Ref Number:
Version: 1
Status: Pending Approval
Author: A Brown
Approval body: Governing Body
Date Approved:
Date Issued:
Review Date: March 2016
Contact for Review: Corporate Affairs
Business Continuity Policy & Plans
Prepared by
This Policy has been reviewed by the Corporate Affairs team.
Impact Assessment Completed
Consultation
Authorised by
Pending approval by the CCG Governing Body
What is it for?
This document sets out the aims and objectives of Business Continuity management, with a business continuity action plan for use in the event of an incident.
Who is it aimed at and which settings?
The Policy is for use by CCG staff, which for the purposes of this policy includes but is not limited to governing body members, contractors, agency & temporary staff, student, honorary and volunteer staff.
Evidence
Other relevant approved documents
References
Civil Contingencies Act 2004
Training and competences
All staff to be made aware of this policy through staff briefing and mandatory training.
Monitoring and Evaluation
This policy will be monitored and reviewed for effectiveness by the Corporate Affairs team on a regular basis.
Appendix
1. Impact Analysis Priority Table
2. Business Impact Analysis: Assessment Form
3. Recovery Action Plan
4. Initial Business Impact Assessment
5. Business Continuity Plan
Authority to Invoke and Stand Down the Plan
The following officers of the CCG have authority to invoke and subsequently stand down the plan:
Position Name Tel email
Accountable Officer
Chief Financial Officer (as Business Continuity Lead)
Chief Operating Officer
1 Introduction
The Civil Contingencies Act 2004 and NHS Emergency Planning Guidance 2005 require CCGs to have a Business Continuity Policy. Business Continuity Planning (BCP) helps to reduce the risk of interruption to the delivery of NHS South Norfolk Clinical Commissioning Group (the “CCG”) services in the event of a disruption to normal operations. These disruptions may be external, such as severe weather or loss of utilities, or internal, such as IT system failures or the loss of key staff.
BCP provides the framework to enable the CCG to identify its critical functions and maintain these during a disruption, allowing the delivery of services to continue whilst recovery is in progress.
The generation of Business Continuity Plans ensures that the organisation fulfils its responsibilities in respect to BCP as both a Category 2 organisation as defined by the Civil Contingencies Act and as an NHS body.
NHS England requires that:
NHS organisations and providers of NHS funded care must therefore be able to maintain continuous levels in key services when faced with disruption from identified local risks such as severe weather, fuel or supply shortages or industrial action. BCP gives organisations a framework for identifying and managing risks that could disrupt normal service.
An organisation’s business continuity plans, in concert with the Major Incident Plan, help it to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever part of the business they affect.
2 Policy statement & objectives
NHS England requires the CCG to be prepared to continue to provide its critical services and functions in the event of an internal or external disruption.
2.1.1 The overall goal of the CCG BCP is to ensure that patient services are not unnecessarily interrupted by internal or external disruptions affecting the organisation.
2.1.2 This policy provides the framework for the CCG Business Continuity Plan to be developed, implemented, tested and reviewed to ensure that any impact on patient care is reduced in the event of a disruption to CCG operations.
2.1.3 The anticipated outcomes of the Business Continuity Plan include:
Identification of critical, essential, routine and non-urgent activities of the CCG
Prioritising delivery of those activities in response to a disruption
Increased staff awareness of BCP principles and processes
Supporting the achievement of the CCG strategic objectives and associated action plans
Ensuring legal compliance with planning obligations
Informing a response process which is flexible to meet changes in service delivery of the CCG
3 Scope
3.1 The scope of this document is limited to the activities of the CCG. Any staff directly employed by, or contracted to work for, the CCG are covered. It does not cover activities related to providers’ premises, processes, staff or systems where they are not related to a core contractual term with the CCG.
3.2 Each area of the CCG has responsibilities for managing its own business risk and business continuity arrangements. These are brought together under a corporate Business Continuity Plan which establishes how the Governing Body will oversee the response to, and recovery from, any business interruptions.
4 Definitions
Activity: Processes or sets of processes undertaken by the CCG, or on behalf of the CCG, that support delivery of services.
Business As Usual: Pre-defined acceptable levels of service delivery
Business Continuity Planning (BCP): Holistic process to identify and assess the impact of potential threats, building a framework to support CCG resilience to those threats, including protecting patients’ and stakeholders’ interests and achieving strategic objectives. The strategic and tactical capability of the CCG to plan for and respond to business interruptions in order to support continued delivery of ‘business as usual’.
Critical Activities: Those activities carried out by the CCG which are most time-sensitive and important to ensure continued delivery. These will be mainly those services essential for immediate life and death of patients. These activities will typically suffer if delayed by more than one hour.
Disruption: Any event, planned or unplanned, which causes an interruption to the CCG’s ability to continue business as usual.
Major Incident: An event classified as a Major Incident according to the CCG Major Incident Plan.
Non-Urgent Activities: Those activities carried out by the CCG which can be postponed or delayed most easily. These activities will begin to suffer if delayed by more than one month.
Routine Activities: Those activities carried out by the CCG which support business delivery on a daily basis and are not critical or essential. These activities will typically start to suffer if delayed by more than one week.
Service Recovery: The process through which business as usual is reached, following an interruption or disruption event.
Function: The purpose of a department of the CCG, i.e. commissioning or quality, that is a combination of activities and services.
5 Duties
5.1 Governing Body
5.1.1 The Governing Body must act to ensure/monitor the overall strategic direction of Business Continuity Planning across the CCG.
5.1.2 The Governing Body must ensure that the Business Continuity Policy and development plan is enforced and resourced appropriately.
5.1.3 In the event of a serious or widespread disruption to the activities of the CCG it may be necessary to invoke the Major Incident Plan (held by the Resilience Manager on behalf of Norfolk CCGs; note that the Major Incident Plan will be moving to an Incident Response Plan during 2014/15 with the intention that it incorporates all Norfolk CCG Business Continuity Plans). In this case the Governing Body may need to lead the response or delegate incident management coordination to named officers.
5.2 Head of Corporate Affairs
5.2.1 Undertake leadership and sponsorship of the Business Continuity Planning framework under the direction of the Governing Body.
5.2.2 Act as a point of tactical leadership in support of the staff.
5.2.3 Liaise with the Senior Managers to ensure that the Business Continuity Plans meet the needs of the CCG.
5.2.4 Ensure that where appropriate, sections of Business Continuity Plans and policies are published and accessible to the public.
5.3 Senior Managers
5.3.1 Undertaking of a Business Impact Analysis for their area of responsibility (see section 6.1 and appendix 2).
5.3.2 Preparing a Recovery Plan for critical services and key activities in their area.
5.3.3 Report on service continuity performance as required.
6 Procedures
6.1 Business Continuity Management Plan
6.1.1 The Business Continuity Management plan will consist of a series of Business Impact Assessments produced for each function of the CCG.
6.1.2 The CCG will maintain a corporate business continuity plan to enable it to respond to business disruptions. This plan will be scalable, enabling an individual director to manage low level disruptions whilst also providing a framework for the Governing Body to manage disruptions that affect the whole organisation.
6.1.3 The CCG will undertake a Business Impact Analysis to determine which are its critical services and functions and to identify the Recovery Time Objective for each. The Business Impact Analysis will also identify key stakeholders for each activity.
6.1.4 The Business Impact Analysis and Business Continuity Plan will be reviewed at regular intervals to ensure that they continue to reflect the organisation’s needs.
6.1.5 The Business Continuity Plan will be tested at regular intervals and training will be provided to staff where required to ensure that disruptions can be responded to effectively.
6.2 Business Impact Analysis
A Business Impact Assessment forms the foundation for the Business Continuity plan. Using appendix 1, follow the steps for conducting a Business Impact Analysis as set out below:
6.2.1 Step 1: Identify the key activities for the service function that will have the greatest impact if disrupted and the type of disruption to which they are vulnerable (this will also help identify any inherent risks to the business).
6.2.2 Step 2: Identify the critical resources required to undertake the key activities, the minimum level (trigger criteria) and the desired level for business as usual.
6.2.3 Step 3: Use the priority label (Appendix 1) to determine the tolerance for disruption of activities and set the priority for action.
6.2.4 Step 4: Generate an action plan for recovery and determine the cost per day of any disruption and recovery.
6.3.1 The Business Continuity plan can be invoked by the Chair, the Chief Officer, the Governing Body or its committees, or the designated on call director.
6.3.2 The Business Continuity Plan will be automatically initiated when any disruption to service delivery is experienced that reaches the trigger criteria (See flow chart below).
6.3.3 The trigger criteria are reached when the service requirements fall below minimum and should be described in the impact assessment form in appendix 2.
6.3.4 The minimum service requirements are not normally sustainable and should not be used as the business as usual recovery levels.
6.3.5 There are many and varied possible causes of service disruption, such as:
6.3.5.1 Major accident or incident, national disaster, epidemic, terrorist attack
6.3.5.2 Fire, flood, extreme weather conditions; loss of utilities, including IT and telephone systems
6.3.5.3 Major disruptions to staffing: epidemic, transport disruption, industrial action, inability to recruit, mass resignations (e.g. lottery syndicate)
6.3.6 These events may not be mutually exclusive, e.g. extreme weather leads to loss of electricity, disruption to transport, staff unable to get to work.
6.3.7 A cause of a service disruption event may also become an internal Major Incident for the CCG and invoke the Major Incident Plan. In this event, the plans should be carried out simultaneously with the response to the Major Incident, as far as is possible.
6.4.1 Normal succession planning for staff may not cover all critical activities for the CCG. Priority should be given to ensuring that key tasks can be undertaken by multiple individuals to mitigate the risk of dependency on single members of staff.
6.4.2 Contingency plans for on-going projects and strategic objectives should be taken into consideration when developing action plans.
6.5 Testing and Training
6.5.1 The Head of Corporate Affairs is responsible for identifying appropriate levels of training and awareness sessions for all CCG staff to ensure business continuity becomes part of organisational culture and daily business routines, improving the organisation’s resilience to the effects of business disruptions.
6.5.2 The on-going viability of the business continuity program can only be determined through continual tests and improvements. The Head of Corporate Affairs will be responsible for ensuring regular tests and revisions are made to all plans to ensure they provide the level of assurance required.
6.5.3 If there is a major change to the CCG roles and/or structure, plans will be tested and revised once a settling-in period has been achieved, to allow for a confident level of recovery.
6.5.4 Testing should follow the ‘plan, study, do, and act’ model and can be either:
Discussion based exercises that involve stakeholders and team planning.
Table top exercises involve ‘testing’ the plan against a given scenario, rehearsing actions and responses.
Live exercises will test a single or selection of components of an action plan where the other two types are not suitable (e.g. fire drills, generator testing).
6.5.5 A full test of the Business Continuity Plans will be undertaken yearly. All senior managers and Heads of Service will be expected to take part in these exercises. A cold debriefing session will take place following the exercise to establish if any changes need to be made as a result of the exercise. All leads will be asked to review their Business Continuity Plans at this stage and submit them to the CCG’s overall plans.
6.6 Debriefing, Evaluation and Lessons Learned
6.6.1 Following a test or real activation of the business continuity plan, there should be a debrief for participants to identify areas that went well, and areas that require development.
6.6.2 An after action report will be produced following a test or real activation of the Business Continuity Plan by the appropriate director, highlighting recommendations from the debrief.
7 Monitoring and review of effectiveness
The Business Continuity Plan will be reviewed by the Audit Committee and if necessary revised in the light of legislative, guidance or organisational change.
NHSLA Monitoring Table
Criteria | Measurable | Frequency | Reporting to | Action Plan/Monitoring
Fit for purpose | Business Continuity Plans | 6 Months | Audit Committee |
Effectiveness of plans | Exercises | Annually | Audit Committee |
Appropriate use of Business impact assessments | Audit | Annually | Audit Committee |
7.1 Review of the policy
7.1.1 A suitable assessment tool will be used to support review of the effectiveness of this policy
7.1.2 This policy will be reviewed annually and a report brought to the Audit Committee.
8. Business Continuity Plans
8 Appendices
Appendix 4
8.1 Initial Business Impact Assessment
In order to construct a Business Continuity Plan, the starting point is to undertake a Business Impact Assessment which identifies the essential functions and services which define the organisation and assesses, based on impact and risk, the maximum time (Recovery Time Objective) the organisation can be considered to be sustainable without the ability to deliver those functions and services.
Purpose of Activity | Actual Activity | Carried out by | Resources needed | Dependencies (other teams, other agencies) | Impact | Recovery Time Objective | Current Contingencies | Proposed Contingencies
Financial Management | Budgeting & Reporting | Finance Team | Network access to ISFE; PC access | CSU | Significant | 2 weeks | Home Working |
Financial Transitions | Payroll; Sales Ledger; Cash Management | CSU; Finance Team | Network Access; PC Access | Serco CSU SBS Bank | Crucial | 2 weeks | CSU(s) and SBS Business Continuity Plans | Dependent on CSU business continuity plan
Activity and Contract Management | Data Capture & Analysis | CSU | Network access; PC access | Providers data | Major | 1 Month | CSU(s) B.C. Plan | Dependent on CSU
Quality Management | Monitoring SUIs; Safeguarding (adult hosted by North Norfolk CCG, children by GY&W CCG); Infection Control | Corporate Affairs & Director of Quality & Patient Safety | Internet access; PC access | Providers reports | Crucial | 3 days | CSU |
Public Health Medicines Management | Benchmarking Best Practice; Monitoring prescribing | CSU | Prescribing Data | South Norfolk CCG | Moderate | 1 month | South Norfolk | Dependent on CSU
Manpower Management | Recruitment; Appraisal | CSU/ Head of Corporate Affairs | Telecommunications | CSU HR Team | Moderate | 6 Weeks | Home Working | CSU business continuity plan
Commissioning | On-going decisions; Defining need for services; System change | Chief Operating Officer | Network access | Lead CCGs | Moderate | 2 months | Home Working |
Public Engagement | Website; Press relations; Surveys; FOI requests | Head of Corporate Affairs | Internet Access | CSU | Moderate; Major; Minor; Crucial | 1 month; 1 day; 6 weeks; 3 days | CSU useXXX?” | Dependent on CSU business continuity plan
Procurement | Securing goods and services | Commissioning | Network access | CSU | Moderate | 2 months | CSU |
Governance & Compliance | Maintenance of risk and GBAF; Handling complaints; Conducting Governing Body & Committees | CO/Chair/Head of Corporate Affairs; Admin Team | Network Access | None | Significant | 2 weeks, 3 days, 1 month | |
Performance Monitoring & reporting | QIPP AT/SHA liaison and performance regime | Chief Operating Officer, CFO | Network access | CSU | Moderate | 1 month | Homeworking |
Research & Development | Access to PPIRES Database & research operational files | Head of Research & Development | Network access | Research teams and PPIRES volunteers | Significant | 2 weeks | Networks and
Impact: Minor (1), Moderate (2), Significant (3), Major (4), Crucial (5)
Recovery Time Objective: Immediate, 1 day, 3 days, 1 week, 2 weeks, 1 month, 6 weeks, 3 months
Appendix 5 Business Continuity Plan
There are a number of threats to the continuity of business at South Norfolk CCG. The major ones are:
Loss of access to office
Loss of key managers
Loss of access to I.T.
Office:
Loss of access to the Head Office (Lakeside 400, Old Chapel Way, Broadland Business Park, Norwich, Norfolk, NR7 0WG) may occur due to the building being unavailable for use (fire damage, flood damage, loss of power) or access being denied to the building and immediate vicinity (security alert).
If the loss of access is expected to be short term (less than 2 working days), most staff can work from home or utilise space in GP practice.
If the disruption is longer than 2 working days the CCG would seek to utilise space within neighbouring CCGs or the CSU if parts of Lakeside 400 were usable.
If a temporary relocation of Head Office takes place, an alert will be placed on the CCG website by the Engagement Manager informing the public of the relocation and predicted length of disruption.
“Due to unforeseen circumstances, South Norfolk CCG has temporarily moved headquarters to XXXX. The telephone to be used for the time being is XXXX, e-mails to XXX.” (E-mail address will not change; the message is just to reinforce that.)
It may be possible to divert telephones to the temporary address but it is likely that an enforced move would happen without sufficient notice to action this (e.g. incident in the building out of hours).
The essential staff to relocate are:
Chief Finance Officer
Chief Operating Officer
Director of Quality & Patient Safety
Head of Corporate Affairs
Head of Research and Development
Other staff would be asked to work from home and report to their head of department for a daily update on work required and possible date to return to normal work.
Excess travel costs to Aldershot will be met if claimed.
Loss of key managers
This may be considered a lower threat to business continuity as there is already a high degree of close-knit working and covering roles within the senior team.
It is preferable to formalise arrangements and ensure that each senior leader selects a “shadow” and invests time outlining their major objectives. It is also critical that shared drives for essential files are utilised and the file discipline shared with all staff.
Loss of I.T.
This is a critical risk.
If there is a lack of access to IT the CCG will need to mobilise access via alternative sites such as other Norfolk CCG offices.
Loss of access to data/information is mitigated by existing back-up arrangements for the CCG’s data, carried out by the NHS CSU (South). The CCG must seek regular assurance and evidence that these back-up arrangements are regularly undertaken.
Authority to Invoke and Stand Down the Plan
The following officers of the CCG have authority to invoke and subsequently stand down the plan:
Position