Business Continuity Policy

Version Number: 3.6

First published: 07-01-2014

Amendment record

Version  Date        Reviewer                        Comment
1.0      07/01/2014  Debbie Campbell
2.0      11/07/2014  Vicky Ryan                      Updated to include reference to linked documents
2.1      13/01/2015  Vicky Ryan                      Minor change
3.0      29/12/2015  Laura Davey / Debbie Campbell   Full review of document and changes, including adding reference to the Pandemic Flu Framework

Version number: 3.6
Status: Final
Author: Laura Davey / Debbie Campbell
Approver: Mary Backhouse
Date approved:

Contents

1 Introduction
2 Policy statement
3 Roles & responsibilities
  3.1 North Somerset Accountable Emergency Officer
  3.2 Head of Planning and Business Support
  3.3 North Somerset CCG staff
4 Business continuity incident
5 Financial arrangements
6 Communications strategy
7 Exercising, maintaining and reviewing
8 Distribution & Implementation
  8.1 Distribution Plan
  8.2 Implementation plan
9 Compliance Monitoring
  9.1 Compliance
10 Approval
11 Associated & reference documentation
  11.1 Associated documents
  11.2 Reference documents
Appendix 1 Glossary

1 Introduction

Business Continuity is a key part of North Somerset Clinical Commissioning Group's (CCG) requirements as a Category 2 responder under the Emergency Preparedness, Resilience & Response (EPRR) arrangements. In addition, the CCG and its external providers must comply with the Civil Contingencies Act (2004) in developing robust business continuity plans.

The CCG must deliver effective Business Continuity Management (BCM) in order to secure the best possible outcomes for patients in the event of an incident. The CCG recognises the potential operational and financial losses associated with a major service disruption, and the importance of maintaining viable recovery strategies. A key element of successful BCM is embedding a strong business continuity culture throughout the CCG, and this is endorsed by NHS England.

This Business Continuity Policy defines how the CCG will implement BCM to minimise the impact of incidents. It is supplemented by the Business Continuity Plan and by Business Impact Assessments for each business area in the CCG. Accountability sits at Accountable Emergency Officer level and responsibility at Head of EPRR level.

North Somerset CCG's business continuity objectives are to:
- Provide robust and consistent BCM throughout North Somerset CCG
- Identify and mitigate business continuity risk
- Ensure that BCM incorporates planning, training and continuous improvement to manage operational incidents
- Enable the successful delivery of the CCG's Business Continuity Plan
- Promote and maintain the reputational integrity of the CCG
- Meet the requirements of the Civil Contingencies Act (2004) and align to ISO business continuity requirements and guidelines
- Assure the Governing Body that Business Continuity plans are fit for purpose and meet the necessary requirements as outlined in Section 2 below

This policy should be read in conjunction with the following EPRR documents:
- LHRP Health Community Response Plan
- Severe Weather Plan
- Fuel Shortage Response Plan
- Communicable Diseases Plan
- Incident Response Plan
- Pandemic Flu Framework

2 Policy statement

North Somerset CCG is committed to ensuring robust and effective BCM as a key mechanism to restore and deliver continuity of key services in the event of an incident. The CCG also has a Business Continuity Plan in place, based on the following standards:
- NHS England Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR)
- ISO 22301:2012 Business Continuity Management Systems - Requirements
- ISO/PAS 22399:2007 Guideline for Incident Preparedness and Operational Continuity Management
- Recognised standards of corporate governance

All CCG Officers and Managers will ensure that BCM is maintained throughout the organisation and that, within their areas of responsibility, Business Impact Assessments (BIAs), which detail the prioritised activities within each department, are completed by all teams. All staff must be aware of the Business Continuity Plan and the associated BIA that affects their business area, and of their individual role following invocation.

The CCG will implement a programme of training, exercising, maintenance and review. In addition, the CCG will provide assurance to NHS England on BCM progress. The management of business continuity at the CCG aims to accommodate the needs and expectations of interested parties.

3 Roles & responsibilities

3.1 North Somerset Accountable Emergency Officer

The North Somerset Chief Operating Officer, or delegated deputy, has accountability as the Accountable Emergency Officer for:
- Promoting the embodiment of the business continuity culture within North Somerset CCG
- Provision of appropriate levels of resource and budget to achieve the required level of business continuity in response to incidents
- Ensuring information governance standards continue to be applied to data and information during an incident
- Providing assurance to NHS England via the EPRR Core Standards Self-Assessment, regular assurance meetings and engagement with the LHRP
- Ensuring the CCG supports the NHS England Local Area Team (LAT) in discharging its EPRR functions and duties

3.2 Head of Planning and Business Support

The North Somerset CCG Head of Planning and Business Support is responsible for:
- Implementation of the Business Continuity Policy and Plan
- The development, exercise and maintenance of the CCG's Business Continuity Plan and Business Impact Assessments
- The testing, exercising, updating and subsequent communication of the CCG's Business Continuity Plan and Business Impact Assessments, at a minimum annually
- Ensuring training is carried out and attendance records are maintained
- Producing a report of any incident that leads to the invocation of Business Continuity Plans, and sharing the learning from any incident with relevant parties

3.3 North Somerset CCG staff

All North Somerset CCG Senior Managers and staff are responsible for:
- Developing an awareness of BCM within their area of responsibility
- Escalating any business continuity incident in line with the process detailed in the Business Continuity Plan
- Developing and updating business continuity assessments within their own area of responsibility

4 Business continuity incident

4.1 Robust procedures should be detailed within the Business Impact Assessments for the following priority incidents as a minimum:
- Unavailability of premises for a period that significantly impacts prioritised activities, caused by fire, flood or other incidents
- Significant numbers of staff prevented from reaching North Somerset CCG premises, or getting home, due to severe weather or transport issues
- Major electronic attacks or severe disruption to the IT network, systems and mobile telephony
- Terrorist attack or threat affecting transport networks or office locations
- Denial of access to key resources, assets, utilities and fuel supply
- Theft or criminal damage severely compromising the organisation's physical assets
- Significant chemical contamination of the working environment
- Serious injury to, or death of, staff whilst in the offices
- Illness/epidemic striking the population and affecting a significant number of staff
- Outbreak of a serious disease or illness in the working environment
- Simultaneous resignation or loss of a number of key staff
- Widespread industrial action
- Significant fraud, sabotage or other malicious acts
- Violent incidents affecting staff

4.2 Incident Response Structure. The structure for responding to incidents will be detailed in the Business Continuity Plan and will include details of incident analysis, management and recovery.

5 Financial arrangements

5.1 The finance representative for Business Continuity within the CCG is the Deputy Chief Finance Officer. The funding required to cover any Business Continuity eventualities will be made available from the CCG financial allocation from the Department of Health.

5.2 A unique cost centre for Emergency Planning exists within the CCG coding structure to record any unexpected costs related to a business continuity issue. The budget allocated against this cost centre will be made available from the CCG financial allocation from the Department of Health.

6 Communications strategy

6.1 Business continuity awareness will be developed through communications and training. Business Continuity will be discussed at Senior Management Team meetings.

6.2 Effective communication is essential at a time of crisis. Communications in relation to an incident will be defined within the BCP.

6.3 New or varied legal, regulatory and other business continuity requirements shall be communicated to affected staff and areas.

6.4 All staff shall be set up with an nhs.net account when they join the CCG; this account will be used in the event of an incident.

7 Exercising, maintaining and reviewing

7.1 The BCP and BIAs will be exercised, reviewed and updated annually and after any actual incident, to determine whether any changes are required to procedures or responsibilities. The EPRR Work Programme details a timetable of exercise and review.

8 Distribution & Implementation

8.1 Distribution Plan

This document will be made available to all interested parties, including partners, providers and staff, via the North Somerset CCG website.

8.2 Implementation plan

To implement the CCG Business Continuity Plan or any of the CCG's Business Impact Assessments in the event of an incident, staff will require appropriate training. Required levels of training for key staff and appropriate awareness training for all CCG staff will be identified, and training will be undertaken. This will improve the organisation's resilience to the effects of incidents and ensure all staff are able to respond appropriately in the event of an incident.

9 Compliance Monitoring

9.1 Compliance

Compliance with this policy and the associated documents and procedures will be monitored by NHS England through the annual self-assessment assurance process, together with independent reviews.

10 Approval

10.1 The Quality and Assurance Group (QAG) has approved this policy and the Business Continuity Plan, and has delegated to the Chief Clinical Officer the sign-off of any updates/amendments.

11 Associated & reference documentation

11.1 Associated documents
- North Somerset CCG Business Continuity Plan
- Business Impact Assessments
- Business Continuity Training Schedule and Exercise Programme
- LHRP Health Community Response Plan
- Severe Weather Plan
- Fuel Shortage Response Plan
- Communicable Disease Plan
- Incident Response Plan
- Pandemic Flu Framework

11.2 Reference documents
- Civil Contingencies Act 2004
- ISO 22301:2012 Business Continuity Management Systems - Requirements
- ISO 22313:2012 Business Continuity Management Systems - Guidance
- ISO/PAS 22399:2007 Guideline for Incident Preparedness and Operational Continuity Management
- NHS England Commissioning Board Business Continuity Framework
- NHS England Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR)
- NHS England Emergency Preparedness, Resilience and Response Framework
- NHS England Business Continuity Management Toolkit
- NHS England Risk Management Policy and Procedure
- PAS 2015:2010 Framework for Health Services Resilience

Appendix 1 Glossary

Board: means the Chair, Executive Members and Non-executive Members of North Somerset CCG collectively as a body.

Budget: means a resource, expressed in financial terms, proposed by the Board for the purpose of carrying out, for a specific period, any or all of the functions of NHS England.

Business Continuity: means the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management (BCM): the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. BCM ensures a robust process is in place that identifies potential threats to an organisation and the potential impacts to business operations from those threats. BCM provides a framework for building organisational resilience that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan (BCP): the documented procedures that guide organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption. NOTE: Typically this covers resources, services and activities required to ensure the continuity of critical business functions.

Business Impact Analysis (BIA): the document that details the analysis of activities and the effect that a business disruption might have upon them.

Incident: means a situation that might be, or could lead to, a disruption, loss, emergency or crisis.

National Director: means an Executive Member or other Officer of NHS England who reports directly to the Chief Executive.

NHS England: means NHS Commissioning Board.

Prioritised Activities: activities to which priority must be given following an incident in order to mitigate impacts. NOTE: Terms in common use to describe activities within this group include critical, essential, vital, urgent and key.

Risk Assessment: overall process of risk identification, risk analysis and risk evaluation.