Business Continuity Management Policy

1 Business Continuity Management Policy

Author: Stuart Brown Version: 2

April 2015

SH NCP 67

Business Continuity Management

Policy

Version: 2

Summary: This Business Continuity Policy provides the strategic framework for Southern Health NHS Foundation Trust’s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure SHFT meets its legal obligations to ensure the organisation’s Prioritised Activities and Services are protected against potential disruption as a result of incidents and emergency situations and climate change adaption.

Keywords (minimum of 5): (To assist policy search engine)

Business Continuity Policy, Business Continuity Management, Emergency Planning, Business Continuity Plan, Organisational Resilience, Climate Change Adaption

Target Audience: All employees of Southern Health NHS Foundation Trust. Non-Executive Directors, Volunteers, Governors and Contractors.

Next Review Date: January 2017

Approved and ratified by: EPRR Working Group

Date of meeting: 12 January 2015

Date issued: April 2015

Author: Stuart Brown

Business Continuity Advisor

Sponsor: Helen Ludford

Version Control

Document Change Record

| Date | Author | Version | Page | Reason for Change |
|---|---|---|---|---|
| 24.05.13 | T Pettis | 1 | | Changes to reflect NHS Commissioning Board, NHS England and Public Health England structures following the abolition of Strategic Health Authorities and Primary Care Trusts. |
| 24.05.13 | T Pettis | 1 | | NHS Commissioning Board BC related documents |
| 02.12.13 | S Brown | 1 | | Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard |
| 31.01.14 | S Brown | | | Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard |
| 18.05.14 | T Pettis | 1 | | Review and update of entire document and Business Impact Analysis |
| 10.06.14 | L Sawyer | 1 | | Integration with Trust’s Climate Change Adaption Plan |
| 10.11.14 | S Brown | 2 | | Review of completed document and inclusion of BIA and BC Plan templates for EPRR WG on 21 Nov 14 |
| 05.01.15 | S Brown | 2 | | Inclusion of amended Business Impact Analysis (BIA) |

Reviewers/contributors

| Name | Position | Version Reviewed | Date |
|---|---|---|---|
| Sharon Gomez | Essential Training Lead | 1 | 04 Feb 2013 |
| Fiona Richey | Head of Risk and Business Continuity | 1 | 12 Feb 2013 |
| Ricky Somal | Equality and Diversity Lead | 1 | 17 Feb 2013 |
| Alida Towns | Interim Business Manager | 1 | 18 Feb 2013 |
| Helen McCormack | Chief Medical Officer | 1 | 27 Mar 2013 |
| Tim Pettis | BCR Manager SHFT | 1 | 01 Apr 2013 |
| David Griffiths | EPM (UHS) (External Reviewer) | 1 | 01 May 2013 |
| Libby Beesley | EPM DUFT (External Reviewer) | 1 | 01 May 2013 |
| Tim Pettis | BCR Manager SHFT | 1 | 24 May 2013 |
| Stuart Brown | BC Advisor | 1 | 02 Dec 2013 |
| Stuart Brown | BC Advisor | 1 | 31 Jan 2014 |
| Tim Pettis | BCRM SHFT | 1 | 29 May 2014 |
| Louise Sawyer | Environmental Sustainability Manager | 1 | 10 June 2014 |
| Stuart Brown | BC Advisor | 2 | 17 Nov 2014 |

CONTENTS

1. Introduction
2. Scope
3. Definitions:
    3.1 Business Continuity Management
    3.2 Business Impact Analysis
    3.3 Emergency
    3.4 Prioritised Activities
    3.5 Maximum Tolerable Period of Disruption
    3.6 Recovery Time Objective
4. Duties/responsibilities
    4.1 Chief Executive and Board
    4.2 Lead Director
    4.3 Head of Risk and Business Continuity
    4.4 Divisional and Service Managers
    4.5 All Staff
5. Main policy content:
    5.1 Business Continuity Lifecycle
    5.2 Business Continuity Objectives
    5.3 Business Impact Analysis
    5.4 Risk Assessment
    5.5 Recovery Plans
    5.6 The Southern Health NHS Foundation Trust Business Continuity Plan
    5.7 Incident Identification
    5.8 Incident Declaration
        5.8.1 Normal working hours
        5.8.2 Out of Hours
    5.9 Stand Down
    5.10 Recovery and Debrief
    5.11 Document Management
    5.12 Exercising
6. Training requirements
7. Monitoring compliance
8. Policy review
9. Associated documents
10. Supporting references

Appendices

A1 Policy Implementation Plan
A2 Business Impact Analysis Template
A3 Business Continuity Plan Template and Completion Guidance
A4 Business Continuity Plan Completion Guidance
A5 Training Needs Analysis (TNA)

Business Continuity Management Policy

1. Introduction

1.1 Business Continuity Management (BCM) is a legal requirement for all NHS, private and third sector organisations which, under NHS funded Provider status, provide care or services to patients. Business Continuity Management forms part of the Care Quality Commission’s Essential Standards of Quality and Safety, which all health providers must comply with as a condition of registration, and of the NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013 (EPRR). Business Continuity Management is an integral part of EPRR and this discipline sits within the EPRR Core Standard Framework in both planning and assurance. Southern Health NHS Foundation Trust has services and facilities which cover a huge geographical area. The following hyperlink provides an interactive google map of the Trust’s sites.

1.2 Statutory requirements under the Civil Contingencies Act (2004) require all NHS Trusts to have in place Business Continuity Management arrangements that enable them to:

• Respond to incidents (major and other) and emergencies of any kind;
• Ensure the health, safety and well-being of its service users and staff; and
• Support partner agencies in extreme circumstances.

1.3 The Trust’s Strategy for Organisational Resilience provides the strategic framework for Southern Health NHS Foundation Trust’s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure that the Trust’s Prioritised Activities/Services are protected against potential disruption as a result of incidents, emergency situations, and climate change and ensures that its statutory obligations are met.

1.4 The SHFT Business Continuity Management programme described in this policy is based on the following standards:

• NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013; and
• International Standards Organisation ISO: 22301: 2012.

1.5 Business Continuity Management (BCM) is an integral and critical part of the incident response planning process and helps build organisational resilience within an organisation. Business Continuity Management is about identifying an organisation’s Prioritised Activities/Services, the ‘appropriate’ resources required to deliver them, and planning how to maintain and reinstate them as soon as reasonably practicable or possible should an incident occur that causes disruption. Business Continuity Management achieves this by assessing the risks to an organisation’s ability to deliver its services, then considering how these risks can be eliminated or reduced, the contingency plans that can be put in place to ensure that those services identified as critical or essential are maintained regardless of the disruption, and how the other services can best be recovered when the disruption ceases.

1.6 The Climate Change Act 2008 also places a mandatory requirement on health care

organisational resilience within the organisation to deal with severe weather events and other climate change impacts.

1.7 This policy requires ALL Services in ALL Divisions to develop Business Continuity Plans which detail how a service will perform its functions in the event of disruption by defining and prioritising its Prioritised Activities/Services, detailing contingency arrangements during the disruption and, when the disruption has passed, how all services will be restored (recovered), by:

• Undertaking a Business Impact Analysis (BIA) to identify Prioritised Activities/Services;
• Identifying the risks to the delivery of Prioritised Activities/Services and the likely impact if they are affected;
• Planning how to mitigate against risk to Prioritised Activities and improve the resilience; and
• Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption (MTPD) to Prioritised Activities, their Recovery Time Objectives (RTO), the minimum and appropriate resources required to deliver them, and the order of priority in which these and other services should be restored to normal.

1.8 Other NHS, private and third sector organisations that provide services to NHS patients on behalf of the Trust, or equipment and goods which will be used in the treatment of the Trust’s NHS patients, must have their own business continuity and resilience arrangements in order to meet the legal and contractual obligations with this Trust.

2. Scope

2.1 This Policy applies to:

• All Southern Health NHS Foundation Trust (SHFT) services in all Divisions; and
• All SHFT managers responsible for contracting, commissioning or purchasing goods or services from external organisation(s), defined as NHS Funded Providers. These SHFT managers are responsible for ensuring that contracts and/or service level agreements with providers of goods and/or services include arrangements to ensure that robust business continuity arrangements are in place so that the service or product they provide can be maintained, thus supporting the Trust’s own identified Prioritised Activities.

3. Definitions

3.1 Business Continuity Management (BCM)

3.2 Business Impact Analysis (BIA)

Business Impact Analysis is the process of analysing ALL business functions and the effect that a business disruption might have upon them.

3.3 Emergency

For the purposes of this policy an emergency is defined as:

‘An actual or impending situation that may cause injury, loss of life, destruction of property, detrimental environmental impact or cause the interference, loss or disruption of the organisation’s normal business operations to such an extent that it poses a threat’.

3.4 Prioritised Activities/Services

Prioritised Activities/Services are those services, which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff.

3.5 Maximum Tolerable Period of Disruption (MTPD)

Maximum Tolerable Period of Disruption is the time duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

3.6 Recovery Time Objective (RTO)

Recovery Time Objective is a target time set for the resumption of a product, service, activity or resource after an incident.

4. Duties/Responsibilities

4.1 Chief Executive and Board

The Chief Executive and the Board have a legal duty set under the Civil Contingencies Act (2004) and within NHS England Emergency Preparedness, Resilience and Response (EPRR) Core Standards (2014) to ensure Southern Health NHS Foundation Trust (SHFT) is prepared to respond to a major incident or civil contingency event within the local and wider health community, to maintain the public’s protection, and maximise NHS in its overall response.

Trusts are ultimately accountable to the public and the Secretary of State for Health for ensuring that the organisation consistently follows the principles of good corporate governance and internal control. This ensures that an EPRR programme, of which Business Continuity Management (BCM) is an integral part, is in place to ensure that, in the event of a loss or major disruption to core functions, the public continue to receive the best quality and range of services it is reasonably practicable to deliver, and that Prioritised Activities/Services are maintained.

4.2 Accountable Emergency Officer (AEO) for Emergency Planning, Resilience and Response

The Accountable Emergency Officer (AEO) for Emergency Preparedness, Resilience

requirements of this policy are met, that the Board are provided with reasonable assurance, and are kept informed of any significant concerns.

The AEO is supported where appropriate by a non-executive director, or appropriate other board member, to endorse assurance to the board that the organisation is meeting its obligations with respect to EPRR and relevant statutory obligations under the Civil Contingencies Act 2004. This will include assurance that the organisation has allocated appropriate resources to meet these requirements, which includes the support of trained and competent emergency planning and business continuity professional staff member(s) as appropriate.

4.3 Head of Risk and Business Continuity

The Head of Risk and Business Continuity is responsible for the development and implementation of the Trust’s Business Continuity Management programme, advising on compliance with the Civil Contingencies Act and NHS England EPRR Core Standards.

The Head of Risk and Business Continuity may delegate some or all of the above to the Business Continuity and Resilience Manager, the organisation’s designated Emergency Planning Manager.

The Head of Risk and Business Continuity and designated Emergency Planning Manager will also:

• Develop a Trust wide Incident Response Plan (IRP) from which the Business Continuity element will list the Trust’s Prioritised Activities/Services;
• Provide specialist advice and guidance in respect of Business Continuity Management issues including the co-ordination, development, implementation and review of the business continuity policies, programme, plans and procedures;
• Interpret the requirements of the Civil Contingencies Act 2004, NHS England EPRR Core Standards and ISO 22301 Societal Security - Business Continuity Management System Requirements, and associated guidance to support the Trust’s Divisions and service areas and to ensure that these requirements are met;
• Conduct risk assessments based on current and future threats identified through environmental scanning and intelligence gathering;
• Embed an EPRR/Business Continuity culture through communication in concert with the offices of the AEO and the Trust’s EPRR Working Group, and through the EPRR WG make the provision of awareness sessions, training and exercises to staff, according to their roles and needs; and
• Liaise with other NHS organisations and the wider area external agencies as required;
• Audit compliance via the EPRR WG relating to local Emergency Response and Business Continuity Plans, facilitating tests and providing recommendations and other management feedback as appropriate.

4.4 Environmental Sustainability Manager:

The Environmental Sustainability Manager is responsible for developing and

4.5 Divisional and Area/Service Managers:

Divisional and Area/Service Managers are responsible for:

• Implementing and supporting the Business Continuity Management policy;
• Ensuring a Business Impact Analysis for their services is undertaken;
• Developing, maintaining and reviewing at least annually or when a new service is undertaken their Divisional Business Continuity Plans, including the BIA;
• Testing and exercising at least annually the Divisional/Area/Service Business Continuity Plans (see section 5.12);
• Ensuring sufficient training is given;
• Participating in exercises where appropriate; and
• Maintaining all relevant operational Business Continuity Plans as they are developed, ensuring that any significant service changes or risks are reflected in plans, and for understanding all the requirements and responsibilities as detailed in the plans.

4.6 Departmental Managers/Team Leaders

Departmental Managers/Team Leaders are responsible for:

• Ensuring all their staff are familiar with their Divisional/Area/Service business continuity arrangements and Business Continuity Plans;
• Testing and exercising at least annually Divisional/Area/Service Business Continuity Plans (see section 5.12);
• Ensuring sufficient training is given; and
• Participating in exercises where appropriate.

4.7 All Staff:

Staff will make themselves aware of their department’s Business Continuity Plans, and will participate in training and exercises as required.

5 Main Policy Content

5.1 Business Continuity Lifecycle

To align with the required standards, and best practice, the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management (BCM) process will follow the five stages of the BCM lifecycle. Those actions required to deliver this process are captured within the Policy Implementation Plan at Appendix 1. The five stages are:

• Understanding the organisation;
• Determining BCM Strategy;
• Developing and implementing the BCM Response;
• Exercising, maintaining and reviewing; and
• Embedding BCM in the organisation.

5.2 Business Continuity Objectives

• Comply with legal, regulatory and contractual obligations;
• Ensure effective and competent incident management;
• Ensure Prioritised Activities/Services have been identified, are protected, and their continuity made certain;
• Ensure staff are trained to respond effectively to an incident or disruption through appropriate exercising;
• Understand the requirements of key stakeholders and maintain communication with them;
• Maintain the safety and well-being of service users, staff and estates;
• Deliver an enhanced level of service to meet the extraordinary demands of an evolving scenario;
• Ensure the supply chain is secured; and
• Contribute to whole System/Wide Area Resilience.

5.3 Business Impact Analysis

ALL Trust services in ALL Divisions will undertake a Business Impact Analysis (BIA) using the SHFT Business Impact Analysis template (See Appendix 2).

Support and training in the use of the template will be provided by the Business Continuity and Resilience Manager.

The Business Impact Analysis element of the Business Continuity Management process will analyse the functions/activities of the service and/or Division on the basis of not performing that function.

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are categorised using the Impact Matrix at Page 5 within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require the support of the Trust and the Trust On-Call Director, whilst those GREEN and LIGHT GREEN can be supported internally by each Service and their On-Call Senior Manager.

This categorisation system will enable the Division/Area/Service to identify all Prioritised Activities and enables the Decision Maker, the Trust’s Incident Gold Commander, to determine from a Trust wide perspective those services which need to be Enhanced, Reduced or Suspended.

The number and complexity of Prioritised Activities/Services identified will determine the subsequent level of support needed to be provided to Division/Area/Service during an incident. The necessary supporting resources for the delivery of the services will also be analysed and identified, and during an incident via a dynamic process.

All services in all Divisions will review their BIA on an annual basis, on undertaking a new service or service provider, post exercise and post incident.

5.4 Risk Assessment

The Risk Assessment element of the process considers the services and supporting resources identified in the BIA stage. The likelihood and impact of a variety of risks that could cause disruption to these services is analysed with the focus being on the RED, AMBER and YELLOW Prioritised Activities/Services, allowing services and/or Divisions to prioritise their risk reduction activities.

For the identified RED, AMBER and YELLOW Prioritised Activities/Services, ALL Divisions will analyse the impact of disruption and determine:

• The Maximum Tolerable Period of Disruption (MTPD) using the following Standard List:
    • One hour
    • Four hours
    • One Day
    • One Week
    • One month
• The Recovery Time Objective (RTO) of a product, service or activity which must be less than its MTPD, using the following Standard List:
    • One hour
    • Four hours
    • One Day
    • One Week
    • One month
• The minimum amount of appropriate resources (including staff, premises, IT, equipment and information) in order to maintain those Prioritised Activities/Services at a basic level and with the appropriate skills/level of expertise required. This must include processes to identify persons with skills which are not easily obtained from elsewhere within the Trust;
• Whether key services supplied by another organisation have in place any reciprocal arrangements, whether they are available out of hours if required, and if there are mutual aid arrangements in place;
• The impact of particular resource losses and, where appropriate, to reference this to the appropriate risk register; and
• Appropriate control measures that can be put in place to reduce the likelihood of disruption, shorten the period of disruption, and limit the impact.

5.5 Recovery Plans

Having made the Business Impact Analysis and Risk Assessment, all services in all Divisions will formulate their Recovery Plan as to how RED, AMBER and YELLOW Prioritised Activities/Services will be restored in order to meet the determined RTOs.

Recovery Plans will be:

• Comprehensive but easily understandable;
• Legal;

• Risk Assessments concise as possible and readily available when needed; and
• Easy to revise and update.

Service, Area and Divisional Recovery Plans will form a key part of the Divisional Incident Response Plans. These plans will also detail the mechanism for escalating business continuity incidents to the Divisional Director and their On-Call Senior Manager to the Trust’s On-Call Director to ensure incidents are managed at the appropriate level according to the level of risk posed.

5.6 Southern Health NHS Foundation Trust Directorate and Service Business Continuity Plans

Each Directorate and Service Area will complete a specific Business Continuity Plan resulting from the Business Impact Analysis (BIA) carried out within their area of responsibility. The purpose of this document is to provide a framework for an appropriate response and therefore mitigate the impacts of business disruption on the operation and reputation of the organisation by:

• Responding to a disruptive incident (incident response);
• Maintaining delivery of Prioritised Activities/Services during an incident (business continuity); and
• Returning to Business as Usual (resumption and recovery).

5.7 Southern Health NHS Foundation Trust Trust-wide RED, AMBER and YELLOW Prioritised Activities/Services

The Head of Risk and Business Continuity and designated Emergency Planning Manager will compile from the Service/Area and Divisional Business Continuity Plans a Trust wide list of all SHFT’s RED, AMBER and YELLOW Prioritised Activities/Services and the planned responses to disruption.

This will be held at the Trust Incident Co-ordination Centre (ICC) and form part of the On-Call Director’s Pack.

In the event of a major incident or emergency being declared the Trust’s Incident Management Team (IMT) will use this plan during and after the event to support decision making in maintaining the organisation’s Prioritised Activities/Services and to bring back on line those services reduced or suspended as soon as reasonably practicable.

5.8 Incident Identification

Level of Incident and Action

NEGLIGIBLE: Limited local impact
• Take any remedial action it is safe to take
• Report to line manager
• Follow Service/Area/Divisional Business Continuity Plan

MINOR: Disruption to a GREEN Service. Only notify Service/Area Manager/Divisional Director if this impacts upon a Priority Activity
• Take any remedial action it is safe to take
• Report to line manager
• Follow Service/Area/Divisional Business Continuity Plan

MODERATE: Disruption to a YELLOW Service (A service which could be suspended if necessary)
• Notify Service/Area Manager/Divisional Director who may notify the Director On Call & Accountable Emergency Officer (AEO)
• Follow Service/Area/Divisional Business Continuity Plan

MAJOR: Disruption to an AMBER Service (A service which could be reduced/scaled down if necessary)
• Notify Service/Area Manager/Divisional Director who will notify the Director On Call & Accountable Emergency Officer (AEO)
• Out of Hours notify the Divisional Manager on Call who will notify the Director on Call
• Follow Service/Area/Division Business Continuity Plan

CATASTROPHIC: Disruption to a RED Essential Service (A service which must be enhanced/continued)
• Notify Service/Area Manager/Divisional Director who will notify the Director on Call & Accountable Emergency Officer (AEO)
• Out of Hours notify the Divisional Manager on Call who will notify the Director on Call
• The Director on Call will determine whether to declare a Major Incident or Major Incident Standby (as appropriate)

5.9 Incident Declaration

5.9.1 Normal Working Hours

During normal working hours, in the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services, an Incident would be declared and the local Business Continuity Plan invoked by the Divisional Director or Area/Service Manager with responsibility for the service affected. If appropriate the Accountable Emergency Officer will declare a Major Incident or Major Incident Standby in order to mobilise an effective response across the organisation and ensure the involvement of partners where required.

Where more than one service is affected, any one of the responsible Divisional Directors or Area/Service Manager can decide to declare an incident and invoke the Trust’s Incident Response Plan.

5.9.2 Out of Hours

In the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services occurring outside normal working hours, the Divisional On-Call Senior Manager would decide to declare an Incident and invoke the ‘local’ Business Continuity Plan, informing the Trust On-Call Director. If appropriate the On-Call Director will declare a Major Incident or Major Incident Standby and invoke the Trust’s Incident Response Plan in order to mobilise an effective response across the organisation and ensure the involvement of partners where required.

Both during normal working hours and out of hours the responsible Divisional Director, Area/Service Manager or Divisional Manager on Call would:

• Start an incident log;
• Notify the Accountable Emergency Officer (in hours) and the On-Call Director of the incident and response at the earliest opportunity;
• Notify the Director of Communications and Engagement (in hours). Out of hours the Director on Call would notify the Communications on Call; and
• If out of hours, notify the Divisional Director, Area/Service Manager with line management responsibility for the service at the earliest possible opportunity the next working day.

If, in hours or out of hours, the On-Call Director decides it is appropriate to declare either a Major Incident or Major Incident Standby, the Trust’s Incident Response Plan would then be followed.

5.10 Stand Down

5.11 Recovery, Debrief, Lessons identified to Lessons learnt

The responsible Divisional Director or Area/Service Manager would be responsible for leading a debriefing and review process to ensure organisational learning, through identifying lessons to then be learnt:

• A review of the response by the service, area, division, organisation, partners/other agencies is evaluated, from which lessons that are identified can be highlighted and from which a timetable of how those lessons will be learnt.
• Staff receive appropriate support to ensure their health, safety and well-being at work;
• All areas of concern are addressed;
• All relevant documents are collated and a report prepared;
• Any additional training needs are identified and a timetable of when that will be delivered;
• Staff are kept fully informed; and
• The local Business Continuity Plans are reviewed and updated.

5.12 Document Management

Every Business Continuity Plan will be version controlled, and sent to the Trust Head of Business Continuity and Resilience Manager who will collate a central register of Business Continuity Plans and make these plans, together with this Policy available on the Trust Intranet in the Emergency Planning section. The plan’s author is responsible for ensuring the most up to date version is available on the Intranet and easily accessible within the Division and to its services.

5.12 Exercising

Trust wide exercises (unannounced, planned or table top) will be conducted as described in the Trust’s Incident Response Plan (IRP).

Individual Divisions are responsible for ensuring that their Business Continuity Plans are exercised. The frequency of exercise will be dependent on the number of Prioritised Activities/Services and the risk to them, and will be at the discretion of the Divisional Director. However all Business Continuity and Recovery Plans should be exercised and reviewed annually by:

Testing. Not all aspects of a plan can be tested, but crucial elements such as the contact list and the activation process can;

Discussion. Staff are brought together to inform them of the plan and their individual responsibilities. Discussion allows problems and solutions to be identified; (Lessons identified to be Learnt)

Table-top. Staff take decisions as a scenario unfolds in the same way they would in the event of a real Incident; and

Live. Ranges from a small scale test of one component, such as evacuation, through to a full scale test of all the components of the plan.

6 Training Requirements

The Head of Risk and Business Continuity will ensure that Business Continuity Management (BCM) is included in the Trust’s corporate induction risk management training.

All managers will ensure that awareness of their Service/Area or Divisional Business Continuity Response Plans form a part of the local induction process.

Staff with a Divisional lead role in BCM will be trained according to their level of need, as per the Trust’s and Local Resilience Forum(s) Training Needs Analysis (TNA). See Appendix 5.

Significant changes and updates to BCM requirements or processes will be notified through the Trust’s Emergency Preparedness, Resilience and Response Working Group (EPRR WG).

7 Monitoring Compliance

The Trust’s Emergency Preparedness, Resilience and Response (EPRR) Working Group (WG) will monitor compliance with the Trust’s Business Continuity Management arrangements.

Exceptions against the standards defined in this policy will be reported to the Assurance and Risk Committee.

Business Continuity Management compliance will be included in the Annual Report for Business Continuity and Resilience to the Assurance and Risk Committee. Audits of Service/Area and Divisional Business Continuity Plans will be initiated and carried out in accordance with the Trust’s Annual Audit programme.

This Policy has been through an Equality Impact Assessment at Appendix 6.

8 Policy Review

This policy will be reviewed annually following its approval, or at any point within this time, to reflect organisational change, changes in legislation and/or guidance, or following an Incident.

9 Associated Documents

This document should be read in conjunction with the Trust’s:

• Incident Response Plan, associated plans and action cards;
• An Emergency Event: Guidelines on Managing the Workforce Issues;
• Risk Management Policy;
• Risk Management Strategy;
• Incident Management Policy;
• Health & Safety Policy;
• Climate Change Adaption Plan; and

10 Supporting References

The following documents provide the regulatory and strategic context for this policy. They make Business Continuity Management a legal requirement for Southern Health NHS Foundation Trust, and describe expectations and good practice regarding emergency preparedness and business continuity:

• Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005;
• Humanitarian Assistance Guidance;
• Business Continuity Institute Good Practice Guidelines (2013);
• International Standards Organisation ISO: 22301: 2012;
• Health and Social Care Act 2008 (Regulated Activities) Regulations 2009;
• Care Quality Commission’s ‘Essential Standards of Quality and Safety’;
• Responding to Emergencies: The UK Central Government Response. Concept of Operations 2010;
• NHS Resilience PAS 2015: Guidance for NHS-funded organisations 2010;
• Health and Social Care Act 2012;
• National Occupational Standards for Civil Contingencies: Skills for Justice;
• British Standards Institute PAS 2015 Framework for Health Services Resilience;
• NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013;
• NHS Commissioning Board Emergency Preparedness Framework 2014;
• NHS Commissioning Board Business Continuity Framework (Service Resilience) 2013;
• NHS Commissioning Board Business Continuity Policy Guidance; and
• NHS England Business Continuity Management Toolkit.

Appendix 1 Policy Implementation Plan

Policy Title: Business Continuity Management Policy

Policy Author: Fiona Richey, Head of Risk and Business Continuity

| Action to be taken | By who | By when | Progress to date |
|---|---|---|---|
| Review of Corporate Induction Governance and Risk Management sessions to ensure inclusion of Business Continuity Management | Head of Risk and Business Continuity/Business Continuity and Risk Manager + those responsible for delivering TQ21 and Medical Gov and Risk Induction training - tbc | Completed | Completed |
| Review of Business Continuity and Resilience Group Terms of Reference | Head of Risk and Business Continuity/Business Continuity and Risk Manager | Completed | Completed |
| Identification of Divisional Business Continuity Leads | Divisional Directors/Area/Service Managers | Completed | Completed |
| Business Continuity Training to Divisional Business Continuity Leads | Head of Risk and Business Continuity/Business Continuity and Risk Manager | Completed | Completed |
| Development of Service, Area and Divisional Business Impact Assessments (BIA) | Divisional Directors/Area/Service Managers | February 2015 | |
| Development of, or updating of, Service, Area and Divisional Business Continuity Plans | Divisional Directors/Area/Service Managers | March 2015 | |
| Inclusion of Trust wide Business Continuity Plan in the Director on Call Information Pack and Trust Incident Co-ordination Centre (ICC) | Head of Risk and Business Continuity/Business Continuity and Risk Manager | April 2015 | |
| Annual review of Service, Area, Divisional and Trust Business Continuity Plans | Divisional Directors, Area/Service Managers, and Head of Risk and Business Continuity/Business Continuity and Risk Manager | | |

Southern Health NHS Foundation Trust Business Impact Analysis: template

Version Number: 0.4

Contents

1. Introduction
2. Supporting information
3. Department / team / service information
4. Prioritised Activities
5. Business Continuity Risks
6. Continuity Requirements Analysis
7. Staff Mapping Tool

1. Introduction

This document has been adapted from the NHS England Business Continuity Management Toolkit.

The purpose of the original document is to assist those who are developing a Business Continuity Plan for their organisation. This version has been adapted for use within Southern Health NHS Foundation Trust and for our NHS Funded providers.

This template is produced in the spirit of ISO 22301 & 22313 but focuses on the priorities around which the NHS England EPRR Core Standards are set.

Further guidance on the wider subject of Business Continuity can be sought from:

• NHS England Region/Area/Directorate Business Continuity Leads
• The NHS England National Support Centre Business Continuity Team
• The NHS England Business Continuity Management Framework (service resilience) 2013
• The NHS England Preparedness Framework 2013
• ISO 22301 Societal Security - Business Continuity Management Systems – Requirements
• ISO 22313 Societal Security - Business Continuity Management Systems – Guidance
• PAS 2015 - Framework for Health Services Resilience
• Business Continuity & Resilience Manager – Southern Health NHS Foundation Trust
• Environmental Sustainability Manager – Southern Health NHS Foundation Trust

Southern Health NHS Foundation Trust will develop and maintain a Business Impact Analysis (BIA) for each service. Included within this document are fields which relate to environmental impacts. Please also complete these areas, as this will support the Trust’s Environmental Strategies in addition to supporting the BIA.

2. Supporting information

This section provides some background information to assist EPRR leads in completing the Business Impact Analysis (BIA).

NHS Mail

Provided by the Health and Social Care Information Centre

The disaster recovery solution is based on dual-site, geographically separated data centres with active and standby nodes of all infrastructures in the primary data centre. Data is synchronised across all three instances of the infrastructure so if a component fails in the primary data centre it will fail over to the standby node in the same data centre. If the data centre suffers a full outage, the service will fail over to the secondary data centre.

Buildings

Provided by SHFT or via NHS Property Services or Contracts with other providers

SHFT Estates and facilities will work with NHS Property Services to explore potential strategies for managing a loss of building. EPRR leads are encouraged to discuss disaster recovery locations with their local Estates and facilities lead. There may be local arrangements already in place for providing alternative premises in the event of a building failure.

Business Continuity Risk

The key risks to the organisation achieving its objectives can be found in the Board Assurance Framework along with the Board papers. Operational risks will be held within directorates. Drawing on material from all directorates, an executive risk management group will have an overview of significant risks, take actions where needed and bring the most significant strategic risks to the attention of the Board. Remember that Contingency Plans under the CCA are based on local risks, of which the Trust must be aware and which must be included within the Risk monitoring processes. Therefore, those Risks that are identified as part of the business continuity management process should be managed in line with the organisation’s and directorates’ processes and procedures.

Prioritised activities

Prioritised activities are those to which priority must be given following an incident in order to mitigate impacts. It may be that an activity can be suspended initially but later it becomes a priority. For example, a task that must be completed at certain intervals rather than on a continuous basis. Examples of prioritised activities are:

• Incident Response
• Media communications

Examples of activities that can be completed at certain intervals are:-

• Reporting to National Bodies
• Freedom of information requests
• Complaints

Examples of environmental impacts:-

• Pollution incident, for example spillage from oil storage tank
• Chemical spillage
• Noise pollution

Examples of climate change impacts:-

3. Department / team / service information

Reference Number:

1. Name of author:

2. Job title of author:

3. Author telephone and e-mail:

4. Date:

5. Business Continuity Lead:

4. Prioritised Activities

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical).

Step One:

The first part of the Business Impact Analysis (BIA) process is to identify the core business and key deliverables of the Directorate/Service. These are your Prioritised activities.

Prioritised Activities are those to which priority must be given following an incident in order to mitigate impacts.

Step Two:

Using those Prioritised Activities that you have identified above, use the Impact Matrix at Page 9 to identify what the impact score would be of each if they were affected.

Step Three:

Following the process at Step Two, now use the Likelihood Matrix at Page 10 to identify what the Likelihood score is of each of the Prioritised Activities being affected.

Step Four:

Using the scores from both Step Two and Three, map the scores for each Prioritised Activity into the Likelihood x Impact Matrix at Page 11. Use this final score.

Step Five:

Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require support from the Trust and the Trust On-Call Director.

Those identified as GREEN and LIGHT GREEN can be supported internally by each Service and their On-Call Senior Manager.

| List the prioritised activities undertaken | Tick as appropriate: Red | Tick as appropriate: Amber | Tick as appropriate: Yellow | Responsible Officer |
|---|---|---|---|---|
| | | | | |

Impact Matrix

Qualitative Assessment of Impact

Level Descriptor Descriptor

1 Negligible

• Minor – first aid treatment.
• No environmental implications.
• No or very low financial loss i.e. under £1,000.
• No or very minor internal disruption to the overall service delivery or other services.
• No impact on the organisation’s overall service delivery.
• No or very minor disruption to external services reliant upon them.

2 Minor

• Injury requiring first-aid treatment or temporary minor illness (less than 3 days lost).
• Minimal environmental implications.
• Failure to meet (local) departmental standards.
• Minimal loss of reputation.
• Moderate financial loss (£1k to £9k).
• Minimal business interruption.

3 Moderate

• Break of minor bone or temporary minor illness (3-7 days lost).
• Moderate environmental implications.
• Moderate financial loss (£10k to £49k).
• Moderate loss of reputation.
• Failure to meet organisational standards.
• Moderate business interruption.

4 Major

• Single death of any person/ Permanent serious illness/ disability.
• Extreme environmental implications.
• Extreme financial loss (£250k to £499k).
• Intermittent failure to meet national professional standards and/ or statutory requirements.
• Extreme business interruption.

5 Catastrophic

• Multiple deaths involving any persons/ multiple permanent serious illness/ disability.
• Extreme financial loss (£500k+).
• Catastrophic business interruption.

Likelihood Matrix

Qualitative Assessment of Likelihood

| Level | Descriptor | Likelihood (over 5 years) |
|---|---|---|
| 1 | Rare | May occur in exceptional circumstances (less than 5% chance). |
| 2 | Unlikely | Could occur at some time (6 – 25% chance). |

Impact x Likelihood =

| Impact / Likelihood | Rare | Unlikely | Moderately Unlikely | Likely | Certain |
|---|---|---|---|---|---|
| Catastrophic | 5 | 10 | 15 | 20 | 25 |
| Major | 4 | 8 | 12 | 16 | 20 |
| Moderate | 3 | 6 | 9 | 12 | 15 |
| Minor | 2 | 4 | 6 | 8 | 10 |
| Negligible | 1 | 2 | 3 | 4 | 5 |

Negligible Minor Moderate Major Catastrophic

Impact of disruption to prioritised activities

| Prioritised Activity | Length of disruption | Category of Impact (please tick) | Comment | Score¹ | Tolerable (Yes or No) |
|---|---|---|---|---|---|

Category of Impact columns: Financial; Service delivery; Reputation; Health and safety; Environmental; Information security; Statutory or regulatory duty; Business objective; Supplier.

Length of disruption rows for each Prioritised Activity (i., iii., iv.): Up to ½ day; ½ day to 1 day; 1 day to 1wk; 1wk to 1mth; 1mth to 3mths.

Some activities will be of greater priority at different points in the year; for example, certain financial processes will need to be prioritised at financial year end.

5. Business Continuity Risks

The table below is based on the NHS England Risk Register from the NHS Risk Management Policy and Procedures and includes a number of scenarios that present a risk to the organisation. Consider these scenarios and decide whether or not they present a risk to the prioritised activities that you provide. For example, if your service is paperless it is unlikely that a loss of paper records will have an impact.

Please add any other scenarios that are relevant to your service.

Which of the following hazards and threats are relevant to your department or service?

| Ref | Hazard or threat | Y or N | Why? |
|---|---|---|---|
| 1 | Fire or flood | | |
| 2 | Loss of electronic records | | |
| 3 | Loss of paper records | | |
| 4 | IT systems/application failure | | |
| 5 | Mobile telephony failure | | |
| 6 | Major IT network outage | | |
| 7 | Denial of premises | | |
| 8 | Terrorist attack or threat affecting the transport network or office locations | | |
| 9 | Theft or criminal damage | | |
| 10 | Chemical contamination or pollution incident, such as oil spillage | | |
| 11 | Serious injury to, or death of, staff whilst in the offices | | |
| 12 | Significant staff absence or disruption to patient access due to severe weather or transport issues | | |
| 13 | Infectious disease outbreak | | |
| 14 | Simultaneous resignation or loss of key staff | | |
| 15 | Industrial action | | |
| 16 | Fraud, sabotage or other malicious acts | | |
| 17 | Violence against staff | | |
| 18 | Please add any other relevant threats | | |

The Civil Contingencies Act (CCA) regulations and guidance (chapter 6, 6.74) identify five broad strategy options that could be considered when developing your risk reduction strategy:

Do nothing: if the risk is deemed to be acceptable by senior management they may choose to do nothing. This may be suitable for an event with a very low probability of occurrence, such as an earthquake.

Changing, transferring or ending the process: consideration must be given to fulfilling any statutory duties and any insurance or reputation ramifications as a result of a third party failing to deliver.

Insurance: may provide some financial cover but cannot protect the reputation of the organisation and other associated losses.

Loss mitigation: putting in place procedures to eliminate or reduce the risk, such as installing smoke alarms.

Using the reference number from the left hand column of the table above, plot those risks identified against the Impact Matrix at page 8 and the Likelihood Matrix below. This gives you an overview of the level of risk to your prioritised activities.

Risk Assessment

| Ref | Date reviewed | Hazard or Threat | Impact | Likelihood | RAG status | Senior Responsible Officer | Mitigating Actions | Risk Owner | Date for review | Residual risk |
|---|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | | |

Qualitative Assessment of Likelihood

| Level | Descriptor | Likelihood (over 5 years) |
|---|---|---|
| 1 | Rare | May occur in exceptional circumstances (less than 5% chance). |
| 2 | Unlikely | Could occur at some time (6 – 25% chance). |

6. Continuity Requirements Analysis

The purpose of this section is to identify what is required in order to deliver your prioritised activities and it is this information that will form the basis of the recovery plan. This section must be completed where the risks to the service cannot be removed or reduced to an acceptable level through other mitigating actions.

| Prioritised Activity | Recovery time objective (RTO)² | Premises required to restore the service | Technology required to restore the service | Information required to restore the service | Recovery Point Objective (RPO)³ | Supplies required to restore the service | Stakeholders required to restore the service | Maximum Tolerable Period of Disruption (MTPD)⁴ |
|---|---|---|---|---|---|---|---|---|
| i. | | | | | | | | |
| ii. | | | | | | | | |
| iii. | | | | | | | | |
| iv. | | | | | | | | |
| v. | | | | | | | | |

Recovery Time Objective (RTO) and Maximum Tolerable Period of Disruption (MTPD). The following standards are ONLY to be used:

• One hour
• Four hours
• One Day
• One Week
• One month

² The RTO is the period of time following an incident within which an activity must be resumed and is always less than the MTPD

³ The RPO is the point to which information used by an activity must be restored to enable the activity to operate on resumption

⁴

7. Staff Mapping Tool

The reason for mapping staff skills is to facilitate redeployment in an incident. If you have identified staff who are ordinarily involved in activities that are not an immediate priority but have the appropriate pre-requisites to work in an immediate priority area, the organisation would aim to move them around in order to cover absence or supplement a team that is dealing with a sudden increase in workload.

This information will also be used to identify where, as an organisation, there is a shortage of certain essential skills so this can be addressed.

In the table below you should list the minimum number of staff, skill-set, competencies and qualifications required to deliver prioritised activities. If none of your activities fall into these categories please leave the table blank.

| Prioritised Activity | Business as Usual No. of Staff⁵ | Minimum no. staff required | Skill / Competency / Qualification |
|---|---|---|---|
| i. | | | |
| ii. | | | |
| iii. | | | |
| iv. | | | |
| v. | | | |

⁵

Starting in the second column from the left, list the skills, competencies and qualifications required for the organisation’s highest priority activities. This information will be gathered from each area completing the table above. The table below should be used to record the relevant skills that are held by members of your department/team/service.

The final table asks for some personal and work information for each member of your department/team/service. This table must only be completed with the explicit permission of the individual members of staff and the information included must be treated in confidence.

| Employee Name | Main place of work (where does this employee usually work from) | Does the member of staff depend on public transport to get to work? (Yes or No) | Does the member of staff depend upon vehicle fuel to get to work? (Yes or No) | Can the member of staff work from another office location? (Yes or No) | Can the member of staff work from home with a work laptop and VPN (remote access)? (Yes or No) |
|---|---|---|---|---|---|
| | | | | | |

8. Beyond the BIA

This section explains how the information gathered through the BIA informs business continuity planning.

Business Continuity Plan (BCP)

The BC plan will detail the alert, triggers for activation, activation process, roles and responsibilities for Incident Commanders, Incident Managers, Incident Coordination Centre operations, communications, recovery requirements, stand-down and resumption of business as usual.

The BCP covers the three phases of an incident. The information gathered through the BIAs will inform the business continuity phase of an incident by providing the decision maker with an overarching situational status of the organisation, from which strategic decisions can be made about which services will be Enhanced, Reduced or Suspended.

Source: PD 25888:2011

Incident Response Phase

Health organisations have to have an Incident Response Plan (IRP) in place for managing the incident response phase of a business disruption. The IRP will be devised by the BC lead, with the EPRR Working Group. EPRR leads should work with the Business Continuity and Resilience Manager to ensure that there is a coordinated approach.

Recovery and Resumption Phase

Appendix 3 Business Continuity Plan Template

Name of Division/ Area/ Service

Business Continuity Plan

Name of Division / Area / Service or Premise

Name of Plan’s owner

Job title of Plan’s owner

Owners telephone and email

Section Title Page

1. Identifying Priority Activities / business functions

2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be suspended for a period of time

3. Analysis of the impact of loss of key resources on Priority Activities / business functions

4. Risk avoidance and contingency measures

5. Minimum amount of resources (people, premises, technology, information, supplies and partners) to maintain Prioritised Activities at a basic level and the skills/level of expertise required

6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

7. Key stakeholder contacts details

8. Management arrangements

1. Identifying Priority Activities / business functions

| Priority Activities / business functions | Assessment of risk if service ceases: |
|---|---|
| | |

2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be suspended for a period of time

Prioritised Activities that must be continued are as follows:

Services that could be scaled down if necessary are:

Services that could be suspended for a period of time are:

3. Analysis of the impact on essential Priority Activities / business functions of the loss of key resources

| Resource: | Affects Prioritised Activities: Yes/No | Assessment of risk if input ceases: Outcome of input ceasing | Likelihood (1-5) | Impact (1-5) | Risk Score (L x I) |
|---|---|---|---|---|---|
| People | | | | | |
| Premises | | | | | |
| Technology | | | | | |
| Information | | | | | |
| Supplies | | | | | |
| Utilities: | | | | | |
| Electricity | | | | | |
| Gas | | | | | |
| Water | | | | | |
| Vehicle fuel | | | | | |
| Partners | | | | | |
| Beds | | | | | |

4. Risk avoidance and contingency measures

| Resource: | Risk avoidance measures either in place or to be taken | Contingency measures either in place or to be taken in the event of a potential risk occurring | Lead responsibility | Date for completion |
|---|---|---|---|---|
| People | | | | |
| Premises | | | | |
| Technology | | | | |
| Information | | | | |
| Supplies | | | | |
| Utilities: | | | | |
| Electricity | | | | |
| Gas | | | | |
| Water | | | | |
| Vehicle Fuel | | | | |
| Partners | | | | |
| Beds | | | | |

5. Minimum amount of resources (people, premises, technology, information, supplies, utilities, partners and beds) to maintain Priority Activities at a basic level and the skills/level of expertise required

6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

Order of service restoration

| Priority Activities / business function | Recovery Time Objective (Target time) | Maximum Tolerable Period of Disruption (Target time) |
|---|---|---|
| 1. | | |
| 2. | | |
| 3. | | |
| 4. | | |
| 5. | | |
| 6. | | |

Services that could continue to be suspended for a period of time

7.

7. Key stakeholder contact details

| Stakeholder | Contact number | Mobile number | Email address | Out Of Hours contact number | Out Of Hours mobile number |
|---|---|---|---|---|---|
| | | | | | |

8. Management arrangements

To achieve business continuity it is vital that there are clear management lines within each Directorate.

Appendix 4

Business Continuity Plan Template Completion Guidance

Introduction

This Business Continuity Plan template is an appendix to the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management Policy. These documents should be read in conjunction with each other and with the SHFT Incident Response Plan.

Business Continuity Management (BCM) is part of the Emergency Preparedness, Resilience and Response arrangements and is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. BCM is about:

• Undertaking a Business Impact Analysis by analysing business functions and the effect that a business disruption might have upon them to identify Priority Activities;
• Identifying the risks to the delivery of Priority Activities and the likely impact if they are affected;
• Planning how to mitigate against risk to Priority Activities and putting in place contingency arrangements to improve their resilience; and
• Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption to Priority Activities, their Recovery Time Objectives, the minimum resources required to deliver them, and the order of priority in which these and other services should be restored to normal.

Prioritised Activities/Services are services which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff.

Maximum Tolerable Period of Disruption is the time duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed.
