Business Continuity Policy. Interim Governance Consultant. October Greenwich Executive Group

Transcription

1 Business Continuity Policy Author(s) Interim Governance Consultant Version 1.1 Version Date October 2016 Implementation/Approval Date October 2016 Review Date October 2017 Review Body Greenwich Executive Group Policy Reference Number 021

2 Version Author Date Reason for review 1.0 Hellen Makamure July 2015 New Policy: Statutory Requirement 1.1 Anna English October 2016 Address updated to The Woolwich Centre Greenwich CCG Business Continuity Policy Page 2 of 16

3 Glossary of Terms Term Acronym Definition Business Continuity Business Continuity Management Business Continuity Management System Business Continuity Plan Business Impact Analysis Civil Contingencies Act Incident Control Team BC BCM BCMS BCP BIA CCA ICT Strategic and tactical capability of the CCG to continue delivery of services at acceptable predefined levels following a disruptive event. A holistic management process that identifies potential threats to the CCG and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities. Part of the overall management system that establishes implements, operates, monitors, reviews, maintains and improves business continuity. This includes the organisational structure, policies, planning activities, responsibilities, procedures, processes and resources. Documented procedures that guide the organisation to respond, recover, resume and restore to a predefined level of operation following disruption. Typically, this covers resources, services and activities, required to ensure the continuity of critical business functions. The process of analysing activities and the effect that a business disruption might have upon them. Covers the responsibilities for Category 1 and 2 responders who provide strategic, tactical and operational response in emergencies. Comprises of senior managers/ directors who will manage an emergency/ disruption/ crisis International Organisation for Standardisation ISO The International Standard for business continuity management systems providing guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise. Prioritised Activities PA Activities to which priority must be given following an incident in order to mitigate impacts. Terms in common used to describe include: critical, essential, vital, urgent and key Greenwich CCG Business Continuity Policy Page 3 of 16

4 Contents Page Contents Glossary of Terms... 3 Contents Summary Introduction Aim Objectives Scope Processes for Undertaking Business Continuity Business Continuity Management System (BCMS) The Plan- Do-Check-Act Model Understanding the organisation Developing and Implementing BCM Response... 9 Figure 3: BC Incident Escalation procedure Accountability and Responsibilities Cascade Process Risk Analysis Incident Notification and analysis Communication Responsibilities for Communicating with Stakeholders Incident coordination facilities Business Continuity Recovery Packs BC Plan maintenance Training and awareness Testing Review Monitoring/Audit Sources of Evidence Appendix 1 - Equality & Equity Impact Assessment & EDS2 Checklist Greenwich CCG Business Continuity Policy Page 4 of 16

5 1. Summary Greenwich CCG is legally required to undertake Business Continuity Management (BCM) to ensure that in the event of disruption to its services, appropriate measures are in place to provide continuation of its services whilst limiting the potential for further disruption. This process is on-going and is the responsibility of the Chief Officer who is also the Accountable Officer (AO), to ensure that Business Continuity Management is undertaken within the CCG. BCM directly supports corporate governance and the requirement to produce and annual statement on Internal Control by helping to identify the continuity risks to the CCG, providing clear understanding of roles and responsibilities (accountability) and safeguarding of the CCG s assets. This policy provides a framework for establishing and maintaining Greenwich CCG BCMS capability to minimise the impacts of incidents. The BCM policy will reflect the nature of Greenwich CCG, its mission, culture and vision and will be subject to an annual review. This policy is built on current good practice and is intended to: Improve BCM resilience within Greenwich CCG Ensure through the adoption of resilience principles, the continuous operational delivery of critical CCG services when faced with a range of disruptive challenges such as staff shortages, denial of access and failures in key suppliers Help drive Greenwich CCG s compliance with the CCA and NHSE Assurance Framework Allow a unified and cohesive approach to BCM which parallels with ISO22301 and develop resilience within the CCG 2. Introduction This document sets out Greenwich CCG s policy for Business Continuity Management. The CCG s ability to provide services relies on a number of different components as identified in ISO22301:2012. When individual components begin to fail, service delivery and CCG business outcomes may be affected. For BCM to be successful, it must be an integral component of how Greenwich CCG manages, develops and improves its services. The Civil Contingencies Act (2004) covers the responsibilities of Category 1 and 2 responders who provide strategic, tactical and operational response in emergencies. Clinical Commissioning Groups are identified as Category 2 responders and are required by the CCA to cooperate, support and share information with other Category 1 and 2 responders during an incident. Services may be disrupted by a number of different reasons varying from A shortage of staff possibly due to pandemic flu, severe weather etc. Road fuel shortages Rail transport strikes Denial of access to CCG building/ premises due to flooding, fire, bomb threat and terrorist attacks Loss of IT / cyber-attacks and Loss of utilities such as water and electricity. Greenwich CCG Business Continuity Policy Page 5 of 16

6 Regardless of the disruption, the London community served by Greenwich CCG will still require services. It is essential that the CCG has mechanisms in place to ensure continue delivery of service occurs during such disruptions. Greenwich CCG also recognises the potential operational and financial losses associated with a major service interruption, and the importance of maintaining viable recovery strategies. During a disruption, it may not be possible for the CCG to continue delivering all of its services in the usual way. All CCG services are important, however, during an incident, services will be maintained based on their criticality and priority to the CCG and the needs of South East London community. Plans will be developed to ensure that resources and facilities are available to ensure critical service delivery at the pre-defined agreed level. 2.1 Aim The aim of this policy is to establish an appropriate framework to ensure that Greenwich CCG is able to plan for, prepare and respond to incidents or disruptions to the delivery of its services to the South East London community. 2.2 Objectives a) To identify those responsible for ensuring Business Continuity in the CCG b) To identify the key risk areas and ensure appropriate control measures are in place to reduce the severity of an impact on service delivery c) To identify response mechanisms and structures to be established to manage the disruption and allocation of tasks to recover CCG services d) To provide a guideline on appropriate training and exercising of procedures to be undertaken e) To provide assurance to external partners of the CCG s commitment to service delivery f) To ensure that service providers are able to provide assurance to Greenwich CCG of their ability to continue to operate during a disruption within their own organisation as well as within the CCG 2.3 Scope This policy applies to all staff employed by Greenwich CCG and for whom this CCG has a legal responsibility. For those staff covered by a letter of authority/ honorary contract or work experience, the organisation s policies are also applicable whilst undertaking duties for or on behalf of Greenwich CCG. Further, this policy applies to all third parties and others authorised to undertake work on behalf of Greenwich CCG. Section 4 of the policy outlines the specific roles and responsibilities of specific CCG staff. This policy does not detail the response to a business continuity incident; rather, it provides a set-up of activities for establishing a business continuity capability and the on-going management and maintenance, including planning, development, training and exercising of response arrangements. This policy will apply to disruptive events which may impact on Greenwich CCG s ability to deliver its business objectives to its commissioned services. The policy also applies to locations occupied by Greenwich CCG which is currently The Woolwich Centre, 35 Greenwich CCG Business Continuity Policy Page 6 of 16

7 Wellington Street, Woolwich, SE18 6ND. Should this change, amendments to the policy will be made to that effect. Business Continuity incidents may be isolated to Greenwich CCG, however, they may be part of a wider incident affecting the whole of London and other CCGs. Planning assumptions must therefore reflect such scenarios and interdependencies between Greenwich CCG and other CCGs. There is therefore, a need for high level networking with other CCGs and service providers in order to support Mutual Aid Agreements. 3. Processes for Undertaking Business Continuity Business Continuity is an on-going process. Plans and procedures must be continually reviewed against the changing environment of the CCG. By undertaking BC Planning, Greenwich CCG can expect that: a) Key services are identified, risk assessed and suitable control measures implemented ensuring their continuity b) An incident management capability is enabled to provide an effective response c) Greenwich CCG's understanding of itself and its relationships with its stakeholders is properly developed, documented and understood d) Staff are trained to effectively respond to an incident or disruption through appropriate exercising e) Stakeholder requirements are understood and able to be delivered f) CCG staff receive adequate communication and support in the event of a disruption g) Greenwich CCG s reputation is protected h) Greenwich CCG remains compliant with its legal and regulatory obligations 3.1 Business Continuity Management System (BCMS) The BCM programme forms the central component which dictates the CCG s approach and governance of its business continuity programme. This document serves as that structure and will provide assurances and evidence of continuing work with regards to the CCG s commitment to business continuity. Other documentation to be produced to support the BC process shall include: a) Business Impact Analysis (BIA) b) BC risk assessment c) Corporate BC Plan to include activation and recovery plans d) Training and awareness programme e) Exercise and debrief reports 3.2 The Plan- Do-Check-Act Model ISO22301:2012 applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of the organisation s BCMS. Greenwich CCG Business Continuity Policy Page 7 of 16

8 Figure 1: The Plan-Do-Check-Act Model Continual improvement of Business Continuity Management Systems (BCMS) Interested parties Establish (Plan) Interested parties Requirements for Business Continuity Maintain and improve (Act) Monitor and review (Check) Implement and operate (Do) Managed Business Continuity Figure 2: Explanation of the PDCA Model Plan (Establish) Do (Implement and operate) Check (Monitor and review) Act (Maintain and Improve) Establish BC policy, objectives, targets, controls, processes and procedures relevant to improving BC in order to deliver results that align with the organisation s overall policies and objectives Implement and operate the business continuity policy, controls, processes and procedures Monitor and review performance against Business Continuity policy and objectives, report results to management for review and determine and authorise actions for remediation and improvement Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and Business Continuity policy and objectives. 3.3 Understanding the organisation Effective planning and response plans must be underpinned by detailed identification and assessment of the different services that the CCG provides. This will be achieved by Greenwich CCG Business Continuity Policy Page 8 of 16

9 producing a Business Impact Analysis and risk assessments for services provided by the CCG. The CCG Business Impact Analysis will identify and document the impact of a disruption to the activities that support the key services of the CCG. The BIA will identify the following: a) How the impact will develop overtime during a disruption b) The interdependencies that are required for the delivery of the CCG service including staffing, resources and utilities/ infrastructure Services identified as having a short maximum tolerable period of disruption/ downtime, are those considered to be critical to the CCG. 3.4 Developing and Implementing BCM Response Greenwich CCG will develop a response plan that will detail the arrangements to be followed to ensure continuity of the critical services identified. The scope and potential for disruption to the CCG will vary according to the nature of the incident requiring varying level of response. The table below outlines the escalation procedure for dealing with incidents. Figure 3: BC Incident Escalation procedure Level Description Escalation 1 All services are operating normally None required 2 Disruption for a short period of time 3 Disruption to most CCG services affecting the ability to provide critical services Utilise Action Cards- Escalate if situation does not resolve On Inform Chief Officer and On call director- CCG Internal incident declared. CCG BC Plan invoked. The list below provides examples of what might be considered an event to invoke a BCP. The list is not exhaustive and judgement will be applied in each case Denial of access to work area- short or long term Loss of information technology infrastructure services for up to 5 days Loss of key staff, short and long term Significant national or international incident impacting on Greenwich CCG, such as a pandemic and Any requirement as identified by the BIA process 4. Accountability and Responsibilities In order for Greenwich CCG to develop a good long term business continuity capability, it is essential that all staff take on an appropriate level of responsibility. To that end, Greenwich CCG has identified a Business Continuity Lead for the organisation- Director of Integrated Governance. The Chief Officer (AO) for the CCG is ultimately responsible for the ownership of the Business Continuity Management System adopted. Greenwich CCG Business Continuity Policy Page 9 of 16

10 Directors will assess their specific area of expertise and plan actions for any necessary recovery phase, setting out procedures and staffing needs, as well as specifying any equipment or technical resource which may be required in the recovery phase. The Business Continuity Lead will be responsible for: Supporting directors to complete their BIAs Assisting directorates with identifying risks and controls Ensuring BC risks are recorded on Datix Change control, maintenance and testing of the BC Plan. Ensuring staff receive appropriate training The Accountable Officer will: Determine the criteria for implementing the Business Continuity Plan Provide overall management of a crisis, providing strategic direction and coordination of service recovery plans Directors and their appointed deputies will: Agree to the BIAs developed by directorates Validate the activities/ services which would have been derived as priority collectively, across the CCG Be responsible for the implementation of the Business Continuity Policy and standards Enforce compliance through assurance activities Review business continuity status and the application of the policy and standards in all business undertakings Provide appropriate levels of resource and budget to achieve the required level of business continuity competence and Ensure that information governance standards continue to be applied to data and information during an incident. It is intended that the one BC Folder should be stored off site in case there are difficulties in accessing the building. This folder will contain recovery procedures, contacts, and lists of vital materials or instructions on how to get these. All other CCG staff will be responsible for: Achieving an adequate level of general awareness regarding Business Continuity Being aware of the CCG s BC policy and its procedures Being aware of their own directorate contingency plans and any specific roles and responsibilities as set out in the Business Continuity Plan Cooperate in the implementation of incident response plans as part of their normal duties, when required to do so Participating actively in the business continuity programme when required and Ensuring information governance standards continue to be applied to data and information during an incident Greenwich CCG Business Continuity Policy Page 10 of 16

11 5. Cascade Process The Chief Officer and CCG directors make up the Incident Control Team (ICT). The BC ICT will provide immediate management functions required to handle an incident. A cascade structure will be developed in order to cascade incident notification to all staff within the CCG. 6. Risk Analysis Greenwich CCG is not responsible for the direct provision of health services; however, it is responsible for some functions that have direct impact on the providers of health services. Therefore, the risks to our stakeholders resulting from a catastrophic incident affecting Greenwich CCG could be significant. Where there is an incident involving the IT infrastructure, South East London Commissioning Support Unit (SELCSU) should be informed of the affected service and obtain an initial assessment. The CCG Business Continuity Lead will work with directorates to develop an asset list of locations, staff and services and this will be identified through the BIA. A series of robust plans and mitigations will be developed for the identified BC risks. 7. Incident Notification and analysis The CCG BC lead will develop procedures for incident notification which will be included in the CCG BC Plan. The response to an emergency does not necessarily or automatically translate into the declaration of a disaster and the implementation of a full recovery operation. Incidents may cause a temporary or partial interruption with limited or no office damage. It will then be the responsibility of the CCG BC lead in conjunction with the Chief Officer and or Directors available, to evaluate and declare the appropriate level of response. The CCG BC lead and CCG Chief Officer/ directors available will decide if temporary premises or alternative long-term premises are eventually to be required and will manage the acquisition. The severity or impact of an incident will be identified as follows: Minor Moderate Major Catastrophic The severity level will indicate the urgency of recovery the business service, and also the order in which services should be re-instated as identified in the BIA. 8. Communication Communication is crucial during a crisis. Processes of communication will be developed to ensure that there are appropriate statements for internal and external communication and processes for ensuring communication to all staff in the event of a BC incident. Greenwich CCG Business Continuity Policy Page 11 of 16

12 8.1 Responsibilities for Communicating with Stakeholders The CCG Associate Director for communications will receive information from the Chief Officer and or responsible director, which will be shared with external partners -including the media, other CCGs and staff members, providing assurances. 9. Incident coordination facilities Incident coordination facilities will be in place at the CCG location. This will be documented in the CCG BC plan. The BC ICT will state which of the locations is to be used to coordinate an incident when notifying managers that an incident has occurred. 10. Business Continuity Recovery Packs The CCG BC lead will develop BC recovery packs which will be located in the incident coordination facility detailing key information and contingencies. Copies will be held by directors and Chief Officer. The contents of these packs will be checked for completeness and updated regularly, whenever there is a change in the BCP which may affect its contents. 11. BC Plan maintenance The CCG BC Lead will be responsible for ensuring that the BCP is reviewed and updated at regular intervals to determine whether any changes are required to the procedures or responsibilities. A complete and revised BCP will be distributed annually to ach BC ICT member. 12. Training and awareness Training is a statutory requirement under the CCA. Once in place, the CCG Business Continuity lead will ensure that the CCG BCP is available for all staff on the intranet. All staff will receive BC awareness and training as part of induction. Directors and deputy directors will receive table top and walk through exercises for the BCP. Directors will continue to receive director on call training to enable them to manage BC incidents within the organisation. Loggist and communication training provided under EPRR arrangements will be applicable for BC incident management. 13. Testing The ongoing viability of the BC program can only be determined through continual tests and improvements. The CCG BC lead will be responsible for ensuring regular tests and revisions are made to the BCP to ensure they provide the level of assurance required. If there are any major changes to the role and structure of Greenwich CCG, plans will be tested again once a settling in period has been achieved, to allow for a confident level of recovery. It is vital as part of ongoing management for Greenwich CCG to: test the systems, test robustness, exercise plans and rehearse staff. Greenwich CCG Business Continuity Policy Page 12 of 16

13 14. Review This policy will be reviewed annually and earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation or guidance. Figure 4: Testing and Review Schedule Scope of review Frequency Responsible person Light touch ( call cascade)- Every 6 months CCG BC Lead checking contact details are up to date and correct Implementing change As required Directorate BC Leads programme Formal review- check to Annually and post incident/ CCG BC Lead ensure that all procedures are current and still applicable training Table top exercises Annually CCG BC Lead Live exercise Every 3 years CCG BC Lead Post incident/ exercise review After every exercise and incident CCG BC Lead 15. Monitoring/Audit Measurable Policy Objective Achievement of CCG BC requirements Regular review of Business Continuity Risks Training for on call staff Annual report on Business Continuity Monitoring/Audit NHSE Assurance Framework Corporate Register Risk Frequency of monitoring Yearly Quarterly or when new hazards are identified Responsibility for performing the monitoring Accountable Emergency Officer Director Integrated Governance Training record/ Annually Director of exercise programme Integrated Governance Annual report Annually Director of Integrated Governance of Monitoring reported to which groups/committees, including responsibility for reviewing action plans Quality Committee Quality Committee Quality Committee Governing Body Greenwich CCG Business Continuity Policy Page 13 of 16

14 16. Sources of Evidence BC (2013) Business Continuity Best Practice Guidelines, London: Business Continuity Institute BS ISO (2012) Societal Security. Business Continuity Management Systems- Requirements, BS ISO 22301:2012, London: British Standard Institute BSI (2006) Specification for Business Continuity Management, BS 25999, London: British Standard Institute. Civil Contingencies Act (2004). c. 36, London: The Stationery Office. Health and Social Care Act (2012), c.7, London: The Stationery Office PAS 2015 (2012) Framework for Health Service Resilience NHS Commissioning Board Business Continuity Management Framework (service resilience) (2013) NHS Commissioning Board Command and Control Framework for the NHS during significant incidents and emergencies (2013) NHS Commissioning Board Core standards for Emergency Preparedness, Resilience and Response (EPRR) Greenwich CCG Business Continuity Policy Page 14 of 16

15 Appendix 1 - Equality & Equity Impact Assessment & EDS2 Checklist This is a checklist to ensure relevant equality and equity aspects of proposals have been addressed either in the main body of the document or in a separate equality & equity impact assessment (EEIA)/ equality analysis. It is not a substitute for an EEIA which is required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to enable the policy lead and the relevant committee to see whether an EEIA is required and to give assurance that the proposals will be legal, fair and equitable. The word proposal is a generic term for any policy, procedure or strategy that requires assessment. Challenge questions Yes/No What positive or negative impact do you assess there may be? 1. Does the proposal affect one group more or less favourably than another on the basis of: Race No Pregnancy and Maternity No Sex No Gender and Gender Re-Assignment No Marriage or Civil Partnership No Religion or belief No Sexual orientation (including lesbian, gay bisexual and transgender people) No Age No Disability (including learning disabilities, physical disability, sensory impairment and mental health problems) No 2. Will the proposal have an impact on lifestyle? (e.g. diet and nutrition, exercise, physical activity, substance use, risk taking behaviour, education and learning) 3. Will the proposal have an impact on social environment? (e.g. social status, employment (whether paid or not), social/family support, stress, income) 4. Will the proposal have an impact on physical environment? (e.g. living conditions, working conditions, pollution or climate change, accidental injury, public safety, transmission of infectious disease) 5. Will the proposal affect access to or experience of services? (e.g. Health Care, Transport, Social Services, Housing Services, Education) No No No No Greenwich CCG Business Continuity Policy Page 15 of 16

16 By using evidence and insight to assess and grade our equality performance, NHS Greenwich can generate much of the information we will require to demonstrate compliance with the PSED. The checklist is to enable the policy lead and the relevant committee to see if a particular policy or project will provide the relevant evidence to assist NHS Greenwich CCG meet the set out EDS goals to achieve better outcomes for patients and staff. Please assess your policy, project or service against the following: The goals and outcomes of EDS2 Description of outcome Better health outcomes 1.1 Services are commissioned, procured, designed and delivered to meet the health needs of local communities 1.2 Individual people s health needs are assessed and met in appropriate and effective ways 1.3 Transitions from one service to another, for people on care pathways, are made smoothly with everyone well-informed 1.4 When people use NHS services their safety is prioritised and they are free from mistakes, mistreatment and abuse 1.5 Screening, vaccination and other health promotion services reach and benefit all local communities Improved patient 2.1 People, carers and communities can readily access hospital, community health or access and experience primary care services and should not be denied access on unreasonable grounds 2.2 People are informed and supported to be as involved as they wish to be in decisions about their care 2.3 People report positive experiences of the NHS 2.4 People s complaints about services are handled respectfully and efficiently A representative and 3.1 Fair NHS recruitment and selection processes lead to a more representative supported workforce workforce at all levels 3.2 The NHS is committed to equal pay for work of equal value and expects employers to use equal pay audits to help fulfil their legal obligations 3.3 Training and development opportunities are taken up and positively evaluated by all staff 3.4 When at work, staff are free from abuse, harassment, bullying and violence from any source 3.5 Flexible working options are available to all staff consistent with the needs of the service and the way people lead their lives 3.6 Staff report positive experiences of their membership of the workforce Inclusive leadership 4.1 Boards and senior leaders routinely demonstrate their commitment to promoting equality within and beyond their organisations 4.2 Papers that come before the Board and other major Committees identify equalityrelated impacts including risks, and say how these risks are to be managed 4.3 Middle managers and other line managers support their staff to work in culturally competent ways within a work environment free from discrimination Policy Author Signature: Anna English Date: Yes/ No Yes Equalities Lead Signature: Date: Greenwich CCG Business Continuity Policy Page 16 of 16