V0.2 23/5/14 recommendation for onward approval (Approved subject to minor amendments) SECAmb Resilience Circulated for review & V0.2 14/01/14 Group comment Anne Harvey Amendment to paragraph 8.1 V0.2 18/11/13 Head of Contingency For review & comment. V0.1 30/10/13 Planning & Resilience Anne Harvey Document Developed V0.1 24/10/13 Circulation Records Management Database Date: 28 October 2014 Internal Stakeholders External Stakeholders Active from (30 days after above signature): Date: 28 October 2014 Review Due Manager Head of Contingency Planning & Resilience Period Every three years or sooner if new legislation, codes of practice or national standards are introduced Date: July 2017 Record Information Security Access/Sensitivity Publication Scheme Where Held Disposal Method and date: Official - Sensitive Yes Records Management database In accordance with Records Management and Business Continuity Management Policy V1.00 Page 2 of 13

3 Retention & Disposal Policy Supports Standard(s)/KLOE NHS Care Quality Litigation Commission Authority (CQC) (NHSLA) Criteria/KLOE: Auditors Local Evaluation (ALE) N/A IG Toolkit Other Business Continuity Management Policy V1.00 Page 3 of 13

4 Contents 1 Introduction Aims and Objectives Definitions Policy Statement Arrangements Responsibilities Monitoring Audit and Review Equality Analysis Associated Documentation References Business Continuity Management Policy V1.00 Page 4 of 13

5 1 Introduction 1.1. Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organisation and the impact to the business operations that those threats, if realised, might cause. It provides a framework for building resilience and the capacity for effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities BCM includes the management of recovery or continuation of business activities in the event of a business disruption and the management of the overall programme through training, exercises and reviews to ensure the Business Continuity Plans are up to date The Civil Contingencies Act 2004 requires all Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency, so far as is reasonably practicable An Emergency as defined in Section 1 of the Act is an event or situation which threatens serious damage to human welfare in a place in the United Kingdom an event or situation threatens human welfare only if it involves, causes or may cause loss of human life, human illness or injury, disruption of money, food, water, energy or fuel, systems of communication, facilities for transport or disruption to services relating to health, and other non-health related matters There are many threats that could impact on the ability of the South East Coast Ambulance Service NHS Foundation Trust (SECAmb), referred to in this document as the Trust, to maintain delivery of its core services. Examples may include: A mass casualty incident, either, spontaneous transportation accident, act of terrorism, civil disorder or natural event. A health emergency, e.g. an influenza pandemic, or an activity is identified that could lead to a surge in emergency calls or inservice sickness / absence. Severe weather when notice may or may not be received Loss of a strategic Headquarters (HQ) building and / or other significant parts of the Trust s estate such as the Emergency Operations Centre or Make Ready Centres. Information and Computer Technology (ICT) loss, including mobile communication systems. Logistic failures fleet, equipment, consumables. External contractual failures, including the loss of public utilities. A critical single point failure (internal or external) that threatens the operational ability of the service. Business Continuity Management Policy V1.00 Page 5 of 13

6 1.6. The Trust s Major Incident Plan details its response to an external Major Incident. Whereas, the Trust s Business Continuity Management Plan is geared towards reducing the impact of any interruption to specific resources by restoring critical functions, as quickly as possible, irrespective of the nature of the emergency. 2 Aims and Objectives 2.1. This policy sets out to deliver a policy framework for planning and managing incidents which are disruptive to the continuity of service provision, through which the Trust will; Provide continuation of priority functions and key services to stakeholders during a disruptive event, making best use of personnel and other resources Reduce the period of disruption to the Trust and our stakeholders and return to normal operating levels efficiently and effectively Improve resilience and reduce the likelihood of disruption occurring This will be achieved by the adoption of the recommendations as referenced in the following legislation and guidance: 3 Definitions Civil Contingencies Act NHS England Emergency Preparedness Framework NHS England Business Continuity Management Framework Business Continuity, ISO British Standard PAS For the purpose of this policy the following definitions will apply: Business Continuity Management System (BCMS) is part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves Business Continuity Business Continuity (BC) is maintaining service provision when that service is faced with disruption from internal or external factors Business Continuity Plan (BCP) is a plan documenting procedures that guide the organisation to prepare for and respond to a disruption to priority functions, maintaining service delivery and restoring service to acceptable predefined levels Business Impact Analysis (BIA) is a process of analysing an organisation s activities and the effects a disruption would have on each activity. Business Continuity Management Policy V1.00 Page 6 of 13

7 3.6. Critical Activities are those functions the Trust performs which, if they were to stop, would seriously affect the organisations ability to operate Critical Support Activities are those activities an organisation carries out which directly support its critical activities Stakeholder/ Interested Party person, group or organisation that can affect, be affected by or perceive themselves to be affected by, a decision or activity. 4 Policy Statement 4.1. The Trust is committed to establishing and maintaining an effective Business Continuity Management System that will enable the organisation to, so far as is reasonably practicable: Continue to provide critical services to the public following a disruptive event; Make best use of personnel and resources at times when both might be scarce; Reduce the period of disruption to both the organisation and the community; Comply with standards of governance; Improve resilience of our organisation s infrastructure to reduce the likelihood of significant disruption; Reduce the clinical, operational and financial impact of a disruptive event; and Manage the resumption of normal working efficiently This policy will apply to all members of staff employed by, or working on behalf of the Trust and to contractors and suppliers of services that support prioritised activities of the Trust. 5 Arrangements 5.1. The Trust has appointed the Head of Contingency Planning & Resilience as responsible for the maintenance of the Business Continuity Management System and Business Continuity Management Plan Each key activity within the Trust is to be owned by a designated directorate. The Executive Director will ensure, with their Heads of Department and nominated resilience representative that plans capable of maintaining a minimum acceptable standard of service delivery are in place for each key activity All departments will provide professional support to improve resilience of critical activities and resources that support the Trust s mission critical activities. Business Continuity Management Policy V1.00 Page 7 of 13

8 5.4. Contracts with suppliers of critical goods and services to the Trust must include a requirement to have in place a validated Business Continuity Plan All employees must be made aware of the plans that affect their directorate, unit, office and their role following invocation of business continuity plans Information on the Trust s business continuity arrangements will be available on the Trust s Intranet: ( g resilie.aspx ). It will be the responsibility of the Head of Contingency Planning & Resilience to ensure such information is updated regularly Trust Resilience Group The Trust Resilience Group will support the development of Business Continuity Management activity across the Trust, in line with the Terms of Reference for the group Business Continuity Plans The Trust s Business Continuity Management Plan (BCMP) is an overarching generic plan that may be implemented totally or in part The Trust s Business Continuity Management Plan will be supported by individual Business Continuity Plans produced by directorates or departments providing direct and vital support to the maintenance of core services All key functions including Accident & Emergency, NHS 111 and Patient Transport Services will ensure they have effective Business Continuity plans in place, to ensure service delivery and minimise any negative impact on the Trust There are a number of other Trust plans and policies which support Business Continuity. This policy is not intended to supersede them but will be co-ordinated alongside them Business Impact Analysis Business Impact Analysis is a process where each business area of the Trust identifies the priority functions they provide and the key services supporting these functions A Business Impact Analysis using the SECAmb Business Impact Analysis template documentation will be completed by all departments to aid the production of BC Plan(s) and Action Cards. Business Continuity Management Policy V1.00 Page 8 of 13

9 5.10. Risk Areas of risk vary greatly according to impact and likelihood. The Trust s Business Continuity risk assessments support the BIA process and will be carried out in line with the Trust Risk Assessment Procedure Risks that may prevent or reduce the ability of the Trust to maintain its priority functions may be identified through local risk registers and escalated to the appropriate group for review, monitoring and mitigation Risks may be recommended for addition to the Trust s Risk Register and will be managed in line with the Trust Risk Management Policy/Procedure Service Critical Activities The following have been identified by the Trust as being Service Critical Activities:- Emergency Operations Centres - Call Handling, Clinical Triage and Dispatch of Resources; Operational Response; Patient Transport Service - Renal and Oncology patients inbound/outbound journeys and NHS111 - Call handling and clinical triage Critical Support Activities Activities which have to be performed in order to deliver the key products and services of the organisation include:- Production (staffing and vehicle levels) IT Fleet Logistics Estates The restoration priorities for the critical activities of the Trust following a disruptive event are detailed in the Trust s BCMP Invoking the Business Continuity Management Plan In the event of any serious disruptive challenge which is likely to affect the ability of the Trust to deliver any of the core functions, the Business Continuity Management Plan will be implemented The Chief Executive or in his absence an Executive Director (Gold), or any Senior Manager in consultation with the duty Contingency Planning Business Continuity Management Policy V1.00 Page 9 of 13

10 & Resilience Tactical Advisor will have the authority to implement the plan. 6 Responsibilities 6.1. The Chief Executive has overall accountability for continuity of all service provision, in line with both statutory and contractual requirements The Director of Clinical Operations is responsible for ensuring the Trust puts in place the necessary Business Continuity Management systems to implement this policy The Head of Contingency Planning & Resilience is responsible for the maintenance of the BCMS and BCMP, and assisted by CP&R Managers will; Review and develop the policy in line with best practice and the needs of the organisation; Monitor standards and compliance with the policy; Provide support and guidance to directorate representatives/unit managers and Ensure that training and exercising of the plan is undertaken Executive Directors have a responsibility for ensuring that the Business Continuity Management Policy is implemented within their own directorate and in particular, that each critical function within the directorate has its individual BIA and appropriate contingency arrangements in place The Executive Director for NHS111 is responsible for ensuring that the Business Continuity Management Policy is implemented and that NHS111 has its individual BIA and appropriate contingency arrangements in place Department Heads will ensure a BIA is carried out and appropriate contingency arrangements are in place in respect of the business functions for which they are accountable All staff will be expected to understand this policy and to cooperate with the maintenance, testing and implementation of the plan. 7 Competence 7.1. All Trust staff and responsible senior managers should be aware of the Business Continuity Policy and their responsibilities within this policy Training Business Continuity Management Policy V1.00 Page 10 of 13

11 BC awareness and familiarisation is disseminated to all Trust staff through the induction process Additional Training will be incorporated into staff development programmes from time to time to ensure a continued awareness of roles and responsibilities Staff who have key responsibilities in relation to the Trust s BCM will aim to undertake additional BC training courses to attain competencies in line with best practice Upon deployment to a particular area of service delivery, all staff will be familiarised with the relevant business area Business Continuity Plans / Schedules. Should any changes to the BC Plans be made, staff will receive appropriate training and development to ensure the continued effectiveness of the BCM response Details of all Business Continuity training will be held on the Trust s Training database Exercising Guidance recommends that plans should be exercised at least annually; however, any live activations of a continuity plan can be recorded as part of the testing schedule Exercising of the BCM response to any element of service delivery will be held as a regular feature of the on-going management of the Trust s Business Continuity Management Plan Exercises will be held to validate any alteration, either in part or whole, to any element of the plans. 8 Monitoring 8.1. The Risk Management and Clinical Governance Committee (RMCGC) will approve this policy The effectiveness of this policy will be monitored by the Trust s Resilience Group. BCM arrangements will be assessed against national standards and best practice guidelines The Head of Contingency Planning and Resilience will report to the Operational Performance and Governance Working Group (OPGWG), In turn, the OPGWG will report into the RMCGC. 9 Audit and Review 9.1. Business Continuity Management arrangements within the Trust are subject to audit at any time. Audits will be carried out through a Business Continuity Management Policy V1.00 Page 11 of 13

12 programme of audits scheduled in line with the Trust s internal audit periodic plan Audit reports and recommendations will be reviewed by the Resilience Group and action plans produced where appropriate. Findings and learning outcomes from the audits will be discussed at OPGWG The policy will be reviewed every three years and/or after any invocation of the BCMP, or sooner if new legislation, codes of practice or national standards are introduced Each directorate will carry out an annual review/or sooner if there is a change of its business continuity process and plan(s). The Resilience Group will monitor the review process and provide support where necessary. 10 Equality Analysis Any disruptive event is likely to impact all groups in the same way however on-going equality monitoring will take place throughout any incident to ensure no specific staff or patient group is adversely impacted. 11 Associated Documentation SECAmb Business Continuity Plans SECAmb Communications Plan SECAmb Fuel Contingency Plan [NEP-F] SECAmb Major Incident Plan SECAmb Pandemic Flu Plan Risk Assessment Procedure Risk Management Strategy Policy and Procedure LRF Fuel Plans LRF Pandemic Flu Plans LRF Severe Weather Plans (Flood, Heat, Drought, Snow etc.) 12 References Civil Contingencies Act 2004, Emergency Preparedness Chapter 6; NHS England Emergency Preparedness Framework 2013 Business Continuity Management Policy V1.00 Page 12 of 13

13 12.3. NHS England Business Continuity Management Framework Business Continuity, ISO22301: British Standard PAS Business Continuity Management Policy V1.00 Page 13 of 13