Business Continuity Strategy. June 2013

Author: Irma Willis
APPENDIX A

Business Continuity Strategy June 2013

NOT PROTECTIVELY MARKED / UNCLASSIFIED Version 2.1 – June 2013


Contents

1. Foreword
2. Management Information
3. Introduction
4. Business Continuity
5. Background
6. Vision
7. Strategy Objectives / Priorities
8. The Strategy's Approach
9. The Vision into Action
10. Performance, Exercising, Maintaining and Reviewing
11. Responsibilities
12. Contact
13. Review
14. Appendices


1. Foreword

We believe that South Tyneside Council's tenants and leaseholders have the right to expect us to continue to deliver our services at all times despite whatever disruption we, as an organisation, may be experiencing. A disruption that could hinder the delivery of services includes:

• Loss of electricity
• ICT network crash
• Loss of telephone lines
• Lack of office accommodation due to a fire / floods
• Mass staff absence
• Contractors / suppliers are unable to deliver services for us

Business Continuity Management is not only a key feature of effective Governance arrangements but is also a comfort to our customers that we have robust and fit for purpose plans to enable us to continue to deliver services to our customers in the event of a disruption.

A high percentage of businesses affected by a major incident either never re-open or close within 18 months. Should we be unable to deliver our services for a day, a week, a month or even longer then there could be a significant impact on the wellbeing of the Borough's communities and we therefore need to make sure we are prepared.

Business success is as much about protection as growth. The ability to withstand serious incidents like flooding and fire, and quickly re-open for “business as usual”, is critical. There is also the commercial benefit to consider, as companies with business continuity plans in place are more attractive to do business with.

This document sets out the steps we need to take to ensure that we are prepared for any disruptive event that could impact on our ability to provide services to the community.


2. Management Information

Strategy Title: Business Continuity Plan
Lead Officer: Brian Scott
Strategy drafted by: Joanne Robason (STH)
Date Agreed by Board:
Next Review Date: June 2016
Version: 2.1


3. Introduction

South Tyneside Homes Company Plan 2013/16 sets out our close partnership working with South Tyneside Council in which we aim to deliver the Council vision for housing of:

“Making South Tyneside a place with a housing market and services that offer affordability, quality and choice to attract new residents and meet the needs of current residents”

“Better Housing and neighbourhoods” is also one of five long term shared aims set out in South Tyneside Council's Sustainable Community Strategy. Realising the visions cannot be achieved in isolation.

Effective Business Continuity Management is essential to ensure that we can deliver on our visions and objectives as it aims to minimise the impact of any threats to us and the Council. Effective Business Continuity Management helps us manage our risks effectively and gives assurance to stakeholders that we are prepared.

In the event of an incident the priority of the company will be to manage the incident, ensure services continue and implement work to recover the situation as quickly as possible. The strategy employed will enable the company to:

• Continue to operate at an acceptable level, and
• Recover the service within an acceptable timeframe.

Our actions will ensure that we:

• Proactively identify the impacts of an operational disruption and put in place an effective and planned response to disruptions, minimising any impact on South Tyneside Homes and our stakeholders;
• Maintain an ability to manage uninsurable risks; and
• Demonstrate a credible response through exercising plans.

The following illustration shows the high level documentation of South Tyneside Homes approach to Business Continuity:


[Figure: high-level Business Continuity documentation structure]

Corporate Business Recovery Management Plan

• Middlefield's Building Plan: Programme Team; Repairs; Mechanical Team; Health & Safety; Stores; Empty Homes; Operational Development
• Area Offices' Plan: Horsley Hill Housing Office; Landreth Housing Office; Jarrow Housing Office; Hebburn Housing Office; Central Library; Market Place
• Strathmore Building Plan: Communications; Decent Homes/Client; Executive Team; Finance; Customer Services; HR; ICT; Income; Involvement; Leasehold & RTB; Business Support & Governance

Business Continuity Strategy

• Employee Contact Support Plan
• Communications Plan
• Asset Management Support Plan
• Human Resources Plan

4. Business Continuity

4.1 What is Business Continuity?

Business Continuity is the capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-determined level.

4.2 What is Business Continuity Management?

Business Continuity Management (BCM) establishes a strategic and operational framework that:

• Proactively improves an organisation's resilience against disruption to its key functions;
• Provides a rehearsed method of restoring an organisation's ability to supply its key products and services to an agreed level within an agreed time following a disruption;
• Delivers a proven capability to manage a disruptive event and protect the organisation's reputation.

Effective Business Continuity Management ensures that the aims and objectives of the Company are not compromised by unexpected disruptions. Business Continuity Management is complementary to the company's risk management framework and as such this document should be read in conjunction with our Risk Management Policy and Strategy.

4.3 Why should an organisation undertake Business Continuity Management?

BCM forms an important element of good business management. Many organisations believe that disruptive incidents will not happen to them or that insurance alone will enable them to recover effectively. Insurance may provide for the financial aspects of loss but it cannot minimise the likelihood or impact of an incident, recover and rebuild an organisation or win back community confidence and reputation.

Effective business continuity management ensures a speedy return to ‘business as usual’. Nearly one in five organisations suffers a major disruption every year – we accept it could happen to us! How quickly and painlessly we manage to get back to ‘business as usual’ in the event of fire, flood or any other major disruption depends on how effectively we devise and put into action our own Business Continuity arrangements. We need to ensure that we are able to offer ‘business as usual’ to our customers as soon as possible following any disruption to our services.

Our objective is to implement an effective business continuity framework that identifies the key functions of the Company and their vulnerabilities, and puts in place processes to increase resilience to minimise the likelihood and/or impact of a disruption in terms of:

• Threats to the health and safety of public, employees and partners;
• Financial loss;
• Bad publicity and reputation loss; and
• Claims for compensation.

To do this we will ensure that:

• plans are in place to respond to and manage the early stages of an incident, ensuring the safety and well being of employees;
• we have systems in place to identify and prioritise critical functions, interrelationships and dependencies on internal and external functions. We understand the interrelationships between services and dependency on internal and external functions;
• appropriate business continuity plans are formulated;
• recovery timescales for critical functions are determined and agreed;
• business continuity plans are exercised to ensure that they are ‘fit-for-purpose’.


5. Background

South Tyneside Homes was established as an Arms Length Management Organisation (ALMO) on 1 April 2006 to manage and maintain the council's housing stock in South Tyneside. At 1 April 2013 there were 18,626 rented and 705 leasehold homes in management. We are a significant local employer with a current staff complement of 649, governed by a Board comprising four tenants, four councillors and four independent members with relevant experience and skills.

We aim to significantly improve the quality of life for council tenants and leaseholders, through an exciting and innovative programme of service improvements and through major investment in the housing stock. We will also contribute to local employment through our own business and through initiatives developed with our strategic partners.

• Strathmore: Communications; Decent Homes/Client; Executive Team; Finance; Customer Services; HR; ICT; Income; Involvement; Leasehold & RTB; Governance & Business Support
• Housing Offices / Alternative Sites: Landreth House; Central Library; Hebburn Civic Centre; Jarrow Town Hall; Horsley Hill; Market Place
• Middlefields: Programme Team; Repairs; Mechanical Team; Health & Safety; Stores; Empty Homes; Operational Development

The Civil Contingencies Act 2004 requires South Tyneside Council to have in place robust business continuity plans and procedures that would, in the event of an emergency, enable them to continue to provide their services. As an Arms Length Management Organisation of South Tyneside Council this duty is extended to us. This Strategy is primarily concerned with South Tyneside Homes' Business Continuity arrangements and as such supports the delivery of local priorities and strategies by ensuring that services to tenants are not affected by a disruptive event impacting the organisation.


6. Vision

The company has three strategic objectives, achievement of which will deliver the vision of ‘Working together to make South Tyneside the place people are proud to call home’. The objectives are:

• Great Homes in Great Places.
• Great Services.
• Great Company.

By having robust business continuity plans in place we can ensure that we can continue to strive towards the achievement of these objectives with assurance that should we experience a disruptive event affecting our operational sites we have plans to deal with it.

7. Strategy Objectives / Priorities

South Tyneside Homes Business Continuity Strategy centres on:

• Ensuring that services deemed critical are restored and operational within 24 hours from point of failure – priority being given to highly critical services
• Sufficient workspace being made available for critical staff by the displacement of less critical staff
• Third Party Disaster Recovery Services (Server cover)
• The physical safety of critical staff and their willingness / availability to participate in the recovery
• The successful management of an incident or crisis.

Given the critical nature of certain service areas, the Recovery Strategy ensures that a recovery site is available in less than 24 hours.


8. The Strategy's Approach

8.1 In line with current good practice guidelines including British Standard BS25999, we have adopted a staged business continuity programme that allows for our arrangements to be continuously refined and improved. Subsequently our approach is based around:

• Understanding our business;
• Developing and agreeing our business continuity strategies;
• Developing and implementing our business continuity response;
• Exercising, maintaining and auditing our plans; and
• Embedding our continuity culture.

The programme is generally sequential, although some elements span more than one stage of the programme.

[Figure: Business Continuity Lifecycle, BS25999]


8.2 Our Business Continuity Strategy is based on the mutual displacement of staff from non-critical services to accommodate staff from a critical service. In brief, staff from critical service areas in the invoked building / site will be reassigned to the work areas of staff from less critical service areas at the Recovery Site.

The strategy is supported by four plans, namely:

1. Asset Management Support Plan and Recovery Site Invocation Guide (Asset Management Plan)
2. Human Resources Support Plan (HR Plan)
3. Communications Support Plan
4. Employee Contact Plan

The purpose of the Asset Management Support Plan is to provide Asset Management with an ‘at a glance’ overview of the recovery time objectives and resource requirements, per building/site of each service area and the processes and procedures that may be required by Asset Management following an invocation decision by the Corporate Business Continuity Management Leader or Building Recovery Management Team thus ensuring the orderly restoration of services. The document also provides for the:

• Initial inspection of the affected area;
• Preparation of the recovery site(s) to receive staff;
• Preparation of general office requirements;
• Procedures for receiving BRMT and Service Recovery Teams once the site is ready for their occupation;
• Communications procedures and logs to be maintained;
• Logs to be used to record events and decisions.

The purpose of the HR Plan is to provide the HR team with an ‘at a glance’ overview of the processes and procedures that may be required by them following an invocation decision ensuring the welfare of staff and the orderly restoration of services.

• Communications procedures and logs to be maintained;
• Logs to be used to record events and decisions.

The purpose of the Communications Support Plan is to provide the Communications Team with an ‘at a glance’ overview following an invocation of the business continuity plan and ensuring both staff and service users are aware that services are being maintained and the site from which they are being provided.

• Communications procedures and logs to be maintained;
• Logs to be used to record events, decisions and expenses;
• Location of staff assistance points;
• Request for staff assistance;
• Logs to be used to record events and decisions.

The Employee Contact Plan contains the contact details of South Tyneside Homes staff and is only to be utilised in the event of an out of office hours incident pertaining to Business Continuity Management (BCM).

The supporting plans will be reviewed with the strategy to ensure any updates to SLAs and/or changes in service provision are accounted for.

In order to ensure that data for each service area has been appropriately recorded, a document framework has been established to provide two-way feeds of information and to provide for an orderly and planned recovery from a disruptive event.


9. The Vision into Action

This strategy will allow us to build on the good work we have done so far, and plan ahead looking at how we can continue to improve and refine our business continuity plans. The development of a work programme will ensure that plans remain relevant, up to date and robust. This can be achieved by:

• Ensuring documents are reviewed and updated annually
• Exercising plans and incorporating updates where weaknesses are identified
• Encouraging our partners and suppliers to develop their own business continuity plans

Performance, Exercising, Maintaining and Reviewing

To help us assess our progress and make sure that we deliver the strategy we will:

• Maintain a continuous cycle of review and maintenance of existing business continuity documentation in conjunction with colleagues at South Tyneside Council
• Develop an exercising programme to test the robustness of our current business continuity plans
• Review and update plans to address any identified weaknesses
• Communicate with officers who have a responsibility for business continuity plans to ensure understanding and awareness of the plans and how they link to our corporate and operational objectives.

The above enables us to:

• Demonstrate the extent to which our strategies and plans are complete, current and accurate;
• Identify opportunities for improvement;
• Rehearse our ability to recover from an incident;
• Verify that the Business Continuity Plan incorporates all critical activities, dependencies and priorities;
• Validate the effectiveness of the business continuity strategies;
• Highlight assumptions that need to be questioned;
• Improve confidence amongst participants;
• Validate the effectiveness and timeliness of the restoration of critical activities;
• Ensure officers are aware of their responsibilities and requirements in relation to business continuity and its implementation.

To enable this to happen we have put in place:

• An Action Plan which is set out at Appendix 1;
• Systems of version control to ensure that plans are kept up to date;
• Plans stored both electronically and a hard copy kept at an appropriate alternative site to ensure accessibility during a disruption;
• An annual Service Impact Analysis to re-assess our critical activities.

10. Responsibilities

Achieving our vision for Business Continuity Management must be managed – it will not happen by chance. We recognise that ownership and leadership, by the Senior Executive Director and Executive Team, Chair, Board, and Senior Managers is essential for the plan to be effective.

The Board of South Tyneside Homes is responsible for making sure that the company's commitment to Business Continuity Management is embedded throughout the whole organisation and monitored effectively to ensure its validity. The Head of Finance and Business Support has specific responsibility for driving forward the Business Continuity Management agenda in the organisation.

Set out below are the key responsibilities and accountabilities to enable Business Continuity Management to be delivered within South Tyneside Homes.

Board
• Agree the Business Continuity Strategy
• Ensure commitment to Business Continuity Management
• Require Business Continuity management to be embedded

Great Company Committee
• Receive the Business Continuity Audit Plan
• Approve the Business Continuity Maintenance Programme of annual reviews
• Review learning points following business continuity exercises and endorse continual development of business continuity plans

Directors
• Lead on Corporate Business Continuity arrangements
• Promote Business Continuity in the service areas they have responsibility for

Heads of Service
• Agree and sign off Service Recovery plans
• Lead on Building Management plans
• Lead on Support Plans to this Strategy (where applicable)

Service Managers
• Conduct Service Impact Analyses and Risk Assessments
• Develop and complete Business Continuity and Resource Recovery Plans for approval by STC quality assurance
• Lead on Support Plans to this Strategy (where applicable)
• Ensure awareness of their Business Continuity plans within their teams
• Engage in annual reviews of their own Business Continuity plans

Business Continuity Champions
• Promote and raise awareness of the Business Continuity Management Programme

South Tyneside Council Resilience Team
• Periodically deliver workshops / training / awareness for South Tyneside Homes staff on Service Impact Analyses, risk assessments and Business Continuity Management updates
• Support Service Managers in the Service Impact Analysis and Risk Assessment process
• Quality assurance of suite of South Tyneside Homes Business Continuity Plans


11. Contact

Who to contact regarding this strategy:

South Tyneside Homes Governance and Business Support Team
South Tyneside Homes
Strathmore
11 Rolling Mill Road
Viking Business Park
Jarrow
NE32 3DP
Tel: 0191 426 8473

12. Review

The Strategy will be reviewed every three years but documents appended to the strategy will be reviewed when necessary.


13. Appendices

Appendix A: Action Plan

| Year | No. | Actions | Responsibility | Resources required | Outcomes |
|---|---|---|---|---|---|
| 2013 | 1. | Review of Business Impact Analysis and Service Recovery Procedures for all services | STH Service leads | STH Service leads | |
| 2013 | 2. | Review Business Recovery Management Plans | STC Resilience | | |
| 2013 | 3. | Planned exercise of Business Recovery Management Plan | STC Resilience and STH Governance and Business Support Manager | | |
| 2013 | 4. | Review Corporate Continuity Plan | STC Resilience | | |
| 2013/14 | 5. | Review Strategy Support Plans | STH Governance and Business Support Manager and STC Resilience | | |
| 2013/14 | 6. | Communicate review and updates to staff with business continuity responsibility | STH Governance and Business Support Manager | | |
| 2013/14 | 7. | Communicate review and updates with all staff by way of an article in staff matters/team matters | STH Governance and Business Support Manager | | |
| 2014 | 1. | Review of Business Impact Analysis and Service Recovery Procedures for all services | STH Service leads | | |
| 2014 | 2. | Review Business Recovery Management Plans | STC Resilience | | |
| 2014 | 3. | Planned exercise of Business Recovery Management Plan | STC Resilience and STH Governance and Business Support Manager | | |
| 2014 | 4. | Review Corporate Continuity Plan | STC Resilience | | |
| 2014/15 | 5. | Review Strategy Support Plans | STH Governance and Business Support Manager and STC Resilience | | |
| 2014/15 | 6. | Communicate review and updates to staff with business continuity responsibility | STH Governance and Business Support Manager | | |
| 2014/15 | 7. | Communicate review and updates with all staff by way of an article in staff matters/team matters | STH Governance and Business Support Manager | | |

Appendix B: Glossary

Many of the terms defined in this glossary appear in this strategy and various other documents within the Business Continuity Management Document Framework, others do not, but are included here in order to aid the reader's general understanding of common Business Continuity terminology.

Term

Definition

Battle Box

A container, stored away from the normal place of business, which holds critical items that will be required during the recovery process. Each business unit would normally have their own Battle Box.

Business Continuity Champion

The individual within a primary / secondary site(s) with responsibility for cascading the requirements of BIAs, SCP and aiding in their completion. Also has responsibility for the collecting, storage and offsite storage of Battle Boxes. May be called upon by the BRMT to assist in the management of a disruptive event.

Business Continuity

The process of ensuring that services continue to be provided.

Business Impact Analysis (BIA)

The Business Impact Analysis (BIA) is a data gathering document to enable the service to assess their needs and provide key details for their Service Recovery Procedures. The BIA also gathers information relating to the Recovery Time (RTO – Recovery Time Objective) of the service in relation to resuming at the recovery site and the relevant system requirements. It also records the amount of data that can be lost from the individual systems used (RPO – Recovery Point Objective).

Business Recovery Leader

A member of the BRMT who co-ordinates the recovery of service units at their alternate location; the number of BR Leaders required depends on the number of alternative locations. This would normally be the senior officers' representative of the individual service areas.

Business Recovery Management Plan (BRMP)

The BRMP is an executive summary of all the service Business Recovery Procedures within a specific building / number of secondary sites within an organisation. It provides details on how to invoke the BRMP and the actions to be taken at set timescales. It lists the principal spokesperson for that building and the call cascade details for communicating with employees working from that building.

Business Recovery Management Team (BRMT)

The management team for a specific building, its members representing each service area normally operating from that building. Responsible for undertaking the initial assessment of an incident and deciding whether to invoke the Business Recovery Management Plans. This team is also responsible for co-ordinating the high level activation of the Business Continuity process.

Call Cascade

A hierarchical structure determining how messages will be relayed to all employees in affected teams / buildings. Generally, nobody on the list should be required to contact more than 5 or 6 others. This structure enables messages to be disseminated more quickly than if a single individual has to make all calls.

Consolidated Business Continuity Requirements

A list which brings together the information from all the service areas and forms the basis for the Recovery Site Invocation Plan.


Corporate Business Continuity Leader

Ultimate decision maker for Business Continuity within an organisation who can sanction movement of people, equipment and other resources.

Corporate Business Recovery Management Plan (CBRMP)

The CBRMP is an executive summary of all the organisation's BRMPs. It details the overall recovery strategy of mutual displacement of a non-critical service for a critical service; provides the invocation procedures to be followed and how communication is to be dealt with.

Corporate Business Recovery Management Team (CBRMT)

The CBRMT is made up of senior level officers whose role is to advise and support the BRMTs during an invocation and plan for the long term recovery.

Documentation and Vital Records

All vital documentation that is stored within each service area, as well as how that documentation is stored, and what the impact would be of losing that documentation in a fire or flood, etc.

Disaster Recovery

Relates to the processes to be implemented following the loss of IT and telephone facilities.

Emergency Planning

Those incidents affecting the wider external environment, i.e. chemical leaks, major rail accidents, etc.

Employee Contact Support Plan

The document holding out of office contact telephone numbers of all staff.

Impact Assessment

By reference to the initial assessment made relating to the criticality of the service area. If that service area was completely unable to function for a period in excess of the length of time the Impact

Incident / disruptive event

Any event that adversely impacts the normal operation of a service area. Not all incidents result in invocation of the Recovery Plans, e.g. an incident that has been estimated to last less time than it would take to instigate alternative arrangements.

Incident Impact Assessment

A brief statement outlining the impact an incident has had upon the business and any additional recovery processes necessary to achieve this.

Interdependencies

Those internal / external stakeholders that may need to be contacted following an invocation of the Service Continuity Plans who in the normal course of business are communicated with on a regular basis. Other business groups / business units / departments, etc. upon which a given business unit is dependent in order to operate.

Invocation

When the decision has been made to make the plans become active in part or full.

Manual Procedures

Any procedures that are in place to continue operations, should a given system be unavailable, i.e. manual raising of cheques or use of other means of communication in the absence of e-mail.

Primary Site (PS)

Habitual place of business.

Process Description

A brief overview of each Process or Function performed within your particular team.


Recovery Point Objective (RPO)

This represents the maximum amount of data loss that could be tolerated from a computer system, i.e. a loss of 24 hours' worth of information that has been inputted. The shorter the RPO, the more critical the data that the system produces.

Recovery Process

The process of returning the organisation back to normal function.

Recovery Site (RS)

The building(s) designated for the team to work from in the event of a denial of access to their normal place of work.

Recovery Site Invocation Plan

The procedures and instructions for bringing the Recovery Site to operational readiness for occupation by those employees displaced from their normal place of work.

Recovery Time Objective (RTO)

This identifies the numbers of staff, equipment and systems required at a given timescale. These are expressed in terms of hours, i.e. H+24 is indicative of one day, or days, i.e. D+5 relates to a week.

Service Recovery Procedure (SRP)

The SRP document is personalised by the individual teams to provide details of their specific recovery procedures. It details the actions to be undertaken at key timescales by the team and lists the order in which employees would be required to attend work as a result of a real invocation.

Staff List

A list of all employees in a Team or recovery team and their contact details both during and outside normal working hours. This is often combined with a Call-Out Cascade.

Standard / Internal / Other Systems

Looks at identifying IT systems used by each Team. By System is meant a PC- or server-based system used to perform a particular function.

Team

Self-contained group usually responsible for a specific provision of service.
