Clinical Commissioning Group (CCG) Governing Body 2014/2015

Size: px

Start display at page:

Download "Clinical Commissioning Group (CCG) Governing Body 2014/2015"

Benjamin Kelly
5 years ago
Views:

Clinical Commissioning Group (CCG) Governing Body 2014/2015 Date of Meeting: 17 October 2014 Agenda Item: 7 Subject: Business Continuity Management Policy Reporting Officer: Ian Mello Aim of Paper:

1 Clinical Commissioning Group (CCG) Governing Body 2014/2015 Date of Meeting: 17 October 2014 Agenda Item: 7 Subject: Business Continuity Management Policy Reporting Officer: Ian Mello Aim of Paper: The Governing body is asked to approve the Business Continuity Management Policy, Impact and Strategies Toolkit and Business Continuity Plan Governance route prior to this GB Meeting Date Objective/Outcome CCG Governing Body Select date of meeting. Click to Select Quality and Safety Committee Select date of meeting. Click to Select Clinical Commissioning Committee Select date of meeting. Click to Select Patient Experience Assurance Committee Select date of meeting. Click to Select Finance, Performance and Risk Committee Select date of meeting. Click to Select Audit Committee Select date of meeting. Click to Select Remuneration Committee Select date of meeting. Click to Select Locality Engagement Group Select date of meeting. Click to Select Health and Wellbeing Board Select date of meeting. Click to Select Other Click here to enter text. Governing Body Resolution Required: Approval/Decision Recommendation Governing Body is requested to approve the Business Continuity Management Policy Link to Strategic Objectives SO1: To secure additional years of life for people of the Borough with treatable mental and physical health conditions SO2: To improve the health related quality of life for people with long term condition(s) including mental health conditions SO3: To reduce the amount of time people spend avoidably in hospital through better and more integrated care in the community, outside hospital SO4: To increase the proportion of older people living independently at home following discharge from hospital SO5: To increase the number of people with mental and physical health conditions having a positive experience of hospital care and care outside of hospital (including General Practice and the Community) SO6: To make significant progress towards eliminating avoidable deaths in our hospitals, and all care settings, caused by problems in care. SO7: To develop integrated working and partnerships to ensure the best possible care for the borough SO8: To be a high performing CCG, deliver our statutory duties and use our available resources innovatively to deliver the best outcomes for our population. Contributes to: (Select Yes or No) No No No No No No No Yes Risk Level: (To be reviewed in line with Risk Policy) Comments (Document should detail how the risk will be Not Applicable The Business Continuity Management Policy and impact and strategies toolkit has been developed to minimise the risk to the CCG in the event of an incident affecting CCG core activities. Following this process of the

2 mitigated) Business Continuity Programme, the CCG Business Continuity Plan will be developed to detail how business continuity incidents will be managed. Content Approval/Sign Off: The contents of this paper have been reviewed and approved by: Clinical Content signed off by: Financial content signed off by: Director of Commissioning and Provider Management, Ian Mello Not applicable Not Applicable Clinical Engagement taken place Patient and Public Involvement Patient Data Impact Assessment Equality Analysis / Human Rights Assessment completed Completed: Not Applicable Not Applicable Not Applicable Not Applicable Executive Summary NHS HMR CCG is committed in developing and implementing a robust business continuity programme. The Business Continuity Programme has been developed by the North West Commissioning Support Unit Resilience Team in collaboration with HMR CCG to increase organisational resilience and ensure that the CCG is ready to respond to and recover from any disruption. As part of the business continuity management programme, there are three key documents 1. Business Continuity Management Policy (attached) 2. Business Continuity Impact and Strategies Toolkit (IST) (attached) 3. Business Continuity Plan (in progress) The Business Continuity Management Policy outlines the CCGs programme for Business Continuity Management (BCM). It is the framework for the development and operation of a business continuity management programme for HMR CCG describes how the Business Continuity Programme will be developed, implemented and maintained. It explains why business continuity is important, the aims and objective, the scope and approach of BCM. The Business Continuity Impact and Strategies Toolkit identify the CCG s key activities/functions; it details the risks on the likelihood of short and long term disruption and the potential impacts CCG key functions. The toolkit also details strategies for dealing with the disruptions such as loss of people, loss of premises, loss of resources and loss of suppliers. Following the completion of the Business Continuity Impact and Strategies Toolkit which analysed the CCGs critical activities, impact of disruption on them, and strategies for dealing with disruption, the CCG Business Continuity Plan will be developed. The Governing Body is asked to approve the content of the HMR CCG Business Continuity Management Policy, Impact and Strategies Toolkit and development of the Business Continuity Plan. The Business Continuity Plan documents the procedures for responding to disruptive incidents affecting it core activities.

3 Heywood, Middleton and Rochdale CCG Business Continuity Management (BCM) Policy Draft 0.3

4 Business Continuity Management Policy (Draft 0.3) Document Control Title: Status: Version: Draft 0.3 Issue date: Document owner: (Name, Title) Heywood, Middleton and Rochdale CCG Business Continuity Management (BCM) Policy Draft tbc Lesley Mort, Chief Officer Accountable Emergency Officer: (Name, Title) CCG BCM lead: (Name, Title) Document author: (Name, Title) Review cycle: As above Ian Mello, Director of Commissioning and Provider Management Linh Nghiem, Resilience Manager At least annually Change History Version Summary of Changes Document Status Date published Draft 0.1 Initial draft Draft Draft 0.2 Revised draft following EMT Draft Draft 0.3 Core standards update Draft Formal Approval Approved by Date Name Contact Number Lesley Mort, Chief Officer Lesley Mort NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 2

5 Business Continuity Management Policy (Draft 0.3) CONTENTS 1. INTRODUCTION 1.1 Context 1.2 Policy Aim 1.3 Definitions 1.4 Benefits of Business Continuity Management 2. SCOPE OF CCG BUSINESS CONTINUITY MANAGEMENT 2.1 Priorities 2.2 Disruptions 2.3 Activities and Locations within Scope 2.4 Exclusions 2.5 Interested Parties 3. CCG APPROACH TO BUSINESS CONTINUITY MANAGEMENT 3.1 Principles 3.2 Guidelines 3.3 Standards 3.4 BC Objectives 4. OPERATIONAL FRAMEWORK 4.1 Resources 4.2 Processes 4.3 Documents 4.4 Communication and Awareness 4.5 Governance 4.6 Audit and Review 5. KEY ROLES AND RESPONSIBILITIES 5.1 Chief Officer 5.2 Accountable Emergency Officer 5.3 CCG Staff 5.4 GMCSU Resilience Team APPENDICES LIST OF APPENDICES CCG Business Continuity Management Policy Appendix Title (01) The Business Continuity Management (BCM) Lifecycle (02) Outline of Implementation Process for CCG BCM Programme (03) CCG Business Continuity Objectives NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 3

6 Business Continuity Management Policy (Draft 0.3) REFERENCES Good Practice Guidelines 2013, A Guide to Global Good Practice in Business Continuity, Business Continuity Institute ISO 22301:2012, Societal security Business continuity management systems Requirements, International Organization for Standardization ISO 22313:2012, Societal security Business continuity management systems Guidance, International Organization for Standardization PAS 2015, Framework for Health Services Resilience, (2010) British Standards Institute NHS England Emergency Preparedness Framework 2013, NHS England NHS England Business Continuity Management Framework 2013 (Service Resilience), NHS England NHS England Core Standards for Emergency Preparedness, Resilience and Response, NHS England The Route Map to Business Continuity Management, Meeting the Requirements of ISO 22301, John Sharp, (2012) British Standards Institute NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 4

7 Business Continuity Management Policy (Draft 0.3) 1. INTRODUCTION 1.1 Context NHS Heywood, Middleton and Rochdale Clinical Commissioning Group (CCG) has a leading role in ensuring that healthcare services are provided for the people of Heywood, Middleton and Rochdale. Essentially, the role of the organisation is to buy in or commission services that meet the varying health needs of the local population. These services may be provided by NHS organisations, such as local NHS hospitals and Trusts, or other private and voluntary organisations. Commissioning is a key function of the NHS and CCGs spend about 80% of the NHS annual budget. Given the key role that Heywood, Middleton and Rochdale CCG plays within the local health system, it important that the organisation is able to continue its activities in the face of situations that might be, or could lead to, disruption, loss, emergency or crisis. Under the Civil Contingencies Act (2004), Clinical Commissioning Groups are identified as category two responders. Although the Act places a lesser set of duties upon category two responders than it does upon category one responders, Department of Health and NHS England expects all NHS organisations to plan for and respond to incidents in the same way as category one responders in a manner which is relevant, necessary and proportionate to the scale and services provided 1. Therefore, as well as seeking to maintain and protect its staff, stakeholders, reputation, information, sites, facilities and finances, Heywood, Middleton and Rochdale CCG, as an NHS body, also needs to establish effective business continuity arrangements in order to meet the requirements of the national programme for NHS resilience, under which NHS bodies must ensure they have in place appropriate incident response structures and business continuity plans. 1.2 Policy Aim The aim of this policy is to provide a framework for the development and operation of a business continuity management programme for Heywood, Middleton and Rochdale CCG. By implementing this policy, Heywood, Middleton and Rochdale CCG will demonstrate its commitment to establishing, implementing, reviewing and continually improving business continuity management. The policy sets out the scope of the CCG s arrangements for business continuity management and describes the approach and operational activities (the BCM programme) that Heywood, Middleton and Rochdale CCG will implement in order to develop, maintain and improve organisational readiness to respond to and recover from disruption. In the past, organisations in the UK developed their business continuity management in line with BS However, this standard has been replaced by ISO and this policy takes in to account the requirements of the revised international standard for business continuity. 1 NHS England Core Standards for Emergency Preparedness, Resilience and Response 2014 (Page 6 Para 5.3) NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 5

8 Business Continuity Management Policy (Draft 0.3) 1.3 Definitions Table 1 below provides definitions of key terms used within this policy and in relation to Heywood, Middleton and Rochdale CCG s business continuity arrangements. Table 1: Definitions BC BCM BCMP BCP Business continuity is the capability of the organisation to continue delivery of its products and services at acceptable levels following a disruptive incident. Business continuity management is a holistic management process that provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities. A business continuity management programme is the ongoing management and governance process supported by Top Management and appropriately resourced to implement and maintain BCM. A business continuity plan provides documented procedures that guide the organisation to respond, recover, resume and restore to a predefined level of operation following disruption. (Source: ISO223012) 1.4 Benefits of Business Continuity Management As well as allowing the organisation to fulfil its resilience requirements as an NHS body, implementation of BCM offers Heywood, Middleton and Rochdale CCG a range of benefits: effective business continuity arrangements allow the CCG to continue to meet the needs and expectations of interested parties; a properly implemented business continuity management programme helps the organisation to identify areas of weakness, duplication and inefficiency, which can offer the CCG the opportunity to become more resilient and more cost-effective; correctly implemented, BCM promotes greater staff engagement in the successful running of the CCG as it involves CCG staff in the efforts to enhance the resilience of the organisation; BCM can also be seen as part of the CCG s efforts to fulfil its duty of care to employees, stakeholders and the wider community as it supports the organisation to discharge its duties and maintain employment throughout a period of disruption. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 6

9 Business Continuity Management Policy (Draft 0.3) 2. SCOPE OF CCG BUSINESS CONTINUITY MANAGEMENT 2.1 Priorities By implementing and maintaining a business continuity management programme, Heywood, Middleton and Rochdale CCG seeks to achieve the following priorities should a disruptive incident affect the CCG: protect the safety of people employed by or working with the CCG; maintain, recover, resume or restore the CCG s priority activities; protect the interests of CCG stakeholders; protect the CCG s finances, property, resources and reputation. 2.2 Disruptions Heywood, Middleton and Rochdale CCG s BCM policy seeks to address the following disruptions that may arise as a consequence of some form of incident, interruption or termination: Loss of people A range of possible scenarios (e.g. industrial action, severe weather causing transport disruption/closures, an influenza pandemic) could cause the CCG to experience loss of key personnel, knowledge, skills, relationships or contacts Loss of premises Fire, utility failure, civil disorder in a locality or a gas explosion are examples of scenarios that could lead to denial of access to buildings, facilities or accommodation and the inability to undertake CCG activities from a normal place of work Loss of resources Resources that support the CCG s activities, such as IT hardware, IT systems and networks, databases, telephony or other equipment may suffer failure, theft or malicious damage Loss of suppliers Third party providers of goods and services to Heywood, Middleton and Rochdale CCG may experience disruption themselves or may suspend or cease operations for some reason (e.g. bankruptcy, fraud investigation, statutory breach) 2.3 Activities and Locations within Scope This policy will apply to all activities that come under the operations of Heywood, Middleton and Rochdale CCG. However, it is acknowledged that some CCG activities, owing to their more time sensitive nature, will be more susceptible than others to the impacts of a disruptive incident. Therefore, Heywood, Middleton and Rochdale CCG will undertake analysis of its activities to establish the organisation s prioritised activities. Initial business continuity efforts will be focused on these prioritised activities with other activities falling within scope of the BCM programme in due course. In this way, Heywood, Middleton and Rochdale CCG will adopt the lifecycle approach to business continuity as recommend by good practice, which will allow the organisation to continually improve its BCM arrangements. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 7

10 Business Continuity Management Policy (Draft 0.3) This policy will be applicable to the main site utilised by Heywood, Middleton and Rochdale CCG that is One Riverside, Rochdale OL16 1XU. All staff based within the CCG accommodation at One Riverside, including those from other organisations such as staff from Greater Manchester Commissioning Support Unit, should make themselves familiar with the business continuity arrangements that are applicable to One Riverside. 2.4 Exclusions This policy does not extend to other organisations that share premises with Heywood, Middleton and Rochdale CCG at One Riverside. However, Heywood, Middleton and Rochdale CCG may seek assurance about the business continuity of relevant third parties based in One Riverside e.g CSU. 2.5 Interested Parties Table 2 below provides a summary of individuals or organisations that have an interest in or may be affected by Heywood, Middleton and Rochdale CCG s business continuity management. The needs and expectations of these interested parties will be taken in to account within the operation of the CCG s business continuity management programme. This policy will be made available to all interested parties. Table 2: Interested Parties Interested party Other Clinical Commissioning Groups: Bury CCG Oldham CCG North Manchester NHS England (Greater Manchester) Area Team Partner Agencies: Rochdale MBC North West Ambulance Service (NWAS) Bury Council (NE Sector) Oldham MBC (NE Sector) NHS funded providers: Pennine Acute Hospital Trust Pennine Care NHS Foundation Trust GP Practices A range of private, voluntary and independent providers Greater Manchester Commissioning Support Unit Nature of interest in the CCG s BCMP NE Sector NE Sector NE Sector Performance Managers and specialist commissioners seeking assurance Partner agencies Provider contracts Service Provider NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 8

11 Business Continuity Management Policy (Draft 0.3) Table 2: Interested Parties Interested party Key third party suppliers: NHS Shared Business Services NHS Property Services Other GM NHS commissioners and providers GP Member Practices Nature of interest in the CCG s BCMP Mutual aid arrangement to support NHS organisations Commissioning members of Governing Body 3. CCG APPROACH TO BUSINESS CONTINUITY MANAGMENT 3.1 Principles The following principles underpin Heywood, Middleton and Rochdale CCG s BCM policy and are the norms to which the organisation aspires: to be successful, business continuity management must be introduced and supported by Heywood, Middleton and Rochdale CCG s Executive Management Team; business continuity is part of everyone s job and must be integrated into core CCG business processes; those that undertake the activities delivered by Heywood, Middleton and Rochdale CCG are best placed to understand the continuity requirements of those activities; Heywood, Middleton and Rochdale CCG s business continuity management programme is a continually evolving process; when a business continuity event occurs, CCG staff may need to work in different ways and/or in different locations than they would normally; business continuity procedures will be sufficiently detailed and clear so that somebody other than the person(s) primarily responsible for the work can follow them; Heywood, Middleton and Rochdale CCG will learn from business continuity events and disruptions; the CCG s business continuity management will integrate with the CCG s roles described within the health economy Incident Response Plan. 3.2 Guidelines This policy has been developed with reference to the Business Continuity Institute Good Practice Guidelines Heywood, Middleton and Rochdale CCG will operate a business continuity management programme that follows the lifecycle described within the Good Practice Guidelines 2013 (see Appendix 01). Heywood, Middleton and Rochdale CCG will also take in to account the business continuity guidance and toolkits on business continuity issued by the NHS England Business Continuity Working Group, coordinated by the National Support Centre. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 9

12 Business Continuity Management Policy (Draft 0.3) 3.3 Standards Heywood, Middleton and Rochdale CCG will align its business continuity management arrangements with the requirements of the international standard for business continuity, ISO Implementation of this policy will allow Heywood, Middleton and Rochdale CCG to demonstrate its commitment to meeting the CCG business continuity requirements set by NHS England within the Core Standards for emergency preparedness, resilience and response (EPRR) 3.4 BC Objectives In order to implement and maintain an effective business continuity management programme, Heywood, Middleton and Rochdale CCG will establish and communicate relevant business continuity (BC) objectives. These objectives will be consistent with this policy, be measurable, take into account applicable requirements and be monitored and updated as appropriate. Appendix 03 of this policy provides a template for and examples of BC objectives. 4. OPERATIONAL FRAMEWORK 4.1 Resources In order to implement and sustain an effective business continuity management programme, Heywood, Middleton and Rochdale CCG will ensure there are suitable financial and operational resources available to the programme. These will include the nomination of an appropriately senior CCG business continuity champion and the approval by senior management for sufficient staff involvement in business continuity programme activities, such as business continuity plan preparation, testing and exercising. 4.2 Processes Heywood, Middleton and Rochdale CCG will implement appropriate processes for business continuity management to ensure that the organisation aligns with good practice and meets the relevant standards for business continuity. These processes will cover the full BCM Lifecycle and will include the following: business impact analysis and risk assessment, taking into account worst case scenarios and the Greater Manchester Community Risk Register; identification of continuity strategies and options; development and implementation of a business continuity plan; integration with existing incident response protocols; training, testing and exercising of business continuity arrangements; embedding business continuity within core CCG business processes, including processes for communication and awareness. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 10

13 Business Continuity Management Policy (Draft 0.3) As a minimum, processes such as testing and exercising of business continuity arrangements will be undertaken at least annually. 4.3 Documents At the heart of Heywood, Middleton and Rochdale CCG s business continuity management programme will be three key documents: Business Continuity Management Policy: (this document) identifies what the CCG intends to do about BCM and outlines the organisation s programme for BCM; Business Continuity Impacts and Strategies Toolkit: identifies the CCG s key activities, the potential impacts and risks of disruption to them as well as the strategies/options for dealing with disruptions; Business Continuity Plan (BCP): documents the CCG s procedures for responding to disruptive incidents. Heywood, Middleton and Rochdale CCG will develop additional documents as required to support the business continuity management programme, such as training and exercising logs or incident debrief reports. All documents relating to the CCG s business continuity management programme will be appropriately identified and described (e.g. will include a title, date, author and version number) and will be available, as appropriate, electronically or as a paper copy. 4.4 Communication and Awareness This policy along with all supporting and associated business continuity information and documents will be placed in appropriate places on the CCG intranet and network drive. The business continuity management programme will be promoted in various ways (e.g. via CCG circulations, in CCG meetings, at meetings of the Heywood, Middleton and Rochdale Health Economy Resilience Group and during induction of new starters) and consideration will be given to the options for enhancing understanding and awareness of the programme through channels such as staff dropin sessions, seminars and e-learning. 4.5 Governance Heywood, Middleton and Rochdale CCG s business continuity management arrangements will link with the organisation s established governance and risk management processes. 4.6 Audit and Review Audit of Heywood, Middleton and Rochdale CCG s business continuity management arrangements will be in line with the CCG s established audit procedures and may be subject to additional internal or external audit as required. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 11

14 Business Continuity Management Policy (Draft 0.3) This policy, as well as the BC Impact and Strategies Toolkit and the CCG Business Continuity Plan, will undergo formal review at least annually to ensure content remains applicable. Review of this policy will be undertaken, at least annually, by Heywood, Middlton and Rochdale CCG Governing Body. Additional review may be undertaken following incidents or disruptions. By undertaking regular review of the BCM programme, Heywood, Middleton and Rochdale CCG will seek to continually improve the suitability and effectives of its business continuity arrangements. 5. KEY ROLES AND RESPONSIBILITIES 5.1 Chief Officer will: Act as the strategic lead of Heywood, Middleton and Rochdale CCG s business continuity management programme Act as the Accountable Emergency Officer Ensure a policy and objectives are established for Heywood, Middleton and Rochdale CCG s business continuity management programme Ensure resources needed for Heywood, Middleton and Rochdale CCG s business continuity programme are available ensure Heywood, Middleton and Rochdale CCG meets the business continuity requirements set out within the NHS EPRR Core Standards direct and support Heywood, Middleton and Rochdale CCG staff to contribute to effective business continuity management promote the importance and need for continual improvement of business continuity management within Heywood, Middleton and Rochdale CCG provide an annual update to Heywood, Middleton and Rochdale CCG Governance Committee on business continuity management 5.2 CCG Business Continuity Lead will: seek business continuity management guidance from GMCSU Resilience Team contribute to the development, completion and implementation of relevant business continuity management processes, documents and activities for Heywood, Middleton and Rochdale CCG contribute to the continual improvement of Heywood, Middleton and Rochdale CCG s business continuity work closely with GMCSU Resilience Team in order to support Heywood, Middleton and Rochdale CCG with the development and delivery of appropriate business continuity management awareness raising, training, testing and exercising 5.3 CCG Staff will: contribute to the development, completion and implementation of relevant business continuity management processes, documents and activities for Heywood, Middleton and Rochdale CCG NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 12

15 Business Continuity Management Policy (Draft 0.3) review and update Heywood, Middleton and Rochdale CCG s business continuity management documents contribute to the continual improvement of Heywood, Middleton and Rochdale CCG s business continuity 5.4 CCG Governing Body Committee will: oversee the development, completion and implementation of relevant business continuity management processes, documents and activities for Heywood, Middleton and Rochdale CCG review and approve Heywood, Middleton and Rochdale CCG s business continuity management documents contribute to the continual improvement of Heywood, Middleton and Rochdale CCG s business continuity 5.5 GMCSU Resilience Team will: provide business continuity management guidance and advice to the Accountable Emergency Officer and to Heywood, Middleton and Rochdale CCG staff develop relevant business continuity management templates for use by Heywood, Middleton and Rochdale CCG support Heywood, Middleton and Rochdale CCG with the development and delivery of appropriate business continuity management awareness raising, training, testing and exercising NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 13

16 Business Continuity Management Policy (Draft 0.3) APPENDIX (01): The Business Continuity Management (BCM) Lifecycle The BCM Lifecycle shows the stages of activity that an organisation moves through and repeats with the overall aim of improving organisational resilience. Figure 1: The Business Continuity Management (BCM) Lifecycle Source: BCI Good Practice Guidelines 2013 Stage Purpose 1 Policy & Programme Management The start of the Business Continuity Management (BCM) Lifecycle. It is the stage that defines the organisational policy relating to business continuity (BC) and how that policy will be implemented, controlled and validated through a BCM programme that is underpinned by BCM objectives. 2 Analysis 3 Design The stage within the BCM Lifecycle that reviews and assesses the organisation in terms of what its key activities are, how it functions and the impacts of disruption to key activities. The stage within the BCM Lifecycle that identifies and selects appropriate strategies and options to determine how continuity and recovery from disruption will be achieved. 4 Implementation The stage within the BCM Lifecycle the implements the agreed strategies and options through the process of developing Business Continuity Plans (BCP). 5 Validation The stage within the BCM Lifecycle that confirms the BCM programme meets objectives established from the BCM policy and that the organisation s BCPs are fit for purpose. 6 Embedding Business Continuity The stage within the BCM Lifecycle that continually seeks to integrate BC into day-to-day business and organisational culture. NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 14

17 Business Continuity Management Policy (Draft 0.3) APPENDIX (02): Outline of Implementation Process for CCG Business Continuity Management Programme BCM Lifecycle Stages (1) Policy and Programme Management (2) Analysis (3) Design and (4) Implementation (5) Validation (6) Embedding Business Continuity Key Elements of BCM Programme Implementation Process Scoping Discussion Presentation to Executive Management Team BCM Initial Meeting BCM Initial Meeting BCM Exercise Meeting Business Continuity Exercise 1. Scope CCG BCM programme 2. Identify CCG BCM Champion 3. Draft a CCG BCM policy 4. Link with existing CCG Risk and Governance arrangements 1. Gain CCG EMT approval for BCM policy 2. Agree schedule of BCM meetings 3. Share and raise awareness of BCM policy 1. Agree BCM roles 2. Agree template BCM documents 3. Agree timeline and responsibilities for completion of BCM documents 1. Review completed BCM documents 2. Agree any amendments to BCM documents 3. Share BCM documents with interested parties 4. Establish BC procedures and relevant training 1. Establish BC exercise aim and objectives 2. Identify BC exercise roles and responsibilities 3. Agree date and details of BC exercise 4. Provide notification of BC exercise 1. Deliver BC exercise 2. Identify learning and follow up actions from the BC exercise 3. Implement follow up actions and amend BCM documents as required NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 15

18 Business Continuity Management Policy (Draft 0.3) APPENDIX (03): CCG Business Continuity (BC) Objectives In order to implement and maintain an effective business continuity management (BCM) programme, Heywood, Middleton and Rochdale CCG will establish and communicate relevant business continuity objectives. The BC objectives will be consistent with the CCG BCM policy, be measurable, take into account applicable requirements and be monitored and updated as appropriate. Date BC Objectives set: 22/08/2014 BC Objectives set by: (Name, Title) Ian Mello Director of Commissioning and Provider Management No. Objective Due by 01 Identify a CCG business continuity lead 31/03/ Draft a CCG BCM policy 31/07/ Gain approval for CCG BCM policy TBA 04 Undertake a CCG business impact analysis and risk assessment 23/09/ Identify CCG prioritised activities 30/09/ Draft BCM Plan 15/10/ Gain approval for CCG BCM Plan 29/10/ Prepare BCM Training plan 28/11/ Deliver BCM Training plan 30/01/ Test CCG BCM arrangements 30/03/2015 Completed In Progress Overdue NHS Heywood, Middleton and Rochdale Clinical Commissioning Group 16

19 Introduction Key to toolkit shading Lighter tan shading indicates text entry is required Darker tan shading indicates a field that will autofill or a dropdown menu Section Guidance CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Completion Notes The information collected in this toolkit will enable the CCG to determine how best it can prepare the organisation to be able to manage disruptions. Review and assesment of the activities undertaken by the CCG is the foundation upon which the organisation's BCM programme is built. Therefore, it is essential that those completing the toolkit, and those who own it, endeavour to make it an accurate description of the CCG's activitites and requirements. Part A CCG Facts Impacts & Strategies Toolkit (IST) Document Control Indicates who completed the toolkit, on what date as well as who the document owner is. It is the responsibility of the document owner to ensure the information about the CCG is accurate and appropriate. Service Facts Provides a brief overview of the CCG including an indication of its primary purpose, the main stakeholders, the number of staff and the locations from which staff work. Part B Main Functions Describes the main functions the CCG undertakes. Also provides estimations of the priority for recovery, the maximum tolerable period of disruption (MTPD) and the recovery time objective (RTO) for the functions listed. The main functions of the CCG should be limited to those undertakings that are central to the CCG's reason for operating. Examples include financial management and contract management. Further examples can be provided by your Local Resilience Manager. The main functions should be agreed and approved by the CCG Accountable Emergency Officer (AEO). Part C (1) Disruption Likelihood, (2) Impacts & Activities, (3) Risk Assessment C1. Disruption Likelihood Lists the key disruptions facing the CCG and provides an assessment of the likelihood of each occuring. Typical risks to plan for include Loss of People, Loss of Premises, Loss of Resources and Loss of Suppliers. For each type of loss, consideration should be given to the likelihood of both short term and medium to long term disruption. When considering the likelihood you can use the NPSA risk scoring matrix for guidance (provided with this toolkit). You should consider factors specific to your CCG including physical location i.e. your building may be in a flood area. Your Local Resilience Manager will be able to provide you with advice based on the Greater Manchester Community Risk Register. C2. Impacts of Disruption to Most Urgent CCG Functions Copyright Greater Manchester Commissioning Support Unit Completion Notes

20 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Completion Notes The functions identified as 'Most Urgent CCG Functions' in Part B should be copied and pasted to this section of Part C so that an assessment can be made of the impacts over time that would result from their loss or disruption. When considering the level and types of impact you can use the NPSA risk scoring matrix for guidance (provided with this toolkit). Your Local Resilience Manager can also support you with this process. C2. Activities that support Most Urgent Functions Provides a summary of the activities that contribute to the delivery of processes and services identified as 'Most Urgent CCG Functions'. Part D C3. Risk Assessment The Risk Assessment is a calculation based on the likelihood (short term and medium to long term) multiplied by the highest impact over time. The Level of Risk will be automatically populated from the information entered in earlier tabs (Part C1 and Part C2). This should help with prioritising mitigation activities and inform the content of the Business Continuity Plan. The thresholds for Risk Assessment Levels (Red, Amber, Green) are based on the NPSA Model Matrix (provided with this toolkit). However, this is a suggestion only and can be adjusted to suit your CCG requirements as required. Your Local Resilience Manager can support you with this if required. Requirements & Dependencies Requirements to maintain activities supporting Most Urgent Functions Gives an indication of requirements in terms of people, premises, resources and suppliers that are needed to maintain the Most Urgent CCG Functions. Dependencies Describes the main activity dependencies, both external and internal. Part E Continuity Strategies Identifies possible options for reducing the impact of loss or disruption to people, premises, resources and suppliers and includes implications or considerations associated with the identified options. Copyright Greater Manchester Commissioning Support Unit Completion Notes

21 NHS Heywood, Middleton & Rochdale Clinical Commissioning Group (CCG) CCG Business Continuity Management (BCM) Programme Impacts and Strategies Toolkit Document Name: CCG BCM Lead: Toolkit Version: Assessment Date: HMR CCG BCM Impacts & Strategies Toolkit Ian Mello October 2014 Copyright Greater Manchester Commissioning Support Unit

22 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part A Document Name: CCG BCM Lead: Chief Officer HMR CCG BCM Impacts & Strategies Toolkit Ian Mello Lesley Mort Impacts & Strategies Toolkit (IST) Document Control Date IST completed: 03 October 2014 Name Ian Mello IST collated by: Title Director of Comminssioning and Provider Management ianmello@nhs.net Phone IST Version: 0.2 IST Status: Draft Name Lesley Mort IST owner: Title Chief Officer lesleymort@nhs.net Phone CCG Facts Purpose of the organisation: To commission high quality and cost effective healthcare services for the local population. CCG Stakeholders: NHS Other Member GP practices, Oldham CCG, Bury CCG, NHS England (Greater Manchester), Greater Manchester Commissioning Support Unit, NHS Property Services, Pennine Care Foundation Trust, Pennine Acute Hospital Trust Rochdale Metropolitan Borough Council CCG Headcount: CCG Locations: Main Other HMR CCG, Number One Riverside, 3rd Floor, Smith Street, Rochdale, OL16 1XU Incident Control Rool, Unit 2, Sherwood Business Park, Sherwood Street, Castleton, Rochdale, OL11 2PA Copyright Greater Manchester Commissioning Support Unit A. CCG Facts

23 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part B Document Name: CCG BCM Lead: Date of Assessment: HMR CCG BCM Impacts & Strategies Toolkit Ian Mello 03 October 2014 Main CCG Functions Key Ref Main functions undertaken = the responsibilities or areas of work undertaken by the CCG summed up in a few words Urgency = the priority for contininuing or recovering the identified function in the event of its loss, interruption or disruption MTPD (Maximum Tolerable Period of Disruption) = the time it would take for the adverse impacts of not providing the identified function to become unacceptable RTO (Recovery Time Objective) = the period of time following loss, interruption or disruption which within the function must be resumed to at least a minimum acceptable level Main CCG functions undertaken Urgency MTPD measured in e.g. Handling patient complaints Most urgent Weeks 1wk to 1 mnth 1 Commissioning - Strategic Planning Less urgent Weeks 1 wk to 1 mnth 2 Commissioning - Service Design & Spec (including non live tenders) Less urgent Weeks 1 wk to 1 mnth 3 Commissioning - Contract and Performance Management Less urgent Weeks 1 wk to 1 mnth 4 Commissioning - Procurement (inc live tenders) Most urgent Days 1 day to 1 wk 5 CCG - Performance Management Less urgent Weeks 1 wk to 1 mnth Commissioning - Quality and safety management 6 Most urgent Days 1 day to 1 wk of Healthcare Services (Inc investigation) Commissioning Health Needs assessments and 7 Most urgent Days 1 day to 1 wk idenification of care packages (CHC) 8 Maintain safety of staff and visitors Most urgent Hours within 24 hours RTO 9 full requirement as Category 2 responder under the CCA - appropriate on call arrangements Most urgent Hours within 24 hours 10 Involvement with our local population in decision making on services we commission Less urgent Weeks 1 mnth + 11 Mandatory reporting requirements Most urgent Days 1 day to 1 wk 12 Ensure Provision of resilient IT Clinical systems & telephony Most urgent Hours within 24 hours 13 Ensure the provision of resilient IT CCG system and telephony Less urgent Days 1 day to 1 wk 14 Handle Patient Complaints Less urgent Days 1 wk to 1 mnth 15 Support requirement for safeguarding Most urgent Hours within 24 hours 16 Ensure effective financial management including payment of invoices Most urgent Days 1 wk to 1 mnth Copyright Greater Manchester Commissioning Support Unit B. Main Functions

24 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part C1 Document Name: CCG BCM Lead: Date of Assessment: HMR CCG BCM Impacts & Strategies Toolkit Ian Mello 03 October 2014 Disruption Likelihood Key [ST] A Short Term disruption (i.e. disruption likely to last less than 4 weeks) [M-LT] A Medium - Long Term disruption (i.e. disruption likely to extend beyond 4 weeks) EXAMPLES - The examples below are provided for illustrative purposes only and are not intended to be an exhaustive list Loss of People: Loss of Premises: [ST] Staff unable to reach work because of severe weather and associated transport disruption; staff participation in industrial action [M-LT] Significant staff absence due to an influenza pandemic [ST] Denial of site access due to a time-limited event such as a police cordon or temporary evacuation [M-LT] Denial of site access for a prolonged period due to, for example, significant structural damage in a fire or flood Loss of Resources: Loss of Supplier: [ST] Resources unavailable due to a temporary power outage or a time-limited systems failure [M-LT] Resources unavailble due to catastrophic IM&T failure or theft of/crimimal damage to information/equipment [ST] Key supplier unavailable to provide service due an internal, time-limited disruption affecting operations [M-LT] Key supplier unavailble to provide service due to bankcruptcy or major breach of contract Likelihood Ratings: [1] Rare [2] Unlikely [3] Possible [4] Likely [5] Almost Certain Ref Disruption [ST] Likelihood [M-LT] Likelihood e.g. Loss of people Loss of People Loss of Premises Loss of Resources Loss of Supplier 4 3 Copyright Greater Manchester Commissioning Support Unit C1. Disruption Likelihood

25 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part C2 Document Name: CCG BCM Lead: Date of Assessment: HMR CCG BCM Impacts & Strategies Toolkit Ian Mello 03 October 2014 Impacts of Disruption to Most Urgent CCG Functions Key Duration of impact: Impact ratings: Range of impacts: [hrs] 1-24hrs [d-w] days to a week [w-m] weeks to a month [m+] months [1] Negligible [2] Minor [3] Moderate [4] Major [5] Catastrophic [a] welfare [b] operational [c] financial [d] reputational [e] legal [f] other *Highest Impact [HI]: Take the highest value from all impact scores and replicate in [HI] column Impacts over time Ref Most Urgent CCG Functions hrs d-w w-m m+ [HI] Range of impacts e.g Handling patient complaints d, e 1 Commissioning - Procurement (inc live tenders) a,b,c,d,e,f Commissioning - Quality and safety 2 management of Healthcare Services (Inc a,b,d,e investigation) 3 Commissioning Health Needs assessments and idenification of care packages (CHC) a,b,d,e 4 Maintain safety of staff and visitors a,b,c,d,e full requirement as Category 2 responder 5 under the CCA - appropriate on call a,b,c,d,e arrangements 6 Mandatory reporting requirements b,c,d,e 7 Ensure provision of resilient IT Clinical systems & telephony a,b,c,d,e 8 Support requirement for safeguarding a,b,d,e 9 Ensure effective financial management including payment of invoices b,c,d,e Activities that support Most Urgent CCG Functions Ref e.g Most Urgent CCG Functions Handling patient complaints Summary of supporting activities Answering calls, receiving s/letters, logging complaints, liaising with practitioners, writing reports, updating records, contacting patients. Copyright Greater Manchester Commissioning Support Unit C2. Impacts & Activities

26 Impacts and Strategies Toolkit - Part C2 1 2 Commissioning - Procurement (inc live tenders) Commissioning - Quality and safety management of Healthcare Services (Inc investigation) Delivering individual procurement and tender timescales. Maintain and work within key timescales - PQQ Stakeholder engagement. Ability to receive intelligence and data. Information gathering and analysis. Review and maintain reporting and management framework. Access to STEIS reporting. 3 4 Commissioning Health Needs assessments and idenification of care packages (CHC) Maintain safety of staff and visitors Receive information requesting screening and review of patients, Patient review, Undertaking individual patient clinical assessments, identification of health needs. Designing neccessary care packages, Application of CHC criteria to determine funding arrangements. Securing and monitoring care arrangements or placements Signing in sheet ensures that the CCG is aware of all CCG/CSU staff on site, Visitors on site are signed in via RMBC reception procedure Designated fire wardens in CCG, Designated first aiders on site (RMBC staff) All elements of safety are covered by the RMBC Facilities Management, Property and Highways Business Continuity Plan 5 6 full requirement as Category 2 responder under the CCA - appropriate on call arrangements Mandatory reporting requirements 24/7 NE Sector On call arrangement in place. Liaison with on call Director as required. Prompt initiation of pre-planned coordinated operational response including information dissemination and gathering. Set up of the Incident Control Centre. Review of guidance, Data collection for mandatory reports, internal reporting and sign off through CCG governance arrangements, liaison with CSU CCG reporting/data uploads to UNIFY and NHS England in line with mandatory timescales. 7 Ensure provision of resilient IT Clinical systems & telephony Liaison with CSU IM&T Managers, liaison with providers e.g. GPs, Acutes and Community Services 8 Support requirement for safeguarding Receive alerts and information from stakeholders i.e. LA and Care Homes, review potential issues around Safeguarding. Maintain effective systems and processes to receive and review all safeguarding alerts. Liaise and work with partners. 9 Ensure effective financial management including payment of invoices Liaison with CSU, implementation of manual processes to pay suppliers, liaison with providers, notification to NHSE GMAT Copyright Greater Manchester Commissioning Support Unit C2. Impacts & Activities

27 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part C3 Document Name: CCG BCM Lead: Date of Assessment: HMR CCG BCM Impacts & Strategies Toolkit Ian Mello 03 October 2014 Risk Assessment Key ST Short Term Disruption (i.e. disruption likely to last less than 4 weeks) M-LT Medium - Long Term Disruption (i.e. disruption likely to extend beyond 4 weeks) High Risk Score of 15 or More Moderate-Medium Risk Score of 4-12 Low Risk Score of 1-3 Risk score is calculated by multiplying disruption likelihood (ratings in Part C1) by the highest impact over time to Most Urgent CCG Functions (ratings in Part C2) PEOPLE Risk Assessment PREMISES RESOURCES SUPPLIERS Ref Most Urgent CCG Functions ST M-LT ST M-LT ST M-LT ST M-LT 1 Commissioning - Procurement (inc live tenders) Commissioning - Quality and safety management of Healthcare Services (Inc investigation) Commissioning Health Needs assessments and idenification of care packages (CHC) Maintain safety of staff and visitors full requirement as Category 2 responder under the CCA - appropriate on call arrangements 6 Mandatory reporting requirements Ensure provision of resilient IT Clinical systems & telephony Ensure effective financial management including payment of invoices Copyright Greater Manchester Commissioning Support Unit C3. Risk Assessment

28 CCG Business Continuity Management Programme Impacts and Strategies Toolkit - Part D Document Name: CCG BCM Lead: Date of Assessment HMR CCG BCM Impacts & Strategies Toolkit Ian Mello 03 October 2014 Requirements to maintain Most Urgent CCG Functions PEOPLE (knowledge, skills, relationships, contacts) Contact personnel in neighbouring CCG's with specialist skills. Seek support for temporary specialist 'cover' arrangements with neighbouring CCG's GM CSU support to secure short term supplementary support. GM CSU support to secure temporary or replacement personnel. PREMISES (buildings, facilities, accommodation) Office space to accommodate CCG personnel,associated CSU embedded staff and meeting room space. Accommodation includes operational utilities, toilets and kitchen. Secure document storage cupboards / facilities. Workstations RESOURCES (IT hardware, IT systems and networks, information, reference documents, databases, software, devices, equipment, materials) SUPPLIERS (third party providers of goods and services) Secure electronic information storage facilities including backup. Electronic information access arrangements for staff accessing intranet and CCG drive. IT workstations, desktop pc's and or portable devices. Electronic security software. Range of accessable standard pc software and specialist packages. Telephone landlines and mobile telephones. GMCSU range of product support. NHS Shared Business Services. NHS Property Company. Dependencies External Dependencies (organisations, agencies, individuals, regulators, government departments - outline of dependency) GMCSU range of product support including: comms & engagement, IM&T, Finance NHS Shared Business Services. Operation of ledgers and supporting financial systems. NHS PropCo. Provision of safe secure base premises. GMCSU support to maintain information systems. Orange to maintain portable communication systems (phones,laptops and tablets) Partnership for Health - Rochdale MBC Internal Dependencies (other CCG services or teams - outline of dependency) CCG Corporate Office providing central communication access into the CCG and full range of skilled administrative support for business activities. Copyright Greater Manchester Commissioning Support Unit D. Requirements & Dependencies