BUSINESS CONTINUITY MANAGEMENT POLICY A GUIDE TO BUSINESS CONTINUITY AND SERVICE RECOVERY PLANNING Version 1.2 Ratified by BHR CCGs Governing Bodies Date ratified September 2016 Name of Director Lead Marie Price Name of author Lisa Wood Date issued September 2016 Review date October 2017 Target audience BHR CCGs Staff Version 1.2 Page 1 of 7
Contents Page 1. Introduction 3 2. Purpose 3 3. Causes of Service Interruption 3 4. Business Continuity and Recovery Planning 4 5. Process 5 Version 1.2 Page 2 of 7
1.0 Introduction 1.1 The NHS needs to be able to plan for and respond to a wide range of incidents and emergencies that could affect health or patient care. Under the Civil Contingencies Act (2004) NHS organisations must show that they can deal with such incidents while maintaining services to patients. This work is referred to as emergency preparedness resilience and response (EPRR). Emergency response organisations are classified by two types, Category One, primary responders and Category Two, supporting agencies. 1.2 While NHS England (NHSE), as a Category One responder, bears the majority of responsibilities in preparing and responding to incidents and emergencies, the CCG, as a Category Two responder, has a duty to participate in preparations and provide a cooperative and supportive role to NHSE should an incident occur. As a Category Two responder there are also a number of core standards that CCGs must meet and a business continuity management policy and business continuity plan are included. Specific obligations under EPRR are assigned to each category. Each CCG s Chief Operating Officer has been appointed as Accountable Emergency Officer (AEO) for EPRR and is responsible for ensuring that the CCG s roles and responsibilities around EPRR are adhered to. 1.3 As Category 2 responders under the Civil Contingencies Act 2004, Clinical Commissioning Groups (CCGs) are required to have a business continuity plan in place to manage the effects of any incident that might disrupt its normal business. It has always been a sensible precaution to have contingency plans in place to manage interruptions to normal business functions. These range from (for example) managing a power cut to arranging service provision during a major incident or epidemic. The BHR CCGs business continuity management strategy is based on our legal requirements, internal and external issues that could affect service delivery and the needs and expectation of interested parties. 1.4 Business Continuity plans may be required to support NHS England London s Major Incident Plan. National Risk Management requirements (Standards for Better Health, NHS Litigation Authority) necessitate that business recovery and service continuity plans are in place. 1.5 It is the policy of NHS Barking and Dagenham, NHS Havering and NHS Redbridge Clinical Commissioning Groups (BHR CCGs) to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to respond appropriately. A service interruption is defined as: Any incident which threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions. 1.4 An appropriate response would aim to maintain critical activities and restore normal services as soon as possible in the circumstances prevailing at the time. Version 1.2 Page 3 of 7
2.0 Purpose 2.1 This Policy sets out the general principles and process for the creation and revision of the Business Continuity plans. This document aims to ensure that all Business Continuity processes carried out by the CCGs are done so in an agreed manner. 3.0 Causes of Service Interruption 3.1 There are many and varied possible causes of service disruption. As a general guide, service continuity planning should be carried out to minimise the effects of a number of potentially disruptive events: Major accident or incident, national disaster, epidemic, terrorist attack Fire, flood, extreme weather conditions Loss of utilities, including IT and telephone systems Major disruption to staffing; epidemic, transport disruption, industrial action, inability to recruit; mass resignations (e.g. lottery syndicate). 3.2 It should be borne in mind that these events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get to work. 4.0 Business Continuity & Service Recovery Planning 4.1 Business Continuity: Core Business Functions 4.1.1 Identifying core business functions of the BHR CCGs that must be supported in any emergency situation. Core business planning is the responsibility of each Directorate or function within a Directorate (if necessary). 4.2 Service Recovery: 4.2.1 Planning for the restoration and support of utilities and services without which the core business functions would not be able to continue. Examples of these are: Gas, Water, Electricity Fire alarms, Security system IT system, Telephone / Communications Post services Estate services 4.2.2 Support planning is the responsibility of the Director responsible for each function. 4.3 Premises Recovery 4.3.1 Loss of individual premises (or parts of) may cause a significant disruption to the functioning of the BHR CCGs. Therefore, individual premises recovery plans need Version 1.2 Page 4 of 7
to be prepared for all premises operated (owned or leased) by the BHR CCGs. This will be the responsibility of the building landlords with co-operation of staff based in those facilities. These recovery plans will be incorporated into the BHR CCGs Business Continuity Plan. 4.4 IT Services 4.4.1 Loss of IT Services will again cause a significant level of disruption to the functioning of the BHR CCGs services. The Director who has responsibility for the IT provision needs to ensure that robust IT recovery plans of are incorporated into the BHR CCGs Business Continuity Plans. As of June 2016, the CCGs brought our IT service in house. 4.5 Staffing 4.5.1 The BHR CCGs will identify minimum staff levels for each key function to ensure that in the event of major disruption to staffing (such as illness, transport disruption, industrial action, severe weather) we can continue to maintain critical activities. 4.6 Surge Management 4.6.1 North East London Commissioning Support Unit (NEL CSU) provides this service on behalf of the BHR CCGs. NEL CSU have their own plan and systems in place for surge management and processes for escalation. Details of this will be included in the BHR CCGs Business Continuity Plan. 4.7 Contractor Services 4.7.1 Loss of Contractor Services in respect of NHS England s obligation to provide Primary Care Services e.g. response to unplanned loss of a Primary Care Contractor or Contractor Service is the responsibility of NHS England. 4.8 External Events 4.8.1 The BHR CCGs involvement in external events may have some Business Continuity implications, and these must be considered. 4.8.2 For example, a major terrorist strike in Central London may result in a mass evacuation to the outlying boroughs/counties. The BHR CCGs may find itself having to provide staff to Local Authority reception centres etc whilst having to maintain its own service provision as well as helping to provide support to NHSE to manage any surge pressures. 5.0 Process 5.1 A phased approach to producing the Business Continuity and Service Recovery Plan has been adopted. Version 1.2 Page 5 of 7
5.2 Phase 1 Identification of Functions and Category of each one 5.2.1 The BHR CCGs Joint Management Team have reviewed all functions and agreed which category each function is classed as from the following; Category A Activities which must be continued Category B Activities which can be scaled down Category C Activities which can be suspended if necessary 5.2.2 The next stage is for each team to identify specifically what is required for each function to be able to continue to operate. This will form the Directorate plan and become part of the organisation Business Continuity Plan. 5.2.3 A risk assessment of business continuity incidents occurring which may affect the ability of the CCGs to continue to function will be undertaken and included within the Plan. 5.3 Phase 2 Completion of Function Business Continuity Plans 5.3.1 Directors have identified what is required for each function to be able to continue to operate and have completed a template for each function they are responsible for and these will form part of the overall plan 5.3.2 Review and updating of templates is to be carried out at least annually, or where there is a significant change of circumstances. 5.4 Phase 3 Information gathering 5.4.1 Key contacts, documents and relevant information for each team have been identified within the templates and gathered together by team. 5.4.2 A list of identified critical Information Assets by team has been included in each Plan with specific detail around business continuity plans for each asset. 5.4.3 A separate process has been undertaken by the Senior Information Risk Owner (SIRO) and the Information Governance lead to identify and record each team s Information Assets as part of the Information Governance Toolkit requirements. The SIRO is responsible for ensuring the organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist. The SIRO is supported by Information Asset Owners (IAOs) and Information Asset Administrators (IAAs). The IAOs provide assurance that information risk is managed effectively for the information assets that they own and understanding and addressing risks to those assets. The IAAs are delegated the responsibility for day to day management of information risk of an asset on behalf of the IAOs and provide administrative support as is required to ensure compliance. 5.2.4 All of the above has formed a Business Continuity Plan which has been approved by the each CCG governing body. Version 1.2 Page 6 of 7
5.5 The Plan 5.5.1 All of the above information has formed a Business Continuity Plan which was approved by each CCG Governing Body in December 2013. 5.5.2 The Plan has been issued in electronic format and hard copy to each team, along with all accompanying documentation. In addition each Directorate has been issued with an encrypted USB for emergency planning purposes where the Plan and relevant documentation has been saved. Each Directorate will be responsible for updating this as and when necessary and ensure a full review of the critical information on a quarterly basis. 5.5.3 Each Director has signed to confirm ownership of the plan and agreement that they will make their staff aware that they are responsible for cooperating with the implementation of this policy and relevant plans as part of their normal duties and responsibilities. 5.5.4 A hard copy of the full organisation Plan is kept at each of the 3 BHR CCGs sites. 5.5.5 The BCM policy and business continuity plans are available on the CCGs website and staff intranet. 5.5.6 A formal desktop review of the plans will be carried out annually and regular exercises, including a communications exercise every 6 months, undertaken to test the robustness of the plans, which may result in this policy or the plans being updated. Service-specific procedures and controls will be subject to regular reviews by the Information Asset Owners. 5.5.7 Following review of the plans,if necessary, training will be undertaken by the Directors to ensure that they are fully equipped to carry out their responsibilities around business continuity. 5.5.8 Should the Plan be invoked any lessons learnt will be reviewed and where necessary the plan will be updated by the Business Continuity Lead. 5.5.9 If changes are made to this policy or business continuity plans following a formal review these will go each CCG Governing Body for approval, or a delegated sub committee, and the process for distribution outlined above will be followed. 5.5.10 NHS England has published core standards for Emergency Preparedness, Resilience and Response (EPRR) and those standards specific to Business Continuity Management will be used to ensure the BHR CCGs Business Continuity Plan is fit for purpose. If requested by NHS England we will submit evidence of our conformity to these standards. Version 1.2 Page 7 of 7