Policy Title: Business Continuity Management Policy
Date Published/Reviewed: February 2018
Business Lead: Head of Strategic Governance
CCMT sponsor: Deputy Chief Constable

Thames Valley Police ensures that all policies have been assessed and comply with MoPI Guidance, and the Data Protection Act 1998. In addition this Policy has been reviewed by The Force Head of Health, Safety and Environment and has undergone an Equality Impact Assessment.

About this Policy

Rationale

Thames Valley Police (TVP), as a Category One responder, is required by the Civil Contingencies Act 2004 to have business continuity management arrangements in place. TVP must be able to continue to exercise its civil protection functions as well as, where possible, continuing to perform its ordinary functions in the event of an emergency or a disruption.

Business Continuity is defined in the International Standard Organisation (ISO) 22301:2012 as the capability of the organisation to continue delivery of products and services at acceptable predefined levels following a disruptive incident (paragraph 3.3).

Intention

This policy, along with the supporting documents, will provide details of the business continuity management process. This process aims to deliver the following outcomes:

- Ensure that TVP can continue to deliver critical services to the public in the event of a disruption
- Improve organisational resilience by developing strategies and adaptable and usable plans to minimise the impact of any emergency or disruption from identified threats and risks
- Ensure resources are used more effectively in order to ensure that duties to the public are met, particularly when resources are diminished
- Protect against reputational damage and increase public confidence
- Support the organisation's recovery following a disruption.

General Principles

This policy defines the methodology by which TVP will meet its statutory duties. The continuity management lifecycle (see diagram below) for British Standard (BS) 25999 has been taken into account. However, Thames Valley Police will align with ISO 22301 where possible and therefore will use the Plan, Do, Check, Act (PDCA) structure.

The business continuity management process is a continual cycle of activity that is maintained and reviewed to reflect changes in Force priorities and lessons learned from incidents and exercises. Continual improvement in business continuity management pro-actively aims to embed it into the organisation's culture.

TVP business continuity management process activity aligns and includes:

- Identification of critical functions and prioritisation of all associated activities
- Conducting threat and risk assessments
- Conducting a Business Impact Analysis
- Development and maintenance of business continuity plans and network of points of contact / plan owners
- Exercising business continuity plans to validate and ensure effectiveness
- Audit, maintenance and review of business continuity arrangements
- Training and awareness of business continuity plans and requirements
- Learning from incidents, disruptions and exercises
- Monitoring standards and compliance with all related legislation, standards, policies and good practice.

Statement of Policy

Business Continuity is a force-wide responsibility. All staff and officers have a role to play in the effective embedding of BCM into the culture of Thames Valley Police.

The Civil Contingency Act 2004 (CCA) provides that Category 1 responders may use generic plans, specific plans or a combination of the two. The guidance for TVP is this Policy. Procedures and Tactics are contained in the Force Business Continuity Plan / Management Framework and a set of specific Local Policing Area (LPA), Operational Command Unit (OCU), and Departmental Business Continuity Plans complement this. The TVP business continuity strategy provides strategic actions planned for the next three years.

A strategic business continuity plan will also be in place for the large non-operational / limited operational sites. This will set out the Force response to any disruption, including activation procedures and action checklists for the command structure. These plans will be supported by the more detailed plans in place within the Local Policing Areas, Operational Command Units and Departments.

The Civil Contingencies Act 2004 requires that arrangements are to be reviewed regularly to ensure validity in the event of any changes. All plans will be developed, maintained and exercised in accordance with the CCA 2004. All Business Continuity Plans should be based on a Business Impact Analysis (BIA) and will be coordinated centrally, to manage interdependencies and ensure a common approach.

This Policy, the TVP Business Continuity Strategy and the supporting documents and the Local Policing Area/Operational Command Units/Departmental Business Continuity Plans, as well as Business Impact Analyses, exercises, training and all related activity, form the overall arrangements for Thames Valley Police to fulfil its statutory duty.

The requirements of the Civil Contingencies Act 2004 are that Category 1 responders may enter into collaborative arrangements with other responders but Business Continuity Management must be owned and driven within the organisation itself in order to be effective.

All employees need to understand their responsibilities in a disruption and this should be encapsulated within the activity to embed the process into the organisation. The knowledge to provide this understanding to staff as well as training and support for those with specific responsibilities around writing plans will be developed. This will be disseminated via a network of business continuity contacts.

Critical activities

As category 1 responders Thames Valley Police will continue to deliver our civil protection functions. These functions and supporting activities are prioritised according to statutory requirements and by force objectives determined by the Strategic Planning Process.

The Business Impact Analysis process requires all activities to be prioritised based on a threat and risk assessment. Each critical activity identified in this process requires a recovery time to be set and resources and interdependencies to be recorded.

The Force's critical activities, endorsed by the Chief Constable are:

- Emergency Response
- Crime Investigation
- Custody Management
- Managing High Risk

Threats to service delivery

BCM arrangements take into account the threat and risks identified at a national, regional and community level. They will also take into account those risks identified through the internal Business Impact Analysis process and the organisational Risk Management process. The National Decision Model (NDM) is a key part of the approach to the management of risk within TVP, and in particular recognises the need to take account of the Code of Ethics.

BCM in TVP aims to address the impact of any incident in the following four areas:

- People: Loss of Staff/Officers (severe weather, disease pandemic, industrial action, abstractions)
- Premises: Denial of access or damage to premises (due to fire, flooding, police cordon/operational activity, power failure etc)
- ICT/Communications: Loss of critical systems (Local Area Network/Telephony failure, power or system failure or essential maintenance disruption)
- Suppliers/Stakeholders: Loss or failure of internal or external stakeholders/suppliers (LPAs / OCUs / departments, partner agencies, utilities, etc)

In most circumstances the identification of a disruption is clear, such as denial of access to a building due to a fire or flood, but any incident identified as having an impact on service delivery or the potential to impact on service delivery should be notified according to the procedure set out in the Force Business Continuity Plan. Some disruptions may be more difficult to identify, such as the impact of a failure of a key supplier, system failure, lack of key staff.

Incident classification

The BCM arrangements in place for TVP should be considered in the planning, response and recovery to any incident or emergency. When an incident is identified by any officer or staff member or stakeholder, that could adversely affect the capability of TVP to maintain normal service delivery, BCM plans should be activated in support of any operational response.

In a similar way to when a Critical Incident is identified, any incident which requires a Business Continuity response can be categorised as defined in the Force Business Continuity Plan.

Plan activation

LPA / OCU / department BCPs should be activated by the Commander or Head of Department in consultation with the Gold Commander following identification of a High or Medium impact incident.

The following incident grid follows the APP Tier 1 to 3:

- High Impact (Tier 3): A tier three incident is when any incident, or pre-planned event, has significantly impacted or has the potential to significantly impact on the force as a whole, across forces, or nationally, and Thames Valley Police's ability to perform its critical activities. This is managed at a GOLD level.
- Medium Impact (Tier 2): A tier two incident is when any incident, or pre-planned event, has impacted or has the potential to impact Thames Valley Police's ability to deliver its critical functions across multiple LPAs or Departments. This is managed by an LPA Commander or Department Head nominated by GOLD.
- Low Impact (Tier 1): A tier one incident is when any incident, or pre-planned event, has impacted the Force's ability to deliver its critical activities across a single LPA or Department. This is managed by an LPA Commander or Department Head.
- Potential: An issue is identified that it is believed could potentially impact on critical activities; the issue requires assessing and monitoring (e.g. industrial action, severe weather, a major event, building work etc).

The activation process is detailed in the Business Continuity Management Framework. This activation process is compatible with the process used by Hampshire Constabulary ensuring ease of use within Collaborated areas such as the Joint Operations Unit.

Roles and Responsibilities

The ultimate responsibility of ensuring Thames Valley Police complies with the Business Continuity requirements of the Civil Contingencies Act 2004 remains with the Chief Constable. All staff, officers and volunteers are responsible for being aware of the Business Continuity arrangements for their area in the event of a disruption. Specific roles are identified in the table below:

Role: Deputy Chief Constable (DCC)
Responsibility: Overall Force lead on Business Continuity

Role: Head of Strategic Governance Unit
Responsibility: Responsible at strategic level for Business Continuity

Role: Corporate Governance Manager
Responsibility: Responsible for all business continuity management activity in the Force. Support/advise in a disruption when required. Must ensure a tactical log of decisions and actions during any disruption is captured.

Role: Corporate Governance Officer
Responsibility: Responsible for implementation, coordination and support of all business continuity activity at a tactical force level. Support/advisor in a disruption when required. Must ensure a log of any disruption is captured and debriefed.

Role: Senior Management Teams / Business Continuity single points of contact (and Deputies)
Responsibility: Responsible for the LPA / OCU / Departmental business continuity activity at an operational / departmental level. Support / advise in a disruption when required. Must ensure a log of any disruption is captured and reported to the Strategic Governance Unit.

Role: Senior Information Risk Owner (SIRO)
Responsibility: In the event of a disruption, there may be a requirement to work outside normal information security policies and procedures. The SIRO should be responsible for authorisation.

Human Rights Articles Engaged

The policy does not invoke Human Rights Articles.

Health and Safety at Work

The Health and Safety at Work Act imposes a duty of care upon the Chief Constable to ensure, as far as is reasonably practicable, the health, safety and welfare of all staff. There is a legal requirement to conduct a risk assessment based on the individual's role and capabilities, which should include consideration of assessments under specific legislation e.g. Manual Handling Regulations.

Communications, Challenges and Representations

- Communication

Deputy Chief Constable
Thames Valley Police
Oxford Road
Kidlington
Oxon OX5 2NX

- Review

This policy document will be reviewed as and when necessary (e.g. following a tier 3 incident) and in any event every 12 months following the sign off of this review. The review will be carried out by the Strategic Governance Unit and will examine:

- Changes in legislation
- Court rulings (Domestic, European and Human Rights)
- Examples of good practice from other Forces or other organisations
- Changes in Home Office Circulars
- NPCC policy and Authorised Professional Practice
- Representations made by individuals and relevant organisations
- Relevant Equality data

The policy will next be reviewed in February 2019.

- FOI status and protective marking

This policy is suitable to be made available to the public and can be published on the Thames Valley Police Freedom of Information Publication Scheme.

Government Security Classification Policy (GSCP)

This policy has been assessed as OFFICIAL however the supporting documents have been assessed as OFFICIAL SENSITIVE and will therefore not be published as above.

All policies will be published on the Policy Management Unit Intranet site. New and reviewed policies will be promoted in Managers Briefing.

Related Legislation and guidance

- Civil Contingencies Act 2004
- Human Rights Act 1998
- Equality Act 2010 (section 149)
- Freedom of Information Act 2000
- Health and Safety at Work Act
- Government Classification Scheme
- ISO 22301:2012 Societal Security Business Continuity Management Systems
- BS 25999 Business Continuity Management Part 1 2006 Code of Practice and Part 2 Specification 2007
- BS 65000: 2014 Guidance on Organisation Resilience
- Business Continuity Institutes (BCI) Good Practice Guidelines 2013
- National Decision Making Model (NDM)
- Code of Ethics
- MOPI: Code of Practice

For use by the Policy Management Unit Only

Chief Officer Policy Authorisation
Policy signed off by:
Name of relevant ACC
Date

Version Date Author Reason Reviewed
2.0 June 2018 Sarah Holland Updated to new policy template and low level contextual and grammatical changes.