BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency...

58
OFFICIAL - SENSITIVE Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group Page 1 of 58 BUSINESS CONTINUITY PLAN Additional copies of this plan can be found in the Incident Control Room located in the office next to the Boardroom, second floor, Charter House and also the on-call pack issued to Directors and Managers.

Transcript of BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency...

Page 1: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 1 of 58

BUSINESS CONTINUITY PLAN

Additional copies of this plan can be found in the Incident Control Room located in the office next to the Boardroom, second floor, Charter House and also the

on-call pack issued to Directors and Managers.

Page 2: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 2 of 58

DOCUMENT CONTROL SHEET Document Owner: Director of Operations Document Author(s): Director of Operations Version: 5.8 Final Directorate: Operations Approved By: Governing Body

Date of Approval: 21 July 2016

Date of Review: July 2017 Change History:

Implementation Plan:

Development and Consultation

EPRR Consultant Executive Team

Dissemination Staff can access this policy via the intranet and will be notified of

Version Date Reviewer(s) Revision Description

1.0 July 2013 Valerie Penn Updated following JW comments

2.0 August 2013 Valerie Penn General update following Draft Business Impact Assessments

3.0 October 2013 John Webster Whole Document Review – Updates to Plan, Business Impact Assessments and Policy Statement in line with EPRR Core Standards

4.0 November 2013

Valerie Penn Updated following Exec Comments

4.1 Draft January 2015 Oskan Edwardson Annual Update – for approval

5.0 Final January 2015 Jas Dosanjh Formatting

5.1 Final April 2015 Jas Dosanjh

Sharn Elton

Appendix 3 updated.

Critical Functions of the Operations Director added to Appendix 4

5.2 Final June 2015 Anne Ephgrave Critical Functions of HR added to Appendix 4

5.3 Final July 2015 Phil Turnock Addition of ‘Objectives for the Recover of Services’ and updated Appendix 4 Critical Functions of HBL ICT Shared Service

5.4 Draft September 2015

Jas Dosanjh

Sharn Elton

Update in line with NHSE EPRR Framework and Toolkit requirements

5.5 Draft February 2016 Jas Dosanjh Formatting and updated Business Impact Assessment included

5.8 Draft July 2016 R Steadman Review of Business Impact assessments to ensure consistent methodology used. Minor text changes

Page 3: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 3 of 58

new/revised versions via the staff briefing.

This policy will be included in CCG Publication Scheme in compliance with the Freedom of Information Act 2000.

Training Staff will be made aware of the emergency and business continuity response arrangements within the plan at their corporate induction training, and will also be made aware of where the overarching and departmental plans can be located.

The skills and knowledge of Incident Commanders and staff at an operational level will be achieved and maintained through regular training and exercising as documented in the training and exercising annual programme which covers:

Awareness training, including roles/responsibilities,

Incident coordination centre training,

Communications testing and exercising.

If there are any significant changes to the plan, then this will be communicated to departmental leads to cascade to all staff. Business Continuity arrangements w i l l be exercised at least once a year in order to validate the effectiveness and highlight any gaps which can then be corrected.

Monitoring and

Review

This document will be reviewed on an annual basis or when there are changes in the working systems of the organisation; or major changes to the contact arrangements of staff or suppliers that affect the content.

It is the responsibility of the identified departmental leads to update local departmental plans on an ongoing basis and the Business Continuity Lead to ensure the generic section of this document is kept update.

The plan will be used/deployed when the ability of the CCG to carry out its statutory duties are compromised.

The plan will be exercised and tested every two years; incident management will account to testing and exercising, in accordance with the processes defined within the Major Incident Plan (including testing with dependent stakeholders).

Equality and Diversity

January 2015 - Equality Impact Assessment (Appendix 5)

January 2015 - Privacy Impact Assessment (Appendix 6)

Associated CCG Documents

Major Incident Plan

System Escalation Plan

Major Incident Action Cards

Incident Control Centre Plan

CCG Strategic Risk Register / Risk Controls and Assurance Dashboard

References The ISO Standard for Business Continuity (ISO 22301) British Standard NHS Business Continuity Management

(BS25999)

Page 4: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 4 of 58

Contents

Section No.

Section Name Page No.

1.0 Introduction 5

2.0 Scope 6

3.0 Purpose 7

4.0 Definitions 7

5.0 Role and Responsibilities 8

6.0 Plan Activation 8

6.1 Business Continuity Management Team (Crisis and Recovery Team)

9

6.2 Continuing Services in the Event of a Disruption 10

6.3 Insurance/Incident Costs

14

6.4 Communications and Alerts

14

6.5 Record Keeping

15

Appendix 1 Business Continuity Management – CCG Policy Statement

17

Appendix 2 Business Recovery Template 18

Appendix 3 Key Contacts List 20

Appendix 4 Business Impact Assessment

- Template and Summary

21

Appendix 5 Equality Impact Assessment 57

Appendix 6 Privacy Impact Assessment 58

Page 5: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 5 of 58

1.0 Introduction

The Civil Contingencies Act 2004 came into force in November 2005 and focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders (such as CCGs) as Category 2 Responders. It is a requirement of the Act that the CCGs have Business Continuity Plans in place to support the CCG’s Major Incident Plan.

1.1 Policy statement

It is the policy of East and North Hertfordshire Clinical Commissioning Group (CCG) to develop, implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

It is the policy of the CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to respond appropriately and continue to deliver its essential functions and that we are able to respond to the needs of our local population. A service interruption is defined as:

‘Any incident which threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions.’ (www.cabinetoffice.gov.uk/ukresilience).

The CCGs Policy Statement is provided at Appendix 1.

1.2 Resources

The CCG recognises its obligations with regards to emergency planning, resilience, responding to major incidents and business continuity. Funds, as identified as being necessary, will be made available in the event of a major incident to ensure the CCG meets its obligations with respect to these.

1.3 Emergency Planning - Business Continuity The Cabinet Office’s “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders” describes seven expectations regarding the Civil Contingencies Act (2004), Regulations (2005) and guidance:

1. Duty to assess risk

2. Duty to maintain plans – Emergency Plan

3. Duty to maintain plans – Business Continuity

4. Duty to communicate with the public

5. Business Continuity Promotion

6. Information sharing

7. Cooperation

Clinical Commissioning Groups are Category 2 Responders and as such will be required to co-operate with Category 1 Responders in the event of an emergency. They are also required to have Business Continuity Plans and Major Incident Plans. These requirements will be achieved in three stages:

Page 6: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 6 of 58

Stage 1 – A Business Impact Assessment: The impacts of the loss of staff, communications, data systems, transport and buildings. Appendix 4 provides details of the Business Impact Assessments undertaken at Departmental level within the CCG. Some functions are hosted by or delivered through contracts with other organisation’s, and where applicable details have been included within the assessments..

The Business Impact Assessments include prioritized activities that have been linked to the Business Continuity Corporate Risks. The Business Impacts Assessments detail: - Responsibilities of key staff and departments, - Responsibilities of the appropriate Accountable Emergency officer or Executive

Director, Stage 2 - A Business Continuity Plan: The measures to be taken internally in the event of such a loss. The Business Continuity Plan will comprise the mitigating actions arising from the Business Impact Assessments, taking into consideration the key risks that could potentially cause service disruption resulting in the plans being evoked. Information of the key contacts that will instigate the relevant mitigating actions and the contact details of all staff that might have to undertake those actions are also included - be it communicating with others or changing their way of working. Stage 3 – A Major Incident Plan: The measures to be taken in support of Category 1 responders in the event of an ‘Emergency’. This details the organisation’s response to:

an event or situation which threatens serious damage to human welfare;

an event or situation which threatens serious damage to the environment;

War, or terrorism, which threatens serious damage to the security of the UK. The CCG is required to equip nominated staff with the Major Incident Plan, the Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans have been built on experience and will be subject to a desktop test, as part of best practice, in order that they are further refined. The result of the desktop testing will be reported to the CCG Governing Body.

2.0 Scope

The scope of this plan is to provide overarching organisational guidance of business continuity management and the invocation process within the CCG,

Page 7: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 7 of 58

and an outline of responsibilities. The following table indicates the links with other CCG and System Resilience Plans:

Document

Community Risk Register The CCG is a Level 2 responder for Emergency Preparedness Resilience and Response which will be led by the NHS England Midlands and East (Central Midlands) Area Team. These plans will be owned by the Local Resilience Forum with input from the Local Health resilience Partnership. However, the CCG will have a role in planning for and responding to the relevant incident.

LRF Flood Plan

LRF Pandemic Influenza Plan

LRF Severe Weather Plan

3.0 Purpose

The purpose of the Business Continuity Plan is to outline the responsibility of the CCG and their staff in the event of a crisis in order to maintain as normal a service as practically possible. The over-riding aim is to ensure a prompt and efficient recovery of critical activities from any incident or physical disaster that may affect the CCG’s ability to operate and deliver their commissioning service in support of the NHS economy. It must be recognised that any event not only impacts on staff, premises, technology and operations, but also on the CCG’s brand, status, relationships and reputation and that all business continuity arrangements should ensure that the CCGs meet their legal, statutory and regulatory obligations to both their staff and dependent stakeholders.

4.0 Definitions

4.1 Business Continuity Management: Business Continuity Management is the process that helps manage the risks to the

smooth running of the organisation in the delivery of its services, ensuring that essential business can continue in the event of a disruption and can be sustained in the event of an emergency. It is aimed at reducing or eliminating the risks of business interruption and it is necessary to have contingency plans in place to ensure normal business functions can be resumed as soon as possible.

For the NHS, Business Continuity Management is defined as the management process that enables an NHS organization to:

Identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation.

Identify and reduce the risks and threats to the continuation of these key services.

Develop plans which enable the organisation to recover and/or maintain core services in the shortest possible time.

There are many and varied possible causes of service disruption; these may range from the loss of infrastructure e.g. offices; buildings; IT systems; managing a power cut or extreme weather to arranging service provision during an emergency or epidemic. These events may not be mutually exclusive i.e. extreme weather can lead to loss of electricity or staff being unable to get to work.

4.2 A Service Interruption can be defined as ‘Any incident which threatens

personnel, buildings or the operational procedures of an organisation and which

Page 8: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 8 of 58

requires special measures to be taken to restore normal functions’ 5.0 Roles and Responsibilities

Overall accountability for the smooth running of the organisation lies with the CCG’s Accountable Officer. The Director of Operations is the lead director for Business Continuity and will be responsible for providing positive assurance to the Governing Body on the CCG’s plans.

5.1 Executive Directors The Executive Directors are responsible for maintaining their individual services,

and for alerting the need to activate Business Continuity Plans if such an event occurs within their directorate.

5.2 Designated Associate Directors and Assistant Directors

The Designated Associate Directors and Assistant Directors must ensure that any changes of contact details of key staff noted in their plans are updated as required, that their Directorate plans are reviewed at least annually and that any new services that are developed are included in the plans.

5.3 Lead for Emergency Preparedness, Resilience, Response and Business

Continuity

The Director of Operations takes the role of lead for Emergency Preparedness, Resilience, Response and Business Continuity and will provide specialist guidance during the invocation of the Business Continuity Plans. The Chief Finance Officer takes the lead for Business Continuity arrangements within the CCG, which is a critical function of the organization.

5.4 Communications Team The Communications Team will be responsible for informing the public of events

where necessary, following agreement of the Accountable Officer or Director of Operations (designated deputy), and will also keep staff informed of developments as appropriate.

5.5 CCG Staff All CCG employed staff are responsible for co-operating with the implementation of

the Business Continuity Plans as part of their normal duties and responsibilities. 6.0 Plan Activation

A nominated post holder from each department will decide in discussion with the Heads of Department and the Director of Operations whether the plan or any part of it should be activated using the process in the following flow chart. Out of hours the decision will be made with the direction of the on call CCG director/manager

Page 9: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 9 of 58

6.1 Business Continuity Management Team (Crisis and Recovery Team)

A team will be convened t o oversee the process of ensuring essential services are maintained and that recovery plans are put into place, Membership may include the following:

Director of Operations or nominated Deputy

Associate Director where incident has occurred

Assistant Director of Communications

Estates representation (as required)

Any other personnel deemed necessary, i.e. representative of HR, specialist advice, etc.

The team will meet initially on a daily basis and will keep notes of the meeting, actions taken, resources committed, and progress made using the template a t Appendix 3.

Incident Control Centre location and resources: located in the Office next to the Boardroom, Second Floor, Charter House, WGC. Includes additional paper copies of

Page 10: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 10 of 58

this Plan.

The Major Incident Plan includes the scalable plan setting out how the command and control arrangements will be managed and by whom.

6.2 Continuing Services in the event of a Disruption

As part of the Business Impact Assessment process, a critical function analysis has been carried out to determine those parts of the service that are a priority to maintain or reinstate. The CCG is responsible for commissioning a wide range of patient services to the local population and the following will be restored and maintained as soon as is practically possible.

Maintaining an emergency response and support to Category 1 responders;

Incident investigation;

Mobilisation of the workforce, and support for staff safety and welfare;

Provision of IT (through a shared service (called Herts Beds and Luton ICT Shared Service) with ENHCCG as the host for this service);

Maintaining communications with the general public and CCG staff;

Essential Finance functions; including the making and receiving of payments;

Essential HR processes;

Safeguarding adults and children; and

Continuity of contract management responsibilities

System leadership role.

Objectives for the Recovery of Services

The recovery of Services in a Disaster Recovery or Business Continuity scenario is defined by two Objectives:

Recovery Time Objective (RTO): is defined as the time period after a disaster at which business functions need to be restored.

Recovery Point Objective (RPO): is the maximum period of time based data loss (relative to the disaster) which cannot be recovered.

The Business Impact Assessments include details of the activity surge plan to ensure that critical services are maintained in periods of peak activity, including the maximum periods of tolerable disruption for all critical activities, and how the recovery/restoration principles will be managed and by whom. The critical function analysis also identifies those functions that are less critical and could be suspended, in light of the RTO and other timescales that may be identified within the Business Impact Assessments.

Service Function Length of time function can be suspended

Financial management 7 days

Planning services - preparing commissioning plans 28 days

Commissioning services through pathway development and redesign

28 days

Contract management – acute contracts 14 days

Page 11: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 11 of 58

Contract management – community and third sector 14 days

Performance and data analysis 14 days

Governance duties to ensure continuous compliance with statutory duties

14 days

Partnership working to ensure joined up working to improve the health and wellbeing of patients

14 days

Support and guidance to member practices 14 days

Quality and safety 14 days

Administration 14 days

If an incident occurs and this plan is activated, permission will be sought from the Accountable Officer, or in their absence the Director of Operations (or nominated Deputy) to suspend the mainstream service functions detailed above and release the CCG staff who cover these functions to provide support to critical functions provided in other areas of the CCG.

The plan will be activated in accordance with the processes outlined in the Major Incident Plan and the Incident Control Centre Plan, including the escalation system in place and who assumes responsibility at each stage (as well as action cards and aide memoirs for use by key team members). Through the Business Impact Assessments, each department has identified its own critical functions that are required to maintain its service and have their own local departmental plans which a r e accessible in both paper copy and electronically. It is the responsibility of designated Associate/Assistant Directors to communicate the location of these plans to their staff.

In the event of an emergency, or business interruption, the CCG will endeavor to maintain services as usual or as close to the usual standard as possible. However, where it is clear that this is not achievable, the Head of Service in conjunction with the Director of Operations (or on-call Director/Assistant Director if out of hours) will decide which priority functions of the department must continue, depending on the nature of the business interruption.

There are some generic areas that could potentially affect all departments and these are described below:

6.2.1 Failure of IT Systems

The CCG, like many organisations, rely upon IT systems for their day to day business. A disaster that prevents the organisation from accessing these systems whether caused by the failure of the systems themselves, or being due to an incident such as fire or flooding will potentially have a serious impact on the continuation of the CCG’s functions. IT system failures may include:

Loss of email,

Loss of internet,

Loss of Microsoft Office Applications,

Loss of access to stored documents (shared server),

Loss of individual IT systems/applications,

Page 12: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 12 of 58

Major IT network outage.

While it is impossible to consider and document a recovery plan for every disaster that may occur the impact of the loss of IT systems to each department is covered in the individual departmental plans and it is expected that they can be adapted to cater for any specific incident. If there is a failure in the IT system or any stand-alone computer for important data for a prolonged period of time, staff will need to change to a paper back-up system where possible to capture the data so that this can be recorded on the system retrospectively.

The development of telecommunications that are reliant upon the IT network makes it likely that telephone failure will also result from any IT network failure. The priority in which restoration is required will depend on the service area and is detailed in individual departmental plans.

If there is a loss of hardware or software through theft or damage then advice should be sought from the IT provider and the incident reported to the CCG’s Governance and Corporate Affairs (via the Company Secretary).

The maintenance of the CCG IT systems is provided by the Herts Beds and Luton ICT Shared Service (HBL ICT) under a Service Level Agreement (SLA). Under the terms of this SLA, HBL ICT will invoke their Emergency Disaster and Recovery Plan to cope with any event causing prolonged interruption of service.

The standard RPO and RTO within the agreed partnership service agreements is:

RPO – 1 day from date of failure

RTO = 24 hours from the time of failure

Restoration of services will be managed through the agreement ICT Major Incident processes which will include full engagement of the CCG executive. Whereby the standard RPO or RTO cannot be achieved, this will be brokered with the CCG Executive during the respective phases of the Major Incident process.

6.2.2 Failure of Telecommunications

The telephone lines are provided under contract with BT, and the system is under a maintenance contract with Vodafone.

Each departmental plan identifies in more detail the actions required should the telephone systems (including mobile telephony) be inactive. The priority in which restoration of phone lines are required will depend on the service area and if crucial will be detailed in individual departmental plans.

CCG contact in the first instance: HBLICT Service Desk on 07799 895274* (Note:- this number is only activated if the Phone System is down at Charter House).

If electricity has failed then prior consideration needs to be given to the ability to recharge mobile phone batteries.

6.2.3 Loss of Records

Where there has been a loss of records (electronic and paper), the processes

Page 13: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 13 of 58

defined within Records Management Policy will be followed. Each departmental plan identifies in more detail the actions required should there be a loss of electronic/paper records.

6.2.4 Failure of Utilities – Electricity / Gas / Water Supplies

Resolution is via NHS Property Services, the CCG contact in the first instance is NHS Property Services.

The fault should be reported and a request made as to whether they are able to give an indication of the length of time the supply will be unavailable.

If heating is lost an assessment should be made to the effect of the loss of the heating related to the time of year and the forecast temperature as to whether services can continue from the affected location.

For plumbing emergencies: contact NHS Property Services

In the event that the water supply fails the impact of the following must be assessed:

Toilets

Hand hygiene

Drinking water 6.2.5 Loss of Building

If premises are unable to be used then services may need to be suspended or relocated. Local departmental plans detail who to contact and measures to be taken where there is a denial of premises (including actions taken in the event of a fire or flood).

Alternative locations for staff will include HCT HQ at Howard Court, HPFT HQ at Waverley Road, St Albans and HVCCG HQ at Hemel Hempstead. Initiation of these arrangements will be agreed by the Director of Operations (or nominated Deputy) or by agreement with the on-call Director/Manager. The Incident Control Centre Plan includes information on alternative locations where the service/activity could be delivered from in case of denial of access to Charter House and Fountain House. The plan also includes details of any provisions for staff to be accommodated overnight if the incident dictates and how this would be activated via pre-agreed arrangements.

6.2.6 Fuel Shortages

In the event of a fuel shortage the ability to maintain services may be affected. If it has been necessary for the invocation of the National Fuel Plan then the Business Continuity Management Team will be convened to oversee the management of the situation within the CCG

It is unlikely there will be provision of fuel for staff to get to their work base and the responsibility for alternative travel arrangements is with the individual members of staff in discussion with their line manager.

6.2.7 Staff Shortages

Page 14: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 14 of 58

The absence of staff will have a varying effect depending on their role. In some cases roles can be covered by other staff but others may be highly specialised and necessary arrangements will be detailed in departmental plans as to whether a service can continue particularly if the service depends on that person alone. Potential threats related to staff shortages include;

Loss of staff (>25%),

Serious injury to, or death of, staff whilst in the office,

Significant absence due to severe weather or transport issues,

Pandemic flu,

Simultaneous resignation or loss of key staff.

There may be a scenario when a number of staff are all incapacitated at the same time such as pandemic influenza. The departmental manager will be responsible for assessing the impact on the ability to continue to provide a service and what contingencies can be put in place, and whether some non- critical services can be cancelled as detailed in the individual departmental plans.

6.2.8 Other

Other areas that could potentially affect departments may include the following, this list is not exhaustive:

Terrorist attack or threat affecting the transport network or office locations

Theft or criminal damage

Chemical Contamination

Infectious disease outbreak

Industrial action

Fraud, sabotage or other malicious acts The Severe Weather Response Plan includes details regarding the impact of severe weather (including snow, heat wave, prolonged periods of cold weather and flooding), and should be referred to in such circumstances.

6.3 Insurance/Incident Costs The insurance arrangements in place which may apply to incidents are:

Corporate Liability Insurance

NHS Litigation Authority The incident costs will be tracked by use of unique cost centres to assist and supplies/replacement equipment will be managed/maintained throughout the disruptive incident via a specific EP cost centre.

6.4 Communications and Alerts

The CCG will respond to a significant incident in line with the formal organisation Communications Strategy and processes defined within the Major Incident Plan.

The Major Incident Plan sets out the alerting mechanism for external and self-declared incidents, including trigger points and escalation procedures.

Page 15: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 15 of 58

If an event occurs that is so severe that alternative arrangements for the provision of care commissioned by the CCGs need to be communicated to internal and external stakeholders, as well as the local population, this will be carried out via the Assistant Director of Communications after discussion with the Director of Operations.

The internal (Appendix 3) and external stakeholders that could be affected by the disruptive incident, especially around service delivery, could include the following and specific details have been included within the Business Impact Assessments:

Providers including Primary Care,

Neighboring CCG’s,

Social Care, County and Borough Council.

The process for receiving and cascading warnings, and other communications before, during and after a disruption or significant event, and any resilient communication systems used is as follows:

Alerts (i.e. Met Office) received into the CCG’s EPRR mailbox ([email protected]) are cascaded by the Operations Team to all Senior Managers, AD’s and Directors on-call,

For incident management, the CCG has a secure nhs.net email account,

The Incident Control Centre Plan documents how Senior Managers, AD’s and Directors can remotely access the account.

Mechanisms for informing the relevant partners including, but not limited to, other CCG’s, NHS care providers, and NHSE detailed in the Major Incident Plan. There is also a Hertfordshire Communications Group in place to support the management of consistent messaging to the public.

6.4.1 CCG On-Call Arrangements

The 24-hour arrangements for alerting managers and other key staff are in place as per the CCG on-call system arrangements in/out of hours, which are as follows:

All calls centrally received to the CCG on-call phone to be answered by the allocated Senior Manager/AD/Director on-call as per the centrally agreed rota

09:00 – 17:00 Monday to Friday (in hours) – Day Manager on-call acts as first point of contact.

The contact details (including relevant key stakeholders) are updated on a 6-monthly basis as part of the review of the CCG on-call folder, and HR hold a list of all staff contacts which can be accessed remotely via the intranet.

6.4.2 Local Cooperation

The Major Incident Plan documents how the independent healthcare sector may be used in a disruptive incident to assist in service delivery. It also outlines how mutual aid from other NHS providers can be requested if a disruptive incident occurs.

6.5 Record Keeping

The processes for the listed actions below will be managed in accordance with the guidance as outlined in the Major Incident Plan, including details on how the;

Page 16: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 16 of 58

organisation will maintain their incident logs, and minutes of meetings during and after the meeting,

post incident report will be produced including how a debrief will be held to identify lessons,

lessons identified from the incident will affect future plans.

Page 17: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 17 of 58

Appendix 1

Business Continuity Management Policy Statement “Business Continuity Management (BCM) is an important part of NHS East and North

Hertfordshire CCG’s risk management arrangements. The Civil Contingencies Act (CCA)

20041

identifies all CCGs as ‘Category 2 Responders’, and imposes a statutory

requirement on each CCG to have robust BCM arrangements in place to manage

disruptions to the delivery of services.

It is the policy of NHS East and North Hertfordshire CCG to develop implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

The aim of Business Continuity Management is to prepare for any disruption to the continuity of the business, whether directly - i.e. within the responsibility control or influence of the business, or indirectly - i.e. due to a major incident occurring to a partner, supplier, dependent or third party, or from a natural disaster.

It is recognised that plans to recover from any disruption must consider the impacts not only to our staff, premises, technology and operations, but that NHS East and North Hertfordshire CCG must also plan to maintain its brand, status, relationships and reputation.

Business Continuity arrangements should ensure that the CCG continues to meet i t s legal, statutory and regulatory obligations to its staff and to its dependent stakeholders. All NHS East and North Hertfordshire CCG departments are to continue to develop and implement BCM for their areas of business.

In order for this to be achieved, members of each department have been nominated as Business Continuity Leads to represent their part of the business for Business Continuity Management. These individuals are responsible for reviewing and maintaining the departmental Business Continuity arrangements within the CCG. To ensure that the BCMS fully meets the changing needs of the business all Business Continuity Plans will be exercised, reviewed and audited annually.

In accordance with the NHS England Guidance2, NHS East and North Hertfordshire CCG

BCMS will be in accordance with and aligned to the ISO 223013.”

…………………………………………………… …………………………… Beverley Flowers Date Accountable Officer

1 NM Government (2004) Civil Contingencies Act 2 NHS England (2013) Board Business Continuity Framework 3 ISO 22301 Societal Security - Business Continuity Management Systems – Requirements

Page 18: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 18 of 58

Appendix 2

Business Recovery Template

Reason for Invoking Plan: Date: Time:

Brief Summary of Situation:

Department/s Affected:

Other Organisations Involved / Alerted:

Date:

Page 19: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 19 of 58

Actions Required (including Resources)

By Whom Communication requirements

Status update

Immediate:

Within 8 Working Hours:

Within 1 Working Day:

Within 3 Days:

Within 1 Week:

Situation to be reviewed every ……….. hrs / ……. days

Page 20: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 20 of 58

Appendix 3 Key CCG Contacts

Page 21: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 21 of 58

Appendix 4 Business Impact Assessments

Version:

Ratified by: Governing Body

Date ratified: 21 July 2016

Job title of originator/author: Director of Operations

Name of responsible committee/individual: Accountable Officer

Date issued: July 2016

Review date: July 2017

Target audience: All CCG staff

* The full Business Impact Assessments can be accessed via the local network drive: Click here -->

CRITICAL FUNCTIONS*:

Operations Directorate

Operations and Resilience p.22

Continuing Healthcare p.22

Nursing and Quality Directorate:

Quality Team p.23

Human Resources p.24

Finance Directorate:

Finance (including Financial Services, Contracting, Information Team) p.25

Governance and Corporate Affairs p.26

Commissioning Directorate

Commissioning Team p.27

Pharmacy and Medicines Optimization p.28

Strategic Planning (including Programme Office) p.29

Chief Executives Office:

Communications (including Engagement) p.29

HBL ICT p.32 Contingency - Priority for the Restoration of Services [Recovery Time Objective (RTO)]:

1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an

essential service/function 2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band 3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not

prevent provision of an essential service/function 4. Important: Within 3 days – Will affect services without causing danger to patients 5. Necessary: Within 7 days – Minor disruption to services 6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience 7. Non-Urgent: Within 28 days – Will involve non-urgent repair

Page 22: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 22 of 58

Directorate/Team: Operations Directorate:

Operations and Resilience Team

Key Contacts: Sharn Elton – Director of Operations

Jo Burlingham – Assistant Director of Operations and Resilience

Phil Lumbard – Assistant Director Urgent Care

Gerry Moir – Assistant Director Performance

Jo Field – Head of Performance

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Provide System Leadership Quality of services and experiences of our patients

System oversight

A2 – Maintain emergency and day to day operational management

Quality of services and experiences of our patients

System oversight

A3 – Maintain on call response in and out of hours

Quality of services and experiences of our patients

System oversight

A4 – Maintain category 2 responder role Quality of services and experiences of our patients

System oversight

B – Activities which could be scaled down if necessary

B1 – Performance oversight and delivery Quality of services and experiences of our patients

System oversight

C – Activities which could be suspended if necessary

C1 – Attendance at external meetings where the CCG is a partner

Partnership working

Service developments/Decision Making

Directorate/Team: Operations Directorate:

Continuing Healthcare

Key Contacts: Sharn Elton – Director of Operations

Alison Sansom – Assistant Director CHC

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Ensuring CHC functions are performed in relation to procurement of care to support patient flow through system

A2 – Responding to new fast track referrals (adults and children case management of care packages) to ensure safeguarding

If not responded to on the same day there could be a risk to patient care as these are urgent cases

B – Activities which could be scaled down if necessary

B1 – Ensuring CHC functions are performed in relation to agreeing funding for children with complex care and contract management

Page 23: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 23 of 58

B2 – Responding to new non-fast track referrals (adults and children case management of care packages)

B3 – Ensuring eligibility and maintenance of Funded Nursing Care process

Local authority my not be reimbursed with the fees in a timely manner

C – Activities which could be suspended if necessary

C1 – Case management/review to ensure appropriate patient placement and allocation of CHC funding

Patients may not be appropriately placed, or continued payment for CHC where not/no longer eligible

Directorate/Team: Nursing and Quality Directorate:

Quality Team

Key Contacts: Sheilagh Reavey – Director of Quality and Nursing

Cath Slater – Associate Director, Quality and Patient Experience

Jessica Linskill – Lead Nurse, Quality

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Responding to urgent safeguarding alerts, issues

If alerts, issues not actioned potential safety risk to patients

A2 – Complaints and PALS; responding to and actioning urgent concerns raised

If urgent issues not addressed, potential harm to patients could occur

A3 – Hotline enquiries relating to patient safety or urgent issues

If urgent issues not addressed, potential harm to patients could occur

A4- Serious Incidents; any new SIs identified to be shared with providers for immediate action and investigation

If urgent issues not addressed, potential harm to patients could occur

B – Activities which could be scaled down if necessary

B1 – To ensure statutory functions are maintained for safeguarding adults and children

Statutory requirements may not be met

B2 – Complaints and PALS; routine processing of enquires received

Local and national targets may not be met, patients dissatisfied with service provided and concerns remain unresolved.

B3-Serious Incidents; co-ordination and review of provider SIs

National timescales may not be met. Risk that quality issues in provider RCAs may not be identified, affecting learning from SIs

B4- Hotline; processing of routine enquiries

Risk that local targets will not be met. GPs dissatisfied with service and key themes not identified.

B5- Quality Assurance; undertaking Quality Review Meetings, Quality Visits, analysing and monitoring providers in relation to quality standards

Lack of assurance to CCG, may be delay in identifying quality issues.

B6- Individual Funding Requests, Prior Approval and Choice; processing of funding requests and providing patient choice service

Risk that procedures will be undertaken that would not have been approved for funding. Risk that patients will not be offered choice.

C – Activities C1 – CQUIN/ Quality Schedules; on- Lack of development of schemes

Page 24: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 24 of 58

which could be suspended if necessary

going monitoring and contract negotiation cycle

could affect future provider contracts. Performance issues may not be identified in a timely way, however key issues would be identified via alternative functions.

C2 – Regular reporting to Quality Committee, Board, localities etc.

Low risk, key issues and headlines would be shared with committees and Board as required.

Directorate/Team: NURSING AND QUALITY DIRECTORATE:

Human Resources

Key Contacts: Sheilagh Reavey – Director of Nursing and Quality

Anne Ephgrave – Head of Human Resources

Jenny Holland – Senior HR Advisor

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Delivering statutory functions, including staff pay

If staff are not paid on time, it may result in difficulties regarding their personal situation and/or non-/limited working

A2 – Performing HR functions ensuring ability to respond to basic HR issues and concerns, including staff wellbeing

Risk of employment tribunal if could not perform HR functions.

A3 – Maintenance of HR compliance for safety of the organisation and staff

Risk of litigation and fines from violation of regulations and lack of compliance.

A4 – Management of formal ER cases/issues

Legal challenge where management is not within set timescales.

B – Activities which could be scaled down if necessary

B1 – Recruitment of staff to core functions

Potentially a gap if critical core functions not recruited to (clinical safety, staff wellbeing)

B2 – Reporting to the Executive regarding adherence to statutory governance arrangements

Risk of being unable to roll out a statutory change within required timeframe.

B3 – Informal ER cases/issues Potential to escalate to a formal review where not managed within set timescales

C – Activities which could be suspended if necessary

C1 – Corporate Induction training programme

Risk new starters wouldn’t receive some of their mandatory training and not gain the understanding of how the CCG operates.

C2 – Policy reviews Risk that they would not be

Page 25: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 25 of 58

conducted within required time frame.

C3 – Mandatory Training such as IG training & Learning and Development.

Risk of IG breach due to lack of training and non-compliance with regulations.

C4 – Joint partnership forum Risk of industrial action.

Directorate/Team: Finance Directorate:

Financial Services, Contracting, Information Team

Key Contacts: Alan Pond – Chief Finance Officer

Noreen Coles – Deputy Chief Finance Officer

Edward James – Assistant Director Financial Services

Holly Fairhurst – Assistant Director of Contracts

David Hodson – Head of Information

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Management of the DoS DoS unable to be re-profiled

A2- Authorisation for patient transport Delays to authorising transport requests

A3 – Payments to key suppliers / NHS Trust and other healthcare providers

Payments to staff, key supplies to services & service disruption

B – Activities which could be scaled down if necessary

B1 – Access to invoicing and payments system within 3 days

Impact on ability to manage the CCG with risk of statutory requirements not being met and other financial objective not being achieved

B2 – Monitoring financial position within 3 days (within 1 day if within first week of month)

Unable to provide support to provider organisations

B3 – Monthly reports to NHSE and Annual Accounts (if the latter in March or April)

Loss of reputation, failure to achieve CCG statutory duty

B4 – Finance support to commissioning Loss of financial control/delays in agreeing contracts if January/February/March

B5 – Financial planning Delays in agreeing investments/savings/contracts

B6- Response to FOIs Delay in responding to FOIs

B7- Sending monthly validations to Providers

Financial loss to CCG if providers are not in agreement to revise deadlines for validations to be submitted

B8- Contract sign off No contract in place between CCG and Providers

B9- Enacting Contract Levers (Information Breach Notices and Contract Performance Notices)

Delays to implementing contract levers

B10 Scale down payments frequency Loss of Reputation. Cash flow issues to small suppliers. Possible

Page 26: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 26 of 58

and move to urgent payments only impact on delivery goods and services.

B11 Extend the time between reviewing and reconciling ledger to key control accounts

In the short term ledger may not be a true reflection of spend. Cash forecast targets may not be achieved

C – Activities which could be suspended if necessary

C1 – Monthly reports to Governing Body and localities

Loss of financial control if long period

C2 – Finance support to business cases and localities

Delays in proceeding with investments or wrong decisions taken

C3 – Production of monthly budget statements re running costs

Loss of financial control if long period

C4 – Attendance at Contract Review Meetings with Providers

Unable to hold Providers to account and implement contractual levers where required

C5 – Credit control Short term cash issues

Directorate/Team: Finance Directorate:

Governance and Corporate Affairs Team

Key Contacts: Alan Pond – Chief Finance Officer

Sarah Feal – Company Secretary

Richard Steadman – Interim Head of Risk Management

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 –) Day to day management of On-call rota

Risk that in and out of hours response will not be available centrally

A2 – Letter of claim related to C3 needs to be sent to NHSLA within 24 hours

Risk that CCG will not be adequately protected from legal claims

B – Activities which could be scaled down if necessary

B1 – Coordination of FOI responses (target of 85% within 20 days)

If target not met, action could be taken by Information Commissioners Office

B2 – Reporting of IG breeches (need to notify ICO within 48 hours)

If target not met, action could be taken by Information Commissioners Office

B3 – Administration of meetings – minutes/ papers for the Governing Body, Governance and Audit Committee, Quality Committee, IG Forum

Loss of record of accountability / decision making/ record keeping / public record

B4 – Managing Conflicts of Interest Requirement to declare in accordance with Health and Social Care Act.

CCG Constitution requirement to keep register up to date.

C – Activities which could be suspended if necessary

C1 – Provision of Training (Risk Management, including Health and Safety)

Statutory and Mandatory training requirement may not be met

C2 – Managing Gifts and Hospitality Reporting requirement to

Page 27: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 27 of 58

Register Governance and Audit Committee

C3 – Coordination of Clinical Negligence Cases from Solicitors to enable reporting to NHSLA

14 day turnaround with NHSLA

C4 – Updating of policies/procedures Staff wellbeing - access to current guidance

C5 – Coordination of the Strategic Risk Register and Risk Controls Assurance Dashboard updates

Information may not be current, however updated three times/year , low risk

C6 – Coordination of Internal Audit reports/recommendations

Head of Internal Audit opinion, if the CCG can’t provide assurance for implementation of recommendations

Directorate/Team: Commissioning Directorate:

Commissioning Team

Key Contacts: Harper Brown - Director of Commissioning

Trudi Southam - Interim Associate Director Planned Care

Helen Edmondson - Associate Directorate Commissioning and Locality Development

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Coordination of Primary Care Capacity and Liaison with Area Team (NHSE)

Managing access to primary care and impact on secondary care, A&E etc.

A2 – Responsiveness to commissioned services for urgent patient specific queries/clinical management

Impact on timeliness in providing advice

A3 – Urgent communications to Primary Care

Public Health Communications / Significant Service Provision Failure / Serious Incidents

A4 – Primary Care Quality Assurance

Delay in investigating / resolving patient safety concern.

B – Activities which could be scaled down if necessary

B1 – Approval mechanism to authorize payments by finance directorate

Impact on ability to meet financial obligations re payments and risk of Primary Care service disruption

B2 – Management of Locality Meetings and Target Events

Impact on ability to maintain clinical engagement and locality focused commissioning/decision making

B3 – Service Redesign/Development Programmes

Delay in delivery of quality and performance improvements

B4 – Performance monitoring for CF /Enhanced Services

Risk that local targets will not be monitored against agreed timescales.

B5 – Research management and development

Failure to discharge statutory duties with resultant loss of income/ delay to clinical studies.

C – Activities C1 – Non urgent meetings Disruption to CCG/Directorate

Page 28: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 28 of 58

which could be suspended if necessary

programme of work

C2 – Strategic healthcare estates planning

Failure to meet DH Target dates and missed opportunities to secure national funding.

Directorate/Team: Commissioning Directorate:

Pharmacy and Medicines Optimisation Team

Key Contacts: Harper Brown – Director of Commissioning

Pauline Walton - Interim AD & Head of Pharmacy & Medicines Optimisation

Sue Russell - Lead Pharmacist (CCG Localities)

Stacey Golding - Lead Pharmaceutical Advisor - Governance

Maxine Davis - Lead Pharmaceutical Advisor - Care Prescribing

Colin Sach - Lead Pharmaceutical Advisor - Acute Commissioning

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – The provision of clinical support and personnel for ‘front line’ patient facing services at times of pandemic and/or other public health emergencies

Inappropriate/delayed clinical advice and treatment

Financial risk

B – Activities which could be scaled down if necessary

B1 – To ensure the provision of expert prescribing advice in a timely manner to GP practices, non-medical prescribers, pharmacists, Acute and MH Trusts etc

Clinical risk, financial risk, reputational risk

B2 – To ensure the strategic oversight of medicines optimization and patient safety

B3 – The provision of expert advice concerning the map of medicine

B4 – Non medical prescribing approval of applications and support for prescribers and dispensers around all primary care secure and non-secure supplies

B5 – Local/national initiatives such as raising antibiotic awareness

B6 - Signing off invoices

B7 – The provision of weekly clinical support to intermediate care beds in Jubilee Court (Stevenage) and Garden City Court Care Home (Letchworth)

No medicines reconciliation, patients in intermediate care not receiving the correct medicine.

Contractual obligations to Quantum Care

B8 – Individual treatment requests, high cost drugs and invoice validation

Financial risk if drugs are funded that would not normally be approved.

In breach of NICE guidance

Risk of judicial review

Reputational risk

B9 – The provision of expert advice to CCG commissioners on the managed entry of new medicines and medical devices

Page 29: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 29 of 58

B10 – Clinical medication reviews of care home patients – Vanguard Project

Limit to responding to urgent queries from the quality team. Risk of not meeting outcomes required by Vanguard

C – Activities which could be suspended if necessary

C1 – The oversight of every aspect of financial management in respect of prescribing and medicines usage

C2 – Locality prescribing meetings, Hertfordshire Medicines Management Committee, Primary Care Medicines Management Group

C3 – Monitoring of prescribing, key performance indicators

Directorate/Team: Strategic Planning (including Programme Office)

Key Contacts: Beverley Flowers – Accountable Officer

Harper Brown – Director of Commissioning

Jacqui Bunce - Associate Director of Strategy

Grant Neofitou – Head of Programme Office

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

B – Activities which could be scaled down if necessary

B1 – Administration of meetings – minutes/ papers for Joint Commissioning Body, OPD, Long Term Conditions Committee

Loss of record of accountability / decision making/ record keeping / public record

B2 – Attendance at meetings Loss of face to face to contact as part of normal business processes

B3 – Telephone access Reliance on email or face to face contact with relevant colleagues

C – Activities which could be suspended if necessary

C1 – Reporting of projects and work streams

Lack of information to commission and plan services.

C2 – Usual place of work Not all staff have remote access working

Directorate/Team: Chief Executive Office:

Communications (including Engagement)

Key Contacts: Beverley Flowers – Accountable Officer

Hari Pathmanathan - Chair of Governing Body

Nuala Milbourn – Assistant Director Communications

Page 30: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 30 of 58

Heather Marshall – Communications Manager

Ewan Marshall – Web development and digital communications officer

Lynda Dent – Head of Patient Engagement

Mark Edwards – Patient engagement manager

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 - Communications to GP practices about service disruption, service suspensions or other issues affecting business continuity. Including :-

1. Acute in-hours home visiting service

2. Problems with capacity at the hospital trust

3. Appeals for doctors to assist with additional shift with Herts Urgent Care

4. Information about industrial action

5. Severe weather advice and guidance

6. Loss of referral routes or services due to factors outside of the CCG’s control

This would mean that GPs would be unaware of the service disruption, suspensions or other issues resulting in :- - Continuing to refer very poorly patients to the acute in-hours visiting service when there is no capacity for them to be visited at home. -Continuing to refer to patients to A&E where they could experience a long wait for treatment. As a result they might not seek alternative treatment pathways for their patients. - GP practices would not be able to encourage GPs to make themselves available for additional shifts to help Herts Urgent Care to deliver services at pressurised periods. CCG guidance on the implications of industrial action for primary care would not be issued directly to practices. Severe weather information and advice for patients and practices – such as heatwave information for vulnerable patients or changes to pathology sample collection times due to bad weather, could not be issued Urgent changes to referral information, such as a loss of a particular fax or phone number due to technical problems, could not be communicated to practices, which would mean that patients would not be able to access the services they need.

A2 - Communications to the public and the media via the CCG’s website, the New QEII Hospital website, media releases and social media about service disruption, service suspensions, epidemics, heatwaves or other issues affecting services the public rely on, e.g

Patients and carers would not be aware of the following should they occur. - That their planned or emergency GP services are not available -That their planned or emergency

Page 31: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 31 of 58

1. Disruption to GP services

2. Disruption to hospital services

3. Disruption to pharmacy services

4. Proactive and reactive communications to the media about issues which could have a negative impact on the CCG’s reputation as a commissioner of NHS services

5. Proactive and reactive communications to the public and the media about circumstances which could have a significant impact on health and wellbeing, such as a heatwave or the outbreak of an infectious disease.

hospital visits would not be possible - That they could not visit the pharmacy to collect essential medication. -The CCG’s stakeholders and the public would lose confidence in the organization - That they should take precautions or positive action to protect their own health and the health of the family, friends and neighbours

A3 - Communications to GPs and health professionals on policy and protocol updates, including:

1. Updating the Beds and Herts priorities forum, which is accessed through the CCG’s website

2. Supply urgent briefing material in response to requests from NHS England’s Parliamentary hub

Clinicians across Beds and Herts would not have the up-to-date referral information that they need for patients.

ENHGCC would not be able to account for its actions to Ministers and MPs in the House of Commons.

A4 - Communications with other NHS organisations, provider organisations and public sector partners on issues of significant mutual concern and interest where a joined-up approach to messaging is required.

There is a risk that important messages both within the health system and beyond would not be coordinated effectively, leading to public confusion or unnecessary duplication.

B – Activities which could be scaled down if necessary

B1 - The GP bulletin could be produced more quickly as a word document.

Some of the functionality of the GP bulletin, such as the open rate information and information on which articles have been read, would be lost

B2 - The staff magazine could be replaced by all-staff emails covering urgent issues specifically.

Staff morale could be negatively affected and the open rate of all-staff emails could decrease.

B3 - Proactive campaign and event work could be scaled down.

The impact and reach of the CCG’s own campaigns and our support for national campaigns would be diminished. This would mean that fewer people receive important health and wellbeing information

B4 - The extent of partnership communications work could be scaled back.

This could lead to confusion and duplication of messages or important messages being missed.

C – Activities C1 The weekly staff round-up email Staff would not be as aware of

Page 32: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 32 of 58

which could be suspended if necessary

could be suspended

policy updates, health stories in the media or training sessions.

C2 The Friday learning hours

Staff would not be as aware of ‘bigger picture’ health and social care information which could have a positive impact on their day-to-day work or personal circumstances.

C3 The design and printing of leaflets could a) be contracted out to an agency or b) information could be provided on simple word documents instead

This would be more costly and would probably take up more officer time than producing leaflets in-house.

Information that is produced to a lower quality might not be as valued or trusted by patients.

C4 Suspension of patient and carer member meetings

Patient and carer members would not be aware of the issues facing local health services and communicate that to their communities

Directorate/Team: HBL ICT

Key Contacts: Phil Turnock – HBL ICT Shared Services Director

Simon Carey - Assistant Director HBL ICT, Business Relationships &

Assurance

Keith Fairbrother – HBL ICT Head of Infrastructure

Essential/Priority activities undertaken: Risk to activities:

A – Activities which must be continued

A1 – Infrastructure as a Service Loss of Datacentre, loss of networks

A2 –Service Desk as a Service Loss of IaaS, loss of telephony

A3 – RA and SmartCard Loss of IaaS, loss of site

B – Activities which could be scaled down if necessary

B1 – Procurement, Finance Loss of Iaas, loss of site

B2 – Asset Management Loss of IaaS,

C – Activities which could be suspended if necessary

Page 33: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 33 of 58

Business Impact Assessment Summary

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3 A1 - A4

B1 - B6

C1 - C2

A1 – A4

B1 – B3

C2

B1, B2 B1 A1

B2

C1

B1, B2, B3, B4,

B6, B7, B8,

B9,B10, B11

A1-A3,

B1-B5

All A1,A3,A4,

B2,C1,C4

4 A1-A4

5

6

7

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Loss of

email

l Use of NHS.net if

available

l Prioritise

responses in terms of

date

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Use of telephone

system, Application

portals

l Network and

service monitoring in

place. Failover to

alternative datacentre

l Communications

team needs access to

outlook web via Ipad.

Page 34: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 34 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3 A2 B8,B9 A1-A4, B1-B4,C1-

C4

4 A1 – A4

B1 – B6

C1 – C2

A1

B1

C3

C4 C2 A1

A2

B2

B1-B5,

C1-C3, A1,

B10, B11

B3,B5 A1,B1-B7

B10

C1-C3

5 A2-A3

C3

6 A1-A4

7

Loss of

internet

l Network and

service monitoring in

place. Failover to

alternative datacentre

l Hard copy also

posted

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Page 35: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 35 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1

2 All A1

3 B8,B9

4 A1

B1,B3

C2

5 A1-A4 A1 – B6

C1 – C2

A4 B3

C2 to C6

C1 C1 B1-B5,

C1-C3,

B8-9

B4,C1 A1,B1-B7

B10

C1-C3

B1,B2

6

7 C1

Loss of

Microsoft

Office

l Copies of key

documents stored in

PDF format

l Use of other

programmes and

saving formats

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Page 36: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 36 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1

2

3 All A1

4 A1-A4 A1 – A4

B1 – B6

C1 – C2

B1

C2

C4

B3

C1 to C6

C1 C1 B1-B5, C1-C3,

B8, B9, B10, B11

B3,B4 All A3,B1,B2,

C3,C4

5

6

7

Loss of

access to

stored

document

s (servers)

l Where available,

use of hard copies,

desk-top, and email

attachments

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Copies of key

documents stored on

alternate servers and

on intranet

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Page 37: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 37 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All N/A N/A N/A

2

3 A1 All B8,B9

4 A2 – A4

B2 – B4

B6

B1-B3, C1, C3,

A1, B7,

B10, B11

A1,B1-B7

B10

C1-C3

5 A1-A4

6 A1-A4,

B1-B4

C1-C3

7

Loss of

individual

IT

systems/

applicatio

ns

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Copies of key

documents stored on

alternate servers and

on intranet

l Recover from

backup

l Restoration of QA

plus for CHC team

l Use of alternative

desktop/laptop/other

IT interface.

l Backup system

Waverly Road

l ESR can be accessed

remotely via the

internet

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Page 38: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 38 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3 A1-A4

B1-B3

C1-C4

B8,B9 A1-A4

B1-B4

C1-C3

4 A1-A4 A1 – A4

B2 – B6

C1 – C2

B1 to B4

C1 to C6

B1 to C2 A1

A2

B2

A1, B1-B11, C1-

C3,

B1-B5 A1,B1-B7

B10

C1-C3

5

6

7

Major IT

network

outage

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Use of telephone

and hard copies

l Backup system

Waverly Road

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Page 39: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 39 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All N/A N/A

2

3 A1-A4

4 A1-A4 B2-B6 All A2,B10,B11 A1-A3

B2

All A2,A4

5

6 C1-C2 All

7

Failure of Telecoms

Loss of

telephone

communic

ation

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Use of email and

mobile phones

l Network and

service monitoring in

place. Failover to

alternative datacentre

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 40: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 40 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All A1 B3 N/A N/A

2

3 All A2,A4

4 A1-A4 A1-B6 A1-A3

B2

5

6 C1-C2 All

7

Mobile

telephony

failure

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

l Use of email,

landlines & post.

l Network and

service monitoring in

place. Failover to

alternative datacentre

l For on-call ICT to

complete central

divert . If mobile

network is not

working =

a) Divert to landline,

b) Use another

landline number,

communicate to

NHSEIf mobile

network is working

but divert function

fails = On-call

switchover phone

physically passed from

one manager to

another

Failure of Telecoms

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 41: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 41 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 N/A

2

3 All All

4 A1-A4 A1-B6 B1

C2

C4

B1 - B4

C1 - C6

B1 - C2 B1-B9,

C1-C3

A4

B3-B4

All

5

6 C1-C2

7

Loss of Records

Loss of

electronic

reports

l Alternative copies

stored on email

l Back up important

documents and retain

hard copies.

l Copies of key

documents stored on

alternate servers and

on intranet

l Report to HBLICT

Service Desk -

Managed in

accordance with

actions identified

within the ICT

Business Impact

Assessment

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 42: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 42 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 N/A N/A

2

3

4

5

6 A1-C2

7 A1-A4 All B3

C4

C1 C1 B8,B11 B4 B6,B7,B8

Loss of Records

Loss of

paper

records

l Use electronic

copies

l Version control and

document stroage

processes.

l Back up important

documents

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 43: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 43 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3 A1-A4

B1-B4

C1-C4

4 A1-A4 A1-B6 A4,B1,B3,C1,

C3,C4

A1

B1 -B4

C1 - C6

All A1

A2

B1

A1, B7, C4

B10,B11

C1 All

5

6 C1-C2

7

Failure of Utilities

Failure of

Utilities

l Use alternative

premises:

HCT,ENHT,HPFT

County Council,

HVCCG,Home

working,VPN and RAS

l Denial of site - RAS

token access for users

l Failover to alternate

datacentre

l Telephone

conferencing

l ICC plan identifies

mutal aid provision

with HVCCG

l Increase

communication and

maintain team

stability

l Prioritise essential

tasks in 24hr time

frames.

l Review roles of

team to ensure

efficient use of

resources

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 44: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 44 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3 A1-A4

B1-B4

C1-C4

4 A1-A4 A1-B6 A1-A4,

B1-B3,

C1-C4

A1

B1 - B4

C1 - C6

C2 A1

A2

B1

A1-A2, B7, B10

B11,C4

C1 All

5

6 C1-C2

7

Loss of building

Denial of

premises

l Use alternative

premises:

HCT,ENHT,HPFT

County Council,

HVCCG,Home

working,VPN and RAS

l Telephone

conferencing

l Denial of site - RAS

token access for users

l ICC plan identifies

mutal aid provision

with HVCCG

l Increase

communication and

maintain team

stability

l Prioritise essential

tasks in 24hr time

frames.

l Review roles of

team to ensure

efficient use of

resources

l Managed in

accordance with

tenancy agreement

with NHS Property

Services

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 45: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 45 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 All

2

3

4 A1-A4 A1-B6 A1-A4,

B1-B3,

C1-C4

A1

B1 - B4

C1 - C6

C2 A1

A2

B1

B2

A1-A2, B7,

B10,B11

C1 All A1-A4

B1-B4

C1-C4

5

6 C1-C2

7

Fire or

Flood

l Use alternative

premises:

HCT,ENHT,HPFT

County Council,

HVCCG,Home

working,VPN and RAS

l Denial of site - RAS

token access for users

l Failover to alternate

datacentre

l Telephone

conferencing

l ICC plan identifies

mutal aid provision

with HVCCG

l Increase

communication and

maintain team

stability

l Prioritise essential

tasks in 24hr time

frames.

l Review roles of

team to ensure

efficient use of

resources

Loss of building

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 46: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 46 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1

2

3

4 All

5 A1-A4 A1-C2 A1-A4,

B1-B3,

C1-C4

A1

B1 - B4

C1 - C6

C2 A1

A2

B1

A1-A2,B7

B10,B11

C1 All A1-A4

B1-B4

C1-C4

6

7

Fuel shortages

Fuel

shortages

l Use alternative

premises:

HCT,ENHT,HPFT

County Council,

HVCCG,Home working

VPN and RAS

l Denial of site - RAS

token access for users

l Telephone

conferencing

l ICC plan identifies

mutal aid provision

with HVCCG

l Increase

communication and

maintain team

stability

l Prioritise essential

tasks in 24hr time

frames.

l Review roles of

team to ensure

efficient use of

resources

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 47: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 47 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1

2 All

3

4 All B8,B9

5 A1-A4

B1-B4

C1-C4

6 A1-A4 A1-A4,

B1-B3,

C1-C4

7 A1-A4

B1-B6

C1-C2

A1

B1 - B4

C1 - C6

All A1-A2,

B2-B11,

C1,C3,C4

A1-A4

B1-B5

A1,B1-B7

B10,C1-C3

Simultane

ous

resignatio

n or loss of

key staff

l Re-assign tasks /

responsibilities

l Formal review of

portfolios

l Consider

appointment of

successor

l Resignation period

of handover

l Documentation and

cross training to

remove SPOF

l Engage HR for

recruitment process

l Use of Agency staff

l Review of priorities

and team roles

Staff shortage/ Loss of Staff

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 48: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 48 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1

2

3 A1-A4 A1

B1 - B4

C1 - C6

All A1

A2

A1-A2

B1-B11

C1-C4

A1-A4

B1-B5

All A1-A4

B1-B4

C1-C4

4 All A1-A4

B1-B6

5

6 C1-C2 A1-A4,

B1-B3,

C1-C4

7

Significant

absence

due to

severe

weather or

transport

issues

l Reassign

tasks/responsibilities

l Severe Weather

Policy

l Use alternative

premises depending

on where staff live:

HCT,ENHT,HPFT

County Council,

HVCCG,Home working

VPN and RAS

l Denial of site - RAS

token access for users

l Telephone

conferencing

l Prioritise essential

tasks in 24hr time

frames.

l Formal activation of

the incident

coordination plan

l In hours utilize duty

manager to support

critical functions

l Out of hours – on

call director

Staff shortage/ Loss of Staff

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 49: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 49 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1

2 A1-A4 A1

B1 - B4

C1 - C6

All A1

A2

A1-A2

B1-B11

C1-C4

All B1-B10 A1-A4

B1-B4

C1-C4

3 C1-C3

4 All A1-A4

B1-B6

5

6 C1-C2 A1-A4,

B1-B3,

C1-C4

7

Pandemic

Flu

l Re assign tasks/

responsibilities

l Home working VPN

and RAS

l Denial of site - RAS

token access for users

l Cross Training and

Documentation

removing SPOF

l Formal activation of

the of the Incident

coordination Plan

l Telephone

conferencing

l Invoke

Hertfordshire

pandemic influenza

plan

l In hours utilize duty

manager to support

critical functions

l Prioritise essential

tasks in 24hr time

frame

l Out of hours – on

call director

Staff shortage/ Loss of Staff

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 50: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 50 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1-A4 A1

B1 - B4

C1 - C6

All All A1-A2

B1-B11

C1-C4

A1-A4

B1-B5

All A1-A4

B1-B4

C1-C4

2

3 A1-C2

4 All

5

6 A1-A4,

B1-B3,

C1-C4

7

Serious

injury

to,or

death of,

staff

whilst in

the office

l Assign responsible

officer

l Provide appropriate

response

l Cross Training and

Documentation

removing SPOF

l Identify senior staff

to provide support to

individuals and teams

l Level and type of

support will be

dependent on nature

of incident and

individual

circumstances

l Consider whether

individual or group

debrief sessions

would be of benefit

l Reassign urgent

work

Staff shortage/ Loss of Staff

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 51: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 51 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1-A4 A1-A4,

B1-B3,

C1-C4

A1 N/A All A1-A2,B7 N/A A1 A1-A4

B1-B4

C1-C4

2 B1-B10

3 A2

4 All A1-B6 B1,B2

5 B3

6 C1-C2 C4 C1-C3

7 B4

Other

Terrorist

attack or

threat

affecting

the

transport

network or

office

locations

l Assign responsible

officer

l Provide appropriate

response

l Invoke Major

Incident Plan

l Denial of site - RAS

token access for users

l Formal activation of

Incident Co-ordination

Plan

l Identify senior staff

to provide support to

individual and teams

l Level and type of

support will be

dependent on nature

of incident and

individual

circumstances

l Consider whether

individual or group

debrief sessions

would be of benefit

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 52: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 52 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1

2 A1-A4 All All A1-A2, B6-B11

C4

All B1-B10 A1-A4

B1-B4

C1-C4

3 All A2

4 All B1,B2

5 B3

6 C4 C1-C3

7 A1-C2 B4

Other

Theft or

criminal

damage

l Denial of site - RAS

token access for users

l Physical Access

barriers to Office/DC

l Work at other

location.

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 53: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 53 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1-A4 A1 All A1-A2, B6-B11

C4

A1 A1-A4

B1-B4

C1-C4

2 All All B1-B10

3 A2

4 All A1-B6 B1,B2

5 B3

6 C1-C2 A1-A4,

B1-B3,

C1-C4

C3 C1-C3

7 B4

Chemical

Contamina

tion

l Assign responsible

officer and provide

appropriate response

l Major Incident Plan

l Denial of site - RAS

token access for users

l Prioritise essential

tasks in 24hr time

frames

l In hours utilise duty

manager to support

critical functions

l Identify senior staff

to provide support to

individuals and teams

l Level and type of

support will be

dependent on nature

of incident and

individual

circumstances

l Consider whether

individual or group

Other

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 54: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 54 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1 A1 A1-A4

B1-B4

C1-C4

2 A1-A4 All All A1-A2, B6-B11

C1-C4

All B1-B10

3 A2

4 All A1-B6 B1,B2

5 B3

6 C1-C2 A1-A4,

B1-B3,

C1-C4

C3 C1-C3

7 B4

Infectious

disease

outbreak

l Invoke PHE

infectious disease

outbreak plan

(Hertfordshire)

l Reassign

tasks/responsibilities

l Home working VPN

and RAS

l Denial of site - RAS

token access for users

l Telephone

conferencing

l Prioritise essential

tasks in 24hr time

frames

l In hours utilise duty

manager to support

critical functions

l Identify senior staff

to provide support to

individuals and teams

l Level and type of

support will be

dependent on nature

of incident and

individual

circumstances

l Consider whether

Other

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 55: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 55 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1-A4 A1 All A1-A2, B6-B11

C1-C4

A1-A4

B1-B4

C1-C4

2 All All B1-B10

C1-C3

3 A2

4 All A1-B6 B1,B2

5 B3

6 C1-C2 A1-A4,

B1-B3,

C1-C4

C3

7 B4

Industrial

action

l Assign responsible

officer

l Provide appropriate

response

l Prioritise essential

tasks in 24hr time

frame

l In hours utilise duty

manager to support

critical functions

l Formal activation of

the Incident Control

Centre Plan

l Denial of site - RAS

token access for users

Other

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 56: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 East and North Hertfordshire Clinical Commissioning Group

Page 56 of 58

Operations and

Resilience

ICT Quality Team Human

Resources

Governance and

Corporate

Affairs

Strategic

Planning (incl.

Programme

Office)

Continuing

Healthcare

Finance

Directorate

Commissioning

Directorate

Pharmacy and

Medicines

Optimisation

Communication

(incl.

Engagement)

1 A1-A4 All A1 All All A1-A2, B6-B11

C1-C4

All A1-A4

B1-B4

C1-C4

2 ALL

3 A2

4 A1-B6 B1,B2

5 B3

6 C1-C2 A1-A4,

B1-B3,

C1-C4

C3

7 B4

Fraud,

sabotage

or other

malicious

acts

l Assign responsible

officer

l Provide appropriate

response

l Identify senior staff

to provide support to

individuals and teams

l Level and type of

support will be

dependent on nature

of incident and

individual

circumstances

l Consider whether

individual or group

debrief sessions

l Cyber 10 step plan

l Physical/Logical

Access barriers in

place to DC, Office and

systems

Other

Threat Contingency measures

and actions required

RTO in

relation

to risk

Risk (linked to Essential/Priority activities)

Page 57: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group

Page 57 of 58

Appendix 5 – Equality Impact Assessment Stage 1 Screening

1. Policy EIA Completion Details

Title: Business Continuity Plan Names and Titles of staff involved in completing the EIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management

Proposed Existing

Date of Completion: January 2015

Review Date: January 2016

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

3. Impact on Groups with Protected Characteristics

Probable impact on group? High, Medium or Low

Please explain your answers Positive Adverse None

Age

Being married or in a civil partnership

Disability, inc. learning difficulties, physical disability, sensory impairment etc.

Having just had a baby or being pregnant

Race, ethnicity, nationality, language etc.

Religion or belief

Sex (inc. being a transsexual person)

Sexual Orientation

Other:

No impact on any of the groups above.

No action to be taken/planned as a result of the equality impact assessment as the impact assessment showed that this policy had a neutral effect on each of the protected characteristics.

4. Which equality legislative Act applies to the policy?

Human Rights Act 1998 Equality Act 2010 Health and Safety Regulations

Mental Health Act 1983 Mental Capacity Act 2005

5. How could the identified adverse effects be minimised or eradicated?

N/A

6. How is the effect of the policy on different Impact Groups going to be monitored?

N/A

Page 58: BUSINESS CONTINUITY PLAN€¦ · Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans

OFFICIAL - SENSITIVE

Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group

Page 58 of 58

Appendix 6 Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details

Title: Business Continuity Plan Names and Titles of staff involved in completing the PIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management

Proposed Existing

Date of Completion: January 2015

Review Date: January 2016

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

Yes No Please explain your answers

Technology Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Identity By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Multiple Organisations Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Data By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?

N/A