BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity...

51
BUSINESS CONTINUITY POLICY & BUSINESS CONTINUITY PLAN IF YOU ARE RESPONDING TO A BUSINESS CONTINUITY INCIDENT, GO STRAIGHT TO PAGE 19 AND USE THE FLOWCHART ON PAGE 21 Last Review Date December 2018 Approving Body Audit Committee Date of Approval 7 March 2019 Date of Implementation 11 March 2019 Next Review Date December 2021 Review Responsibility Head of Corporate Governance Version 3.1

Transcript of BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity...

Page 1: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

BUSINESS CONTINUITY POLICY & BUSINESS CONTINUITY PLAN

IF YOU ARE RESPONDING TO A BUSINESS CONTINUITY INCIDENT, GO STRAIGHT TO PAGE 19

AND USE THE FLOWCHART ON PAGE 21

Last Review Date

December 2018

Approving Body

Audit Committee

Date of Approval

7 March 2019

Date of Implementation

11 March 2019

Next Review Date

December 2021

Review Responsibility

Head of Corporate Governance

Version

3.1

Page 2: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

2

REVISIONS/AMENDMENTS SINCE LAST VERSION

Date of Review Amendment Details

December 2013 New policy developed across South Yorkshire & Bassetlaw CCGs in line with national guidance. Localisation of the template has taken place to reflect the Doncaster position.

September 2016 Refresh of policy in accordance with revised NHS England guidance, and to link to Emergency Preparedness, Resilience & Response. Main changes to policy:

Update of definitions (p.4)

Refresh of policy aim in line with national guidance (p.5)

Update of legislation (p.6) Main changes to procedure:

Definition of CCG responsibilities (p.10)

Revise sections to mirror business continuity management cycle (p10 to p.13)

Expand requirements for exercising in line with national guidance (p.13)

Expand plan activation guidance in line with national guidance (p.13 to p.14)

Add new section on Stand-down (p.14)

Expand requirements for communications strategy in line with national guidance (p.14)

Add new section on Stand-down (p.14)

Add new section on our relationship with external suppliers and contractors (p.16)

Main changes to procedure:

Add Business Continuity Plan to policy (was previously held separately).

o Amendments to reflect the national 5 areas of business impact: people, premises, technology, information, suppliers.

o New flowchart to further explain incident management process (p.21)

o Minor amendments to communication strategy (p.24 to p.25)

o Appendix D – inclusion of reference to externally held action cards

December 2018 Main changes to policy:

Updated email addresses throughout the document.

Change reference Chief of Corporate Services to Associate Director of HR and Corporate Services

Page 3: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

3

throughout the document.

Update Communications manager details (p 27).

Removal of reference to Doncaster CVS.

Risk Scoring Matrix amended to reflect the Risk Management Strategy, Policy and Framework (p 36).

Page 4: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

4

CONTENTS

Page Definitions 5 Section A – Policy 6-10 1. Policy Statement, Aims and Objectives 6-7 2. Legislation and Guidance 7 3. Scope 7 4. Accountabilities and Responsibilities 7-9 5. Dissemination, Training and Review 9-10 Section B – Procedure 11-17 1. The Approach to Business Continuity Management

11

2. Stage 1 – Understanding the Organisation

12

3. Stage 2 – Determining Business Continuity Management Strategy

12-13

4. Stage 3 – Developing and Implementing the Business Continuity Management Response

13

5. Stage 4 – Exercising, Maintaining and Reviewing

14

6. Plan Activation

14-15

7. Stand-down

15

8. Communications Strategy

15-16

9. Business Continuity and Incident Response Packs

16

10 Training and Awareness

16

11. External Suppliers and Contractors

16-17

Section C – Business Continuity Plan 18-48

Page 5: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

5

DEFINITIONS Term

Definition

BCM

Business Continuity Management

BCMS Business Continuity Management System

BCP

Business Continuity Plan

BIA Business Impact Analysis

Business Continuity Incident

A business continuity incident is an event or occurrence that disrupts, or might disrupt, an organisation’s normal service delivery, below acceptable predefined levels, where special arrangements are required to be implemented until services can return to an acceptable level. This could be a surge in demand requiring resources to be temporarily redeployed.

Critical incident A critical incident is any localised incident where the level of disruption results in the organisation temporarily or permanently losing its ability to deliver critical services, patients may have been harmed or the environment is not safe requiring special measures and support from other agencies, to restore normal operating functions.

CCG

Clinical Commissioning Group

Major incident

A major incident is any occurrence that presents serious threat to the health of the community or causes such numbers or types of casualties, as to require special arrangements to be implemented. For the NHS this will include any event defined as an emergency under Section 1 of the Civil Contingency Act 2004:

An event or situation which threatens serious damage to human welfare in a place in the United Kingdom.

An event or situation which threatens serious damage to the environment of a place in the United Kingdom.

War, or terrorism, which threatens serious damage to the security of the United Kingdom.

Page 6: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

6

SECTION A – POLICY 1. Policy Statement, Aims and Objectives 1.1. NHS Doncaster Clinical Commissioning Group (CCG) must deliver an

effective Business Continuity Management System (BCMS) in order to secure the best possible outcomes for patients and to successfully deliver our strategic objectives and operational plan. In addition, the CCG must comply with the Civil Contingencies Act (2004).

1.2. Commissioning is a key function of the NHS and CCGs. The CCG plays a key role within the local health system, and therefore it is important that the organisation is able to continue its activities in the face of situations that might be, or could lead to, disruption, loss, emergency or crisis.

1.3. In order to effectively carry out our commissioning functions, the CCG requires access to resources to ensure that all of its activities are delivered effectively. These resources fall into five broad categories:

People

Premises

Technology

Information

Suppliers and partners 1.4. Business continuity is defined as the “capability of the organisation to continue

delivery of products or services at acceptable predefined levels following a disruptive incident.” (ISO 22300).

1.5. A business continuity incident becomes possible when access to resources is threatened. Threats can emerge internally or externally, ranging from a technology failure to an influenza pandemic.

1.6. The CCG’s strategy for dealing with these threats to resources is to implement a robust BCMS to identify and analyse risks to business continuity, where possible take measures to prevent incidents occurring, and to document and implement BCPs in order to minimise the impact of incidents when they do occur. Business continuity management is an essential tool in establishing our organisation’s resilience.

1.7. This policy statement provides a framework for the CCG to follow in the event of a business continuity incident. It also states the process for implementing and maintaining a robust BCMS.

1.8. The policy objectives are:

To identify key CCG functions / services which, if interrupted for any reason, would have the greatest impact on the community, the health economy and the organisation.

Page 7: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

7

To identify and reduce the risks and threats to the continuation of these key services.

To develop plans which enable the organisation to maintain and / or resume key services in the shortest possible time.

2. Legislation and Guidance 2.1. The following legislation and guidance has been taken into consideration in

the development of this procedural document:

NHS England Emergency Preparedness Framework.

NHS England Business Continuity Management Framework.

ISO 22301 Societal Security - Business Continuity Management Systems – Requirements.

ISO 22313 Societal Security - Business Continuity Management Systems – Guidance.

PAS 2015 - Framework for Health Services Resilience.

Civil Contingencies Act 2004. 3. Scope 3.1. This policy applies to those members of staff that are directly employed by the

CCG and for whom the CCG has legal responsibility. For those staff covered by a letter of authority / honorary contract or work experience this policy is also applicable whilst undertaking duties on behalf of the CCG or working on the CCG premises and forms part of their arrangements with the CCG. As part of good employment practice, agency workers are also required to abide by the CCG policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for the CCG.

4. Accountabilities and Responsibilities 4.1. Overall accountability for ensuring that there are systems and processes to

effectively manage business continuity lies with the Chief Officer. Responsibility is also delegated to the following individuals:

Chief Officer / Executive

Team

Have delegated responsibility for:

Reviewing the business continuity status and the application of the policy and standards in all business undertakings.

Enforcing compliance through assurance activities, provision of appropriate levels of resource and budget to achieve the required level of business continuity competence.

Coordinating the overall management of an incident, providing strategic direction of organisational recovery plans.

Ensuring information governance standards continue to be

Page 8: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

8

applied to data and information during an incident.

Deciding when to escalate to the EPRR Policy framework and deciding when to escalate to the Area Team.

Leading the recovery plan after the incident.

Associate Director of HR and Corporate

Services (or equivalent)

Has delegated responsibility for:

Determining the criteria for implementing the BCP.

Overseeing the implementation of the BCP and standards.

Corporate Governance

Manager

Has delegated responsibility for:

Supporting staff across the organisation to develop operational BCPs.

Ensuring that the organisational BCP is reviewed and updated at regular intervals to determine whether any changes are required to procedures or responsibilities.

Managing training and awareness of the plan and maintaining the plan including change control and testing.

Audit Committee

Has delegated responsibility for:

Ratifying this policy.

Seeking assurance that up to date policies and plans are being implemented effectively in the event of a business continuity incident.

Line Managers

Have delegated responsibility for:

Assessing their specific area of expertise and planning actions for any necessary recovery phase, setting out procedures and staffing needs and specifying any equipment or technical resource which may be required in the recovery phase.

Holding two hard copies of the BCP allocated to them. It is intended that one copy should be located at the holder’s home address so it is easily accessible and the second in a Folder clearly marked BCP at their office base. The BCP folder will also contain recovery procedures, contacts, lists of vital materials or instructions on how to obtain them.

Staff

Responsibilities of staff (including all employees, whether full/part time, agency, bank or volunteers) are:

Achieving an adequate level of general awareness regarding business continuity.

Being aware of the contents of their own business areas disaster recovery plan and any specific role or responsibilities allocated.

Page 9: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

9

Participating actively in the business continuity programme where required.

Ensuring information governance standards continue to be applied to data and information during an incident.

5. Dissemination, Training and Review 5.1. Dissemination 5.1.1. The effective implementation of this procedural document will support

openness and transparency. The CCG will:

Ensure all staff and stakeholders have access to a copy of this procedural document via the organisation’s website.

Communicate to staff any relevant action to be taken in respect of complaints issues.

Ensure that relevant training programmes raise and sustain awareness of the importance of effective complaints management.

5.1.2. This procedural document is located in the General Policy Manual. A set of

hardcopy Procedural Document Manuals are held by the Governance Team for business continuity purposes and all procedural documents are available via the organisation’s website. Staff are notified by email of new or updated procedural documents.

5.2. Training 5.2.1. All staff will be offered relevant training commensurate with their duties and

responsibilities. Staff requiring support should speak to their line manager in the first instance. Support may also be obtained through their HR Department.

5.3. Review 5.3.1. As part of its development, this procedural document and its impact on staff,

patients and the public has been reviewed in line with the CCG’s Equality Duties. The purpose of the assessment (refer to Appendix G) is to identify and if possible remove any disproportionate adverse impact on employees, patients and the public on the grounds of the protected characteristics under the Equality Act.

5.3.2. The procedural document will be reviewed every three years, and in

accordance with the following on an as and when required basis:

Legislatives changes

Good practice guidelines

Case Law

Page 10: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

10

Significant incidents reported

New vulnerabilities identified

Changes to organisational infrastructure

Changes in practice 5.3.3. Procedural document management will be performance monitored to ensure

that procedural documents are in-date and relevant to the core business of the CCG. The results will be published in the regular Governance Reports.

Page 11: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

11

SECTION B – PROCEDURE 1. The approach to Business Continuity Management (BCM) 1.1. The CCG is responsible for commissioning a wide range of patient services

for the local population and in the event of an emergency or business interruption, it is essential that critical services which support our commissioning activities can be restored and maintained as soon as is practically possible.

1.2. BCM is a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

1.3. The diagram below illustrates the BCM cycle which we have adopted in order to develop a robust BCM culture across the organisation.

1.4. In the event of an emergency or business interruption the CCG will endeavour to maintain services as usual or as close to the usual standard as is practically possible, however it may be evident that this is unachievable. The functions of the organisation will therefore been identified, defined and prioritised using a BIA.

2. Stage 1 – Understanding the Organisation 2.1. The BIA is the process of analysing business functions and determining the

effect that a business disruption might have upon them, and how these vary over time. The aim of the business impact analysis is to ensure that the CCG has identified those activities that support its key services in advance of an incident, so that robust business continuity plans can be put into place for those identified critical activities.

2.2. Our BIA process:

Page 12: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

12

Defines the function and its supporting processes.

Determines the impacts of a disruption.

Defines the recovery time objectives (where ISO 22313 defines Recovery Time Objective (RTO) as the period of time following an incident within which a product or service must be resumed, activity must be resumed, or resources must be recovered);

Determines the minimum resources needed to meet those objectives.

Considers any statutory obligations or legal requirements placed on the CCG.

2.3. Our BIA results in the identification of those activities whose loss would have

the greatest impact in the shortest time and need to be recovered most rapidly.

2.4. The community risk register will be considered when undertaking BIA in order to enable the organisation to understand the threats to, and vulnerabilities of, critical activities and supporting resources, including those provided by suppliers and partners.

3. Stage 2 – Determining Business Continuity Management Strategy 3.1. There are many and varied possible causes of service disruption.

3.2. Business continuity planning will be carried out to minimise the effects of a

number of potentially disruptive events. A series of robust plans and mitigation will be developed for these priority areas. The list is not exhaustive and judgement will be applied in each case:

People: Loss of key staff short and long term including significant national or international incidents impacting on the CCG, such as a pandemic.

Premises: Loss of primary workplace in the short and long term.

Technology: Loss of information and communications technology infrastructure services.

Information: Loss of data.

Suppliers & Partners: Business continuity affecting suppliers and/or partners.

Any other requirements as identified by the business impact analysis process.

4. Stage 3 – Developing and Implementing the Business Continuity

Management Response

4.1. The following areas will be included in the organisation’s BCP:

BIA / Hazard Identification – Local Risk Assessment

Page 13: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

13

The process of identifying business functions and the effect a business disruption will have on them. Risk assessment is the process of risk identification, analysis and evaluation using a risk matrix.

Critical Activities Those activities whose loss would have the greatest impact in the shortest time and need to be recovered most rapidly. Critical activities will be reflected on our Assurance Framework or Risk Register, as appropriate.

Communications Strategy Internal and external communications and how the CCG cascades information.

4.2. The response to an emergency or business continuity incident does not

necessarily or automatically translate into the declaration of a major incident and the implementation of a full recovery operation. Incidents may cause a temporary or partial interruption of activities with limited or no short term or longer term impact. It will be the responsibility of the CCG Executive team, as available, to evaluate and declare the appropriate level of response.

4.3. The severity of an incident will be identified as follows, and this has been

linked to the CCG risk scoring matrix:

CCG Risk scoring matrix

description and score

Business Continuity

incident rating

1-3 Low Insignificant

4-6 Medium Minor

8-12 High Moderate

15-20 Very High Major

25 Extreme Catastrophic

4.4. The severity level will indicate the urgency of recovering the business service,

and also the order in which services should be reinstated.

4.5. The CCG is not responsible for the direct provision of health services, however it is responsible for some functions that could have an impact on providers of health services, for example contractual financial payments and safeguarding. Therefore the risks to our stakeholders resulting from an incident affecting the CCG could be significant.

5. Stage 4 – Exercising, Maintaining and Reviewing 5.1. Exercises can expose vulnerabilities in an organisation’s structure, initiate

processes needed to strengthen both internal and external communication and can help improve management decision making during an incident. They are also used to assess and identify gaps in competencies and further training that is required for our staff.

Page 14: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

14

5.2. The on-going viability of the business continuity programme can only be determined through continual tests and improvements. The Associate Director of HR & Corporate Services and Corporate Governance Manager will be responsible for ensuring regular tests and revisions are made to the business continuity plan to ensure they provide the level of assurance required.

5.3. Exercises and tests will:

Be consistent with the scope and objectives of the BCMS;

Be based on appropriate scenarios that are well planned with clearly defined aims and objectives;

Minimise the risk of disruption of operations;

Produce post-exercise reports;

Be conducted at planned intervals and when there are significant changes within the organisation or to the environment in which it operates.

5.4. We aim to exercise and test our business continuity arrangements alongside

partner NHS organisations, where practicable. 5.5. We will share lessons learned and post-exercise reports with all interested

parties.

5.6. We will aim to run or participate in:

A live partnership exercise every three years;

A desktop exercise annually;

A communications test 6-monthly. 6. Plan Activation 6.1. The Chief of Service in the work area concerned will decide in discussion with

other available Chiefs of Services and the Chief Officer whether the plan or any part of it should be activated.

6.2. Out of hours the decision will be made by the On-Call lead officer.

6.3. Immediate response and management functions required to handle an incident will be led by the most senior CCG Officer on site/on call.

6.4. Once the plan is activated, the incident will be managed by the Chief of Service of the work area in which the incident occurred.

6.5. The relevant Chief of Service has responsibility for convening a response team to ensure that essential services are maintained and that recovery plans are put into place. The response team membership is at the discretion of the senior manager as each incident is different. Members could include another Chief of Service, Chief Officer or Chief Finance Officer, Corporate Governance Manager, and a member of the Communications Team.

6.6. Anyone called to attend the response team by the lead Chief of Service must attend as soon as practicable. There are no exceptions.

Page 15: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

15

6.7. Good record keeping is paramount if the BCM plan is initiated. The Director leading the crisis is responsible for ensuring that accurate records are kept of all decisions and actions (including expenses) taken once the BCM plan is initiated.

7. Stand-Down

7.1. The Chief of Service managing the incident has authority to stand down the

plan in consultation with the Chief Officer.

7.2. Following activation and stand down of the plan a de-brief report detailing the incident, actions taken and lessons learned will be provided to the Audit Committee. The Corporate Governance Manager will lead the creation of this report.

7.3. We will risk assess recovery, and liaise with partners to minimise our recovery impact upon them.

8. Communications Strategy 8.1. Good communication is essential at a time of crisis. A communications

strategy will be developed to ensure there are appropriate statements for internal and external communication and processes for ensuring communication to all staff in the case of an emergency. This strategy will be the same across all plans.

8.2. The strategy will include reference to procedures for regular communications with partner organisations and other interested parties. This is particularly important during the planning stage for known disruptions such as winter weather. Formal reporting and situation updates may also be required in the lead up to and during a disruption to create a local, regional and national overview of effects across the NHS.

8.3. The main aims of the strategy will be to:

Deliver relevant messages about the incident to the relevant stakeholder group/s

Utilise relevant media channels to reassure and inform the public and patients

Ensure that messages are timely and relevant to the target audience

8.4. A cascade structure will be developed to ensure key individuals within and external to the organisation have been informed of incidents.

Page 16: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

16

9. Business Continuity and Incident Response Packs 9.1. The Corporate Governance Manager will develop business continuity packs to

be held in the CCG headquarters. The contents of these packs will be checked for completeness and updated regularly, or whenever there is a change in the organisational activities which may affect its contents.

10. Training and Awareness 10.1. All Governing Body members and Senior Management Team members need

to be aware of the contents of this policy, and ensure that they are acquainted with the CCG’s BCP and have access to the appropriate templates.

10.2. The Associate Director of HR & Corporate Services and Corporate Governance Manager will identify appropriate levels of training and awareness raising for CCG staff to ensure business continuity becomes part of CCG culture and daily business routines, improving the organisations resilience to the effects of emergencies.

10.3. The Associate Director of HR & Corporate Services and Corporate Governance Manager will also receive relevant training to ensure they can perform their role effectively and participate in testing.

11. External Suppliers and Contractors 11.1. The CCG will request and assess business continuity plans from partners and

providers. For our main providers and partners, this will be through the LHRP, and for suppliers through procurement requirements, and, subsequently, through contractual arrangements.

Page 17: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

17

[Page left deliberately blank]

Page 18: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

18

BUSINESS CONTINUITY PLAN

Page 19: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

19

CONTENTS

Page 1. Introduction 20 2. Incident Identification 20-21 3. Incident Declaration 21-22 4. Managing a Declared Business Continuity Incident 23-25 5. Communications Strategy 25-27 6. Business Continuity Governance 28 Appendices 29-48 Appendix A – Key contacts 29-30 Appendix B – Business Impact Analysis / Hazard Identification 31-36 Appendix C – Categorisation of CCG Critical Activities 37-39 Appendix D – Action Cards

Incident Manager

Nominated Business Continuity Administrator

40 41-44 44-45

Appendix E – Service-specific Action Cards 46 Appendix F – Debrief Template 47-48

Page 20: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

20

1. Introduction 1.1. As Category 2 responders under the Civil Contingencies Act 2004, a Clinical

Commissioning Groups (CCG) is required to have a Business Continuity Plan (BCP) in place to manage the effects of any incident that might disrupt its normal business.

1.2. Our plan lays down the process to be followed in the event of an incident

which impacts upon the delivery of CCG functions by adopting a generic approach to such incidents.

1.3. Appendix A shows key contact numbers to use during a Business Continuity incident.

1.4. Based on the Business Impact Analysis (BIA) shown at Appendix B, the following functions are considered to be critical (Appendix C):

CCG Emergency Preparedness, Resilience & Response (EPRR) 1.5. The CCG has staff located at: Sovereign House Heavens Walk Doncaster DN4 5HZ (Main Headquarters)

White Rose House Ten Pound Walk Doncaster DN4 5DJ (Continuing Healthcare team)

722 Prince of Wales Road Sheffield S9 4EU (Previously Unassessed Periods of Care Team)

2. Incident Identification 2.1. An incident or set of circumstances which might present a risk to the

continuity of a CCG function or service may be identified by any member of staff. When an incident or set of circumstances which might present a risk to the continuity of a CCG function or service is identified, it is important that the person identifying the incident knows what to do. In the initial stages, this will involve making sure that the right people have been informed.

2.2. The BIA / Hazard Identification matrix (Appendix B) sets out a list of priority incidents:

Staffing shortage: Loss of key staff short and long term including through epidemic / pandemic illness, industrial action, school closures, transport disruption.

Loss of operating premises: Contamination, disruption to utilities (water, gas, electricity, heating/cooling), fire, flooding, structural defect / failure, cordon.

Page 21: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

21

Information Technology failure: major electronic attacks or severe disruption to the IT network and systems (telephone network, data network, active directory, hardware failure, loss of major application, loss of mobile phone network, loss of switchboard, server failure).

Information/data loss: Data stolen / lost, destruction of paper files, failure of back-up or failsafe, temporary loss of connection.

Supplier failure: Contract breach, industrial action, stock management failure, supplier goes into administration, supply chain collapse.

3. Incident Declaration

3.1. The following Officers of the CCG (or in their absence their Deputies) can

declare an incident where business continuity is disrupted or at risk of disruption:

DESIGNATION TELEPHONE

Chief Officer

01302 566061 (x1061)

Chief Finance Officer (Deputy Chief Officer)

01302 566078 (x1078)

Chief Nurse

01302 566211 (x1221)

Director of Strategy & Delivery

01302 566331 (x1331)

Associate Director of HR & Corporate Services

01302 566050 (x1250)

3.2. If the incident is categorised as a Major Incident, move to follow the steps in

the CCG EPRR Policy. See EPRR Policy for details. In summary, the actions are:

Nominate a Team Leader.

Team to operate from the Incident Control Centre (ICC), which is the Chair’s Office, Sovereign House, Heavens Walk, Doncaster DN4 5HZ, Telephone: 01302 566300, Safe Haven Fax: 01302 566321, Email: . [email protected]

Follow the Escalation Flowchart in the CCG’s EPRR Policy. 3.3. The diagram over the page describes the process for invoking and then

progressing a business continuity incident.

Page 22: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

22

INCIDENT OCCURS

Can incident

be managed

within current

resources?

No further action

YES

Discuss with Senior

Management Team member(s)

NO

Activate

Business

Continuity

Plan?

NO

YES

DECLARE & ASSESS INCIDENT Refer to action cards where relevant.

COMMUNICATE & UPDATE Develop communication strategy – notify

affected staff/partners/stakeholders

GET SUPPORT Set up incident response team if required

COORDINATE Monitor progress and amend business

continuity plan as required

Consider

stand-

down

YES

NO

DEBRIEF Organise debrief. Produce lessons learned report.

Page 23: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

23

4. Managing a Declared Business Continuity Incident 4.1. The overarching aim is to systematically review the situation and maintain

overall control of the CCG response.

INCIDENT

DECLARED

Identify an incident manager.

Move to the Incident Control Centre.

Start a log of the incident (Appendix D), documenting information and actions.

If it is a major incident, STOP and move to EPRR policy and escalation flowchart.

ASSESS

INCIDENT

Assess the risk and impact of the incident to the organisation – this may be based on which resources are affected:

o People o Premises o Technology o Information o Suppliers and partners

Assess the likely duration of the incident

Identify which critical functions are affected by the incident (Appendix C).

Assess any wider implications of the incident (e.g. to providers / stakeholders / partners).

Take any actions required to ensure Category A functions continue unhindered and Category B functions can be resumed within 3-7 calendar days (see Action Cards – Appendix E).

Ensure Health and Safety of staff is prioritised.

GET SUPPORT

Identify who can help to manage the incident (this will be dependent on the type of incident).

Form an incident response team, if required.

Page 24: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

24

COMMUNICATE

Develop a communications strategy for the incident – the generic strategy is detailed below.

Ensure that staff are briefed about the incident and given clear instructions, including, if applicable, on whether they should relocate or go home, and when they are expected to return.

Inform key chain partners as necessary.

Where a major incident has been declared, escalate according to the Escalation Flowchart in the CCG’s EPRR Policy.

UPDATE

Update staff and other key stakeholders with recovery plans and estimated recovery time objectives.

COORDINATE NEXT STEPS

Once the main priorities have been dealt with, you might consider scaling down the Business Continuity Team, or handing over to another member of staff to deal with the medium and long term issues, or the day to day recovery of the incident.

If an incident is going to go on for more than 4-8 hours, establish a rota for staff within the team and regular hand over for the Business Continuity Manager role.

Incident Manager to authorise Stand Down.

ORGANISE DEBRIEF

Ensure debrief meetings are held, logged information is retained and lessons learned captured in a final report. A debrief tool is shown in Appendix F.

4.2. The CCG Incident Control Centre is not kept on permanent stand-by and will

be enacted by the Emergency Accountable Officer or their nominated Deputy as required. The CCG Incident Control Centre is located in:

Chair’s Office Sovereign House Heavens Walk Doncaster DN4 5HZ Telephone: 01302 566300

Page 25: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

25

Safe Haven Fax: 01302 566321 Email: [email protected] The decant plan, should the Incident Control Centre be compromised, will be the premises of one of the other South Yorkshire & Bassetlaw CCGs. This has been agreed with the partner CCGs under mutual aid and can be enacted via contact with the Chief Officer (or their nominated Deputy) of each CCG:

NHS Barnsley Clinical Commissioning Group

NHS Bassetlaw Clinical Commissioning Group

NHS Rotherham Clinical Commissioning Group

NHS Sheffield Clinical Commissioning Group

5. Communications Strategy 5.1. During a period of business continuity it is vital that communication is

managed effectively with a variety of stakeholders. This plan supports this management before, during and after any incident that is detailed within the BCP.

5.2. The CCG already has a range of communication channels with our key stakeholders, partners, providers and supply chain. These will continue to be used and built upon during management of a business continuity incident.

5.3. For a CCG specific incident the business continuity team and communications leads will work together to ensure clear and consistent communications activity. The main aims will be to:

Deliver relevant messages about the incident to the relevant stakeholder group(s);

Utilise relevant media channels to reassure and inform the public and patients;

Ensure that messages are timely and relevant to the target audience. 5.4. Stakeholders: Our stakeholders are divided into two categories with specific

communications mechanisms for each one:

Internal Staff in Headquarters buildings, and those who work remotely

External Doncaster Metropolitan Borough Council (DMBC)

NHS England local Area Team

Rotherham Doncaster & South Humber NHS Foundation Trust (RDaSH)

Doncaster and Bassetlaw Hospitals NHS Foundation Trust (DBHFT)

Fylde Coast Medical Services Ltd (FCMS) – Urgent Care

Care Homes and Domiciliary Care organisations

Member Practices

Media

Page 26: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

26

Voluntary Sector via Doncaster Health watch

NHS Property Services (landlord for headquarters premises)

5.5. Communication methods: The communication activity used will be activated

in conjunction with any incident detailed in the business continuity plan and will be specific to each of the relevant stakeholders affected.

Internal Staff, Governing Body Members and GP Leads It is essential that we inform staff and keep them up-to-date with any incident that impacts on the ability to undertake their role or has a direct impact on the organisation. This incident could be triggered by a multi-agency source or from within the CCG. The methods used to communicate with staff will be:

Text message/phone call via Chiefs of Service to their teams (or deputies, in their absence) – used to disseminate an initial message about the incident, containing immediate actions needed and how further messages will be communicated.

Email – Staff can receive messages via the CCG’s distribution lists (held electronically) in normal working hours, and via remote working.

Website – Staff can get up-to-date information without having access to CCG specific systems. This section of the public site can be updated remotely and will ensure that everyone could access accurate, timely information.

External GP Member Practices Member Practices of the CCG will be informed of any incidents relating to business continuity via email. Contact details for the CCG throughout the affected period will be shared and practice staff advised to visit the CCG website for updates. Media – Print and Broadcast Managing the media should take place in line with the CCG’s existing media protocols. The Communications Lead has good links with the media, which will be utilised for any incident that requires information communicating to local people and patients. Local radio stations would be able to broadcast public information in their regular bulletins. Information will be issued to the local printed media dependent on the incident timing in relation to the paper publication day. Media statements may be required following an incident and once normal business has resumed. Information will also be published using the CCG’s social media sites e.g. Twitter and Facebook with links to the website for more detail.

Page 27: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

27

Partners When an incident impacts on the business of the CCG it is imperative that we inform colleagues at our local partner organisations. Depending on the nature of the incident this will be done either by telephone or by email – via the Chief Officer, Chair or Business Continuity Lead. Partner organisations would be encouraged to disseminate the details to their staff via communication channels. Providers – All Providers from whom we commission a healthcare service Depending on the nature of the incident this would be done either by telephone or by email – via the Chief Officer, Chair or Business Continuity lead. Provider organisations will be encouraged to disseminate the details to their staff via communication channels, providing details of alternative ways to contact the CCG during the period of the incident. Notice will then be given once the incident was resolved and normal business resumed. Key contacts within the CCG should advise counterparts in the provider organisations of their contact details during the incident.

Out of Hours

There is no formal out-of-hours communication service within the CCG, however senior officers have been provided with the Communication Manager’s mobile number who should be contacted in the case of an incident that may affect business continuity. Messages and notifications can be posted on the public website using an internet connection in any location and there are a number of officers with the organisation who have access to the admin section.

5.6. NHS Doncaster CCG’s Communications Manager is:

Mr Paul Hemingway NHS Doncaster Clinical Commissioning Group (CCG) Sovereign House Heavens Walk Doncaster DN4 5HZ

Tel: 01302 566042 Email: [email protected] Twitter: @doncasterccg

Page 28: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

28

6. Business Continuity Governance 6.1. This plan will be ratified in its initial form by the Audit Committee.

6.2. The plan will be reviewed by the CCG’s Corporate Governance Manager on a

quarterly basis and updated for any changes that have occurred during the last quarter, e.g. changes in staff contact details, changes in CCG functions etc. It will also be updated with any recommendations arising from a debrief session.

6.3. The CCGs only Category A function (EPRR) will be monitored via the Governing Body Assurance Framework.

6.4. The financial implications of this business continuity plan are nil. Unexpected expenditure will be covered via the CCG’s 0.5% annual contingency.

6.5. Communication of this Plan to staff will be via email. The plan will also be available on the CCG website. Key stakeholders and partners will also be informed of this.

6.6. The CCG will ensure that staff are trained with the knowledge and skills required of them in this area, as defined by the National Occupation Standards for Civil Contingencies and NHS England competencies.

6.7. This plan will be tested using risk-assessed worse-case scenarios.

Page 29: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

29

Appendix A Key contacts

A detailed list of contacts for all providers and partners is held by On Call team members and stored in the Emergency Box in Sovereign House

Partner Telephone number(s) Lead contact(s) Address

NHS England (South Yorkshire & Bassetlaw

Team) [email protected] Director

South Yorkshire and Bassetlaw office Oak House

Moorhead Way Bramley

Rotherham S66 1YY

Rotherham, Doncaster & South Humber NHS

Foundation Trust 01302 796000

Chief Executive

Emergency Planning Lead

Woodfield House Trust Headquarters

Tickhill Road Hospital Tickhill Road

Balby Doncaster DN4 8QN

Doncaster & Bassetlaw Hospitals NHS Foundation

Trust 01302 366666

Chief Executive

Emergency Planning Lead

Armthorpe Road Doncaster DN2 5LT

Doncaster Metropolitan Borough Council

Office Hours: 01302 736000

Out of Hours: 01302 341628

Chief Officer

Emergency Planning Lead

Civic Office Waterdale Doncaster DN1 3BU

NHS Barnsley CCG 01226 730000 Chief Officer

Emergency Planning Lead

49/51 Gawber Road Barnsley

South Yorkshire S75 2PY

Page 30: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

30

Partner Telephone number(s) Lead contact(s) Address

NHS Bassetlaw CCG 01777 274400 Chief Officer

Emergency Planning Lead

Retford Hospital North Road

Retford Nottinghamshire

DN22 7XF

NHS Doncaster CCG 01302 566300

Chief Officer

Associate Director of HR & Corporate Services

Corporate Governance Manager

Sovereign House Heavens Walk

Doncaster DN4 5HZ

NHS Rotherham CCG 01709 302000 Chief Officer

Emergency Planning Lead

Oak House Moorhead Way

Bramley Rotherham

South Yorkshire S66 1YY

NHS Sheffield CCG 0114 305 1000 Chief Officer

Emergency Planning Lead

722 Prince of Wales Road Sheffield S9 4EU

Page 31: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

31

Appendix B Business Impact Analysis / Hazard Identification – NHS Doncaster Clinical Commissioning Group

Hazard How the hazard affects business

Consequence Likelihood Risk

Score Controls in

Place Short Term (under 72 hours)

action Longer term action

Epidemic / pandemic

illness

Loss of key staff in the short or long

term

4 3 12 Flu vaccinations. National alerts to support planning.

Prioritise work around critical functions.

Prioritise work around critical functions.

Appoint temporary staff where feasible, including secondments from other

organisations.

Industrial action

4 2 8 Staff engagement and HR policies

Prioritise work around critical functions.

Prioritise work around critical functions.

Appoint temporary staff where feasible, including secondments from other

organisations.

Simultaneous resignation of a number of

staff (e.g. lottery

syndicate win)

4 1 4 Notice period in

contracts N/A

Accelerate normal recruitment processes.

Seek secondments or agency staff to cover gap and provide

continuity.

School closures

3 2 6 Advisory notices

from schools.

Prioritise work around critical functions.

Staff work at home where they can do this around childcare

responsibilities.

Prioritise work around critical functions.

Appoint temporary staff where feasible, including secondments from other

organisations.

Page 32: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

32

Hazard How the hazard affects business

Consequence Likelihood Risk

Score Controls in

Place Short Term (under 72 hours)

action Longer term action

Travel / transport disruption preventing

staff getting to base or home

4 3 12

Receipt of severe weather alerts

and planning for staff working from home – adverse

weather procedure.

Hotels within walking distance of headquarters

for staff who cannot get home.

Prioritise work around critical functions.

Staff work at home or at other

premises or organisations

As short term, if necessary (long term impact less likely).

Car share.

Use mutual aid bases where

these are closer to home than usual base.

Contamination of premises or

access to premises

Loss of operating premises or access

to operating premises

4 1 4 Emergency

response plan

Staff work at home or hot desk at other sites where they have

access.

Transfer of main switchboard telephone line and safe haven fax line remotely to alterative

location.

Temporary alternative work base for business critical staff via mutual aid arrangements to enable point of contact and

email/internet access.

Disruption of utility supply to

premises 4 2 8

NHS Property Services

contracts with utility providers

Fire 4 2 8

Fire Procedures; annual CCG fire inspection & risk assessment with remedial action

plan

Flooding 4 1 4

Council Flood Plan; local

drainage courses behind building

Page 33: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

33

Hazard How the hazard affects business

Consequence Likelihood Risk

Score Controls in

Place Short Term (under 72 hours)

action Longer term action

Structural defect / failure

4 1 4

NHS Property Services building inspections; CCG annual building

inspection & risk assessment with remedial action

plan

Terrorist or criminal attack

4 1 4 Emergency

Response Policy

Cordon preventing access to premises

4 1 4 Emergency

Response Policy

Major electronic attacks

Loss of information technology support

structure

4 2 8 IT back-up systems

IT back-up system comes online.

Remote working through

NHSNet.

Access to limited paper files.

As short term.

Severe disruption to

the IT network and systems including loss

of data network, major

applications

4 3 12 IT back-up systems

IT back-up system comes online.

Remote working through

NHSNet.

Access to limited paper files.

As short term.

Hardware failure

3 2 6

Spare equipment held.

Remote working devices kept at home by Senior

Management Team.

Use spare equipment / “at home” devices.

Order replacements via contract with IT provider.

Page 34: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

34

Hazard How the hazard affects business

Consequence Likelihood Risk

Score Controls in

Place Short Term (under 72 hours)

action Longer term action

Loss of landline

telephones including

switchboard

3 2 6

Mobile phones for key staff.

Contract with IT provider.

Use mobile phones.

Transfer of main switchboard telephone line and safe haven fax line remotely to alterative

location.

As short term.

Loss of mobile phone network

4 2 8

On Call staff have provided landline numbers to the call coordination

centre.

Use landlines. As short term.

Electronic data stolen / lost

Data loss, affecting CCG

service/function delivery

4 3 12

Cloud based solutions where

possible. Contract with IT provider includes

resilience & testing.

Attempt to recover data from originating source.

Identify data loss and assess risk.

Notify Information

Commissioner.

Destruction of paper files

3 2 6

Very few paper records kept.

Contract for hard archiving –

resilient and secure.

Attempt to recover data from originating source.

Identify data loss and assess risk.

Notify Information

Commissioner.

Failure of back-up or

failsafe 4 1 4

Contract with IT provider includes

resilience & testing.

Attempt to recover data from originating source.

Identify data loss and assess risk.

Notify Information

Commissioner.

Temporary loss of

connection to data

3 1 3

Contract with IT provider includes

resilience & testing.

Only critical functions maintained.

N/A

Page 35: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

35

Hazard How the hazard affects business

Consequence Likelihood Risk

Score Controls in

Place Short Term (under 72 hours)

action Longer term action

Supplier / provider contract breach

Supplier failure, affecting CCG

service/function delivery

4 3 12

Contracts with providers including

resilience / business

continuity clauses

Work with provider in accordance with contract.

Contract termination and re-tendering.

Supplier / provider industrial

action

4 2 8

Contracts with providers including

resilience / business

continuity clauses

Work with provider to ensure maintenance of critical

functions in accordance with contract.

As short term.

Stock management

failure 3 2 6

Ordering from NHS regional

distribution centre.

Alternative local purchasing options.

As short term.

Supplier goes into

administration / supply chain

collapse

3 2 6

Contracts with providers including

resilience / business continuity clauses.

Performance monitoring of

providers.

Alternative local purchasing options.

Contract termination and re-tendering.

Partner CCGs unable to delivery hosted

functions

4 2 8 Memorandums of

Understanding

Use directly employed staff and/or agency staff to deliver

critical functions.

Host CCG to remedy. If it cannot, seek alternative

sources of support or deliver internally.

Page 36: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

36

Risk Matrix Consequences / Severity

Insignificant Minor Moderate Major Catastrophic

Likelihood of Occurrence

1 2 3 4 5

(1) Rare

1 2 3 4 5

(2) Unlikely

2 4 6 8 10

(3) Possible

3 6 9 12 15

(4) Likely

4 8 12 16 20

(5) Almost Certain

5 10 15 20 25

CCG Risk scoring matrix

description and score

Business Continuity

incident rating

1-3 Low Insignificant

4-6 Medium Minor

8-12 High Moderate

15-20 Very High Major

25 Extreme Catastrophic

Page 37: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

37

Appendix C Categorisation of CCG Critical Activities / Services / Functions

CA

TE

GO

RY

A

(Cri

tic

al

fun

cti

on

mu

st

co

nti

nu

e)

Emergency Preparedness, Resilience & Response (EPRR) via On Call function

CA

TE

GO

RY

B

(Hig

h P

rio

rity

/ M

ed

ium

Pri

ori

ty -

R

esu

me w

ith

in 3

to

7

cale

nd

ar

day

s)

Finance & Contracting:

Approval and funding of Urgent Placements (Continuing Health Care)

Invoice payments to providers

Quality:

Continuing Healthcare – clinical review of current cases needing assessment for urgent care packages

Safeguarding Children and Adults

Medicines Management (Controlled Drugs)

Strategy & Delivery:

IT via Contract through RDaSH

Corporate:

Communication (to support management of business continuity incident only)

Information Governance (relating to the Category B services) and Freedom of Information

Facilities management

Health & Safety function

Page 38: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

38

CA

TE

GO

RY

C

(Re

su

me

as s

oo

n a

s p

racti

cab

le)

Finance & Contracting:

Year End Accounts (may escalate to Category B depending on time of year)

Ensuring accuracy / availability of reports to NHS England & Governing Body

Financial probity

Contracting

Procurement

Quality:

Continuing Healthcare – clinical review of current cases needing re-assessment for routine care packages

Previously Un-assessed Periods of Care team reviews

Overseeing patient safety issues through quality reporting & dealing with Serious Incidents

Medicines Management (general)

Strategy & Delivery:

Strategic Planning

Managing workstream meetings (ensuring CCG remains on track with Business Plan)

Performance Management / Business Intelligence

Corporate:

Managing corporate meetings (ensuring CCG remains on track with Business Plan)

Human Resources function

Engagement, Experience and Equality

Corporate Governance reporting

Corporate meeting infrastructure

Organisational Development

Partnerships & Primary Care:

Primary Care contracting and performance management

Partnership commissioning

Page 39: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

39

PRIORITY SERVICE CATEGORISATION

Category Impact Recovery Timescale

Category A (Critical Function)

Loss of this service would immediately: Directly endanger life Endanger the safety of those individuals for whom the CCG

has a legal responsibility Prevent the operation of another service in this category Seriously affect the CCG’s finances or accuracy of critical

records Prevent communication of vital information

This service must continue to be provided This group will include Services that usually provide a full service 7 days a week, all year

Category B (High Priority /

Medium Priority)

High Priority: Loss of Service would immediately: Present a risk to Health or Safety Prevent the CCG fulfilling a statutory obligation Prevent the operation of another service in this category Would seriously adversely affect the CCG’s reputation

This service must be resumed within 3 calendar days Services included in this group are mainly those that provide a reduced service at weekends and during holiday periods

Medium Priority: Loss of service would lead to: Serious knock on effects for the operation of a Critical or High

Priority service The CCG’s reputation being adversely affected

This service must be resumed within 7 calendar days Services included in this group will include those that normally close during weekends and during holiday periods

Category C (Low Priority)

Loss of this service would lead to: Potential knock on effect in disrupting the activities of other

services within the CCG, but no immediate impact upon the provision of Critical or High Priority services

This service should be resumed as soon as practicable Includes all other service areas that are required in order for the CCG to go about its usual business

Page 40: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

40

Appendix D

Your Role Action Card for Incident Manager

Your Base

Chair’s Office Sovereign House Heavens Walk DN4 5HZ Telephone: 01302 566300 Safe Haven Fax: 01302 566321 Email: [email protected]

Your Responsibility

Coordinating the response to the business continuity incident.

Your Immediate Actions

Identify which critical functions have been disrupted (Appendix C), assessing the facts, evaluating the impact, and clarifying the lines of communication accordingly.

Decide on contingency actions to be taken (consider action plans – Appendix E). Identify any particularly urgent issues e.g. legal / contractual.

Identify staff, resources & equipment required and assign responsibility and timescales.

Consult the Chief Officer or nominated deputy about activating the BCM Plan and suspending non-critical functions where necessary.

Convene a CCG BCM Team as required.

Inform Staff.

Inform Stakeholders of disruptions and action plan.

Consider escalation to the relevant Category 1 according to the CCG’s EPRR Policy if necessary.

Allocate rooms, telephone lines and support staff as required.

Record all relevant details of the incident and response.

Ongoing Management

Convene CCG BCM Team as necessary to monitor progress made, obstacles encountered and decide on continuing recovery process.

Provide updated information to staff and stakeholders.

Maintain action log.

Stand down If the incident can be dealt with using normal resources, notify the appropriate personnel and maintain a watching brief.

Continue to reassess the situation as further information becomes available and determine if any additional action is required.

Undertake a de-brief (Appendix F).

Page 41: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

41

National Decision Making tool:

1. Gather information and intelligence

Define the situation (what is happening or has happened). Clarify matters relating to any initial information and intelligence.

What is happening?

What do you know so far?

What further information (or intelligence) do you want/need?

What resources are available at this time and what further resources may be needed

2. Assess risks and develop a working strategy

Assess the situation, including any specific threat, the risk of harm and the potential for benefits.

Do you need to take action immediately?

Do you need to seek more information?

What could go wrong? (and what could go well?)

How probable is the risk of harm?

How serious would it be?

Is that level of risk acceptable?

Is this a situation for the NHS alone to deal with?

Are you the appropriate person to deal with this?

Develop a working strategy to guide subsequent stages:

What are you trying to achieve?

3. Consider powers, policies & procedures

Consider what powers, policies and legislation might be applicable in this particular situation

Does the CCG have the power to require action?

Does NHS England have the power to require action?

Does this incident require escalation?

Is there any NHS England or Civil Contingency Act guidance covering this situation?

Do any local Local Resilience Forum (LRF) or Local Health Resilience Partnership (LHRP) plans or guidelines apply?

What legislation might apply?

4. Identify options and contingencies

Consider the different ways to make a particular decision (or resolve a situation) with the least risk of harm.

Options:

What options are open to you? Consider the options for response, the limits of information to hand, the amount of time available, available resources and support, your own knowledge/experience/skills, and the impact of potential actions on the situation/ the public.

Contingencies:

What will you do if things do not happen as you anticipate?

5. Take action and review what happened

This stage requires you to make and implement appropriate decisions. It also requires you, once an incident is over, to review what happened.

Action:

Respond: Implement the option you have selected. Does anyone else need to know what you have decided?

Record: If you think it appropriate, record what you did and why.

Monitor: What happened as a result of your decision? Was it what you wanted or expected to happen? If the incident is continuing, go through the National Decision Making tool again as necessary.

Review: If the incident is over, review your decisions. What lessons can you take from how things turned out? What might you do differently next time?

Page 42: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

42

Incident Response Team Notes – in the event of activation of the Business Continuity Policy/Plan or Emergency/Major Incident Declared

Reason for Activating Plan

Date

Time

Brief summary of situation

Departments / functions affected

Other organisations affected

Other organisations alerted (include date and time)

Page 43: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

43

ACTIONS REQUIRED

BY WHOM

Immediate

Within 8 hours

Within 1 Working Day

Within 3 Working Days

Within 1 Week

Situation to be reviewed every

……………… hours ……………….days

Name and role of person completing (include date and time)

Name and role of person responsible for monitoring / updating (include date and time)

Page 44: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

44

Your Role Action Card for Nominated Business Continuity Administrator

Your Base

Chair’s Office Sovereign House Heavens Walk DN4 5HZ Telephone: 01302 566300 Safe Haven Fax: 01302 566321 Email: [email protected]

Your Responsibility

Provide administrative support to the management of the business continuity incident.

Your Immediate Actions

1. Report to the Business Continuity Manager for a briefing. 2. Assist in setting up the Incident Control Room with

telephones, computers etc.

3. Provide administrative support as required.

Ongoing Management

Provide updated information to staff and stakeholders.

Stand down Following stand down evaluate admin effectiveness and any lessons learned.

Page 45: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

45

Incident Log [Incident name]

Loggist initials

Date & Time Description of action / decision / communication

Action taken by / Decision made by

Page number [ ]

Page 46: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

46

Appendix E

Service-specific Action Cards

Action cards for service-specific functions / individual teams are available in the online business continuity folder, and in the emergency

box in Sovereign House.

Page 47: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

47

Appendix F Debrief Template

BUSINESS CONTINUITY INCIDENT REPORT

Date / time of incident: Date / time of stand-down:

Business Continuity Team Members:

1. Description of Incident

2. Cause/Reasons

3. Could the Incident have been prevented? If so how?

Page 48: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

48

4. Summary of Event

5. Issues Arising from the Incident

6. Recommendations/Lessons Learnt

Action Plan Drafted Yes / No

Page 49: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

49

Appendix G

Equality Analysis Form

Subject of equality analysis

Business Continuity Policy and Plan

Type Tick

Policy √

Strategy

Business case

Commissioning service redesign

Contract / Procurement

Event / consultation

Owner Name: Helen Harris

Job Title: Head of Corporate Governance

Date 13 December 2018

Assessment Summary

The overall purpose of the policy is to set out the CCG’s approach to .

Stakeholders

Tick

Staff √

General public

Service users

Partners

Providers

Other

Data collection and consultation

Please note that due to the small number of staff employed by the CCG, data with returns small enough to identity individuals cannot be published. However, the data should still be analysed as part of the EIA process, and where it is possible to identify trends or issues, these should be recorded in the EIA. Consultation on the updated policy has taken place locally. Other policies related to or referred to as part of this analysis: Legal framework: •

Protected characteristic

Positive Neutral Negative

Negative: What are the risks?

Positive: What are the benefits / opportunities?

Page 50: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

50

Protected characteristic

Positive Neutral Negative

Negative: What are the risks?

Positive: What are the benefits / opportunities?

Age

x

This policy applies to all regardless of age

Disability

x

This policy applies to all regardless of disability.

This Policy is not currently available in other formats. The assumption is that all staff will have the correct physical equipment on

their desktops to ensure that they will be able to

view this document. The CCG website does provide

the facility to view documents in larger fonts.

Gender

x

This policy applies to all regardless of gender

Race

X

This policy applies to all staff regardless of

race/ethnicity. Analysis of employee data

indicates that the percentage of white

employees is reflective of the local population.

However, the proportion of BME staff is lower than

that of the local population it serves

All staff require competencies which

include the ability to read and understand English or to request the information in another format available

to them.

Religion &

Belief

x

This policy applies to all regardless of religion or

belief

Sexual

Orientation x

This policy applies to all, regardless of sexual

orientation

Page 51: BUSINESS CONTINUITY POLICY & BUSINESS ......ISO 22301 Societal Security - Business Continuity Management Systems – Requirements. ISO 22313 Societal Security - Business Continuity

51

Protected characteristic

Positive Neutral Negative

Negative: What are the risks?

Positive: What are the benefits / opportunities?

Gender

reassignment

x

This policy applies to all regardless of

transgender/gender reassignment

Pregnancy &

Maternity

x

This policy applies to all regardless of pregnancy or

maternity

Marriage & Civil

Partnership

x

This policy applies to all regardless of marriage or

civil partnership

Social Inclusion / Community

Cohesion x This policy applies to all.

Conclusion & Recommendations including any resulting action plan

As the policy is written in English there is a potential impact on employees whose first language is not English and therefore may struggle reading the policy. The CCGs internal ‘portal’ and external website signpost individuals to alternative formats such as large print, braille or another language. Responsible lead: CCG Communications.

Review date December 2020