NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Similar documents
Business Continuity Policy

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018

Policy. Business Resilience MB2010.P.119

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

INFORMATION SECURITY AND RISK POLICY

To be an active partner, always ready to improve by working with others

Director, Major Projects and Resilience. To: Planning and Performance Committee 6 November 2014

Cyber Security Strategy

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Manchester Metropolitan University Information Security Strategy

Why you should adopt the NIST Cybersecurity Framework

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Emergency Preparedness, Resilience and Response Quarter 1&2 Report: April - September 2014

TSC Business Continuity & Disaster Recovery Session

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Resilience in London

Global Statement of Business Continuity

Business Continuity and Disaster Recovery

THE LINK BETWEEN ENTERPRISE RISK MANAGEMENT AND DISASTER MANAGEMENT

The Metropolitan Police Service Approach to Corporate Resiliency

Member of the County or municipal emergency management organization

Information Security Strategy

Risk Management. Continuity Management

Practitioner Certificate in Business Continuity Management (PCBCM) Course Description. 10 th December, 2015 Version 2.0

Business Continuity Management Program Overview

Information Security Policy

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ

INTERNAL AUDIT DIVISION REPORT 2017/151. Audit of business continuity in the United Nations Interim Force in Lebanon

Security Director - VisionFund International

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

Appendix 3 Disaster Recovery Plan

Continuity of Business

Overview of the Federal Interagency Operational Plans

GRAMPIAN SCG PUBLIC COMMUNICATIONS PLAN

CCS NHS Trust EPRR Core Standards Work Plan & Schedule (attached below).

Principles for BCM requirements for the Dutch financial sector and its providers.

HPH SCC CYBERSECURITY WORKING GROUP

Information Security Incident

Information Security Controls Policy

AGENDA ITEM: 3.4 DATE OF MEETING: 3 MAY 2018 INFORMATION MANAGEMENT, TECHNOLOGY & GOVERNANCE COMMITTEE

Table of Contents. Sample

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

NDIS Quality and Safeguards Commission. Incident Management System Guidance

INTERNAL AUDIT DIVISION REPORT 2017/138

THE STRATEGIC POLICING REQUIREMENT. July 2012

Introduction to Business continuity Planning

MassMutual Business Continuity Disclosure Statement

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Enterprise resilience and the role of Standards

How ISO helps organisation to achieve operational readiness Ong Liong Chuan 26 Apr 2016

Facilities Management and Business Continuity. 10 May 2017

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

BCM Program Development

Building resilience. Delivering assurance.

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

Business Continuity: How to Keep City Departments in Business after a Disaster

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Using International Standards to Implement a Business Continuity Management System (BCMS)

When Recognition Matters WHITEPAPER ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEMS.

OFFICIAL COMMISSIONING OF SECURITY SYSTEMS AND INFRASTRUCTURE

BUSINESS CONTINUITY MANAGEMENT. A short guide 2017

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Information for Local Resilience Partners and Emergency Responders

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Global Security Advisor

CYBER RESILIENCE & INCIDENT RESPONSE

Directive on security of network and information systems (NIS): State of Play

Session 5: Business Continuity, with Business Impact Analysis

Information Governance Incident Reporting Policy

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Introduction to Business Continuity Management

Business continuity management and cyber resiliency

EQUINIX BUSINESS CONTINUITY ADVANCED SERVICES KEEP YOUR BUSINESS UP AND RUNNING

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Business Continuity Management

Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved. FlyntGroup.

Port Facility Cyber Security

National Preparedness System. Update for EMForum June 11, 2014

Use Of Mobile Communication Devices Within Healthcare Premises Policy

External Supplier Control Obligations. Cyber Security

John Snare Chair Standards Australia Committee IT/12/4

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

LEADERSHIP GROUP LG (2017) Paper October 2017 RESILIENCE BOARD

Emergency Management Response and Recovery. Mark Merritt, President September 2011

ACTIVE SHOOTER RESPONSE CAPABILITY STATEMENT. Dynamiq - Active Shooter Response

Information Governance Incident Reporting Procedure

EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

INFORMATION SECURITY- DISASTER RECOVERY

HSCIC Audit of Data Sharing Activities:

ICT Portable Devices and Portable Media Security

Data Security Standards

01.0 Policy Responsibilities and Oversight

Transcription:

NHS Gloucestershire Clinical Commissioning Group 1

Document Control Title of Document Gloucestershire CCG Author A Ewens (Emergency Planning and Business Continuity Officer) Review Date February 2017 Classification OFFICIAL SENSITIVE Revision Version Changes made Summary of Change Authorised by Date No by Review and updating to bring in line Andy Ewens M. Andrews- 19.2.15 1 with current BCM principles Evans 12.1.16 1.1 Reviewed following PWC Audit Andy Ewens M. A-E Plan Management This plan is maintained by the Emergency Planning and Business Continuity Officer (EP&BCO) at Gloucestershire Clinical Commissioning Group. Exercising Specific areas to include- Decision to declare/mechanism for notifying partners of Business Continuity incident Organisational command, control and coordination arrangements for single/multiple site incidents, in light of regional and national response structures Mobilisation/command of all staff within the CCG Identification of mutual aid requirements and mechanism for requests Welfare considerations for all staff-at scene/additional sites Protection of the CCG reputation Date Exercise Name Description 24.11.15 Exercise Laithwaite Live Play BCM Exercise Associated Plans Gloucestershire CCG Business Continuity Plan and Departmental Critical Function Analyses Gloucestershire LRF Major Incident Procedures Manual Gloucestershire LRF Humanitarian Assistance Guide Gloucestershire LRF Mass Fatalities Plan Gloucestershire LRF Emergency Mortuary Plan Gloucestershire LRF Recovery Plan Gloucestershire LRF Warning and Informing Plan Freedom of Information Act Statement This document outlines the current capabilities and vulnerabilities for Gloucestershire Local Resilience Forum (LRF) in its mass casualty response capability and capacity. It is therefore not suitable for public release under the Freedom of Information Act (FOIA) as to do so would be detrimental to the effectiveness and security of LRF partners. ii

Record of Amendments Version Date Nature of Amendment / Remarks Draft AUG 13 Initial draft 1/13 v.1 12.09.13 Approved 29.08.2013 1 19.2.15 Updated Andy Ewens 1.1 12.1.16 Update Andy Ewens Table of Contents 1.0 Introduction 1 2.0 Aim 1 3.0 Objectives 1 4.0 What is Business Continuity Management? 2 5.0 Roles and Responsibilities 6 6.0 Implementation Programme 6 7.0 Major or Escalating Internal Incident 7 8.0 Training 8 9.0 Testing, Maintenance and Practice 8 10.0 Document Reviews 8 11.0 Supporting Guidance and Documentation 9 iii

1.0 Introduction 2.0 Aim The role of Gloucestershire Clinical Commissioning Group (GCCG) is to commission healthcare, both directly and indirectly, so that publicly funded healthcare providers secure the best possible outcomes for patients. In doing so, the GCCG will seek to meet the objectives prescribed in the mandate and to uphold the NHS Constitution. The GCCG recognises the potential operational, reputational and financial losses associated with a significant service interruption, and the importance of maintaining viable recovery strategies. All NHS organisations are required to maintain a good standard of preparedness to respond safely and effectively to a full spectrum of threats, hazards and disruptive events. These range from pandemic flu, mass casualty, potential terrorist incidents, severe weather, chemical, biological, radiological and nuclear incidents, fuel and supplies disruption and public health incidents. (NHS Operating Framework 2012/2013) GCCG seeks to ensure that the highest level of services to patients is maintained during any interruption to clinical or non-clinical procedures, medical services or the infrastructure of facilities. Whilst the Civil Contingencies Act identifies the organisation as a Category 2 Responder there is a statutory requirement for the organisation, as a provider of NHS services, to ensure that it has effective business continuity plans in place to manage any disruptions to the delivery of its services. Business Continuity Management (BCM) is an essential component of Emergency Preparedness Resilience and Response (EPRR). It ensures there is capability to provide and maintain an effective response to any significant incident. It links to and contributes to effective Risk Management whilst supporting sound Corporate Governance by GCCG. It is important for all staff within the CCG to be cognisant of Business continuity Management Systems, to take ownership of those functions within their remit and regularly review and maintain their own, their team and their organisational issues within the planning process. The CCG and Plans area available to all employees of the CCG through CCG Live the on line intranet. The aim is to establish a Business Continuity Management System which will: Ensure that the organisation is aligned with good practice and appropriate guidance of ISO 22301 and ISO (PAS) 22399 1

3.0 Objectives The objectives of this Strategy are to: Explain what BCM is Identify the BCM lifecycle and elements of the planning process Identify management procedures to prevent or minimise a disruption to service delivery Implement a BCM System within GCCG Provide details regarding incident management and command and control arrangements Detail how the organisation will provide support to areas affected by providing appropriate management and support Identify the process for developing individual team/service/department BCM Plans 4.0 Business Continuity Management 4.1 WHAT IS BUSINESS CONTINUITY MANAGEMENT Business continuity is the agreed process to ensure the continuation of critical functions in the event of a significant incident. Business Continuity Management is a process that: Identifies and manages current and future threats to a business Takes a proactive approach to minimising the impact of incidents Provides a framework for building organisational resilience Keeps critical functions up and running during times of crises Minimises downtime during incidents and improves recovery time Demonstrates resilience to stakeholders and suppliers. Protects reputation and brand. Business Continuity Management must become embedded into the way the organisation plans and manages activities. It is recognised that a disruption to internal services provision could escalate, resulting in the organisation requiring the support of other emergency responders. 2

4.2 BUSINESS CONTINUITY MANAGEMENT LIFECYCLE The Business Continuity Management lifecycle is a series of activities which collectively cover all aspects and phases of the business continuity management programme. See figure 1: Figure 1 Business Continuity Management Toolkit HM Government 4.3 UNDERSTANDING THE ORGANISATION This involves gaining a full understanding of the services we provide and identifying key activities and staff required to maintain critical and essential services. This process starts with identifying service provision or processes where any failure, e.g. of equipment, suppliers, etc., would lead to a significant interruption. The main internal and external threats that the organisation faces need to be identified, their impact calculated and risk assessed. Once the threats are established, the resources are identified that are needed to ensure critical services are maintained. In order to develop BCM Plans staff need to understand the services provided across the organisation. This would include identifying critical functions or services, the effect of those functions being disrupted and the priority for returning to normality. Irrespective of the disruption, BCM needs to cater for the loss or unavailability of the following: People Premises and utilities Technology Information 3

Supplies Transport Stakeholders. 4.4 DETERMINING THE OPTIONS (STRATEGY) GCCG will consider strategic options for its critical activities and the resources that each activity will require on its resumption. The most appropriate strategy or strategies will depend on a range of factors such as: The maximum tolerable period of disruption of the critical activity The costs of implementing a strategy or strategies, and The consequences of inaction. The organisation must agree which services are critical to be maintained and have plans in place to ensure service delivery is maintained for the first 24 hours, followed by procedures to continue for three days and then seven days. Further disruption may need to be managed in accordance with those services and type of disruption. Members of the Incident Management Team must have the information, authority and knowledge to be able to assess the situation, confirm the priorities and decide on the appropriate course of action, which may include invoking the appropriate BCM plans. 4.5 DEVELOP AND IMPLEMENT A BUSINESS CONTINUITY MANAGEMENT RESPONSE The organisation will ensure a defined incident response structure is in place to enable an effective response and recovery from disruptions. The GCCG will make sure that arrangements are in place to ensure that disruptions can be managed within specialist individual areas, services or teams. Each critical service will ensure they have a local business continuity plan in place. The Incident Management Team would enable the organisation to: Confirm the nature and extent of the incident Take control of the situation Contain the incident, and Communicate with stakeholders. The Incident Management Team should assess risks that might affect ability to deliver services and consider how both clinical and non-clinical provision can be maintained, regardless of the type of disruption. This can be achieved by identifying a list of all known risks or hazards which may threaten service provision. The risk should be rated, which will help inform what may need to be done to minimise or respond to the risk. 4

The following describe strategies that could be adopted: Tolerate (Do nothing) Transfer (Change, transfer or end the process) Treat (Insure) Mitigate (Take steps to soften the impact). Any significant risks that have been identified as part of this process should be incorporated into the organisation s risk register. 4.6 MAINTAINING, EXERCISING AND TESTING These are essential processes to ensure that procedures and BCM arrangements remain current and fit for purpose. Regular testing of the processes, combined with an ongoing review of this strategy and BCM contingency plans is essential. 4.7 EMBEDDING A BUSINESS CONTINUITY MANAGEMENT CULTURE Embedding a BCM Culture is a long-term activity aimed at ensuring BCM principles are adopted across the organisation and become part of the day-to-day planning of services and training. ISO 22301 Societal Security Business Continuity Management Systems Requirements 5

Business continuity plans must be kept up-to-date, key staff provided with appropriate training and procedures validated through exercises and testing. The process will also include effectively managing the prioritisation of services and ensuring resilience of key providers and suppliers. 5.0 Roles and Responsibilities 5.1 Corporate responsibility The Strategy does not change the responsibilities of the Board, which has ultimate responsibility for management of GCCG. 5.2 Implementing strategy The governing body Accountable Emergency Officer (Executive Nurse) is responsible for implementing this strategy and establishing a BCM System within GCCG. The Accountable Emergency Officer will ensure that a corporate BCM Plan incorporating departmental Critical Function Analyses is developed and maintained. 5.3 Management and departmental support The Accountable Emergency Officer will be supported by the EPRR lead manager for GCCG and the Emergency Planning and Business Continuity Officer. Each member of staff, team, service and department manager is responsible for maintaining individual services and implementing BCM within their team. They will develop and maintain service or departmental BCM Plans. Where a service is contracted out, or is dependent on external providers or suppliers, it is the responsibility of the manager of that service to ensure continuity arrangements are in place. Therefore, appropriate managers need to ensure that providers, suppliers and contractors have robust BCM Plans in place to provide and maintain contracted services. All staff will contribute to the development of their service or departmental BCM Plan. They will ensure that they are familiar with the plan and their role and responsibilities in implementing it. 6.0 Significant or Escalating Internal Incident Any disruption to service delivery has the potential to escalate into an internal incident that may require the organisation to invoke the Major Incident Plan. A major incident is any occurrence that cannot be dealt with by routine management arrangements alone. 6

Once a potential disruption to service delivery has been identified the Senior On Call Manager will invoke an appropriate management response commensurate with the incident. This may require a formal major incident to be declared or internal escalation management procedures to be put in place. An example of what this management support might look like follows: 7 Management support Provision of support for first 24 hours In hours Managers and appropriate staff will assess the incident and take appropriate action based on relevant business continuity plans. They will inform the Senior On Call or On Call Manager of the incident, actions taken, and progress of the incident. Out of hours take appropriate action based on relevant business continuity plans. If this were to continue for three to seven days the approach would be a planned approach by an appropriate level Incident Management Team. 7.1 Managing longer term incident (i.e. Pandemic Flu) Any incident lasting seven days or longer could lead the Incident Management Team to consider whether to escalate to declare a major incident and whether this needs to extend to include support from the Local Resilience Forum in accordance with contingency plans already developed. Although Major Incident and Business Continuity Management are two separate work streams, they must have the ability to quickly interact with each other. Sound BCM ensures there is capability to provide and maintain an effective response to a major incident. Major Incident and Business Continuity Management Planning Interaction 7

Emergencies (Major Incidents) Business Continuity is an essential part of the response to an Emergency (Major Incident) Business Continuity Management (BCM) Note: An internal disruption to services may not be a major incident to external agencies 8.0 Training Staff who may be required to become involved with BCM response will receive appropriate training to enable them to fulfil their management role and/or function. This training will include procedures outlined in Business Continuity Management Plans, Action Cards and protocols detailed in individual risk assessments. Training for key staff will give assurance to the Board that staff are able to respond effectively to an incident. All staff are made aware of BCM issues. Those not directly involved in the delivery of critical services need to understand what is expected of them to support the response to a disruption to services provision. The Accountable Emergency Officer will ensure training needs are identified, training records compiled and the BCM planning lifecycle is maintained. Staff should receive training during induction and refresher training when changing appointment and when procedures are altered. 9.0 Testing, Maintenance and Practice BCM procedures must be tested to demonstrate that they work and be reviewed in line with any lessons learned. 10.0 Document Reviews All BCM Plans will be reviewed annually or earlier if required and evidence of reviews maintained. 8

11.0 Supporting Documentation/Guidance The following documents were consulted and should be read in conjunction with this strategy. The Civil Contingencies Act 2004 The Health and Social Care Act 2012 NHS Resilience and Business Continuity Management Guidance (Department of Health, 2008) NHS EPRR documents and supporting materials including: NHS Emergency Planning Framework (2013) NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR) NHS Business Continuity Management Framework BS: ISO 22301 Societal Security Business Continuity Management Systems Requirements Business Continuity Management Toolkit HM Government BSI PAS: 2015 Framework for Health Services Resilience Gloucestershire Local Resilience Forum Major Incident Strategic and Tactical Plans Gloucestershire Local Resilience Forum Pandemic Flu Plan Gloucestershire Local Resilience Forum Severe Weather plan 2014 Gloucestershire Local Health Resilience Partnership: Health Community Response Plan GCCG Major Incident Plan 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback