Business Continuity Policy

Transcription

1 Document Summary This policy ensures CPFT business continuity management (BCM) activities are developed and implemented in a safe, prioritised and structured manner with Boardlevel commitment. DOCUMENT NUMBER POL/002/072 DATE RATIFIED 27 April 2018 DATE IMPLEMENTED 27 April 2018 NEXT REVIEW DATE March 2019 ACCOUNTABLE DIRECTOR POLICY AUTHOR Director of Quality and Nursing (Accountable Emergency Officer) Resilience Manager Important Note: The Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

2 TABLE OF CONTENTS 1.0 Scope Introduction Principles Strategic BCM aim Strategic BCM objectives /18 objectives for departmental plan Statement of intent Roles and responsibilities Incident reporting and management system Insurance Procurement Governance Training, awareness, exercising, maintaining and reviewing BCM Freedom of Information Human rights Monitoring compliance with this document...12 References/bibliography..12 Related Trust policy/procedure...15 APPENDIX A Definitions..16 Record of Amendments...18 Abbreviations April 2018 (Version 2.14) Page 1 of 19 Our Ref: POL/002/072

3 1.0 SCOPE 1.1 This document applies to all services including hosted services, activities and staff within Cumbria Partnership NHS Foundation Trust (hereinafter referred to as the Trust or CPFT ) with the exception of prison healthcare (see section 1.9 below). 1.2 The term patient will refer to any individual (service user, client) accessing Trust services. The BS ISO 22301:2012 term top management will refer exclusively to the Trust s Executive Directors. The terms stakeholder(s) and interested parties will be used interchangeably. Similarly NHS England s Emergency Preparedness, Resilience and Response (EPRR) is synonymous with the term emergency planning. Presentational conventions observed in this document include: the word must is used to express necessity. The word should is used to express recommendations, the word may is used to express permissibility and the word can is used to express possibility. The interchangeable use of shall and will is an acceptable part of standard British English. 1 The word not is underlined purely for emphasis. The phrase area(s) of responsibility refers to any geographical or functional responsibility assigned to an individual and/or documented in the corresponding job description. The term suppliers and partners refers to any third party upon which the Trust relies for the provision of goods and services, including but not limited to partners, associates and those engaged with specialist commissioned services. 1.3 Whilst the geographical extent of the Trust s business continuity management system (BCMS) will be the area covered by Cumbria Local Resilience Forum (LRF), which is coterminous with Cumbria County Council s boundaries, the responsibility of the continuity of any third-party service, particularly those supplied from outside, or operating beyond, Cumbria remains with the Trust. 1.4 Prioritised activities for essential services will be agreed by the Resilience Group and subject to annual review. Essential services include, but are not limited to nor in any particular order: district/community nurses, minor injury units (Primary Care Assessment Service (PCAS) Penrith and Keswick Minor Injuries Unit), palliative care nurses (and any allied healthcare professional engaged in either end-of-life or palliative care), children s community nursing, mental health in-patient wards, inpatient wards in community hospitals, the in-patient ward managed by Specialist Services, (mental health) crisis resolution and home treatment, community mental health teams, prison healthcare, ehealth, Pharmacy and Finance. 1.5 Each care group and corporate service will formulate their own scope for its business continuity plans (BCP(s)), taking into account this document and ISO22301:2012 Clause Subject to approval by the Resilience Group, each care group/corporate service may exclude parts of their operations that they consider fall outside of the scope for their BCPs provided that such exclusions are documented and do not negatively impact on the Trust s ability to deliver its prioritised activities. 1 The New Oxford Dictionary of English, p March 2018 (Version 2.14) Page 2 of 19 Our Ref: POL/002/072

4 1.6 The Trust has also obligations in relation to those aspects of information governance that relate to business continuity; however delivery of these requirements remains the responsibility of the information governance team This policy is not intended to be exhaustive or restrictive and does not preclude the innovative use of strategies, other plans which are lawful, human rights compliant and which have been adequately risk assessed. 1.8 This policy does not seek to replace or supersede existing relevant polices or planning (e.g. site-specific documents). Instead it advocates the use of existing incident reporting and risk registers and will link closely with policy on the Trust s Emergency Preparedness, Resilience and Response (EPRR) activities. 1.9 Prison healthcare staff will come under the jurisdiction of Her Majesty s Prison Service (HMPS) contingency planning and as such this policy will not apply to those members of staff on site at HMP Haverigg at the time of an incident. 2.0 Introduction 2.1 The aim of having a business continuity management system (BCMS) is to ensure that NHS organisations are able to maintain their prioritised activities (critical functions) in the face of disruptive challenges. Therefore all NHS organisations are expected to prepare, exercise, maintain and review BCPs, based on the principle that each organisation should be able to maintain its critical services for a period of seven days. 2.2 The Health and Social Care Act 2008 (Regulated Activities) Regulations 2009 provide the statutory basis for the Care Quality Commission s Essential Standards of Quality and Safety, ss 4B, 6D and 10E, which require healthcare providers to have arrangements in place for the management of emergencies and the development and maintenance of contingency plans to maintain services. 2.3 This policy document defines a broad framework for the implementation of the Trust s BCMS to minimise the impact of business continuity (BC) incidents/disruption. Full compliance with this policy will ensure procedures exist for recording, assessing and managing business continuity risk; identifying and prioritising essential services; responding to business disruptions or incidents, regardless of cause; and maintaining essential services (or restoring services to normal levels). 3.0 PRINCIPLES 3.1 The Trust s BC planning is devised to deal with the impact(s) of the event/situation/disruption as opposed to address the potential cause(s) and such BC arrangements are crucial to the successful management of the Trust. 2 Section , Information Governance Toolkit 27 April 2018 (Version 2.14) Page 3 of 19 Our Ref: POL/002/072

5 3.2 In addition to the responsibilities of the Executive Directors, for the Trust s business continuity management system (BCMS) to be viable it requires ownership by heads of service. 3.3 The Trust will ensure that appropriate BCPs are reviewed at least annually, or unless subject to significant change, and contingency arrangements are in place in order to achieve its strategic BCM objectives. 3.4 The Trust will ensure that any new system or function has documented business continuity procedures which detail how the function is to be provided in the event of a business continuity incident/disruption. 3.5 The Trust will provide adequate education and training as well as testing and exercising to validate plans at regular intervals to ensure awareness of the requirements of this policy. 3.6 The prioritisation for the restoration of services are identified in service/departmental/care groups business impact analyses (BIAs) which should be reviewed at least every six months or unless subject to significant change. On completion, each BCP should be stored securely with the respective service/department/care group and made available via the Resilience Portal using proper version control. It will be the responsibility of any CPFT incident management team including central incident support team (CIST), if convened, to ensure that the services/departments identified as critical within the respective business continuity plan(s) are restored as a priority. 3.7 BC planning is a dynamic, iterative, composite process which allows for further development and adaptation of BCPs as circumstances change and/or knowledge of a given risk or threat improves. 4.0 STRATEGIC BCM AIM 4.1 To develop, implement and manage a robust and effective business continuity management system (BCMS) to protect the Trust, its stakeholders (interested parties) including patients, staff, visitors and contractors where reasonably practicable. 5.0 STRATEGIC BCM OBJECTIVES 5.1 The Trust s strategic business continuity objectives are to: Identify, assess, minimise business continuity risk Provide a framework for the development, implementation and monitoring of the Trust s business continuity management system (BCMS) Ensure the three-tiered (operational/tactical/strategic) BCMS adequately addresses planning, processes, training and continuous improvement to manage operational incidents and disruption that may affect the Trust, its assets or its interests Support the delivery of the Trust s vision and values.

6 5.1.5 Safeguard the Trust s reputational integrity Raise awareness of business continuity in the context of patient safety and the interdependencies between care groups, local services and partners Comply with the requirements of the Civil Contingencies Act 2004 (the Act or CCA ) regime (its regulations, statutory and non-statutory guidance) and align with the new international standard for business continuity, BS ISO 22301:2012 and its guidance, BS ISO 22313: /19 OBJECTIVES FOR DEPARTMENTAL PLANS 6.1 Review current BC policy, objectives, targets, controls, processes and procedures to contribute to development/identification of further BCM planning. 6.2 Consolidate the three-tiered (operational/tactical/strategic) BC incident response structure for the Trust. 6.3 Review three-tiered (operational/tactical/strategic) BIAs using the revised NHS England BCM toolkit. 6.4 Further develop three-tiered (operational/tactical/strategic) BCPs across the Trust. 6.5 Test/exercise the Trust s incident response structure and functional areas of key Trust facilities including all mental health in-patient facilities and community hospitals. 6.6 Produce an analysis detailing risks presented by BC threats to the Trust. 6.7 Develop and implement mitigation strategies to combat identified BC threats. 6.8 Critically assess the overall readiness of Trust BC incident response structure, including formation of the central incident response team (CIST). 6.9 Align with the new international standard for business continuity management, BS ISO 22301: STATEMENT OF INTENT 7.1 The Trust is committed to developing, implementing and managing a robust and effective business continuity management system (BCMS) as a key mechanism to: a) ensure a formal, consistent, co-ordinated, cost-effective approach to the continuity of its civil protection functions and its ordinary core functions within Mental Health Services, Community Health Services, Specialist Services, Children and Families and its corporate services; b) identify its essential services, including their prioritised activities, supporting resources and interdependences; c) conduct business impact analyses and risk assessment on its key services; d) assist to safeguard its patients and staff; 27 April 2018 (Version 2.14) Page 5 of 19 Our Ref: POL/002/072

7 e) protect, maintain and, if necessary, recover its prioritised activities (critical functions), as identified in relevant business impact analyses; f) highlight responsibilities and business continuity risks in respect of each care group and functional area; g) BCMS takes into account the legal and contractual obligations of the Trust. h) ensure planning is proportionate to the risks identified and the cost/benefits of mitigation; i) develop appropriate BCPs to ensure continuity of essential services at a minimum acceptable level and within specified timeframes; j) determine when to invoke BCPs and communications with its patients, staff and other stakeholders; k) ensure plans are subject to ongoing exercising, maintenance, and review; l) comply with the requirements of the CCA regime and align with the new international standard for business continuity, BS ISO 22301:2012 and its guidance, BS ISO 22313:2012; m) develop a culture of business continuity management that feeds into the Trust s key planning and management processes; n) maintain the confidence of staff, patients, other interested parties including the public; o) protect and uphold the reputation of the Trust; and p) provide assurance to the Board that the BCMS remains up-to-date and relevant. 7.2 This policy should be read in conjunction with the Trust s BCM Strategy and business continuity process documents. 7.3 Ownership of this policy document will remain with the Executive Directors. 7.4 The Executive Directors will endorse and empower the development of a strong business continuity culture, which is an essential ingredient to providing an effective BCMS. All Executive Directors will ensure that nominated business continuity leads maintain business continuity management, including business continuity plans for prioritised activities within their area of responsibility. This will include assurance from external service providers. 7.5 The three-tiered approach for developing Trust (operational/tactical/strategic) business continuity plans will incorporate the following: (NHS England s) NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response ( Core Standards ) BS ISO 22301:2012 Societal security Business continuity management systems Requirements BS ISO 22313:2012 Societal security Business continuity management systems Guidance PAS 2015: Framework for health services resilience Recognised standards of corporate governance.

8 7.6 Business continuity leads will maintain and review BIAs at least on a six-monthly basis and BCPs at least annually. 7.7 All staff working for and on behalf of the Trust must be aware of the BCP(s) appropriate for their business area(s) and their role in preparation for BC incidents/disruption. 7.8 The Trust will implement a programme of BCM training, exercises, maintenance and review, which will be delivered through an annual work plan. 7.9 Functional departments will provide professional support to improve the resilience of prioritised activities and critical resources that support the Trust s essential services Each care group will carry out an annual review of its business continuity processes the Resilience Manager will monitor this review and provide support where appropriate Each care group must exercise its BCPs at least annually and review BCM documentation in light of any lessons or issues identified. 8.0 ROLES AND RESPONSIBILITIES 8.1 This section outlines roles and responsibilities for relevant staff in respect of BCM. 8.2 Trust Board The Trust Board (the Board ) will be responsible for: a) ensuring appropriate structures are in place to implement effective business continuity arrangements; b) monitoring the implementation of this policy through the Resilience Group and other governance structures; c) committing resources necessary to adequately control identified business continuity risks. 8.3 Chief Executive The Chief Executive has overall responsibility for business continuity management within the Trust and is responsible on behalf of the Board for ensuring the implementation of this policy and for business continuity arrangements throughout the Trust. 8.4 Director of Quality and Nursing (Accountable Emergency Officer) The Director of Quality and Nursing has delegated responsibility from the Chief Executive and the Board to ensure that the requirements of this policy are met and that: a) the Board is provided with reasonable assurance or are kept informed of any significant business continuity risks, and any associated significant developments, concerns or issues; b) there is specialist advice on business continuity matters and that this is available to the Trust; c) in conjunction with the Director of Finance, ensuring financial support is available if business continuity arrangements are invoked; 27 April 2018 (Version 2.14) Page 7 of 19 Our Ref: POL/002/072

9 d) there is the production of relevant BCPs and mitigation strategies associated with this policy; e) s/he ensure regular attendance at the Cumbria Local Health Resilience Partnership (LHRP). 8.5 Executive Directors Executive Directors have a responsibility for ensuring that: a) this policy is implemented within their own directorate and in particular that each prioritised activity within the directorate is incorporated into a BIA and appropriate contingency arrangements are in place; b) they hold up-to-date copies of BCPs relevant to their directorates and circulate as appropriate to identified managers; c) managers and staff co-operate in applying this policy throughout their directorate with the involvement of relevant Trust managers; d) Trust staff are provided with appropriate business continuity management awareness training; e) they retain ownership and responsibility for the plans within their functional areas. 8.6 Deputy Director of Operations The Deputy Director of Operations will monitor and review effectiveness of the Trust s BCMS, ensure the continued and consistent use of the Trust s and procedures on a corporate basis, and promote the overall commitment of the Trust to BCM. 8.7 Resilience Manager The Resilience Manager is responsible for the development and the implementation of BCMS, advising on compliance with CCA and ensuring EPRR and IT resilience are coordinated in conjunction with this policy, and will: a) provide specialist advice and guidance in respect of BCM (and EPRR) issues including the co-ordination, development, implementation and review of BCPs, processes and procedures; b) meet with heads of service to review BIAs and BCPs on an annual basis or when necessary; c) conduct risk assessments based on current and future threats identified through horizon-scanning and intelligence-gathering; d) co-ordinating the annual update of departmental BCPs; e) embed a business continuity culture through communication and provision of awareness sessions, training and exercises to staff, according to their roles and needs; f) facilitate training, tests and exercises; g) audit compliance of BCPs; h) provide recommendations and other management feedback as appropriate. 8.8 Associate Directors, heads of service, team leads Associate Directors of Operation, heads of service and team leads are responsible for: a) implementing and supporting this policy;

10 b) understanding the requirements and responsibilities set out in relevant tactical and operational BCPs; c) supporting business continuity awareness and acceptance amongst staff at the operational level and ensuring that all of their staff are aware of their responsibilities within operational business continuity plans; d) maintaining relevant tactical and operational BIAs and BCPs as they are developed, ensuring that any significant service changes and/or risks are reflected in BIAs, BCPs and noted in the relevant risk register Associate Directors of Operation, Nursing and Medical Directors are jointly responsible within care groups for: a) supporting business continuity awareness and acceptance amongst staff at the operational and tactical levels and ensuring that all of their staff are aware of their responsibilities within both operational and tactical business continuity plans; b) encouraging staff participation in training and exercises; c) liaising with the Resilience Manager where appropriate. 8.9 All staff All staff are responsible for developing an awareness of BCM within their area(s) of responsibility and will participate in training and exercises as required Business continuity management group (BCMG) If deemed appropriate BCMG can be convened by the Chief Executive or other Executive Director. This is a strategic-level decision-making group Central incident support team (CIST) The central incident support team will provide a focal point for all communications, coordination, leadership and decision-making at the tactical level during a business continuity incident/disruption (e.g. industrial action). CIST will remain separate from any (emergency) incident response team in order to maintain/recover the Trust s prioritised activities during disruptive challenges. 9.0 INCIDENT REPORTING AND MANAGEMENT SYSTEM 9.1 Incident reporting and management system Business continuity incidents should be reported in line with Trust policy including, where appropriate, the Trust s Incident and Serious Incidents that Require Investigation (SIRI) Policy Care groups and corporate services are expected to provide quarterly reports to the Accountable Emergency Officer on the development and implementation of BCM. Exception reporting is required for all disruptive events or near misses. 27 April 2018 (Version 2.14) Page 9 of 19 Our Ref: POL/002/072

11 10.0 INSURANCE 10.1 In conjunction with the Joint Company Secretary, the Director of Finance will be responsible for liaising with the relevant Trust insurers The Trust should continually review whether to indemnify certain risks PROCUREMENT 11.1 The Trust has a number of suppliers and partners on whom it relies upon to provide a continued service. In order to minimise any risk of disruption to Trust services as a result of a BC incident involving failure to supply a critical product or service, suppliers and partners identified as critical in the relevant BIA will be requested to provide assurance that business continuity arrangements are in place. Any organisations tendering for Trust contracts may be asked to complete a business continuity planning questionnaire Managers responsible for commissioning or procuring goods and services from external suppliers or partners should consult both information governance and contract management colleagues to ensure that contracts and/or service level agreements contain appropriate clauses in respect of information governance and business continuity (and/or disaster recovery if applicable) Where products and services are outsourced the Trust will take steps, as far as reasonably practicable, to ensure that critical and key suppliers also have effective business continuity arrangements in place, along with exercising and maintenance programmes, to safeguard products and services required for the performance of its prioritised activities in line with the NHS Standard Contract GOVERNANCE 12.1 Resilience Group will convene at least quarterly to oversee the implementation and monitoring of the Trust s BCM Strategy. This group will be chaired by the Deputy Director of Operation, comprising senior representation from care groups and corporate services (as required) including but not limited to: the Head of Information Technology, the IT Technical Architect and Security Manager and the Resilience Manager The Accountable Emergency Officer will provide assurance on BCM (and EPRR) to the Board on at least an annual basis TRAINING, AWARENESS, EXERCISING, MAINTAINING AND REVIEWING BCM 13.1 BCPs are to be exercised, reviewed and updated at regular intervals to determine whether any changes are required to procedures and responsibilities. Plan review should not exceed 12 months. 3 For purposes of internal communications disaster recovery is seen by some IT colleagues as being distinct from business continuity.

12 13.2 The Resilience Manager will ensure that EPRR and BCM form part of Risky Business, the Trust s mandatory training package, and wider risk management training The Resilience Manager will identify levels of training and awareness for business continuity leads (to cascade to staff in their area(s) of responsibility) to ensure a strong business continuity culture throughout the Trust. BCM training may consist of either internally- or externally-hosted events. BCM exercises may involve multiagency colleagues, suppliers and other partners. Both training and exercises will be scheduled for the year in the annual resilience work plan The BCM training may include: instructional DVDs, in-house team or group training sessions and external courses Freedom of Information Act 2000 (FOIA) and Environmental Information regulations 2004 (EIR) requests 14.1 This document is publicly available HUMAN RIGHTS 15.1 The Trust must uphold the Human Rights Act 1998, which requires consideration of a range of factors including the dignity of individuals receiving treatment; end-of-life considerations; prioritisation of treatments and transparency in relation to decisionmaking as well as individual preferences During a significant incident or emergency preservation of life has primacy, which is the core of Article 2 of the Human Rights Act If for any reason, an emergency or business continuity incident necessitates restricting any human right, such as freedom of movement or freedom of assembly, this should be proportionate and only for the minimum duration possible. The reason for such a decision being taken should be communicated to the people affected and recorded accurately Monitoring compliance with this document 16.1 The table below outlines the Trust s monitoring arrangements for this policy/document. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. Aspect of compliance or effectiveness being monitored Monitoring method Individual responsible for the monitoring Policy cohesion Annual review Resilience Manager Frequency of the monitoring activity Annually Group / committee which will receive the findings / monitoring report Trust Management Board Group / committee / individual responsible for ensuring that the actions are completed Deputy Director of Operations 27 April 2018 (Version 2.14) Page 11 of 19 Our Ref: POL/002/072

13 References/Bibliography The BCI Good Practice Guidelines 2013 Global Edition. A Guide to Global Good Practice in Business Continuity. Business Continuity Institute BRITISH STANDARDS INSTITUTE, ISO Societal Security - Business continuity management systems Guidance. BRITISH STANDARDS INSTITUTE, ISO Societal Security - Business continuity management systems Requirements. BRITISH STANDARDS INSTITUTE, PAS 2015: 2010 Framework for health services resilience. BRITISH STANDARDS INSTITUTE, PAS 200: 2011 Crisis management. Guidance and good practice. BRITISH STANDARDS INSTITUTE, PAS 555:2013 Cyber security risk Governance and management Specification. BRITISH STANDARDS INSTITUTE, PD 25111:2010 Business continuity management - Guidance on the human aspects of business continuity. BRITISH STANDARDS INSTITUTE, PD 25222:2011 Business continuity management - Guidance on supply chain continuity. BRITISH STANDARDS INSTITUTE, PD 25888:2011 Business continuity management Guidance on organizational recovery following disruptive incidents.. Version 2.0. East of England Ambulance Service NHS Trust Central Government Arrangements for Responding to an Emergency: Concept of Operations. [Accessed 7 March 2016]. Available at cl_revised_chapter_24_apr-13.pdf Civil Contingencies Act 2004 Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 Core Competencies Framework. The Emergency Planning Society. Issue number 2. June Corporate Manslaughter Act and Corporate Homicide Act Cumbria Community Risk Register 2014/15. Cumbria, Northumberland, Tyne and Wear Area Team Incident Response Plan. Version 1.0. NHS England November Data Protection Act 1998 Developing resilient organisations across the NHS in London. NHS London Emergency Preparedness - Guidance on Part 1of the Civil Contingencies Act 2004, its associated Regulations and non-statutory arrangements. Cabinet Office November Emergency Response and Recovery. Version 5. Cabinet Office Environmental Information Regulations 2004 Equality Act 2010 The Flood and Water Management Act 2010 Freedom of Information Act 2000 HBN Resilience Planning for the NHS Estate Health and Safety at Work Act 1974 Health and Social Care Act 2008 (Regulated Activities) Regulations Heath and Social Care Act 2012 HSG48 Reducing Error and Influencing Behaviour (1999).[Accessed 7 March 2016]. Available at Human Rights Act 1998

14 Information Governance Toolkit Version 12 (IGT v12) Management of Health and Safety at Work Regulations National Occupational Standards for Civil Contingencies. Skills for Justice. National Recovery Guidance. Cabinet Office. [Accessed 7 March 2016]. Available at National Risk Register for Civil Emergencies Cabinet Office [Accessed 7 March October] Available at 1_2015-NRR-WA_Final.pdf The New Oxford Dictionary of English. Oxford University Press (NHS England) NHS Commissioning Board Business Continuity Management Framework (service resilience). NHS England (NHS England) NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR). NHS England NHS England Business Continuity Management Strategy. NHS England August NHS England. NHS England August NHS England Emergency Preparedness, Resilience and Response Framework. NHS England National Emergency Preparedness, Resilience and Response Unit November NHS Resilience and Business Continuity Management Guidance. Department of Health NHS Standard Contract: updated January 2018 [Accessed 26 March 2018]. Available at: Preen, Jim, Business Continuity Communications Successful Incident Communications Planning with ISO Second Edition. British Standards Institute Preen, Jim, Business Continuity Exercises and Tests. Delivering Successful Exercise Programmes with ISO Second Edition. British Standards Institute 2012 Sharp, John, The Route Map to Business Continuity Management. Meeting the Requirements of ISO British Standards Institute Strategic Leadership in a Crisis. Health Resilience Stuart-Black, Sarah et al, Health Emergency Planning: A Handbook for Practitioners. TSO: London 2nd Edition (2008). Useful Abbreviations. Health Protection Agency UK Civil Protection Lexicon Version Cabinet Office 2011 Wallace, M and Webber, L. The Disaster Recovery Handbook. A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities and Assets. Second Edition. Amacom Workplace (Health, Safety and Welfare) Regulations 1992 Related Trust Policy/Procedures Business Travel Policy Capacity Policy Code of Conduct Communications with Media Policy Guidelines and Risk Assessment of new and expectant mother at work Equality and Diversity Policy Fire Safety Policy Health & Safety Policy/Procedure 27 April 2018 (Version 2.14) Page 13 of 19 Our Ref: POL/002/072

15 Incident and Serious Incidents that Require Investigation (SIRI) Policy Incident Response Plan Information Governance Policy Management Supervision Policy Medicines Policy Policy for Lone Working Policy for the Recruitment of Agency Staff Policy to Promote Flexible Working Policy on Prevention and Management of Violence and Aggression Policy for the Control of Contractors engaged in Construction and Engineering Works Risk & Safety Strategy & Policy Service Delivery Health & Safety Risk Assessment Policy Preparing for a Serious Security Occurrence (Lockdown) Policy Untoward Incidents/Formal Complaints/Claims Investigation Policy Special Leave Policy Standard and Enhanced Infection Control Precautions Outbreak of Communicable Infection (including Specific Alert Organisms) Aseptic Technique Policy Closure of Rooms, Wards, Departments and Premises to New Admissions. Prevention and Management of Occupational Exposure of Blood Bourne Viruses Isolation of Service Users/Clients Policy Disinfection Policy Decontamination Policy Hand Hygiene Policy Isolation Facilities Policy Packaging Handling and Delivery of Laboratory Specimens Policy Use and Care of Invasive Devices Policy Laundry Policy Waste Management Policy Intentionally left blank

16 APPENDIX A DEFINITIONS Unless a contrary intention is evident or the context requires otherwise, words or expressions contained in this document shall have the same meaning as set out in the National Health Service Act 2006 and the Health & Social Care Act 2012 or in any secondary legislation made under the National Health Service Act 2006 and the Health & Social Care Act 2012 and the following defined terms shall have the specific meanings given to them below: Activity: A process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products. Board: The chair, executive members and non-executive members of Cumbria Partnership NHS Foundation Trust collectively as a body. Budget: A resource, expressed in financial terms, proposed by the Board for the purpose of carrying out, for a specific period, any or all of the functions of Cumbria Partnership NHS Foundation Trust. Business continuity: The strategic and tactical capability of the Trust to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. Business continuity incident An event or occurrence that disrupts, or might disrupt, an organisation s normal service delivery, below acceptable predefined levels, where special arrangements are required to be implemented until services can return to an acceptable level. (This could be a surge in demand requiring resources to be temporarily redeployed). Business continuity management (BCM): The holistic management process that identifies potential threats to the Trust and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation and valuecreating activities. Business continuity management group (BCMG): A strategic-level group convened by the Chief Executive, or another Executive Director to maintain the Trust s prioritised activities during disruptive challenges. Business continuity management programme: An ongoing management and governance process supported by the Executive Management Team and appropriately resourced to implement and maintain business continuity management. Business continuity plan (BCP): A clearly defined and documented plan for use at the time of business continuity disruption, an event, an incident or a crisis. Typically a plan will cover all key personnel, resources, services and actions required to manage the BCM process. 4 Business impact analysis (BIA): The process of analysing business functions and the effect that a business disruption might have upon them. 4 Ibid. All other terms in this document are consistent with the Business Continuity Institute s definitions. 27 April 2018 (Version 2.14) Page 15 of 19 Our Ref: POL/002/072

17 Category 1 responder: A person or body listed in Part 1 of Schedule 1 to the Civil Contingencies Act. These bodies are likely to be at the core of the response to most emergencies. As such, they are subject to the full range of civil protection duties in the Act. Category 2 responder: A person or body listed in Part 3 of Schedule 1 to the Civil Contingencies Act. These are co-operating responders who are less likely to be involved in the heart of multiagency planning work, but will be heavily involved in preparing for incidents affecting their sectors. The Act requires them to co-operate and share information with other Category 1 and 2 responders. Command: The exercise of vested authority that is associated with a role or rank within an organisation, to give direction in order to achieve defined objectives. Control: The application of authority, combined with the capability to manage resources, in order to achieve defined objectives. Community risk register: A register communicating the assessment of risks within a Local Resilience Area which is developed and published as a basis for informing local communities and directing civil protection workstreams. Critical incident Any localised incident where the level of disruption results in the organisation temporarily or permanently losing its ability to deliver critical services, patients may have been harmed or the environment is not safe requiring special measures and support from other agencies, to restore normal operating functions. Essential service: A service that if disrupted, for any reason, would have a negative impact upon patients, the community, the wider health economy, and/or the Trust s reputation or finances. Executive member: A member of the Board who is appointed under paragraph 3 of Schedule A1 of the NHS Act Exercise: A simulation designed to validate the Trust s capability to manage incidents and emergencies. Specifically exercises will seek to validate training undertaken and the procedures and systems within emergency or business continuity plans. Hazard: An accidental or naturally-occurring (i.e. non-malicious) event or situation with the potential to cause death or physical or psychological harm, damage or losses to property, and/or disruption to the environment and/or to economic, social and political structures. Interested parties: See definition for Stakeholders below. Healthcare resilience: The Trust s ability to adapt and respond to disruptions, whether internal or external, to deliver agreed critical activities to a minimum level. (Plan) Invocation: The act of declaring that a Trust business continuity plan(s) needs to be activated to continue to deliver essential services. Likelihood: The chance of something happening, whether defined or measured or estimated objectively or subjectively or in terms of general descriptors. Major incident Any occurrence that presents serious threat to the health of the community or causes such numbers or types of casualties, as to require special arrangements to be implemented.

18 Maximum tolerable period of disruption: The point at which a service s viability will be irrevocably threatened if the prioritised activities(s) cannot be resumed. Prioritised activities: A service or operation the continuity of which a Category 1 responder needs to ensure, in order to meet its business objectives and/or deliver essential services. Recovery point objective (RPO): The point in time from which electronic files/data have to be recovered in order to resume activities. Recovery time objective (RTO): The target time for the resumption of a prioritised activity after an incident. Resources: Resources in this context mean the provision of human resources, equipment and supplies to meet the strategic, tactical and operational needs for BCM response and recovery. Risk: Measure of the significance of a potential emergency in terms of its assessed likelihood and impact. Risk assessment: The overall process of risk identification, analysis and evaluation. Stakeholders: Stakeholders or interested parties include patients, wider local communities, other NHS organisations, the emergency services, local authorities and suppliers. Further information on terms, definitions and abbreviations used in the Trust s BCM programme can be found in the Business Continuity Institute Glossary. RECORD OF AMENDMENTS This record should be completed following approval of each amendment. Changes to ownership must be written in bold. Date of request Version Page Section Description of change Requested by Approved by 08/01/ N/A N/A Policy was approved by the Business Continuity Steering Group, subject to amendment to 12.0 Governance which would be discussed further by DS, DT and RG at a separate meeting. 18/03/ N/A N/A Review at OMG [Operational Management Group]. Review of policy management process. 20/04/ Changed General Managers to Associate Directors of Operations. 20/04/ Changed Associate Director of Clinical Governance to Deputy Director of Quality and Nursing. 07/03/ N/A N/A No material change to the policy; minor amendments to the bibliography including amended reference for NHS England EPRR Framework (November 2015) and its definitions for critical incident and business continuity incident now used in APPENDIX A - DENFITIONS. Contracted term executive management team to read Executive Directors. Similarly contracted the term care delivery group to care group. [NOTE: Removed amendment history prior 08/01/15 to reduce document size, but available in previous versions.] Presented for review at Trust Management Group. 12/04/ Following TMG on 16/03/16, the original section has been split (8.8.1, 8.8.2) to give some responsibility to 27 April 2018 (Version 2.14) Page 17 of 19 Our Ref: POL/002/072 RG Business Continuity Steering Group RG OMG N/A RG N/A N/A Date re-issued 12/02/15 RG N/A 20/04/15 RG N/A N/A RG TMG 12/04/16

19 Date of request Version Page Section Description of change Requested by Approved by care groups leadership teams as opposed to referring solely to Associate Directors of Operations. Date re-issued 17/03/ N/A N/A Changed Business Continuity Steering Group to Resilience Group, but no other substantive changes (changes in job titles). 22/03/18 (v2.14) Policy owner: (CPFT) Director of Quality and Nursing. Removed: PCAS Kendal Director of Quality and Nursing Deputy Director of Operations Removed duplicate points e) and f as appear in section N/A Removed superfluous terms from Abbreviations RG N/A N/A RG (Forwarded to CPFT Resilience Group) ABBREVIATIONS BC Business continuity BCM Business continuity management BCMG Business continuity management group BCMS Business continuity management system BCP Business continuity plan BIA Business impact analysis BS British Standard CCA Civil Contingencies Act 2004 CIST Central incident support team CPFT Cumbria Partnership Foundation Trust CQC Care Quality Commission DPA Data Protection Act 1998 (NOTE: General Data Protection Regulations come into force on 25 May 2018) EIR Environmental Information Regulations (2004) EPRR Emergency Preparedness, Resilience and Response FOIA Freedom of Information Act 2000 HMPS Her Majesty s Prison Service ISO International Organization for Standardization ISO Societal Security - Business continuity management systems Requirements ISO Societal Security - Business continuity management systems Guidance IT Information Technology LHRP Local Health Resilience Partnership LRF Local Resilience Forum LSMS Local Security Management Specialist MTPoD Maximum tolerable period of disruption NOS National Occupational Standards (Skills for Justice) NRR National Risk Register (of Civil Emergencies) OOH Out of hours PAS Publicly Available Specification (British Standard Institute) PCAS Primary Care Assessment Service PHE Public Health England RPO Recovery point objective RTO Recovery time objective SIRI Serious Incidents that Require Investigation (Policy) SIRO Senior information risk owner SLA Service level agreement

20 Business Plan April 2018 (Version 2.14) Page 19 of 19 Our Ref: POL/002/072