Business Continuity Policy
Version Number: 3.6
First published: 07-01-2014

Amendment record

Version | Date | Reviewer | Comment
1.0 | 07/01/2014 | Debbie Campbell |
2.0 | 11/07/2014 | Vicky Ryan | Updated to include reference to linked documents
2.1 | 13/01/2015 | Vicky Ryan | Minor change
3.0 | 29/12/2015 | Laura Davey / Debbie Campbell | Full review of document and changes including, adding reference to Pandemic Flu Framework

Version number: 3.6
Status: Final
Author: Laura Davey / Debbie Campbell
Approver: Mary Backhouse
Date approved:
NS CCG Business Continuity Policy

Contents

1 Introduction
2 Policy statement
3 Roles & responsibilities
3.1 North Somerset Accountable Emergency Officer
3.2 Head of Planning and Business Support
3.3 North Somerset CCG staff
4 Business continuity incident
5 Financial arrangements
6 Communications strategy
7 Exercising, maintaining and reviewing
8 Distribution & Implementation
8.1 Distribution Plan
8.2 Implementation plan
9 Compliance Monitoring
9.1 Compliance
10 Approval
11 Associated & reference documentation
11.1 Associated documents
11.2 Reference documents
Appendix 1 Glossary
1 Introduction

Business Continuity is a key part of North Somerset Clinical Commissioning Group's (CCG) requirements as a Category 2 responder for Emergency Preparedness, Resilience & Response (EPRR) requirements. In addition, the CCG and external providers must comply with the Civil Contingencies Act (2004) in developing robust business continuity plans.

The CCG must deliver effective Business Continuity Management (BCM) in order to secure the best possible outcomes for patients in the event of an incident. The CCG recognises the potential operational and financial losses associated with a major service disruption, and the importance of maintaining viable recovery strategies.

A key element of a successful BCM is embedding a strong business continuity culture throughout the CCG, and this is endorsed by NHS England.

The Business Continuity Policy document defines how the CCG will implement BCM to minimise the impact of incidents. It is supplemented by the Business Continuity Plan and Business Impact Assessments for each business area in the CCG. The CCG will have accountability at Accountable Emergency Officer level and responsibility at Head of EPRR level.

North Somerset CCG business continuity objectives are to:

- Provide robust and consistent BCM throughout North Somerset CCG.
- Identify and mitigate business continuity risk.
- Ensure that BCM incorporates planning, training and continuous improvement to manage operational incidents.
- Enable the successful delivery of the CCG's Business Continuity Plan.
- Promote and maintain the reputational integrity of the CCG.
- Meet the requirements of the Civil Contingencies Act (2004) and align to ISO business continuity requirements and guidelines.
- Assure the Governing Body that Business Continuity plans are fit for purpose and meet the necessary requirements as outlined in Section 2 below.

This policy should be read in conjunction with the following EPRR documents:
- LHRP Health Community Response plan
- Severe Weather Plan
- Fuel Shortage Response Plan
- Communicable Diseases Plan
- Incident Response Plan
- Pandemic Flu Framework

2 Policy statement

North Somerset CCG is committed to ensuring robust and effective BCM as a key mechanism to restore and deliver continuity of key services in the event of an incident. The CCG also has a Business Continuity Plan in place and this will be based on the following standards:

- NHS England Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR).
- ISO 22301:2012 - Business Continuity Management Systems - Requirements.
- ISO / PAS 22399:2007 - Guideline for Incident Preparedness and Operational Continuity Management.
- Recognised standards of corporate governance.

All CCG Officers and Managers will ensure that BCM is maintained throughout the organisation and that within their areas of responsibility Business Continuity Impact Assessments (BIA), which detail the prioritised activities within each department, are completed by all teams.

All staff must be aware of the Business Continuity Plan and associated BIA that affects their business areas and their individual role following invocation.

The CCG will implement a programme of training, exercise, maintenance and review. In addition, the CCG will provide assurance to NHS England on BCM progress.
The management of business continuity at the CCG aims to accommodate the needs and expectations of interested parties.
3 Roles & responsibilities

3.1 North Somerset Accountable Emergency Officer

The North Somerset Chief Operating Officer, or delegated deputy, has accountability as the Accountable Emergency Officer for:

- Promoting the embodiment of the business continuity culture within North Somerset CCG
- Provision of appropriate levels of resource and budget to achieve the required level of business continuity in response to incidents
- Ensuring information governance standards continue to be applied to data and information during an incident
- Providing assurance to NHS England via the EPRR Core standards Self-Assessment, regular assurance meetings and engagement with LHRP
- Ensuring the CCG supports NHS England Local Area Team (LAT) in discharging its EPRR functions and duties

3.2 Head of Planning and Business Support

The North Somerset CCG Head of Planning and Business Support will be responsible for:

- Implementation of the Business Continuity Policy and Plan
- The development, exercise and maintenance of the CCG's Business Continuity Plan and Business Impact Assessments
- The testing, exercising, updating and subsequent communications of the CCG's Business Continuity Plan and Business Impact Assessments on a minimum of an annual basis
- Ensuring training is carried out and attendance records are maintained
- Producing a report of any incident that leads to the invoking of Business Continuity Plans and sharing the learning from any incident with any relevant parties
3.3 North Somerset CCG staff

All North Somerset CCG Senior Managers and staff are responsible for:

- Developing an awareness of BCM within their area of responsibility.
- Escalating any business continuity incident in line with the process detailed in the Business Continuity Plan.
- Developing and updating business continuity assessments within their own area of responsibility.

4 Business continuity incident

4.1 Robust procedures should be detailed within the Business Impact Assessments for the following priority incidents as a minimum.

- Unavailability of premises for a period that significantly impacts prioritised activities caused by fire, flood or other incidents;
- Significant numbers of staff prevented from reaching North Somerset CCG premises, or getting home due to severe weather or transport issues;
- Major electronic attacks or severe disruption to the IT network, systems and mobile telephony;
- Terrorist attack or threat affecting transport networks or office locations;
- Denial of access to key resources, assets, utilities and fuel supply;
- Theft or criminal damage severely compromising the organisation's physical assets;
- Significant chemical contamination of the working environment;
- Serious injury to, or death of, staff whilst in the offices;
- Illness/epidemic striking the population and affecting a significant number of staff;
- Outbreak of a serious disease or illness in the working environment;
- Simultaneous resignation or loss of a number of key staff;
- Widespread industrial action;
- Significant fraud, sabotage or other malicious acts;
- Violent incidents affecting staff.

4.2 Incident Response Structure. The structure for responding to incidents will be detailed in the Business Continuity Plan and will include details of incident analysis, management and recovery.

5 Financial arrangements

5.1 5.2 The finance representative for Business Continuity within the CCG is the Deputy Chief Finance Officer. The funding required to cover any Business Continuity eventualities will be made available from the CCG financial allocation from the Department of Health. A unique cost centre for Emergency Planning exists within the CCG coding structure to record any unexpected costs related to a business continuity issue. The budget allocated against this cost centre will be made available from the CCG financial allocation from the Department of Health.

6 Communications strategy

6.1 6.2 6.3 6.4 Business continuity awareness will be developed through communications and training. Business Continuity will be discussed at the Senior Management Team meetings. Effective communication is essential at a time of crisis. Communications in relation to an incident will be defined within the BCP. New or variations to legal, regulatory and other business continuity requirements shall be communicated to affected staff and areas. All staff shall be set up with an nhs.net account when they join the CCG which will be used in the event of an incident.

7 Exercising, maintaining and reviewing

8.1 The BCP and BIAs will be exercised, reviewed and updated annually and after any actual incident, to determine whether any changes are required to procedures or responsibilities.
The EPRR Work Programme details a timetable of exercise and review.

8 Distribution & Implementation

8.1 Distribution Plan

This document will be made available to all interested parties including partners, providers and staff via the North Somerset CCG website.

8.2 Implementation plan

To implement the CCG business continuity plan or any of the CCG's business continuity impact assessments in the event of an incident, staff will require appropriate training. Required levels of training for key staff and appropriate awareness training for all CCG staff will be identified and training will be undertaken. This will improve the organisation's resilience to the effects of incidents and ensure all staff will be able to respond appropriately in the event of an incident.

9 Compliance Monitoring

9.1 Compliance

Compliance with this policy and the associated documents and procedures will be monitored by NHS England through the annual self-assessment assurance process, together with independent reviews.

10 Approval

10.1 The Quality and Assurance Group (QAG) has approved this policy and the business continuity plan and has delegated to the Chief Clinical Officer to sign off any updates/amendments.

11 Associated & reference documentation
11.1 Associated documents

- North Somerset CCG Business Continuity Plan
- Business Impact Assessments
- Business Continuity Training Schedule and Exercise Programme
- LHRP Health Community Response plan
- Severe Weather Plan
- Fuel Shortage Response Plan
- Communicable Disease Plan
- Incident Response Plan
- Pandemic Flu Framework

11.2 Reference documents

- Civil Contingencies Act 2004.
- ISO 22301:2012 Business Continuity Management Systems Requirements.
- ISO 22313:2012 Business Continuity Management Systems Guidance.
- ISO / PAS 22399:2007 Guideline for Incident Preparedness and Operational Continuity Management.
- NHS England Commissioning Board Business Continuity Framework.
- NHS England Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR).
- NHS England Emergency Preparedness Resilience and Response Framework.
- NHS England Business Continuity Management Toolkit.
- NHS England Risk Management Policy and Procedure.
- PAS 2015:2010 Framework for Health Services Resilience.
NHS Commissioning Board Business Continuity Policy

Appendix 1 Glossary

Board: means the Chair, Executive Members and Non-executive Members of North Somerset CCG collectively as a body.

Budget: means a resource, expressed in financial terms, proposed by the Board for the purpose of carrying out, for a specific period, any or all of the functions of NHS England.

Business Continuity: means capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management (BCM): The overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. BCM ensures a robust process is in place that identifies potential threats to an organisation and the potential impacts to business operations from those threats. BCM provides a framework for building organisational resilience that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan (BCP): The documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE Typically this covers resources, services and activities required to ensure the continuity of critical business functions.

Business Impact Analysis (BIA): The document that details the analysis of activities and the effect that a business disruption might have upon them.

Incident: means a situation that might be, or could lead to, a disruption, loss, emergency or crisis.

National Director: means an Executive Member or other Officer of NHS England who reports directly to the Chief Executive.

NHS England: means NHS Commissioning Board.

Prioritised Activities: activities to which priority must be given following an incident in order to mitigate impacts. NOTE Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.
Risk Assessment: overall process of risk identification, risk analysis and risk evaluation.