Business Continuity Management Policy. Guidance

Transcription

1 Management Guidance Document Type: Guidance Parent Policy: Management Policy Policy Owner: Chief Supt Department: Document Writer: Co-ordinator Effective Date: 12 th March 2015 Review Date: 12 th March Guidance Aim 1.1 The aim of this document is to provide guidance on the procedures that provide detail of the responsibilities, processes and structures for delivering effective Management. 2. Objective 2.1 The objective is to manage business disruptions in a way that reduces their impact on the organisation to an agreed acceptable level and ensure the continued provision of the Force s critical services. North Wales Police Critical Services have been identified as follows: 1. To maintain effective communications both with the public and with staff 2. To answer all 999 calls 3. Maintain the ability to deal with and respond to immediate & priority incidents including major, critical and emergency incidents 4. To provide effective command and control of incidents 5. To provide custody facilities and associated criminal justice functions 6. Maintain critical IT service 3. Introduction 3.1 The Civil Contingencies Act 2004, places a statutory duty on the police to have Management (BCM) in place to ensure continued service delivery of essential services. BCM is also a regulatory requirement for compliance with the ACPO Community 002/3.0 Page 1 of 10

2 Security Policy and an integral part of the Force s risk management framework. 3.2 North Wales Police has aligned its BCM arrangements with International Standard ISO This sets out the process and principles of BCM and enables the Force to measure its BCM capability in a consistent and recognised manner. 3.3 The boundaries of the BCMS as implemented within North Wales Police are defined within the document entitled Context, Requirements and Scope (Appendix 1). 4. or Major Incident 4.1 All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. BCM provides the capability to adequately react to operational disruptions, while protecting the welfare and safety of staff. 4.2 However, it is important not to confuse BCM with the Force s operational response to major incidents. BCM focuses on internal issues to maintain the Force s organisational capabilities, whereas the Force s response to major incident focuses on external events. 5. External Suppliers 5.1 It is essential that suppliers of products or services that are critical to North Wales Police are able to deliver acceptable levels of service during a disruption that affects either the force or the supplier themselves. Please see the document entitled Supplier Business Continuity Evaluation Process, (Appendix 3). 6. Support & Training 6.1 Individuals who have responsibility for BCM will receive awareness training and support from the force Co-ordinator. This training will ensure that individuals have the knowledge to deliver and exercise an effective Plan (BCP). They will receive support and guidance throughout the year, particularly when a Plan is to be reviewed annually. 6.2 The skills required to ensure business continuity will be determined and reviewed on a regular basis together with an assessment of existing skill levels within North Wales Police. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place. 6.3 Records relating to business continuity support and information provided to relevant staff will be maintained by the Co-ordinator. 002/3.0 Page 2 of 10

3 7. BCM Process 7.1 BCM is proactive and concentrates on everything needed to continue the critical business processes in the event of an interruption. It focuses on the effects and not the cause of the disruption. 7.2 The relevant stages are: Policy & Programme Management - The Force s BCM Programme will provide a clearly defined and documented process for the coordination and governance of all BCM activity Embedding BC - BCM will become an integral part of the Force s strategic and day- to-day management activity by the introduction of awareness and training. This will be a continuous process Analysis The Force will identify all key business processes and activities, including interdependencies and other influences that might impact on them. These will be assessed and prioritised to enable the focusing of resources to ensure that the most critical are restored promptly in the event of a disruption Design - Having established its priorities the Force will identify and choose options for continuing the Force s critical processes and activities after an incident, to an agreed minimum level Implementation - Plans will provide an effective, predefined and documented framework and process to respond to disruptive incidents affecting the Force s critical processes and activities Validation No matter how well designed and thought out a BCP is, it must be exercised to ensure its effectiveness. Maintenance and auditing are essential to ensure the compliance with the standards 002/3.0 Page 3 of 10

4 adopted by the Force. The Force will continually review its arrangements and test the plans on an annual basis. 8. Policy and Programme Management 8.1 A fundamental element of the BCM Programme is the need to continually monitor, evaluate and assure its performance. Areas and Departments should ensure their plans meet the required standard by regularly measuring them against the Force s policy and guidance. 8.2 The force will ensure that its BCM arrangements are aligned with BCM International Standard ISO The Deputy Chief Constable is responsible for Executive oversight of the BCM programme. 9. Embedding 9.1 An essential element of developing a successful BCM is the proactive support of Senior Management. By demonstrating commitment and playing an active role in the BCM process they can ensure its successful implementation. 9.2 Service Leads and Department Heads should seek to develop a BCM culture in their Area or Department by: Giving proactive support to the BCM process. Encouraging training and awareness in BCM. Ensuring ownership of BCM. Demonstrating a commitment to the annual programme of audit, maintenance and review of BC Plans. Communicating the importance of BCM to all staff and clarifying their roles and responsibilities 9.3 The Force BCM Roles & Responsibilities are listed in the document entitled Management Roles, Responsibilities and Authorities at Appendix 2. However, two critical roles are detailed below: BCM Recovery Team Member Each BCP will include detail of the key personnel who would make up the BCM Recovery Team should a significant disruption occur The BCM Recovery Team should reflect all the processes and activities undertaken by the area or department The role of the recovery team is to : Assess the Impact of the Event or Occurrence on the District or Department and its ability to continue activities that support any of the Force Critical Functions 002/3.0 Page 4 of 10

5 Prioritise Departmental activities that support any of the Force Critical Functions Prioritise the allocation and distribution of resources Delegate authority Determine recovery timescales In the event of the Plan being invoked the BCM Recovery Team Leader will co-ordinate the responses and provide general support and instruction to those involved in the response. TheLeader of the BCM Recovery Team will provide a link to the Service Lead or Head of Department Whilst the Force is not prescriptive in who should conduct which role in the BCM Recovery Team, the Team Leader should have appropriate seniority and authority to be accountable for BCM implementation Appendix 5, Management (BCM) Recovery Team Procedure provides full details of the procedure to be followed by the BCM Recovery Team, the process for activating the team and the roles to be considered for the team Single Point of Contact (SPOC) The SPOC, has responsibility for the ongoing administration and maintenance of the BCM arrangements, including exercising, auditing and amending the plan, at an area or departmental level. The BC SPOC will liaise with and be supported by the Co-ordinator. 10. Analysis 10.1 Identifying Critical Business Processes The key to understanding the organisation is to identify the key business processes. This must be completed annually or on any occasion there is a significant change to business processes The objective of this stage is to identify and, using the Business Impact Analysis template, rank in priority order the critical processes and activities Business Impact Analysis (BIA) The BIA process will enable process owners to:- Identify key business activities Assess the impact of disruption to those activities Identify the Maximum Tolerable Period of Disruption (MTPD) and Recovery Time Objective (RTO) Define requirements (people, staff, estate, IT, equipment, dependencies) 002/3.0 Page 5 of 10

6 Identify impacts of disruption of this activity elsewhere in the organisation and externally Identify any single points of failure Assess business continuity risks and any action required to be taken Full details of the BIA process appear in the document entitled Business Impact Analysis Process, Appendix During the planning stage consideration ought to be given to the impact of clearing any backlog which develops during the disruption The BIA identifying the critical processes and the recovery prioritisation list must be submitted to senior management of department or division, for approval and sign off. 11. Design 11.1 The BCM options to be considered are those alternative methods and workarounds that enable the minimum level of service delivery. An example would be reverting to manual when IT is disrupted or moving to an alternative site. Alternative options might be required for the following resources: People; Workspace; Information & Communications Technology; Equipment / Resources: Critical Information / Documentation: Resources supplied by third parties / internal contracts It is crucial that the selected BCM options Ensure employee safety; Protect the viability of the organisation; Reduce or mitigate exposures, confusion or chaos; Position the organisation to respond to a disruption The options should be realistic. Consideration must be given to the challenges that staff will face during a disruptive event. The aim is to provide the minimum level of performance necessary, in the event of a significant disruption Options are required for three phases: 002/3.0 Page 6 of 10

7 Planning Phase Primary Goal Trigger Time Frame Emergency Response (Immediate) Continuity Response (Interim Processing) Recovery Procedure (Restoration) Protect life and property Resume critical processes and activities & suspend non critical functions The staged return to pre-disruption levels of operation or improved capability Initial disruption Completion of emergency response phase End of emergency, runs in parallel with the continuity response 0-24 hrs hrs (or until critical processes restored) 72 hrs 1wk (or until processes restored) 11.5 If specific reciprocal arrangements have been made regarding relocation to a back up site these should be clearly documented and signed off by both parties. The agreement should specify the terms of access, accommodation, transfer procedures, equipment, timescales, cost reimbursement and any constraints or special conditions, as well as any other mutual arrangement. 12. Implementation 12.1 Plans (BCPs) A BCP template has been developed for use throughout the Force. The completed plan should be flexible enough to enable responses to a wide variety of potential generic disruptions. The Full BCP template can be found in the Plan document at Appendix The BCP should always be based on the worst-case scenario, i.e. a major disruption will happen at the worst time on the worst day possible BCPs should be simple but comprehensive. Once an emergency situation develops no-one has the time to wade through page after page of instructions or endless lists of contacts or equipment inventories. The plans should be concise and practical, but at the same time provide the reader with enough information to understand and carry out their task There are a number of approaches that may be considered to address a business continuity requirement. These include: 1. Full availability plan to ensure that no impact is felt as a result of a major incident 2. Recovery within RTO business processes are restored within a time identified as being acceptable 3. Do nothing no attempt at recovery is made The approach that is adopted for each critical activity will depend primarily upon the impact of the activity not being available and the cost of providing the desired level of protection. 002/3.0 Page 7 of 10

8 The development of the plan does not signify the end of the BCM process. The process is dynamic. Nor does the plan provide BCM competence or capability, but rather it provides the approach to an effective capability to respond/recover SPOCs are responsible for version control of the completed BCP and providing a copy to the Coordinator, annually or after every amendment. The template can be obtained from the Co-ordinator Copies of the BCP and essential equipment required for its implementation should be stored off site Consideration should be given to establishing a grab-bag containing all information and portable equipment required in the early stages of a disruptive incident, which could be accessed in the event of an incident or easily transported to another site, if circumstances dictate. Content might include BCP, documentation for manual processing, IT back-up and recovery arrangements, staff lists, relocation maps etc BCPs Invocation & Escalation Procedure The detection of an event that could result in a critical disruption of service provision is the responsibility of whoever first discovers or receives information about an emergency situation Any member of staff who reasonably believes that such an incident has occurred or is likely to occur, shall immediately notify their supervisor and / or the Force Incident Manager (FIM). The SPOC should also be informed. Appendix 5 sets out the full process for activation of a BCP The apparent scale of the disruption will determine the notification procedure required. For example, a disruption may begin at a station but escalate to having implications for the Force In every case the responsible supervisor/manager, supported by the BC SPOC will conduct an initial assessment and notify the BCM Recovery Team Leader. If necessary the BCM Recovery Team Leader will authorise the call out of the remaining team members (see Appendix 5 for more information) In the event of a disruption or a near miss the SPOC has a responsibility to complete the governance report detailed at Appendix /3.0 Page 8 of 10

9 13. Validation 13.1 Exercise Programme Exercising allows the evaluation of the plan, identifying any gaps or weaknesses. It provides an opportunity for key personnel to rehearse and gain familiarity with the processes A schedule of testing and validation for High Priority Activities will be co-ordinated by the Co-ordinator, working with the BC SPOCs BC SPOCs, supported by the Co-ordinator, will manage the testing and validation of the BCPs for Medium Priority Activities There should always be some form of objective observation to any test as well as a formal debrief session. Staff taking part should be aware it is a test on the first few occasions they are run but unannounced tests may be run once there is a level of familiarity. It is not necessary to test a whole plan; sometimes parts of a plan can and should be tested. There are different types of tests from a desktop walkthrough to a full blown real-time exercise. The latter may involve shutting down some systems or closing buildings. If this is done duplicate facilities and functionality should have been put in place, to ensure that a testing procedure doesn t itself become a crisis or detrimental event to our service provision There are a number of fundamental principles that will be adhered to in creating and implementing a schedule of testing of business continuity plans in accordance with the ISO22301 standard for business continuity. These are: The tests must be based on appropriate scenarios that are well planned with clearly defined aims and objectives Taken over time they must validate the whole of the organisation s business continuity arrangements The exercise programme should be a progression of exercise types, each one building on the lessons of the previous exercise, finally culminating in a full test of the BCP Disruption to business operations should be minimised Post exercise reports should be produced They should be reviewed and improvements identified They must be conducted at planned intervals and upon significant change within the organisation or its operating environment As part of the BCMS each test that is carried out will be planned in detail on an individual basis and a post-test report produced in 002/3.0 Page 9 of 10

10 accordance with the above principles. Relevant templates can be obtained from the Co-ordinator Maintenance & Review Service Leads and Heads of Departments are responsible for the maintenance of their BCP and should ensure that: BCM is a standing item on the agenda for Senior Management Team Meetings; BCM is included in the BCU or Department s formal induction process; BCM should be aligned to the Risk Management arrangements; The SPOC regularly reviews the currency of the BCP and revises it as necessary; The components of the BCP are tested regularly and the full plan annually; BCU/Departmental BCM is subject to local audit by the BC SPOC; Governance Reports are forwarded to the Force BC Coordinator. 002/3.0 Page 10 of 10