Page 1 of 7
Policy for the Management of Business
Continuity
VERSION 2.1
Prepared by: Jeremy Cowen 29 January 2014
Page 2 of 7
1.0
Version Control
Date Version Amendment Amended by
12 Jan 2011 1.0 Document created J Cowen
28 Jan 2011 1.1 Amendments to text J Cowen
21 Jun 2011 1.2 Amendments to text Addition of approval section Roles and responsibilities expanded Linked to Trust strategy defined Paragraphs and pages numbered
J Cowen
24 Jun 2011 1.3 Addition of BCM levels section Amendments to text
J Cowen 18 Jul 2011 1.4 Amendments to text
Reformatting of section 10 Paragraphs numbered Pages numbered
J cowen
25 Aug 2011 1.5 Amendments to text D McManus
01 Feb 2013 1.6 References to ISO22301 J Cowen
10 Oct 2013 1.7 Corrections to text
Role of Assistant Directors added
J Cowen 24 Oct 2013 1.8 Amendments to text para 9.5
Amendments to text para 12.2 Para 12.3 added reporting lines
J Cowen
13 Nov 2013 1.9 Comments from CEx incorporated: 6.1 Amended text
8.1 Amended text 12.1, 12.2, 12.3 Clarified
J Cowen
23 Dec 2013 2.0 Equality screening template completed and reflected in section 3
J Cowen 29 Jan 2014 2.1 Amendment to Section 3.1 and insertion of Section
6.2 following presentation at Trust Assurance Committee 27 Jan 2014
D McManus
2.0
Approval
Version 2.1
Approved by Trust Board
Date approved 30 January 2014
Name of Author Jeremy Cowen
Date issued
Page 3 of 7
3.0
Review
3.1 This Policy will be reviewed no later than one year from the date of implementation, i.e. by 31 December 2014.
4.0
Equality Screening
4.1 The equality screening template was reviewed on 19 December 2013 – no impacts of any significance were identified during the screening process and that this policy was unlikely to have any adverse impact on equality of opportunity or impact on the patients and service users. It concluded that a full EQIA was not required.
Page 4 of 7
5.0
Introduction
5.1 The Northern Ireland Civil Contingencies Framework (2005) document and the various associated Statutory Regulations and Guidance require the Northern Ireland Ambulance Service HSC Trust (The Trust) to produce and maintain a comprehensive Business Continuity Plan that will enable the Trust to continue to provide critical service to the population of Northern Ireland in the event of an emergency or other crisis as far as is reasonable practicable.
5.2 The Department of Health, Social Services and Public Safety, Northern Ireland (DHSSPSNI) have established a Health and Social Care Business Continuity Project. The project aims to ensure that:
‘…HSC organisations to have business continuity management plans in place to the British Standard BS25999 by the end March 2012…’.
5.3 The British Standards Institute have replaced the BS25999 standard with an international standard for Business Continuity, ISO22301.
5.4 The Strategy document for the Trust confirms that the Trust will adopt the principles of BS25999 and ISO22301 for the Business Continuity programme.
6.0
Policy Statement
6.1 The Trust will establish and maintain appropriate and relevant Business Continuity arrangements.
6.2 The Trust will ensure that adequate business continuity arrangements are in place in those organisations upon whom the Trust depends for the delivery of key functions and the provision of essential services to the Trust.
6.3 This Policy applies to all staff within the Trust, both permanent and non-permanent and for whom the Trust has legal responsibility.
7.0
Purpose
7.1 The purpose of this policy is to ensure that the Trust has robust Business Continuity arrangements in place, and that a defined structure for use by all staff is managed and maintained.
7.2 All Business Continuity arrangements within the Trust will be in accordance with this policy and in compliance of ISO22301.
Page 5 of 7
8.0
Policy Objectives
8.1 The objectives of this Policy are to ensure that:
The Roles and Responsibilities for Business Continuity for all Staff bound by this Policy are defined
The Governance and reporting arrangements for Business Continuity Management are defined
That Business Continuity is embedded within all levels and areas of the Trust
Plans appropriate to the respective organisational levels are written
Regular Risk and Threat assessments are carried out
Critical activities are identified and mapped out
Page 6 of 7
9.0
Roles and Responsibilities
9.1 Trust Board
The Trust Board will be responsible for monitoring the continued effectiveness of the Trust’s Business Continuity Management arrangements through the Assurance Committee.
9.2 Chief Executive
The Chief Executive has overall responsibility for Business Continuity Management within the Trust.
9.3 Medical Director
The lead Director for Business Continuity Management is the Medical Director who reports directly to the Chief Executive in relation to Business Continuity Management within the Trust. The Medical Director will discharge his responsibility through the Emergency Planning Officer who will work collaboratively with the nominated leads from each directorate and department. 9.4 Executive Directors
The Executive Directors are responsible for Business Continuity within their own Directorate. They will ensure compliance with this policy within their area of responsibility.
9.5 Assistant Directors
The Executive Directors normally discharge their responsibilities through their Assistant Directors. The Assistant Directors will be the functional lead for business continuity in their particular area of responsibility or speciality.
9.6 Emergency Planning Officer
The Emergency Planning Officer is responsible for maintaining a central record of plans, testing, exercising, validating and reviews of such plans and ensuring that the linkages and interdependencies between departments, for example in the case of IT, are accurately reflected in the plans.
9.7 All other staff
All other staff have a responsibility to comply with the Business Continuity arrangements as defined within the respective procedure(s) for their own work area. They are required to report all actual or potential Business Continuity risks or issues via the appropriate system of reporting.
Page 7 of 7
10.0 Levels
10.1 Each plan will be identified clearly with the organisational level at which it is aimed. This level will be defined post completion of each of the respective departments Business Impact Analysis and will depend on whether the impact will affect NIAS either at a corporate level, or whether the impacts will be felt at a more local level.
10.2 The levels are identified in table 1 below:
Area of Impact
Plan Level
Corporate-wide impact 4
Directorate-wide impact 3
Division/Departmental-wide impact 2
Sub-departmental-wide impact 1
11.0 Activation
11.1 All staff are authorised to activate a LEVEL 1 plan as defined within the respective procedure(s). 11.2 Any other level of plan can only be authorised by the level of Management as defined within the
respective procedure(s).
11.3 In each instance of activating a business continuity plan, the line manager above the level of the individual who activated the plan must be informed. Out of Hours, the EAC must be informed in the first instance.
12.0 Reporting
12.1 It is the responsibility of all staff to ensure that any actual or potential activation of any business continuity procedure or plan is reported to their directorate functional lead through their line manager and to the risk manager through the Trust’s Untoward Incident reporting procedure. 12.2 The Risk Manager will inform the EPO in order to ensure that the incident is recorded. The EPO
will then ensure that appropriate actions and reviews are undertaken.
12.3 The emergency preparedness and business continuity committee will consider all incidents as a standing agenda item and will then, in turn, report to the Trust’s Assurance Committee.