Business Continuity Management Policy. Date: Oct 2014. Version Number: Issue 1. Planned Review Date: Oct 2017


Business Continuity Management Policy

Document Code: PtHB / CGP 001
Date: Oct 2014
Version Number: Issue 1
Planned Review Date: Oct 2017
Document Owner: Civil Contingencies Manager
Approved by: Executive Team
Date: 08/10/2014
Document Type: Policy

Powys Teaching Health Board is the operational name of Powys Teaching Local Health Board.

PTHB acknowledge that this document is past the review date. A review is currently in progress and therefore an extension has been applied to this issue following discussion with the Accountable Director.

Page 1 of 15 Review Date: 2017

Contents (Page)

Validation Form ... 3
Consultation ... 3
Equality Assessment ... 5
Relevant to ... 6
Introduction ... 6
Purpose ... 7
Scope ... 7
Business Continuity Objectives ... 7
Roles and Responsibilities ... 8
Business Continuity Management lifecycle ... 10
Business Continuity Management Programme Management ... 11
Business Continuity Management Procedures ... 11
Definitions ... 15
Appendices

For Reviewed &/or Updated Policies Only:
Relevant Changes: Reference code changed to CGP 001 (previously CP 004) by Corporate Governance Department
Date: December 2017

VALIDATION FORM

To be completed by the Author. No policy, procedure or guidance will be accepted without completion of this section, which must remain part of the policy.

Author: Donna Bale, Civil Contingencies Manager
Directorate:
Reviewed/Updated by:

EVIDENCE BASE
Are there national guidelines, policies, legislation or standards relating to this subject area? If yes, please include below:
- Civil Contingencies Act 2004
- Welsh Assembly Government Health Emergency Preparedness Unit, NHS Wales Emergency Planning Guidance, March 2010
- NHS Resilience and Business Continuity Management Guidance (2008)
- BCI Good Practice Guidelines: A Guide to Global Good Practice in Business Continuity
- ISO Societal Security: Business Continuity Management Systems Requirements

DOING WELL, DOING BETTER - STANDARDS FOR HEALTH SERVICES IN WALES
Please state which Health Services Standards this policy will support / link to: Standard 4 Civil Contingencies

CONSULTATION
Please list the groups, specialists or individuals involved in the development & consultation process (Name / Date):
- Powys tHB Management lists 1, 2 & 3: Apr 2014
- Corporate Health & Safety Committee: Apr 2014

Implications
Please state any training implications as a result of implementing the policy / procedure.
Training is required for all members of staff expected to be involved in the development and response element of the Business Continuity Plan.

Please state any resource implications associated with the implementation.
Involvement from all service areas of the organisation in the development, review, training and exercising of plans.

Please state any other implications which may arise from the implementation of this policy/procedure.
New risks may be identified.

Equality Assessment Statement

Please complete the following table to state whether the following groups will be adversely, positively or differentially affected by the policy, or that the policy will have no effect at all.

Equality statement | No impact | Adverse | Differential | Positive | Comments
Age | | | | |
Disability | | | | |
Gender | | | | |
Race | | | | |
Religion/Belief | | | | |
Sexual Orientation | | | | |
Welsh Language | | | | |
Human Rights | | | | |

Risk Assessment
Are there any new or additional risks arising from the implementation of this policy?
No. Individual departments may identify risks as a result of the BCM process.

Do you believe that they are adequately controlled?
n/a

Are there any Information Governance issues or risks arising from the implementation of this policy?
Receiving annual reports on compliance.

1. Relevant to

Business Continuity Management Policy and Procedures: all staff employed by Powys teaching Health Board (PtHB).

2. Introduction

PtHB is responsible for planning, securing and providing healthcare services for the 130,000 or so people who live in Powys. PtHB needs to be able to plan for and respond to a wide range of incidents and emergencies that could affect health or patient care. These could be anything from severe weather or industrial action to an infectious disease outbreak.

PtHB has a legal duty under the Civil Contingencies Act 2004 to have in place Business Continuity Plans to ensure that the organisation can "continue to exercise their civil protection functions", to ensure the Health Board can deliver these capabilities when required, and "continue to perform their ordinary functions", ensuring that ordinary functions can be continued to the extent required.

A Business Continuity Management System (BCMS) is a business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework that:
- proactively improves PtHB's resilience against the disruption of its ability to achieve its key objectives;
- provides a rehearsed method of restoring the tHB's ability to supply its key products and services to an agreed level, within an agreed time after a disruption; and
- delivers a proven capability to manage a business disruption and protect the tHB's reputation.

By focusing on the impact of disruption, business continuity management (BCM) identifies those critical activities, i.e. the products and services on which PtHB depends for its survival, and can identify what is required for PtHB to continue to meet its obligations (e.g. agree prioritised activities and the recovery requirements, timing and sequence to meet these). Through the BCMS, PtHB can recognise what needs to be done before an incident occurs, to protect its people, premises, technology, information, supply chain, stakeholders and reputation.

The benefits of implementing a BCM programme across the organisation are that PtHB:
- is able to proactively identify the impacts of an operational disruption;
- has in place an effective response to disruptions which minimises the impact on PtHB;
- encourages cross-team working;
- is able to demonstrate a credible response through a process of testing;
- could enhance its reputation.

The outcomes of an effective BCM programme are that:
- critical services are identified and protected, ensuring their continuity;
- an incident management capability is enabled to provide an effective response;
- PtHB's understanding of itself and its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood;
- staff are trained to respond effectively to an incident or disruption through appropriate testing;
- stakeholder requirements are understood and able to be delivered;
- staff receive adequate support and communications in the event of a disruption;
- PtHB's supply chain is secured;
- PtHB's reputation is protected;
- PtHB remains compliant with its legal and regulatory obligations.

The BCM Policy is complementary to the following PtHB Policies/Plans:
- Civil Contingencies Plan
- Strategic and Tactical Major Incident Response Plan
- Risk Management Policy and Procedures
- Pandemic Flu Framework (under development)

3. Purpose

This document describes the BCMS approach for PtHB. The purpose of this policy is to:
- establish a structure through which a comprehensive BCMS is established and maintained in an agreed and controlled manner, to build resilience into PtHB activities, services and systems and to ensure resilience is considered as part of PtHB operations;
- ensure that PtHB achieves a business continuity capability that meets the changing business needs and is appropriate to the size, complexity and nature of PtHB;
- put in place a clearly defined framework for ongoing business continuity capability.

4. Scope

All healthcare provision and management provided by PtHB, including supporting dependencies, are included within the scope of this policy. Contracts, suppliers and services that are commissioned by PtHB, but not directly managed by PtHB, are not included within the scope of this document.

5. Business Continuity Objectives

PtHB has identified its Business Continuity objectives as:
- protecting life;
- reducing the impact or harm to patients and Powys as a community arising as a result of disruption to patients, patient treatments, patient appointments and patient services provided by PtHB;
- maintaining critical infrastructure and facilities;
- maintaining normal business operations as far as reasonably possible;
- minimising any negative impact arising from either a financial perspective or on the reputation of PtHB or its employees as a result of a business continuity incident.

6. Roles and Responsibilities

Chief Executive
The Chief Executive has overall accountability for compliance with Civil Contingencies legislation.

Director of Public Health
The Director of Public Health is the delegated Executive Lead for compliance with Civil Contingencies legislation.

Board of Directors
All Directors are responsible for endorsing the Business Continuity Management Policy and for ensuring that the BCMS is appropriately resourced and embedded within the culture of the organisation.

Civil Contingencies Manager
The Civil Contingencies Manager is responsible for:
- ensuring that an appropriate BCM policy for PtHB is produced and kept up to date;

- ensuring that the appropriate BCM procedures, practices and plans are formulated and adopted by PtHB in support of this policy;
- implementing an effective framework for BCM;
- providing support in matters relating to BCM to nominated PtHB Business Continuity Managers and others;
- setting the standard of business continuity training for staff across PtHB;
- auditing BCM processes in accordance with policy;
- publishing an annual report on compliance across the organisation, to be presented at the Quality and Safety Committee and Board.

Locality Manager/Head of Service Area
Locality Managers/Heads of Service are the designated Business Continuity Owners within each of the localities/other service areas. They are responsible for signing off service level business continuity plans in agreement with the Executive Lead for the service. The Locality Manager/Head of Service may devolve the responsibility for Business Continuity Manager of the service area to other members of the team.

Business Continuity Manager
The nominated Business Continuity Manager is responsible for:
- assisting in the preparation and maintenance of procedures, protocols and plans in compliance with the BCM Policy;
- ensuring that business continuity plans are reviewed no less frequently than annually;
- ensuring that staff that have a role in the BCM team within their service area have an awareness of their role and what they need to do to fulfil that role;
- ensuring that testing of the service area's business continuity plan is carried out no less frequently than annually;
- ensuring that a complete copy of the service area's business continuity plan is stored in a secure but accessible on-site location;
- ensuring that a copy of the business area's business continuity plan is submitted to the Civil Contingencies Manager for secure storage on PtHB's intranet site.

All Line Managers
All line managers are responsible for:
- ensuring that business continuity is a regular item on the agenda of their team meetings;
- ensuring that business continuity is included in their department's formal induction process;
- ensuring that their staff have had suitable business continuity management training (for staff that do not have a role in the business continuity team for their service area, suitable training is to have an awareness of the existence of the service level business continuity plans and where these are located);
- ensuring that personal details are updated within the plan at frequent intervals.

All Staff
All PtHB employees, including temporary and contract staff, are subject to this policy. All PtHB employees have a responsibility to inform their Locality Managers/Head of Service of any new product or service as soon as possible after it has been identified.

7. Business continuity management (BCM) lifecycle

Fig 1 shows the lifecycle, which is a series of business continuity activities that cover all aspects and phases of the business continuity management programme.

Fig 1: Business continuity management (BCM) lifecycle

8. BCM Programme Management

PtHB will adopt the principles of plan, do, study, act (PDSA) to establish, implement and provide ongoing validation of the PtHB BCMS, as demonstrated in the figure.

9. BCM Procedures

The relevant stages in the BCM process are:

9.1 Understanding the Business

Understanding the business of PtHB is essential in developing an appropriate BCM programme. A detailed understanding of what processes are essential to ensure continuity of prioritised activities to at least the minimum level will be achieved by undertaking the business impact analysis (BIA). The BIA will incorporate a continuity requirements analysis for all key activities within individual service areas. To achieve this:
- each service area will be required to develop and maintain their own BIA;
- risks identified as part of the BIA will be managed in accordance with the PtHB Risk Management Policy and Procedures;
- a BIA template will be made available to ensure a consistent approach is undertaken.

The following criteria will be adopted to prioritise service level activities:
- Critical Function: must be restored within 0-2 hours. Failure to do so will cause danger/distress to staff and/or patients and prevents provision of an essential service/function.
- Core Function: must be restored within 2-24 hours. Failure to do so will cause disruption/discomfort to staff and/or patients and hinders or restricts normal business operations.
- Reduced Function: can be restored within 5 working days. Will not directly disrupt services but will cause inconvenience to staff and/or patients.
- Suspended Function: can be restored progressively after 5 working days. Will involve non-urgent repairs etc.

Stage 2: Determining the BCM Strategy

The BIAs will create a picture of the organisation's dependencies, vulnerabilities and business continuity risks. This information will be used:
- to provide the information from which continuity options can be identified and evaluated;
- to assist the preparation of detailed business continuity plans.

Decisions that determine business continuity strategies will be made at an appropriate level, as described in the PtHB Risk Management Policy. Continuity strategies will be developed for the following resources:
- Denial of access to premises: service areas will consider and document continuity options for an incident or situation that results in a PtHB facility being unavailable, to ensure the continuity of priority activities.
- Loss of staff: service areas will consider and document continuity options for an incident or situation that results in staff shortages; staff will be redeployed in order to ensure the continuity or recovery of priority activities.
- Loss of ICT: the BCMS will be supported by an effective Disaster Recovery regime. Disaster recovery is defined as a protocol and associated execution to recover lost computing-system usage (applications), data and data transactions committed up to the moment of system loss.
- Loss of utilities: service areas will consider and document continuity options for an incident or situation which affects utilities.
- Loss of key suppliers: this is a key issue for Powys tHB as a commissioner of all acute healthcare services. The organisation's prioritised activities should not be disrupted by a failure of a third party supplier of goods or services. If part or all of a service is outsourced, the responsibility for its continuity remains with the organisation. It is not necessary for PtHB to mandate that all suppliers have business continuity programmes as part of the procurement process. However, attention will be focused on suppliers that are defined as critical in the BIA. Another strategy to increase the resilience of the organisation's supply chain is for service areas to identify alternative suppliers.

Consideration should also be given to the impact of a Pandemic scenario on a service area.

Stage 3: Developing and implementing a BCM response

An incident reporting structure will be established to ensure that alerts are communicated appropriately across the organisation. The impact of incidents may vary. It is important that the response to an incident is appropriate to the level of impact and remains flexible as the situation develops. Business continuity plans will be based on different levels of response and escalation. A low level incident, such as staff absence within a team or area, may only require a local response involving a manager. A high level incident, such as a widespread ICT outage, may require a corporate (strategic/tactical) response. A low level incident may escalate over time to become a high level response.

The procedure to activate and respond to a business continuity incident will be detailed within the corporate and service level business continuity plans.

Business Continuity Plans

PtHB will have a hierarchy of plans with different command and control levels and owners:
- Business Continuity Management Policy: establishing a comprehensive BCMS across the organisation.
- Corporate Business Continuity Plan (strategic/tactical): providing an overarching structured approach to responding to a business continuity incident.
- Service specific Business Continuity Plan (operational): local level response and recovery arrangements.

The completed plan should be flexible enough to enable responses to a wide variety of potential generic disruptions and should always be based on the worst-case scenario, i.e. a major disruption will happen at the worst time on the worst day possible. Plans will be signed off by the Locality Manager/Head of Service with agreement from the Executive Lead for the relevant service area.

The development of the plan does not signify the end of the business continuity plan process. The process is dynamic. Nor does the plan provide BCM competence or capability, but rather it provides the approach to an effective capability to respond / recover.

Stage 4: Exercising, maintaining and reviewing

Exercises
Exercising allows the evaluation of a plan, identifying any gaps or weaknesses. It provides an opportunity for key personnel to rehearse and gain familiarity with the business continuity processes. A full test of the business continuity Plan should be undertaken annually. Testing may take the form of discussion-based table top exercises, telephone cascade tests, unannounced tests within service areas and live incidents. Business continuity plan owners and managers will be responsible for testing and exercising their business continuity plans, with the support of the Civil Contingencies Manager where required.

Debriefing
A debrief to consider any lessons identified should be undertaken following any incident or exercise that requires the activation of a business continuity plan. Any changes to the plan should be recorded in the version control table at the front of each plan. The Civil Contingencies Manager will organise a structured debrief for incidents in which the corporate business continuity plan has been activated. The Civil Contingencies Manager will be responsible for the completion of a post exercise/incident report for corporate level incidents/exercises. The service level Business Continuity Manager will be responsible for the completion of a post exercise/incident report for service level incidents/exercises. A copy of the post exercise/incident report should be made available to the Civil Contingencies Manager.

Embedding Business Continuity within PtHB
The PtHB Executive Management Team, together with the Locality Management Team/Heads of Services and other senior managers, should seek to develop a culture across the tHB that considers BCM as part of day-to-day business processes. This will be achieved by:
- giving proactive support to the BCM process;
- encouraging training and awareness in BCM;
- ensuring ownership of BCM;
- demonstrating a commitment to the annual programme of audit, maintenance and review of the business continuity plans;
- communicating the importance of BCM to all staff and their roles and responsibilities.

Training
BCM training is a statutory requirement placed on the NHS under the Civil Contingencies Act (2004) and the Welsh Government's Emergency Preparedness Guidance. Locality Management Teams and other Heads of Service, in conjunction with the Civil Contingencies Manager, are responsible for ensuring that staff are given information and training to assist them in the implementation of their business continuity plan. This training will vary according to the content of the plans. Training records will be used as documented evidence of the completion of relevant and suitable training. The Civil Contingencies Manager will ensure that the Executive Management Team and Board receive appropriate training on the management of a business continuity incident.
Maintenance and Review

PtHB exists in a dynamic environment. It is subject to changes in people, processes, supplies, risk and environment. To remain current, BCM arrangements must be reviewed and updated, as well as being subject to audit and inspection. The Civil Contingencies Manager will ensure that the following processes are undertaken across the organisation to ensure that plans remain up to date:
1. Maintenance processes are implemented to ensure detection of changes in key areas.
2. Annual static review.
3. Dynamic reviews following exercises or incidents.

The full review process will cover:
- review of audits, exercises and incidents (lessons learnt may also be identified from incidents external to the health board);
- improving, reviewing and maintenance of BCM tools;
- correcting internal and external changes to the BCM process, stakeholders and contacts;
- feedback from education, promotion and awareness raising sessions;
- incorporation of new guidance/standards.

Records

All records created during the implementation of the BCM programme must be kept to ensure, if required, an appropriate response at a later review. Records are required to be kept for a certain period, either because of statutory requirements or because they may be needed for administrative purposes during this time. In line with the Records Management NHS Code of Practice (2nd Edition), business continuity plans should be retained for a period of 10 years.

10. Definitions

For the purpose of the policy, the following definitions have been taken from ISO to mean:

Business Continuity: the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management: a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. BCM provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating assets.

Business Continuity Management System (BCMS): part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

Business Continuity Plan: documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following disruption.

Business Impact Analysis: a process of analysing activities and the effect that a business disruption might have upon them.

Prioritised Activities: those activities to which priority must be given following an incident in order to mitigate impacts.

Maximum tolerable period of disruption: the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Recovery Time Objective: the period of time following an incident within which a product or service must be resumed, or activity must be resumed, or resources must be recovered.