The NHS Information Centre
Business Continuity Plan
Customer: The NHS Information Centre Division/Project number:
Project Manager:
Project/Document reference:
Issue: 0.1.10
Issue date: July 2008
Status: Draft Issue
Distribution:
Prepared by: Martin Liddament
... Reviewed:
... Approved (NHSIA):
Amendment history
All formal issues to this document are recorded below. Subsequent to Definitive Issue 1.0, all issues must record reasons for change, either by reason or by reference to the Change Form (Appendix C).
| Date | Issue | Status | Initials | Reason for Change |
|---|---|---|---|---|
| September 2007 | 0.1.2 | First Draft | ML | First rough draft for initial discussion |
| October 2007 | 0.1.3 | Second Draft | ML | Incorporating initial Group feedback and significantly shortened. |
| October 2007 | 0.1.4 | Third Draft | SL / ML | Tidying up |
| October 2007 | 0.1.5 | Fourth Draft | SL / ML | Final tidying up |
| October 2007 | 0.1.6 | Fifth Draft | SL / ML | Paper for Audit & Risk sub-committee of Board |
| November 2007 | 0.1.7 | Sixth Draft | ML | Revisions following Audit & Risk sub-committee of Board |
| December 2007 | 0.1.8 | Seventh Draft | ML | Further revisions following Audit & Risk sub-committee of Board: Risks to Plan added |
| January 2008 | 0.1.9 | Eighth Draft | ML | Further revisions following receipt of other ALB’s plans |
| July 2008 | 0.1.10 | Ninth Draft | KB | Updated the EMT members |
Table of Contents
(1) Introduction
(2) Purpose
(3) Scope
(4) Roles and responsibilities
(5) EMT Members
(6) Cascade Process
(7) Ownership and Distribution
(8) Risk Analysis
(9) Incident Notification
(10) Incident Analysis
(11) Incident Definitions
(12) Communications Strategy
(13) Command Centres
(14) Disaster Recovery Packs
(15) BCP Maintenance
(16) Training and Awareness
(17) Testing
(18) Risks to the Business Continuity Plan
(19) Incident Checklist
Appendices
1. IT Disaster Recovery Plan
2. Trevelyan Square Bomb Evacuation Plan
3. Fire Evacuation Plan
Business Continuity Plan
1. Introduction
The NHS Information Centre mission is to become recognised as a source of high quality, authoritative comparative data to support improvement in front line health and social care delivery. In order to achieve this goal, The NHS Information Centre recognises that its most important asset is its people. The purpose of this plan is to make sure that in the event of a disaster or emergency, staff are protected and supported to become productive again as soon as possible.
As the document suggests, business continuity involves thinking ahead in order to avoid or mitigate risk, taking corrective action and being in control of the outcome of an emergency.
The Business Continuity Plan (BCP) sets out procedures for managing an emergency incident and its immediate aftermath. By planning for an orderly recovery, it limits the impact on employees, offices and critical business functions.
2. Purpose
The NHS Information Centre recognises the potential operational and financial losses associated with a major service interruption, and the importance of maintaining viable recovery strategies. This BCP is intended to provide a framework for the Emergency Management Team (EMT) to follow in the event of an incident such as fire, flood, bomb or terrorist attack, power and/or communication failure or any other emergency that may impact upon the daily operations of The NHS Information Centre.
The main purpose of this BCP is to:
Formalise the process for emergency incident notification within The NHS Information Centre offices
Ensure all NHS Information Centre offices will be supported by the EMT
Develop guidelines for recovery planning, maintenance and testing for all business continuity plans throughout The NHS Information Centre.
The primary objectives therefore are to:
Maximise the safety and security of all NHS Information Centre workers, visitors & stakeholders.
Open easily-accessed communications channels for staff and stakeholders and maintain a flow of timely, good-quality information and instructions for the duration of the incident and during the recovery phase.
Provide the Emergency Management Team with a tested plan which, when invoked, will provide direction and guidance to help bring about an efficient and timely recovery of the interrupted business operation.
Minimise the inconvenience and potential disruption to users and clients.
Minimise financial or operational impacts that could seriously jeopardise The NHS Information Centre.
Protect The NHS Information Centre’s public image and minimise legal consequences.
Lead and support business continuity.
3. Scope
The severity of possible incidents is measured later in this document; however, it is useful to give examples of what might be considered an event that would invoke this plan. The following list is not exhaustive and judgement will be applied in each case.
Unavailability of premises for more than 5 working hours caused by fire, flood or other incidents
Serious injury to, or death of, staff whilst in the offices
Significant chemical contamination of the working environment
Significant numbers of staff prevented from reaching The NHS Information Centre premises, or getting home, due to bad weather or transport issues
Terrorist attack or threat affecting transport networks or the office locations
Theft or criminal damage severely compromising the organisation’s physical assets
Major electronic attacks or severe disruption to the IT network and systems
Denial of access to key resources and assets
Illness / epidemic striking the population and therefore affecting a significant number of staff
Outbreak of a serious disease or illness in the working environment
Simultaneous resignation or loss of a number of key staff
Widespread industrial action
Significant fraud, sabotage or other malicious acts
Violent incidents affecting staff.
The plan provides for the recovery of time-sensitive business operations in accordance with predetermined time frames and for the resumption of less time-sensitive business operations as required and finally, a return to a permanent operating environment.
However, the plan does not address building evacuation procedures or individual office evacuation plans, which are all covered in separate documents, although for completeness these procedures are attached to this document as appendices.
Individual senior managers are required to assess their specific area of expertise and plan actions for any necessary recovery phase, setting out procedures and staffing needs and specifying any equipment or technical resource which may be required in the recovery phase.
4. Roles and responsibilities
In order for The NHS Information Centre to develop a good long-term business continuity capability, it is essential that all staff take on an appropriate level of responsibility.
Area/Function Responsibilities
NHS Information Centre Senior Management
Implementation of this policy and standards.
Review of business continuity status and the application of the policy and standards in all business undertakings.
Enforce compliance through assurance activities.
Provision of appropriate levels of resource and budget to achieve the required level of business continuity competence.
Ensure information governance standards continue to be applied to data and information during an incident.
Department Heads
Maintain good awareness of all business continuity activity within their business areas.
Provide feedback to business leaders about the currency and effectiveness of their departmental disaster recovery plan in the context of the corporate business continuity plan.
Ensure that departmental disaster recovery plans are regularly reviewed, tested and exercised in the context of the corporate business continuity plan.
Act as a conduit for dissemination of information, guidelines, programmes of activity etc to all management and staff
Facilitate a group/cross business area approach to business continuity where appropriate.
Ensure information governance standards continue to be applied to data and information during an incident.
All Colleagues
Achieve an adequate level of general awareness regarding business continuity.
Be aware of the contents of own business area’s disaster recovery plan and any specific role or responsibilities allocated.
Participate actively in the business continuity programme where required.
Ensure information governance standards continue to be applied to data and information during an incident.
Emergency Management Team (EMT)
5. EMT Members
The selected EMT members are:
Chief Executive (may not be able to attend all meetings – see cascade list below) – Tim Straughan
Director IT – Martin Liddament
Director of Finance – Stephen Leathley
Director of Information Governance – Clare Sanderson
Head of HR – Tim Roebuck
Head of Media – Fraser Woodward
Head of Contact Centre – Jane E Moore
Procurement Estates Manager – William Hewitt
Facilities Manager – Ginger Buckland
IT Operations Manager – Kevin Johnson
Programme Manager Operations – Madeleine Watson
Senior Business Support – Karen Brisco
It is the responsibility of each of these members to assign a deputy to cover their position.
6. Cascade Process
While the EMT provides the immediate management functions needed to handle an incident, it will also be necessary for it to have access to the Chief Executive and Directors. In the event of the CEO and / or some or all of Directors being unavailable, the following cascade structure will be adopted:
1. Chief Executive – Tim Straughan
2. Director of Finance – Stephen Leathley
3. Director of Operations – Andy Sutherland
4. Director of Business Development – Phil Wade
5. Director of Information Governance and Quality – Clare Sanderson
6. Executive Medical Director – Mark Davies
If an emergency situation is so extreme or unusual that the CEO and Directors are not available and are unlikely to be contactable or are unable to engage with the situation within the timescales needed to resolve it, then the EMT is required to nominate one of its members to contact The Department of Health to request guidance and assistance.
7. Ownership and Distribution
The BCP will be owned by the EMT who will also be responsible for change control, maintenance and testing of the plan.
8. Risk Analysis
Throughout this BCP it is acknowledged that the risks to our stakeholders resulting from a large or catastrophic incident affecting The NHS Information Centre are relatively low. When compared with the impact of major incidents on many private sector or NHS bodies, a disaster striking The NHS Information Centre would affect its operations and its staff, but the work of its customers would not be severely disrupted. The NHS Information Centre’s primary purpose and products are not necessarily so time sensitive that a major interruption of systems for a reasonably lengthy period will have a serious impact on customer service.
For instance, if the Finance systems using SBS were unavailable for up to a calendar month then the impacts on producing financial information or on cash flow are not overly significant. Similarly most NHS Information Centre hosted websites are largely used for access to information. Disruption to these services, whilst inconvenient to customers, is not critical - the 2006 incident in Hemel Hempstead that took down the Northgate IT centre resulted in the HES system being off-line for a month, causing some inconvenience, but not a major disaster.
The NHS Information Centre outsources its IT infrastructure and associated technical controls to Computer Sciences Corporation (CSC) which also hosts a large number of Department of Health and NHS systems. It is acknowledged that The NHS Information Centre service portfolio will be relatively low priority for CSC in the event of a major incident affecting its computer facilities. Quite rightly, front-line NHS Trust systems would be reactivated first. Thus, in addition to this BCP, a risk register has been created to identify the key areas of NHS Information Centre activity that require to be addressed as a priority and ensure that internal managers and external providers have prioritised them accordingly.
Prioritised likely incidents
(Likelihood and Impact scales = 1 (low) – 5)
| No. | Incident | Likelihood | Impact | Plan robustness and mitigation |
|---|---|---|---|---|
| 1 | Unavailability of premises for more than 5 working hours caused by fire, flood or other incidents | 3 | 4 | Plan robust. Mitigation is by home working, use of centralised communications channels and use of an emergency command centre. |
| 2 | Major electronic attacks or severe disruption to the IT network and systems | 3 | 4 | Plan robust. Sub-plan for IT disaster recovery in place. NHS Information Centre data is duplicated across geographically remote sites. Equipment rebuilding and stand-alone working possible as a temporary measure. Prioritised restoration of SharePoint and email systems would allow remote workers to use non-NHS Information Centre equipment securely to reduce dependency on corporate equipment. |
| 3 | Terrorist attack or threat affecting transport networks or the office locations | 3 | 3 | Plan robust. Mitigation is by home working and use of centralised communications channels. |
| 4 | Denial of access to key resources and assets | 3 | 3 | Plan robust. Mitigation is by home working and use of centralised communications channels. |
| 5 | Significant numbers of staff prevented from reaching NHS Information Centre premises, or getting home, due to bad weather or transport issues | 4 | 2 | Plan robust. Mitigation is by home working, use of centralised communications channels and use of an emergency command centre. |
| 6 | Theft or criminal damage severely compromising the organisation’s physical assets | 2 | 3 | Plan robust. Sub-plan for IT disaster recovery in place. NHS Information Centre data is duplicated across geographically remote sites. Equipment re-building and stand-alone working possible as a temporary measure. Prioritised restoration of SharePoint and email systems would allow remote workers to use non-NHS Information Centre equipment securely to reduce dependency on corporate equipment. |
| 7 | Significant chemical contamination of the working environment | 1 | 4 | Plan robust. Mitigation is by home working, use of centralised communications channels and use of an emergency command centre. |
| 8 | Serious injury to, or death of, staff whilst in the offices | 2 | 2 | Plan robust. Mitigation is by use of centralised communications channels and co-ordination between internal teams via EMT. |
| 9 | Illness / epidemic striking the population and therefore affecting a significant number of staff | 1 | 3 | Plan robust. Mitigation is by home working, use of centralised communications channels and co-ordination between internal teams via EMT. |
| 10 | Outbreak of a serious disease or illness in the working environment | 1 | 3 | Plan robust. Mitigation is by home working, use of centralised communications channels and co-ordination between internal teams via EMT. |
| 11 | Simultaneous resignation or loss of a number of key staff | 1 | 2 | Plan robust. Mitigation is by use of centralised communications channels and co-ordination between internal teams via EMT. |
| 12 | Widespread industrial action | 1 | 2 | Plan robust. Mitigation is by use of home working (where appropriate), centralised communications channels and co-ordination between internal teams via EMT. |
| 13 | Significant fraud, sabotage or other malicious acts | 1 | 2 | Plan robust. Mitigation is by use of home working (where appropriate), centralised communications channels and co-ordination between internal teams via EMT. |
| 14 | Violent incidents affecting staff | 1 | 2 | Plan robust. Mitigation is by use of centralised communications |
9. Incident Notification
Any member of staff may undertake a preliminary assessment of an incident and relay the information to any member of the EMT at any time.
The member (or members) of staff concerned should:
Ensure safety of workers, visitors & stakeholders at the office and take names of any known injured
Conduct a preliminary assessment of the incident regarding damage and disruption to the office and business operations with the facts necessary to make informed decisions regarding subsequent recovery activity
Notify the EMT of the incident, initial assessment findings and any known injured
Notify emergency services if required
After being told about a possible emergency, the EMT Member receiving notification will:
Ensure that the staff member on site has undertaken all initial actions considered appropriate to stabilise the position and will keep them fully briefed at all times.
Analyse the nature of the incident and make an initial decision about the level of response required.
Contact other EMT Members as appropriate and summarise the incident based on the information available, acting as the primary co-ordinating group member until the incident is closed.
Confirm the status of the incident, agreeing an Incident Definition and immediate recovery actions with the other EMT members.
Attend the affected office if the circumstances dictate and take charge of the incident.
Liaise with Senior Executives, and brief them on the incident and business situation.
On the information provided, make a pronouncement whether to close a facility or office during normal business hours, or whether or not to open an office that has been affected out of hours.
Ensure any internal and external communications to staff, customers and stakeholders are properly reviewed, as well as acting as The NHS Information Centre representative should there be any media involvement, until the media team are able to take control (NB – the Media / Communications team should always be involved as soon as possible and no other staff should ever speak with the media during an incident).
Assist with regard to office solutions and security issues and monitor any premises issues.
Agree with the Head of HR any staff related issues and hiring of contracted recovery
The staff member who initially notified the incident (assuming no EMT Member is available at the location affected) will:
Keep in continuous communications with the EMT to update information on when access to the facility will be allowed and the ongoing condition of any known injured
Liaise with any EMT member attending the scene and brief them accordingly on the current condition at the office
Assist with any recovery tasks as determined by the EMT.
There may be circumstances involving an office incident which will only need information to be circulated to the EMT via email or telephone conversation. Not all emergencies will result in every member of the EMT being informed.
Depending upon the circumstances of the incident and its severity, the EMT may notify all staff and managers immediately and activate a designated Command Centre.
10. Incident Analysis
One of the first activities in any incident notification is to identify the impact on the workers, the office and critical business functions.
The impact of the incident on The NHS Information Centre will change with each office and each situation and each critical business function affected. The initial analysis must identify where an incident happened, who was involved and what was affected.
It must be noted that response to an emergency incident does not necessarily or automatically translate into the declaration of a disaster and the implementation of a full recovery operation.
Incidents may cause a temporary or partial interruption of activities with limited or no office damage. It will be the responsibility of the EMT, in conjunction with The NHS Information Centre’s Directors as available, to evaluate and declare the appropriate level of response.
The EMT (and NHS Information Centre directors as available) will decide if temporary premises or alternative long-term premises are eventually to be required and will manage the acquisition.
If a long-term replacement site is required it is estimated that it would be needed within one month of a disaster. The location would be likely to remain in operation for several months and may even become a permanent replacement for Trevelyan Square.
Three offices have been identified as essential when considering recovery actions:
Leeds - Trevelyan Square
London - Harmsworth House
Southport
The impact on the above offices specifically, but all offices generally, is the effect on business services, measured on a severity scale as follows:
The severity level indicates the urgency of recovering this business service. It also identifies the order in which these services should be re-instated.
In particular, immediately upon notification of an incident involving the IT infrastructure, the IT Operations Manager should be made aware of the affected service and obtain an initial assessment. The IT Operations Manager keeps all NHS Information Centre IT servers on a business priority list and will be able to readily identify the impact on the business services.
11. Incident Definitions
The EMT has agreed and assigned the following definitions that classify incidents according to the level of downtime expected:
| Criteria for Classifying Incidents | Service Levels Affected | NHS Information Centre Staff Affected | Estimated Duration |
|---|---|---|---|
| SMALL | No impact | <20 | Less than a day |
| MEDIUM | Minimal inconvenience | >20 <100 | >1 Day < 7 Days |
| LARGE | Key systems affected or NHS Information Centre deadlines in jeopardy | >100 <200 | > 7 Days < 14 Days |
| CATASTROPHIC | Severe disruption to customers / staff. NHS Information Centre deadlines not met | >200 | Impact Extending >14 Days |

(a) SMALL
Any emergency of this expected duration would be handled as part of the normal in-house recovery procedures. The EMT will be informed but no action will be taken; the incident will be recorded for information purposes only.
(b) MEDIUM
(c) LARGE
This definition addresses situations of prolonged loss of office, power, data, IT and key workers. The EMT will invoke the BCP, notify the necessary directors and managers and will commence appropriate recovery processes.
(d) CATASTROPHIC
This type of emergency will most likely be of extreme proportions. The EMT will invoke the BCP, notify the necessary Directors and managers and will commence appropriate recovery processes. All Board members and DH sponsors will need to be advised and kept up to date as appropriate. The EMT and / or The NHS Information Centre Directors as available will be responsible for this action.
12. Communications Strategy
Good communication is essential at a time of crisis. The NHS Information Centre Directors (or if not available, the EMT) will be responsible for approving the appropriate statements for internal and external communication. The Media / Communications team will manage contact with the media. The BCP folders will have preformatted statements ready to populate with incident details as appropriate. These statements will have been agreed in advance and held in reserve for speedy, accurate and clear statements.
Statements should include information regarding the incident, staff, visitors & stakeholders at the office and an estimated time of office denial, if appropriate, and will be circulated to all NHS Information Centre offices.
Should any statements to external parties be necessary these will be circulated if the Directors or EMT consider it necessary.
Should a Director or the EMT need to speak with the media about the incident, the Press Officer will assist in making any release statements.
An emergency phone-in line will be set up and its number communicated to all staff. If NHS Information Centre premises cannot be accessed, staff can use the phone-in line’s recorded message to get up to date information and instructions. The EMT will keep staff and stakeholders as fully informed as possible for the duration of the incident and during the recovery phase.
An emergency website will be set up and its URL communicated to all staff. If NHS Information Centre premises cannot be accessed, staff can use the site from any Internet-capable PC and get up to date information and instructions.
13. Command Centres
The NHS Information Centre will have three command centres; the Primary Command Centre is located at Trevelyan Square in the Boardroom. The Secondary Command Centre will be located in the Quarry House premises of the Department of Health in Leeds. This secondary location will be provided under a reciprocal arrangement whereby IT equipment and Internet and phone access will be made available as well as temporary accommodation for an agreed number of staff.
The third Command Centre will be at The NHS Information Centre’s London offices. The EMT will state which office has been designated when notifying managers. However, it is not anticipated that the London office will be used except in the case of an extreme and catastrophic incident affecting the wider Leeds area.
If the incident is severe enough the appropriate Command Centre will be activated so the EMT can meet immediately to be briefed on the incident and to discuss the appropriate recovery actions. Conference-call facilities will be available at all Command Centres, and as soon as practical after the incident, conference calls will be established.
14. Disaster Recovery Packs
There will be two Disaster Recovery Packs, located in each Command Centre. In addition, each EMT member and each executive director will have a pack to be kept at their home.
The contents and materials of the Disaster Recovery Packs will be mirrored. Each pack will be checked for completeness and updated regularly, or whenever any change in the BCP or Disaster Recovery Module has been made to affect its contents.
CONTENT ITEMS
Hard and soft copy of the EMT Plan and any other recovery documents on CD ROM and USB stick
Electronic lists of personal telephone numbers and e-mail addresses for all staff
Information on how to write to the emergency web page
Information on how to update the emergency telephone message
Information on how to use a service to send texts to all staff mobiles
Access to emergency RAS accounts and the associated key fob
Data card for internet access via mobile phone network
Configuration to access a non-CSC ISP
Skype or similar VOIP account information
The update number for the 0844 4457573 emergency line
Hard and soft copies of key documents, policies, passwords, contact numbers etc.
Hard and soft copies of all the EMT Check Lists
IT Asset register
Phone lists of key suppliers such as:
CSC
SBS financial services
DH contacts, NHS Information Centre directors etc
security companies
taxi companies (at least 2)
local hotels with meeting rooms near offices
local train and bus timetables
15. BCP Maintenance
Plan Maintenance
Maintenance procedures are divided into two general categories: scheduled and unscheduled. Scheduled maintenance is time-driven, whereas unscheduled maintenance is event-driven.
Scheduled Maintenance
Scheduled maintenance will consist of an annual review and update. The purpose of this review is to determine whether changes are required to procedures or responsibilities. A complete BCP will be distributed annually to each EMT Member.
Unscheduled Maintenance
Certain maintenance requirements are unpredictable and cannot be scheduled, such as changes to off-office storage premises, vendors, Command Centre location and also any transfers, promotions or resignations of EMT Members.
16. Training and Awareness
For business continuity to become part of NHS Information Centre culture and daily business routines, all staff must be trained. The training required can be broken down into two types:
Team member training – Ensuring that team members have the skills and knowledge to carry out their responsibilities.
General awareness of staff and business contacts – Making sure that all NHS Information Centre staff and business associates understand what has been done to implement business continuity and that all staff know what to do in the event of a major incident
Skill Enhancement of Team Members
Team leaders, deputies and team members must receive training in order to perform their role effectively. If the team leader is not available, then a deputy will be called into action to lead, so it is important that both are trained to the same standard. All need to understand fully:
The objective of the business continuity and team disaster recovery plans
How the plans are activated
How briefing will take place during an incident
The roles of the leader and deputy and who they are
How resumption of normal work will be managed
Their own role and responsibilities
Other teams’ responsibilities and what else is happening.
The primary form of training is to participate in testing. Over time, this should ensure that all participants will be able to undertake the actions required of them.
General Awareness of NHS Information Centre Staff & Business Contacts
Raising awareness of business continuity amongst NHS Information Centre staff and key business contacts is also very important. Staff members who do not have a specific role must know what to do. In many cases, they will be expected to go home and remain on standby so that they can be contacted if they are needed.
Key business contacts also need to understand how The NHS Information Centre will respond in an emergency so that they help rather than hinder the recovery.
Raising awareness will be achieved by:
Regular briefings
Demonstration of stand-by facilities
Induction training
Newsletters and Intranet
Issuing credit-card sized guides to all staff containing basic information about what to do if an incident occurs
17. Testing
The ongoing viability of the business continuity program can only be determined through continual tests and improvements. The main issues in holding disaster tests are the time and resources required. Therefore, it is imperative that the managers or their deputies participate when tests are carried out.
Should there be a major change in The NHS Information Centre’s role and structure, it is advisable that a test should be conducted once a ‘settling-in’ period has been achieved, to ensure a confident level of recovery.
The EMT is charged with the following responsibilities with regard to office testing:
Conducting an annual test
Identifying the objective of the area to be tested
Ensuring that individual measurement and procedures are established for each test objective
Monitoring and observing all activities in the test
Ensuring that test objectives are met in accordance with other related or impacted areas and workers
Documenting results related to any strengths and weaknesses observed during the test
Ensuring all BCP documents are completed and that all Plan holders are given revised copies
18. Risks to the Business Continuity Plan
There are a number of risks to the delivery of the Business Continuity Plan itself. The table below summarises these.
(Likelihood and Impact scales = 1 (low) – 5 )
| No. | Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|---|
| 1 | Organisation does not engage with the plan and take it seriously | 4 | 5 | Senior management ownership and promotion of the plan. Good internal publicity and high-profile testing. |
| 2 | Plan is tested, but fails on implementation because of unforeseen circumstances | 3 | 5 | Ensure plan achieves the best balance between flexibility and formalised process. Ensure that detailed processes are only applied to areas that are predictable and put in place more flexible approaches to deal with areas of uncertainty. |
| 3 | Plan goes out of date | 3 | 5 | Review the plan annually and also when the organisation undergoes significant change (e.g. NHSCR project). |
| 4 | Plan focuses on the wrong aspects of the business | 3 | 4 | Review the plan annually and also when the organisation undergoes significant change (e.g. NHSCR project). |
| 5 | Plan is not understood | 2 | 5 | Good internal publicity and high-profile testing. |
| 6 | Key teams do not develop their associated disaster recovery plans | 2 | 5 | Business Continuity Group require teams to produce the plan. Senior management highlight importance of compliance. Business Continuity Group produces template and guidance for teams to follow. |
| 7 | Plan is not tested and fails on implementation | 2 | 5 | Test plan every year and revise as required. |
| 8 | Key individuals lack the skills and knowledge to implement key parts of the Plan | 2 | 4 | Ensure that all those with key responsibilities under the Plan are comfortable that they have the necessary skills. Add appropriate training to personal development plans as required. |
| 9 | Plan is too generic | 2 | 4 | Ensure that key teams within the organisation understand the Plan and develop and append their own disaster recovery and business continuity procedures to it. This must be done to a standard format to ensure consistency and reviewed by the Business Continuity Group to ensure fit with the overall Plan. |
| 10 | Plan is too costly to implement | 1 | 5 | Review the plan to ensure it is practical, flexible and cost-effective. Benchmark against other ALBs’ BCPs. |
19. Incident Checklist
Questions
When notification is received regarding an incident there is specific information needed to judge the extent of the impact on the office. In an emergency situation, the staff member may not be aware of the importance of adequate information. The following are general questions the EMT may find useful in prompting the reporting member of staff, so that a more accurate understanding of the incident can be obtained and the appropriate recovery processes put in place.
(1) Who is speaking and what is your contact number?
________________________________________________________________ (2) What happened?
________________________________________________________________ (3) Where are you?
________________________________________________________________ (4) Did you need to evacuate the building?
________________________________________________________________ (5) Are all workers, visitors & stakeholders accounted for?
________________________________________________________________ (6) Are there any injuries?
________________________________________________________________ (7) Who is injured? Their full names (first and surname)
________________________________________________________________ (8) Do you know what hospital they were taken to?
________________________________________________________________ (9) Did a NHS Information Centre worker go with them? Who?
________________________________________________________________ (10) Do you know the initial extent of damage to the building? For how long?
________________________________________________________________ (11) Are emergency services involved?
________________________________________________________________ (12) Do you require an EMT presence immediately at the office to give them
assistance?
________________________________________________________________ (13) Are the press/media involved?