Business Continuity Management Plan

(1)

Business Continuity

Management Plan

Document Number: ……..

Business

Continuity

Management & Support Services

Operations

Emergency

Preparedness

(2)

SOUTH EAST COAST AMBULANCE SERVICE NHS

TRUST

BUSINESS CONTINUITY MANAGEMENT PLAN

FOREWORD:

As the Chief Executive of the South East Coast Ambulance Service NHS Trust, I can confirm that it is the policy of the Trust to ensure continuity of service delivery following an unplanned disruption to normal working.

This will be achieved by the adoption of the recommendations as referenced in the following legislation and guidance:

 Civil Contingencies Act 2004, Emergency Preparedness Chapter 6;  British Standard for Business Continuity 25999-Part1 (Code of Practice) In doing so the South East Coast Ambulance Service NHS Trust will promote greater confidence to the public and Department of Health that the service provided to the communities within the Ambulance Trust area will be sustained as far as is reasonably practicable.

Good plans are essential and we need to ensure that all staff fully understand their roles and prepare themselves and their departments for that unexpected event.

This plan has been produced by the Emergency Preparedness Team to help meet those responsibilities. Please ensure you understand the contents of this document before an event.

Paul Sutton Chief Executive

(3)

BUSINESS CONTINUITY MANAGEMENT PLAN

(4)

South East Coast Ambulance Service NHS Trust

BUSINESS CONTINUITY MANAGEMENT PLAN

For ease of use this Business Continuity Management Plan is divided into three sections:

Policy and General Information Section 1

BCMP Activation Procedures – Action Cards Section 2

Business Continuity Plans Section 3

(5)

SOUTH EAST COAST AMBULANCE SERVICE NHS TRUST

Business Continuity Management Plan

AMENDMENT RECORD SHEET

DATE AMENDMENT NO.

PAGE NO.

(9)

Distribution List

All Service Departments;

BCMP Section 1 (Generic Plan)

BCMP Section 2 (Activation Procedures) BCMP Sub-Section 3A (Schedules) All Directors

All Emergency Preparedness Managers All Members of the Trust Resilience Group All Senior Managers;

(10)

BUSINESS CONTINUITY MANAGEMENT PLAN

SECTION ONE

(11)

1. Business Continuity Management

1.1 What is Business Continuity Management?

“Business Continuity Management (BCM) is a management process that helps manage the risks to the smooth running of an organisation or the delivery of a service, ensuring that the business can continue in the event of a disruption”.

“A planned process aimed at managing the many and varied operational risks inherent in the day-to-day activities involved in delivering services. The main purpose of the process is to ensure continuity of service delivery following an unexpected disruption to normal working”.

1.1. Scope of the BCM duty on Category 1 Responders:

 Applies to all functions (not just Civil Protection);

o Continue to perform critical aspects of day-to-day function; o Continue to exercise civil protection functions

 Functions include those organisations they rely on to delivery services

1.1.1 Limits of Duty:

 Linked to definition of emergency

 “….so far as is reasonably practicable….”

1.1.2 Links to Risk Assessment:

 Identifies significant risks threatening critical functions  Considers both internal and external

1.2 Background

There are many threats that could impact on the ability of the South East Coast Ambulance Service NHS Trust (SECAmb) to deliver its services to the community, affecting both clinical and non-clinical areas.

The impact is not determined by the cause, but rather the effect on the Trust‟s service delivery. The philosophy of Business Continuity Management is geared towards reducing

(12)

the impact of any interruption to specific resources by restoring critical functions, as quickly as possible, irrespective of the nature of the disaster.

Disasters are impossible to define accurately or to predict, but the more feasible that would affect SECAmb are:

 I.T. Systems Failure1

 Operational Communications Failure  Extensive Failure to Critical Equipment

 Staffing Levels – i.e. Pandemic, Skills Shortage.  Severe Weather; Flood, Heat, Snow, Wind.  Fire

 Utilities Failure  Supply Chain Failure

 External causes - i.e. other health providers, Major Incident, Terrorist Incident etc.  Earthquake

Whatever the reason for the interruption to normal working, the effect may result in, an inability to provide the core services of SECAmb. The effect could be disastrous if a comprehensive Business Continuity Plan was not in place to help mitigate the effects. The speed and efficiency at which SECAmb is able to recover from any disruptive challenge upon our services depends largely on the extent to which services have been pre-identified and prioritised.

The most essential resource/part of the service is the staff. It is imperative that every member of staff is aware of the outline procedures which will be followed should there be a break in service continuity. It is also essential that key members of staff with specific roles to play in both the Crisis and Recovery Phases, clearly understand those roles and responsibilities.

1.3 Legislative Requirements

The Civil Contingencies Act 2004 requires all Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency, so far as is reasonably practicable.

An ‘Emergency’ as defined in Section 1 of the Act is “an Event or Situation which threatens serious damage to human welfare in a place in the United Kingdom – an event

or Situation threatens human welfare only if it involves, causes or may cause – loss of human life, human illness or injury, disruption of money, food, water, energy or fuel, systems of communication, facilities for transport or disruption to services relating to health, and other non-health related matters.”

1

CMI BC Survey 2009 reported that Loss of IT, Extreme Weather, Loss of People, Loss of

telecommunications and Loss of outage eg. Electricity, gas, water, as the top five reported causes of disruption experienced. Compare this with top five of 2008; Loss of IT, Loss of People, Loss of Communications, Extreme Weather and Loss of Key Skills.

(13)

This duty relates to all the functions of a Category 1 responder, not just its civil protection functions.

Business Continuity Policy:

1.4 Introduction

The Chair and the Chief Executive of the SECAmb confirm that it is the policy of the Trust to ensure the continuity of service delivery following an unplanned disruption to normal working.

This will be achieved by the adoption of the recommendations as referenced in the following legislation and guidance:

 Civil Contingencies Act 2004, Emergency Preparedness Chapter 6;  British Standard for Business Continuity 25999-Part 1(Code of Practice)

In doing so SECAmb will promote greater confidence to the public and Department of Health that the service provided to the communities within the Ambulance Trust area will be sustained as far as is reasonably practicable.

1.5 Application

The policy applies to all directorates of the organisation. All employees within these directorates must be aware of this policy. This policy applies in particular to directorate heads, their nominated resilience representatives and unit managers.

1.6 Purpose

The purpose of this policy is to provide a structure through which SECAmb will be able to:  Establish and maintain a BCMS (Business Continuity Management System);

 Identify and prioritise key activities and responsibilities which are essential to the Trust and to seek to restore those key activities, should they be disrupted;

 Provide a mechanism to establish a Command Centre with a supporting structure to be able to prioritise the strategic issues facing the Trust and be able to manage the initial response to the crisis. including communications to all stake holders within and external to the Trust;

(14)

 Develop plans to ensure continuity of key activities at a minimum acceptable standard following a disruption, this may include plans both corporate and/or for individual directorate, department or location;

 Invocation of business continuity plans can be managed;  Plans are subject to ongoing exercising and revision;

 The executive board can be assured that the BCMS remains up to date and relevant.

1.7 Policy Statement

 Each key activity within our organisation is to be owned by a designated directorate. The head of the directorate will ensure, with their nominated resilience

representative, that plans capable of maintaining a minimum acceptable standard of service delivery are in place for each key activity.

 All departments will provide professional support to improve resilience of critical activities and resources that support SECAmb mission critical activities.

 Each directorate will carry out an annual review of its business continuity process and plan(s). The Resilience Group will monitor the review process and provide support where necessary.

 Each directorate must exercise its business continuity plan(s) at least once a year and make modifications where necessary.

 Contracts with suppliers of critical goods and services to the organisation must include a requirement to have in place a validated Business Continuity Plan.  All employees must be made aware of the plans that affect their directorate, unit,

office and their role following invocation of business continuity plans.

1.8 Benefits

The policy provides a clear commitment to establishing an effective Business Continuity Management System within SECAmb that will enable the organisation to, so far as is reasonably practicable2:

 Continue to provide critical services to the public following a disruptive event;  Make best use of personnel and resources at times when both might be scarce;  Reduce the period of disruption to both the organisation and the community;  Comply with standards of governance;

 Improve resilience of our organisation‟s infrastructure to reduce the likelihood of significant disruption;

 Reduce the operational and financial impact of a disruptive event;  Manage the resumption of normal working efficiently.

2_{„The CCA requires Category 1 responders to maintain plans to ensure that they can exercise their functions}

(15)

1.9 Responsibilities

 The Director of Operations is responsible to the executive board for business continuity issues.

 This policy is owned by the Resilience Group.

 The Head of Emergency Preparedness and Business Continuity Manager are the professional leads within the organisation and will;

- Review and develop the policy in line with best practice and the needs of the organisation;

- Monitor standards and compliance with the policy;

- Provide support and guidance to directorate representatives/unit managers.

1.10 Review of Policy

As the preceding policy is contained within this Business Continuity Management Plan it will be subject to review annually and will be signed on behalf of SECAmb by the CEO.

1.11 Management of the Business Continuity Management Plan

The Business Continuity Management Plan must be ‟signed off‟ by the Chief Executive Officer.

SECAmb has appointed the Head of Emergency Preparedness and the Business Continuity Manager responsible for the maintenance of the Business Continuity Management Plan, including ensuring that reviewing, updating, training and exercising of the plan are undertaken.

*Section Three of this BCMP contains details of linking documents (plans) .

1.12 Business Continuity Plans (BCP)

SECAmb Business Continuity Management Plan is a generic plan that may be implemented totally or in part. The SECAmb BCMP will require ‘Business Continuity

Plans’ produced by Directorates and / or Departments that provide direct and vital support to the maintenance of critical service delivery.

(16)

It is necessary to ensure that the plan/s are regularly reviewed and updated and appropriate training and exercising is provided to relevant key personnel, together with the opportunity to exercise all or individual elements.

There are already in place other SECAmb Plans which support Business Continuity and neither this policy, or plan displaces those plans, but will be co-ordinated alongside them; i.e. Major Incident Plan, Pandemic Flu Contingency Plan, NEP-Fuel Contingency

Plan & Heat-wave Plan. See Appendix 3.

1.13 Business Impact Analysis

„Business impact analysis is a process of analysing business functions and the effect that a business disruption might have upon it.‟ (BS 25999)

Therefore in is necessary to identify critical/key activities and for each, set out resource requirements and time scales for recovery. That process includes the use of BCM questionnaires to aid the production of BC Plan/s and Action Cards.

Some departments will be required to produce their own Business Continuity Plans to support the generic plan, in respect of their specialised area of work; e.g. I.M & T; Human Resources; Logistics etc.

Risk Assessment

Areas of risk vary greatly according to impact and likelihood. SECAmb will use the agreed risk matrix as shown in appendix 2; and the Risk & Health & Safety Department risk assessments will support the BIA process.

It should be noted that any risk is not constant – it changes as the culture and conditions of the Trust change. Therefore the assessments will be constantly changing in line with risk preventative measures undertaken or new risks which may be introduced as a result of improvements in other areas, e.g. I.T. The plan/s will be comprehensively reviewed and updated every six months and any changes which will require amendment to the plan/s identified as a result of:

 Exercise;  Training;

 A response to an actual BCM challenge;

Amendments should be notified to the Head of Emergency Preparedness and Business Continuity Manager.

Main Areas of Risk

The main areas of risk are considered to be the Trust Headquarters (Banstead), the two area offices (Kent & Sussex), in whole or in part, based upon the centralisation of essential business elements and the Make Ready Stations as they become operational. This

(17)

Date of Issue: December 2009 Review By Date September 2010

Authorised By: Chief Executive To Be Reviewed By: Emergency Preparedness Dept document therefore gives priority consideration to the business continuity arrangements for these areas.

Identified hazards to these locations and the risks to the services undertaken in them are shown in the appropriate Business Continuity Plans. (See Section 3.)

1.14 Mission Critical Services

The following have been identified by the Trust as being Mission Critical Services. Mission Critical Services

 Emergency Dispatch Centre‟s & Fall Back Arrangements. (I.M&T) *Call Handling and Dispatch of Resources.

 Operational Personnel & Resource Centre‟s. (HR & Ops) *Staffing for maintenance of critical activities and vital services. *Staff Welfare

 Operational Response (Logistics) *Maintaining availability of vehicles.

1.15 Critical Activities

Each of the organisations directorates will identify activities which are critical to the maintenance of the above mission critical services.

1.16 Service (Business) Locations

SECAmb‟s area of operations encompasses the counties of Kent, Surrey, and East & West Sussex and has bases at various locations within this area. The majority of these sites are the direct responsibility of the trust, with which this and other related documents are primarily concerned. Details of these will be included within Trust plans. Details of Trust premises are located in Appendix 1.

The business continuity arrangements (Schedules and BCP’s) in respect of specific departments / units / offices, and for any other locations are detailed in Section 3.

(18)

2. COMMAND AND CONTROL – BCMP:

2.1 Procedure for Invoking Business Continuity Management Plan

In the event of any serious disruptive challenge which is likely to affect the ability of SECAmb to deliver any of the core functions, the Business Continuity Management Plan will be implemented.

The Business Continuity Management Plan will be implemented as detailed within this plan. (See „Section 2 - Activation Procedures‟.) This will also apply in the initial stages of any scenario which involves the evacuation of the building. In this instance, only the initial stages of the plan will be invoked. If, after consultation, reoccupation of the building is not permitted for whatever reason, that part of the BCP which relates to the care of staff and provision of resources will be implemented, according to the scale of the crisis.

The Chief Executive or in his absence an Executive Director, or any Senior Manager in consultation with the duty Emergency Preparedness Tactical Advisor will have the authority to implement the Plan.

2.2 Command and Control Structure

The command structure to be established to deal with the event will be a Crisis Management Team and a Business Recovery Team. (See 3. & 4.)

The Command and Control structure for the initial and recovery stages will comprise of a Crisis Management Team (BC Gold) and a Business Resilience & Recovery Team (BC Silver – located at SECAmb Mission Control) supported by the Emergency Preparedness & Planning Team.

2.3 Major Incident Response

If the Trust Major Incident Plan is implemented and a response is required to deal with a

Declared Major Incident, the Business Continuity Management Plan must be invoked and

consideration given to the establishment of a Crisis Management Team.

The Crisis Management Team will not be involved in the management of the Major Incident Response but will be formed to consider the overall effect of the Major Incident Response on the core services provided by the South East Coast Ambulance Service NHS Trust. The BRRT formed will concentrate on managing the impact upon the service and the recovery arrangements.

(19)

Authorised By: Chief Executive To Be Reviewed By: Emergency Preparedness Dept

3. Crisis Management Team

3.1 Scope and Membership

The Crisis Management Team (CMT) will consider the strategic aspects of the crisis and the impact to the Trust as a whole and the services it operates. It will ensure that the Business Resilience & Recovery Team (BRRT) (See 4.) can carry out its tasks in an effective and efficient manner for the recovery of core functions. The CMT will also approve the tactics of the BRRT.

Membership of the Crisis Management Team will be:  The Chief Executive or nominated deputy  Finance Director or nominated deputy

 Head of Emergency Preparedness or nominated deputy

 Head of Communications (Public Relations / Media Officer) or nominated deputy  Other Key Staff relevant to the crisis as determined by the Chief Executive.  Nominated Loggist

The team should meet face to face/by teleconference regularly subject to the nature and scale of the crisis, in order that efficient, consistent and timely corporate warning and informing statements are available for release to both, the press, other stakeholders and staff.

3.2 Roles and Responsibilities of the Crisis Management Team

 To open and maintain an Incident / Decision Log & maintain effective records It will be the responsibility of the Crisis Management Team to ensure notification to the Strategic Health Authority of appropriate incidents.

 To communicate information regarding the incident to all stakeholders

 To liaise with the SECAmb Trust Board regarding all matters relating to the crisis and ensure the BRT are kept informed of any relevant decisions taken.

 To authorise appropriate finance, based on available information, to assist the Business Resilience & Recovery Team to aid vital services in a crisis

 To assist the Business Resilience & Recovery Team (BRRT) by providing adequate funding to enable them to complete and maintain a comprehensive recovery plan  To liaise with the Business Resilience & Recovery Team at frequent intervals during

the initial stages of the crisis

 To recognise the need for and allocate additional contracted staff as necessary to help the recovery process

 To advise on the implementation of the recovery plan in a crisis situation in liaison with all other appropriate services

 To appoint a manager to investigate the crisis in those circumstances where one is not naturally apparent

This is not a comprehensive list; additional responsibilities will become apparent in relation to specific types of incident.

(20)

3.3 Head of Communications (Media)

The Head of Communications (Public Relations / Media) will:

 Process regular media statements via the Crisis Management Team meetings  Devise methods of “Warning and Informing” on the developing implications of the

disruptive challenge facing the South East Coast Ambulance Service  Update the SECAmb Website and Intranet site at regular intervals  Take enquiries from the public and other stakeholders as necessary  Deal with press enquiries as appropriate

 Ensure all Non-Executive members are kept up to date through regular briefings

4. Business Resilience & Recovery Team: (BRRT)

4.1 Scope and Membership

The Business Resilience & Recovery Team (BRRT) supported by the Trust Emergency Preparedness Team; will ensure that the resilience and recovery of services is handled in an effective manner. A team of key staff members will be formed to manage (at a tactical level,) the operational aspects of the recovery and will consist of all or an appropriate selection dependant on the scale of the event and the impact upon the service:

An initial Response Group would include Lead Representatives from:  Emergency Preparedness Team

 Director of Finance or nominated deputy or Resilience team member  Assistant Director (As appropriate)

 EDC Manager or nominated deputy or Resilience team member  I.M & T. Director or nominated deputy or Resilience team member  HR- Workforce Manager or Resilience team member

 Risk, Health & Safety Manager or Resilience team member

 TS&L - Logistics Manager or nominated deputy or Resilience team member  Fleet Manager or nominated deputy or Resilience team member

 Senior Operations Manager or Resilience team member  Clinical Operations Manager or Resilience team member  Chief Executives PA or Resilience team member

 Communications Team or Resilience team member

*Consideration should be given to the attendance (if appropriate,) of a senior staff side representative.

(21)

4.2 Roles and Responsibilities of the Business Resilience & Recovery Team

 To ensure an Incident / Decision Log is maintained throughout the duration of the incident; Appoint Loggist;

 To prepare a strategy and plan in relation to the affected area of service delivery;

 To implement the plan/s where appropriate;

 To keep the Crisis Management Team (CMT) up to date on developments and provide detailed information on the progressing situation and projections as appropriate;

 To ensure all staff are aware and kept fully informed of the developing situation at all times;

 To provide situation reports on Departmental re-instatement as required;  To maintain effective records.

 Ensure notification to insurers of appropriate incidents via Risk, Health and Safety Department.

This is not a comprehensive list; additional responsibilities will become apparent in relation to specific types of incident.

4.3 Roles and Responsibilities within the Business Resilience & Recovery Team

Estates Manager (TS&L):

 To work with the various agencies and to report to the BRRT on the technical aspects of the buildings, power and other utilities;

 To liaise with the appointed Salvage Manager and Security Management Specialist on security matters;

 To organise technical experts in the event of a crisis relating to the building and to report progress back to the BRRT.

I.M & T. Representative:

 To organise the recovery of essential computer systems in the shortest time possible, either on site or at an alternative site, in the event of a crisis;

 To identify and replace server(s) as necessary;

 To identify and replace PC‟s/workstations as required within the priorities listed in the plan;

 To organise additional labour to reinstate the system(s) as necessary;  To report progress back to the BRRT.

HR (Workforce) Manager:

 To ensure maintenance of contact numbers for all key staff;  To ensure immediate access to staff records is maintained;

 To ensure all section heads have contact numbers for all their staff;

 To advise staff of their rights in a crisis and deal with any eventualities arising;  To arrange for any staff support as required.

(22)

Salvage Manager: (To be nominated when the Business Resilience & Recovery Team is activated/until suitably trained staff is in position)

 To liase with Estates Manager/Security Management Specialist on security matters;

 To liaise with Risk, Health & Safety Manager on any Health & Safety matters;  To liaise with insurers;

 To liaise with other Emergency Service Officers re access to building;

 To supervise staff volunteers with salvage operation, to salvage essential material.

 To report progress back to the BRRT.

Risk Manager:

 To liaise with Salvage Manager on any H&S matters;

 To ensure that H&S rules are not contravened at any stage of the crisis bearing in mind the immediate situation;

 To liaise with Health & Safety Executive.  To report progress back to the BRRT

5. Documentation

5.1 Essential Documentation

In the event of an incident it will be necessary for Managers to ensure arrangements for the identification and provision of essential documentation and forms not only to provide for emergency business continuity but also to for recovery. These must include financial documentation to enable purchases to be made. Arrangements will be made to identify such documentation and stock provision in the event of an incident.

5.2 Incident Records

All events, regardless of whether an incident or near miss, must be recorded on the current reporting system and processed in accordance with the incident procedures. It is normally the responsibility of the person initially involved or discovering the event to ensure this is completed. It is recognised that circumstances may arise when one person cannot be identified and in such cases the responsibility rests with the manager taking charge of the incident. Where the incident may be multifunctional, the responsibility for the completion of a report, using the current reporting process, rests with the Business Recovery Team.

(23)

Authorised By: Chief Executive To Be Reviewed By: Emergency Preparedness Dept The investigation responsibility will depend on the type and extent of the incident and it will be the responsibility of the Crisis Management Team to appoint the investigator where one is not naturally apparent.

SECAmb have trained Loggists for use during incidents to maintain decision logs on behalf of the CMT and BRRT. Requests for Loggists should be made through the EDC‟s.

5.3 Action Records

All incidents require assessment and some may require detailed information for purposes of insurance, litigation etc. It is therefore essential that all who are involved in the incident, at whatever stage, maintain a diary of events, including all areas of expenditure and actions carried out. Such information must be passed to the appointed Investigation Officer.

6. Other Arrangements

6.1 Finance

Except for routine expenditure, which is within normal departmental work, each department involved in the crisis should maintain records of any additional expenditure incurred, hours worked and details of any claimable expenses, all of which must be set against the designated finance code. Authority to spend over delegated limits should be sought from the Director of Finance or nominated deputy at the earliest opportunity.

6.2 Postal Services

In the event of the need to redirect the receipt of postal services to and from Headquarters, Kent or Sussex Office‟s, to the „Business Planning Manager‟ will be responsible for such arrangements and notifying the Post Office and other delivery agencies.

6.3 Removal of Items from Incident Site/s

Authority for the removal of specific items of equipment rests with the „appointed‟ Salvage Manager or nominated deputy; (See 7.1)

(24)

6.4 Working from Home and Workforce Flexibility Policies

The requirements for policies on working from home and workforce flexibility have been identified and will be developed by the Human Resource Department. These policies would only become effective during a disruptive event and with the approval of the Crisis Management Team. These policies will be linked to this document.

7. Salvage

It is probable that any equipment lost or damaged as the result of an incident will be covered by the Trust‟s insurance – however the Trust has a duty to minimise or mitigate any loss where possible, and the main way of doing this is by salvage. In addition salvaged equipment can be put back into service before replacements can be obtained and irreplaceable documentation may be saved from further deterioration.

The most efficient form of salvage is undertaken by specialist salvage companies. However unless the damage is very severe or extensive, it is likely that there will be sufficient expertise within the Trust to undertake or oversee most recovery work without the need to employ one of these companies. As long as the incident does not involve suspicious circumstances i.e. terrorist explosion, arson, when the building should be secured against unauthorised entry and the weather until profession help is obtained, it is better to begin salvage operations as soon as the building is declared safe.

If it is decided that salvage operations are viable, the Business Recovery Team will:  decide upon priorities for salvage;

 decide whether items are to be left in situ or to be removed to safe storage;  Obtain approval from the Loss Adjuster to carry out salvage operations.

7.1 Salvage Manager Tasks

 to salvage essential documentation and resources;

 to salvage such other equipment as can be removed from the affected site;  To protect from further damage equipment that cannot be removed.

Responsibilities

The overriding responsibility of the Salvage Manager is the safety of the salvage team. Salvage operations will cease immediately if:

 a member of the emergency services advises that operations should stop;  The Salvage Manager considers it unsafe to continue.

(25)

7.2 Before commencing Salvage Work

It is vital that the actions of the salvage team do not prejudice the Trust‟s ability to claim from the insurers. It is therefore necessary to obtain the approval from the loss adjuster to carry out salvage operations.

 If salvage has been initiated by the Fire & Rescue Service, take steps to prevent further deterioration of salvaged items.

 Ensure the area has been declared safe by the emergency services.  Ventilate the area to dispel smoke and reduce humidity.

 Remove or isolate all power, including battery back-ups.

 The Salvage Manager must ensure that a record is made of the state of all equipment salvaged or scrapped. This may be achieved by photographing or videoing each item.

7.3 Removal and Storage

The advice of the Loss Adjuster must be sought before removing any equipment from the site for whatever reason. It is likely that s/he will visit the site at an early stage and his/her approval will be sought then. A written record must be maintained of all equipment and fittings removed from the building, whether they are to be scrapped or sent for temporary storage or specialised recovery treatment.

(26)

8. Trust Resilience Group

Membership of the Resilience Group will comprise of members of the Emergency Preparedness Team and an appropriate representative from relevant Directorates, empowered to make decisions on behalf of their Directorate and to act as a co-ordinator for the departments in the production of specific Department Business Continuity Plan(s), training and exercising. (It would be advantageous to select members who would be

suitable to be the representative on the BRRT.)

Members (or their deputy,) will;

 ensure the Resilience of SECAmb to maintain its Key Critical Activities and directorate critical activities, „as far as is reasonably practicable‟, in the event of any disruption(s) caused by both internal and external incidents.

 ensure that they nominate a deputy to assist and cover them if they are unable to attend a meeting. For continuity a directorate must always be represented.  agree on Terms of Reference for the group are produced;

 ensure each meeting has agenda and minutes/ notes/actions recorded and circulated within time frames agreed.

 meet quarterly or as directed by the Emergency Preparedness Team;  Network with group through a programme of regular meetings;

 Ensure that any BC Schedules are completed and submitted as a minimum requirement of all directorate sites;

 identify and bring forward for discussion, recommendation, and adoption both

strategic and tactical matters emanating from their

Directorate/Department/Unit(s) that are liable to have an impact on Service Business Continuity and BC plan(s);

 Ensure their Directorate‟s awareness, that it is the responsibility of each directorate to assess their requirement to produce a directorate/department/unit specific BCP;

 inform the group of any amendments in relation to their individual directorate Business Continuity Plan(s) and/or BC Schedules;

 ensure/manage the maintenance of their individual Directorate Plan(s) ensuring the BCM is provided with current copies;

 Ensure training and exercising programme involvement by their directorate staff;  identify the need for members of their Directorate to receive relevant training

and/or exercising in relation to BCMP and BCP(s);

 Identify stakeholders and suppliers and ensure they have a BCP;

 undertake an annual review of all plans and schedules in order to ensure that they conform to the required best practice and audit requirements;

(27)

9. Training, Exercising & Audit

It is a requirement under the Civil Contingencies Act for us to ensure that arrangements are in place for us to both exercise and train staff, in order to validate the plan and ensure staff, “are confident and competent concerning the plan”.3

9.1 Training

All staff will receive an appropriate introduction to Business Continuity during an induction course.

Upon deployment to a particular area of service delivery, all staff will be familiarised with the relevant Business Continuity Plans.

Additional Training will be incorporated into staff development programmes from time to time to ensure a continued awareness of roles and responsibilities.

Should any changes to the BC Plans be made, staff will receive appropriate training and development to ensure the continued effectiveness of the BCM response.

Details of all Business Continuity training will be held on the SECAmb BC Training Register and individuals training databases.

9.2 Exercising

Exercising of the BCM response will be incorporated into any exercise involving the SECAmb response to a Major Incident.

Exercises will be held to validate any alteration, either in part or whole, to any element of the plan/s.

Exercising of the BCM response to any element of service delivery will be held as a regular feature of the ongoing management of the SECAmb Business Continuity Management Plan.

Details of all Business Continuity exercises will be held on the SECAmb BC Exercise Register.

3

CCA Chapter 6-6.22 The Regulations require Category 1 responders to put in place arrangements for exercising Business Continuity Plan‟s in order to ensure that they are effective. 6.25 The Regulations require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.

(28)

9.3 Review and Audit

Review

The Plan will be reviewed annually and/or after any invocation of the plan and/or further development of the plan identified changes in detail within Best Practice guidance from sources such as NHS Resilience Team, Business Continuity Institute or Legislative Requirements i.e. CCA 2004 / CCS. The above will also apply to individual directorate BCP’s.

Internal Audit

The Emergency Preparedness Team will undertake an internal self assessment of the Plan, either in part or whole, in conjunction with the objectives of the following;

 Civil Contingencies Act 2004, Emergency Preparedness Chapter 6;  British Standard for Business Continuity 25999-Part 1 (Code of Practice)  Ambulance Trust-Information Governance – IG 106

The Department also maintains a register to show SECAmb compliance against BS25999, which is reported through Head of Emergency Preparedness team to the TOPS (Top Operational Managers Meetings)

External Audit

Independent audit will be undertaken by the Audit Commission.

Details of all Business Continuity reviews and audits will be held on the SECAmb BC Review and Audit Registers.

10. Abbreviations & Glossary of Terms

BC Business Continuity

BCP Business Continuity Plan

BCM Business Continuity Management

BCMP Business Continuity Management Plan

BRRT Business Resilience and Recovery Team

BIA Business Impact Analysis

CCA Civil Contingencies Act 2004

CMI Chartered Management Institute

CMT Crisis Management Team

IM&T Information Management & Technology

MIP Major Incident Plan

RG Resilience Group

(29)

Authorised By: Chief Executive To Be Reviewed By: Emergency Preparedness Dept SECAMB South East Coast Ambulance Service NHS Trust

SHA Strategic Health Authority

TOR Terms of Reference

Crisis Management

A process by which an organisation manages the wider impact of any incident until it is either under control or contained without impact to the organisation or until the BCP is invoked.

Business Continuity Plan

Collection of documented procedures and information that has been developed compiled and maintained in readiness for use in an incident, to enable an organisation to continue to deliver its critical activities at an acceptable level.

Critical Activities

Those activities which have to be performed in order to deliver the key services that enable an organisation to meet its most important and time sensitive objectives.

Disruption An event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organizations objectives.

Resilience Ability of an organisation to resist being affected by an incident. Recovery Time

Objective target time set for:

Resumption of service delivery after an incident; or

Resumption of performance of an activity after an incident; or Recovery of an IT system or application after an incident.

11. References & Acknowledgements:

SECAmb Pandemic Flu Plan SECAmb Heat Wave Plan SECAmb Major Incident Plan

SECAmb NEP - Fuel Continuity Plan

Other

British Standards for Business Continuity 25999-Part 1 (Code of Practice) British Standards for Business Continuity 25999-Part 2 (Specification) CCA – Emergency Preparedness Chapter 6, Business Continuity

(30)

Date of Issue: December 2009 Review By Date September 2010 Cabinet Office - Emergency Planning College: BCM1/2

Expecting the Unexpected: Business Continuity in an Uncertain World. London Ambulance Service Business Continuity Policy and Plan Middlesborough Council Business Continuity Policy

Gloucestershire County Council Guide to Business Continuity Management Secure in the Knowledge: Building a Secure Business.

DoH Health Building Note 00-07: Resilience Planning for the healthcare estate

12. Appendices:

Appendix 1 Service Locations Appendix 2 Risk Matrix

Appendix 3 Inter-action with other Plans Appendix 4 BC Event Notification Flowchart

(31)

Appendix 1

SERVICE LOCATIONS

Headquarters Banstead, Surrey. Kent Office Coxheath, Kent. Sussex Office Lewes, Sussex.

Emergency Dispatch Centres Kent – Coxheath, Maidstone, Kent. Surrey – Banstead, Surrey.

Sussex – Lewes, Sussex. Staff Development Centres

(Awaiting update)

Logistics & Fleet Centres Kent – Maidstone Surrey - Banstead Sussex Fleet – Lewes Emergency Preparedness Surrey Office- Banstead

Sussex Office- Lewes

Ambulance Stations by Operational Dispatch Area: (Eastern Division:E; Western Division: W.)

North Kent: (E)

 Dartford  Medway  Sheppey  Sittingbourne  Strood  Thameside

East Kent (E)

 Herne Bay

 Thanet (Make Ready)

 Deal

 Canterbury

 Faversham

South Kent (E)

 Ashford

 Folkestone

 Lydd

(32)

The Weald (E)  Cranbrook  Crowborough  Maidstone  Tonbridge  Tunbridge Wells  Sevenoaks Rother (E)  Battle  Bexhill  Eastbourne

 Hastings (Make Ready)

 Hailsham

 Heathfield

 Rye

 Uckfield

Brighton & Hove (W)

 Brighton  Burgess Hill  Haywards Heath  Hove  Lewes  Newhaven West Sussex (W)  Bognor Regis  Chichester  Littlehampton  Midhurst  Pulborough  Shoreham  Worthing Guildford (W)  Cranleigh  Godalming  Guildford  Farnborough  Haslemere  Tongham

(33)

Date of Issue: December 2009 Review By Date September 2010 Redhill (W)  Caterham  Crawley  Dorking  East Grinstead  Epsom  Godstone  Horley  Horsham  Leatherhead  Redhill Chertsey (W)  Staines

 Chertsey (Make Ready)

 Esher

 Knaphill

 Walton

(34)

Appendix 2 Risk Matrix B High Impact Low Likelihood A High Impact High Likelihood D Low Impact Low Likelihood C Low Impact High Likelihood I N C R E A S IN G I M P A C T INCREASING LIKELIHOOD

(35)

Appendix 3

Interaction with other plans.

SECAmb Major Incident Plan

If the SECAmb Major Incident Plan is activated it may be necessary to activate this plan.

SECAmb Major Incident Plan: (Special Contingencies) Section FIVE: Extremes of Weather

If the SECAmb Major Incident Plan (Special Contingencies) Section FIVE: (Extremes of Weather) is activated it may be necessary to activate this plan.

SECAmb Pandemic Flu Contingency Plan

If the Pandemic Flu Plan is activated the „Management and Response Team‟ (MART) as stated in the Pandemic Flu Plan will also assume the role and responsibilities of the Business Recovery Team.

National Emergency Plan – Fuel (NEP-F)

(36)

BC Event Notification Flowchart Appendix 4

Normal Service

INCIDENT

Emergency Procedures taken

Person identifying incident informs Line Manager/on call manager

BC Plan/s Invoked

Escalation to Senior Management (Silver/Tactical)

Inform Senior Manager/On call

Escalation to Director (Gold/Strategic) Inform Director Level/On call

Escalation from Director Director to assess incident with Senior Manager and EPM on Call.

Decide on actions to be taken

INVOKE BCMP

Incident Resolved Return to Normal Service

(37)

BUSINESS CONTINUITY MANAGEMENT PLAN

SECTION TWO

(38)

Section 2. Activation of the Business Continuity Management Plan

Aim and Objective

In response to an „Emergency‟ or Major Incident, from whatsoever source, internal or external, it is the intention of the South East Coast Ambulance Service NHS Trust to deal with the „Emergency‟ whilst continuing to maintain its (other) critical functions, as far as is reasonably practicable.

Criteria for Activation

The Business Continuity Management Plan will become effective where there are disruptive events to service delivery that:

 a Major Incident is declared;

 are likely to last for more than half a working day;  will impact on the delivery of key activities;

 affect a vulnerable group of service users;  would generate negative publicity; or

 Are likely to escalate into one of the above categories.

Escalation after Detection and preliminary assessment of a disruptive event.

Escalation to a Senior Manager

In the event that any staff member/manager becomes aware of a potential disruptive event they should:

 Ensure any relevant emergency procedures are followed e.g. building evacuation;  Gather as much information as is quickly available; and

 Provide a detailed and accurate situation report to a Senior Manager. Escalation from Senior Manager to Director

Who the Senior Manager is will depend on the type of disruptive event; (within which directorate the event occurs.) They will be responsible for:

 Instigating relevant emergency response;

 Make contact through the EDC with their Head/Director of Department (OOH duty Director.) Who in turn will inform and liaise with the Emergency Preparedness Tactical Adviser/Team Member and the duty „Silver‟.

Escalation from Director

The Director will assess the details of the disruptive event with the Emergency

Preparedness Tactical Adviser/Team member, duty „Silver‟ and decide what action should be taken, this may be;

 The disruptive event is minor and / or confined to a single directorate/unit and can be contained within the Directorate/unit; requirement for activation of any plan is not required in part or in full.

(39)

 The disruptive event is significant and / or confined to a single directorate/unit and can be contained within the directorate without affecting service delivery, but may require the activation, or part thereof, of a department BCP. If a BCP is activated the BCMP may be activated in part or in full.

 The disruptive event is significant / major and affects or has the potential to affect, more than one directorate/unit and will or has the potential to affect critical services; then the BCMP will be activated

Activation of BCMP - Responsibility/Authorisation for;

The Chief Executive or in his absence an Executive Director or Senior Manager in

consultation with Emergency Preparedness Tactical Advisor/Team Member will have the authority to invoke the BCMP.

The Crisis Management Team is likely to be mobilised when:

 The event affects multiple service departments/units and is unlikely to be resolved within half a working day; and

 An emergency event is declared that will have an impact on service delivery (Critical / Vital activities).

Business Continuity Command Centre Locations

In the event that the Crisis Management Team is required to convene, the prime location will be the Chief Executives Meeting Room at Banstead; or an alternative location may be designated by the Chief Executive or his nominated deputy. (Organised by the Lead

Executive.)

The Business Resilience & Recovery Team will convene at a suitable location in the area of the incident; or alternatively in the large Meeting Rooms at, Banstead, Coxheath or Lewes. (Organised by Emergency Preparedness Team,) Some incidents may require the opening of a „mission control centre‟ where members of the BRRT will be situated

(40)

South East Coast Ambulance Service

BCMP

Guidance Card for Action Card 1

No: Department: Log: Times, actions etc.

*Name of department/unit affected *Time incident log opened

1

Disruptive Event Identifier by: Dept. or

EDC, SOM, COM. *Name of reporting staff member

2 What is the identified risk/threat

*Description of disruptive event 3 Will it affect Critical / Vital support?

* Describe how the event will affect the service

4 Is the disruptive Event occurring NOW?

*Yes or describe the potential for a disruptive event. 5 Is the Disruptive Event anticipated within

a. 2-8 hours b. 8-24 hours c. 24-48 hours d. 48+ hours

*If potential, when is it anticipated to happen?

6

What is proposed to resolve the event?

*How are we going to manage and resolve this event? *What options are there to consider? *Can we estimate recovery time from the event? *Can we maintain Critical Activities?

7

EDC informs ‘Duty Silver’ or

Departmental Director & ‘Duty EPM’ – Liaison concludes incident or take action as 8/9 below

Name & Time:

*Names & time of those informed

8 Informs on call Gold & BC Director/EPPPSM

Name & Time:

*Name and time of declaration?

9

On Call Gold

a. Will note proposed actions or b. Request a timed update or

c. Convene Crisis Management Team

*Decision taken by „Gold‟

10 CMT Convenes

Location & Time:

*Location of convened CMT and time of first meeting

(41)

South East Coast Ambulance Service

BCMP

Action Card 1 – Initial Actions

1

Disruptive Event Identifier by: Dept. or EDC, SOM, COM.

2 What is the identified risk/threat

3 Will it affect Critical / Vital support?

4 Is the disruptive Event occurring NOW?

5 Is the Disruptive Event anticipated within a. 2-8 hours

b. 8-24 hours c. 24-48 hours d. 48+ hours

6

What is proposed to resolve the event?

7

EDC informs ‘Duty Silver’ or

Departmental Director & ‘Duty EPM’ – Liaison concludes incident or take action as 8/9 below

Name & Time:

8 Informs on call Gold & BC Director/EPPPSM

Name & Time:

9

On Call Gold

a. Will note proposed actions or b. Request a timed update or

c. Convene Crisis Management Team

10 CMT Convenes

(42)

Guidance Card for Action Card 2

(For those responsible Managers/ Directors receiving information, and making decisions in relation to the event.)

*Name of department/unit affected *Time incident log opened

1 Duty / On Call Gold informed at: *Log time & method of notification

2

What is the nature of the Disruptive Event:

*Description of disruptive event 3 Will it affect Critical / Vital Activities?

* EDC's - Call Handling & Dispatch of Resources *Operational Personnel & Resource Centres *Operational Response (Logistics) etc… 4

How will it affect critical activities / vital support?

*Describe problems real or potential. 5 Is the Disruptive Event occurring NOW?

*Yes or describe the potential for a disruptive event. 6 Is the Disruptive Event anticipated within

a. 2-8 hours b. 8-24 hours c. 24-48 hours d. 48+ hours

*If potential, when is it anticipated to happen?

7 What is proposed to resolve the event? (Maintain critical / vital activities.)

*How are we going to manage and resolve this event? *What options are there to consider? *Can we estimate recovery time from the event? *Can we maintain Critical Activities?

8

On Call Gold - Will assess, note proposed actions

& either request a timed update or convene CMT.

(activate the BCMP)

*Based on information provided, guidance and liaison with Director/s/Managers decide on activation of

BCMP *IF IN DOUBT - ACTIVATE THE PLAN*

9

Gold declares a BC Incident - (unless the Incident emanates from a declared MI elsewhere.)

Name & Time:

*Name and time of declaration? 10

Crisis Management Team (CMT)

convenes. *Time of start of first meeting?

11

Representative of SECAmb sits on SCG

(Gold) if separate. *Name of Representative

12 CMT Meetings held - Agenda & Minutes *Person responsible for agenda / minutes

13

Business Resilience & Recovery Team (BRRT) convenes

Location & Time:

*Location of convened BRT and time of first meeting. 14

BRRT provides ongoing Risk

assessment for Gold. *Updates CMT regularly

15 BRRT Meetings held - Agenda & Minutes *Person responsible for agenda / minutes

16

CMT tasks BRRT in respect of Business Continuity

*Decision log and name of nominated liaison officer 17

CMT determines - Normality has

returned. *Decision log entry of closure of event

18 SECAmb, Media & Public informed.

*Ensure Warning and Informing process takes place 19

Post Event procedures - De-brief, welfare etc.

*Check on de-briefing and welfare of those involved

(43)

Action Card 2 – Subsequent Actions

1 Duty / On Call Gold informed at:

2

What is the nature of the Disruptive Event:

3 Will it affect Critical / Vital Activities?

4

How will it affect critical activities / vital support?

5 Is the Disruptive Event occurring NOW?

6 Is the Disruptive Event anticipated within a. 2-8 hours

b. 8-24 hours c. 24-48 hours d. 48+ hours

7 What is proposed to resolve the event? (Maintain critical / vital activities.)

8

On Call Gold - Will assess, note proposed actions

& either request a timed update or convene CMT.

(activate the BCMP)

9

Gold declares a BC Incident - (unless the Incident emanates from a declared MI elsewhere.)

Name & Time:

10

Crisis Management Team (CMT) convenes.

11

Representative of SECAmb sits on SCG(Gold) if separate.

12 CMT Meetings held - Agenda & Minutes

13

Business Resilience & Recovery Team

(BRRT) convenes Location & Time:

14

BRRT provides ongoing Risk assessment for Gold.

15 BRRT Meetings held - Agenda & Minutes

16

CMT tasks BRRT in respect of Business Continuity

17

CMT determines - Normality has returned.

18 SECAmb, Media & Public informed.

19

Post Event procedures - De-brief, welfare etc.

(44)

Business Continuity Management Plan

Business Continuity

Management Plan

Business

Continuity

Operations

Emergency

Preparedness

SOUTH EAST COAST AMBULANCE SERVICE NHS

TRUST

BUSINESS CONTINUITY MANAGEMENT PLAN

FOREWORD:

BUSINESS CONTINUITY MANAGEMENT PLAN

South East Coast Ambulance Service NHS Trust

BUSINESS CONTINUITY MANAGEMENT PLAN

CONTENTS:

SOUTH EAST COAST AMBULANCE SERVICE NHS TRUST

Business Continuity Management Plan

AMENDMENT RECORD SHEET

BUSINESS CONTINUITY MANAGEMENT PLAN

SECTION ONE

1.

Business Continuity Management

Business Continuity Policy:

2.

COMMAND AND CONTROL – BCMP:

3.

Crisis Management Team

4. Business Resilience & Recovery Team: (BRRT)

5. Documentation

6. Other Arrangements

7. Salvage

8.

Trust Resilience Group

9.

Training, Exercising & Audit

10.

Abbreviations & Glossary of Terms

11.

References & Acknowledgements:

12.

Appendices:

BUSINESS CONTINUITY MANAGEMENT PLAN

SECTION TWO

South East Coast Ambulance Service

BCMP

South East Coast Ambulance Service

BCMP

BUSINESS CONTINUITY MANAGEMENT PLAN

SECTION THREE

Business Continuity Plans