NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY



AUTHOR/APPROVAL DETAILS

Document Author
Written By: Phil Hartwell
Job Title: Head of Corporate Governance
Date: 06 December 2016

Authorised Signature
Authorised By: Helen Shields
Job Title: Chief Officer
Date Approved: 15 December 2016

Effective Date: 15 December 2016
Approval At: CCG Clinical Executive
Date: 15 December 2016
Review Date: 14 December 2017

VERSION CONTROL

Version | Date | Changes
1 | 20/02/13 | First draft (amended)
2.0 | Oct 16 | Updated and reviewed
2.1 | Dec 16 | Amendments after IWC BC manager recommendations
2.1 | Dec 16 | FINAL

NHS Isle of Wight Clinical Commissioning Group

CONTENTS

1. Introduction
2. What is Business Continuity Management?
3. Benefits
4. Key Responsibilities
   - Senior Management Team Responsibilities
   - Accountable Officer/Accountable Emergency Officer
   - CCG Officers
   - Department resilience leads
   - Employees
5. Developing and Implementing a Business Continuity Management System
   - Business Impact Analysis & risk assessment
   - Business Continuity Strategy
   - Establish policies and controls
   - Exercising and testing
   - Maintaining Business Continuity
6. Determining the Business Continuity Response Flowchart
7. Exercising, Maintaining and Reviewing
   - Exercising
   - Maintaining
   - Reviewing
8. Implementation / Training / Awareness
9. References

Appendix 1: Key Definitions for Documentation

1. INTRODUCTION

1.1 The Isle of Wight Clinical Commissioning Group (herein referred to as the CCG) recognises the need for effective business continuity management. Business continuity management gives organisations a framework for identifying and managing risks that could disrupt normal service.

1.2 The CCG has legislative obligations in relation to resilience, both in planning and in responding, under the Civil Contingencies Act. Business continuity is a key component of resilience, and all NHS organisations and NHS-funded organisations have been asked to align their business continuity arrangements with the requirements of Standard ISO. The CCG Business Continuity Management System (BCMS) recognises the importance of understanding the organisation's critical services and the necessity of establishing a business continuity management strategy, implementing an incident response plan to manage disruptive incidents, monitoring and reviewing the performance and effectiveness of the BCMS, and continually improving it based on learning from incidents and exercises.

1.5 The intention of this policy is to inform all staff of the legal obligations in relation to business continuity and to establish a proactive culture around resilience.

1.6 The CCG is also required to meet the NHS England Emergency Preparedness, Resilience and Response (EPRR) Core Standards:
- Arrangements include how to continue your organisation's prioritised activities (critical activities) in the event of an emergency or business continuity incident, insofar as is practical.
- The organisation has undertaken a Business Impact Assessment.
- The organisation has explicitly identified its critical functions and set Minimum Tolerable Periods of Disruption for these.
- There is a plan in place for the organisation to follow to maintain critical functions and restore other functions following a disruptive event.
- Within the plan there are arrangements in place to manage a shortage of road fuel and heating fuel.
- The Accountable Emergency Officer has ensured that their organisation, any providers they commission and any sub-contractors have robust business continuity planning arrangements in place which are aligned to ISO or subsequent guidance which may supersede this.

1.7 This policy is the first step of the initiation stage and clearly defines the framework which will ensure the business continuity process meets our statutory obligations.

1.8 Depending on the incident, both the Major Incident and the Business Continuity plans may be activated to deliver the external and internal response.

2. WHAT IS BUSINESS CONTINUITY MANAGEMENT?

2.1 Business Continuity Management is a process owned by the organisation and driven by senior management that identifies potential risks to an organisation and the impacts to daily operations that those risks might cause. An organisation's business continuity management system (BCMS) helps it to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever part of the business they affect.

It provides a framework that:
- improves an organisation's resilience against the disruption of its ability to achieve its key objectives;
- provides a rehearsed method of restoring an organisation's ability to supply its key services to an agreed level within an agreed time frame after a disruption;
- delivers a proven capability to manage a business disruption and protect the organisation's reputation.

The consequences of an incident may vary and could include loss of life, loss of assets, income or the ability to deliver services. BCM needs to recognise the strategic importance of key stakeholders to the delivery of its services.

3. BENEFITS OF BCM

3.1. The benefits of an effective Business Continuity Management programme are:
- key services are identified and protected, ensuring their continuity;
- an incident management capability is enabled to provide an effective response;
- the organisation's understanding of itself and its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood;
- staff are trained to respond effectively to an incident or disruption through appropriate exercising;
- stakeholder requirements are understood and able to be delivered;
- staff receive adequate support and communications in the event of a disruption;
- the organisation's supply chain is secured;
- the organisation's reputation is protected; and
- the organisation remains compliant with its legal and regulatory obligations.

4. KEY RESPONSIBILITIES

4.1. In each NHS organisation, the Accountable Emergency Officer is responsible for ensuring that their organisation has a Business Continuity Plan in place. The plan will link into the organisation's arrangements for responding to emergencies detailed in the Incident Response Plan, as required by the Civil Contingencies Act. The following outlines the responsibilities of staff in the CCG.

4.2. Accountable Officer
The Accountable Officer will:
- ensure that the Board receives regular reports, at least annually, regarding emergency preparedness, resilience and response, including reports on exercises, training and testing undertaken by the organisation;
- ensure an appropriate level of priority is given to resilience in all strategic planning.

Accountable Emergency Officer
Board-level officer accountable for Emergency Preparedness, Resilience and Response, including BCM management.

4.4. CCG Officers
Chief Officers/Directors are responsible for ensuring adequate business continuity arrangements are in place for their directorates. Chief Officers will:
- promote a preparedness and resilience culture within their team, whilst encouraging activities that develop the resilience of the team and the provision of their service;
- ensure resources are available to fulfil the CCG's commitment to resilience;
- ensure an appropriate response is made during an emergency or business continuity event;
- promote a resilience culture within their teams.

Departmental Resilience Leads
Each Directorate should appoint a Resilience Lead, who will be responsible for ensuring service areas / departments within their directorate are able to deal with disruptive events that will impact on their performance. They will:
- attend training and lead on the production of the directorate BC plans;
- liaise with the Head of Corporate Governance to ensure all BC plans are updated upon publication of new guidance / duties;
- support the CCG Resilience Lead in the role of corporate coordinator in responding to emergencies or business continuity events;
- ensure all staff are aware of emergency management and business continuity issues that may impact on the service / department.

Individual Employees
Individual employees must:
- ensure that they are familiar with the emergency and business continuity responsibilities of their department;
- understand their individual role within an emergency and business continuity response for their directorate.

5. DEVELOPING AND IMPLEMENTING A BUSINESS CONTINUITY MANAGEMENT SYSTEM
ISO22313 (2012)

5.1 Business Impact Analysis & risk assessment
Effective Business Continuity Management (BCM) starts with identifying all functions within, and services delivered by, the organisation. A business impact analysis (BIA) is the primary tool for gathering this information and then assigning each a level of criticality. It achieves the following:
- prioritisation of activities, including Recovery Time Objectives (RTO) and Maximum Tolerable Period of Disruption (MTPD);
- identification of resources required for maintenance of priority services;
- risk assessment and treatment.

Services are categorised as follows:
- services requiring immediate restoration;
- services that can survive short periods of disruption (e.g. 4 hrs, 24 hrs);
- services that need to be restored within days;
- services that can be suspended for a period of time.

5.2 Business Continuity Strategy
This is a senior management responsibility that:
- is appropriate to the organisation;
- provides a framework for setting business continuity objectives;
- supports continual improvement of the business continuity management system.

The strategy should reflect decisions regarding the following areas and how they could best be deployed in response to a business continuity incident:
- Stakeholders
- People
- Suppliers
- Premises
- Information
- Technology

(Adapted from PAS 2015)

5.3 Establish policies and controls
The CCG then needs to take information from the Business Impact Analysis, the risk assessments and the strategy to develop the business continuity plans for each department. These plans determine which services or functions need to be prioritised after an incident and what levels of staffing, equipment, technology and access to information they require to restore the critical service. The plans identify how quickly the service needs to be restored to meet the recovery time objective.

RTO - Recovery Time Objective
Definition: period of time following an incident within which:
- service must be resumed, or
- activity must be resumed, or
- resources must be recovered.
NOTE: For services and activities, the recovery time objective must be less than the time it would take for the adverse impacts that would arise as a result of not providing a service or performing an activity to become unacceptable.

MTPD - Maximum Tolerable Period of Disruption
Definition: time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Questions to consider for each area of the plan:

PEOPLE
- What number of staff do you require to carry out critical activities?
- What is the minimum staffing level you will need to deliver these?
- What skills/level of expertise are required to undertake these activities?

PREMISES
- What locations do your prioritised activities operate from?
- What alternative premises do you have?
- What machinery, equipment and other facilities are essential?
- Is the service dependent on electrical medical equipment?

TECHNOLOGY
- What IT is essential to carry out your prioritised activities?
- What systems and means of communication are required to carry out your prioritised activities?

INFORMATION
- What information is essential to carry out your prioritised activities?
- How is this information stored?

PARTNERS/SUPPLIERS
- Who are your priority suppliers?
- Are key services contracted out?
- Do both you and your suppliers/partners have mutual aid arrangements in place?

5.4 Exercising and Testing
Why exercise?
- Exercises are there to test plans, to give an idea of how our plans would stand up in a disruption.
- Ensures that plans are fit for purpose.
- Identifies gaps and learning actions.
- Continuous updating of core information, i.e. contact lists.

There are five main types of exercise, summarised below:
- Discussion-based exercise
- Table-top exercise
- Command post exercise
- Live exercise
- Test

5.4.2 Exercises are undertaken with three main purposes:
- Validation - to validate and identify improvement opportunities in existing arrangements
- Training - to develop staff competencies and confidence by giving them practice in carrying out their roles in an incident
- Testing - to test existing procedures, plans and systems to ensure they function correctly and offer the degree of protection expected

Review of Plans
Plans should be reviewed and updated when:
- changes to key staff or partners take place;
- the organisation is restructured;
- a prioritised activity is delivered differently;
- there is a change to the external environment, e.g. statutory change, NHS England requirements;
- lessons are identified from an incident or exercise.

5.5 Maintaining Business Continuity
A clearly defined and documented maintenance programme for business continuity management should be established. This programme should:
- ensure that there is an on-going programme for business continuity training and awareness;
- ensure that any changes that impact on BC are reviewed;
- identify any new products and services, and their dependent activities, that need to be included in the BCMS;
- ensure that the business continuity plans remain effective, fit for purpose and up to date; and
- enable existing exercise schedules to be modified when there has been a significant change in any of the business continuity processes.

The ISO standard uses a Plan-Do-Check-Act cycle in planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisation's Business Continuity Management System.

6. DETERMINING THE BUSINESS CONTINUITY RESPONSE

Flowchart: the stages below are worked through in order.

Function Analysis
- Identifies day-to-day functions within a service area
- Identifies statutory functions and those which may have excessive demands placed on them as part of a planned response
- Identifies stakeholders and resources required

Process Mapping
- Identifies stakeholders through stages of functions

Business Impact Analysis
- Details the impact of failure to carry out functions
- States the minimum time period within which a service area cannot provide those functions

Risk Analysis
- Plots the likelihood and impact of disruption

Business Continuity Response Decision Table
- Records outcomes of the Risk Analysis
- Identifies risks requiring immediate mitigation
- Records options for mitigation of such risks and details reasons for and against adopting such options

Business Continuity Decision Table Outcomes
- No action required
- Manage / Control
- Develop and manage the BCP in accordance with Establishment of Critical Functions information
- Accept Risk

7. EXERCISING, MAINTAINING AND REVIEWING

7.1. Exercising
All Business Continuity plans need to be exercised on an annual basis. This may occur either through a table-top exercise or through activation of a major incident or a more localised service-related incident. The exercising of plans may be part of a wider major incident exercise across the CCG. The exercise programme will ensure all business continuity arrangements are validated and provide assurance that the arrangements in place meet the requirements of the CCG. The exercise programme has the full support of the Senior Management Team.

All aims and objectives of the exercise will be fully documented and a report completed to the CCG Officers Group, which will demonstrate the organisation's achievement of those aims and objectives. This report will include any relevant actions that are required and identify lessons learned, good emergency practice and any feedback from observers at an exercise or stakeholders involved in the incident.

Maintaining
Audits of Business Continuity Plans will be initiated and carried out by the CCG Officers Group. Audits will:
- be conducted by the auditor in a manner that will ensure objectivity and impartiality;
- determine whether the Business Continuity Plan is effective in meeting the organisation's Business Continuity Management objectives;
- determine whether the Business Continuity Plan has been properly maintained, in particular that changes following the preventative and corrective action processes have been completed;
- take into account the results of previous audits;
- be followed by a written report which details audit outcomes and includes required actions to be concluded.

Lessons identified will be logged and an action plan will be completed following reviews, exercises and audits. The Head of Corporate Governance is to ensure that such action is taken. This process will:
- ensure that any recommendations made as a result of Continual Improvement are completed and recorded as such;
- provide confirmation that Business Continuity Plans have been amended following changes, by completion of a Continual Improvement Record and a Preventative and Corrective Action Record.

7.3 Reviewing
All business continuity plans need to be reviewed on an annual basis. This may be via the exercise programme, post incident or as part of the annual review process.

8. IMPLEMENTATION / TRAINING / AWARENESS

8.1 The CCG will ensure that all staff who have been assigned responsibilities defined by the Business Continuity Policy are competent to perform the required tasks by:

- determining necessary competencies to enable staff to perform work related to Business Continuity Management;
- providing training via a number of platforms, e.g. workshops, external courses and inductions;
- evaluating the effectiveness of the training provided, via evaluation reports and one-to-one sessions conducted by management;
- conducting a training needs analysis on staff assigned BCM roles and responsibilities;
- providing the Audit Committee with an annual review of training that has taken place and the impact it has had.

8.2 In addition, training and education programmes need to highlight the importance of meeting Business Continuity Management objectives and conforming to the CCG policy.

8.3 The policy, when approved, will be published on the CCG extranet and intranet and all staff will be made aware of its content.

9. REFERENCES
- The Civil Contingencies Act. London: The Stationery Office.
- ISO 22301, Societal Security - Business Continuity Management.
- The Business Continuity Institute Good Practice Guidelines (2008). The Business Continuity Institute.
- Business Continuity Framework (2013). NHS Commissioning Board.
- BSI PAS Framework for Health Services Resilience.
- NHS England Emergency Preparedness, Resilience and Response Guidance.
- NHS England Business Continuity Framework.
- Health and Safety at Work etc. Act 1974.
- NHS Standard Contract.
- IW CCG Incident Response Plan.
- IW CCG Corporate Risk Register.
- IW CCG directorate business continuity plans.

APPENDIX 1: KEY DEFINITIONS FOR DOCUMENTATION

Business Continuity (BC): strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Business Continuity Management (BCM): holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management Lifecycle: series of business continuity activities which collectively cover all aspects and phases of the business continuity management programme.

Business Continuity Management Programme: ongoing management and governance process supported by top management and appropriately resourced to ensure the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review.

Business Continuity Plan (BCP): documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable predefined level.

Business Impact Analysis (BIA): process of analysing business functions and the effect that a business disruption might have upon them.

Critical Activities: those activities which have to be performed in order to deliver the key products and services which enable an organisation to meet its most important time-sensitive objectives.

Disruption: event, whether anticipated (e.g. labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organisation's objectives.

Maximum Tolerable Period of Disruption (MTPD): duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed.

Recovery Time Objective (RTO): target time set for resumption of product, service or activity delivery after an incident.