Author(s) Interim Governance Consultant Version 1.1 Approval Date October 2016 Approving Body Greenwich Executive Group Review Date October 2017 Policy Category Operational Policy Reference Number 019 Public Sector Equality Duty Equality and diversity are at the heart of the NHS Strategy. Throughout the production of this document, due regard has been given to eliminate discrimination, harassment and victimisation, to advance equality of opportunity, and to foster good relations between people who share a relevant protected characteristic (as cited under the Equality Act 2010) and those who do not share it. This document therefore abides by the Equality and Diversity Act 2010.
Version Control Version Author Date Reason for review 0.1 Hellen Makamure September 2015 0.2 Hellen Makamure September 2015 0.3 Hellen Makamure September 2015 0.4 Hellen Makamure September 2015 New Plan, Statutory Requirement Updated Draft with comments from RBG colleagues Updated draft with comments from Datix Project Manager Updated Draft with comments from Head of Analytical Support 1.1 Anna English October 2016 Updated with new address The Woolwich Centre 1.2 Anna English March 2017 Updated in light of BIAs and new staff Page 2 of 42
Contents Page 1. Contents 2. Glossary of Terms... 5 3. Related Documents... 6 4. Summary... 6 5. Introduction... 6 6. Aim... 7 6.1 Objectives... 7 7. Scope... 7 8. Business Impact Analysis... 7 8.1 Business Critical Functions... 8 9. Risk Analysis... 8 10. Generic Roles and Responsibilities... 9 10.1 Specific Roles and Responsibilities... 9 10.2 Greenwich CCG Governing Body... 9 10.3 Chief Officer... 9 10.4 Director of Integrated Governance... 9 10.5 Director of Finance... 10 10.6 Director of Delivery and Service Transformation... 10 10.7 Business Continuity Operational Lead (Executive Business Manager)... 10 10.8 All CCG Directors and Heads of Services... 10 10.9 Associate Director of Communications... 11 10.10 Human Resources... 11 11. Activation Process and Incident Control Team... 11 11.1 Business Continuity Incident Activation Flow Chart... 12 11.2 Initial Actions... 13 12. Full details of the Incident Control Room... 13 13. Roles and Responsibilities of the Incident Control Team... 14 13.1 Alerting Process for staff... 14 14. Communication Cascade Tree... 15 15. Communications of Incidents... 15 15.1 Media Handling... 16 16. Response and Recovery... 16 Page 3 of 42
16.1 Handover... 17 16.2 Stand down... 17 16.3 Post Incident Actions... 17 17. Finance... 17 18. Incident Logs... 18 19. Debriefing and Reporting... 18 20. Disaster Recovery... 18 21. Health and safety... 19 22. Testing, Exercising and Maintenance... 19 Maintenance Training and Exercising Schedule... 19 23. Training... 19 24. Sources of Evidence... 20 Appendix 1: Business Critical Functions... 21 Priority A- Business Critical Functions: Same day of incident... 21 Priority A- Business Critical Functions: Next working Day... 21 Priority A- Business Critical Functions: Up to 3 working days... 22 Priority B- Business Critical Functions up to 1 week... 23 Priority C- Business Critical Functions up to 2 weeks... 24 Priority D-Business Critical Functions up to 1... 24 Appendix 2: Staffing Requirements to cover Prioritised/ Critical Activities... 26 Appendix 3: Suggested First Meeting Agenda... 27 Appendix 4: Business Continuity Incident Control Team Key Tasks... 28 Appendix 5 Action Cards... 29 Incident Control Manager Action Card... 29 Incident Recovery Manager Action Card... 30 BC Recovery Support Manager Action Card... 31 Communications Action Card... 32 Telephone Operator Action Card... 33 Loggist Action Card... 34 Appendix 6: Initial Response Checklist... 35 Appendix 7: Business Continuity Contingency Plan... 36 Business Continuity Risks and Action/ Contingency Plans... 37 Appendix 8: Key Contacts... 39 Appendix 9: CCG IT Requirements... 40 Appendix 10: Equality & Equity Impact Assessment & EDS2 Checklist... 41 Page 4 of 42
2. Glossary of Terms Term Acrony m Business BC Continuity Business Continuity Management Business Continuity Management System Business Continuity Plan Business Impact Analysis Civil Contingencies Act 2004 Business Continuity Incident Control Team Emergency Planning Resilience and Response International Organisation for Standardisation Maximum Tolerable Period of Disruption BCM BCMS BCP BIA CCA BC ICT EPRR ISO 22301 MTPoD Definition Strategic and tactical capability of an organisation to continue delivery of services at acceptable predefined levels following a disruptive event. A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities. Part of the overall management system that establishes implements, operates, monitors, reviews, maintains and improves business continuity. This includes the organisational structure, policies, planning activities, responsibilities, procedures, processes and resources. Documented procedures that guide the organisation to respond, recover, resume and restore to a predefined level of operation following disruption. Typically, this covers resources, services and activities, required to ensure the continuity of critical business functions. The process of analysing activities and the effect that a business disruption might have upon them. Covers the responsibilities for Category 1 and 2 responders who provide strategic, tactical and operational response in emergencies. Comprises of senior managers/ directors who will manage an emergency/ disruption/ crisis The programme of work in preparation for respond to, a wide range of incidents and emergencies that could affect health or patient care while maintaining services as required by the CCA. The International Standard for Business Continuity management systems providing guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organisations to prepare for, respond to and recover from disruptive incidents when they arise. The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable. This is the duration after which an organisation s viability will be irrevocably threatened... Recovery Time RTO The target time for resuming the delivery of a product or service to Page 5 of 42
Objective an acceptable level following its disruption. This could be a resumption of full service or a phased return over a period of time. 3. Related Documents Greenwich CCG Business Continuity Policy Greenwich CCG Emergency Planning Policy SE London Director on Call Handbook Human Resources Policy SEL CSU Business Continuity Plan 4. Summary Business Continuity is the capability of an organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business Continuity Management (BCM) is the process of achieving business continuity and is about preparing an organisation to deal with disruptive incidents that might otherwise prevent it from achieving its objectives. BCM involves: a) being clear on the organisation s key products and services and the activities that deliver them; b) knowing the priorities for resuming activities and the resources they require; c) having a clear understanding of the threats to these activities, including their dependencies, and knowing the impact of not resuming them; d) having tried and tested arrangements in place to resume these activities following a disruptive incident; and e) making sure that these arrangements are routinely reviewed and updated so that they will be effective in all circumstances. Through business continuity, an organisation can recognise what needs to be done to protect its resources (e.g. people, premises, technology and information), supply chain, interested parties and reputation, before a disruptive incident occurs. 5. Introduction The continued operation of Greenwich Commissioning Group (Greenwich CCG) depends on a given combination of people, space, processes and technology, in connection with a given set of current business assets. Greenwich CCG seeks to provide its services by following a strategic operational plan, the achievement of which is dependent on effective business operations. This plan is to be used to assist in the continuity and recovery of Greenwich CCG in the event of an unplanned disruption. A disruption would be any event that threatens personnel, buildings or operational capacity and requires special measures to be taken to restore normal service. Page 6 of 42
6. Aim This plan aims to define the strategic and tactical capability of Greenwich CCG, to plan for and respond to major business interruptions, to enable Greenwich CCG to continue its business critical functions at an acceptable pre-defined and agreed level. To achieve this aim Greenwich CCG will adopt a system of Business Continuity Management (BCM). This system is delivered following the structures outlined and agreed in Greenwich CCG s Business Continuity Policy. 6.1 Objectives To ensure the delivery of critical functions during a business continuity incident/interruption. To identify individual and organisation wide roles and responsibilities To identify the communication processes and platforms during incidents To identify the escalation and de-escalation procedures for BC incidents To set out the procedures and a framework to mitigate the effects of identified risk areas. 7. Scope This plan covers the alerting process, activation mechanism, roles and responsibilities of the Business Continuity Incident Control Team, guidance relating to command, control and recovery. This plan is flexible and meant to be used as generic guidance in the response to a business continuity incident/interruption. It provides suggested actions that might be effective in response. It does not cover all eventualities as is expected in Business Continuity Management. This plan applies to the functions provided by Greenwich CCG at the following sites: The Woolwich Centre 35 Wellington Street Woolwich SE18 6ND 8. Business Impact Analysis Activities are disrupted by a wide variety of incidents, many of which are difficult to predict or analyse. By focusing on the impact of disruption rather than the cause, business continuity identifies those activities on which the organisation depends for its survival, and enables the organisation to determine what is required to continue to meet its obligations. To this effect, all critical and non-critical functions have been assessed and documented using a Business Impact Analysis (BIA). This will be reviewed and updated on an annual basis based on the changes to the services provided by Greenwich CCG. The Business Impact Analysis was developed through use of Greenwich CCG s Risk Management Strategy based on impacts caused by loss of services/ activities to Greenwich CCG and its stakeholders. The impacts considered included Reputational impact Financial loss Page 7 of 42
Breach of statutory duty/ inspections Negative impact on safety of patients, staff, public Negative impact on quality/ complaints/ audit Staffing and culture (poor morale) The table below outlines the process of determining Greenwich CCG s critical services and their order of recovery priority. All departments assessed each of their activities using the following criterion which forms part of their local level planning. Figure 1: Priority Rating Priority Rating A Maximum Tolerable Period Of Disruption Up to next working day Up to 3 days Impact CCG services, which if disrupted would have catastrophic effects on Greenwich CCG s business objectives almost immediately but some services can operate with reduced resources for up to 3 days B Up to 1 week CCG services, which if disrupted would have major effects on Greenwich CCG s business objectives. Activities can be scaled back for up to a week. C Up to 2 weeks CCG services, which if disrupted would have moderate impact on Greenwich CCG s business objectives and can be scaled back 2 weeks. D Up to 1 and over 1 CCG services, which if disrupted would have negligible effects on Greenwich CCG s business objectives. They will have minimal impact on Greenwich CCG for longer than a. 8.1 Business Critical Functions These are processes and activities which, if interrupted, will cause a business or organisation to sustain a severe economic loss, or jeopardise the continued existence of the organisation or whose loss would cause an adverse outcome for patients. Greenwich CCG s Business critical functions derived from the BIA are listed in Appendix 1 in order of Recovery Time Objectives. The minimum staffing requirements for directorates/ departments are set out in Appendix 2. Due to the nature of Greenwich CCG s business cycle, the order of recovery may vary as the criticality of certain activities is time sensitive, depending on the time of the year. 9. Risk Analysis Possible and considered critical risks to Business Continuity for Greenwich CCG are: Loss of staff Loss of Information Technology and Telecoms Loss of Facilities/Utilities and Buildings Flooding/Severe Weather Page 8 of 42
Infectious Diseases (e.g. Pandemic Flu) Fire Disruption to Transport services (strike/ fuel shortage) Industrial Action 10. Generic Roles and Responsibilities The broad structure of roles and responsibilities within Greenwich CCG for business continuity management are detailed in Greenwich CCG s Business Continuity Policy. In both planning and response, a team approach to all aspects of business continuity is preferable. The lead for BCM with the overall responsibility for business continuity within Greenwich CCG will determine representation from all levels of staff to the adopted system. 10.1 Specific Roles and Responsibilities Specific Greenwich CCG staff will have roles and responsibilities to fulfil as below. A series of Action Cards (Appendix 5) have been produced for each of the potential risk areas that set out the specific roles and responsibilities of staff members, actions to take and in what order. 10.2 Greenwich CCG Governing Body The Governing Body is responsible for the following: Endorsing/ approving the BCM Plan Ensuring BCM is appropriately resourced and embedded into the culture of the organisation Scrutiny of the on-going review, maintenance and exercising of Greenwich CCG Business Continuity arrangements 10.3 Chief Officer The Chief Officer has overall accountability of BCM across the organisation and for meeting the requirements of legislation and guidance and is responsible for the following: Liaising with executive members Activating/ Invoking the Business Continuity Plan Authorising expenditure Receiving updates on service impact Requesting mutual aid Authorising communications strategy and media statements Identifying and briefing internal and external key stakeholders Agreeing future meetings, format and frequency of these 10.4 Director of Integrated Governance The Director of Integrated Governance is Greenwich CCG s Accountable Emergency Officer (AEO) for Business Continuity and Emergency Planning. Their responsibilities include: Page 9 of 42
Chairing the Business Continuity Meeting (Incident Control Team) Confirming resource availability across Greenwich CCG and any requirements Providing an overview of impact on Greenwich CCG Facilitating any mutual aid requests Offering advice on EPRR matters if directly related to the BC incident Advising on data protection issues with support from the Caldicott Guardian Facilitating debriefing post incidents At all other times, the Director of Integrated Governance should: Ensure the organisation has robust BCM plans in place (response and recovery) Report on BCM to the Governing Body Ensure robust strategies for managing any incident/ event 10.5 Director of Finance The Director of Finance is responsible for: Highlighting short/ medium and long term financial impact or requirements Authorising expenditures with Chief Officer s agreement Leading and managing emergency spending cost centres and prioritising urgent payment requests e.g. for equipment, staffing etc. Advising on Information security as the Senior Information Risk Owner (SIRO) Liaising with Head of Analytical Support to provide advice on impact on IT infrastructure, downtime, recovery time/point objectives 10.6 Director of Delivery and Service Transformation The Director of Delivery and Service Transformation is responsible for: Advising on impact or breaches on contractual agreements Advising on short/medium and long term risks with contracts 10.7 Business Continuity Operational Lead (Executive Business Manager) Greenwich CCG BC Operational Lead who is the Executive Business Manager is responsible for: Supporting and overseeing the production, maintenance, validation of the plan Participating in the implementation of, and review findings from BCM exercises Auditing the organisation's level of BCM preparedness 10.8 All CCG Directors and Heads of Services All Greenwich CCG Directors and Heads of services are responsible for: Having input into the Business Continuity Planning for their Directorates Ensuring all the staff are aware of their responsibilities / priorities regarding BCM Page 10 of 42
Facilitating communication cascades to their teams during an incident Report on overall resource issues 10.9 Associate Director of Communications The Associate Director of Communications and communications team are responsible for: Providing information to staff and external stakeholders Informing and advising members of the ICT of any potential reputational issues Dealing with external media enquires Highlighting any issues around communication and platforms Supporting Greenwich CCG media spokes person Multi-agency liaison to ensure a common and consistent message across partners Updating and liaising with other key stakeholders communications team such as NHS England, Department of Health and Local Authority 10.10 Human Resources Identified Human Resources representative is responsible for: Updating on staff absenteeism and overall resource issues Ensuring HR policies in relation to absence/ special leave are followed Advising and assist with urgent recruitment matters for short term staff and long term staff 11. Activation Process and Incident Control Team For the purposes of decision making in the event of a business continuity incident Greenwich CCG Chief Officer has the ultimate responsibility for activating the Business Continuity Plan. In the Chief Officer s absence, the Deputy Chief Officer, the Director of Integrated Governance or any member of the Senior Management team can activate this and request the Incident Control Team to meet. Greenwich CCG may be alerted of a Business Continuity Incident via the On Call Director or internally. Below is Greenwich CCG BC incident escalation procedure as detailed in the BC Policy. Figure 2: BC Incident Escalation Procedure Level Description Escalation 1 All services are operating normally None required 2 Disruption for a short period of time Utilise Action Cards- Escalate if situation does not resolve. Communicate the issue within Greenwich CCG and relevant partners in case there is a wider problem (small isolated problems when aggregated may show a bigger incident on Page 11 of 42
the horizon) 3 Disruption to most CCG services affecting the ability to provide critical services Inform Chief Officer and On call director- CCG Internal incident declared. CCG BC Plan invoked. 11.1 Business Continuity Incident Activation Flow Chart Source Internal/ External CCG Chief Officer Assess risk to individual Greenwich CCG services Is this a major Business Continuity Incident YES NO Activate Corporate Business Continuity Plan Routine Management Processes. No further BC response required Consult Action Plans in Service Level Plans to provide appropriate response following initial assessment LOW IMPACT No actions to be taken. Normal systems can cope MEDIUM IMPACT Alert key officers to put resources and staff on standby or activate the Business Continuity Plan HIGH IMPACT Declare Business Continuity Incident and activate Corporate Business Continuity Plan Page 12 of 42
Following activation of the Business Continuity Plan, the Incident Control Team (ICT) will convene in the Loft or available space. Other choices will be: Meet virtually using teleconference arrangements Use an alternative control room not previously identified but necessary due to the nature of the incident. This could be the Chief Officer s office or other suitable space. The composition of this team will vary depending on the type and scale of the business continuity incident and its actual/potential impact on the organisation. These Officers will include: The Chief Officer Deputy Chief Officer/ Director of Strategy and Performance Chief Finance Officer Director of Integrated Governance Director of Delivery and Service Transformation Business Continuity Operational Lead- (Executive Manger) The Head of Analytical Support may be included in the team where incident is IT related. A representative from Human Resources may be included where incident relates largely to staffing issues In the absence of these Officers, their deputies will have the authority to invoke the Business Continuity Plan. 11.2 Initial Actions On being alerted, the Chief Officer is responsible for: Directing the agreement of roles and initial tasks for members of the Incident Control Team Agreeing on the best location(s) for dealing with incident or whether the best option is a virtual one 12. Full details of the Incident Control Room 1a. Greenwich CCG Offices BG.02 The Woolwich Centre 35 Wellington Street SE18 6ND Business Continuity Accountable Officer : Director of Quality and Integrated Governance Main Incident Control Room number : 02030499091 Communications Number: 07468 716 393 Page 13 of 42
Communications Email: greccg.nhsgreenwichccg@nhs.net Contingency Plan: In the event of CCG Corporate Office being affected by the incident or because the control room needs to be nearer the incident a virtual meeting will suffice. 1b. Virtual meeting arrangements Teleconferencing arrangements 08447620762 Chair and Participant code : 41872# Alternative partner premises may be used with agreement where there is room available and also in case of multi- agency issues arising from Greenwich CCG BC issue 13. Roles and Responsibilities of the Incident Control Team The Business Continuity Incident Control Team is there to ensure the following (Key tasks detailed in Appendix 4 and initial response checklist in Appendix 6): Evaluate the extent of the situation and the potential consequences to business continuity Provide the Executive Members with reports of the scale/impact on normal services posed by the incident Maintain a decision log based on the response to the incident. Authorise the recovery procedures in order to maintain the strategic critical functions of Greenwich CCG Liaise with users and stakeholders who may be involved with the incident. Communicate with relevant partners and stakeholders Arrange for the order of new or replacement equipment to deliver critical services if required consulting with Finance regarding this (a log of expenses should be kept) Establish the return to normal working; (or new normality) after the incident response phase has concluded using recovery plans already established within each individual Service Level Business Continuity Plan. Ensure that any backlog created will be the responsibility of local service managers. 13.1 Alerting Process for staff Managers will verbally or by email or text, communicate information to staff on site or by telephone/mobile to staff away from the office. If it is out of hours, managers will send group text messages to staff (Please refer to Communication Cascade tree). Each line manager will hold their staff s telephone numbers for Business Continuity purposes. Page 14 of 42
14. Communication Cascade Tree On call Director communicates Business Continuity Incident/ Disruption Accountable Officer emails or telephones Chief Officer Deputy Chief Officer SEL CCGs Director on Call Associate Director of Communications All Directors Executive Manager -Operational BC Lead Head of Analytics Chief Officer emails/ Telephones GP Chair Directorate Leads to email/ telephone Associate Directors Head of Services Associate Directors or Heads and Heads of Service to telephone/ email All Directorate Staff Key contacts/ partners for directorate Operational Business Continuity Lead to email or telephone NHS England Other CCGs and providers/rbg SEL CSU Associate Director of Communications Will advise the public and other stakeholders via the CCG internet of the incident as appropriate Director on Call for SE London CCGs will inform other CCGs 15. Communications of Incidents The Communications Team will send accurate and consistent messages and advice to staff and other stakeholders regarding any BC Incident as agreed by the Chief Officer and the BC ICT. Page 15 of 42
Messages sent out during a BC Incident will be clear and advise that the incident is real (this is not a test/ exercise). Below is an example of a message which may be sent out during a Business Continuity Interruption. An incident has occurred at Greenwich CCG, which is affecting our service delivery. Greenwich CCG, in partnership with other organisations, is working to resolve the situation as quickly as possible. The Chief Officer or nominated deputy with support from Communications will: Be responsible for activating communications with other agencies including the emergency services (if necessary) Act as media spokesperson if this is required Agree the frequency of sending out messages and statements; press releases and platforms of communication internally and externally 15.1 Media Handling BC Incidents may attract media attention. The Communications team staff will liaise with the Incident Manager and prepare press releases as necessary. Out of Hours, Greenwich CCG communications function is provided by SE CSU. The Incident Manager (may nominate an alternative media spokesperson who will normally be a member of the BC ICT if the incident requires it. The media spokesperson will be supported by the Communications Team whose main duties will include: Advising and supporting the media spokesperson Fielding and dealing with initial media enquiries Organising media releases and other public statements Organising media briefings where appropriate Monitoring information reported in the public domain 16. Response and Recovery Once a Business Continuity Incident has been declared, the Incident Control Team will devise a phased recovery based on the time frames indicated in the Business Impact Analysis. Following an incident, Greenwich CCG may need to undertake a number of organisational recovery activities which may include but are not limited to the following: Identifying appropriate support mechanisms which can be made available to staff, recognising that staff may be affected directly by the incident Staffing and resources to address the new environment Reviewing key priorities for service provision and restoration Financial implications, remunerations and commissioning agreements Routine annual performance targets Equipment or restocking of supplies Page 16 of 42
The BC Incident Control Team will refer to the appropriate individual contingency action plans (see Appendix 7) in response to an incident where it relates to a risk or threat identified. 16.1 Handover In a prolonged incident it may be necessary for additional members to be brought in to cover the roles of the Incident Control Team. These will be the identified deputies and if unavailable additional suitable senior management can be called in. They will be briefed on key issues and actions taken up to that point. 16.2 Stand down The Chief Officer or Accountable Emergency Officer (AEO), in agreement with the other members of the Incident Control Team and appropriate operational managers and staff will decide when to stand down. After ensuring that the BC incident has been resolved, the AEO will be responsible for activating the cascade of the stand down message to all staff and agencies involved using communication cascade call trees. Prior to the stand down being agreed it is essential that all recovery issues and actions are agreed and activated to assist in the return to normal working arrangements. 16.3 Post Incident Actions It is advised that the AEO or Chief Officer arranges for the following post an incident: a. Ensure internal debriefs are conducted as soon as possible after the incident b. Contribute and participate in any debriefs led by NHS England c. Prepare reports such as: Incident logs from loggist staff Compile a short incident report to include learning points and recommendations Circulate lessons learned to Incident Control Team and BC Manager for assimilation into the revised corporate BC plan d. Ensure Directors implement Recovery Plans for areas where non-critical work was suspended to redeploy staff into critical services where necessary. e. Ensure there is a system in place to deliver the backlog of work along with current workload issues to assist in the return to normal working 17. Finance All decisions relating to Finance will be logged clearly especially where spending is incurred. This responsibility is managed by the Director of Finance as a member of the Incident Control Team. Page 17 of 42
18. Incident Logs A log of all Business disruptions/interruptions/incidents e.g. power, telecommunications, water etc. will be maintained. These will be recorded even if a Business Continuity Incident is not declared. All Business Continuity Incidents/Disruptions will be reported to Greenwich CCG Business Continuity Operational Lead (Executive Business Manager) by e-mail within 24 hours of a minor incident or immediately if a Business Continuity Incident is declared. 19. Debriefing and Reporting The AEO or Chief Officer is responsible for providing Situation Reports (SitREPs) to NHS England as required and providing a post incident report. Immediately after an incident has been stood down, the AEO or Chief Officer should coordinate Hot Debriefs. Hot Debriefs will allow: Staff to express any concerns they may have following the incident The identification of staff who may be in need of support or counselling The organisation to thank staff for their efforts Organisational learning in an honest and open way In addition to the Hot Debrief, a Full Incident Debrief should be called within 3 weeks of the incident. Any officer involved in the response to the incident may be called, as may any associated external agencies. A full debrief report will be submitted to the Chief Officer and to Greenwich CCG Governing Body. The debrief report should Summarise any findings and recommendations Identify lessons to be learnt, and Identify any amendments to the BC Plan Following the incident it will be necessary to review the BC Plan and implement any necessary changes in management methods/processes as well as identify any possible training needs. 20. Disaster Recovery The South East Commissioning Support Unit (CSU) provides Information Technology (IT) and telephony support to Greenwich CCG. In the event of any IT and telephony downtime, the CSU is contacted immediately. The Head of Analytical Support leads on this. Appendix 9 identifies the IT applications that are used within Greenwich CCG and the Recovery Time Objectives as set out by directorates through the BIA process. These have been categorised into Priority Levels, 1, 2 and 3 depending on the RTO. The main servers are located in Bermondsey and back up files are in the triangulation of Lower Marsh and Wimbledon. The CSU Disaster Recovery Plan can be located here: http://nww.southlondoncsu.nhs.uk/resources/pages/policies.aspx?rootfolder=/res ources/documents/ict%20policies&folderctid=0x012000dea48e982618e341b3 BBE6AC9CBB3062&View=%7b1B827514-4A0F-452B-8D1B-C8ACB9F611DB%7d Page 18 of 42
21. Health and safety Care should be taken to manage any additional risks created by staff performing roles they do not normally do during the incident or its aftermath. A risk assessment should be completed for any areas of work which may present additional risks to the welfare of staff. 22. Testing, Exercising and Maintenance This plan must be tested at least annually and the communications cascade should be tested every six s. (See schedule below) Following any exercise, incident or significant change to the organisation it will be necessary to review and update the plan with any lessons identified, gaps or changes. Maintenance Training and Exercising Schedule Scope of Review Frequency Responsible Lead Light touch (Call Cascade) check contact details are up to date and correct Implementing a change programme Table top discussion/ exercise (formal review) check to ensure that all procedures are current and still applicable Every 6 s As required Every 12 s CCG BC Operational Lead/ Executive Business Manager CCG BC Operational Lead/ Executive Business Manager CCG BC Operational Lead/ Executive Business Manager Live exercise Every 3 years CCG BC Operational Lead/ Executive Business Manager Post incident/exercise review After every exercise and incident CCG BC Operational Lead/ Executive Business Manager 23. Training Greenwich CCG Directors and senior managers will be involved in table top exercises annually to test Business Continuity arrangements for Greenwich CCG through various business continuity scenarios. This plan will be reviewed annually as required under the Business Continuity Management Standards ISO22301:2012. Page 19 of 42
24. Sources of Evidence BC (2013) Business Continuity Best Practice Guidelines, London: Business Continuity Institute BS ISO (2012) Societal Security. Business Continuity Management Systems- Requirements, BS ISO 22301:2012, London: British Standard Institute BSI (2006) Specification for Business Continuity Management, BS 25999, London: British Standard Institute Civil Contingencies Act (2004). c. 36, London: The Stationery Office Health and Social Care Act (2012), c.7, London: The Stationery Office PAS 2015 (2012) Framework for Health Service Resilience NHS Commissioning Board Business Continuity Management Framework (service resilience) (2013) NHS Commissioning Board Command and Control Framework for the NHS during significant incidents and emergencies (2013) NHS Commissioning Board Core standards for Emergency Preparedness, Resilience and Response (EPRR) Page 20 of 42
Appendix 1: Business Critical Functions CCG Business Critical Functions within 48hours of incident RTO= Recovery Time Objective / MTPOD= Maximum Tolerable Period of Disruption Priority A - Business Critical Functions: Same day of incident Directorate/ Dept. Activity RTO MTPOD Non Acute Commissioning Non Acute Commissioning Non Acute Commissioning Integrated Governance Integrated Governance Finance / IT Communicatio ns Management of EPRR issues e.g. surge and capacity issues Responding to operational issues in providers which impact service delivery to patients Responding to alerts regarding the quality of care (safeguarding) or of the environment for patients in receipt of CHC and fully funded Nursing Care Business Continuity (development of CCG arrangements and support during incidents) Emergency Planning (development of policies and resilience requirements) Supporting with guidance Maintenance of NDrive Supporting the Incident Control Team in the event of an EPRR or BC incident Same day of incident Same day of incident Same day of incident Immediately Immediately Same Day of Incident 4 hours Next working day Next working day Next working day Same day Same day of incident 2 days Next working day Priority A - Business Critical Functions: Next working Day Directorate /Dept Activity RTO MTPOD Non Acute Commissioning Finance Finance/IT Finance/ IT System resilience planning Financial Accounting (Statutory Accounts / Payments - invoices & payroll) Maintenance of YDD36M552- SQL Server Maintenance of YDD36M551- Reports server Communications Internal communications Communications Communications Maintain CCG website - external communications Receive and manage Media enquiries Next working day Next working day Next working day Next working day Next working day Next working day Next working day 1 week 3 days 1 day 1 day 3 days 3 days 3 days Page 21 of 42
Directorate /Dept Activity RTO MTPOD Medicines Management Advice to local health Professionals on Medicines Management Next working day 1 week Priority A - Business Critical Functions: Up to 3 working days Directorate/ Dept. Activity RTO MTPOD Non Acute Commissioning Commissioning Delivery Plan and operational implementation 3 days 1 week Non Acute Commissioning Point of contact for legal reactive work 3 days 1 week Integrated Governance Complaints, MP Letters and enquiries 3 days Integrated Governance Corporate services (Admin pool X7) provision of admin support to Directors and directorates 3 days 1 week Communications Annual General Meeting 3 days 1 week Communications Annual engagement report to NHS England 3 days 1 week Communications Maintenance of CCG intranet 3 days 1 week Medicines Management Medicines Management Medicines Management Medicines Management Safeguarding Adults and Children Safeguarding Adults and Children Clinical Engagement & Membership Maintain Database for Prescription Support Tool- Script Switch 3 days 1 week Regular Practice Visits to support in-house work (management and audit) 3 days 1 week Work with other stakeholders in agreeing guidelines and formulary regarding medicines Management 3 days 1 week Medicines Safety Officer Responsibility making sure there is a reporting mechanism to MHRA 3 days 1 week Providing safeguarding advice and support to GPs, providers and other agencies 3 days 1 week Responding to serious incidents, serious case reviews and safeguarding adults reviews 3 days 1 week Primary Care Transformation (Developing GP provider networks) 3 days 1 week Page 22 of 42
Priority B - Business Critical Functions up to 1 week Directorate/Dept. Activity RTO MTPOD Finance Financial Management (Budgeting/Budgetary Control/ Reporting) 1 week 1 week Finance Financial Strategy (Financial Strategy / Support to business cases) 1 week 1 Finance Performance (Activity Reporting / Statutory Returns / Business Case Support / Strategic Planning / QIPP 1 week 1 week Finance Risk Management 1 week 1 week Integrated Governance Managing Freedom of Information (FOI) requests 1 week 2 weeks Integrated Governance Management of the Corporate Risk Register 1 week 2 weeks Integrated Governance Management of Board Assurance Framework 1 week 2 weeks Finance/ IT Maintenance of 10.161.211.242- DISCRO Server (CSU) 1 week 2 weeks Non Acute Commissioning Timely and accurate payments of Providers of services commissioned by CCG 1 week 1 Non Acute Provision of data to support contract monitoring and management and forecasting of contractual position 1 Commissioning 1 week Non Acute Commissioning Undertaking legal assessments including CHC and reviews 1 week 1 Integrated Governance Equalities (EDS implementation) 1 week Integrated Governance Quality Services (Management of Quality Alerts) 1 week Integrated Governance Reviewing RCA Investigations/ Serious Incidents 1 week 1 Integrated Governance Management of the Incident Reporting System for CCG employed staff 1 week 1 Integrated Governance Managing reported HCAIs with Public Health 1 week 1 Finance Financial Strategy (Financial Strategy / Support to business cases) 1 week 1 Communications Publications - Annual reports/ Integrated reports 1 week 1 Communications Receiving and managing FOIs 1 week 1 Communications Media campaigns - winter campaign 1 week 1 Medicines Management Performance and Financial Reporting Practice Level and QIPP level 1 week 1 Strategy and Performance Quarterly meetings with NHS England 1 week 1 Strategy and Performance Responding to NHS England on Performance Assurance and Delivery 1 week 1 Strategy and Performance Monitoring Provider Performance 1 week 1 Clinical Engagement & Membership Managing CCG Primary Care Steering group 1 week 1 Non Acute Commissioning Deprivation of Liberty Assessments 1` week 1 Page 23 of 42
Directorate/Dept. Activity RTO MTPOD Non Acute 1 Commissioning Safeguarding and monitoring of compliance 1 week Priority C - Business Critical Functions up to 2 weeks Directorate/ Dept. Activity RTO MTPOD Strategy and Performance Programme and Project Management for individual work streams e.g. Better Care Fund 2 weeks 1 Clinical Engagement & Membership Organisational Development 2 weeks 1 Non Acute Commissioning Programme and performance management of QIPP and BCF 2 weeks 1 Strategy and Performance Monitoring and Development of QIPP 2 weeks 1 Priority D - Business Critical Functions up to 1 The Business Impact Analysis also identifies those functions that are less critical and could be suspended for a period greater than 1. These are documented in the table below: Directorate/ Dept. Activity RTO MTPOD Non Acute Commissioning Maintenance of robust contracting management 1 Non Acute Commissioning Commissioning of Non-Acute care 1 1 Non Acute Commissioning Project and programme management for service redesign 1 Non Acute Commissioning Quality Assurance Reporting to CCG Governing Body 1 Non Acute Review of Action Plans in place to review areas of noncompliance Commissioning with National contracts 1 Non Acute Commissioning Responding to NHS England on performance assurance and delivery - TOP 8 1 Non Acute Commissioning Procurement 1 Non Acute Commissioning Providing training support to care homes to build operational resilience and prevent LAS conveyance 1 Integrated Governance Contract Monitoring Meetings 1 Communications Facilitating Ministerial visits 1 1 Communications Facilitating public engagement events 1 1 Medicines Management Analysing Prescription data on behalf of practices and share quarterly 1 Page 24 of 42
Directorate/ Dept. Activity RTO MTPOD Medicines Management Develop and disseminate ly newsletter on prescribing including ad hoc news flash for very important messages from Department of Health and NHSE 1 Medicines Management Work with the CSU regarding contract issues 1 Safeguarding Adults and Children Safeguarding Adults and Children Safeguarding Adults and Children Safeguarding Adults and Children Safeguarding Adults and Children Safeguarding Adults and Children Providing assurance to Greenwich CCG on provider safeguarding performance 1 1 Developing policy, procedures and safeguarding strategies for Greenwich CCG and monitoring adherence to these Attending relevant provider safeguarding meetings - seeking assurance on behalf of Greenwich CCG 1 1 Supporting multiagency safeguarding boards and partnership working 1 1 Safeguarding training for CCG staff and providing training support to GP Lead for safeguarding Ad hoc training for providers on safeguarding 1 1 Strategy and Performance Providing Information to the Health and Wellbeing Board and Council 1 2 s Strategy and Performance Developing Organisational Direction/ Strategic Plans 1 3 s Strategy and Performance Supporting the Commissioning Cycle 1 3 s Strategy and Performance Monitoring of Constitution Standards 1 Clinical Engagement & Membership Workforce development in Primary Care 1 Clinical Engagement & Membership Facilitating GP Education and Training (PLT) 1 Clinical Engagement & Engagement with GP membership around Membership commissioning matters and getting feedback. 1 Clinical Engagement & Membership Clinical engagement and contracting commissioning project leads 1 Clinical Engagement & Membership Helping GP surgeries with OT solutions requirements 1 week 1 Clinical Engagement & Membership Developing Primary Care strategy 1 Clinical Engagement & Membership CCG representation for coordinated care 1 Page 25 of 42
Appendix 2: Staffing Requirements to cover Prioritised/ Critical Activities The following minimum staffing requirements were identified across the different directorates within Greenwich CCG for a short period of time lasting up to 1 week maximum. (These requirements will be dependent on the nature of the incident, the time of the year in relation to commissioning activities and duration; therefore may need to be scaled up). Directorate/ Dept. Integrated Governance Minimum Staffing Requirements Director of Integrated Governance Executive Business Manager Compliance Manager 3 Admin staff Safeguarding 1 Designated nurse for safeguarding Adults and Children Communications Associate Director of Communications Medicines Management 1 Associate Director of Medicines Management 2 Prescribing Advisors 1 Pharmacy Advisor 1 Nurse Finance Chief Finance Officer 2 Accounting managers Information Manager- Head of Analytical Support Strategy and Performance GP engagement and membership Non Acute Commissioning Care Home Support Team Continuing Health Care Associate Director of Strategy and Performance Performance Manager Staff should be able to communicate virtually where they are working in different locations due to denial of access Minimum staff of 4 over 2 weeks maximum Head of Clinical Engagement and Membership Development Primary Care Development Manager Director of Service Delivery and Transformation Associate Director of Service Delivery and Transformation 1 Commissioning Manager Head of Integrated Commissioning 3 staff (will focus on key areas of the programme identified at the particular time) 4 nurses (Mental Health; Learning Disability and 2 Adult Nurses) GARRI Project 1 Nurse Information Management Head of Analytical Support 1 Analyst Page 26 of 42
Appendix 3: Suggested First Meeting Agenda Incident Venue Date & Time 1. Confirm the chair (AEO) if not available Deputy AEO 2. Set aims and objectives 3. Create a common understanding of the emergency and impact on Greenwich CCG 4. Agree the matters for urgent attention 5. Agree tasks and who is to lead on them 6. Establish communication and information links with other stakeholders 7. Consider the media strategy and messages to staff and other stakeholders 8. Identify and prioritise the strategic/ tactical risks 9. Consider long term operational issues e.g. Team rota if incident likely to be over 8 hours 10. Agree frequency of meetings if future meetings are likely 11. Agree authorisation of expenditure 12. Any other Business 13. Date and Time of next meeting Page 27 of 42
Appendix 4: Business Continuity Incident Control Team Key Tasks 1 Activate the Incident Control Room plus agenda for first meeting 2 Risk assess the nature of the incident and its effects 3 Determine the size of the problem and establish the resources needed to deal with it 4 Ensure that arrangements are in place to ensure the safety of staff and clients; 5 Ensure all identified prioritised activities are able to continue throughout the disruption. Immediate focus on Priority A (Critical Functions with an RTO of up to 3 days) then Priority B onwards. 6 Agree if necessary which non prioritised activities can be suspended and when ensure that MTPoD s and RTOs are adhered to as per Service Level BIA information. 7 Take expert advice as appropriate; 8 Liaise with internal and external dependencies and stakeholders 9 Liaise with other organisation services and recovery teams if set up. 10 Agree communication arrangements between agencies 11 Consider who else needs to be notified / involved 12 Establish the second shift of members (post 8 hours) and notify as soon as possible. 13 Keep the Chief Officer informed on the management of the incident if not directly involved with the response 14 Maintain accurate records 15 Consider the need for special recovery measures e.g. document recovery in floods 16 Consider the welfare of all staff engaged in managing the incident and arrange appropriate relief Recovery Focused Tasks 17 Declare the incident over and stand down staff 18 Conduct debriefs 19 Produce a detailed report of the incident. Page 28 of 42
Appendix 5 Action Cards Incident Control Manager Action Card Nominated Person Role Chief Officer/ Deputy 1. To liaise with Chief Officer or others regarding incident 2. To implement an initial risk assessment 3. To activate the Incident Control Team 4. To act as a spokesperson for Greenwich CCG at strategic meetings and any possible media interviews Having been alerted of a Business Continuity Incident, you need to consider what actions to take. Use this action card as a checklist, but keep an accurate record of messages and decisions given on your personal log 1 On being alerted of BC incident, confirm detail with On call Director (if this is out of hours) 2 Obtain further information 3 Confirm steps being taken to mitigate effects/ impact 4 Implement risk assessment for scoping purposes 5 Alert others 6 Activate Incident Control Team 7 Act as a spokesperson for Greenwich CCG 8 Activate stand down following a response and inform Director On call 9 Initiate Debrief post incident Page 29 of 42
Incident Recovery Manager Action Card Nominated Person Role Director of Integrated Governance To lead and manage the recovery response to a business Continuity incident, establishing return to normal working Having been alerted you now need to consider what actions are needed. Use this action card as a checklist, but keep an accurate record of messages received or given on your personal log sheet. 1 Agree responsibility and immediate actions with the Incident Control Team Manager 2 Agree on operating base for the Incident Control Team 3 Alert incident team members - ask them to report to incident control room via Communications Cascade. 4 Ask the BC Manager to set up the Incident Control Room 5 Convene a meeting of Incident Control Team Agree Greenwich CCG Priorities (Prioritised activities continuity as per service level recovery plans) 6 Maintain Liaison with all relevant departments during the response 7 Second meeting - establish second shift of ICT members post 8hrs 8 Staffing considerations ( with Recovery Support Manager) 9 At the end of the incident - Ensure Post Incident Report is prepared Page 30 of 42