Business Continuity Management Strategy

Business Continuity Management Strategy Version Ratified by Date ratified Name of originator / author Name of responsible committee Date issued Revie...
0 downloads 0 Views 379KB Size
Business Continuity Management Strategy

Version Ratified by Date ratified Name of originator / author Name of responsible committee Date issued Review date Target audience

FINAL 1.0 Audit Committee 17/03/16 David Morris, Midlands and Lancashire CSU Sue Johnson, Dudley CCG Audit Committee 18/03/16 31/07/16 All Employees, Embedded Staff and Contractors

1

1

INTRODUCTION

Dudley CCG defines Business Continuity Management (BCM) as: “the activity performed to ensure that business critical functions are available and that the CCG is able to maintain acceptable levels of service and consistency in the event of a disruption”. The CCG’s Business Impact Analysis (BIA) identified 161 key processes undertaken by the teams indicated in the table below: Team Commissioning Communications and Public Insight Continuing/Intermediate Healthcare Finance Governance IT Membership and Primary Care Development OD and HR Office Management Performance Quality Safeguarding

BIA Owner Neill Bucktin Laura Broster Jenny Cale Sue Johnson Sue Johnson Paresh Patel Daniel King Stephanie Cartwright Emma Smith Anthony Nicholls Caroline Brunt Su Vincent

Number of Processes 17 24 13 14 6 10 5 17 10 12 16 17

The data obtained from the BIA process, Physical Risk Assessment and Distance to Work Survey is summarised in Appendix 1. This data was used to produce the business continuity strategy options which are set out in Section 3 below. 2

STRATEGY CONSIDERATIONS

Alternative premises must support the connection to the Dudley IT domain where Dudley Group NHS Foundation Trust is the IT service provider. In practice, all premises previously owned or leased by the former Dudley PCT should have this functionality as should all Dudley GP Practices. The CCG should ensure that such a connection is possible. Additionally, Wi-Fi should be enabled locally to increase available capacity. All staff will be Citrix enabled and be capable of accessing data in this way in the event of a disruption. Data access will be facilitated through the network or alternatively via Citrix and Wi-Fi direct to the Dudley Facilities Management Centre. The CCG will put in place an arrangement to replace hardware that is no longer accessible. Should the necessary hardware and/or Citrix capability be unavailable, staff will remain at home and, where possible, will access emails through their personal IT equipment/connection. Work files will be inaccessible. Wherever possible, the CCG will seek alternative premises through the use of void space that the CCG is already paying for. It will prioritise the use of premises operated by Community Health Partnerships (CHP) to leverage local relationships. The CCG will maintain a record of void space available. The CCG will put a firm agreement with CHP in place.

2

The void space at Stourbridge Health and Social Care Centre will accommodate 50 people and is expected to be available for the foreseeable future. This is sufficient capacity to accommodate all the staff needed to support processes that need to be recovered within 1 week of an incident. All other staff will be expected to work from home using Citrix to access their data. Arrangements will be put into place with larger GP practices to accommodate the 45 staff working from home within 1 month of an incident. The Continuing/Intermediate Healthcare Team is currently based at Tiled House. In the event of the need to relocate, they will move to Brierley Hill Health and Social Care Centre. Clinical staff will only require an alternative base for limited time period. In summary, the expectation is that all staff based at BHH&SCC would have an identified work base within one month of an incident. BHH&SCC will become the base for staff currently based at Tiled House. 3

STRATEGY

The table below lists the key strategies that Dudley CCG should employ to support its business continuity programme and increase resilience. The CCG’s solution is listed in each case. Strategy Premises  Internal (Continuing/Intermediate Healthcare)  Community Health Partnerships (CHP) 

Solution   

Primary Care

 Home (Citrix) Data Access  Links to CCG Network hosted by Dudley IT Services

     

People/Skills  Document key processes  Cross train staff in key areas  Address Single Points of Failure Supply Chain  Critical supply chain resilience assessment  Secondary suppliers

3

Dudley CCG: Brierley Hill Health and Social Care Centre (BHH&SCC): 4 desks CHP: Stourbridge Health and Social Care Centre (SH&SCC): 50 desks from 1 week GP Practices: Various locations: 45 desks from 1 month Home: Citrix: 45 for up to 1 month All staff to be Citrix enabled and capable Continuing/Intermediate Healthcare: Direct or Wi-Fi using Citrix: BHH&SCC: 19 Direct or Wi-Fi using Citrix: SH&SCC: 50 GP Practices: Citrix: 45 from 1 month Home computers using Citrix: 45 for up to 1 month

  

Procedures and process charts Internal training Internal training

 

Business Continuity Plans Produce list of alternative providers

4

STRATEGY APPLICATION

The principal premises and data access solutions that support the recovery of Dudley CCG processes have been applied to the CCG’s teams and are set out in the table below. Team (team members) CCG Leadership Team (7)

Premises Solution

Data Access Solution

SH&SCC Home/GP Practice

4 3

Citrix

7

Commissioning (13)

SH&SCC Home/GP Practice

4 9

Citrix

13

Communications and Public Insight (7)

SH&SCC Home/GP Practice

3 4

Citrix

7

Continuing / Intermediate Healthcare (19)

BHH&SCC meeting rooms and desking for 4 staff

19

Citrix

19

Finance (12)

SH&SCC Home/GP Practice

8 4

Citrix

12

Governance (1)

SH&SCC

1

Citrix

1

IT (4)

SH&SCC

4

Citrix

4

Membership (9)

SH&SCC Home/GP Practice

3 6

Citrix

9

OD and HR (3)

SH&SCC

3

Citrix

3

Office Management (13)

SH&SCC Home/GP Practice

6 7

Citrix

13

Performance and Contracts (16)

SH&SCC Home/GP Practice

4 12

Citrix

12

Quality (7)

SH&SCC

7

Citrix

7

Safeguarding (3)

SH&SCC

3

Citrix

3

4

Working from Home (email only)

Appendix 1 PROCESSES BY LENGTH OF DISRUPTION Brierley Hill H&SC Centre + Tiled House N S M H Internal Productivity 144 11 6 0 External Productivity 148 5 6 0 Financial Impact 160 0 1 0 Regulatory and Legal 157 3 1 0 Reputation and Media 153 1 4 2

4 hours

1 day Internal Productivity External Productivity Financial Impact Regulatory and Legal Reputation and Media

3 days Internal Productivity External Productivity Financial Impact Regulatory and Legal Reputation and Media

1 week Internal Productivity External Productivity Financial Impact Regulatory and Legal Reputation and Media

1 month Internal Productivity External Productivity Financial Impact Regulatory and Legal Reputation and Media

0 2 0 0 1

Brierley Hill H&SC Centre + Tiled House N S M H 135 13 7 5 138 11 6 4 158 2 1 0 144 12 4 1 143 8 5 3

161 VH

Brierley Hill H&SC Centre + Tiled House N S M H 116 24 9 9 120 18 16 4 152 6 2 1 131 12 15 3 125 15 13 6

161 VH

Brierley Hill H&SC Centre + Tiled House N S M H 106 18 20 12 96 19 22 20 138 12 8 3 99 22 22 18 100 14 27 17

161 VH

Brierley Hill H&SC Centre + Tiled House N S M H 73 32 25 25 66 22 31 36 111 24 18 8 63 18 43 34 42 33 45 33

161 VH

Teams Based at Brierley Hill H&SC Centre + Tiled House Commissioning Communications and Patient Insight Continuing/Intermediate Healthcare Finance Governance IT Membership & Primary Care Development OD and HR Office Management Performance Quality Safeguarding

BIA SUMMARY FOR DUDLEY CCG

PEOPLE BASED AT BRIERLEY HILL H&SC CENTRE + TILED HOUSE People Total Home Working SPOF

161 VH

13

TEAM RESILIENCE Premises/IT People/Skills Supply Chain

4

3

3

4

6

6

4

3

3

People 1 2 0 0 2

24

People 3 3 0 0 2

36

114

82

13

People 5 4 0 0 3

Distance Travelled to Work Survey Distance Travelled 0-2 miles 2-5 miles Over 5 miles

58

9 14 38

People 6 6 0 3 8

Process Ref CI013 CI001 CPI018 CI003 IT005 CI012 OM009 CI009 GOV006 PERF003 CPI022 PERF005 PERF004 COM016 CI002 MEM005 CI011 COM017 OM002 HR004 COM005 OM004 CI004 OM010 FIN003 QUA003 CPI024 CPI013 OM007 OM001

Recovery Time Objectives Summary 4 hours 0 processes 1 day 4 processes 3 days 28 processes 1 week 49 processes 1 month 80 processes

114

Physical Risk Assessment: Key Issues Ineffective visitor signing in process Lack of shared knowledge re server room equipment Unauthorised access to waste compound and medical gases store Disruptive incident at adjacent premises Lack of fire extinguisher in Waste Compound Ineffective fire safety, evacuation procedures and security observance across tenants Failure to record visitors to tenants Unrestricted access to rear of building Lack of gas sensor in gas supply metering room Vandalism of electricity substation Lack of oversight of process for issuing access fobs

Team Contg/Inter HC Team Contg/Inter HC Team Comms and PI Contg/Inter HC Team IT Contg/Inter HC Team Office Management Contg/Inter HC Team Governance Performance Comms and PI Performance Performance Commissioning Contg/Inter HC Team Membership Contg/Inter HC Team Commissioning Office Management OD and HR Commissioning Office Management Contg/Inter HC Team Office Management Finance Quality Comms and PI Comms and PI Office Management Office Management

Risk Score

Special Considerations 19 Continuing/Intermediate Healthcare staff at Tiled House

20 20 15 12 12 12 10 10 10 10 10

KEY BUSINESS PROCESSES TOP 30 (out of 161) Process RTO Total Discharging patients from acute trust < 1 day 333 Managing incoming telephone calls and enquiries < 1 day 328 Reactive press < 1 day 316 Maintain supplies of key goods and services for patients < 1 day 311 Managing day to day IT issues, queries and requests < 3 days 288 Completing patient assessments < 3 days 286 Co-ordinating resolution of building maintenance issues < 3 days 248 Co-ordinating resolution of building maintenance issues < 3 days 248 Management of Business Continuity Arrangements < 3 days 239 Prepare and submit Area Team Assurance pack < 3 days 207 Update social media < 3 days 201 Prepare and submit statutory returns < 3 days 198 Monthly statutory Assurance returns to Area Team < 3 days 198 Approve invoices < 3 days 196 Co-ordinating, organising and recording activities including appeals, panel meetings < 3 days & SITREP/MDT 196 Meetings Manage relationships and co-ordinate activities of member practices < 3 days 193 Finance mandates/invoices for Providers < 3 days 192 Approve requests for placements - mental health, learning disabilities and children < 3 days 191 Co-ordinating, organising and recording activities including Board and Committee < 3 days meetings182 (Business Continuity 'Office') Recording staff absence < 3 days 179 Prepare Operational Capacity and Resilience Plan < 3 days 178 Requisitioning and receiving all goods and supplies < 3 days 178 Requisitioning and receiving all goods and supplies < 3 days 178 Managing the deployment of the team < 3 days 175 Prepare, submit and publish Annual Report and accounts < 3 days 174 Serious Incident Management for Providers and the CCG < 3 days 167 Update information messages on website < 3 days 161 Global emails - maintaining list and communicating with Groups < 1 week 158 Receiving key data and information and disseminating appropriately < 3 days 156 Managing incoming telephone calls and enquiries (Business Continuity 'Office')< 3 days 155 Process Frequency Summary Daily Weekly Monthly Quarterly Annually Irregular Other

24 13 46 13 16 38 11

15% 8% 29% 8% 10% 24% 7%

PRINCIPAL RISKS AND STRATEGIES CCG output compromised 3-7 days post incident Premises and IT solution required at 3 days post incident for minimum 29 staff 25% staff require working capability within 3 days post incident rising to 36% after 7 days Premises and IT solution required at 3 days post incident for minimum 29 staff (41 after 7 days) 66% staff require require working capability within 1 month post incident Premises and IT solution required at 1 month post incident for 76 staff 72% staff have home working capability via Citrix, reducing to 30% if reliant on staff owned computer IT solution required for all staff 28% staff cannot connect to their data from home IT solution required for all staff 13 key roles in organisation identified as Single Point of Failure Document key processes. Cross train staff in key activities 8 teams not fully resilient for premises/IT Premises and IT solution required 9 teams not fully resilient for people/skills Document key processes. Cross train staff in key activities 9 teams not fully resilient for supply chain Assess key suppliers (internal and external) resilience. Identify secondary suppliers 62% staff surveyed live more than 5 miles away from their base Home Working Capability necessary part of IT solution 2% (4 processes) have a Recovery Time Objective (RTO) of up to 1 day Mutual aid premises solution. Home Working Capability necessary part of IT solution 20% processes have a Recovery Time Objective (RTO) of up to 3 days Mutual aid premises solution. Home Working Capability necessary part of IT solution Continuing and Intermediate Healthcare, Communications and Patient Insight and Office Management Mutual aid premises solution. Home Working Capability necessary part of IT solution run 19 of the top 30 processes Office Management run 6 of top 30 ranked processes but only 2 of 10 staff have home working capability Premises and IT solution required 23% processes have a daily/weekly cycle Premises and IT solution required Flexibility of use required at Brierley Hill. IT strategy to maintain connection to data. Paper Up to 19 staff may relocate from satellite site to Brierley Hill in the event of an incident at that site records solution. © Midlands and Lancashire CSU

© Midlands and Lancashire CSU 5

Suggest Documents