BACKGROUND PLANNING AIDE AND BIA TEMPLATES MRC

RESEARCH CONTINUITY PLANNING GUIDELINES FOR THE MRC

CONTENTS

INTRODUCTION
    Impact and Likelihood
    Comprehension and Control
RESEARCH CONTINUITY PLANNING
    Management Responsibilities
    Glossary
BUSINESS IMPACT ANALYSIS
    Essential Site Services
    Core Functions
    Impact Assessment
    Research Groups / Divisions
DECISION MAKING QUORUM / CRISIS MANAGEMENT TEAM
SCENARIO PLANNING

INTRODUCTION

Organisations face risks from many sources; the principal categories of risks that the MRC faces are:

• Strategic Risks ie the possibility that the policies and objectives set by the Council will not deliver the desired benefits in terms of advances in medical science. Within the MRC this is termed ‘Risk Management’.
• Operational Risks ie failure to deliver against planned objectives because of disruptions such as fire, flood, fraud and terrorist activity. These are captured in both the ‘Director’s Annual Statement of Internal Control’ and the ‘Risk Register’. The remainder of this document is concerned with the management of these operational risks which, within the MRC, is termed ‘Research Continuity Planning’.

This division of risks is illustrated below.

[Figure: Scope of Risk Management. Labels: Risk Management (controls achievement of business critical projects; Operating plan; Objectives (Research and Business Improvement); Achieves Results). Business Continuity Planning (enables the organisation to function; Day to Day Business Activities (Buildings, services, people etc.)). Corporate Compliance (legal, ethical).]

Within a finite budget it is not possible to address all risks simultaneously so it is important to be able to prioritise risk mitigation efforts. Two tools to assist with this process are described below.

Impact and Likelihood

One way of categorising risks is by Impact and Likelihood. Standard definitions of Impact have been agreed across the MRC as shown in the table below.
| Impact category | Low (Score 1) | Medium (Score 2) | High (Score 3) | Very High (Score 4) |
| --- | --- | --- | --- | --- |
| Disruption to Staff and / or Operations | Disruption requiring minimal work to catch up | Disruption requiring extra work to catch up | Disruption requiring significant extra work to catch up | Disruption to own and other units requiring significant extra work to catch up |
| Damage to Reputation | Negative reports within community | Negative reports in one national publication | Negative reports in multiple national publications | Significant negative media attention on international scale |
| Legal or Regulatory Obligation | Failure to meet informally stated standards | Failure to meet regulatory or legal obligations | Failure results in legal action | Failure results in suspension of operations |
| Direct or Indirect Cost (including cost of nonproductive staff) | £10,001 to £100,000 | £100,000 to £500,000 | £500,000 to £1M | Over £1M |

The likelihood of particular events can then be estimated and plotted on the chart shown below.

[Chart: Likelihood (Low, Medium, High, Very High) plotted against Impact (Low, Medium, High, Very High).]

Events falling in the red area will be the first target for risk mitigation through either:

• Reducing the likelihood by eg improving security
• Reducing the impact by eg Research Continuity Planning

Comprehension and Control

Estimating the probability of an event is fundamentally a rather subjective matter. Furthermore there is a need to balance mitigation of unlikely but catastrophic events with mitigation of more probable but lower impact events. To assist in determining where the planning effort should be focused the following matrix is offered for consideration. Taking the same risks that have been identified in the likelihood and impact matrix, plot these risks onto the template below. As a rough guide the most comprehensive plans are naturally for those risks that are both well understood and over which the organisation has some control, in this case the green shaded areas.
| Control over either the cause or effect | Low Comprehension of a specific threat | High Comprehension of a specific threat |
| --- | --- | --- |
| High Control | eg: ALF / anarchist threat | eg: Possible server failure |
| Low Control | eg: Meteorite hits building | eg: Terrorist attack |

The remainder of this document focuses on Research Continuity Planning. Specifically it examines two areas in detail:

• The MRC’s concept of Research Continuity Planning.
• Business Impact Analysis. This is a systematic process for quantifying the likely impact of an event on an organisation.
• Composition of the Decision Making Quorum / Crisis Management Team.
• Scenario Planning.

RESEARCH CONTINUITY PLANNING

The diagram below illustrates the MRC’s concept of Research Continuity Planning.

• The planning activity takes place before an incident. This is the Research Continuity Plan.
• As soon as an incident occurs then an emergency response is made. Individual MRC Units have detailed emergency response plans (eg evacuation of building and release of hazardous materials) and these should be incorporated into the Research Continuity Plan as annexes.
• Concurrent with this is a crisis management response by the organisation locally and with head office support, for example the issuing of press statements in conjunction with the site affected.
• Also initiated concurrently is the recovery of the building, people and processes necessary to regain Business as Usual (BAU).

The time scale is arbitrary and the time taken to regain normal working will vary from days to months.

[Diagram: timeline with the incident marked on the time axis, showing BC preparation, Emergency response, Crisis Management and Business Recovery.]

Management Responsibilities

Council manages business continuity through the following structure:

[Organisation chart: Executive Board; BC Manager; Health, Safety And Security; Unit Director; Unit BC Coordinator.]

Executive Board

The Executive Board directs and monitors business continuity arrangements across the Council.
It promotes business continuity preparation and planning that will detect, prevent and, if necessary, handle events that could disrupt the business of the Council. The Executive Board receives biannual reports from the Business Continuity Manager.

Business Continuity Manager

The Business Continuity Manager is the focal point for business continuity management within the Council. This involves co-ordinating and steering business continuity arrangements, ensuring the Council is prepared to respond to and recover from events that could disrupt its business. The Business Continuity Manager works closely with the Risk Steering Group, Head Office groups and research units on both business continuity and emergency management.

Business Continuity Coordinators

Each Business Continuity Coordinator is responsible for implementing business continuity within their own Unit.

Corporate Health, Safety and Security Section

The Corporate Health, Safety and Security Section is responsible for security standards and guidance relating to business continuity across Council. The Section offers the appropriate training and assistance to Business Continuity Coordinators in producing, testing and maintaining their unit’s business continuity plans and fulfils a monitoring role.

Glossary

Contingent: Depending on something else in the future to happen.

Contingency: A possible future event, a chance happening, or occurrence of events, usually causing problems or making further arrangements necessary.

Contingency Plan: Plan(s) or arrangements made in case a particular situation should arise.

Continuity: Uninterrupted connection, succession of work.

Continuity Plan: Plan(s) to ensure continuity of an activity or work.

Incident: An incident or occurrence that may or may not have an adverse effect, but could lead to an emergency; a minor event threatening more serious trouble.
Emergency: An unexpected or sudden occurrence requiring immediate action that could lead, or has led, to potential harm to staff, the environment, equipment or buildings.

Recovery: The act of returning to or restoring the original state of affairs.

Recovery Plan: Plan(s) that will ensure rapid return to the original condition or state of affairs.

BUSINESS IMPACT ANALYSIS

The Business Impact Analysis (BIA) begins by identifying the ‘Critical Functions’ that an organisation carries out and the resources upon which these functions depend – ‘Critical Dependencies’. As far as possible, the impact on the organisation of losing specific functions for different periods of time is then quantified. For the purposes of the BIA, the functions of MRC Units are broken down into three categories, as described below.

Essential Site Services

There are a number of services upon which all work at a Unit depends. Some examples are given below and a blank template is on page 4 of the Research Continuity Plan to be completed by each Unit.

Function Location Main Gate Reception Staff 4 Security Staff 2 Receptionists Critical Dependencies Alarm Systems Access Control Systems Fire Alarm Maintaining a Safe Working Environment Hazard Monitoring Systems Water and Sewerage Systems Electricity Sub Stations Building Services Staff IT Manager 3 IT Technicians Electricity Supplies Non-Industrial Gas Supplies Security Building Services Staff Heat and Light IT Connectivity Server Room

Loss of any of these essential site services will have an immediate and serious impact so the Recovery Plan must include explicit plans for the restoration of their critical dependencies.

Core Functions

Core Functions covers activities that support a number of Research Groups / Divisions. Some examples are given below and a blank template is on page 5 of the Research Continuity Plan to be completed by each Unit.
Function Culturing of bacteria, viruses and cells Preparation of standard media and solutions Disposal of hazardous waste Location Staff 3 Technicians Building Services Staff 3 Technicians Media Laboratory Building Services Staff 6 Waste Handling Staff Security Staff IT Staff Data Storage and Retrieval Offices, Library, IT Centre IT Manager 3 IT Technicians 40 Biomedical Staff Building Services Staff 4 Purchasers 3 Accountants Data Systems Access to Funds Building Services Data Systems Internet Access Critical Dependencies Consumables Specialist Equipment Consumables Specialist Equipment Specialist Equipment Large Scale Laboratory Care of Animals Animal Buildings Purchase of Consumables Supplies and Accounts [1]

[1] Note that Supplies is scheduled to move to Swindon in 2006.

Impact Assessment

In most cases, the impact of the loss of a core function will increase over time. It is therefore necessary to grade the impact at various stages. Leave cells blank if impact is negligible / impossible to predict. Some examples are given below and a blank template is on page 6 of the Research Continuity Plan to be completed by each site.
Staff / Operations Legal or Regulatory Reputation Remarks Cost Work in a number of sections affected 4 Critical research programme compromised Significant number of fatalities Supplies for a number of critical activities run out Culturing of viruses, bacteria and cells 2 days 1 week 2 weeks 1 month 3 months 2 days 1 week 2 weeks 1 month 3 months 2 days 1 week 2 weeks 1 month 3 months 2 days 1 week 2 weeks 1 month 3 months 2 days 1 week 2 weeks 1 month 3 months 2 days 1 week 2 weeks 1 month 3 months 1 2 2 4 1 2 3 4 3 4 Preparation of standard media and solutions Immediate impact in most areas All work come to a stand still 3 4 1 2 3 4 Disposal of Hazardous Waste 3 Worst case – waste pick-up due so immediate effect 4 Work would have to cease in 1 section All work comes to a stand still, risk of legal penalties Increasing risk of press interest Data Storage and Retrieval All staff suffer inconvenience 2 3 3 4 Care of Animals 3 4 3 4 Purchase of Consumables

As a guideline, the Recovery Plan should include detailed restoration plans for the Critical Dependencies of any functions that reach an impact of 4 in any category within 1 week.

Research Groups / Divisions

The function of the MRC is to conduct and publish medical research; this activity is carried out in the numerous Research Groups / Divisions. The criticality of the work being carried on in individual Research Groups / Divisions varies significantly over time. It is therefore impossible to predict in advance the impact of disruption to any particular group and impractical to make detailed recovery plans for each particular group in advance of an incident.

DECISION MAKING QUORUM / CRISIS MANAGEMENT TEAM

Overall responsibility for Business Continuity resides with the Director of each Unit and the Senior Management Team. However, if any form of disruption is anticipated, a group of key staff will be called together to explore possible scenarios and plan mitigation strategies.
This group is known as the Decision Making Quorum (DMQ). If a crisis is declared, the members of the DMQ (together with other personnel at the discretion of the Director) become the Crisis Management Team (CMT). An example composition of a DMQ is shown below and a blank template is on page 12 of the Research Continuity Plan to be completed by each Unit. Note that, depending on the precise nature of the incident, not all members (or alternates) may be required; equally, some incidents may require the co-option of other individuals onto the DMQ.

Primary Job title Director (Chairman) BC Coordinator (Alternate Chairman) Alternate Phone Name Phone Responsibilities Overall Coordination Liaison with MRC Press Liaison Deputy Chairman Point of contact with BC Manager Liaison with HSE, Environment Agency Liaison with Utilities providers Sourcing of emergency accommodation and equipment Sourcing of emergency transport Accounting for staff Name Head of Facilities Head of HR Communication with staff and families and local community Financial planning Liaison with suppliers Planning IT requirements and recovery times Head of Finance Head of IT Head of Biological Services

SCENARIO PLANNING

Before launching into detailed Crisis Management planning, it is important to consider some examples of incidents which might affect the organisation. The aim is not to predict precisely what will happen but rather to confirm the effectiveness of planning activity so far; in particular it tests the following:

• Has the Business Impact Analysis really captured the critical functions of the unit?
• Is senior management satisfied with how quickly normal working can be restored after an incident? If not, a budget needs to be allocated to remedy this situation.

Subsequently, other scenarios will be used to test the effectiveness of the plan and to train the Decision Making Quorum / Crisis Management Team. A number of scenarios are listed below.
Low Impact

• Minor fire in non-critical area of the building.
• Spillage of Hazard Group 2 material or hazardous chemicals within lab environment.
• Freezer containing biological samples breaks down.
• Prolonged disruption to public transport.

Medium Impact

• Suspect package delivered to Reception / Goods In.
• Flooding in part of the building.
• Large-scale demonstrations by protest groups.
• Industrial action.

High Impact

• Uncontained fire on site.
• Compromise of personal details of staff (names, addresses etc).
• Epidemic affecting large numbers of staff.
• Infection of staff with a Hazard Group 3 pathogen.
