Business Continuity Policy




Policy Reference Information


Policy Reference Number             TP


Version Number                      1.0


Status                              Final


Author/Lead                         Philip Cottis
                                    Information Governance Project Manager

Implementation Date                 07 February 2008


Date of Last Review Date


Date of Next Formal Review          07 February 2009


Ratified by                         Information Governance Steering Group

Date of Ratification                07 February 2008

Date of Equality Impact
Assessment




Ver | Description of Change(s) | Reason for Change | Author | Date
Contents

1.   INTRODUCTION
2.   PURPOSE
3.   POLICY STATEMENT
4.   DEFINITIONS
5.   BUSINESS CONTINUITY PLANNING
6.   DEVELOPING PLANS
7.   PLANNING DOCUMENTS AND GUIDELINES
8.   ROLES AND RESPONSIBILITIES
9.   TRAINING REQUIREMENTS
10.  IMPLEMENTATION, MONITORING AND REVIEW
APPENDIX 1: EXAMPLES OF CORE FUNCTIONS
APPENDIX 2: BUSINESS CONTINUITY PLANNING PRO FORMA
APPENDIX 3: BUSINESS CONTINUITY PLAN (TEMPLATE)
APPENDIX 4: RISK CATEGORISATION MATRIX
APPENDIX 4: RISK CATEGORISATION MATRIX (CONT’D)
Business Continuity Policy v1.0 Final




1.      INTRODUCTION

The PCT must ensure that the highest level of service to patients is maintained
regardless of what might happen to clinical/non clinical procedures or the
infrastructure of facilities. Business continuity management is an important part of the
PCT’s risk management arrangements. The Civil Contingencies Act identifies the
PCT as a ‘Category 1 Responder’, and imposes a statutory requirement on the PCT
to have robust business continuity plans in place to manage disruptions to the
delivery of services.

There are many possible causes of service disruption. As a general guide, business
continuity planning must be carried out to minimise the effects of a number of
potentially disruptive events, for example:

•     Major accident or incident, national disaster, epidemic, terrorist attack;
•     Fire, flood, extreme weather conditions;
•     Loss of utilities, including IT and telephone systems; and
•     Major disruption to staffing; epidemic, transport disruption, industrial action,
      inability to recruit; mass resignations.

It must be understood that these events may not be mutually exclusive, for example
extreme weather leads to loss of electricity, disruption to transport, staff unable to get
to work and so on.

2.      PURPOSE

This document sets out the general principles and processes for the creation and
revision of business continuity and service recovery plans for the PCT.

3.      POLICY STATEMENT

The PCT will take all reasonable steps to ensure that in the event of a service
interruption essential services will be maintained and normal services restored as
soon as possible. To ensure that this happens the PCT must have in place robust
business continuity and service recovery plans that are regularly reviewed and
tested.

To help managers produce robust business continuity and service recovery plans the
PCT will provide planning templates and procedures and support.

4.      DEFINITIONS

•     Service Interruption: Any incident which threatens personnel, buildings or the
      operational procedures of an organisation and which requires special measures
      to be taken to restore normal functions.

      An appropriate response would aim to maintain essential services and restore
      normal services as soon as possible in the circumstances prevailing at the time.








•     Business Continuity Management: The identification and management of risk
      and threats faced by the NHS, due to disruption and interruption, taking steps to
      control and reduce the risks, assessing the impact on the organisation if the
      risks should materialise and providing a plan to be followed to ensure that the
      activities of the organisation continue.

5.      BUSINESS CONTINUITY PLANNING

The Business Continuity Institute has developed a five-stage approach that has been
incorporated into a British Standards Institute Publicly Available Specification (PAS
56). The process is widely accepted as ‘industry standard’ and has been adopted by
the PCT.

The stages are:

•     Understanding your business; defining the critical/core functions of the
      organisation (examples are given at Appendix 1);
•     Identify and categorise risks (Appendix 4) and assess how they are to be
      managed;
•     Develop a response to risks;
•     Raising awareness and embedding plans; and
•     Maintaining and auditing plans.

The PCT has incorporated these stages into a planning pro forma (Appendix 2) to
help identify core functions and a business continuity plan template (Appendix 3).

Each directorate or department is required to carry out an analysis of core functions
using the pro forma as a guide and to then complete a business continuity plan for
each risk identified.

The core functions analysis, risk identification and business plans must be reviewed
and amended at least annually or sooner if there is a major service development.

6.      DEVELOPING PLANS

It is important that each directorate/department has ownership of the business
continuity plans that relate to the services it provides. To ensure this each
directorate/department will be responsible for completing a core functions analysis
and identifying risks to those functions. From this the directorates/departments will
develop business continuity plans.

Plans will be cascaded to all staff within directorates as appropriate. The original
copies of core functions analysis and business continuity plans will be held by
directorates. The pro forma and template will be distributed to directorates.

Each directorate/department is responsible for ensuring that staff are given training
to assist them to implement business continuity plans. This training will vary
according to the content of the plans.

The flowchart below sets out the business continuity planning process:


[Flowchart: business continuity planning process. Boxes, from top to bottom:]

•     Planning policy and templates distributed to directors/heads of departments;
•     Directors/heads of department ensure that core functions analysis is completed
      and risks identified and copied to corporate services. Originals to be kept with
      relevant services;
•     Business continuity plans completed and signed off by directors. Originals to be
      kept with relevant services; and
•     Master plan collated by Organisational Development & Support Services.

[Side boxes:]

•     Annual Review;
•     Plans cascaded to appropriate staff in directorates; and
•     Training provided to appropriate staff.



7.      PLANNING DOCUMENTS AND GUIDELINES

7.1     Core Functions Pro forma

This pro forma (Appendix 2) is intended to provide a tool for each
directorate/department to identify its core functions. These are the functions that
underpin the ability to respond to an emergency and those that impact on the
credibility and public perception of the PCT. The key risks, which would result in the
loss of function, are also to be added to the pro forma.

7.2     The business continuity plan template

For each risk identified on the core functions analysis pro forma a business continuity
plan should be completed using the template provided (Appendix 3).

Plans must include:

•      The risk identified and a risk score;
•      Detailed action plans to reduce the risk;








•     Who is responsible for overseeing contingency planning and activating plans,
      and how it should be done;
•     Who is responsible for implementing action plans;
•     External organisations to be involved if appropriate;
•     Escalation procedures if appropriate; and
•     Who within the organisation should be informed that the plan has been
      activated (for example, director, director on call and chief executive).

Plans must also contain information about how their implementation will be monitored
and recorded.

8.      ROLES AND RESPONSIBILITIES

8.1     Chief Executive

The chief executive has overall responsibility for ensuring that the PCT has in place
effective arrangements to respond to an incident that has the potential to affect
service provision.

8.2     Directors/Service Managers

Directors and service managers are responsible for ensuring that:

•     Directorates and services complete an analysis of core functions and risk
      identification;
•     Business continuity plans are completed for each risk identified;
•     Business continuity plans are cascaded to appropriate staff within the
      directorate who are given appropriate training; and
•     Plans and core function analyses are reviewed annually or sooner as
      appropriate.

8.3     Head of Governance

The head of governance will be responsible for ensuring that:

•     Pro forma and templates are distributed to all directors and heads of services;
•     Completed core functions analyses and business continuity plans are collated
      into a master document, which is held within the corporate services department;
      and
•     The master plan is kept electronically and a web link is established to allow for
      maximum access.

8.4     All Staff

All staff must make themselves familiar with their individual roles as set out in:
•      This policy and procedure; and
•     Individual business continuity plans.






9.       TRAINING REQUIREMENTS

Training in completing the pro forma and the business continuity templates will be
provided for directors/service managers by the head of governance and health and
safety adviser. Training in risk assessment is provided through the risk management
strategy by the same team.

Each directorate/department is responsible for ensuring that staff receive training
appropriate to individual business continuity plans.

10.      IMPLEMENTATION, MONITORING AND REVIEW

Implementation

This policy and procedure will be distributed to all directors and service managers
with an accompanying letter setting out their responsibilities.

Monitoring

The development of plans against a timetable approved by the boards will be
monitored. Progress will be reported quarterly to the PCT committee responsible for
the management of risk. Through this committee the PCT board will be kept
informed.

The board will also receive reports in the annual emergency planning report as
required in the Department of Health Emergency Planning Guidelines 2005.
Assurance on emergency planning including business continuity planning will be
presented to the audit committee and the board in line with Standards for Better
Health requirements (core standard 24).




APPENDIX 1: EXAMPLES OF CORE FUNCTIONS


Core business functions of the PCT that must be supported in any emergency
situation.

Organisational functions

•    Commissioning;
•    Human Resources;
•    Information Management and Technology;
•    Finance;
•    Public Health Primary Care – provider services; and
•    Corporate Services including Board functions.

Necessary core business functions

Utilities and services without which the core business functions would not be able to
continue, eg:

•    Gas, Water, Electricity;
•    Fire alarms, Security system;
•    IT system, Telephone / Communications; and
•    Post, Portering, Catering, Estate services.

Contractor Services

The PCT’s response to unplanned loss of a Contractor or Contractor Service, eg:

•    General Medical Practitioners
•    General Dental Practitioners
•    Pharmacists
•    Optometrists




APPENDIX 2: BUSINESS CONTINUITY PLANNING PRO FORMA


This pro forma should be used to record the core functions of the service/department and the risks to the delivery of the core functions.
To fully identify the risks, the resources required to deliver the core functions should also be considered.

Core Function | Resources required to provide core functions | Risks to delivery of core function | Person responsible for overseeing business continuity planning




APPENDIX 3: BUSINESS CONTINUITY PLAN (TEMPLATE)


Directorate:      Provider Services
Core Function:    Provision of District Nursing Services

Description of identified risk

Reduction in clinical staffing levels through:
  •    Staff sickness
  •    Providing staff to support a major incident eg mass immunisation

Impact:        4
Likelihood:    3
Risk Score:    12

Contingency Plans

1. List of out-of-hours contact details for staff not on duty
2. List of non-essential services that could be suspended (Note: attached
(Note: identify where these are available or attach as part of plan)

Impact of event/incident

1. Reduction in staff availability
2. Non-treatment of patients
3. Complaints and litigation
4. Sustaining services over a long period of time

Actions to minimise risk

1. Establish Incident Management Team
2. Identify priority patients for treatment
3. Activate mutual aid agreement with local PCTs etc




APPENDIX 4: RISK CATEGORISATION MATRIX


Impact of Incident Occurring

 Level   Descriptor                Description
   1     Insignificant             No injuries, low financial loss
   2     Minor                     First aid treatment, situation immediately contained, financial loss below £5k
   3     Moderate                  Medical treatment required, some loss of service capability, situation contained with
                                   difficulty or with outside assistance, breach of regulation, inability to achieve important
                                   target, high financial loss £5-49k, local adverse publicity/loss of confidence in the PCT
   4     Major                     Extensive and lasting injuries or illness to individual or group, significant loss of service
                                   capability, situation contained with significant difficulty, significant breach of regulation,
                                   inability to achieve key target, major financial loss £50k+, national adverse
                                   publicity/major loss of confidence in the PCT
   5     Catastrophic              Death, significant threat to the general public, service closure, financial loss >£500k,
                                   national or international adverse publicity/severe loss of confidence in the PCT


Likelihood of Incident Occurring

 Level   Descriptor                Description
   1     Rare                      May occur in exceptional circumstances
   2     Unlikely                  Could occur at some time
   3     Possible                  Might occur at some time
   4     Likely                    Will probably occur in most circumstances
   5     Almost certain            Is expected to occur in most circumstances




APPENDIX 4: RISK CATEGORISATION MATRIX (CONT’D)


Overall Risk Rating

Likelihood \ Impact      1               2        3           4        5               Action
                         Insignificant   Minor    Moderate    Major    Catastrophic
1 Rare                   1               2        3           4        5               No immediate action
2 Unlikely               2               4        6           8        10              Action within 12 months
3 Possible               3               6        9           12       15
4 Likely                 4               8        12          16       20              Urgent action
5 Almost certain         5               10       15          20       25



