Business Continuity Management Policy and Procedure

Transcription

1 Business Continuity Management Policy and Procedure Reference No. P29:2006 Implementation date 30 April 2007 Version Number 2.5 Reference No: Name. Linked documents Emergency Preparedness (Chapter 6), Guidance on Part 1 of the Civil Contingencies Act 2004, its associated Regulations and non-statutory arrangements (HMG 2005), International Requirements Standard BS ISO 22301:2012 P27:2005 Risk Management Policy Policy Section Procedure Section Suitable for Publication Yes Yes Protective Marking Not Protectively Marked PRINTED VERSIONS SHOULD NOT BE RELIED UPON. THE MOST UP TO DATE VERSION CAN BE FOUND ON THE FORCE INTRANET POLICIES SITE.

2 Table of Contents 1 Policy Section Statement of Intent Aim and Rationale Our Visions and Values People, Confidence and Equality Standards Legal Basis People, Confidence and Equality Impact Assessment Any Other Standards Monitoring / Feedback Procedure Section Roles and Responsibilities Critical Functions/Activity and Business Impact Analysis Business Continuity Plans (BCPs) Training, Writing, Testing and Maintenance of BCPs Locations for keeping BCPs Emergencies and Disruptions Recovery General Issues Consultation and Authorisation Consultation Authorisation of this version Version Control Review Version History Related Forms Document History Dorset Police - Business Continuity Management Template Section 2 - Invocation Section 3 Activity Summary Section 4 - Resources required for each activity with Risk Category 3, 4 or Section 5 - Further Actions Section 6 Recovery Plan for all activities identified... 26

3 Appendix 1 - Key Contacts Appendix 2 Incident Log

4 1 Policy Section Not Protectively Marked 1.1 Statement of Intent Aim and Rationale Dorset Police has a statutory duty to deliver effective and efficient policing. Failure to deliver any of these functions could have a catastrophic effect on the communities of Dorset. Business Continuity Management (BCM) will ensure continued provision of the force s core functions and to enhance its ability to withstand any form of disruption. The potential for disruption to these core functions has been identified by Government and is addressed in the Civil Contingencies Act (2004) (Part 1.Para 2(1) (C). The Act requires Category 1 Responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency, so far as is reasonably practical. BCM supports emergency planning and is underpinned by the Force Risk Management policy, providing the framework within which the Force can comply with the Civil Contingencies Act. Aims The Business Continuity Management (BCM) policy aims to: Ensure that critical functions are maintained or reinstated on a risk based approach, as soon as reasonably possible, to meet the force strategic objectives while full restoration of service delivery is planned and implemented. Set out the roles and responsibilities for implementing and maintaining a BCM system that is compliant with the Civil Contingencies Act and is fit for purpose Promote and maintain an awareness of BCM within the force The implementation and maintenance of the BCM system will be based on the following guidelines and standards: HM Government Emergency Preparedness Manual (Chapter 6) International Requirements Standard BS ISO 22301: Our Visions and Values Dorset Police is committed to the principles of One Team, One Vision A Safer Dorset for You Our strategic priority is to achieve two clear objectives: To make Dorset safer To make Dorset feel safer

5 In doing this we will act in accordance with our values of: Integrity Professionalism Fairness and Respect 1.3 People, Confidence and Equality This document seeks to achieve the priority to make Dorset feel safer by securing trust and confidence. Research identifies that this is achieved through delivering services which: 1. Address individual needs and expectations 2. Improve perceptions of order and community cohesion 3. Focus on community priorities 4. Demonstrate professionalism 5. Express Force values 6. Instil confidence in staff This document also recognises that some people will be part of many communities defined by different characteristics. It is probable that all people share common needs and expectations whilst at the same time everyone is different. Comprehensive consultation and surveying has identified a common need and expectation for communities in Dorset to be:- - Listened to - Kept informed - Protected, and - Supported. 2 Standards 2.1 Legal Basis The Civil Contingencies Act 2004 (CCA) requires the Police Service, (as a Category 1 responder) to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions. 2.2 People, Confidence and Equality Impact Assessment During the creation of this document, this business area is subject to an assessment process entitled People, Confidence and Equality Impact Assessment (EIA). Its aim is to establish the impact of the business area on all people and to also ensure that it complies with the requirements imposed by a range of legislation.

6 2.3 Any Other Standards Not Protectively Marked The Business Continuity Management International Requirements Standard (BS ISO 22301:2012) BS ISO 22301:2012 is a standard that specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). It establishes the process, principles and terminology of BCM, providing a basis for understanding, developing and implementing business continuity within an organisation and to provide confidence in business-to-business and business-to-supplier dealings. BCM is defined in BS ISO 22301:2012 as 'a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. 2.4 Monitoring / Feedback The Business Continuity Programme Board and the Business Continuity Co-ordinator have specific roles in monitoring this process, the details of which can be found below in section 3.1 of this document. The role of BC Co-ordinator is held by a Planning Officer in the Operational and Contingency Planning Section (OCPS). The monitoring will be ongoing. Feedback relating to this policy can be made in writing or by to: OCPS, Poole Police Station ocps@dorset.pnn.police.uk Telephone:

7 3 Procedure Section 3.1 Roles and Responsibilities The Police and Crime Commissioner (PCC) and Chief Constable The PCC and Chief Constable are accountable to the public and central government for ensuring that the Force consistently follows the principles of good corporate governance and internal control. They will ensure that a BCM framework is in place to ensure the public receive an efficient and effective policing service in the event of an emergency Assistant Chief Constable (Operations) ACC (Ops) is responsible to the Chief Constable for the BCM programme Business Continuity Co-ordinator (OCPS) Business Continuity Co-ordinator (OCPS) is responsible for the development and implementation of the BCM programme, compliance with the Civil Contingencies Act and ensuring that Emergency Planning and information Systems resilience are co-ordinated in conjunction with the BCM strategy. OCPS will also Provide specialist advice and guidance in respect of BCM issues including the co-ordination, development, implementation and review of business continuity policies, plans and procedures. The Sharepoint BC site will provide a focal point. Interpret the requirements of the Civil Contingencies Act 2004 (CCA) and associated guidance to support business areas and to ensure that these are met. Conduct risk assessments based on current and future threats identified through environmental scanning. Review and develop the template to enable production of the individual plans to a consistent format and structure. Encourage a Business Continuity culture through marketing and the provision of awareness sessions and training to appropriate staff. Liaise with other police forces and external agencies as appropriate in respect of the CCA and in particular with regard to it s overall effect on Business Continuity. Audit compliance with business continuity plans, facilitating tests and providing recommendations and other management feedback as appropriate Operations Board The Operations Board is responsible for setting and monitoring the strategic direction, and management of the BCM implementation. The board is chaired by the ACC (Ops)

8 3.1.5 Commanders, Department Managers and Team Leaders BC plans should be owned by a Supt (or above) (or police staff equivalent). It is the plan owners responsibility to embed Business Continuity Plans (BCPs) into the workplace and ensure exercises are undertaken to develop understanding of the plan and ensure it is fit for purpose. Commanders, department managers and team leaders are responsible for implementing and supporting the BCM policy, developing and maintaining their own BCPs, ensuring sufficient training is given and running exercises where appropriate Police Officers, Police Staff, Extended Police Family, Volunteers and Contractors Police officers, police staff, extended police family, volunteers and contractors are required to maintain all relevant operational business continuity plans as developed ensuring that change management is reflected in the living documents and understand all requirements and responsibilities as detailed in the plans. 3.2 Critical Functions/Activity and Business Impact Analysis Critical functions/activities defined by National Police Chiefs Council (NPCC) are: Call Handling Command and Control Response Policing Community Policing Crime investigation Major Incident Response Public Order Custody Security and Protection Health Safety and Welfare of Staff (including training) Criminal Case Progression and Management Communications (internal and external) and Media Handling What are Dorset Police s Critical Activities? Dorset Police will adopt those functions/activities as defined by NPCC (see above) BS ISO 22301:2012 defines Critical Activity as:- those activities whose loss, as identified during the Business Impact Assessment, would have the greatest impact in the shortest time and which need to be recovered most rapidly may be

9 termed critical activities. Whether an activity is critical will be established by conducting a Business Impact Assessment (BIA) Business Impact Assessment (BIA) and Business Continuity Plan (BCP) All areas of police business will conduct a Business Impact Assessment (BIA) and subsequently develop a Business Continuity Plan (BCP). This is achieved by each Command Area/Department: Identifying all its activities. Categorising these activities in terms of criticality Developing and maintaining plans for the purposes of ensuring, so far as reasonably practicable, that the Force is able to continue to exercise its functions in the event of an emergency or disruption. 3.3 Business Continuity Plans (BCPs) Peel Template 1 In order to conduct a BIA and develop a BCP, the Peel template found at Appendix A will be used. Correct completion of this template amount to a BIA and forms the basis of a BCP. The Peel template includes a standardised process by which each activity s criticality can be measured. Furthermore, this template is designed to facilitate an ongoing programme of review, development and recording of exercises. It enables compliance with current good practice, guidance and legislation Generic and Specific Plans A generic plan is a core plan which provides a response to a wide range of possible scenarios and disruptions. These generic plans can form part of specific plans for dealing with particular risks, sites or services. 3.4 Training, Writing, Testing and Maintenance of BCPs Maintenance The Force Operational and Contingency Planning Section (OCPS) is responsible for the policy, guidance and the Force BCP template and will review and update it on an annual basis. Command areas and departments are responsible for the writing, training and exercising of their own plans and any changes to these plans must be notified to the OCPS. Distribution of the completed plans will be by intranet only and classified as restricted Exercising and Maintaining of Department Plans All plans will be exercised annually followed by a de-brief. (Real incidents amount to an exercise and may obviate the need to conduct an exercise). OCPS will be informed prior to any planned exercise in order to assist and monitor where necessary. All learning points raised during debriefs relevant to other departments will be published on SharePoint and it is the manager s 1 Template based upon that devised by George Cooper of Northamptonshire Police / Vista Training.

10 responsibility to update their plans if the learning points are relevant to their department. All plans will be reviewed annually by the plan owner unless due to their role it is required to be reviewed six monthly Debriefing After any plan invocation, whether local or Force level, a debrief will be held. The manager responsible for the invocation will be responsible for arranging a debrief. A hot debrief may occur during and will occur immediately after normality has been returned. A formal structured debrief will be held where the invocation has Force wide / national implications 3.5 Locations for keeping BCPs Storage Plans will be kept in the following locations Hardcopy: Electronically: Appropriate locally arranged sites, available to those who will need access (individual plans only) Force Command Centre SharePoint BC site W-drive under the folder BusinessContinuityPlans (W:\BusinessContinuityPlans) Local Police station drives, (precise addresses advised by IS) 3.6 Emergencies and Disruptions Invocation Invocation will proceed in accordance with the flow chart found within the Peel Template (appendix A) Initial Response Phase If there is a significant risk to the continuance of critical and essential police functions, the Gold, Silver and Bronze command structure will be invoked. Gold should consider assigning a Silver commander dedicated to Business Continuity. This would be in addition to the Silver commander dealing with the incident giving rise to the disruption. Gold should also consider invocation of the Business Continuity Team (BCT), reporting to the dedicated BC Silver.

11 3.6.3 Business Continuity Team (BCT) The BCT will comprise representatives of each affected department who are familiar with the daily functions of the respective area of business. This would ideally be a supervisor in the team and the BCP writer or manager. Using their BCPs, members of the BCT will be able to quickly identify the critical activities affected by the emergency or disruption and the contingencies in place The BCT s overall responsibilities are: Evaluating the extent of the situation and the potential consequences. Providing the Force with reports of the scale / impact on normal service of the incident. Logging the decisions made. Authorising recovery procedures in order to maintain its strategic critical functions. Liaising with users and stakeholders. Disseminating information through the media Ordering and acquiring new or replacement equipment. Maintaining financial information i.e. costs incurred. Organising the return to normality (or new normality) after the incident response phase has concluded Command and Control The invocation of a BCP is likely to run in tandem with a major incident. The Incident Commander and the Business Continuity Manager must agree their respective roles and responsibilities. These will depend upon the nature of the incident. The agreed responsibilities should be appropriately communicated to the force, (e.g. Intranet) to ensure all staff are aware of the individuals involved in the various processes Recording of Information/Decision Logs For the purposes of debrief, inquiry or legal proceedings all teams should ensure: Their decision/actions are recorded / logged. Where mobile phones are used and not recorded, the content of the conversations should be recorded where possible or use alternative means of communication i.e. airwave point to point. The completed forms and any original documentation should be kept securely.

12 3.7 Recovery Recovery It is important in the planning stage and during the invocation process to identify the implications for the departments, following the rectification of the problem that led to the invocation of the plan. Part of this will include Identifying that all the department s systems are fully functioning again Communicating the restoration to stakeholders / agencies, Identifying the potential for corrupted data in the dept s processes as a result of the incident and the process for overcoming this Inputting the backlog of information that has been recorded on paper during any outage. Identifying the financial implications on the department(s) Taking part in relevant debriefing processes to identify any learning points and update the plans 3.8 General Issues Finance Auditable records of all additional expenses incurred during the incident or recovery phase will be kept Welfare, Health and Safety, Crisis Care Management, Staff Associations Managers should carefully monitor staff for signs of stress and arrange periods of rest and counselling if necessary. An incident of this magnitude is likely to put increased demands on staff involved or who are asked to work long hours in difficult conditions with the resulting disruption to their personal routines. Similarly regard must be had for the working hours of commanders, whose decision making capability cannot be seen to be compromised by fatigue. Close liaison must be maintained with the force Welfare Support Dept concerning the additional psychological support that may be required by those involved. Staff associations and UNISON should be kept informed Health and Safety Care should be taken to manage any additional risks created by staff performing roles they do not normally do during the incident or its aftermath Special Constabulary Departments who have special constabulary officers who are also police staff are requested to release them where possible to support the force in the critical functions unless they are already performing such a role.

13 4 Consultation and Authorisation 4.1 Consultation Version No: Name Signature Date Police & Crime Commissioner Police Federation Superintendents Association UNISON Other Relevant Partners (if applicable) 4.2 Authorisation of this version Version No: 2.5 Name Signature Date Prepared: T Taylor-Habgood (8880) 14/04/16 Quality assured: Authorised: ACC Lewis 18/4/16 Approved: 5 Version Control 5.1 Review Date of next scheduled review Date: 17 May Version History Version Date Reason for Change Created / Amended by 1.0 Initial Document Mr G Brazier 2.0 1/6/11 Review of policy and Sgt 713 R Niemier implementation of new template /9/13 Interim Review. Review and update T Taylor-Habgood (8880) of policy due to change in standard from BS to BS ISO 22301: /03/14 Review of policy and minor template change within Invocation of Plan including new diagram T Taylor-Habgood (8880)

14 2.3 04/03/15 Review of policy. No changes required /03/15 The policy has been reviewed in preparation for NICHE (RMS) implementation (April 2015) no changes necessary /04/16 Review of Policy. Changed ACPO reference to NPCC T Taylor-Habgood (8880) Policy Co-ordinator (6362) T Taylor-Habgood (8880) 5.3 Related Forms Force Ref. No. Title / Name Version No. Review Date 5.4 Document History Present Portfolio Holder ACC Lewis Present Document Owner Tanya Taylor-Habgood 8880 Present Owning Department OCPS Details only required for version 1.0 and any major amendment ie 2.0 or 3.0: Name of Board: Operational Commanders Board Date Approved: Chief Officer Approving: ACC Glanville chair of Operations Board Template version January 2013

15 Dorset Police - Business Continuity Management Template Critical Functions 1. Call Handling 2. Command & Control 3. Response Policing 4. Community Policing 5. Criminal Investigation 6. Major Incident Response 7. Public Order 8. Custody 9. Security & Protection 10. Health, Safety & Welfare of Staff 11. Criminal Case Progression & Mgmt 12. Communication & Media Handling Plan details Area Department Plan Owner Plan Manager Plan Writer Version No. Version Date Plan review details Date of next review Version Control Version Date Author Reason for change The document signatory is responsible for informing all staff of its content, exercising this plan to confirm that it is still fit for purpose and maintaining it in relation to contact details. Records of where business continuity has been embedded into the department will be required during an audit process including minutes of meetings and the risk management process. It is expected the plan will be discussed at management meetings on a regular basis. The BC co-ordinator shall be informed of any invocation and lessons identified, planned exercises and any BC risks that may become organisational issues. OCPS reserves the right to exercise the plan without warning. Signature Plan Owner Date Based on Template designed by George Cooper of VistaTraining

16 Contents Section 1 page 2 Introduction Section 2 page 3 Invocation Procedure and Risk Assessment Criteria Section 3 page 5 Activity Summary (including any contingency arrangements) Section 4 page 6 Resource Summary Section 4.1 page 6 People Section 4.2 page 7 Equipment / Facilities Section 4.3 page 8 Documentation Section 4.4 page 9 Suppliers Section 5 page 10 Further Action Section 6 page 11 Recovery Plan Appendix 1 page 12 Contact Details Appendix 2 page 13 Example Incident Log Section 1 - Introduction Department role Please provide a brief description of what the department does: Staff resources day to day Police Officers Chief Inspector & above Inspector Sergeant Constable Managers Staff PCSO Police Staff Department core hours If other, please give details 24hour Mon-Fri Other

17 Section 2 - Invocation Invocation of plan The plan will be implemented in accordance with the Force Overarching Business Continuity Guide. The level of invocation will be determined by assessing the potential impact of the incident using the criteria defined in the Risk Assessment as described in the following diagram. Who is responsible for invoking the plan, and who should be consulted? Where the expected impact of the disruption is likely to fall into category 1 or 2 invocation of the plan and management of the incident will be the responsibility of **(insert title of senior departmental manager)** or in their absence **(insert title of deputy manager)**. If no departmental manager is available the Force Incident Commander (FIC) will be informed. If the expected impact is likely to fall into category 3 the FIC will be informed who will be responsible for the invocation of the plan and management of the incident, referring upwards and / or invoking a separate command structure as appropriate. What procedure is required to invoke the plan? Once the plan is invoked the staff that work in the area affected will be contacted, if not already aware, and asked to either remain on standby and be contactable by mobile phone or other means, or to report to an identified place. The managers of the department will have the current contact details of the staff with them as point of reference in case of IT failure. The manager of the department should also ensure that, where appropriate, any key stakeholders, as listed in section 3, are informed of the incident in order to minimise any impact on them.

18 Risk Assessment Category Potential or real impact assessment Consequence of Non Delivery Insignificant (1) Useful (2) Significant (3) Essential (4) Critical (5) No impact on the performance of any department Minor internal disruption to the department No specialist personnel issues Activity recovered within 30 days No impact on the organisation s service delivery Minor impact on the performance of the department Minor specialist personnel issues, but easily resolved Activity to be recovered within 14 days Potential for complaints from individuals Potential limited impact on the organisation s service delivery Internal performance disruption on one or more departments; department may require assistance from one another Activity must be fully recovered within 2-3 days Potential financial loss in excess of 50,000 Potential for adverse local publicity in an ongoing nature or effecting local opinion Potential for significant injuries or ill health Significant impact on the organisation s service delivery in one or more areas Significant impact on the performance of several departments Activity would require in force mutual aid assistance Full recovery must occur within 12 hours Potential loss in up to 2 million Potential for adverse national publicity or local publicity on a persistence nature affecting the local community Potential for fatality or serious injury to an individual Potential for major claims which would be outside the insurance cover Major impact on the organisation s service delivery in one or more areas Inability to effectively integrate with other key stakeholders Inability to meet critical service level demands Activity would rely on external mutual aid Major specialist personnel issues no resources/no resilience Recovery must occur within 1 hour Potential loss in excess of 2 million Will attract adverse national publicity or local publicity on a persistence nature affecting the local community Potential for fatality of one or more or serious injury to several people Potential for major claims which would be outside the insurance cover Insignificant Minor Moderate Significant Catastrophic Location Codes A copy of the most recent Property List and Location Codes as maintained by Dorset Police Estates and Building Services can be found on the Business Continuity Management SharePoint site under Documents. A hard copy of this list should be printed and retained with BCP at each BCP review.

19 Critical functions it supports 3 Risk Category 1 Activity No Section 3 Activity Summary Activity 2 Does the activity depend on, or influence the activities of other departments within the force or external agencies? If YES, list the departments 5 Contingency Arrangements 6 (To cover people, facilities, systems, suppliers, or any other arrangements) all activities should be risk assessed using the criteria in Section 2 list activities with highest scorings first in descending order 3 Any activity directly supporting a critical function should be scored 5 4 Recovery Time Objectives (RTO) should indicate the priority/timescale to restore a process to minimum service levels (for category 3, 4 or 5 activities only the remainder can be left blank). 5 the Risk Assessment should take into consideration the effect on any interlinked departments or outside agencies 6 contingency arrangements should include any actions that can be implemented locally - i.e. relocation to other premises, transfer of work to other department, manual workarounds - whether agreed or identified as the potential for good practice.

20 Activity No Not Protectively Marked Section 4 - Resources required for each activity with Risk Category 3, 4 or People Minimum number of staff required to start/maintain activity and rank if necessary Specialist skills/ training required by staff Can staff from outside the department support this activity and if yes, where from SPOF 1 Police Officers Police Staff Dept / Organisation 1 are any of these people regarded as a Single Points of Failure (SPOF)

21 Location Code (s) 2 Activity No 4.2 Equipment Not Protectively Marked Standard Equipment 3 Specialist Equipment 4 IT Software 5 Vehicles required6 SPOF 1 1 is any of this equipment regarded as a Single Points of Failure (SPOF) 2 location codes are listed in Section 2 3 identify number of workstations, phones, faxes, desktop or laptop computers, printers and any other standard IT hardware required 4 identify any specialist equipment required i.e. scanner, A3 printer etc 5 identify any software required over and above Generic Force Systems (Microsoft Word and Excel, , Forcenet, H drive and W drive) 6 identify liveried or unmarked and any specialist vehicle required

22

23 Activity No 4.3 Activity Documentation Not Protectively Marked Essential Documents/Records 2 Where are these stored? 3 How are they accessed? SPOF 1 1 is any of this documentation regarded as a Single Points of Failure (SPOF) 2 technical manuals, emergency plans etc 3 identify locations of physical documentation/records and locations on Force IT systems

24 Activity No 4.4 Supplier Details Not Protectively Marked Supplier Services Provided Essential Supplier Documents/Records 2 Where are these stored? 3 SPOF 1 1 are any of these suppliers regarded as Single Points of Failure (SPOF) 2 technical manuals, emergency plans, maintenance contracts etc 3 identify locations of physical documentation/records and locations on Force IT systems

25 Section 5 - Further Actions Actions arising as a result of any of the above Activity No Action Owner Timescale Have any Single Points of Failure (SPOF) been identified? Activity No What is the nature of the SPOF? Logged on Departmental Risk Register? Logged on Force Risk Register? Date to be reviewed? Exercises List any exercising of the plan with appropriate debrief information. This information should also be added to the Testing & Exercising page which can be found on the Business Continuity Management site on SharePoint Date Exercise Description Debrief Information Any other information that will assist in the implementation of this plan

26 Section 6 Recovery Plan for all activities identified Identify and develop a plan for dealing with any additional work that may be required once the cause of the invocation of the plan has been rectified in order to minimise any adverse effect on the restoration of day-to-day operations. Areas for consideration might include: - Inputting paper based information created as a result of the loss of I.T. Testing of systems to ensure that they are functioning normally Verifying information held on systems to identify any lost or corrupted data. Correction of any errors discovered Prioritised clearance of any backlogs of work that was suspended during the incident Notification of dependent departments, external agencies, suppliers etc.

27 Appendix 1 - Key Contacts Single Point of Contact These details are required in case of Forcewide IT failure and must be staffed during the normal working hours of the department. Extension No. or full mobile phone number and mobex Fax No. Department Airwave No. (if applicable) Key Departmental Contacts Name Title Telephone No. / Extension Mobile Mobex Airwave Other Key Contacts This should include any stakeholders, dependent departments or suppliers identified in Section 3. Name Stakeholder / Supplier Telephone No. Mobile Mobex Airwave

28 Appendix 2 Incident Log Department: Item No Time Details of Issue Action Taken / Decision Made Signature Date: