The Newcastle upon Tyne Hospitals NHS Foundation Trust. Business Continuity Management Policy

The Newcastle upon Tyne Hospitals NHS Foundation Trust Version No: 4.0 Effective From: 02 December 2016 Expiry Date: 02 December 2019 Date Ratified: 27 October 2016 Ratified by: Clinical Policy Group 1 Introduction Business Continuity Management Policy 1.1 The Civil Contingencies Act 2004 imposes a statutory duty on the Trust to have in place Business Continuity Management arrangements which aim to ensure that essential functions are resilient to and can recover from any internal or external disruptive event that might impact on the Trust s ability to deliver its services. 1.2 The NHS England Business Continuity Management Framework (service resilience) 2013 requires NHS organisations to use the framework and the associated NHS England Core Standards for Emergency Preparedness Resilience and Response to put in place Business Continuity Management arrangements that align with ISO 22301 1.3 This policy describes the arrangements in the Trust for Business Continuity Management planning and response. 2 Policy Scope The policy applies to all Trust directorates and departments, premises and staff. 3 Aim of Policy The aim of this policy is to describe the Trust s Business Continuity Framework, plan, roles, responsibilities and processes which aim to ensure the continuity of services and business operations, protection of patients and staff and the organisation s reputation. This will be achieved by ensuring that:- Key services, priorities for service recovery and attitude to risk are agreed corporately. (The broad principle to be adopted is that lifesaving, life preserving and condition maintaining services and functions should be maintained as a priority during a disruption). Directorates and departments have considered threats and risks which have the potential to disrupt the smooth running of services and where economically appropriate, systems and processes are made sufficiently robust and resilient to withstand these threats. Business Impact Analysis is completed / reviewed on at least an annual basis. This will include identification and prioritisation of critical functions and essential services, assessment of the impact of disruption to those services Page 1 of 22

over time, definition of the time by which recovery is required and determination of the critical activities and resources necessary to achieve service recovery. Recovery strategies are developed and implemented to meet agreed recovery requirements according to the relevant Business Impact Analysis. Directorate and departments have robust Business Continuity plans in place. Business Continuity roles and responsibilities are reinforced through an ongoing education and awareness programme. Business Continuity plans for high priority services and service disaster recovery plans are tested on at least an annual basis. Incidents impacting normal business operations are identified, escalated, communicated and managed effectively with post incident review, reflection and organisational learning identified. 4 Related policies and plans This policy should be considered in conjunction with relevant Trust policies, plans and procedures including:- Corporate, directorate and departmental Business Continuity Plans Support services disaster recovery plans EPRR Training and Exercise Strategy Establishment of a Public Telephone Helpline Procedure Fire Policy and Fire Evacuation Policy Lockdown Policy Major Incident Plan North East Escalation Plan (NEEP) Pandemic Influenza Plan Press Enquiries and Public Relations Policy. Section One - Planning for a Business Continuity Disruption 5 Roles and Responsibilities in Business Continuity Planning 5.1 Chief Executive The Chief Executive has overall responsibility for Business Continuity, on behalf of the Board of Directors of the Trust. The Chief Executive is responsible for ensuring that the Trust is in a position to provide an overall assurance that the organisation has in place the necessary Business Continuity Framework. 5.2 Accountable Emergency Officer The Accountable Emergency Officer has delegated responsibility for ensuring that the Trust is in a position to provide assurance that the organisation has in place the necessary Business Continuity Framework and is also the chair of the Trust Board sub- committee, the Emergency Preparedness, Resilience and Response (EPRR) Strategy Group. Page 2 of 22

5.3 Emergency Preparedness, Resilience and Response (EPRR) Strategy Group. The Emergency Preparedness, Resilience and Response (EPRR) Strategy Group meets regularly to direct and oversee Business Continuity Planning on behalf of the Trust Board. 5.4 Lead Manager for Business Continuity The Lead Manager for Business Continuity in the Trust is responsible for:- Leading the planning and implementation of the Trust s Business Continuity Management Framework and System Developing and maintaining the Business Continuity Policy, plan and process Supporting directorates and departments with their Business Continuity responsibilities Ensuring there is appropriate alignment of directorates and departments individual Business Impact Assessments and Business Continuity Plans with corporate objectives Co-ordinating the production of necessary Trust or site wide Business Continuity Plans Implementing and maintaining a system for central storage and retrieval of Trust Business Continuity Plans Undertaking consistency checking of plans Leading evaluation of corporate or high impact incidents and identifying organisational learning points. Developing and maintaining the business continuity risks section of the EPRR risk register. 5.5 Directorate and departmental managers Directorate and departmental managers are responsible for leading and implementing the Business Continuity process for all areas within their control. They should ensure that:- A Business Continuity lead/s is designated for their directorate / department A Business Impact Analysis and Business Continuity plan is in place for the directorate / department. Business Impact Analyses and Business Continuity Plans are reviewed and updated as required at least annually and those plans are used to prioritise continuity of critical functions and minimise the effects of business continuity incidents on essential services. Each ward / department has an Emergency File containing details of business continuity plans, contingency, downtime plans and details of any testing and exercising of plans. Ward /department Emergency Files are reviewed and updated as required at least annually Business Impact Assessment and where appropriate Business Continuity planning should be undertaken ideally prior to or as soon as possible after any Page 3 of 22

material changes to a directorate / department s management or organisational structure / service portfolio or location of services Business Continuity Plans for new services should be reviewed after the first six months of service operation Business Cases and implementation plans for new IT systems should specifically address Business Continuity arrangements Business Impact Assessment is undertaken and recovery requirements and down time plans are developed for new IT systems Plans, contracts or service level agreements are developed and implemented to meet the agreed recovery time requirements identified in Business Impact Assessments for critical functions. Joint planning is undertaken where services overlap with other directorates /departments or have key interdependencies. Contingency and downtime plans for critical functions, in particular those with a Recovery Time Objective of up to 24 hours, are tested on at least an annual basis. Documented directorate / department down time plans are tested on at least an annual basis. Staff names and contact details essential to recovery of services are identified in contingency plans that can be contacted during an emergency The contents of the directorate / department Business Continuity Plans and invocation procedures are communicated to relevant staff at a minimum annually. Business Continuity Plans are stored in sufficient alternative locations and formats (paper and electronically) to ensure availability in a Business Continuity incident Staff are enabled to attend training to support the effective implementation of the Business Continuity Policy according to the needs of their specific roles and responsibilities in the Business Continuity Planning process. Threats and risks which have the potential to disrupt the smooth running of services are regularly considered and reviewed and where economically appropriate, systems and processes are made sufficiently robust and resilient to withstand these threats A plan is agreed and documented in response to identified directorate or departmental EPRR risks 5.6 Directorate/Department Business Continuity Leads 5.6.1 Business Continuity Leads are responsible to Directorate/departmental managers for Business Continuity in their directorate/department. 5.6.2 Business Continuity leads are responsible for:- Co-ordinating the completion, review and annual update of Business Impact Assessments and Business Continuity Plans Ensuring that ward/department Emergency Files are completed and reviewed and updated annually. Ensuring that Business Continuity Plans, downtime and contingency plans for their respective areas are tested annually. Page 4 of 22

Promoting awareness of Business Continuity principles and communicating directorate / departments plans Developing and implementation of the training programme for directorate and department staff on the Business Continuity Plan. As set out in the Trust s EPRR Training Strategy. 5.7 Support services managers 5.7.1 Support service managers are those responsible for providing the following services:- Estates building infrastructure (i.e. maintenance of buildings, access systems and routes) Utilities (i.e. water, gas, electricity and steam) Facilities support (for example, Catering, Porters and Security, Hotel Services). Information Technology Systems and other enabling infrastructure, for example telecommunications. 5.7.2 In addition to the responsibilities outlined above for directorate and departmental business continuity leads, support service managers are responsible for ensuring that:- Plans are in place to maintain support service/system availability to meet user requirements Disaster Recovery leads are designated for each key service/system Plans and processes are documented and tested to meet the recovery requirements of services in the event of a support service/system failure for in-house and external systems.. Information is provided to support the Trust Incident Response Team to assist with managing incidents and prioritisation of service recovery. Resiliency arrangements are fit for purpose and tested at least annually, for example, back-up generators, Disaster Recovery solutions). 5.8 Support service business continuity recovery leads The business continuity recovery lead will be responsible for: Agreeing and documenting a Disaster Recovery Plan for the support service to meet service users recovery requirements and Trust service priorities Agreeing and documenting the process for communication with service users about any service failure in their department/ directorate, including details of likely downtime and any action needed Reviewing and testing Disaster Recovery Plans for critical services on an annual basis. Ensuring service recovery in accordance with the Disaster Recovery plan and agreed recovery times and service priorities where there are Trust, site wide or multiple user / location service failures. Page 5 of 22

5.9 Internal Audit Internal audit is responsible for providing an independent view to the Trust Board of the business continuity arrangements in the Trust by periodically reviewing the implementation of the Trust s business continuity management framework, policy and plans. 6 Business continuity planning process 6.1 Documentation Directorate / department business continuity leads should use the current templates on the Trust software tool provided by the Trust business continuity lead to guide them through the business continuity planning process. The templates require entry of information to enable the processes of business impact analysis, risk assessment and business continuity planning. 6.2 Business impact analysis As part of the preparation for business continuity planning it is essential to undertake business impact analysis, this includes the following steps:- 6.2.1 Identify directorate /department services and critical functions The directorate / department should described services provided and locations. This can be split into sub-specialty / sub departmental services / functions as appropriate. 6.2.2 List critical functions for the directorate/department. These typically will include those functions that are provided either 24/7, out of hours via on call and those that would result in a statutory breach, major financial penalty or reputational damage. 6.2.3 Assess the impact of loss of each critical function For each directorate / departmental critical function identify the length of time a service interruption can be tolerated without a major impact on the Trust s services, reputation or finances should be identified. This is called the Recovery Time Objective. When assessing the Recovery Time Objective the focus should be on the impact of a disruption on the critical function provided and not the means of provision. The Recovery Time Objective should be selected from the following options:- Page 6 of 22

Table one Recovery Time Objective No fail Definition Service is lifesaving / life preserving and cannot be interrupted. Services should typically be provided 24/7 1 to 8 hours Service needs to be restored between 1 and 8 hours to provide urgent patient care / support services / to avoid breaches of targets and financial penalties. Services should typically be provided 24/7 or have access to an on-call response and / or are provided 7 days a week. Up to 24 hours Up to 5 days Over 5 days Service needs to be restored in hours (maximum 24) to provide urgent patient care / support services / to avoid breaches of targets and financial penalties. Services typically have access to an on-call response and / or are provided 7 days a week. Service needs to be restored in days (maximum 5) to provide timely diagnosis and care to patients / to avoid breaches of targets and financial penalties. Service disruption will not have a significant impact on patient care / targets / finance and restoration can be delayed until after 5 days. For each critical function identify the likely impact of a disruption. 6.2.4 Identify Resources Supporting Critical Functions For each identified critical function identify the key resources required to maintain that function. Critical resources include: Minimum staffing levels i.e. WTE, skill mix, specific skills/competencies to provide a service Specific infrastructure requirements, for example, essential location / colocation information, minimum space to provide service Essential equipment, for example, where there is only one piece of equipment or limited equipment in the Trust or a long lead time for supply Critical supplies, for example, those that are outside the NHS Supply Chain or with a long lead time Critical I.T and information systems, voice and data communication Other critical supporting services internal and external to the Trust where there are key service dependencies. Managers should identify minimum resource requirements to allow a basic service to be provided and those required for business as usual. Managers should consider any workload backlog when assessing the necessary resources to meet the Recovery Time Objective. Page 7 of 22

Managers should identify any seasonal variances or single points of failure i.e. where a critical function is provided by one / few staff, on one site, only on one site or by using one piece of equipment. Information on all ward and departmental equipment is available on the Trust s asset register and details are available from the Trust Finance department. Information on all ward and departmental medical equipment is available from the medical physics department. 6.3 Undertake risk assessment Typically the process of risk assessment involves scoring the estimated impact and likelihood of a potential disruption and multiplying those scores to calculate a total risk score. For business continuity planning purposes at directorate and departmental level the Recovery Time Objective identified for services should be used as a proxy for risk. The Recovery Time Objective score increases according to the impact on patient care / targets /finance. Table one defines the Recovery Time Objectives to be used in business impact analysis in the Trust. Business Continuity hazards and threats will be risk assessed and monitored corporately and shared with directorates and departments. Action plans will be developed to mitigate risks where feasible. Directorate/ department specific hazard / risk plans may be developed for directorates and departments as required where directorate/department risk exceeds identified corporate risk. 6.4 Determine business continuity management strategy A decision on the business continuity strategy should be made for each critical function based on the Recovery Time Objective identified. Options include:- The service must have full availability and cannot fail. In order to ensure this a downtime or contingency plan will need to be developed to ensure continuity of and an action plan to improve the resilience of the service. The service should be recovered within an agreed time at an agreed minimum level. In order to do this a downtime or contingency plan must be developed and an action plan may need to be developed to improve the resilience of the service Do nothing and accept the risk the risk is considered so low that no action will be taken and any action will be agreed in the event of a service disruption Cease the activity due to the level of risk or inability to mitigate or control. This is an unlikely measure. The above options should be considered in light of the Recovery Time Objective which is a proxy for risk. Consideration should also be given to Page 8 of 22

options for risk mitigation or transfer, for example, through maintenance support arrangements, insurance, service level agreements or contracts with other providers. 6.5 Develop the business continuity plan The next stage involves developing plans for the management and recovery of a disruption. This is fulfilled by the Trust in the following ways:- The Trust has a 24/7, 365 day a year Corporate On Call Team including an on call senior manager, director and medical director with responsibility for responding to and managing incidents in the trust with a significant or extensive impact. The Corporate on Call team have access to facilities, action cards, guidance and resources to assist them with their role. Trust directorates and departments have business continuity plans which include details of who can invoke the plan and escalation arrangements. Wards and sub-departments have Emergency Files that reference directorate or department business continuity plans and include local downtime and contingency plans. The Trust Business Continuity planning template includes prioritised critical functions, recovery time objectives and resources needed to provide those critical functions. This is generated from data in the completed business impact analysis. Generic guidance on the management and recovery of services in the event of a range of disruptions is provided by the Trust Business Continuity Team in the business continuity plan annex. This can be used by managers or where appropriate local plans can be developed to address the following standard scenarios:- Shortage of staff including a range of percentage reductions in staff or loss of key staff. Damage or denial of access to premises for a temporary or prolonged timescale. Loss or damage to equipment critical to service provision. Loss or damage to IT systems/voice networks / hardware/ software /data critical in service provision. Loss of critical supplies Loss of utilities Loss or damage to other critical resources including voluntary services, transport, partners, contractors and support services. Additional scenarios can be included as required. In putting together the plan it is important to document the actions to be taken to achieve service continuity as soon as the disruptive incident is discovered, Page 9 of 22

in the first 24 hours and at subsequent time intervals until the service is recovered. All plans and essential information should be available in more than one location and stored on paper and electronically. All appropriate staff should be informed about plans and how to access them. All staff should be made aware of the process for identifying and escalating an incident that is causing a service disruption. The directorate / department business continuity plans include the following:- 1. Description of service 2. Owner (directorate / departmental manager) and maintainer of plan (business continuity lead or delegate) 3. Details of staff roles who can invoke plan 4. The directorate / department contacts for invoking the plan and arrangements for escalating to the Corporate Team in and out of hours. 5. Essential staff, support service and supplies 6. Incident Management plan. In the context of the Trust plan, document the directorate / department action and tasks required to manage the initial phase of the incident. This should describe essential communications. 7. The plan to recover and continue the services. This should set out:- The critical activities to be recovered and the timescales in which they are to be recovered. For critical IT systems this should include the Recovery Point Objective i.e. the point at which the system data needs to be recovered back to. The resources needed to deliver these critical activities.this may vary over time. Details of actions and tasks needed to recover and continue services in the event of a disruption (see business continuity strategy). The details of alternative suppliers of critical supplies / equipment including contact details for loan equipment. The directorate / department downtime plan to be used in the event of loss of critical support services, for example, loss of diagnostic services, utilities and telecommunications. The date the plan was finalised. The signature of the plan owner. The business continuity plan is a combination of the Trust standard template and local directorate/department downtime and contingency plans. Page 10 of 22

7 Document Approval Directorate and departmental business impact analyses, risk assessments and business continuity plans should be approved by the relevant directorate manager / head of department. Corporate business continuity plans should be approved by the Business Continuity Operational Group. 8 Business continuity document storage 8.1 Directorates / departments should store business continuity documentation both electronically and on paper, ensure that the documents are up to date and can be located by directorate staff involved in the incident response and management process. 8.2 The Trust Lead for Business Continuity is responsible for arranging the storage of electronic and paper copies of business continuity documentation in the designated Trust business continuity incident rooms. 9 Contingency Planning for an expected service disruption In the event that directorates /departments become aware of a future disruption that has the potential to have a serious impact on Trust services the Trust Accountable Emergency Officer should be informed. The Accountable Emergency Officer will review the position and when appropriate designate an operational manager who will be responsible for co-coordinating contingency planning for the Trust in conjunction with relevant directorates and departments in preparation for management of the disruption. Section Two Business continuity incident response 10 Business Continuity Incident Response and Management Process 10.1 General Overview The aim of the business continuity incident management process is to ensure the effective identification, escalation, planning, management and communication of incidents which threaten or disrupt the Trust s strategic objectives or operations. The process will aim to ensure: The safety of patients and staff is given the highest priority. Quality of service is maintained as far as possible. Statutory and regulatory obligations continue to be met. The reputation of the Trust is protected. Contractual obligations are met. Revenue loss is minimised. All necessary actions are taken to ensure a successful recovery within the shortest possible time scale. Page 11 of 22

A disruption to service could take place as a result of many internal or external factors. The process is designed to have the flexibility to respond to all potential scenarios. 10.2 Major Incident In the event of a mass casualty resulting in the declaration of a major incident it may be necessary to consider declaring a business continuity or critical incident as the impact of using Trust resources to respond to the major incident may disrupt the provision of other Trust services. 10.3 Escalation of response and invocation process The process for response and escalation in the event of a service disruption is outlined in the major incident / critical incident / business continuity incident response flowchart below. Page 12 of 22

Page 13 of 22

There are three levels of incident response and command that are widely used in emergency planning and response:- Bronze - operational Silver - tactical Gold strategic 10.4 Action Cards Action cards provided should be referred to by the Corporate on Call Team in the event of a business continuity incident or disruption. The action cards are intended as a prompt for action. Action cards are available in the Trust Incident Control Rooms and via a shared drive. 11 Responsibilities: 11.1 Directorate and Departmental managers (Bronze Operational Response) Directorate and Departmental managers are responsible for ensuring that arrangements for escalating service disruptions / incidents within the respective directorate / department are in place and communicated to their staff. They are also responsible for ensuring that responsibilities are allocated both for in and out of hours for assessment and management of a service disruption / escalation within the directorate and department or further / communication / escalation to the Patient Services Co-ordinator or On Call Senior Manager as appropriate. Directorate and Departmental managers, including support services managers, should endeavour to initially manage and recover any service disruptions / incidents specifically in their directorate / department within routine arrangements and to escalate in accordance with the business continuity incident response and escalation process During incidents or disruptions managers of affected directorates and departments / their nominated deputies or delegated staff should:- Be prepared to be involved for the duration of the disruption as required and should ensure appropriate seniority of management cover is available. Work under the command of the Trust Gold Team if formed. Follow the guidance of the COG (Silver) team and work with them to continue and recover services. Ensure they have arrangements in place to keep informed about any Directorate / departmental issues arising as a result of the disruption. Keep the COG team informed of any unexpected issues or incidents associated with the disruption. Page 14 of 22

11.2 Patient Services Co-ordinator Patient Services Co-ordinator cover is provided to the Freeman and RVI sites 24 hours / 365 days a year. When the Patients Service Co-ordinator is notified of a service disruption / incident their role is to assess the situation and do one or more of the following as appropriate:- Note for information Advise/ support the manager Assist with the management of the disruption Manage the disruption Escalate the issue for information or action to the on call senior manager. 11.3 On Call Senior Manager There is a Senior Manager on call for the Trust 24 hours/ 365 days a year. When the On Call Senior Manager is notified of a service disruption / incident their role is to assess the situation and do one or more of the following as appropriate:- Note for information Advise/ support the PSC/ manager involved Assist with the management of the disruption Manage the disruption Convene the Continuity Operational Group (COG) Co-opt additional members to the COG Escalate the issue to the On Call Director for information or action. 11.4 On Call Medical Director There is a member of the Medical Directors team on call for the Trust 24 hours/ 365 days a year. When the On Call Medical Director is contacted by the On call Senior Manager to convene the Continuity Operational Group their role is to work in partnership with the On Call Senior Manager and do one or more of the following as appropriate:- Advise/ support the On Call Senior Manager Assist with the management of the disruption Manage the disruption if agreed that this is appropriate Co-opt additional members to the COG Escalate the issue to the On Call Director for information or action. Page 15 of 22

11.5 The Continuity Operational Group (Silver Tactical Response) The Continuity Operational Group is an ad-hoc group that will meet when an identified business continuity issue cannot be resolved locally within routine arrangements. The Continuity Operational Group comprises: The On Call Senior Manager The On Call Medical Director. The team may be expanded depending on the type of disruption. The Continuity Operational Group should be able to rectify the majority of business continuity disruptions occurring on Trust premises. Some disruptions may have wider ramifications beyond the capabilities of the COG, such as an internal emergency causing the evacuation of wards, a disruption requiring the reconfiguration of clinical services or issues with potentially serious reputation, financial or contractual ramifications. It is also possible that a business continuity incident could be triggered as a result of impact on services of the Trust responding to a mass casualty. In the event of activation of a business continuity or critical incident COG will be the main interface between the Gold Command Team (the team responsible for command and control of a business continuity incident) and operational managers and clinicians (bronze response). 11.6 The On Call Director When the On Call Director is notified of a service disruption / incident their role is to assess the situation and do one or more of the following:- Note for information Support the COG Command the COG Escalate the issue for information or action. This may result in the declaration of a business continuity or critical incident Brief / work under the Command of the Gold Command Team in the event of declaration of a business continuity or critical incident. 11.7 Switchboard manager and staff The switchboard manager is responsible for ensuring that switchboard staff are appropriately trained to follow the switchboard action card for calling the members of Gold Command in the event of a declared business continuity or critical incident. Page 16 of 22

The switchboard manager is responsible for ensuring that switchboard staff are provided with the most recently provided call out details for On Call Senior Managers, On Call Medical Directors, On Call Directors and contact details for Executive Director Members and the deputies of the Gold Command Team. Switchboard staff are responsible for calling the individual On Call staff and other staff identified when requested or for following the switchboard action card in the event of a declared business continuity or critical incident. 11.8 Information Technology Service Desk The Information Technology Service Desk staff are responsible for supporting those staff responsible for managing a business continuity incident or disruption with specific requests including sending out a global email on behalf of the relevant On Call Senior Manager, On Call Medical Director, On Call Director or member of the Gold Command Team. 11.9 Gold Command Team (Gold Strategic Response) The Gold Command Team is an ad-hoc team that will form in the event of the declaration of a business continuity or critical incident to:- Undertake Command and Control of the business continuity incident until it is resolved Agree the strategy to manage the business continuity incident Define the aims and objectives to meet the agreed strategy Direct the COG (silver tactical response). The core membership will comprise the following Directors or their nominated deputies. Core Membership Chief Executive Medical Director Director of Nursing Supported by a loggist The team may be expanded depending on the type of disruption. 11.10 Loggist The loggist is a person trained to record key decisions and actions taken during the response to and management of an incident. 12 Declaration of a business continuity or critical incident 12.1 A business continuity incident will be activated in the Trust if the incident results in or potentially results in severe difficulties in maintaining service provision and as a result requires special action outside of routine arrangements. Page 17 of 22

A critical incident will be activated in the Trust where the level of disruption results in the Trust temporarily or permanently losing the ability to deliver critical services, patients may have been harmed or the environment may be unsafe requiring special measures and support from other agencies to restore normal operating function. In the event of a decision to declare a business continuity or critical incident the On Call Director will activate the Trust business continuity incident response via switchboard advising them of the timing of a conference call to be initiated or details of a meeting time and venue. 12.2 Switchboard will contact the Gold Command Team and ask the members to dial in to a conference call or to meet in the most appropriate venue. The venues equipped for responding to a business continuity incident are:- Meeting room 74, located on the level two management corridor at the Freeman The business continuity room located in Peacock Hall, Royal Victoria Infirmary. 12.3 In the event of a business continuity or critical incident being declared the COG will remain in place and support the Gold Command Team. 12.4 The Gold Command Team will meet / engage in conference calls at intervals defined by the Incident Team chairman during the disruption to receive briefings from the tactical Continuity Operational Group (COG). Page 18 of 22

Section Three - General 13 Training Responsibilities for training are described under the specific role responsibilities. In addition the Lead Manager for Business Continuity will be responsible for facilitating the provision of training and support to those managers and staff with a designated corporate role in the planning for and responding to a business continuity incident. The Trust EPRR Training and Exercise Strategy provides more detail on the requirements. 14 Equality and Diversity The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff and the public entering our premises reflects their individual needs and does not discriminate against individuals on any grounds. This document has been appropriately assessed. 15 Monitoring Standard / process / issue Trust Board assurance on Business Continuity arrangements Monitoring and audit Method By Committee Frequency Review by Emergency Preparedness, Resilience and Response (EPRR) Steering Group Accountable Emergency Officer Emergency Preparedness, Resilience and Response (EPRR) Steering Group Internal audit Quarterly Periodic Compliance with role responsibilities when planning for a business continuity disruption Check business continuity documentation is in place and complete. Review results of planned tests.. Lead Manager for Business Continuity Business Continuity Operational Group And Emergency Preparedness, Resilience and Response (EPRR) Steering Group As per timescale specified in policy for tasks Compliance with role responsibilities Evaluate reported business Lead Manager for Business Business Continuity Operational As required Page 19 of 22

Standard / process / issue When responding to a Business Continuity Incident Monitoring and audit Method By Committee Frequency continuity incidents Continuity Group And Emergency Preparedness, Resilience and Response (EPRR) Steering Group 16 Consultation and review Members of the Business Continuity Operational Group and The Emergency Preparedness, Resilience and Response (EPRR) Steering Group have been consulted on the content of this policy. The Lead Manager for Business Continuity will review this policy every two years or earlier as required. Page 20 of 22

Appendix One Glossary Business continuity management Business continuity management aims to ensure the continued running of an organisation and ongoing delivery of its services in the event of disruptions. This includes the identification and impact assessment of potential threats to an organisation, the development of a framework for building resilience and the ability to maintain and recover services quickly in order to protect the interests of the Trusts patients, reputation and services. Business Continuity Planning The development and documentation of plans for responding to and management of disruptions and business continuity incidents. Disruption A disruption is an event or issue that interrupts or affects the delivery of services or business functions. Business continuity incident A Trust Business Continuity Incident can be defined as an event or issue which results in or potentially results in severe difficulties in maintaining service provision and as a result requires special action outside of routine arrangements. Critical Incident A localised incident where the level of disruption results in the Trust temporarily or permanently losing the ability to deliver critical services, patients may have been harmed or the environment may be unsafe requiring special measures and support from other agencies to restore normal operating function. Major Incident An occurrence that presents a serious threat to the health of a community or causes such numbers or types of casualties as to require special arrangements to be implemented. Business impact analysis This involves identifying the key services that if disrupted for any reason would have the greatest impact on the Trust and its stakeholders. For each key service identified the following should be documented:- The impact over time The Maximum Tolerable Period of Disruption The Recovery Time Objective Critical activities required to deliver key services Resources required over time to maintain these activities at an acceptable level and to meet the Recovery Time Objective. The Maximum Tolerable Period of Disruption The maximum length of time the disruption can be tolerated without threatening organisational / key service viability. Page 21 of 22

Recovery Time Objective In the event of a disruption the Recovery Time Objective is the period of time identified by which key services need to be resumed. This will be less than the Maximum Tolerable Period of Disruption. Recovery Point Objective This is the point in time IT system data should be recovered from in the event of a service disruption. Risk Assessment Scoring and documentation of the likelihood and impact of a variety of potential service disruption scenarios after taking into account current preventative measures that are in place. For business continuity planning purposes at directorate and departmental level the Recovery Time Objective identified for services should be used as a proxy for risk. Business Continuity Strategy A strategy to address risks that includes decisions about whether risks should be addressed, tolerated, transferred or terminated. Disaster Recovery Plan The development, documentation and communication of plans to recover support services following a service disruption. Page 22 of 22

The Newcastle upon Tyne Hospitals NHS Foundation Trust Equality Analysis Form A This form must be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval. PART 1 1. Assessment Date: 05.09.16 2. Name of policy / strategy / service: Business Continuity Management Policy 3. Name and designation of Author: Theresa Glennie, Head of Business Continuity 4. Names & designations of those involved in the impact analysis screening process: Theresa Glennie, Head of Business Continuity, Christine Mathieson, Business Continuity and Emergency Planning Manager 5. Is this a: Policy x Strategy Service Is this: New Revised x Who is affected Employees x Service Users x Wider Community 6. What are the main aims, objectives of the policy, strategy, or service and the intended outcomes? (These can be cut and pasted from your policy) The aim of this policy is to describe the Trust s Business Continuity Framework, plan, roles, responsibilities and processes which aim to ensure the continuity of services and business operations, protection of patients and staff and the organisation s reputation. 7. Does this policy, strategy, or service have any equality implications? Yes No X If No, state reasons and the information used to make this decision, please refer to paragraph 2.3 of the Equality Analysis Guidance before providing reasons:

The policy describes how the trust should plan for and respond to incidents and disruptions such that impact to patient care and critical functions is minimised and that patient care and provision of essential patient care / critical functions can continue to be provided. These typically will include those services / functions that are provided either 24/7 / out of hours via on call are and those that would result in a statutory breach, major financial penalty or reputational damage. Services provided 24/7 and those covered by on call arrangements are required to maintain the care of existing patients and enable the provision of emergency services across the board. The underlying aim supported by legislation and NHS England guidance is to preserve the ability to continue to provide all patient care services and where there needs to be any prioritisation that critical services can continue to be provided to inpatients and emergency services can continue to be provided.

8. Summary of evidence related to protected characteristics Protected Characteristic Race / Ethnic origin (including gypsies and travellers) Sex (male/ female) Religion and Belief Sexual orientation including lesbian, gay and bisexual people Age Disability learning difficulties, physical disability, sensory impairment and mental health. Consider the needs of carers in this section Gender Re-assignment Marriage and Civil Partnership Maternity / Pregnancy Evidence, i.e. What evidence do you have that the Trust is meeting the needs of people in various protected Groups Does evidence/engagement highlight areas of direct or indirect discrimination? If yes describe steps to be taken to address (by whom, completion date and review date) Does the evidence highlight any areas to advance opportunities or foster good relations. If yes what steps will be taken? (by whom, completion date and review date) 9. Are there any gaps in the evidence outlined above? If yes how will these be rectified? 10. Engagement has taken place with people who have protected characteristics and will continue through the Equality Delivery System and the Equality Diversity and Human Rights Group. Please note you may require further engagement in respect of any significant changes to policies, new developments and or changes to service delivery. In such circumstances please contact the Equality and Diversity Lead or the Involvement and Equalities Officer. Do you require further engagement? Yes No 11. Could the policy, strategy or service have a negative impact on human rights? (E.g. the right to respect for private and family life, the right to a fair hearing and the right to education?

PART 2 Name: Date of completion: (If any reader of this procedural document identifies a potential discriminatory impact that has not been identified, please refer to the Policy Author identified above, together with any suggestions for action required to avoid/reduce the impact.)