Public Governing Body Meeting 19 August 2014


This paper is being submitted to the Governing Body for amendment and/or approval as appropriate. It should not be regarded, or published, as CCG Policy until formally agreed at the Governing Body meeting, which the press and public are entitled to attend.

Title: Business Continuity Policy
Number: PGB
Presented by: Eugene Sullivan, Consultant

Why is this paper being presented to the Governing Body?

Business Continuity policies and plans are essential tools to help the CCG identify and deal with the business impact of disruption to normal business functions. Nene CCG has recently refreshed its Business Continuity Policy, which was approved on behalf of the Governing Body by the Audit and Risk Committee on 15th July. The attached policy is in line with NHS guidance and international good practice. It forms the basis for the Business Continuity Plan.

Key points to note:
- The policy has been developed in conjunction with GEM CSU specialists in Business Continuity.
- It uses the latest good practice and standards.
- It has been underpinned by a detailed business impact assessment across the whole of Nene.
- The Policy is supported by a Business Continuity Plan, which was also approved by the Audit and Risk Committee on 15th July, and should be read alongside the Emergency Resilience Planning and Preparedness (ERPP) plan.

Desired outcome (approval / note / take action): Approval of the Business Continuity Policy.

Which of the risks on the Risk Register or on the Board Assurance Framework does this paper address? (Please provide the relevant reference number.)

BAF 015: Capacity and capability to deliver operational and strategic plans.

NHS Nene Clinical Commissioning Group
Business Continuity Policy

Reader information

Reference: See page 17
Directorate:
Document purpose: Provide guidance on the implementation of Business Continuity Management across NHS Nene Clinical Commissioning Group
Version: DRAFT 0.1
Title: Business Continuity Policy
Author & Lead: Hellen Makamure, GEM Business Continuity Executive
Approval Date: Tbc
Approving Committee: Tbc
Review Date: Xxx 2014
Review Frequency: Yearly
Groups/staff Consulted: Staff responsible for Business Continuity Management in Nene NHS Clinical Commissioning Group
Target audience: All Nene CCG staff
Circulation list:
Associated documents: National DH Guidelines, CCA 2004, British Standard BS 25999, ISO 22301, ISO 22313, ISO (PAS) 22399, NHS England Core Standards for EPRR, NHS England Business Continuity Management Framework
Superseded documents: N/A
Sponsoring Director:

Review History

Version   Date        History
          /05/2014    H Makamure (GEM BC Executive)

Reviewers: This document has been reviewed by:

Name   Title/Responsibility   Date   Version

Related Documents:

Ref No.   Doc Reference Number   Title   Version

Glossary of Terms

Business Continuity (BC): Strategic and tactical capability of the CCG to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management (BCM): A holistic management process that identifies potential threats to the CCG and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management System (BCMS): Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. This includes the organisational structure, policies, planning activities, responsibilities, procedures, processes and resources.

Business Continuity Plan (BCP): Documented procedures that guide the organisation to respond, recover, resume and restore to a pre-defined level of operation following disruption. Typically this covers the resources, services and activities required to ensure the continuity of critical business functions.

Business Impact Analysis (BIA): Process of analysing activities and the effect that a business disruption might have upon them.

Prioritised Activities (PA): Activities to which priority must be given following an incident in order to mitigate impacts. Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.

Civil Contingencies Act (2004) (CCA): Covers the responsibilities for Category 1 and 2 Responders who provide strategic, tactical and operational response in emergencies.

Incident Control Team (ICT): Comprises senior managers/directors who will manage an emergency/disruption/crisis.

Contents

Glossary of Terms
1. Introduction
2. Policy Aim
3. Objectives
4. Scope
5. Processes for Undertaking Business Continuity
6. Business Continuity Management System
7. The Plan-Do-Check-Act Model
8. Understanding the Organisation
9. Determining Business Continuity Strategy
10. Developing and Implementing Business Continuity Management Response
11. Accountability, responsibilities and training
12. Cascade process
13. Risk analysis
14. Incident notification
15. Incident analysis
16. Communications strategy
17. Responsibilities for Communicating with Stakeholders
18. Incident co-ordination facilities
19. Business continuity recovery packs
20. Business continuity plan maintenance
21. Training and awareness
22. Testing
23. Equality impact assessment
24. Legal Liability
25. References

NENE CCG Business Continuity Policy: Draft V2

SUMMARY/POLICY STATEMENT

Nene CCG is legally required to undertake Business Continuity Management to ensure that, in the event of a disruption to its services, appropriate measures are in place to provide continuation of its services whilst limiting the potential for further disruption. This process is ongoing, and it is the responsibility of the Chief Executive and Accountable Officer [CE (AO)] to ensure that Business Continuity Management is undertaken within the CCG.

BCM directly supports corporate governance and the requirement to produce an annual statement on Internal Control by helping to identify the continuity risks to the CCG, providing a clear understanding of roles and responsibilities (accountability) and safeguarding the assets of the CCG (accountability and effectiveness).

This policy provides a framework for establishing and maintaining Nene CCG's BCMS capability to minimise the impact of incidents. It will reflect the nature of Nene CCG, its mission, culture and vision, and will be subject to an annual review.

This policy is built on current good practice and is intended to:
- Improve BCM resilience within Nene CCG.
- Ensure, through the adoption of resilience principles, the continuous operational delivery of critical CCG services when faced with a range of disruptive challenges such as staff shortages, denial of access and failures in key suppliers.
- Help drive Nene CCG's compliance with the CCA and BC regulations.
- Allow a unified and cohesive approach to BCM which parallels ISO and develops a resilient healthcare system.

1. Introduction

1.1 This document sets out the Nene Clinical Commissioning Group Policy for Business Continuity Management. The CCG's ability to provide its services relies on a number of different components, as identified in the Business Continuity Standard BS 25999:2006, which has been replaced by ISO 22301:2012. When individual components begin to fail, service delivery and CCG business outcomes will be affected.

1.2 The Civil Contingencies Act (2004) (CCA) covers the responsibilities for Category 1 and 2 Responders who provide strategic, tactical and operational response in emergencies. Clinical Commissioning Groups (CCGs) are identified as Category 2 Responders and are required by the CCA to cooperate, support and share information with other Category 1 and Category 2 responders during an incident.

1.3 The CQC Regulations and Outcomes (2010), Outcomes 4, 6 and 10, place an emphasis on health and safety for NHS service users, risk mitigation and cooperation with other providers. As such, CCGs are expected to have procedures in place for dealing with emergencies which are reasonably expected to arise from time to time and which, if they arose, would affect the provision of services, in order to mitigate the risks arising from such emergencies to service users.

1.4 Nene CCG is required to undertake Business Continuity Management in accordance with the specification outlined in the International Standard ISO 22301:2012. It is essential that the CCG has mechanisms in place to ensure that continued delivery of service occurs during a disruption.

1.5 Services may be disrupted for a number of different reasons, varying from a shortage of staff due to flu pandemic, severe weather or road fuel shortages; loss of building access due to flooding, fire, bomb threat or terrorist attack; loss of IT; and loss of utilities such as water and electricity. Regardless of the disruption, the communities of Northamptonshire will still require the services of the CCG.

1.6 Nene CCG recognises the potential operational and financial losses associated with a major service interruption, and the importance of maintaining viable recovery strategies.

1.7 During a disruption, it may not be possible for the CCG to continue delivering all of its services in the usual way. All CCG services are important. However, during an incident, services will be maintained based on their criticality and priority to the CCG and the needs of the Northamptonshire community. Plans will be developed to ensure that resources and facilities are available to ensure critical service delivery at the pre-defined agreed level.

1.8 For Business Continuity Management to be successful, it must be an integral component of how Nene CCG manages, develops and improves its services. Responsibility for Business Continuity Management lies with the CCG service areas, to ensure that services continue in the event of a disruption.

1.9 The role of NHS Nene Clinical Commissioning Group is to commission healthcare, both directly and indirectly, so that valuable public resources secure the best possible outcomes for patients. In doing so, Nene CCG will seek to meet the objectives in the NHS Outcomes Framework and to uphold the NHS Constitution.

2. Policy Aim

2.1 The aim of this policy is to establish an appropriate framework to ensure that Nene CCG is able to plan for, prepare for and respond to disruptions to the delivery of its services to the Northamptonshire community.

3. Objectives

a) To identify those responsible for ensuring Business Continuity in the CCG.
b) To identify the key risk areas and ensure appropriate control measures are in place to reduce the severity of an impact on service delivery.
c) To identify the response mechanisms and structures to be established to manage the disruption and the allocation of tasks to recover CCG services.
d) To provide a guideline on the appropriate training and exercising of procedures to be undertaken.
e) To provide assurance to external partners and the Northamptonshire community that the CCG serves of its commitment to service delivery.
f) To ensure external service providers are able to provide assurance to Nene CCG of their ability to continue to operate during a disruption within their own organisation as well as during a disruption within the CCG.

4. Scope

4.1 This policy applies to all staff employed by Nene CCG and for whom this CCG has legal responsibility. For those staff covered by a letter of authority/honorary contract or work experience, the organisation's policies are also applicable whilst undertaking duties for or on behalf of Nene CCG. Further, this policy applies to all third parties and others authorised to undertake work on behalf of Nene CCG. Section 11 of the policy outlines the specific roles and responsibilities of specific CCG staff.

4.2 This policy does not detail the response to a business continuity incident; rather, it sets out the activities for establishing a business continuity capability and its on-going management and maintenance, including planning, development, training and exercising of response arrangements.

4.3 This policy will apply to disruptive events that may impact on Nene's ability to deliver its business objectives as lead commissioner of services such as Kettering General, Northampton General and Northamptonshire HFT, and in other areas where Nene is Associate Commissioner.

4.4 This policy will cover locations occupied by Nene CCG, which is currently Francis Crick House. Should this change, amendments to the policy will be made to that effect.

4.5 Business Continuity incidents can be isolated to Nene; however, they may be part of a wider incident affecting the whole of the Northamptonshire community and CCGs. Planning assumptions must therefore reflect such scenarios and the interdependencies [1] between Nene CCG and other CCGs. There is therefore a need for high-level networking with other CCGs and service providers in order to support Mutual Aid Agreements.

[1] Interdependencies with other CCGs are reflected in Appendix 1, where Nene works with other CCGs.

5. Processes for Undertaking Business Continuity

5.1 Business Continuity is an on-going process. Plans and procedures must be continually reviewed against the changing environment of the CCG. By undertaking Business Continuity Planning, Nene CCG can expect that:
a) Key services are identified, risk assessed and suitable control measures implemented ensuring their continuity;
b) An incident management capability is enabled to provide an effective response;
c) Nene CCG's understanding of itself and its relationships with its stakeholders is properly developed, documented and understood;
d) Staff are trained to respond effectively to an incident or disruption through appropriate exercising;
e) Stakeholder requirements are understood and are able to be delivered;
f) CCG staff receive adequate communication and support in the event of a disruption;
g) Nene CCG's reputation is protected;
h) Nene CCG remains compliant with its legal and regulatory obligations.

6. Business Continuity Management System

6.1 The BCM programme management forms the central component which dictates the CCG's approach to, and governance of, its business continuity programme. This document serves as that structure and will provide assurances and evidence of continuing work with regard to the CCG's commitment to business continuity. Other documentation to be produced to support the business continuity process shall include:
a) Business Impact Analysis (BIA);
b) Risk and threat assessments;
c) Plans:
   - Corporate Business Continuity Plan
   - Incident Management/Activation Plan
   - Recovery Plans
d) Training and awareness programmes;
e) Exercise and debrief reports.

7. The Plan-Do-Check-Act Model

7.1 ISO 22301:2012 applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisation's BCMS.

8. Understanding the Organisation

8.1 Effective planning and response plans must be underpinned by detailed identification and assessment of the criticality of the different services that the CCG provides. This will be achieved by producing a Business Impact Analysis and risk assessments for the CCG services.

8.2 A Business Impact Analysis will identify and document the impact of a disruption to the activities that support the key services of the CCG. The BIA will identify the following:
a) How the impacts would develop over time during a disruption;
b) The interdependencies that are required for the delivery of the CCG service, including staffing, resources and utilities/infrastructure.

8.3 Services identified as having a short maximum tolerable period of downtime are those considered to be critical to the CCG.

9. Determining Business Continuity Strategy

9.1 Business Continuity Strategies will need to be established to identify any further measures required to reduce the likelihood of incidents occurring and/or to reduce the potential impacts of those incidents. The strategy should provide continuity for critical services throughout an incident and give consideration to those not classed as critical.

10. Developing and Implementing Business Continuity Management Response

10.1 Nene CCG will develop a response plan that will detail the arrangements to be followed to ensure continuity of the critical services.

10.2 The scope and potential for disruption to the CCG will vary according to the nature of the incident, requiring varying levels of response. Table 2 outlines the escalation procedure for dealing with incidents.

Table 2: Escalation Procedure

Level   Description                                                                                         Escalation
1       All services are operating normally.                                                                None required.
2       Disruption for a short period of time (affecting 25% of Nene CCG services).                         Utilise Action Cards; escalate if this does not resolve.
3       Disruption to more than 50% of CCG services, affecting the ability to provide critical services.    On Call Director; internal incident declared; CCG Internal Incident Plan/Business Continuity Plan.

10.3 The list below provides examples of what might be considered an event to invoke a BCP. The list is not exhaustive and judgement will be applied in each case:
- loss of workplace, short and long term;
- loss of information and communications technology infrastructure services for up to five days;
- loss of key staff, short and long term;
- significant national or international incident impacting on Nene CCG, such as a pandemic; and
- any requirement as identified by the business impact analysis process.

11. Accountability, responsibilities and training

11.1 In order for Nene CCG to develop a good long-term business continuity capability, it is essential that all staff take on an appropriate level of responsibility. To that end, Nene CCG has identified a Business Continuity Manager to lead on BCMS for the organisation. The CE (AO) for the CCG is ultimately responsible for the ownership of the Business Continuity Management System adopted.

11.2 Individual managers will assess their specific area of expertise and plan actions for any necessary recovery phase, setting out procedures and staffing needs and specifying any equipment or technical resource which may be required in the recovery phase.

11.3 The Business Continuity Manager will be responsible for change control, maintenance and testing of the plan.

11.4 The CE (AO) and Directors of Nene CCG, and their appointed deputies, will hold two hard copies of the Business Continuity Plan (BCP) allocated to them. It is intended that one copy should be located at the holder's home address so it is easily accessible, and the second in the BCP folder at their office base.
The BCP folder will also contain recovery procedures, contacts, and lists of vital materials or instructions on how to obtain them.

11.5 The CCG CE (AO) and the Directors make up the Incident Control Team (ICT). The CCG CE (AO) and Directors are responsible for:
- Implementation of the business continuity policy and standards;
- Review of business continuity status and the application of the policy and standards in all business undertakings;
- Enforcing compliance through assurance activities;
- Provision of appropriate levels of resource and budget to achieve the required level of business continuity competence; and
- Ensuring information governance standards continue to be applied to data and information during an incident.

11.6 All other CCG staff are responsible for:
- Achieving an adequate level of general awareness regarding Business Continuity;
- Being aware of the CCG Business Continuity Policy and its procedures;
- Being aware of the contents of their own business area's business continuity plan and any specific role or responsibilities as set out in the Business Continuity Plan;
- Cooperating in the implementation of incident response plans as part of their normal duties when required to do so;
- Participating actively in the business continuity programme where required; and
- Ensuring information governance standards continue to be applied to data and information during an incident.

11.7 The Nene CCG Business Continuity Incident Control Team (BC ICT) and Business Continuity Manager will be responsible for:
- determining the criteria for implementing the BCP; and
- the overall management of a crisis, providing strategic direction and co-ordination of service recovery plans.

The Business Continuity Manager will:
- deliver training and awareness of the plan; and
- maintain the plan.

12. Cascade process

The BC ICT will provide the immediate management functions required to handle an incident. A cascade structure will be developed to cascade key messages to all staff.

13. Risk analysis

13.1 Nene CCG is not responsible for the direct provision of health services; however, it is responsible for some functions that have a direct impact on providers of health services. Therefore the risks to our stakeholders resulting from a catastrophic incident affecting Nene CCG could be significant.

13.2 Where there is an incident involving the IT infrastructure, the GEM IT Helpdesk should be informed of the affected service and an initial assessment obtained.

13.3 The CCG Business Continuity Manager will work with directorates to develop an asset list of locations, staff and services.

13.4 A series of robust plans and mitigations will be developed for the following priority incidents, and the potential impact will be assessed through appropriate risk analysis:
- unavailability of premises for more than five working days caused by fire, flood or other incidents;
- major electronic attacks or severe disruption to the IT network and systems;
- terrorist attack or threat affecting transport networks or the office locations;
- denial of access to key resources and assets;
- significant numbers of staff prevented from reaching CCG premises, or getting home, due to bad weather or transport issues;
- theft or criminal damage severely compromising the organisation's physical assets;
- significant chemical contamination of the working environment;
- serious injury to, or death of, staff whilst in the offices;
- illness/epidemic striking the population and therefore affecting a significant number of staff;
- outbreak of a serious disease or illness in the working environment;
- simultaneous resignation or loss of a number of key staff;
- widespread industrial action;
- significant fraud, sabotage or other malicious acts; and
- violent incidents affecting staff.

14. Incident notification

The CCG Business Continuity Manager will develop procedures for incident notification and communicate these to staff.

15. Incident analysis

15.1 The response to an emergency incident does not necessarily or automatically translate into the declaration of a disaster and the implementation of a full recovery operation.

15.2 Incidents may cause a temporary or partial interruption of activities with limited or no office damage. It will then be the responsibility of the CCG Business Continuity Manager, in conjunction with the CCG Chief Operating Officer and/or Directors, as available, to evaluate and declare the appropriate level of response.

15.3 The CCG Business Continuity Manager (and CCG CE (AO)/Directors as available) will decide if temporary premises or alternative long-term premises are eventually to be required, and will manage the acquisition.

15.4 The severity of an incident will be identified as follows: small; medium; large; and catastrophic.

15.5 The CCG Business Continuity Manager will develop definitions that classify incidents in accordance with the level of downtime expected.

15.6 The severity level will indicate the urgency of recovering the business service, and also the order in which services should be reinstated.

15.7 In particular, immediately upon notification of an incident involving the IT infrastructure, the GEM IT Helpdesk should be made aware of the affected service and an initial assessment obtained.

16. Communications strategy

16.1 Good communication is essential at a time of crisis. A communications strategy will be developed to ensure there are appropriate statements for internal and external communication, and processes for ensuring communication to all staff in the case of an emergency.

17. Responsibilities for Communicating with Stakeholders

17.1 The Business Continuity Lead is responsible for providing assurances and information to external partners, other CCGs throughout Northamptonshire and staff members.

17.2 The CE (AO) will be responsible for communicating assurances to the Northamptonshire community/commissioned services and the media.

18. Incident co-ordination facilities

18.1 Incident co-ordination facilities will be in place at the CCG location. These will be documented in the CCG BC Plan.

18.2 The BC ICT will state which of these locations is to be used to co-ordinate an incident when notifying managers that an incident has occurred.

19. Business continuity recovery packs

19.1 The CCG Business Continuity Manager will develop disaster recovery packs to be located in each Incident co-ordination facility. Copies will also be held by each CCG CE (AO)/Director at their home.

19.2 The contents of these packs will be checked for completeness and updated regularly, or whenever there is a change in the BCP which may affect their contents.

20. Business continuity plan maintenance

20.1 The CCG Business Continuity Manager will be responsible for ensuring the BCP is reviewed and updated at regular intervals to determine whether any changes are required to procedures or responsibilities. A complete BCP will be distributed annually to each BC ICT member.

20.2 In addition, any unscheduled changes, for example a change to an Incident co-ordination facility, will be conveyed to all areas concerned and updates circulated to each BC ICT member.

21. Training and awareness

21.1 Training is a statutory requirement under the CCA. Once in place, the CCG Business Continuity Manager will identify appropriate levels of training and awareness sessions for all CCG staff to ensure business continuity becomes part of the CCG culture and daily business routines, improving the organisation's resilience to the effects of emergencies.

21.2 The BC ICT will also receive training to ensure team members can perform their role effectively and participate in testing.

22. Testing

22.1 The on-going viability of the business continuity programme can only be determined through continual tests and improvements. The CCG Business Continuity Manager will be responsible for ensuring regular tests and revisions are made to the BCP to ensure it provides the level of assurance required.

22.2 If there is a major change to the role and structure of Nene CCG, plans will be tested and revised once a settling-in period has been achieved, to allow for a confident level of recovery.

22.3 It is vital as part of on-going management for Nene CCG to: test the systems, test robustness, exercise the plans and rehearse staff.

Table 3: BC Testing and Review Schedule

Scope of review                                                                       Frequency                           Responsible Lead
Light touch (Call Cascade): check contact details are up to date and correct          Every 6 months                      NCCG BC Manager
Implementing a change programme                                                       As required                         Service BCM Lead
Formal review: check to ensure that all procedures are current and still applicable   Every 12 months                     NCCG BC Manager
Live exercise                                                                         Every 3 years                       NCCG BC Manager
Post incident/exercise review                                                         After every exercise and incident   NCCG BC Manager

23. Equality impact assessment

23.1 Nene CCG aims to design and implement services, policies and measures that are fair and equitable. As part of its development, this policy and its impact on staff, patients and the public have been reviewed in line with the CCG's legal equality duties. The purpose of the assessment is to improve service delivery by minimising and, if possible, removing any disproportionate adverse impact on employees, patients and the public on the grounds of race, socially excluded groups, gender, disability, age, sexual orientation or religion/belief.

23.2 An equality impact assessment has been completed and has identified the impact or potential impact as: no impact.

23.3 Nene CCG will endeavour to make sure that this policy will support a diverse workforce to continue to deliver the business of the organisation.

24. Legal Liability

24.1 Nene CCG will always assume vicarious liability for the acts and omissions of its staff, including those on honorary contract. However, it is incumbent on staff to ensure that they:
- have undergone any suitable training identified as necessary under the terms of this policy or otherwise;
- have been fully authorised by the ICT to undertake any duties during a disruption;
- fully comply with the terms of any relevant CCG policies and/or procedures at all times; and
- only depart from any relevant CCG guidelines providing always that such departure is confined to the specific needs of individual circumstances.

25. References

BCI (2013). Business Continuity Best Practice Guidelines. London: Business Continuity Institute.
BSI (2012). Societal Security. Business Continuity Management Systems: Requirements. BS ISO 22301:2012. London: British Standards Institution.
BSI (2006). Specification for Business Continuity Management. BS 25999. London: British Standards Institution.
Civil Contingencies Act (2004), c. 36. London: The Stationery Office.
Companies Act (2006), c. 46. London: The Stationery Office.
Health and Social Care Act (2012), c. 7. London: The Stationery Office.
PAS 2015 (2012). Framework for Health Services Resilience.
