Business Continuity Strategy


Type of document (i.e. Clinical guidance, Form, Procedure etc.):
Authorisation Groups: Business Continuity Steering Group, Emergency Planning Resilience and Response Group, Governance and Risk Committee
Ratified by:
Date Ratified:
Date Processed:
Review Date: Annually
Document Author: Business Continuity Manager
Document Owner: Head of Resilience and Special Operations
Authorised Signatory:
Authorised Staff: All Staff

Business Continuity Strategy Page 1 of 23 Doc Number :-

Version : 1.0

Status : Final

Contents

1. Introduction
2. Business Continuity Management System
2.1 Senior Management Accountability
2.2 Business Continuity Manager
2.3 Business Continuity Plan Owners
2.4 Business Continuity Steering Group
3. Competencies and Training relating to those with responsibility for the BCMS
4. Interested Party / Stakeholder Analysis
5. Budget Requirements
6. Understanding the Organisation
6.1 Business Impact Analysis
6.1.1 Strategic Business Impact Analysis
6.1.2 Tactical Business Impact Analysis
6.1.3 Operational Business Impact Analysis
6.2 Risk Assessment
6.3 Determining BCM Strategies for Service Areas
6.4 Developing and Implementing a BC Response
6.5 Exercising, Maintaining and Reviewing the BCMS
6.5.1 Exercising (and testing)
6.5.2 Maintaining
6.5.3 Reviewing
6.5.4 Audit
7. Embedding Business Continuity Management
8. Sources of Information relating to the BCMS
Annex A – BC Steering Group Terms of Reference
Annex B – Core Competencies for those with responsibilities for the BCMS
Glossary of Terms
Bibliography


1. Introduction

This strategy has been developed to support achievement of the objectives identified in the NEAS Business Continuity Policy. It is designed to identify the actions needed to address the findings from the Business Impact Assessment (BIA) and risk assessments in a way that meets the needs of the business continuity objectives of the Trust.

The BIA will help the organisation ensure that its business continuity aligns with its purpose (to deliver right care, right place, right time) and vision (to make a difference by integrating care and transport in pursuit of equity and excellence for our patients) based on NEAS’ strategic intentions and values as well as its statutory duties and obligations to its interested parties.

BIA and risk assessment will provide the information the organisation needs to determine and select business continuity strategies and measures that:

a. Limit the impact of a disruption on the organisation;
b. Shorten the period of disruption; and
c. Reduce the likelihood of a disruption.

The following diagrams (Figures 1, 2 and 3) are intended to illustrate conceptually how business continuity can be effective in mitigating impacts in certain situations. No particular timescales are implied by the relative distance between the stages depicted in each of the diagrams. The diagrams show:

Figure 1 – Sudden Incident – an event that has been foreseen by the organisation and business continuity response arrangements are in place to deal with a disruption to the service(s). A local example of this could be the failure of the Emergency Operations Control (EOC).

Figure 2 – Gradual Incident – an event that has been foreseen and there is a period of warning leading towards the incident. Business continuity response arrangements are in place to deal with the disruption to the service(s). A local example of this could be the lead up to the declaration of an Influenza Pandemic.

Figure 3 – Sudden Crisis – an event that has not been foreseen by business continuity processes or where the event is so large in its scale and complexity that all business continuity arrangements fail, leading to widespread service disruption to the wider Trust and its partners. During such incidents, a ‘Crisis’ should be declared and the Trust's Crisis Management Plan invoked to form the response.


Figure 1 – Illustration of business continuity being effective for a sudden disruption e.g. an A&E Contact Centre service failure

Figure 2 – Illustration of business continuity being effective for gradual disruption (e.g. approaching pandemic)

Figure 3 – Illustration of business continuity being effective for an unforeseen, high impact, large scale disruption that will involve the invocation of the Crisis Management Plan

The context, evaluation criteria and format of the outcome of the BIA will be agreed in advance and this information will be regularly reviewed, particularly during times of change. Understanding the context of the organisation is central to the successful implementation of ISO 22301 – Societal Security – Business Continuity Management (hereafter known as ISO 22301), which is the stated aim of the Trust Business Continuity Policy. The process of gaining this understanding is outlined in Figure 3.


Figure 4 – Understanding the organisation

Actions and strategies to enhance business continuity are likely to be needed before, during and after a disruptive incident and may, for example, include reducing the overall impact of a disruptive incident through business continuity arrangements that shorten the period of interruption and reduce its intensity to acceptable levels. The organisation will determine appropriate strategic options for:

a. Protecting its prioritised activities and their supporting services which have been identified in the BC Policy as:
   i. Emergency Care
   ii. Patient Transport Services
   iii. Contact Centre Management
   iv. Supporting national resilience
b. Stabilising, continuing, resuming and recovering prioritised activities.
c. Mitigating, responding to and managing impacts.

NEAS will also have a documented mechanism in place for the review and approval of recommended solutions.


2. Business Continuity Management System (BCMS)

The BCMS is comprised of a variety of documentation, systems and processes which can be split into three broad headings: Governance, Planning and a Management System. This is outlined in Figure 4 below.

Figure 5 – The Makeup of the BCMS

In order to meet the objectives of the BC Policy, the Service has clarified the roles and responsibilities placed on those involved in the BCMS.

2.1 Senior Management Accountability

Senior Management accountability for BCM lies with the Chief Operating Officer. Should a business interruption have a significant impact on service delivery, the Chief Operating Officer will lead the strategic response and convene a Business Continuity Management Team. Responsibility for BCM processes falls under the remit of the Head of Resilience and Special Operations (HoRSO). The role of the HoRSO includes:

a. Implementation of policy and strategy relating to BCM;
b. Embedding BCM culture throughout the Service;
c. Advisor to the Executive Group and Trust Board on BCM issues;
d. Advisor to the Risk and Governance Group on BCM issues; and
e. Reporting on the performance of the BCMS to Executive Team and Trust Board.


When necessary, the Business Continuity Manager will deputise for the Head of Resilience and Special Operations in relation to the above responsibilities.

2.2 Business Continuity Manager

The Business Continuity Manager has responsibility for:

a. Supporting implementation of policy and strategy relating to BCM;
b. Supporting the embedding of a BC culture throughout the Trust;
c. Internal audits in respect of business continuity in line with relevant standards, statutory responsibilities and recognised good practice;
d. Development of policy and strategy relating to BCM;
e. Ensuring that the BCMS conforms to the requirements of the Civil Contingencies Act (2004) and ISO 22301 – Societal Security – Business Continuity Management;
f. Administration of an exercise programme to validate BCM arrangements;
g. Providing audit information to relevant interested parties;
h. Training and supporting plan owners in all aspects of BCM;
i. Monitoring national and local developments in respect of BCM and liaising with other Ambulance Trusts and partner agencies;
j. Incorporating BCM into the corporate Risk Management framework; and
k. Measuring performance against the BCMS Objectives and creating reports for the Business Continuity Steering Group, Executive Team and the Trust Board.

2.3 Business Continuity Plan Owners

Business Continuity Plan Owners have responsibility for Business Continuity Plans (BCPs) for their own service area (roles are defined in each BCP). Their responsibilities include:

a. Identification and analysis of critical activities within their service area (as part of the Business Impact Analysis process);
b. Development of appropriate strategies to reduce, shorten or limit the impact of any disruption to their service area activities;
c. Preparation and maintenance of BCPs in consultation with the Business Continuity Manager;
d. Attendance at relevant internal training/workshop events to develop BCM within their service area;
e. Ensuring BCM is communicated and promoted to all staff within their service area;


f. Ensuring the BCP is tested and exercised so that it is current and effective in line with the BC Exercise Schedule; and
g. Invoking the BCP following a business disruption or exercise and submitting a Business Interruption Report (BIR) when appropriate.

2.4 Business Continuity Steering Group

The Business Continuity Steering Group (BCSG) is the principal mechanism for management review of the BCMS and informing Senior Management on emerging BCM issues. Members of the BCM Steering Group will be responsible for implementing and monitoring strategic direction in respect of the BCMS. Terms of Reference have been created for this group (see Annex A) and it is attended by:

• Head of Resilience and Special Operations
• Head of Risk and Claims
• Business Continuity Manager
• Emergency Care Business Manager
• IT Systems Manager
• Control Systems and Resilience Officer

3. Competencies and Training relating to those with responsibility for the BCMS

A Training Needs Analysis (TNA) will be conducted by the Business Continuity Manager in close cooperation with the Learning and Development department. This will identify differing levels of competencies required by those with responsibilities under the BCMS. Where appropriate, these are aligned with the relevant National Occupational Standards (NOS).

Appropriate training for those identified will be carried out by the Business Continuity Manager, the wider Resilience Department and other external agencies as appropriate e.g. British Standards Institute (BSI), the Business Continuity Institute (BCI) and the Serco (Cabinet Office) Emergency Planning College. Courses delivered will be mapped against the BCM NOS where appropriate.

The Business Continuity Manager is currently investigating BCM software to be deployed in the Trust. Part of the software specification includes sections about training record management and it is hoped that this new system will be used to store records of training events and exercises. Where appropriate, the Oracle training system will also be used to demonstrate that competency has been achieved and maintained by individuals who have responsibilities under the BCMS. The Service is working towards Oracle records for all staff as the BC Training Programme matures.


Evaluation of internal and external training and exercises will be achieved using NEAS established training evaluation documents. Core competency SMART objectives for those with responsibility for the BCMS can be found at Annex B.

4. Interested Party / Stakeholder Analysis

As well as identifying key roles and responsibilities within the organisation, an analysis has been carried out to identify which other interested parties / stakeholders (both internal and external) are to be considered and engaged in the BCMS. These are detailed in the BCMS Communications Strategy.

5. Budget Requirements

Budget provision for the continual assessment costs associated with accreditation is currently being discussed at a strategic level.

6. Understanding the Organisation

6.1 Business Impact Analysis (BIA)

The key services that enable NEAS to operate in line with the organisation's statutory requirements, its mission, vision and strategic intentions in line with its values are:

a. Emergency Care
b. Patient Transport Services
c. Contact Centre Management
d. Supporting national resilience

The process of identifying activities that support the effective delivery of our key services and determining and documenting the impact of a disruption to them is known as a Business Impact Analysis (BIA). All locations and service areas are included in the scope of the BCMS and will be subject to a BIA.

The process then categorises all service area activities according to their priority for recovery by determining a Maximum Tolerable Period of Disruption (MTPD) for each activity based on one of the seven categories:

i. Intolerable Impact activities that should be reinstated within 1 hour
ii. Intolerable Impact activities that should be reinstated within 3 hours
iii. Intolerable Impact activities that should be reinstated within 1 day
iv. Substantial Impact activities that should be reinstated within 3 days
v. Moderate Impact activities that should be reinstated within 1 week


vi. Tolerable Impact activities that should be reinstated within 4 weeks
vii. Trivial Impact activities that need to be reinstated over 4 weeks

A trivial impact activity does not indicate that the activity is not important; it indicates that the activity is less time critical. Those activities that need to be reinstated within 4 weeks are subject to further analysis to identify and document the necessary minimum resources required to reinstate each activity efficiently. Activities that have an MTPD of over 4 weeks will not be subject to further analysis of resources and will come under the scope of the recovery process following a disruption.

Those activities that have the greatest impact in the shortest time and need to be recovered most rapidly in the event of a disruption are referred to as ‘Critical Activities’. For our Trust, these are activities that would have to be reinstated within 1 day (or less).

All Business Continuity Plan holders are responsible for completing the BIA for their own service area (with support, facilitation and guidance from the Resilience Department). It is anticipated that the BIA process will be completed in a specialist, web-based BCM software solution rather than in a traditional spreadsheet process. IM&T, Estates and Procurement will all be informed of each service area's BIA. This will ensure that in the event of a Service-wide disruption, they can respond in accordance with the overall Trust priorities identified in the BIA. The BIA process is outlined in Figure 2.

In the event of a significant change to the Department, Service or wider organisation, the BIA process will need to be reviewed and updated.

Figure 6 – Overview of the Business Impact Analysis process

Three different levels of Business Impact Analysis will be conducted as part of the ISO implementation in the Trust.


6.1.1 Strategic Business Impact Analysis

The Strategic BIA will identify and prioritise the organisation's products and services and understand the organisation's recovery timescales and tolerance levels.

6.1.2 Tactical Business Impact Analysis

The Tactical BIA will determine the dependent activities for the most urgent services and assess the impact of disruption on them.

6.1.3 Operational Business Impact Analysis

The Operational BIA will determine the required resources for the continuity and recovery of the most urgent activities.

This three tier approach is outlined in Figure 7 below.

Figure 7 – Three levels of Business Impact Analysis at the Strategic, Tactical and Operational Levels


6.2 Risk Assessment

BCM is integral to the NEAS Risk Management Strategy framework which currently exists. This process identifies the organisational risks the Service faces, some of which encompass BCM risks. Department / Division Risk Registers are monitored at the Risk and Governance Group on a quarterly basis.

Part of the BIA involves plan holders identifying any BCM risks or vulnerabilities applicable to the activities of their service area. These vulnerabilities may be Single Points of Failure (SPoFs) where there are no contingency arrangements in place to support the resources required. Examples are where there is only one specialist skilled member of staff to carry out a particular activity, or where there is a single piece of equipment that is held at a location and no alternative sources of this equipment have been identified. Single suppliers that support our critical activities may be identified as SPoFs.

The Business Continuity Steering Group review the BIA risks identified and work with service managers to consider loss mitigation and risk treatment strategies. Any significant risks to the organisation will be raised at the Emergency Planning Working Group and subsequently the Risk and Governance Group and be managed under the established risk management framework.

Certain specific risks will require the development of a more detailed Business Continuity Plan – for instance, contingency plans for Pandemic Influenza, capacity and demand management and fuel supply disruption.

6.3 Determining BCM Strategies for Service Areas

Once vulnerabilities are identified relating to the organisation's critical activities, this next stage involves identifying appropriate BC strategies to resume the more critical activities, taking into consideration cost and consequences of inaction. Examples of BC strategies that service areas can adopt include identifying alternative sites that activities can be carried out from, implementing multi-skilled training so that more than one individual is trained in a specialist role and identifying alternative suppliers or outsourcing.

As the Service procures a diverse range of commodities/services from a wide range of suppliers/contractors, a BC Procurement Strategy will be developed to provide assurance that more than the supplier/contractors that support the delivery of our critical activities can deliver their contractual obligations regardless of any business disruption that they may face.

The BC Steering Group work with service managers to agree BC strategies and record these in BCPs.


6.4 Developing and Implementing a BC Response

BCPs will be developed by service managers to detail the priorities of that service area, how that service area will manage a business continuity incident and how it will reinstate critical activities (to a pre-determined level) in the event of a disruption. Incident management of the overall Service response to a business interruption is detailed in the NEAS Crisis Management Plan.

BCPs are supported by Evacuation Plans which have been specifically developed for all locations by Risk and Claims / Estates. Estates will also be asked to produce Premises Information Packs for each location to enable premises related emergencies to be dealt with effectively to mitigate the emergency resulting in a business disruption.

6.5 Exercising, Maintaining and Reviewing the BCMS

6.5.1 Exercising (and testing)

All BCPs will be exercised by the most appropriate means with minimum disruption to service areas to ensure that they are reliable. Specific exercises allow the effectiveness of each plan to be validated and, where necessary, adjustments to be made. As well as providing BC awareness, exercising also instils confidence amongst exercise participants by allowing them to rehearse their response during a business interruption in a safe and consequence free environment. Consequently, exercising also facilitates training of all individuals who participate.

All plan owners will be responsible for contributing to exercising their own service area's BCP, supported by the Resilience Team. An annual schedule of exercises will be developed and agreed at Board-level.

The exercising and testing of any BCPs will be recorded on the (future) BC software solution for audit and review purposes. Any preventative actions arising from the exercise are allocated a responsible person and timeframe for completion. The (future) BC software solution will automatically record and maintain the database based on the information provided during and after the exercise.

6.5.2 Maintaining

The procedure for maintaining BCMS documentation is detailed in the BCMS Document and Record Control Guidance.


6.5.3 Reviewing

The BC Steering Group is the principal mechanism for management review of the BCMS. Meetings are scheduled at planned intervals (at least quarterly) and agendas and minutes are produced. The meetings will follow the format outlined in the management review schedule.

Monitoring changes and reviewing the BCPs is the responsibility of the plan holder (in consultation with the Resilience Team where necessary). The plan holder should self-assess the BCP to ensure it is fit for purpose and update the BCP if any significant changes are required e.g. outcomes from business disruptions, incidents, exercises and training, organisational structure changes, changes to contact details, changes in supplier/contractor, new ways of working or new risks identified etc.

As well as this on-going review, the Resilience Team will also coordinate an annual formal self-assessment of BCPs. Plan holders will be requested to review their own plans and confirm they are current or make the necessary amendments.

The invocation of any continuity plans (or potential invocation) will be recorded on the (future) BC software solution for audit and review purposes. Any corrective actions arising from the business interruption/potential business disruption (close call) are allocated a responsible person and a timeframe for completion. The Resilience Team is responsible for monitoring the (future) BC software solution based on the information inputted by service area managers.

6.5.4 Audit

Internal audit of BCM arrangements is part of a continual programme undertaken by the Resilience Team (qualified to audit against the requirements of ISO 22301). Other Ambulance Trusts through the National Ambulance Resilience Unit (NARU) Business Continuity group will also conduct regular peer reviews of the BCMS to provide assurance the Trust is compliant with its statutory responsibilities.
It is hoped that the Trust will choose to accredit to ISO 22301 in the future – this will then require continual assessment to maintain certification to the ISO through the British Standards Institute (external audit). The continual assessment process will involve the transition to ISO 22301, the International Standard for Business Continuity Management.

7. Embedding Business Continuity Management

The Trust will support the embedding of a BCM culture which will be led by the Board by allocating key responsibilities for BC arrangements. The Service recognises that all staff must have an understanding of the importance of BCM, commensurate with their BC responsibilities. Training will be delivered to relevant staff who may be involved in managing a BC incident or who are required to complete elements of the BCMS e.g. the BIA, BCP etc. The Service will continue to review, develop and drive effective BCM strategies and arrangements. The Trust is committed to the principles of BCM and will support all staff to ensure that we will always deliver the mission of the organisation based on its vision, strategic intentions and values.


8. Sources of Information relating to the BCMS

The main location of information relating to the BCMS will be the (future) BC software solution and the NEAS Intranet. The software solution will store the latest versions of BCPs, BIAs, policy/strategy along with details of exercises, interruptions and associated action plans. Records of attendance at training events and exercises are held on the (future) BC software solution, maintained by the Resilience Team. The software solution is also a portal used across the Service for HR contact information. As part of our continual improvement plan, the Service is working towards BC training records for all staff as the training programme matures. The (future) BC software solution will be used to not only record training, but also demonstrate that competency has been achieved and maintained by individuals under the BCMS. The (future) BC software solution holds information on all interruptions, potential interruptions (near misses) and exercises. It maintains action plans for corrective and preventative actions arising from these events and has a facility to print reports to identify trends/improvements (across the whole of the BCMS as well as training). Any additional information not published relating to the BCMS will be held on the (future) BC software solution.


ANNEX A

Terms of Reference

Title: Business Continuity Steering Group
Date approved, and approving body: Emergency Planning & Resilience Group
Date reviewed:
Next review date: 1st October 2013

Purpose: The BC Steering Group is the principal mechanism for management review of the BCMS and informing Senior Management on emerging BCM issues. Members of the BCM Steering Group will be responsible for implementing and monitoring strategic direction in respect of the BCMS and will discuss:

• Ensuring the BCMS meets the needs of North East Ambulance Service NHS Foundation Trust;
• Monitor emerging legislation, good practice and guidance and discuss BCM issues raised at external groups such as the Local Resilience Fora (Northumbria LRF, Durham and Darlington LRF and Cleveland LRF) or Association of Ambulance Chief Executives (AACE) National Ambulance Resilience Unit (NARU) Business Continuity group;
• Lead the implementation of the (future) BC software solution in the Trust;
• Monitoring other internal or external changes that could affect BCM Policy and Strategy;
• Constantly evaluating risk and monitoring vulnerabilities and threats to the BCMS;
• Monitor feedback and identify methods to continually improve the BCMS by reviewing procedures and policy;
• Evaluate response to business interruptions;
• Monitoring the status of preventative and corrective actions logged on the (future) BC software solution;
• Coordinate and evaluate the training and awareness programme;

• Evaluate exercise results, actions and outcomes;
• Carry out necessary actions from the management review schedule;
• Review results of BCMS audits and reviews; and
• Determining and allocating budget and other resource requirements for the BCMS.

This list of terms is not exhaustive and other issues may be discussed as deemed appropriate; others may also be invited to attend the group, determined by the nature of discussions.

Membership:
• Business Continuity Manager
• Head of Resilience and Special Operations
• Head of Risk and Claims
• Head of IM&T
• Head of Estates
• Control Systems and Resilience Officer
• Non-core members: Important specialist input will be required on a less regular basis – these members will be invited to meetings that will deal specifically with their work areas.

Chair: Business Continuity Manager

Vice Chair: Head of Resilience and Special Operations

Quorum: A quorum shall be five members.

Secretary: Trust Resilience Department

Frequency of Meetings: Meetings will be held to take forward specific pieces of work and to measure progress; they will take place on a quarterly basis, however the Chair can call meetings at short notice if necessary.

Rules as to Meetings & Proceedings: Inc. Notice (period) of meeting, issue of Agenda & supporting papers e.g., 3 clear days in advance, Minutes of proceeding shall be drawn up for agreement at next ensuring accuracy

Attendance at meetings: Attendance at meetings is mandatory, deputies are allowed but not encouraged

Authority/Tolerances:
• Oversee any investigation of activities within its Terms of Reference.
• Seek reports and positive assurances from Managers and others on individual functions or overall arrangements for all aspects of Business Continuity Management.
• Obtain legal advice or other independent professional advice.
• Secure the attendance/participation of external/internal stakeholders with relevant experience and expertise.
• Establish time limited task groups to undertake specific pieces of work


Duties – decision making:
• Approve the NEAS Business Continuity Policy, the NEAS Business Continuity Strategy, the NEAS Crisis Management Plan and other related documentation to the BCMS relative to its remit
• Agree the annual objectives of the group
• Approve any related Business Continuity procedures

Duties – advisory:
• To recommend annually that the BCMS key documentation (BC Policy, BC Strategy and Crisis Management Plan and any supporting arrangements) is approved by the Board via the Emergency Planning and Resilience Group and the Governance and Risk Committee;
• Seek assurances that the systems and processes are in place to assure the Business Continuity of the Trust is maintained at all times from across the organisation; and
• Propose effective measures are put in place to ensure Business Continuity of the Trust

Duties – monitoring:
• NEAS requirements under the International Standard for Business Continuity – ISO 22301 – Societal Security – Business Continuity Management;
• NEAS duties under the Civil Contingencies Act to implement Business Continuity Management as per Section 6 of Emergency Preparedness;
• To monitor the effectiveness of the BCMS and ensure that recommendations are raised to the appropriate level to ensure continual improvement;
• To monitor and oversee all Business Continuity activities occurring within the Trust;
• To monitor and scrutinise business disruptions within the Trust and to ensure that lessons identified/learnt from such incidents are properly documented within the BCMS and supporting systems;
• To monitor against the annual objectives of the group;
• To monitor and oversee all action plans arising from reviews and audits to ensure they meet expected outcomes;
• To review all audits and reviews making comment on any draft documents relating to the BCMS or Business Continuity more widely;
• To ensure regular reports and updates are provided to the Governance and Risk Committee through the Emergency Planning and Resilience Group;
• To monitor and review any critical incident within its remit;
• To monitor and review national and regional risk registers; and




• To monitor and review the Business Continuity training and development status of all staff within the Trust and in particular those with responsibilities under the BCMS as identified in the BC Strategy.

Duties – Standing Agenda Items (must include these):

Every meeting:

• Apologies for absence
• Minutes of the last meeting
• Matters arising via action sheet
• BCMS Quality Assurance – Business Interruptions and Action Plans
• Continual improvement plan 2013/2014
  o Procedure review
  o Implementation of ISO 22301
• External/Internal Audit
• Exercising/Testing
• Emerging BCMS issues/risks
• Risk registers
• AOB
• Date and time of next meeting

Annually:

• Review Terms of Reference and membership of the group
• Review the Trust objectives and the objectives of the group
  i. Contribution to the Cost Improvement Programme? Any?
  ii. Decisions made? Has other internal/external stakeholder involvement (budgetary/training etc) been considered?
• (April/May) – Consideration of Trust Business Objectives and the contribution of the group/committee

Subgroups:

Task and finish groups to be formed as required

Accountability:

Governance and Risk Committee through the Emergency Planning and Resilience Group

Reporting responsibilities:

Minutes will be submitted to the Governance and Risk Committee through the Emergency Planning and Resilience Group

Self-Assessment:

The group will review its performance annually against its Terms of Reference and through peer reviews on conformance with ISO 22301.


ANNEX B Core Competencies and SMART Objectives for those with responsibility for the BCMS

Individual Specific SMART Objective (New Objective Be Specific): To ensure that Directorate / Department Business Impact Analysis (BIA) are maintained, updated, revised and signed off every 12 months.
Expected Outcome – Actions to achieve activity (How Is it Measurable?): All Business Impact Analysis for all service and critical functions updated, reviewed (with the assistance of the Business Continuity Manager) and signed off.
Measures to indicate successful completion (How Is it Attainable & Is it Relevant?): BIA updated on the BCM web-based software.
Due Date (Timed): 12 months

Individual Specific SMART Objective (New Objective Be Specific): To ensure that Directorate / Department Business Continuity Plans are maintained, updated, revised and signed off every 12 months.
Expected Outcome – Actions to achieve activity (How Is it Measurable?): All Business Continuity Plans for all service and critical functions updated, reviewed (with the assistance of the Business Continuity Manager) and signed off.
Measures to indicate successful completion (How Is it Attainable & Is it Relevant?): BCP updated on BCM web-based software.
Due Date (Timed): 12 months

Individual Specific SMART Objective (New Objective Be Specific): To train on and exercise each service Business Continuity Plan.
Expected Outcome – Actions to achieve activity (How Is it Measurable?): Training delivered on BCP and wider Business Continuity Management – supported by Business Continuity Manager and Resilience Department. BCP is exercised annually – supported by the Business Continuity Manager and Resilience Department.
Measures to indicate successful completion (How Is it Attainable & Is it Relevant?): Evidence of training captured on web-based BCM software. Evidence of exercise captured on web-based BCM software.
Due Date (Timed): 12 months

Individual Specific SMART Objective (New Objective Be Specific): Any Business Continuity disruptions documented and debriefed.
Expected Outcome – Actions to achieve activity (How Is it Measurable?): Any Business Continuity disruptions documented. Debrief sessions conducted with staff post-disruption.
Measures to indicate successful completion (How Is it Attainable & Is it Relevant?): All disruptions documented and evidenced on web-based BCM software.
Due Date (Timed): As required


Glossary of Terms

Term: Description

Activity: A process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products or services.

BSI: British Standards Institution, the UK national standards body and UK representatives to ISO.

Business Continuity (BC): The strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Business Continuity Institute (BCI): The Institute of professional Business Continuity Managers. Website www.thebci.org.

Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business Continuity Management System (BCMS): Part of the overall management system that implements, operates, monitors, reviews, maintains, and improves business continuity.

Business Continuity Plan (BCP): A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical products and services at an acceptable predefined level.

Business Continuity Policy: A BCM policy sets out an organisation’s aims, principles and approach to BCM, what and how it will be delivered, key roles and responsibilities and how BCM will be governed and reported upon.

Business Impact Analysis (BIA): The process of analysing business functions and the effect that a business disruption might have upon them.

Business Continuity Strategy: A strategic approach by an organisation to ensure its recovery and continuity in the face of a disaster or other major incidents or business disruptions.

Critical Activities (or services): Those activities which have to be performed to deliver the key products and services and which enable an organisation to meet the most important and time-sensitive objectives.

Disruption: An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).

Exercise: Rehearse the roles of team members and staff, and test the recovery or continuity of an organisation’s systems (e.g., technology, telephony, administration) to demonstrate business continuity competence and capability.

ISO 22301: The International Standard that sets out the requirements for a Business Continuity Management System (BCMS). ISO 22301 is based on the 'Plan-Do-Check-Act' model as found in other management system standards.

Risk Appetite: Total amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.


Bibliography

The Business Continuity Institute (2013) Good Practice Guidelines 2013 – Global Edition – A Guide to Global Good Practice in Business Continuity. Available online at: www.thebci.org

British Standards Institute (2012) Societal security – Business Continuity Management Systems – Requirements. Available from the Trust Resilience Team.

British Standards Institute (2013) Societal security – Business Continuity Management Systems – Guidance. Available from the Trust Resilience Team.

HMG (2004) The Civil Contingencies Act (2004), Her Majesty's Stationery Office. Available online at: http://www.legislation.gov.uk/ukpga/2004/36/contents

HMG (2004a) Emergency Preparedness – Guidance on Part 1 of the Civil Contingencies Act 2004, its associated regulations and non-statutory arrangements, Her Majesty's Stationery Office. Available online at: https://www.gov.uk/government/publications/emergency-preparedness

NHS Commissioning Board (2013) NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR). Available online at: http://www.england.nhs.uk/wp-content/uploads/2013/02/eprr-standards.pdf

NHS Commissioning Board (2013a) NHS Commissioning Board Business Continuity Management Framework (service resilience). Available online at: http://www.england.nhs.uk/wp-content/uploads/2013/01/bus-cont-frame.pdf
