Business continuity policy


Document Author: Emergency Planning Lead
Document type: Policy
Document library section: Corporate
Document status: Final
Approved by: Governance and Assurance Committee - 10 October 2013
Can document be published to the internet (publicly available): Yes, with redaction of personal details and contact details
Brief summary of document: The document describes the key functions of the CCG and the arrangements in place to ensure these functions continue during an incident.
This document replaces: New document for CCG
Approved Equality Impact Assessment attached: Yes
Cross referenced to: Incident Response Plan
Ratified by: Governance and Assurance Committee
Date of ratification: 10 October 2013
Date to be reviewed: 1 October 2019

Version control

Date | Version number | Summary of changes | Changes made by
27/06/ | | New draft | Terry Ancell
12/08/ | | Draft and consultation approval | Terry Ancell
10/10/ | | Revised to reflect organisational changes | Terry Ancell
24/04/ | | Approval (SMT) | Drew Wallbank

Consultation

Consulted | Response received | Comments accepted | Comments rejected
SMT | Y | Y |
Directorate leads, heads of teams | Y | Y |
Head of IT strategy | Y | Y |
Representatives from operations division | Y | Y |

Disseminate to: Executives and all employees
Dissemination methods: Communications team to disseminate via Staff Bulletin, Document Library and NHS Kernow website: Staff Zone

This document should not be photocopied or otherwise produced.

Contents

1. Purpose
2. Policy statement
3. Benefits
4. Policies cross referenced
5. Definitions
6. Stage 1: BCM programme management
   6.1 Business continuity key messages
   6.2 Roles and responsibilities
       NHS Kernow Governing Body
       Chief Officer
       Executive lead for BCM
       Managerial lead for BCM
       Executive directors
       Directorate business continuity leads
       All managers
       All employees
7. Stage two: Understanding your business
   7.1 Business impact analysis
   7.2 Risk assessment
       Threats and hazards
       Risk matrices
8. Stage three: Determining a BCM strategy
   8.1 Absence of key staff
   8.2 Suppliers
   8.3 Prioritisation of NHS Kernow activities
       Category two essential activities
       Category three priority activities
       Category four support activities
   8.4 Resources
       Alternative premises
9. Stage four: Developing and Implementing a BCM response
10. Stage five: Exercising, maintaining and reviewing
    Incident reporting
    Training and exercising
    Audit, monitoring and review

1. Purpose

This document sets out the general principles and processes for the creation and revision of business continuity and service recovery plans for NHS Kernow Clinical Commissioning Group (NHS Kernow). The policy follows the guidance and principles as set out in BS25999 for the management of business continuity planning. The business continuity plan is separate from but may operate alongside the NHS Kernow major incident plan and other such policies.

This policy defines the activities required for establishing and maintaining a business continuity capability. In addition, the policy defines the organisational structure for the ongoing management of the programme. The setup activities incorporate the specification, end-to-end design, build, implementation and initial exercising of the business continuity plans. These plans must specify a predetermined level of continued business operation throughout an incident and the re-establishment of full business activities over a predefined period of time.

It is therefore mandated by acceptance of this policy that the following stages of developing and implementing a BCM programme will be put in place, maintained and exercised on an ongoing basis. This business continuity policy provides a structure through which:

- A comprehensive BCMS (business continuity management system) is established and maintained;
- Key services, together with their supporting critical activities, processes and resources, will be identified;
- Business impact analysis and risk assessment will be applied to our key services and their supporting critical activities, processes and resources;
- Risk mitigation strategies will be applied to reduce the impact of disruption on key services;
- Plans will be developed to ensure continuity of key services at a minimum acceptable standard following disruption;
- Invocation of business continuity plans can be managed;
- Plans are subject to ongoing exercising and revision;
- The Governing Body can be assured that the BCMS remains up to date and relevant.

2. Policy statement

BCM is good business management practice and all public sector organisations in the UK have a legal obligation to ensure they monitor and control the organisational risks they face, as defined by the Civil Contingencies Act. NHS Kernow depends upon a wide range of complex systems and resources and a well established reputation in order to perform its duty to the public. Inevitably, there is potential for significant disruption to normal business or damage to NHS Kernow's reputation through loss of those systems and resources. NHS Kernow's priorities in responding to a significant disruption (whether actual or impending) will always be to:

- Ensure the safety and welfare of its personnel and patients in accordance with relevant sections of the Health and Safety at Work Act and other primary legislation;
- Endeavour to meet its obligations under the Civil Contingencies Act 2004 and NHS Emergency Planning Regulations 2005;
- Protect its reputation;
- Minimise risks to its financial position and reputation;
- Facilitate a return to normal operations as soon as practicable;
- Ensure the delivery of statutory functions and objectives.

3. Benefits

This policy provides a clear commitment to establish a business continuity management system that will enable the organisation to:

- Continue to provide key services in times of disruption;
- Make best use of personnel and other resources in times when both might be scarce;
- Reduce the period of disruption to the organisation and the customers it serves;
- Resume normal working more efficiently and effectively after a period of disruption;
- Comply with standards of corporate governance;
- Improve the resilience of the organisation's infrastructure to reduce the likelihood of disruption;
- Reduce the operational and financial impact of any disruption.

4. Policies cross referenced

This policy is cross referenced to:

- NHS Kernow incident response plan
- On call policy
- Flexible working policy
- Discretionary leave policy
- Annual leave policy
- Heatwave plan
- Risk management policy
- NHS Kernow incident reporting and management policies

5. Definitions

The Civil Contingencies Act 2004 places a statutory duty on NHS Kernow to have a business continuity plan. Clinical Commissioning Groups are a person or body listed in Part one or two of Schedule One of the Civil Contingencies Act. Section two lists the duties placed on the listed organisations, where Section two (2.1) (c) states we shall:

"Maintain plans for the purpose of ensuring, so far as is reasonably practicable, that if an emergency occurs, the person or body is able to continue to perform his or its functions."

The duty relates to all functions, not just our emergency response functions.

Business continuity management is generically defined as "a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities." (Business Continuity Institute, Good Practice Guidelines, June 2005)

The Department of Health NHS Resilience and Business Continuity Management Guidance further defines BCM in the NHS as the management process that enables an NHS organisation:

- To identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation;
- To identify and reduce the risks and threats to the continuation of these key services;
- To develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time.

For the NHS, service interruption may be defined as:

"Any disruptive challenge that threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal operating functions which could be short, medium or long term."

Business continuity management is a management process that accords with British Standards Institute BS and contains five process steps:

1) Programme management
2) Understanding your business
3) Determining a BCM strategy
4) Developing and implementing a BCM response
5) Exercising, maintaining and reviewing

The figure below demonstrates that steps two to five are cyclical and these should be repeated at least annually to ensure compliance, currency and quality (Figure 1). Thus business continuity plans developed as a result of this policy will be living documents that will change and grow as incidents happen, exercises are held and risks are reassessed.

Figure 1: The BCM Lifecycle (Source: NHS Interim Guidance June 2008)

6. Stage 1: BCM programme management

Under the terms of the Civil Contingencies Act 2004, NHS Kernow, as a category two responder, is required to maintain plans to ensure it can continue to deliver essential services in the event of an emergency as far as is reasonably practicable. For this policy to succeed, business continuity must become part of NHS Kernow's culture. It needs to influence strategy and business planning, e.g. resilience and cost effectiveness decisions.

6.1 Business continuity key messages

NHS Kernow expects all the following key messages to be applied across the organisation:

- Business continuity is a mandatory management practice that must be carried out throughout NHS Kernow to plan in advance for business disruptions;
- Commissioning directorates and provider units must examine their core business, plan for and draw up business continuity plans using this Framework;

- Business continuity is to be managed at the lowest possible appropriate level within each commissioning directorate and provider unit;
- Business continuity plans should be consistent with and support other plans at each level within the organisation. Therefore plans should set out relevant links to other NHS Kernow business continuity plans;
- Business continuity plans should link into the business continuity and IT service continuity management plans of our key IT suppliers;
- Business continuity leads have a responsibility for providing assurance on business continuity arrangements to NHS Kernow. Details of individual post holders will be held within directorate plans.

6.2 Roles and responsibilities

All directors, managers and staff are responsible for establishing, maintaining and supporting a holistic approach to business continuity management in all areas of their responsibility. Some members of staff, business units and NHS Kernow committees have particular specialist functions in relation to business continuity management, as described below.

NHS Kernow Governing Body

The Governing Body's main role is to set the strategic direction and to monitor performance over the year. It is the highest level decision-making body in NHS Kernow, accountable for overall performance, and ensures that statutory, financial and legal responsibilities are met. These responsibilities fall to all members of the Governing Body, which acts as the guardian of public interest and is responsible for reviewing the effectiveness of internal controls - financial, organisational and clinical. The Governing Body must satisfy itself that the management of the CCG is doing its reasonable best to ensure the efficient and effective discharge of its affairs. Authority for oversight of the business continuity programme management may be delegated to a committee or executive.

Chief Officer

The Chief Officer is accountable for ensuring that effective systems of risk management and business continuity are in place. She/he delegates corporate responsibility for business continuity to an executive lead for BCM, currently the Chief Operating Officer.

Executive lead for BCM

The executive lead is accountable via the Chief Officer for implementing effective business continuity arrangements. During steady state this includes:

- Acting as an internal and external focal point for business continuity management, including liaison with other NHS bodies and partner organisations;
- Developing, co-ordinating and improving NHS Kernow's BCM arrangements and the business continuity plan.

Managerial lead for BCM

The managerial lead is accountable to the executive lead for BCM for providing assurance that business continuity is embedded within NHS Kernow. During steady state this includes:

- Providing support for the executive lead director on business continuity issues;
- Representing NHS Kernow at business continuity and resilience meetings;
- Providing corporate policy and guidance to business continuity leads across NHS Kernow;
- Ensuring readiness to respond to appropriate incidents.

Executive directors

Directors are responsible for overseeing a programme of business continuity management activities for their particular directorate in accordance with this policy. This includes identifying designated risk management and business continuity leads within their areas who will be tasked with the development and maintenance of department/service business impact analyses (BIAs) and risk registers. This will include:

- Nominating a business continuity lead(s);
- Providing assurance that business can be maintained in the event of a disruption;
- Determining business priorities and planning required for business continuity purposes;
- Maintaining and steering business continuity management in line with this Framework and agreed priorities; and
- Invoking their business continuity plan(s) in the event of a disruption.

Directorate business continuity leads

BCM leads have responsibility for day-to-day business continuity issues within their directorate during steady state. They will typically be a deputy director or head of service.
Their role is to actively promote continuity planning and be responsible for:

- Ensuring appropriate continuity plans are in place within their area;
- Embedding business continuity management into their area;
- Ensuring planning takes place in a co-ordinated and structured manner;
- Co-ordinating the development of business continuity and contingency arrangements;
- Liaising with other business continuity leads to establish and agree assumptions in their plan that impact upon other directorates, e.g. movement of staff;
- Providing the focal point for business continuity issues for their area;
- Evaluating the arrangements during disruption and instigating a lessons learned exercise to improve procedures for the future; and
- Ensuring that business continuity plans are rehearsed annually and are updated to reflect relevant changes.

The Personal Assistant (PA) to each executive director will provide administrative support to business continuity leads.

All managers

Each manager/service lead is operationally responsible for ensuring compliance with this policy within their area of responsibility. This includes promoting awareness of NHS Kernow's business continuity policy, corporate and directorate business continuity plans and procedures, as appropriate, within their own teams.

All employees

Employees must familiarise themselves with and comply with all relevant policies and procedures for business continuity. Employees must make themselves aware of relevant emergency procedures, e.g. evacuation and fire precaution procedures appertaining to their particular role.

7. Stage two: Understanding your business

A BCM strategy relies on understanding the organisation's functions and defining the essential processes to discharge those functions. NHS Kernow's Constitution details these in Section and includes:

- Commissioning certain health services not commissioned by the NHS England area teams to meet the reasonable needs of all local people registered with member practices and people normally resident in Cornwall or the Isles of Scilly but who are not registered with a member practice;
- Commissioning emergency care for anyone present in Cornwall and the Isles of Scilly;
- Paying its employees and reimbursing their expenses in accordance with their terms of employment;
- Determining the remuneration and travelling or other allowances of Governing Body members.

With the exception of CCG managed services, the core business of NHS Kernow is reliant on external providers for healthcare and for some of its essential infrastructure, such as premises, utilities, information and technology and telecommunications.

7.1 Business impact analysis

BS25999 defines a BIA as the process of analysing business functions and the effect that business disruption might have upon them. The BIA will identify, quantify and qualify the impact and effect of a loss, interruption or disruption to the organisation's processes. The BIA process will:

- Define the activity and its supporting processes;
- Map the distinct stages of each activity and process;
- Determine the impacts of a disruption;
- Define the maximum tolerable period of disruption for each process and the recovery time objectives (where BS25999 defines Recovery Time Objective (RTO) as the target time set for the resumption of a service delivery after an incident);
- Determine the minimum resources needed to meet recovery objectives.

7.2 Risk assessment

The purpose of risk analysis is to help with the development of the business continuity plans and the identification and choice of risk treatment options. The process of risk analysis is subjective, relying on judgements and assumptions, but must follow the standard principles adopted by NHS Kernow for assessing risk and the guidance set out below in section .

The Civil Contingencies Act 2004 places a duty on listed organisations, including CCGs, to co-operate with other listed organisations in a local resilience area in maintaining a register, the community risk register, of the risk assessments carried out by each organisation. The purpose of the community risk register is to ensure organisations carry out their emergency planning and business continuity management taking account of the risk priorities identified collectively in the register.

Threats and hazards

Hazard: An accidental or naturally occurring phenomenon with the potential to cause physical (or psychological) harm to members of the community (including loss of life), damage or losses to property or disruption to the environment or structures (economic, social, political) upon which a community's way of life depends.

Hazards can be split into a number of categories:

- Physical: fire, temporary or permanent structural collapse;
- Environmental/natural: severe weather, e.g. flooding, snow or gales;
- Organisational/infrastructure: staff illness or loss of a key building;
- Social: industrial disputes or public order;
- Health (human and animal): pandemics in humans, highly contagious disease in cattle, e.g. foot and mouth;
- Technological: dam collapse, system failures on an industrial/chemical site.

Threat: A malicious act resulting in adverse consequences to human welfare (including property and the supply of essential services and commodities), the environment or security. In the context of the Civil Contingencies Act, it will be very rare that local resilience forums will identify threats, as these will be communicated by Central Government or via the relevant lead government department in the form of Threat Assessments, e.g. terrorism from the Home Office, animal diseases from DEFRA or human health from the Department for Health. These assessments will describe the threat, its scale and likelihood.

Risk matrices

The risk evaluation matrix is a simple approach to quantifying risk by defining qualitative measures of consequence (impact) and likelihood (frequency or probability) using a simple one to five rating system. This allows the construction of a risk matrix, which can be used as the basis of identifying risk. The risk score is consequence x likelihood. For the purpose of business impact analysis, the following risk scoring system is recommended:

Consequence (severity of impact)

Score | Descriptor | Service / business interruption
1 | Insignificant | Loss / interruption < 1 hour
2 | Minor | Loss / interruption up to 8 hours
3 | Moderate | Loss / interruption up to 1 day
4 | Major | Loss / interruption up to 1 week
5 | Catastrophic | Permanent loss of service or facility

Likelihood (frequency or probability)

Score | Descriptor | Frequency | Probability
1 | Rare | Not expected to occur for years | < 1%: will only occur in exceptional circumstances
2 | Unlikely | Expected to occur at least annually | 1-5%: unlikely to occur
3 | Possible | Expected to occur at least monthly | 6-20%: reasonable chance of occurring
4 | Likely | Expected to occur at least weekly | 21-50%: likely to occur
5 | Almost certain | Expected to occur at least daily | > 50%: more likely to occur than not

Risk matrix (risk score = consequence x likelihood)

Consequence | Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost certain (5)
Insignificant (1) | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low
Minor (2) | 2 Low | 4 Low | 6 Medium | 8 Medium | 10 Medium
Moderate (3) | 3 Low | 6 Medium | 9 Medium | 12 High | 15 High
Major (4) | 4 Low | 8 Medium | 12 High | 16 High | 20 Extreme
Catastrophic (5) | 5 Low | 10 Medium | 15 High | 20 Extreme | 25 Extreme

Extreme risks: These are classed as primary or critical risks requiring immediate attention. They may have a high or relatively low likelihood of occurrence, but their potential consequences are such that they must be treated as a high priority. This may mean that strategies should be developed to reduce or eliminate the risks, but also that mitigation in the form of (multi agency) planning, exercising and training for these hazards should be put in place and the risk monitored on a regular frequency. Consideration should be given to planning being specific to the risk rather than generic.

High risks: These risks are classed as significant. They may have a high or relatively low likelihood of occurrence, but their potential consequences are sufficiently serious to warrant appropriate consideration after those risks classed as very high. Consideration should be given to the development of strategies to reduce or eliminate the risks, but also mitigation in the form of at least (multi agency) generic planning, exercising and training should be put in place and the risk monitored on a regular frequency.

Medium risks: These risks are less significant, but may cause upset and inconvenience in the short term. These risks should be monitored to ensure that they are being appropriately managed and consideration given to their being managed under generic emergency planning arrangements.

Low risks: These risks are both unlikely to occur and not significant in their impact. They should be managed using normal or generic planning arrangements and require minimal monitoring and control unless subsequent risk assessments show a substantial change, prompting a move to another risk category.

The executive team of NHS Kernow will ensure that the risks identified as a consequence of the development of directorate business continuity plans are included within the corporate risk register and vice versa.

Based on the outcomes of the risk assessment, NHS Kernow will explore the options that exist to minimise the level of risk faced by the organisation. Strategies will be devised for all risks identified, from very high to low scores, based on the following proposed framework:

- Mitigation: identifying strategies, activities, modifications or controls aimed at reducing the risk;
- Acceptance: ensuring the risk is owned at the appropriate level (normally director level) within the organisation;
- Transferring: changing the process, ceasing the practice, outsourcing the service or transferring the risk;
- Eliminating: if possible, removing the cause, avoiding the risk or introducing preventative measures;
- Recovery: developing and testing recovery plans to deal with any threats and hazards identified.

For significant risks (rated High or Extreme) this will involve developing specific contingency plans, if appropriate, as part of the corporate business continuity plan. Other risks (rated Medium or Low) will be managed at directorate level as part of directorate business continuity plans.

8. Stage three: Determining a BCM strategy

8.1 Absence of key staff

To improve the resilience of services and supporting resources it is important that steps are taken to cope with the absence of key staff. Measures will include documenting key tasks, roles and responsibilities; capturing contact names and numbers; and producing standard operating procedures. Key individuals will be encouraged to take personal responsibility for nominating and training a deputy. This requirement should be reflected in an employee's annual objectives where applicable and will be subject to appraisal on an annual basis as a minimum. Data gathering will be conducted to collect information on services and supporting resources, key staff, skills, equipment and contact information. Key posts and post holders will be identified within individual directorate plans.

8.2 Suppliers

NHS Kernow relies upon the products and services of other organisations in order to maintain effective operations. Suppliers include outsourcers and intermediaries who deliver services on the organisation's behalf. These suppliers (or partners) may be commercial, public or voluntary organisations. NHS trusts and NHS foundation trusts must be able to demonstrate a robust internal system for the management of risk to the delivery of their services.

They must be compliant with, or operating at, the NHSLA's risk management standards and demonstrate active compliance with any risk or quality regime introduced by the Care Quality Commission. External providers will be required to undertake appropriate risk management and prepare business continuity management policies and procedures. If the product or service supplied is unique and essential to the organisation's service capability, or if there is a long term outsource agreement that makes it difficult to make alternative sourcing arrangements, then the supplier will be judged as key.

The following is a list of questions which could be asked of key suppliers and CCG managed services:

- Have you identified the processes you need to ensure delivery of the products/services we need for our critical processes?
- Have you identified the resources that support these processes?
- Have you developed business continuity plans to maintain the processes if you have a disruption?
- Have you exercised these plans?
- What lessons have you learnt from the exercises?
- What steps have you taken to integrate the lessons learnt into your business continuity plans?
- What other customers do you have for the key products/services you supply, and what assurances can you give that we will receive preference of supply at the time of disruption?

Answers to these questions should be supported by evidence from the supplier. Commissioning departments have essential roles to play in encouraging key suppliers to develop business continuity plans. New contracts will contain appropriate business continuity clauses. When existing contracts are due for renewal the opportunity will be taken to discuss the need to include business continuity arrangements. Where appropriate, performance measures will be added or reference made to appropriate BS BCM Standards.

8.3 Prioritisation of NHS Kernow activities

A data gathering exercise will be conducted to identify the critical, essential and routine processes in each directorate/business unit. These will be collated to form NHS Kernow's business continuity plan. This information will be reviewed and updated either on an annual basis, or following incidents, exercises and organisational restructuring.

8.3.1 Category one critical activities

Loss of a critical activity would immediately:

- Directly endanger life;
- Endanger the safety of those individuals for whom NHS Kernow has a legal responsibility;
- Prevent the operation of another activity in this category;
- Prevent the delivery of a managed service;
- Seriously affect NHS Kernow's finances or the accuracy of critical records;
- Prevent communication of vital information to partners or the public.

Category one activities must continue to be provided.

Category two essential activities

Loss of a category two essential activity would immediately:

- Present a risk to health or safety;
- Prevent NHS Kernow fulfilling a statutory obligation;
- Prevent the operation of another activity in this category;
- Seriously adversely affect NHS Kernow's reputation.

In the event of disruption this activity must be recovered within three days.

Category three priority activities

Loss of a priority activity would lead to:

- NHS Kernow failing to meet its statutory obligations;
- The operation of a category one or two activity being seriously affected;
- NHS Kernow's reputation being seriously adversely affected.

In the event of disruption priority activities should be recovered within seven days.

Category four support activities

All other activities which are required in order for NHS Kernow to go about its normal business are deemed to be support activities. In the event of disruption these activities should be recovered as soon as possible.

8.4 Resources

In addition to critical, essential and routine processes it is important to consider the supporting resources which contribute to the normal operation of the organisation. These include:

- Utilities: oil, gas, electricity, water and sewerage;
- ICT: IT and telecommunications, including third party suppliers, network and internet service providers;
- Logistics: including third party suppliers;
  - In: supplies, transport;
  - Out: transport, waste;
- Finance: payroll, contracts;
- Workforce: skills, numbers, communications and resource mobilisation, standard operating procedures;
- Premises: buildings and infrastructure. Considerations to include new build (secure by design); old build (design constraints and risks); alternative premises for use by a single department or concurrent use by multiple departments (larger premises required).

The following, which support the smooth running of NHS Kernow's business, may also be considered under the resources heading:

- Facilities management
- Reception
- Security
- Car parking

Alternative premises

In the event that NHS Kernow premises are unavailable or inaccessible for an extended period, alternative accommodation will be sought to house all critical activities and as many essential activities as possible. As part of the data gathering exercise, directorate business continuity management leads will be asked to identify such processes in their department, and they will be asked to define the minimum office amenities requirement (desks, phones, fax, PCs, etc.) necessary for them to maintain these activities. This information will be detailed in the business continuity plan.

9. Stage four: Developing and Implementing a BCM response

In addition to a broad policy statement it is important to develop suitable business continuity plans. These will be operational plans containing the arrangements required to address generic and specific threats faced by NHS Kernow.

The production of directorate plans will ensure that key stakeholders take responsibility for owning the BCM process and developing the arrangements required to respond to and recover from an incident.

10. Stage five: Exercising, maintaining and reviewing

Business continuity is a cyclical process. Risk registers, associated arrangements and plans need to be revisited on a regular basis. NHS Kernow will conduct incident or exercise debriefs and update plans and associated documentation based on the lessons identified. Risk registers will be reviewed and updated to allow for any change in circumstances and as new information becomes available. As part of the ongoing business continuity cycle, NHS Kernow will periodically re-evaluate its arrangements, identify the most vulnerable processes, improve resilience and thereby reduce the level of risk faced by the CCG. At the very least, business continuity plans will, where possible, be reviewed as part of a yearly audit cycle in line with current arrangements for the Major Incident Plan.

Incident reporting

Incident reporting is fundamental to the identification of risk and sound business continuity management, and all staff are actively encouraged to use the CCG's existing incident reporting mechanism, which will be the CCG's primary mechanism for reporting of all incidents.

Training and exercising

In conjunction with the publication of the policy, a training needs analysis will be conducted to identify the training required within the organisation. Existing training currently meets some business continuity training requirements, e.g. fire safety and health and safety training. Other training will include:

- Specific training for directorate business continuity management leads to help them develop directorate business continuity plans;
- Any supplementary training where a need has been identified.

Audit, monitoring and review

This policy statement contains largely static information which will not change significantly over time. However, it will be reviewed at least annually and updated versions will be distributed to all relevant parties.

The business continuity plans developed as a result of this policy will contain more dynamic information. Associated plans will be living documents that will change and grow as incidents happen, exercises are held and risks are reassessed. At the very least, all associated plans should be reviewed and updated on an annual basis. This will meet the requirement of category two responders under the Civil Contingencies Act 2004 to maintain business continuity plans to ensure the delivery of key services.

The Governance and Assurance Committee will monitor progress on policy implementation and report regularly to the Governing Body. Financial implications may emerge as the policy is reviewed and updated and associated business continuity plans are developed.