
CAYSH BUSINESS CONTINUITY MANAGEMENT SYSTEM

Policy Number: PP12 Issue Number: 06 : Page 1 of 28

Document Review Responsibility: Chief Executive
Date originally approved: 02/04/2014
Date last reviewed/updated: 01/09/2016

1.0 Introduction

1.1 The Business Continuity Management Standard (BS ISO 22301:2012) provides a framework for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System, aiming to help manage an organization’s overall operational risks and to avoid or aid the recovery from disruptive operational incidents. The requirements specified within the standard are generic and intended to be applicable to any organization regardless of type, size and nature of business. This policy document describes CAYSH’s interpretation and application of Business Continuity Management in relation to this standard.

The schematic below illustrates the basic ‘Plan-Do-Check-Act’ cycle of continual improvement, which is a common feature to ISO standards based management systems. CAYSH’s business continuity management system follows this same principle, with the intention that system effectiveness develops over time.


2.0 Normative References

2.1 This document corresponds with the structure of the Societal Security – ‘Business Continuity Management Systems’ – Requirements, international standard: BS ISO 22301:2012. This both supersedes and incorporates the requirements of CAYSH’s preceding BS:25999-2:2007 Business Continuity Management System.

3.0 Terms & Definitions

3.1 Key BCM terms, as used within ISO 22301, alphabetically listed below…

Business Continuity (BC): The capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident.

Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management System (BCMS): The part of the organisation’s management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. (This may include organizational structure, policies, planning activities, responsibilities, procedures, processes, resources and records).

Business Continuity Plan (BCP) – (Incident Management Plan): Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. (This typically covers resources, services and activities required to ensure the continuity of critical business functions).

Business Impact Analysis (BIA): A process of analysing an organisation’s activities and the effect that a business disruption might have upon them.

Disaster: A situation resultant from an uncontrolled major incident, where an organisation’s business continuity management system has ineffectively anticipated, prepared and responded.

ICT: ‘Information & Communications Technology’ – the electronic infrastructure upon which the organisation relies to administer the process in the modern age. (eg; Computers, Internet, Social Media, Landline & Mobile Telephones, etc)


Incident: Situation that might be, or could lead to, a disruption, loss, emergency or crisis.

Incident Management Plan (IMP) – (Business Continuity Plan): A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions necessary to manage the incident.

Interested Party – (Stakeholder): A person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. This can be an individual or group that has an interest in any decision or activity of an organization.

Invocation: The act of declaring that an organization’s business continuity arrangements need to be put into effect in order to continue delivery of key products or services.

Maximum - Acceptable Outage (MAO) / Tolerable Period of Disruption (MTPD): The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Minimum Business Continuity Objective (MBCO): The minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.

Mutual Aid Agreement: A pre-arranged understanding between parties to render mutual assistance to each other.

Prioritized Activities: Activities to which priority must be given following an incident in order to mitigate impacts. (Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key).

Recovery Point Objective (RPO): The point to which information used by an activity must be restored to enable the activity to operate on resumption. (Can be referred to as “maximum data loss”).

Recovery Time Objective (RTO): The period of time following an incident within which product, service or activities must be resumed &/or resources must be recovered. (The RTO must be less than the MAO/MTPD).

Risk: The effect of uncertainty on objectives (an effect is a deviation from the expected).

Risk Appetite: The amount and type of risk that an organization is willing to pursue or retain.


Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation.

Risk Management: Coordinated activities to direct and control an organization with regard to risk.

Stakeholders – (Interested Party): Those with a vested interest in an organisation’s success.

4.0 Context of the Organisation

4.1 - Understanding of the organisation and its context. CAYSH operates as a registered charity and is also registered at Companies House as CAYSH, limited by guarantee. The core focus of CAYSH’s services is to help young people who are facing homelessness problems. There are a number of external and internal factors that can influence risk and CAYSH’s ability to provide services, including;

• Political climate and availability of funding for services of this nature.

• CAYSH’s success in securing local authority contracts.

• The availability of operational premises and conduct of the landlords.

• Travel restrictions, caused by weather, network disruption or strike action.

• The variable nature of benefits/challenges presented by the service users.

• Consistency within availability/competence of CAYSH’s own personnel.

• Performance of CAYSH’s operating IT and communication systems.

There will of course be various other external and internal factors that influence CAYSH’s business continuity management system, but the above list is intended to outline the central issues. For further definition of CAYSH’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, etc, see the section on ‘scope’ (4.3).

All of CAYSH’s policies and objectives are aligned to focus on the delivery of services to young people. As seen within sections 5.3 (Policy statement) and 6.2 (objectives), the overall purpose of the business continuity management system is to fully and reliably provide the core housing, support and advice services to young people, at an unaffected level, throughout incidents of disruption.

When undertaking new business initiatives and developments, a measured amount of risk will be inherent for a forward thinking organisation such as CAYSH, however, the services provided to young people must be based upon reliable, risk averse methods and solutions, ensuring the outcome that the young person requires is not inadvertently disrupted. CAYSH has a low Risk Appetite.


4.2 - Understanding the needs and expectations of interested parties. Stakeholders that interrelate with CAYSH’s BCMS and their needs include;

• Service Users (mainly young persons, needing quality and security of service),

• CAYSH staff, Volunteers and Trustees. (needing a functional work environment)

• Funders and Commissioners. (need confidence in CAYSH’s ability to perform)

• Regulators and Government bodies / Local Authority (eg; social services)

• Suppliers of products, services and premises landlords / lodging providers.

• The general public who encounter young persons under the support of CAYSH.

There are a number of legal and regulatory requirements within CAYSH’s field of operation. The below (non-exhaustive) list highlights key points (as amended);

• The Data Protection Act 1998. (and forthcoming GDPR)

• The Charities Act, 2011.

• The Housing Act, 2004.

• The Children Act, 2004.

• The Equalities Act, 2010.

• Safeguarding Vulnerable Groups Act 2006

• The Protection of Freedoms Act, 2012 (DBS – ‘Disclosure and Barring Service’).

• The Health & Safety at Work etc. Act 1974 (and subsequent underpinning regs).

Through direct daily working contact with the sector, CAYSH’s management team become aware of forthcoming changes in legal and regulatory requirements which may affect operational requirements. Such issues are presented and discussed during senior management meetings and escalated to board level, where necessary. Implementation of responses to governance changes would be planned and coordinated by the Support Team/CEO’s Office. A range of other more formal sources are also utilised to ensure these requirements are kept up to date, such as; The National Council for Voluntary Organisations (www.ncvo.org.uk), The Association of Chief Executives of Voluntary Organisations (www.acevo.org.uk), Third Sector Magazine (www.thirdsector.co.uk), Sector newsletters/web publications and national newspapers (eg: Guardian ‘Society’ section), etc.

4.3 – Determining the scope of the business continuity management system. Continuing from the introductory information given above, The Scope of this business continuity management system (the product and service) is:

The Business Continuity Management System in relation to the Provision of Housing, Support and Advice Services for Young People.


A variety of key services are provided within the boundaries of the scope, inc:

• Provision of emergency and long term accommodation/support for 16-21 year olds.

• Placement and support of young persons with approved lodging providers.

• Signposting to specialist service providers for young persons with such needs.

• Preparation for financial, practical and emotional independent living.

• Facilitating reengagement with education, employment or training.

• Family Restoration Support (Homelessness prevention services)

The Principal Objective of the Business Continuity Management System is to fully provide these services, during time of incident, continuing to operate and meet the needs of Stakeholders, through any potential business disruption.

Scope of the BSI, ISO 22301 certification is applicable to the following location:

• 2 Whitgift Street, Croydon, CR0 1FL

CAYSH operate/deliver services from premises, including the following key sites:

• HEAD OFFICE: Central Croydon. (base of management / administration activity)

• DROP IN ZONE: Cavendish House (Turnaround Centre – ‘walk-in’ facility).

• Short Time Out Projects (STOP): Locations vary across the borough(s).

• GREENWICH OFFICE: Woolwich. (small local office for services in that area)

• ACCOMMODATION SITES: A variety of supervised and self-contained properties.

Key Stakeholders, who may be involved in or benefit from the BCMS, include:

• Service Users (young persons – aged mostly 16-21),

• CAYSH staff, Volunteers and Trustees.

• Funders and Commissioners.

• Regulators and Government bodies / Local Authority (eg; social services)

• Suppliers of products, services and premises landlords / lodging providers.

• The general public who encounter young persons under the support of CAYSH.

4.4 – Business continuity management system.

CAYSH has developed and shall maintain and continually improve this Business Continuity Management System, to suit the above needs.

5.0 Leadership

5.1/5.2 – Leadership and Management Commitment. The senior management team at CAYSH shall endorse, communicate and actively implement the requirements of this business continuity management system. The management team for BCM is discussed within section 5.4.


5.3 – Business Continuity Management Policy – Statement of Intent

This policy statement-of-intent, which is approved by the CAYSH Chief Executive, establishes our commitment to Business Continuity Management.

The overall business continuity objective to which we are obligated is to fully and reliably satisfy core housing, support and advice requirements to young people, at an unaffected level, throughout incidents of disruption.

When undertaking new business initiatives and developments, a measured amount of risk will be inherent for a forward thinking organisation such as CAYSH, however, the services provided to young people must be based upon reliable, risk averse methods and solutions, ensuring the outcome that the young person requires is not inadvertently disrupted.

To help us to understand potential incidents that could cause disruption to the services that CAYSH provides, we maintain a Business Continuity Management System, in compliance with the requirements of the management standard: ISO 22301. The CAYSH BCMS is externally certified by the British Standards Institution, to verify that our plans are compliant, robust and effectively embedded throughout the organisation.

The CAYSH BCMS ultimately results in precautions and planned responses to incidents that could affect our service. All personnel should ensure that they are aware of how to access this information and what they are responsible for in the time of a ‘Business Continuity Incident’. The CAYSH BCMS is available electronically and as an office Hard Copy. Training will be provided where necessary, but if you remain unfamiliar with this subject, it is your responsibility to ask your manager for guidance.

This BCM Policy Statement and the importance of meeting its objective shall be communicated to all persons carrying out work on behalf of CAYSH. This statement is publicly available upon request and shall be annually reviewed for ongoing suitability, as we are committed to continually improve the business continuity management system.

………………………………………………………………

Ann Tighe

Chief Executive


5.4 – Organizational roles, responsibilities and authorities. All members of personnel have some role to play, either in the management and potential invocation of the business continuity management system, or just through adherence to procedures, diligence and precautions in areas of risk. The BCM Team include the following key members…

Chief Executive – Responsible for endorsing the BCM policy ‘statement of intent’ and from that message, inspiring a positive approach to BC issues through the management team. The Chief Executive shall oversee any major BC changes, external statements or incidents of a significance requiring escalation.

Director of CAYSH Enterprise (Concierge Services) – Responsible for overseeing the provision of ‘out of hours’ concierge services.

Director of Operations – Responsible for overseeing activities in relation to frontline service delivery and invocation of business continuity arrangements, if an incident was to occur that impacted upon CAYSH’s ability to provide these services. Operations Director is also involved in BC exercising and overseeing the level of business continuity awareness within the operational personnel.

Operations Managers – Responsible for managing internal communications and implementing planned responses to disruptive operational incidents. An out-of-hours rota is worked by the Operations Managers, often making them the first point of contact as a business continuity incident occurs.

Communications & Business Development Manager – Responsible for producing (or overseeing) external communications and media statements resultant from an incident. Responsible for liaising both internally and with ICT service providers during an interruption to computer or telecom facilities.

Business Continuity Management Representative – Responsible for monitoring of the management team’s response during BC exercises and incidents. Responsible for liaising with any external specialist support (deputy) to oversee that the Business Continuity Management System conforms to requirements and that BCM performance is periodically reported to senior management. (This responsibility is currently held by the Communications & Business Development Manager).

Property Officers (previously Estates Manager) – Responsible for the management of physical fabric of the buildings and the safety/suitability of mechanical and electrical aspects, such as; Fire risk assessment/precautions/responses, Gas-safe (boilers), Portable/Fixed electrical checks, Water storage systems, CCTV, access control, etc.

Finance Manager – Responsible for ensuring working capital, cash-flow and payments, to ensure that suppliers/landlords do not withdraw services/facilities.


HR Manager/Officer – Responsible for managing competence and training within the workforce and maintaining records of this. Ensuring that awareness of business continuity policy, objectives and individual responsibilities is maintained. Managing the resource of training bank staff.

Internal Auditor – Responsible for planning the annual programme of internal auditing, in liaison with the ISO 22301 Management Representative. Conducting independent internal audits to sample and critically examine the BCM processes and records to test compliance against the requirements of the ISO 22301 standard and highlight potential weakness and opportunity for improvement.

6.0 Planning

6.1 – Actions to address risk and opportunities. The CAYSH management team routinely review activities and plan for general business needs, including requirements for business continuity.

6.2 – Business continuity objectives and plans to achieve them. The overall business continuity objective to which we are obligated is to fully and reliably satisfy core housing, support and advice requirements to young people, at an unaffected level, throughout incidents of disruption. Reference back to section 4.3 of this document adds further definition to the application of this core objective. All individuals involved in the delivery of services on behalf of CAYSH shall be aware of precautions and actions that they must take to underpin the achievement of this overall organisational objective in preparation for or during, a time of disruption.

7.0 Support

7.1 – Resources. The CAYSH management shall ensure provision of sufficient resources to effectively achieve the objectives of the business continuity system. These resources shall include; administration bases (offices), young person liaison points, and accommodation facilities, as well as essential supportive resources such as personnel, equipment and infrastructure.


7.2 – Competence. Throughout all operational activities CAYSH management shall ensure that personnel conducting key tasks are competent to do so, on the basis of training, qualification and/or experience. Where there is an agreed requirement, appropriate training shall be provided. Documented records shall be maintained, including each individual working on behalf of CAYSH, to reflect current skills, abilities and ongoing training requirements. With respect to business continuity management, within the overall system for planning and recording training and competence, there shall also be records to reflect competencies relating to business continuity management, for example;

• Key IT hardware/software (data recovery) skills.

• Skill to oversee the implementation of Incident Management Plans.

• Ability to compile and issue a Media Press Release.

• Involvement in ongoing BCM development through Exercise Coordination.

• Competence to provide BCM awareness & refresher training to staff.

7.3 – Awareness. Embedding BCM in the organisation’s culture is critical for the effective implementation of business continuity management arrangements during time of disruption; the arrangements must be fully embedded across the organisation. In order to achieve this, a range of activities shall be maintained, including:

- Availability of this document and the incident management plans, in communal hard copy in the head office and also electronically to all personnel.

- Communication of business continuity arrangements within induction training for new starters (these shall be recorded). This should include discussion relating to the BCM policy, objectives and how the trainee would contribute towards the realisation of effective business continuity management at CAYSH.

- Annual ‘refresher’ activities for all staff, either via training courses, forums and/or issue of written update information.

- BCM Exercising continues to embed the principles.

- Display items on notice boards, including the BCM policy statement.


The overall effectiveness of the above ‘embedding’ shall be routinely monitored through the exercising and internal auditing regimes, which are, in part, designed to test the organisation’s awareness of BCM processes.

7.4 – Communication. All external releases of information, including; media statements, communications with employee or young person’s relatives or communications with other interested parties, in time of incident, shall be delivered by the CAYSH communications manager or a member of the senior management team. If the nature of the situation dictates, the emergency services (eg; Police) may be involved in delivering external communications.

Internal communications at CAYSH are facilitated using a variety of face-to-face meetings, email, hard copy/displayed documentation, mobile and landline phones, text/messaging devices, social media, etc. There is no rigid set pattern to when internal communication occurs – it is as, how and when necessary. Through this variety of mechanisms, internal communication is designed to be robust in a time of disruption.

The communications manager shall stay in touch with any regional threat advisory systems, at a time of such an incident (for example; police/news when there is a risk of civil unrest, EA floodline, if a flooding risk is apparent, etc).

7.5 – Documented Information. The Documentation requirements of ISO 22301 are addressed both within this BCMS Manual, and also by the Supporting documentation/Incident Management Plans described within. BCMS records shall be maintained electronically, wherever feasible, thus ensuring retrievability, during or following an incident. All hard or electronic records shall be held in suitably named/identified folders in a legible manner. Each BCMS document shall show suitable identifying details, such as a title and/or reference number, plus a revision status and/or date.

The Chief Executive shall review and approve the BCMS, before it is released into use – evidence of this is shown by recorded initials on the document itself. There shall be one office hard copy of the BCMS, to which all personnel have access. The critical BCMS documentation shall also be made electronically available via the CAYSH N Drive, which is accessible to staff from office computers and remotely.


In the event that BCM documentation is required, but is not available through the above two methods, this can be provided through a web-portal, to any member of the BCM management team, by external consultants, Admac Ltd, who also hold a copy of the information.

8.0 Operation

8.1 – Operational Planning and Control. CAYSH plans, implements and controls processes needed to meet the organisation’s business continuity requirements.

8.2 – Business Impact Analysis and Risk Assessment. The table below is used to represent the impact and variance over time caused by disruption to the activities that support CAYSH’s provision of service. The BIA is based upon stakeholder interests, applicable legal requirements (see 4.2) and the management team’s assessment of perceived effect. The currency and ongoing suitability of the BIA will be reconsidered annually within the management review process (see section 9.3) and/or when the organisation undergoes any significant change. This information will be kept up-to-date and confidential, if/where necessary.

The left hand column states what the activity is, with each activity taking a new line in the table. Each cell in the row is allocated with a risk rating. The numerical rating is the level of impact caused to the organisation or service users of not having that particular activity available. If multiple activities are disrupted simultaneously, priority for recovery would be guided by the relative impact rating of each. Further BCM dependencies can be seen on the Incident Management Plans and within supporting documentation.

Supporting Activities & Risk Assessment

Following the BIA is a definition of the critical activities needed to support the provision of the key product/service and perceived vulnerabilities and threats to their functioning. As a result of management discussions, against each of these activities is defined an assessment of threats/vulnerabilities and their potential impact on CAYSH’s operations. A likelihood/severity assessment has been applied, along with what are regarded to be appropriate treatments, taking into account their relative cost, in relation to the risk and criticality.


BUSINESS IMPACT ANALYSIS

Ratings Index: 1 = Negligible / 2 = Low / 3 = Medium / 4 = Very High / 5 = Extreme.

Key : RTO (Recovery Time Objective) / MTPD (Maximum Tolerable Period of Disruption)

Activity: Operation of information & communication technology
Impact rating: 1 hour 3 / 4 hours 3 / 1 day 4 / 3 days 4 / 1 week 5 / 1 month 5
RTO: 1 Hour
MTPD: 1 Week
Dependencies: CAYSH IT Coordinator; External Support (Akita); External Software (CDP)
Resources for Resumption: CAYSH IT Coordinator; External Support (Akita); ICT Hardware; Software (Systems & Data); Internet Connectivity
Comment: Exact impact would depend upon the particular nature of the IT failure. Minimum recovery needs to ensure access to operational data and email facility.

Activity: Availability of competent CAYSH personnel
Impact rating: 1 hour 3 / 4 hours 3 / 1 day 4 / 3 days 4 / 1 week 5 / 1 month 5
RTO: 4 Hours
MTPD: 1 Week
Dependencies: CAYSH Personnel; Bank Personnel
Resources for Resumption: CAYSH Managers / Staff; Telecommunications; Bank Personnel
Comment: Exact impact would depend upon the number and roles of the unavailable personnel.

Activity: Mobility of CAYSH personnel
Impact rating: 1 hour 2 / 4 hours 2 / 1 day 2 / 3 days 3 / 1 week 3 / 1 month 4
RTO: 1 Day
MTPD: 1 Week
Dependencies: Bus / Train / Tube / Cars; Personnel driving licences
Resources for Resumption: Telecommunications; Remote working capability; Public transport or cars
Comment: Partial or total mobility restrictions will have differing effects.

Activity: Availability of operational premises
Impact rating: 1 hour 3 / 4 hours 3 / 1 day 4 / 3 days 4 / 1 week 5 / 1 month 5
RTO: 4 Hours
MTPD: 1 Week
Dependencies: CAYSH operational bases
Resources for Resumption: Telecommunications; Remote working capability; Alternative work locations
Comment: Exact impact would depend upon the purpose and duration of premises unavailability. Service managers to coordinate relocation to alternative if appropriate.

Activity: Availability of funding / capital
Impact rating: 1 hour 1 / 4 hours 1 / 1 day 1 / 3 days 2 / 1 week 3 / 1 month 4
RTO: 1 Week
MTPD: 1 Month
Dependencies: WRAPP (Paloma); Sage; Barclays Bank
Resources for Resumption: Personnel with bank access; Appropriate cash reserves
Comment: Non-availability of finance to fund CAYSH’s operations will have significant effect. The head of finance is to oversee and manage such issues.


a) - OPERATION OF INFORMATION & COMMUNICATION TECHNOLOGY.

CAYSH personnel access/update information and communicate from computers within the operational locations and/or via portable devices whilst out of office. Data is held on remote hosted servers, accessed via the local internet connection. Fixed line and mobile telephone devices are used extensively to communicate.

| Threat | Potential Impact | Risk Treatment | Responsible | Residual Risk: Likelihood | Residual Risk: Severity |
| --- | --- | --- | --- | --- | --- |
| Hardware Failure | Inability for CAYSH to access operational information or communicate electronically | Ensure equipment is current and maintained and that spares or replacements are readily available. It is expected that failure event would be restricted to a single user/item | Com’s Manager and supporters | Medium | Low |
| Software failure | Inability for CAYSH to access operational information or communicate electronically | Ensure software is updated and virus protected. Maintain the ability to wipe and re-load corrupt software. Maintain external support relationship | Com’s Manager and supporters | Medium | Medium |
| Telephone Failure | Inability for CAYSH to make voice calls to other members of CAYSH, service users or other stakeholders. | Failure of a single telephony system would normally be backed up by land-line to mobile (or vice versa). Email can be a secondary back-up | Com’s Manager and supporters | Low | Medium |
| Loss of internet access | Access to the web can be from a wide variety of sites. Email and information on the server would be unavailable | The method of internet access from all normal points of work is to be known and understood, with ISP details readily available for contact. | Com’s Manager and supporters | Medium | Medium |
| Data loss | Service user and operational data is stored electronically on external hosted servers. Loss of this data would be a significant disruption | Data is externally hosted, which is perceived to be much more secure than maintaining a local server. The hosting service provider is to demonstrate data security provision | Com’s Manager and supporters | Low | High |
| Loss of access to hosted server | Inability for CAYSH to access operational data and email. | Recognised, reputable, stringently evaluated providers are engaged for provision of this service. | Com’s Manager and supporters | Medium | Medium |
| Power Loss | Renders all computer based activities out of action for the duration of the outage | Ensure any local faults are identified and rectified via fixed wire test. Maintain remote server access | Com’s Manager and Estates Manager | Medium | Medium |


b) - AVAILABILITY OF COMPETENT CAYSH PERSONNEL.

For CAYSH to provide services, competent personnel must be available for work in a fit and functioning state.

| Threat | Potential Impact | Risk Treatment | Responsible | Residual Risk: Likelihood | Residual Risk: Severity |
| --- | --- | --- | --- | --- | --- |
| Accident, Illness or loss of a key person | Certain key persons could be temporarily or permanently unavailable | Multi-skill workforce wherever possible and practical. Define clear working practices that would be easily followed in such an event | Management | Med | Med |
| Epidemic | Operational personnel being unavailable to provide CAYSH services. | Upon identification of epidemic, staff told to remain isolated if they exhibit symptoms. Washing of hands and cleaning of office items such as door handles, phones, etc, to be increased | Managers to communicate and coordinate | Low | High |
| Personnel strike | Operational personnel being unavailable to provide CAYSH services. | Management/Staff disputes to be efficiently addressed. Any applicable unions are to be known/understood | Management | Low | High |
| Group leavers | Operational personnel being unavailable to provide CAYSH services. | Bid effectively for contracts, avoiding personnel loss through TUPE. | Management | Low | High |

c) - MOBILITY OF CAYSH PERSONNEL.

Members of the CAYSH team travel to get to work, and during work, to reach the premises that require their presence.

| Threat | Potential Impact | Risk Treatment | Responsible | Residual Risk: Likelihood | Residual Risk: Severity |
| --- | --- | --- | --- | --- | --- |
| Severe Weather | CAYSH personnel may be prevented from any travel, hence, impacting service | Traditionally, total inability to travel is for a short period only. Some staff can work from home and some support can be facilitated over phone | Management to coordinate | Med | Med |
| Fuel Shortage | Private/CAYSH vehicle fuel may be difficult to obtain, causing mobility restrictions | Due to CAYSH’s area of operation, public transport links are good. Most staff do not rely upon cars. | Management to coordinate | Med | Low |
| Transport Strike | Trains, Buses and/or Tubes may be affected by industrial action, causing mobility issue | Alternative arrangements such as cars, cycling and/or walking would be appropriate. Some staff can work from home and some support can be facilitated over phone. | Management to coordinate, but staff to be resourceful to find alternative | Med | Low |
| Vehicle Loss | If a CAYSH vehicle became unavailable, this is not critical to the service and other arrangement can be made | CAYSH vehicle(s) to be appropriately serviced and secured when parked. Replacement vehicle can be hired at short notice if necessary | Management to coordinate | Med | Low |
| Licence Loss | Person who drives for CAYSH operational activity is no longer able to do so. | An alternate driver can be appointed for such duties | Management to coordinate | Low | Low |


d) - AVAILABILITY OF OPERATIONAL PREMISES.

CAYSH operate from various premises.

| Threat | Potential Impact | Risk Treatment | Responsible | Residual Risk: Likelihood | Residual Risk: Severity |
| --- | --- | --- | --- | --- | --- |
| Fire | Operational Premises may become temporarily or permanently unavailable without warning | Fire risk assessment to be completed on every operational property and fire equipment/precautions established. Alternative premises to be known and accessible, wherever feasible. | Estates Manager | Med | High |
| Flood (natural) | Operational Premises may become temporarily or permanently unavailable without warning | Flood risk considered minimal in most CAYSH locations. Substitute premises to be known and accessible, wherever feasible. | Management | Low | Med |
| Flood (Plumbing) | Operational Premises may become temporarily unavailable without warning | Plumbing engineer with prompt call out response times to be known to CAYSH for such an event. | Property Officers | Med | Low |
| Power Loss | Operational Premises may become temporarily unusable without warning | Contact details for utility providers to be readily available. Electrician with prompt call out response times to be known to CAYSH for local fault rectification. | Management | Med | Low |
| Gas Leak | Operational Premises may become temporarily unusable without warning | Contact details for utility providers to be readily available. Gas engineer with prompt call out response times to be known to CAYSH for local fault rectification. | Management | Low | Med |
| Heating or Hot Water loss | Operational Premises may become uncomfortable | Heating engineer with prompt call out response times to be known to CAYSH for fault rectification. | Management | Med | Low |
| Weather damage | Operational Premises may become temporarily unusable without warning | Builder with prompt call out response times to be known to CAYSH for rectification of unsafe areas | Management | Low | Low |
| Police cordon | Operational Premises may become temporarily inaccessible without warning | Substitute premises to be known and accessible, wherever feasible. Some activities can be conducted remotely | Management | Low | Low |
| Road closures | Operational Premises may become temporarily inaccessible without warning | Substitute premises to be known and accessible, wherever feasible. Some activities can be conducted remotely | Management | Low | Low |
| Disruptive resident | Safe and normal functioning of CAYSH operations may be interrupted by such an event | Experienced CAYSH personnel will be available to pacify the situation. Police involvement may be necessary for criminal or serious situations. | Management | Med | Low |
| Lost keys or faulty locks | Operational Premises may be temporarily inaccessible without warning | Key holders for CAYSH operation sites shall be known and contactable. A locksmith with prompt call out response times to be known to CAYSH, if forced entry is necessary | Management | High | Low |
| Landlord restrictions/evictions | Certain persons or business sections may be excluded by third party landlords | Ensure agreements with third parties are documented and clearly define such Landlord/CAYSH rights | Management | Low | Med |
| Theft or Vandalism | Operational Premises and/or equipment may be temporarily unavailable, without warning | Substitute premises to be known and accessible, wherever feasible. Some activities can be conducted remotely | Management | Med | Low |


e) - AVAILABILITY OF FUNDING / CAPITAL.

CAYSH is predominantly financed from statutory sources (i.e. public funded). The stability of the organisation is dependent upon continuing funding and security of capital and cashflow.

| Threat | Potential Impact | Risk Treatment | Responsible | Residual Risk: Likelihood | Residual Risk: Severity |
| --- | --- | --- | --- | --- | --- |
| Banking collapse | Significant effect on CAYSH’s capacity to pay staff and fund supporting infrastructure | Working capital maintained with reputable large banks, which are subject to levels of assurance | Directors and Finance Manager | Negligible | High |
| Payments to staff | Large payments such as redundancy or litigation claims could affect cashflow | Ensure compliant operations to avoid such payments wherever possible. Maintain suitable cash reserves | Directors and Finance Manager | Low | Med |
| Funding withdrawal | If CAYSH’s commissioners withdrew funding, this would affect service capacity | CAYSH principles are to avoid this, however, this would be a ‘long-notice’ incident which could be planned for. | Directors and Finance Manager | Low | High |
| Fraud and Forgery | Potential effect on CAYSH’s capacity to pay staff and fund supporting infrastructure | Security/checking arrangements. Cheque signing protocols. Maintain cash reserves | Directors and Finance Manager | Negligible | High |

8.3 – Business Continuity Strategy.

CAYSH has in place an ample range of resources to prioritise and respond to operational disruptions, including an agile and dedicated team of frontline and supportive staff, a range of administrative and accommodation premises and a robust ICT system to bind operations together.

In time of incident, the CAYSH management team coordinate a planned response, firstly evaluating the severity of the situation, the implications for the short term provision of service to the young person(s) and the resources applicable to respond to the incident. Incident management plans shall be referred to as a guide towards re-establishing a satisfactory service level, within the recovery time objective.

Evaluations/appraisals of critical suppliers shall be undertaken to ascertain their suitability and reliability. If an incident affects factors of CAYSH’s service that involve third party suppliers (i.e. accommodation provided by external landlords), appropriate communication shall be instigated at the earliest opportunity. The current approach to supplier BCM assessment is diverse, depending upon the nature, risk and criticality of the supplier. As a minimum, a member of the BCM management team shall reflect upon their knowledge of the supplier’s BC characteristics and summarise this onto the critical suppliers list; further action is instigated if necessary.

Throughout the incident response, communication with appropriate stakeholders (specifically the young persons) shall be maintained, in order to minimise concern as to CAYSH’s ability to continue to provide services.


8.4 – Establishment and Implementation of Business Continuity Procedures.

When an incident is identified, the CAYSH management team/incident response personnel (See 5.4) shall coordinate the response, taking into account characteristics of the situation and guidance given on the incident management plans. CAYSH shall not routinely externally communicate regarding significant risks and impacts, but shall instigate communications during an incident, appropriate to the nature of events and response.

Due to the nature of CAYSH’s activities, detection of an incident is a straightforward process, without the need for complex risk advisory or detection and warning systems. The threshold at which ‘a BC incident’ is declared is jointly decided by members of the management team, taking into account the observed and anticipated disruption to stakeholders.

As an incident is identified and a response is planned and implemented, clear communication shall be ensured, both within CAYSH and externally with stakeholders and, where appropriate, the young persons. Where an incident that may be perceived as ‘serious’ is encountered, the CAYSH management team shall compile a public statement, ready for issue to stakeholders or media, etc. This is in order that an organised and robust appearance is portrayed, mitigating any potential lack of confidence in CAYSH’s ability or reputational damage. Public/media statements must be fact-based, reviewed and authorised by the Chief Executive or Communications Manager, prior to verbal or written release.

Once an incident has been encountered and responded to, the BCM management team shall agree completion, stand-down and post-incident lessons to be learnt, via group discussion. Each significant incident encountered shall be recorded onto an Incident Record Sheet. See Appendix No.1 at end of document.

Recovery and return to normal following ICT disruption (See: IMP A)

Malfunctioning hardware/software shall be investigated and rectified by CAYSH in-house/external ICT personnel. Staff make alternative arrangements to access information and communicate, as discussed above. Once ICT problems are addressed, applicable CAYSH staff shall be informed and they shall test-use the system to ensure it is fully functional again. Following this, normal operations shall resume.

Recovery and return to normal following staff availability disruption (See: IMP B)

Once the incident that has caused unavailability of staff has passed, the CAYSH management/operational resource staff structure shall return to normal. Formal meetings and reports, or informal discussions, may be necessary to share knowledge of events whilst staff have been away from the workplace. Return-to-work interviews may be necessary for individuals who have been on sick leave for an extended period.


Recovery and return to normal following staff mobility disruption (See: IMP C)

Once mobility restrictions have ceased, staff will resume work activities as normal, with little requirement for special recommencement actions, other than visiting places/persons who may not have had the planned level of contact during the disrupted period.

Recovery and return to normal following premises disruption (See: IMP D)

The recovery actions to return to normal will be dependent upon the nature of the premises disruption. If access was only temporarily blocked, reoccupation can be as simple as just entering the premises and recommencing work activities. If the disruption has been more intrusive, communication with and movement of staff, young persons, furniture, ICT connections, etc, may have to be made. If the premises have been vacated for a significant period of time or their configuration/use has been changed, it may be necessary to carry out risk assessments to confirm the safety and suitability of the premises for their intended reoccupation.

Recovery and return to normal following financial disruption (See: IMP E)

The senior financial team will require close monitoring of financial issues to ensure the flow of money in and out of the organisation is appropriate to ensure correct payments are made at the required times. Meetings with banks, funders and/or other financial stakeholders may be necessary to facilitate a smooth transition back to financial stability.

8.5 – Exercising and Testing.

One mechanism for maintaining and reviewing the BCM arrangements is through the annual management review, where performance and suitability are considered and the need for systemic changes discussed.

To verify that personnel have been made aware of business continuity management issues and to validate that the business continuity management system is effectively embedded across the organisation, a series of ‘exercises’ is conducted across the year. Due to the sensitive nature of CAYSH’s service provision and in order not to instigate occurrence of a real incident as a result, these exercises are generally based upon planned, but unannounced, staff interviews and office based scenarios, presenting a range of ‘mock incidents’, to which staff will be asked to describe a structured response.

An annual exercise plan shall be defined, with approval of BCM management. Records of exercises and resultant improvements identified shall be maintained.


9.0 Performance Evaluation

9.1 – Monitoring, Measurement, Analysis and Evaluation.

Characteristics of the business continuity management system shall be monitored and data analysed where appropriate. Due to the nature of CAYSH’s activities, there is not a large number of BC metrics. Key information monitored would include:

• Number of incidents that have formally invoked a BC response.

• Number of exercises completed (to help ascertain the comprehensiveness).

• Number of staff who have/haven’t had BC awareness induction/training.

9.2 – Internal Audit.

An ongoing programme of internal audits of the BCMS shall be planned, documented, undertaken and recorded. Any nonconforming findings shall be recorded within the audit documentation and subsequent corrective actions implemented. Personnel undertaking internal audits of the Business Continuity Management System for CAYSH must be experienced and competent in auditing techniques, have a good understanding of the structure and application of BS/ISO standards and shall be independent from the day-to-day operations of CAYSH’s BCMS.

9.3 – Management Review.

The Senior Management shall review the organization’s BCMS at least annually, or when significant changes occur, to ensure its suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the BCMS, including the business continuity management policy and business continuity management objectives. The reviews shall be clearly documented and records shall be maintained.

10.0 Improvement

10.1 – Nonconformity and Corrective Action.

In a situation where the BCMS has not performed as it should, a nonconformity report should be raised to record the situation and subsequent improvement actions.

10.2 – Continual Improvement.

Through the setting and monitoring of objectives, continued BCMS development by the management team, and acting upon problems and outcomes of exercises and incidents, CAYSH shall endeavour to continually improve the effectiveness of the Business Continuity Management System.


INCIDENT MANAGEMENT PLANS.

Quick-Find Index:

| A - Z (Nature of Incident) | Refer to… |
| --- | --- |
| Accident / Injury | Incident Management Plan – B |
| Banks | Incident Management Plan – E |
| Buses | Incident Management Plan – C |
| Car | Incident Management Plan – C |
| CDP | Incident Management Plan – A |
| Computers | Incident Management Plan – A |
| Data Access/Loss | Incident Management Plan – A |
| Diesel | Incident Management Plan – C |
| Driving | Incident Management Plan – C |
| Email | Incident Management Plan – A |
| Epidemic | Incident Management Plan – B |
| Financial | Incident Management Plan – E |
| Fire | Incident Management Plan – D |
| Flooding | Incident Management Plan – C or D |
| Flu | Incident Management Plan – B |
| Fuel | Incident Management Plan – C |
| Gas | Incident Management Plan – D |
| Hardware | Incident Management Plan – A |
| Heating / Hot Water | Incident Management Plan – D |
| Illness | Incident Management Plan – B |
| Internet / Web | Incident Management Plan – A |
| Keys | Incident Management Plan – D |
| Laptop | Incident Management Plan – A |
| Locks | Incident Management Plan – D |
| Mobile Phones | Incident Management Plan – A |
| N Drive | Incident Management Plan – A |
| Personnel non-availability | Incident Management Plan – B |
| Petrol | Incident Management Plan – C |
| Phones | Incident Management Plan – A |
| Police | Incident Management Plan – D |
| Power Loss | Incident Management Plan – A and D |
| Public Transport | Incident Management Plan – C |
| Remote Working | Incident Management Plan – A |
| Road Closures | Incident Management Plan – D or C |
| Server | Incident Management Plan – A |
| Sickness | Incident Management Plan – B |
| Snow | Incident Management Plan – C |
| Software | Incident Management Plan – A |
| Strike | Incident Management Plan – B or C |
| Telephones | Incident Management Plan – A |
| Trains / Tubes | Incident Management Plan – C |
| Vandalism | Incident Management Plan – D |
| Vehicles | Incident Management Plan – C |
| Weather | Incident Management Plan – C or D |


INCIDENT MANAGEMENT PLAN – A

OPERATION OF INFORMATION & COMMUNICATION TECHNOLOGY (ICT).

• Purpose & Scope: To recover the full functionality of the ICT system.

• Communication with Employees/Relatives: Employees informed at time of effect, either via email/social media, mobile phone and/or face-to-face (whatever is applicable).

• Resources for period of recovery: CAYSH IT support personnel, Akita & ICT Equipment.

• Objectives for critical activity recovery: Full ICT functionality, equally critical.

The BCM management team have responsibility and authority to oversee actions during and following such an incident. Activation of response shall follow verbal agreement and stand-down/external communications, etc, shall be coordinated by the BCM management team.

Applicable scenario: Computers, electronic information systems and/or communications equipment fail to function correctly. Such failures can be for a range of reasons, with varying implications, restricting email or telephone communication, access to CDP/service user information, ability to carry out administration, etc.

Consider how the particular problem that you are experiencing will affect your ability to carry out your normal activity. Can your work plans be adjusted or alternative methods used, until the ICT system is restored?

Some IT problems can be overcome by simple shutdown and restart of the hardware/software, so this is an action to initially try, where possible.

If you are in a situation where you can easily speak to other members of staff, ascertain whether the problem is isolated to your equipment, or whether it is a wider problem for CAYSH.

If within working hours, report the problem to the IT Coordinator (Communications Manager) for advice on contingencies and solutions. John is the key person at CAYSH to rectify ICT issues, working in association with our support providers ‘Akita’.

In a lot of scenarios, the ICT issue will be applicable to an individual location or piece of equipment. If a short term resolution is not available, the person experiencing the outage should consider whether ICT based work can be (and is appropriate to be) conducted from another location, such as another CAYSH office, home working or even an internet café (remote access to data is possible).

If an ICT issue arises outside of working hours, or in-house help is unavailable, CAYSH personnel can make contact with the ICT support company directly.

• Akita Systems Limited – 01732 762675 (http://www.akitasystems.com/)

Akita will advise upon the cause of the problem and necessary actions to rectify.

NB: Be aware that charges to CAYSH may be incurred if non-urgent calls are made to Akita outside of working hours. Therefore, if the ICT failure does not significantly affect your ability to carry out your work, nor does it impact upon the service users, then the situation is to be reported at the beginning of the next working day.


INCIDENT MANAGEMENT PLAN – B

AVAILABILITY OF COMPETENT CAYSH PERSONNEL

• Purpose & Scope: To deliver consistent service, throughout staff absences.

• Communication with Employees/Relatives: Contact made on first day of absence, either via email/social media, mobile phone and/or face-to-face (whatever is applicable).

• Resources for period of recovery: CAYSH operational personnel & CAYSH Management.

• Objectives for critical activity recovery: Management most critical, then frontline.

The BCM management team have responsibility and authority to oversee actions during and following such an incident. Activation of response shall follow verbal agreement and stand-down/external communications, etc, shall be coordinated by the BCM management team.

Applicable scenario: Key persons are not able to conduct work, through accident, illness, industrial action or other such reason. (Welfare of staff to be ensured at all times)

If individuals are unavailable for work on specific day(s), this is managed as routine staff absence/sickness, with management re-distributing or deferring tasks, as appropriate.

At the point where personnel absence is reported, their manager and/or co-workers shall establish if there are any key tasks that have been planned to occur during that absence (especially if the young persons are involved, i.e. planned meetings, etc), and re-direct resource or reschedule the events, as appropriate.

If it becomes apparent to management that a higher number of staff will become unavailable for a specific reason, an immediate meeting shall be held between the BCM management team (see: 3.2.4) to establish how workload is to be redistributed.

In order to mitigate impacts of such an event, the following precautions are to be observed and the resultant preparations called upon in time of incident…

• Bank Staff – For certain key positions, support staff shall be pre-established and vetted. These persons are not operational on a day-to-day basis, but CAYSH has prior arrangements with them, on the understanding that they can be called upon in times where such a resource is needed.

• Multi Skilling – Wherever possible within CAYSH, the requirements of an individual job role shall not be exclusively known by a single person. Throughout the course of operations, multiple individuals shall have experience with each type of process within the organisation, wherever viable.

• Infection Control – If a member of staff is reporting or exhibiting symptoms of a significant illness, especially if a particular illness type is reported as being currently prevalent in the UK (i.e. strains of influenza, etc), it shall be requested that they visit their doctor without delay. Dependent upon job role and work location, the person’s manager shall consider whether it is appropriate to ask the person to remain at home (working remotely if applicable), to avoid the risk of staff infection. If a person with such symptoms/diagnosis has been within the workplace, increased diligence in cleaning of items such as keyboards/mice, phones, door handles, etc, shall be tactfully instigated.


INCIDENT MANAGEMENT PLAN – C

MOBILITY OF CAYSH PERSONNEL

• Purpose & Scope: To deliver consistent service, throughout mobility restrictions.

• Communication with Employees/Relatives: Contact made on first day of incident, either via email/social media, mobile phone and/or face-to-face (whatever is applicable).

• Resources for period of recovery: CAYSH Operational personnel & Transport means.

• Objectives for critical activity recovery: Frontline staff mobility is most critical.

The BCM management team have responsibility and authority to oversee actions during and following such an incident. Activation of response shall follow verbal agreement and stand-down/external communications, etc, shall be coordinated by the BCM management team.

Applicable scenario: CAYSH staff commute to/from work and some personnel travel from site to site, across CAYSH’s operational area, in order to deliver front line services. Industrial action affecting public transport or fuel supplies, adverse weather or individual vehicle/licensing problems have scope to affect this mobility.

For all of the above scenarios, two key considerations shall be made: 1) How does this affect the young persons? 2) Can the individual(s) work remotely/from home?

Fuel Shortage – The BCM management team (see: 3.2.4) shall closely monitor any developing situations regarding industrial disputes that are likely to affect fuel supply. It shall be communicated to CAYSH personnel that drive, that vehicle fuel tanks should be maintained at a high level. If fuel supply does become interrupted, the following considerations shall be immediately undertaken…

- Who needs to drive/where (i.e. what are important/non-important journeys)?
- What journeys could be undertaken by alternative means?

The outcome of the above questions shall be communicated to CAYSH drivers and fuel reserves used as appropriately as possible. For safety reasons, CAYSH shall not store ‘emergency’ petrol/diesel in containers.

Public Transport Strike – Upon announcement of industrial action that will affect trains, tubes, buses and/or trams, the BCM management team (see: 3.2.4) shall review which members of the CAYSH team currently rely upon these means and how services to young people may be affected by the individual situation. CAYSH operates in a reasonably compact geographical area; staff consideration shall be given to applicability of alternative transport means (car / cycle / walk).

Adverse Weather – When significant snow/ice, wind or flooding is forecast, the BCM management team (see: 3.2.4) shall review which members of staff need to travel from where and make decisions/advise staff based upon a risk assessment of travelling in bad weather and continuity of CAYSH’s service to the young persons. In this scenario, the safety of CAYSH personnel must not be put at significant risk. (Welfare of staff must be protected at all times)

Vehicle or Licence Issues – When an incident occurs that affects an individual CAYSH vehicle or driver, the BCM management team shall hire a replacement vehicle (where appropriate) and/or redirect responsibility for driving activities.

INCIDENT MANAGEMENT PLAN – D

AVAILABILITY OF OPERATIONAL PREMISES

> Purpose & Scope: To deliver consistent service, throughout premises restrictions.
> Communication with Employees/relatives: Applicable staff immediately informed, either via email/social media, mobile phone and/or face-to-face (whatever is applicable).
> Resources for period of recovery: See BIA (Consistently throughout recovery)
> Objectives for critical activity recovery: YP Accommodation is the highest priority

The BCM management team have responsibility and authority to oversee actions during and following such an incident. Activation of response shall follow verbal agreement and stand-down/external communications, etc, shall be coordinated by the BCM management team.

Applicable scenario: A CAYSH operational premises becomes unavailable without sufficient prior notice to plan, communicate and instigate other arrangements. This situation may affect CAYSH offices and/or accommodation sites and may be the result of a wide range of incidents such as damage to the building or blocked access, etc. (see 4.1).

Such a scenario may be a result of an ‘emergency situation’ and it is the responsibility of the CAYSH member of staff who first discovers it to initiate actions as follows…

Fire / Crime / Injury / Illness – Call 999 …a member of the CAYSH BCM team shall then be alerted for further review and action.

Situations with Buildings/Utilities Supply: See Outlook Contact List separate to this document.

As an individual becomes aware that use of the premises at which they intended to work will not be possible, the following considerations should be given to their role…

• Are young people directly affected by the situation?

• Will the situation require young people to be relocated to alternative accommodation?

• Are there imminent planned meetings with third parties that need to be facilitated?

• Is the individual’s main role of a mobile nature that can continue unaffected?

• Does the individual’s main role allow for home/remote working?

If the answers to the above considerations are no, then relocation to an alternative CAYSH premises is appropriate.

Resource required… CAYSH premises management team & appropriate buildings (eg; Regus)

INCIDENT MANAGEMENT PLAN – E

AVAILABILITY OF FUNDING / CAPITAL

> Purpose & Scope: To deliver consistent service, throughout financial incidents.
> Communication with Employees: Senior management immediately informed, either via email, mobile phone and/or face-to-face (whatever is applicable)
> Resources for period of recovery: See BIA (Consistently throughout recovery)
> Objectives for critical activity recovery: To be able to pay personnel on time.

The BCM management team have responsibility and authority to oversee actions during and following such an incident. Activation of response shall follow verbal agreement and stand-down/external communications, etc, shall be coordinated by the BCM management team.

Applicable scenario: The financial stability/cashflow of the organisation is compromised by an incident, as hypothesised within section 4.1.

The CAYSH senior management team manage the financial and associated security arrangements of the organisation, with suitable reserves/robustness to secure the ongoing financial stability of the organisation. In such a situation where this is compromised, or appears as if it may be compromised, the senior management and BCM management team (see: 3.2.4) shall review/discuss implications and especially how this filters through to the front line service to the young persons. Financial mitigations, in cooperation with commissioners and/or banks, shall be instigated, as applicable to the situation. In order to protect reputational issues the Chief Executive and Finance Manager shall agree the need to issue a public statement of reassurance, which shall only be presented by either of those two persons.

Resource required… CAYSH finance personnel & Banking facilities.

APPENDIX 1 – INCIDENT RECORD SHEET

When a significant incident occurs and CAYSH’s response is invoked, a record shall be made on this sheet.

Date that incident began: Type of Incident:

Description of the Incident (what / when / where / who / etc)

What did CAYSH do to respond to the incident?

In the management’s opinion, was the incident satisfactorily responded to? Yes / No.

Post-incident, what can be learnt as a result and do any changes need to be made?

Date that incident was closed: Manager Sign off:

APPENDIX 2 – AWARENESS & EXERCISE RECORD

CAYSH carries out regular tests to verify that staff are aware of what is required of them, the risk controls in place and the planned incident responses in the event of an interruption to our operations. This also acts as an exercise to ensure our BCM arrangements are valid. To achieve this a Manager will from time to time conduct a short, unannounced ‘interview’ asking questions to investigate the interviewee’s understanding of BCM as if a real interruption to operations had occurred. The outcomes will be fed back to HR and may support further training but will not be part of any other HR consideration.

BCM A&E conducted by (manager): Date Conducted:

BCM A&E subject (interviewee): Job Title:

Did the interviewee demonstrate a sufficient understanding of the principles of Business Continuity

Management at CAYSH, including Policy and Objectives? Yes / Partly / No.

Comments..?

BCM EXERCISING…

The BCM Manager is now to present a mock scenario that has been encountered. The interviewee is to describe what he/she would do in response to this hypothetical incident.

Description of mock scenario given for this exercise (eg: what incident / where / when / involving / etc?)

Paraphrased description of the interviewee’s response…

In the BCM manager’s opinion, was the result of this exercise satisfactory? Yes / No.

Post-exercise, what can be learnt as a result and do any changes need to be made?