Date Ratified 02/12/2010 Business Service Development Committee Review Date 01/12/2012 Director of Operations Expiry Date 01/12/2013 Withdrawn Date


Policy No: RM66
Version: 2.0
Name of Policy: Business Continuity Planning Policy
Effective From: 24/02/2011
Date Ratified: 02/12/2010
Ratified: Business Service Development Committee
Review Date: 01/12/2012
Sponsor: Director of Operations
Expiry Date: 01/12/2013
Withdrawn Date:

This policy supersedes all previous issues.

Business Continuity Planning Policy v2

Version control

Version Release Author/ Reviewer Ratified by/ Authorised by 1.0 July 2009 A Colwell HR Committee /02/2011 A Colwell Business and Service Development Committee Major Incident Planning Group Date 16/03/ /12/ /02/2011 Changes (please identify page no) OP 27 format CQC requirements Updated risk assessment score matrix

Contents

1. Introduction
2. Policy Scope
3. Aim of this Policy
4. Roles and Responsibilities
5. Definitions
6. Delivery of the Policy
6.1 Major Incident Planning Group (MIPG)
6.2 Notification of a disruption in business continuity
6.3 Business Continuity Plans Standard Template
6.4 Threat Assessment
6.5 Identification of Business Threats
6.6 Business Impact Analysis
6.7 Continuity Planning
6.8 Review of Business Continuity Plans
Risk Assessments
7. Training
8. Equality and Diversity
9. Monitoring compliance with the policy
10. Consultation and review of this policy
11. Implementation of policy (including raising awareness)
12. References
Appendix 1 Example Business Continuity Pack
Appendix 2 Business Continuity Pack
Appendix 3 Training Programme

1. Introduction

This Trust delivers a wide range of services to its local community. Failure to deliver these services could have a detrimental impact on the health of the public and the viability of our business. It is therefore essential that the Trust has robust business continuity plans (BCP) in place. The consequences of not having effective BCP in place could have serious implications, including:

- failure to deliver key services
- possibility of loss of life or injury
- loss of public confidence
- exposure to potential legal action, leading to subsequent heavy financial penalties.

2. Policy Scope

This policy is applicable to all Trust functions, services, divisions and departments within and provided by the Trust. The policy covers the Trust's responsibilities as a Category 1 responder under the Civil Contingencies Act and the respective Care Quality Commission standards.

3. Aim of this Policy

The aim of this policy is to embed business continuity in the culture of the organisation, rather than fire-fighting each emergency, so that business-as-usual is achieved in the quickest possible time. This will increase confidence in the organisation and the reputation of the Trust.

4. Roles and Responsibilities

Director of Operational Services

The Director of Operational Services leads on behalf of the Chief Executive and the Trust Board for Business Continuity Planning.

Senior Managers, Heads of Service and Service Managers

Senior Managers, Heads of Service and Service Managers will be responsible for undertaking the appropriate risk assessment process, which includes the completion of appropriate Business Continuity Plans as outlined in this policy, and when required presenting Business Continuity Plans to the Major Incident Planning Group. In addition it is their responsibility to ensure that all risks are entered onto the Trust Risk Register.

Business Continuity Planning Coordinator

The Business Continuity Planning Coordinator will be responsible for the coordination of the Trust's BCP Plan Register. In addition the Major Incident Planning Group (MIPG) will ensure that plans are regularly reviewed and any actions identified within plans are progressed. The MIPG will present regular updates to the Trust Board on the Trust's Business Continuity Plans.

5. Definitions

Business Continuity Management

For the NHS, Business Continuity Management is defined as: The management process that enables an NHS organisation:

- to identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation.
- to identify and reduce the risks and threats to the continuation of these key services.
- to develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time.

For the NHS, service interruption may be defined as: Any disruptive challenge that threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal operating functions.

Civil Contingencies Act

Within the Civil Contingencies Act 2004, all acute Trusts have responsibilities as Category One responders. Category One responders are required to take up their civil protection duties and be able to perform their functions so far as necessary or desirable to respond to an emergency. Part of this responsibility is to produce Business Continuity Plans.

Care Quality Commission

In addition to our own internal performance monitoring the Trust is also subject to Outcome 10 of the CQC standard, which stipulates that people who work, visit or use our services can be confident that, in relation to maintenance and renewal, there are clear procedures, followed in practice, monitored and reviewed, which cover:

- What will happen in the event of electricity, water or gas supply failure
- What will happen in the event of a fire or flooding
- Other emergencies that occur on the premises
- How the situation will be managed should IT or communication systems which are integral to the premises fail.

6. Delivery of the Policy

Business Continuity Management can be seen as complementary to the work of those involved in emergency management. Emergency management is carried out through the work of the Major Incident Planning Group. It is critical therefore that both processes are integrated and complementary to each other, as a major incident may occur at the same time as a business continuity issue, or be triggered by it.

6.1 Major Incident Planning Group (MIPG)

This Trust's MIPG is to have in place effective arrangements to maintain the most critical services and to ensure that these arrangements are regularly reviewed and practised. The delivery of the policy will be undertaken by the MIPG. The Major Incident Planning Group will ensure that effective Business Continuity Planning is undertaken across all directorates through:

a) Developing a Business Continuity Planning risk assessment process which will identify critical activities and critical dependencies, which need to be addressed to ensure continuation of a pre-determined level of service.
b) Agreeing a training programme in Business Continuity Management.
c) Ensuring that all Divisions produce Business Continuity Plans to overcome the critical risks identified in the shortest possible time.
d) Ensuring that the Divisions have considered the cost benefits between reducing the risk and the benefit achieved.
e) Regularly reviewing the Business Continuity Plans.
f) Conducting exercise events to regularly test the effectiveness of the Business Continuity Plans.

6.2 Notification of a disruption in business continuity

The Major Incident Planning Group will clarify the internal procedures for the notification of an incident. It will describe the management procedures, both in and out of hours, to determine the severity of the business interruption and to determine the trigger points for a Hospital Control Team to be assembled. Account will also be taken of other Trust policies relating to the management of untoward incidents.

6.3 Business Continuity Plans Standard Template

The Trust's Business Continuity Plan Template is included at Appendix 1. The completion of the standard template will ensure that the methodology for Business Continuity Plans is consistently applied across all Divisions. This methodology will include:

6.4 Threat Assessment

A threat assessment will develop a framework to identify and validate the potential threat to clinical activity and business functions. The criticality of the risks may be assessed according to impact on the Trust in terms of the domains and consequences x likelihood as identified in the tables below. Not all services will be as critical as others. The framework will therefore identify the low, moderate, high and extreme risk factors using the tables below as a guide.

Choose the most appropriate domain for the identified risk from the left hand side of the table. Then work along the columns in the same row to assess the severity of the risk on the scale of 1 to 5 to determine the consequence score, which is the number given at the top of the column.

Table 1 Consequence score (L)

Consequence score (severity levels) and examples of descriptors, by domain. Columns: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic.

Domain: Impact on the safety of patients, staff or public (physical/psychological harm)
1 Negligible: Minimal injury requiring no/minimal intervention or treatment; No time off work
2 Minor: Minor injury or illness, requiring minor intervention; Requiring time off work for >3 days; Increase in length of hospital stay by 1-3 days
3 Moderate: Moderate injury requiring professional intervention; Requiring time off work for 4-14 days; Increase in length of hospital stay by 4-15 days; RIDDOR/agency reportable incident; An event which impacts on a small number of patients
4 Major: Major injury leading to long-term incapacity/disability; Requiring time off work for >14 days; Increase in length of hospital stay by >15 days; Mismanagement of patient care with long-term effects
5 Catastrophic: Incident leading to death; Multiple permanent injuries or irreversible health effects; An event which impacts on a large number of patients

Domain: Quality/complaints/audit
1 Negligible: Peripheral element of treatment or service suboptimal; Informal complaint/inquiry
2 Minor: Overall treatment or service suboptimal; Formal complaint (stage 1); Local resolution; Single failure to meet internal standards; Minor implications for patient safety if unresolved; Reduced performance rating if unresolved
3 Moderate: Treatment or service has significantly reduced effectiveness; Formal complaint (stage 2) complaint; Local resolution (with potential to go to independent review); Repeated failure to meet internal standards; Major patient safety implications if findings are not acted on
4 Major: Non-compliance with national standards with significant risk to patients if unresolved; Multiple complaints/independent review; Low performance rating; Critical report
5 Catastrophic: Totally unacceptable level or quality of treatment/service; Gross failure of patient safety if findings not acted on; Inquest/ombudsman inquiry; Gross failure to meet national standards

Domain: Human resources/organisational development/staffing/competence
1 Negligible: Short-term low staffing level that temporarily reduces service quality (< 1 day)
2 Minor: Low staffing level that reduces the service quality
3 Moderate: Late delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>1 day); Low staff morale; Poor staff attendance for mandatory/key training
4 Major: Uncertain delivery of key objective/service due to lack of staff; Unsafe staffing level or competence (>5 days); Loss of key staff; Very low staff morale; No staff attending mandatory/key training
5 Catastrophic: Non-delivery of key objective/service due to lack of staff; Ongoing unsafe staffing levels or competence; Loss of several key staff; No staff attending mandatory training/key training on an ongoing basis

Domain: Statutory duty/inspections
1 Negligible: No or minimal impact or breach of guidance/statutory duty
2 Minor: Breach of statutory legislation; Reduced performance rating if unresolved
3 Moderate: Single breach in statutory duty; Challenging external recommendations/improvement notice
4 Major: Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report
5 Catastrophic: Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report

Domain: Adverse publicity/reputation
1 Negligible: Rumours; Potential for public concern
2 Minor: Local media coverage, short-term reduction in public confidence; Elements of public expectation not being met
3 Moderate: Local media coverage, long-term reduction in public confidence
4 Major: National media coverage with <3 days service well below reasonable public expectation
5 Catastrophic: National media coverage with >3 days service well below reasonable public expectation; MP concerned (questions in the House); Total loss of public confidence

Domain: Business objectives/projects
1 Negligible: Insignificant cost increase/schedule slippage
2 Minor: <5 per cent over project budget; Schedule slippage
3 Moderate: 5-10 per cent over project budget; Schedule slippage
4 Major: Non-compliance with national per cent over project budget; Schedule slippage; Key objectives not met
5 Catastrophic: Incident leading >25 per cent over project budget; Schedule slippage; Key objectives not met

Domain: Finance including claims
1 Negligible: Small loss; Risk of claim remote
2 Minor: Loss of per cent of budget; Claim less than 10,000
3 Moderate: Loss of per cent of budget; Claim(s) between 10,000 and 100,000
4 Major: Uncertain delivery of key objective/loss of per cent of budget; Claim(s) between 100,000 and 1 million; Purchasers failing to pay on time
5 Catastrophic: Non-delivery of key objective/Loss of >1 per cent of budget; Failure to meet specification/slippage; Loss of contract/payment by results; Claim(s) > 1 million

Domain: Service/business interruption
1 Negligible: Loss/interruption of >1 hour
2 Minor: Loss/interruption of >8 hours
3 Moderate: Loss/interruption of >1 day
4 Major: Loss/interruption of >1 week
5 Catastrophic: Permanent loss of service or facility

Domain: Environmental impact
1 Negligible: Minimal or no impact on the environment
2 Minor: Minor impact on environment
3 Moderate: Moderate impact on environment
4 Major: Major impact on environment
5 Catastrophic: Catastrophic impact on environment

Table 2 Likelihood score (L)

What is the likelihood of the consequence occurring? The frequency-based score is appropriate in most circumstances and is easier to identify. It should be used whenever it is possible to identify a frequency.

Likelihood score, descriptor and frequency (how often might it/does it happen):
Rare: This will probably never happen/recur
Unlikely: Do not expect it to happen/recur but it is possible it may do so
Possible: Might happen or recur occasionally
Likely: Will probably happen/recur but it is not a persisting issue
Almost certain: Will undoubtedly happen/recur, possibly frequently

Table 3 Risk scoring = consequence x likelihood (C x L)

Likelihood score (columns): Rare, Unlikely, Possible, Likely, Almost certain
Consequence score (rows): 5 Catastrophic, Major, Moderate, Minor, Negligible

For grading risk, the scores obtained from the risk matrix are assigned grades as follows:
1-3 Low risk
4-6 Moderate risk
8-12 High risk
Extreme risk

6.5 Identification of Business Threats

It will identify the greatest threat/s that could disrupt the Trust's business.

These threats could be external, e.g.
- Natural or man-made disasters, i.e. flooding, fire
- Adverse weather conditions, i.e. high winds (structural damage), snow
- Problems with the supply chain
- Power failure
- Water supply failure
- Fuel shortage

They may be internally created, e.g.
- Communication disruptions, i.e. telephone
- Equipment failure
- Network or hardware failure
- Staff / skill shortage

6.6 Business Impact Analysis

The aim will be to analyse:
- Critical activities
- Dependencies required for delivering these activities. These may be internal and external.
- The impact of disruption to these activities, including the financial consequences
- The timescales for recovery
- Recovery profile, e.g. resources, equipment, etc.
- Recovery options

6.7 Continuity Planning

The strategy will require Business Continuity and Recovery Plans to eliminate the high risk factors and attempt to reduce the medium risk factors, identified as part of the threat assessment referred to above. The strategy may accept the low risk factors. Planning considerations will include:

- People: skills, i.e. identify key staff and required skills; consider training requirements to strengthen staff flexibility, document processes, etc.
- Information: regular computer back-ups, off-site storage, scanning key documents, battle-box! etc.
- Space: internal solution, alternative sites, etc.
- Training requirements: staff will need to be familiar with the Business Continuity Plan specific to their activity.

In every instance there will be a need for managers to conduct a cost benefit analysis between the cost of reducing the risk, the benefit achieved and the effort involved in preparing a contingency plan.

6.8 Review of Business Continuity Plans

To ensure a programme to regularly review the Corporate and Clinical Directorate Business Continuity Plans. Validation and maintenance of existing plans is essential and needs to be conducted on a regular basis to ensure that the plans remain fit for purpose.

Risk Assessments

Business Continuity Planning and subsequent reviews focus managers' attention on the risks that might impact on the delivery of their services. Managers should also take notice of indicators of risk identified through other internal mechanisms, such as:

- Adverse incident reporting
- Security reports
- Fire reports
- Health and Safety reports
- Accident reports

7. Training

Adequate training will be provided for staff to effectively adhere to the requirements of this policy in accordance with the programme identified at Appendix 3.

8. Equality and Diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. This policy has been appropriately assessed.

9. Monitoring compliance with the policy

Standard process/issue: The effectiveness of this policy will be monitored through the Major Incident Planning Group.
Monitoring and Audit
Method: Regular updates on business continuity planning, including any identifiable actions outstanding, will be presented when appropriate to do so.
By: BCP Coordinator
Committee: MIPG
Frequency: On going

10. Consultation and review of this policy

This policy has been reviewed in consultation with the Equality and Diversity Coordinator, Counter Fraud Specialist and Risk Management Team.

11. Implementation of policy (including raising awareness)

This policy will be circulated by the Trust Secretary via the Trust system and will be available on the Trust intranet for all staff to access. The policy will also be made freely available to the public via the Trust's internet page. Managers will be made aware of the policy during subsequent BCP plan reviews.

12. References

Planning for NHS resilience: interim strategic national guidance for NHS organisations, issued June 2008

APPENDIX 1 EXAMPLE BUSINESS CONTINUITY PACK

EXAMPLE Business Continuity Planning Pack

Contents

Part 1 Identify Threats and Critical Services / Processes affected
Think about threats and the potential impact of them upon your service area. Identify your critical services or processes within your service area that would be affected if the threat were to happen.

Part 2 Continuity Measures and Service Recovery
To identify contingency strategies to mitigate the impact of threats.

Part 3 Outstanding Actions and Sign Off
Note all outstanding actions from parts 1 and 2, agree an action plan, then achieve full sign off of this pack.

Part 4 Summary Sheet

Remember the aim of this pack is to prepare your service to cope with the effects of an emergency situation. It is not just important to complete this now but to ensure that you review annually and when there are any service changes.

EXAMPLE

Office use only, REF:
Division:
Ward / Department:

Part 1: Identify the Threat and Critical Services / Processes affected.

Objective: Think about threats and the potential impact of them upon your service area. Identify your critical services or processes within your service area that would be affected if the threat were to happen.

= additional information to help with the completion of this document

Columns: Threat; Likelihood; Consequence; Outcome; Identify Critical Services and Processes Affected; IMPACT TIMESCALE (>1 hour, >8 hours, >1 day, >1 week, Permanent loss of service)

Additional information:
- Describe any threat that could affect your service. Refer to the Threat scoring Matrix for Likelihood and Consequence.
- Describe what service or process would be affected as a consequence of the threat (dependencies). Transfer to Part 2.
- Using the Threat scoring Matrix categorise the impact on the Critical Service and Processes during the timescales below.

Example entry:
Threat: Fire
Likelihood: Possible
Consequence: Catastrophic
Outcome: Loss of switchboard room
Critical services and processes affected, with impact:
- Loss of consoles: Catastrophic
- Loss of bleeps: Catastrophic
- Loss of alarm monitoring: Moderate, Major, Catastrophic

EXAMPLE

REF:
Division:
Ward / Department:

Part 2: Contingency Measures and Service Recovery

Objective: To identify contingency strategies to mitigate the impact of the identified threats.

= additional information to help with the completion of this document

Columns:
- Critical Services and Processes Affected: Transferred from Part 1.
- Contingency Strategy/Measure: Describe what the Contingency measures will be.
- Timescale to implement Contingency Measure: How long will it take to implement this contingency measure.
- Cost (Low / Med / High): List the cost if the contingency measure still requires financial resource ( 1k low, 1-5k med, 5k+ high).
- Is This Entered onto Department and or Trust Risk Register: N = No, D = Dept Only, T = Trust, B = Both.
- Service Recovery: Explain what recovery plan you have in place and the timeframe your service will be back to normal.

Example entries:

Loss of consoles
Contingency measure: Maintenance Agreement, Power Back Up, Refer to Local Continuity Plan
Timescale to implement: 1 HOUR
Cost: N/A Equipment already in place
Risk Register: B
Service recovery: Refer to Telecoms Recovery Plan

Loss of bleeps
Contingency measure: Maintenance Agreement, Power Back Up, Refer to Local Continuity Plan
Timescale to implement: 1 HOUR
Cost: N/A Equipment already in place
Risk Register: B
Service recovery: Refer to Telecoms Recovery Plan

Loss of alarm monitoring
Contingency measure: Maintenance Agreement, Power Back Up, Refer to Local Continuity Plan
Timescale to implement: 1 HOUR
Cost: N/A Equipment already in place
Risk Register: B
Service recovery: Refer to Telecoms Recovery Plan

EXAMPLE

Office use only, REF:
Division:
Ward / Department:

Part 3: Outstanding Actions and Sign Off

Objective: As a result of what has been identified during the completion of this pack describe any actions which still need to be taken to maintain business continuity.

= additional information to help with the completion of this document

Columns:
- Further / outstanding actions: use this part to list any further actions still to be taken.
- Person(s) responsible: use this part to note the person's name who is responsible for the particular action.
- Detail of how action will be completed: use this part to detail how the action will be completed.
- Date to be completed by: use this part to note the date when the action will be completed by.

Example entry:
Further / outstanding action: Discuss Plans at next Team meeting
Person(s) responsible: GC
Detail of how action will be completed: Agenda item at next Telecoms staff meeting
Date to be completed by: March 11

Pack Completed By (please print):
Designation:
Signature:
Date:

Signature of Head of Service (if not the person completing this pack):
Date:

Part 4: EXAMPLE BUSINESS CONTINUITY PLANNING SUMMARY SHEET

Division:
Ward / Department:

Departmental BCP Summary Sheet

Columns: PLAN REF; THREAT; Outstanding Action; Person Responsible; Review Date; Complete Date

Example entry:
PLAN REF: Will be automatically generated
THREAT: Loss of switchboard room
Outstanding Action: 1 Discuss Plans at next Team meeting
Person Responsible: GC
Review Date: March
Complete Date:

When your pack/s are complete it/they must be copied and sent to the Trust BCP Coordinator, Trust Headquarters, who will then monitor the actions still to be taken (if any) within Part 4. If there are no actions to be taken within Part 4 your pack will be documented and filed within the Trust BCP Register.

APPENDIX 2 BUSINESS CONTINUITY PACK

Business Continuity Planning Pack

Contents

Part 1 Identify Threats and Critical Services / Processes affected
Think about threats and the potential impact of them upon your service area. Identify your critical services or processes within your service area that would be affected if the threat were to happen.

Part 2 Continuity Measures and Service Recovery
To identify contingency strategies to mitigate the impact of threats.

Part 3 Outstanding Actions and Sign Off
Note all outstanding actions from parts 1 and 2, agree an action plan, then achieve full sign off of this pack.

Part 4 Summary Sheet

Remember the aim of this pack is to prepare your service to cope with the effects of an emergency situation. It is not just important to complete this now but to ensure that you review annually and when there are any service changes.

Office use only, ref:
Division:
Ward / Department:

Part 1: Identify the Threat and Critical Services / Processes affected.

Objective: Think about threats and the potential impact of them upon your service area. Identify your critical services or processes within your service area that would be affected if the threat were to happen.

= additional information to help with the completion of this document

Columns: Threat; Likelihood; Consequence; Outcome; Identify Critical Services and Processes Affected; IMPACT TIMESCALE (> 1 hour, > 8 hours, > 1 day, > 1 week, Permanent loss of services)

Additional information:
- Describe any threat that could affect your service. Refer to the Threat scoring Matrix for Likelihood and Consequence.
- Describe what service or process would be affected as a consequence of the threat (dependencies). Transfer to Part 2.
- Using the Threat scoring Matrix categorise the impact on the Critical Service and Processes during the timescales below.

Office use only, ref:
Division:
Ward / Department:

Part 2: Contingency Measures and Service Recovery

Objective: To identify contingency strategies to mitigate the impact of the identified threats.

= additional information to help with the completion of this document

Columns:
- Critical Services and Processes Affected: Transferred from Part 1.
- Contingency Strategy/Measure: Describe what the Contingency measures will be.
- Timescale to implement Contingency Measure: How long will it take to implement this contingency measure.
- Cost (Low / Med / High): List the cost if the contingency measure still requires financial resource ( 1k low, 1-5k med, 5k+ high).
- Is This Entered onto Department and or Trust Risk Register: N = No, D = Dept Only, T = Trust, B = Both.
- Service Recovery: Explain what recovery plan you have in place and the timeframe your service will be back to normal.

Office use only, REF:
Division:
Ward / Department:

Part 3: Outstanding Actions and Sign Off

Objective: As a result of what has been identified during the completion of this pack describe any actions which still need to be taken to maintain business continuity.

= additional information to help with the completion of this document

Columns:
- Further / outstanding actions: use this part to list any further actions still to be taken.
- Person(s) responsible: use this part to note the person's name who is responsible for the particular action.
- Detail of how action will be completed: use this part to detail how the action will be completed.
- Date to be completed by: use this part to note the date when the action will be completed by.

Pack Completed By (please print):
Designation:
Signature:
Date:

Signature of Head of Service (if not the person completing this pack):
Date:

Part 4: BUSINESS CONTINUITY PLANNING SUMMARY SHEET

Division:
Ward / Department:

Departmental BCP Summary Sheet

Columns: PLAN REF (will be automatically generated); THREAT; Outstanding Action; Person Responsible; Review Date; Complete Date

When your pack/s are complete it/they must be copied and sent to the Trust BCP Coordinator, Trust Headquarters, who will then monitor the actions still to be taken (if any) within Part 4. If there are no actions to be taken within Part 4 your pack will be documented and filed within the Trust BCP Register.

Appendix 3 Training Programme

Annual

At the Trust annual review, training will be part of the standard agenda. This will provide an opportunity for Heads of Service and Departmental Managers to receive formal instruction on the Business Continuity Planning process, including raising awareness of BCP, risk assessment processes and any relevant updates on BCP.

Cascade Training

Heads of Service / Departmental Managers are responsible for cascading relevant training to staff with responsibility for BCP.