Business Continuity Strategy

Doc Number: -

Version: 1.0

Status: Final

Type of document ie. Clinical guidance, Form, Procedure etc

Authorisation Groups: Business Continuity Steering Group, Emergency Planning Resilience and Response Group, Governance and Risk Committee

Ratified by:

Date Ratified:

Date Processed:

Review Date: Annually

Document Author: Business Continuity Manager

Document Owner: Head of Resilience and Special Operations

Authorised Signatory:

Authorised Staff: All Staff


Contents

1. Introduction

2. Business Continuity Management System

2.1 Senior Management Accountability

2.2 Business Continuity Manager

2.3 Business Continuity Plan Owners

2.4 Business Continuity Steering Group

3. Competencies and Training relating to those with responsibility for the BCMS

4. Interested Party / Stakeholder Analysis

5. Budget Requirements

6. Understanding the Organisation

6.1 Business Impact Analysis

6.1.1 Strategic Business Impact Analysis

6.1.2 Tactical Business Impact Analysis

6.1.3 Operational Business Impact Analysis

6.2 Risk Assessment

6.3 Determining BCM Strategies for Service Areas

6.4 Developing and Implementing a BC Response

6.5 Exercising, Maintaining and Reviewing the BCMS

6.5.1 Exercising (and testing)

6.5.2 Maintaining

6.5.3 Reviewing

6.5.4 Audit

7. Embedding Business Continuity Management

8. Sources of Information relating to the BCMS

Annex A – BC Steering Group Terms of Reference

Annex B – Core Competencies for those with responsibilities for the BCMS

Glossary of Terms

Bibliography


1. Introduction

This strategy has been developed to support achievement of the objectives identified in the NEAS Business Continuity Policy. It is designed to identify the actions needed to address the findings from the Business Impact Assessment (BIA) and risk assessments in a way that meets the needs of the business continuity objectives of the Trust.

The BIA will help the organisation ensure that its business continuity aligns with its purpose (to deliver right care, right place, right time) and vision (to make a difference by integrating care and transport in pursuit of equity and excellence for our patients) based on NEAS’ strategic intentions and values as well as its statutory duties and obligations to its interested parties.

BIA and risk assessment will provide the information the organisation needs to determine and select business continuity strategies and measures that:

a. Limit the impact of a disruption on the organisation;

b. Shorten the period of disruption; and

c. Reduce the likelihood of a disruption.

The following diagrams (Figures 1, 2 and 3) are intended to illustrate conceptually how business continuity can be effective in mitigating impacts in certain situations. No particular timescales are implied by the relative distance between the stages depicted in each of the diagrams. The diagrams show:

Figure 1 - Sudden Incident – an event that has been foreseen by the organisation and for which business continuity response arrangements are in place to deal with a disruption to the service(s). A local example of this could be the failure of the Emergency Operations Control (EOC).

Figure 2 - Gradual Incident – an event that has been foreseen and for which there is a period of warning leading towards the incident. Business continuity response arrangements are in place to deal with the disruption to the service(s). A local example of this could be the lead up to the declaration of an Influenza Pandemic.

Figure 3 – Sudden Crisis – an event that has not been foreseen by business continuity processes or where the event is so large in its scale and complexity that all business continuity arrangements fail, leading to widespread service disruption to the wider Trust and its partners. During such incidents, a ‘Crisis’ should be declared and the Trust’s Crisis Management Plan invoked to form the response.


Figure 1 – Illustration of business continuity being effective for a sudden disruption e.g. an A&E Contact Centre service failure

Figure 2 – Illustration of business continuity being effective for gradual disruption (e.g. approaching pandemic)


The context, evaluation criteria and format of the outcome of the BIA will be agreed in advance and this information will be regularly reviewed, particularly during times of change. Understanding the context of the organisation is central to the successful implementation of ISO 22301 – Societal Security – Business Continuity Management (hereafter known as ISO 22301), which is the stated aim of the Trust Business Continuity Policy. The process of gaining this understanding is outlined in Figure 3.

Figure 3 – Illustration of business continuity being effective for an unforeseen, high impact, large scale disruption that will involve the invocation of the Crisis Management Plan


Actions and strategies to enhance business continuity are likely to be needed before, during and after a disruptive incident and may, for example, include reducing the overall impact of a disruptive incident through business continuity arrangements that shorten the period of interruption and reduce its intensity to acceptable levels. The organisation will determine appropriate strategic options for:

a. Protecting its prioritised activities and their supporting services which have been identified in the BC Policy as:

i. Emergency Care

ii. Patient Transport Services

iii. Contact Centre Management

iv. Supporting national resilience

b. Stabilising, continuing, resuming and recovering prioritised activities.

c. Mitigating, responding to and managing impacts.

NEAS will also have a documented mechanism in place for the review and approval of recommended solutions.

Figure 4 – Understanding the organisation


2. Business Continuity Management System (BCMS)

The BCMS is comprised of a variety of documentation, systems and processes which can be split into three broad headings: Governance, Planning and a Management System. This is outlined in Figure 4 below. In order to meet the objectives of the BC Policy, the Service has clarified the roles and responsibilities placed on those involved in the BCMS.

2.1 Senior Management Accountability

Senior Management accountability for BCM lies with the Chief Operating Officer. Should a business interruption have a significant impact on service delivery, the Chief Operating Officer will lead the strategic response and convene a Business Continuity Management Team. Responsibility for BCM processes falls under the remit of the Head of Resilience and Special Operations (HoRSO). The role of the HoRSO includes:

a. Implementation of policy and strategy relating to BCM;

b. Embedding BCM culture throughout the Service;

c. Advisor to the Executive Group and Trust Board on BCM issues;

d. Advisor to the Risk and Governance Group on BCM issues; and

e. Reporting on the performance of the BCMS to Executive Team and Trust Board.

Figure 5 – The Makeup of the BCMS


When necessary, the Business Continuity Manager will deputise for the Head of Resilience and Special Operations in relation to the above responsibilities.

2.2 Business Continuity Manager

The Business Continuity Manager has responsibility for:

a. Supporting implementation of policy and strategy relating to BCM;

b. Supporting the embedding of a BC culture throughout the Trust;

c. Internal audits in respect of business continuity in line with relevant standards, statutory responsibilities and recognised good practice;

d. Development of policy and strategy relating to BCM;

e. Ensuring that the BCMS conforms to the requirements of the Civil Contingencies Act (2004) and ISO 22301 – Societal Security – Business Continuity Management;

f. Administration of an exercise programme to validate BCM arrangements;

g. Providing audit information to relevant interested parties;

h. Training and supporting plan owners in all aspects of BCM;

i. Monitoring national and local developments in respect of BCM and liaising with other Ambulance Trusts and partner agencies;

j. Incorporating BCM into the corporate Risk Management framework; and

k. Measuring performance against the BCMS Objectives and creating reports for the Business Continuity Steering Group, Executive Team and the Trust Board.

2.3 Business Continuity Plan Owners

Business Continuity Plan Owners have responsibility for Business Continuity Plans (BCPs) for their own service area (roles are defined in each BCP). Their responsibilities include:

a. Identification and analysis of critical activities within their service area (as part of the Business Impact Analysis process);

b. Development of appropriate strategies to reduce, shorten or limit the impact of any disruption to their service area activities;

c. Preparation and maintenance of BCPs in consultation with the Business Continuity Manager;

d. Attendance at relevant internal training/workshop events to develop BCM within their service area;

e. Ensuring BCM is communicated and promoted to all staff within their service area;


f. Ensuring the BCP is tested and exercised so that it is current and effective in line with the BC Exercise Schedule; and

g. Invoking the BCP following a business disruption or exercise and submitting a Business Interruption Report (BIR) when appropriate.

2.4 Business Continuity Steering Group

The Business Continuity Steering Group (BCSG) is the principal mechanism for management review of the BCMS and informing Senior Management on emerging BCM issues. Members of the BCM Steering Group will be responsible for implementing and monitoring strategic direction in respect of the BCMS. Terms of Reference have been created for this group (see Annex A), which is attended by:

• Head of Resilience and Special Operations

• Head of Risk and Claims

• Business Continuity Manager

• Emergency Care Business Manager

• IT Systems Manager

• Control Systems and Resilience Officer

3. Competencies and Training relating to those with responsibility for the BCMS

A Training Needs Analysis (TNA) will be conducted by the Business Continuity Manager in close cooperation with the Learning and Development department. This will identify differing levels of competencies required by those with responsibilities under the BCMS. Where appropriate, these are aligned with the relevant National Occupational Standards (NOS).

Appropriate training for those identified will be carried out by the Business Continuity Manager, the wider Resilience Department and other external agencies as appropriate e.g. British Standards Institute (BSI), the Business Continuity Institute (BCI) and the Serco (Cabinet Office) Emergency Planning College. Courses delivered will be mapped against the BCM NOS where appropriate.

The Business Continuity Manager is currently investigating BCM software to be deployed in the Trust. Part of the software specification includes sections about training record management and it is hoped that this new system will be used to store records of training events and exercises. Where appropriate, the Oracle training system will also be used to demonstrate that competency has been achieved and maintained by individuals who have responsibilities under the BCMS. The Service is working towards Oracle records for all staff as the BC Training Programme matures.


Evaluation of internal and external training and exercises will be achieved using NEAS established training evaluation documents. Core competency SMART objectives for those with responsibility for the BCMS can be found at Annex B.

4. Interested Party / Stakeholder Analysis

As well as identifying key roles and responsibilities within the organisation, an analysis has been carried out to identify which other interested parties / stakeholders (both internal and external) are to be considered and engaged in the BCMS. These are detailed in the BCMS Communications Strategy.

5. Budget Requirements

Budget provision for the continual assessment costs associated with accreditation is currently being discussed at a strategic level.

6. Understanding the Organisation

6.1 Business Impact Analysis (BIA)

The key services that enable NEAS to operate in line with the organisation’s statutory requirements, its mission, vision and strategic intentions in line with its values are:

a. Emergency Care

b. Patient Transport Services

c. Contact Centre Management

d. Supporting national resilience

The process of identifying activities that support the effective delivery of our key services and determining and documenting the impact of a disruption to them is known as a Business Impact Analysis (BIA). All locations and service areas are included in the scope of the BCMS and will be subject to a BIA.

The process then categorises all service area activities according to their priority for recovery by determining a Maximum Tolerable Period of Disruption (MTPD) for each activity based on one of the seven categories:

i. Intolerable Impact activities that should be reinstated within 1 hour

ii. Intolerable Impact activities that should be reinstated within 3 hours

iii. Intolerable Impact activities that should be reinstated within 1 day

iv. Substantial Impact activities that should be reinstated within 3 days

v. Moderate Impact activities that should be reinstated within 1 week


vi. Tolerable Impact activities that should be reinstated within 4 weeks

vii. Trivial Impact activities that need to be reinstated over 4 weeks

A trivial impact activity does not indicate that the activity is not important; it indicates that the activity is less time critical. Those activities that need to be reinstated within 4 weeks are subject to further analysis to identify and document the necessary minimum resources required to reinstate each activity efficiently. Activities that have an MTPD of over 4 weeks will not be subject to further analysis of resources and will come under the scope of the recovery process following a disruption.

Those activities that have the greatest impact in the shortest time and need to be recovered most rapidly in the event of a disruption are referred to as ‘Critical Activities’. For our Trust, these are activities that would have to be reinstated within 1 day (or less).

All Business Continuity Plan holders are responsible for completing the BIA for their own service area (with support, facilitation and guidance from the Resilience Department). It is anticipated that the BIA process will be completed in a specialist, web-based BCM software solution rather than on a traditional spreadsheet process.

IM&T, Estates and Procurement will all be informed of each service area’s BIA. This will ensure that in the event of a Service-wide disruption, they can respond in accordance with the overall Trust priorities identified in the BIA. The BIA process is outlined in Figure 2.

Three different levels of Business Impact Analysis will be conducted as part of the ISO implementation in the Trust.

In the event of a significant change to the Department, Service or wider organisation, the BIA process will need to be reviewed and updated.

Figure 6 – Overview of the Business Impact Analysis process


6.1.1 Strategic Business Impact Analysis

The Strategic BIA will identify and prioritise the organisation’s products and services and understand the organisation’s recovery timescales and tolerance levels.

6.1.2 Tactical Business Impact Analysis

The Tactical BIA will determine the dependent activities for the most urgent services and assess the impact of disruption on them.

6.1.3 Operational Business Impact Analysis

The Operational BIA will determine the required resources for the continuity and recovery for the most urgent activities.

This three-tier approach is outlined in Figure 7 below.

Figure 7 – Three levels of Business Impact Analysis at the Strategic, Tactical and Operational Levels


6.2 Risk Assessment

BCM is integral to the NEAS Risk Management Strategy framework which currently exists. This process identifies the organisational risks the Service faces, some of which encompass BCM risks. Department / Division Risk Registers are monitored at the Risk and Governance Group on a quarterly basis.

Part of the BIA involves plan holders identifying any BCM risks or vulnerabilities applicable to the activities of their service area. These vulnerabilities may be Single Points of Failure (SPoFs) where there are no contingency arrangements in place to support the resources required. For example, where there is only one specialist skilled member of staff to carry out a particular activity or there is a single piece of equipment that is held at a location and no alternative sources of this equipment have been identified. Single suppliers that support our critical activities may be identified as SPoFs.

The Business Continuity Steering Group review the BIA risks identified and work with service managers to consider loss mitigation and risk treatment strategies. Any significant risks to the organisation will be raised at the Emergency Planning Working Group and subsequently the Risk and Governance Group and be managed under the established risk management framework.

Certain specific risks will require the development of a more detailed Business Continuity Plan – for instance, contingency plans for Pandemic Influenza, capacity and demand management and fuel supply disruption.

6.3 Determining BCM Strategies for Service Areas

Once vulnerabilities are identified relating to the organisation’s critical activities, this next stage involves identifying appropriate BC strategies to resume the more critical activities, taking into consideration cost and consequences of inaction.

Examples of BC strategies that service areas can adopt include identifying alternative sites that activities can be carried out from, implementing multi-skilled training so that more than one individual is trained in a specialist role and identifying alternative suppliers or outsourcing.

As the Service procures a diverse range of commodities/services from a wide range of suppliers/contractors, a BC Procurement Strategy will be developed to provide assurance that more than the supplier/contractors that support the delivery of our critical activities can deliver their contractual obligations regardless of any business disruption that they may face.

The BC Steering Group work with service managers to agree BC strategies and record these in BCPs.


6.4 Developing and Implementing a BC Response

BCPs will be developed by service managers to detail the priorities of that service area, how that service area will manage a business continuity incident and how it will reinstate critical activities (to a pre-determined level) in the event of a disruption. Incident management of the overall Service response to a business interruption is detailed in the NEAS Crisis Management Plan.

BCPs are supported by Evacuation Plans which have been specifically developed for all locations by Risk and Claims / Estates. Estates will also be asked to produce Premises Information Packs for each location to enable premises related emergencies to be dealt with effectively to mitigate the emergency resulting in a business disruption.

6.5 Exercising, Maintaining and Reviewing the BCMS

6.5.1 Exercising (and testing)

All BCPs will be exercised by the most appropriate means with minimum disruption to service areas to ensure that they are reliable. Specific exercises allow the effectiveness of each plan to be validated and, where necessary, adjustments to be made. As well as providing BC awareness, exercising also instils confidence amongst exercise participants by allowing them to rehearse their response during a business interruption in a safe and consequence free environment. Consequently, exercising also facilitates training of all individuals who participate.

All plan owners will be responsible for contributing to exercising their own service area’s BCP supported by the Resilience Team. An annual schedule of exercises will be developed and agreed at Board-level.

The exercising and testing of any BCPs will be recorded on the (future) BC software solution for audit and review purposes. Any preventative actions arising from the exercise are allocated a responsible person and timeframe for completion. The (future) BC software solution will automatically record and maintain the database based on the information provided during and after the exercise.

6.5.2 Maintaining

The procedure for maintaining BCMS documentation is detailed in the BCMS Document and Record Control Guidance.


6.5.3 Reviewing

The BC Steering Group is the principal mechanism for management review of the BCMS. Meetings are scheduled at planned intervals (at least quarterly) and agendas and minutes are produced. The meetings will follow the format outlined in the management review schedule.

Monitoring changes and reviewing the BCPs is the responsibility of the plan holder (in consultation with the Resilience Team where necessary). The plan holder should self-assess the BCP to ensure it is fit for purpose and update the BCP if any significant changes are required e.g. outcomes from business disruptions, incidents, exercises and training, organisational structure changes, changes to contact details, changes in supplier/contractor, new ways of working or new risks identified etc.

As well as this on-going review, the Resilience Team will also coordinate an annual formal self-assessment of BCPs. Plan holders will be requested to review their own plans and confirm they are current or make the necessary amendments.

The invocation of any continuity plans (or potential invocation) will be recorded on the (future) BC software solution for audit and review purposes. Any corrective actions arising from the business interruption/potential business disruption (close call) are allocated to a responsible person and given a timeframe for completion. The Resilience Team is responsible for monitoring the (future) BC software solution based on the information inputted by service area managers.

6.5.4 Audit

Internal audit of BCM arrangements is part of a continual programme undertaken by the Resilience Team (qualified to audit against the requirements of ISO 22301). Other Ambulance Trusts through the National Ambulance Resilience Unit (NARU) Business Continuity group will also conduct regular peer reviews of the BCMS to provide assurance the Trust is compliant with its statutory responsibilities.

It is hoped that the Trust will choose to accredit to ISO 22301 in the future – this will then require continual assessment to maintain certification to the ISO through the British Standards Institute (external audit). The continual assessment process will involve the transition to ISO 22301, the International Standard for Business Continuity Management.

7. Embedding Business Continuity Management

The Trust will support the embedding of a BCM culture which will be led by the Board by allocating key responsibilities for BC arrangements. The Service recognises that all staff must have an understanding of the importance of BCM, commensurate with their BC responsibilities. Training will be delivered to relevant staff who may be involved in managing a BC incident or who are required to complete elements of the BCMS e.g. the BIA, BCP etc.

The Service will continue to review, develop and drive effective BCM strategies and arrangements. The Trust is committed to the principles of BCM and will support all staff to ensure that we will always deliver the mission of the organisation based on its vision, strategic intentions and values.


8. Sources of Information relating to the BCMS

The main location of information relating to the BCMS will be the (future) BC software solution and the NEAS Intranet. The software solution will store the latest versions of BCPs, BIAs, policy/strategy along with details of exercises, interruptions and associated action plans.

Records of attendance at training events and exercises are held on the (future) BC software solution, maintained by the Resilience Team. The software solution is also a portal used across the Service for HR contact information.

As part of our continual improvement plan, the Service is working towards BC training records for all staff as the training programme matures. The (future) BC software solution will be used to not only record training, but also demonstrate that competency has been achieved and maintained by individuals under the BCMS.

The (future) BC software solution holds information on all interruptions, potential interruptions (near misses) and exercises. It maintains action plans for corrective and preventative actions arising from these events and has a facility to print reports to identify trends/improvements (across the whole of the BCMS as well as training).

Any additional information not published relating to the BCMS will be held on the (future) BC software solution.


ANNEX A

Terms of Reference

Title:

Business Continuity Steering Group

Date approved, and approving body:

Emergency Planning & Resilience Group

Date reviewed: Next review date:

1st October 2013

Purpose:

The BC Steering Group is the principal mechanism for management review of the BCMS and informing Senior Management on emerging BCM issues. Members of the BCM Steering Group will be responsible for implementing and monitoring strategic direction in respect of the BCMS and will discuss:

• Ensuring the BCMS meets the needs of North East Ambulance Service NHS Foundation Trust;

• Monitor emerging legislation, good practice and guidance and discuss BCM issues raised at external groups such as the Local Resilience Fora (Northumbria LRF, Durham and Darlington LRF and Cleveland LRF) or Association of Ambulance Chief Executives (AACE) National Ambulance Resilience Unit (NARU) Business Continuity group;

• Lead the implementation of the (future) BC software solution in the Trust;

• Monitoring other internal or external changes that could affect BCM Policy and Strategy;

• Constantly evaluating risk and monitoring vulnerabilities and threats to the BCMS;

• Monitor feedback and identify methods to continually improve the BCMS by reviewing procedures and policy;

• Evaluate response to business interruptions;

• Monitoring the status of preventative and corrective actions logged on the (future) BC software solution;

• Coordinate and evaluate the training and awareness programme;


• Evaluate exercise results, actions and outcomes;

• Carry out necessary actions from the management review schedule;

• Review results of BCMS audits and reviews; and

• Determining and allocating budget and other resource requirements for the BCMS.

This list of terms is not exhaustive and other issues may be discussed as deemed appropriate; others may also be invited to attend the group, determined by the nature of discussions.

Membership: Business Continuity Manager Head of Resilience and Special Operations Head of Risk and Claims Head of IM&T Head of Estates Control Systems and Resilience Officer

Non-core members: Important specialist input will be required on a less regular basis – these members will be invited to meetings that will deal specifically with their work areas,

Chair: Business Continuity Manager

Vice Chair: Head of Resilience and Special Operations

Quorum: A quorum shall be five members.

Secretary: Trust Resilience Department

Frequency of Meetings: Meetings will be held to take forward specific pieces of work and to measure progress; they will take place on a quarterly basis; however, the Chair can call meetings at short notice if necessary.

Rules as to Meetings & Proceedings:

Inc. Notice (period) of meeting, issue of Agenda & supporting papers e.g., 3 clear days in advance, Minutes of proceeding shall be drawn up for agreement at next ensuring accuracy

Attendance at meetings: Attendance at meetings is mandatory; deputies are allowed but not encouraged.

Authority/Tolerances:

• Oversee any investigation of activities within its Terms of Reference.

• Seek reports and positive assurances from Managers and others on individual functions or overall arrangements for all aspects of Business Continuity Management.

• Obtain legal advice or other independent professional advice. Secure the attendance/participation of external/internal stakeholders with relevant experience and expertise.

• Establish time limited task groups to undertake specific pieces of work


Duties – decision making:

• Approve the NEAS Business Continuity Policy, the NEAS Business Continuity Strategy, the NEAS Crisis Management Plan and other related documentation to the BCMS relative to its remit

• Agree the annual objectives of the group

• Approve any related Business Continuity procedures

Duties – advisory:

• To recommend annually that the BCMS key documentation (BC Policy, BC Strategy and Crisis Management Plan and any supporting arrangements) is approved by the Board via the Emergency Planning and Resilience Group and the Governance and Risk Committee;

• Seek assurances that the systems and processes are in place to assure the Business Continuity of the Trust is maintained at all times from across the organisation; and

• Propose effective measures are put in place to ensure Business Continuity of the Trust

Duties – monitoring:

• NEAS requirements under the International Standard for Business Continuity – ISO 22301 – Societal Security – Business Continuity Management;

• NEAS duties under the Civil Contingencies Act to implement Business Continuity Management as per Section 6 of Emergency Preparedness;

• To monitor the effectiveness of the BCMS and ensure that recommendations are raised to the appropriate level to ensure continual improvement;

• To monitor and oversee all Business Continuity activities occurring within the Trust;

• To monitor and scrutinise business disruptions within the Trust and to ensure that lessons identified/learnt from such incidents are properly documented within the BCMS and supporting systems;

• To monitor against the annual objectives of the group;

• To monitor and oversee all action plans arising from reviews and audits to ensure they meet expected outcomes;

• To review all audits and reviews making comment on any draft documents relating to the BCMS or Business Continuity more widely;

• To ensure regular reports and updates are provided to the Governance and Risk Committee through the Emergency Planning and Resilience Group;

• To monitor and review any critical incident within its remit;

• To monitor and review national and regional risk registers; and


• To monitor and review the Business Continuity training and development status of all staff within the Trust and in particular those with responsibilities under the BCMS as identified in the BC Strategy.

Duties – Standing Agenda Items (must include these):

Every meeting:

• Apologies for absence
• Minutes of the last meeting
• Matters arising via action sheet
• BCMS Quality Assurance – Business Interruptions and Action Plans
• Continual improvement plan 2013/2014
  o Procedure review
  o Implementation of ISO 22301
• External/Internal Audit
• Exercising/Testing
• Emerging BCMS issues/risks
• Risk registers
• AOB
• Date and time of next meeting

Annually:

• Review Terms of Reference and membership of the group
• Review the Trust objectives and the objectives of the group
  i. Contribution to the Cost Improvement Programme? Any?
  ii. Decisions made? Has other internal/external stakeholder involvement (budgetary/training etc) been considered?
• (April/May) – Consideration of Trust Business Objectives and the contribution of the group/committee

Subgroups: Task and finish groups to be formed as required

Accountability: Governance and Risk Committee through the Emergency Planning and Resilience Group

Reporting responsibilities: Minutes will be submitted to the Governance and Risk Committee through the Emergency Planning and Resilience Group

Self-Assessment: The group will review its performance annually against its Terms of Reference and through peer reviews on conformance with ISO 22301.


ANNEX B Core Competencies and SMART Objectives for those with responsibility for the BCMS

New Objective Be Specific How Is it Measurable? How Is it Attainable & Is it Relevant? Timed

Individual Specific SMART Objective: To ensure that Directorate / Department Business Impact Analysis (BIA) are maintained, updated, revised and signed off every 12 months.
Expected Outcome – Actions to achieve activity: All Business Impact Analysis for all service and critical functions updated, reviewed (with the assistance of the Business Continuity Manager) and signed off.
Measures to indicate successful completion: BIA updated on the BCM web-based software.
Due Date: 12 months

Individual Specific SMART Objective: To ensure that Directorate / Department Business Continuity Plans are maintained, updated, revised and signed off every 12 months.
Expected Outcome – Actions to achieve activity: All Business Continuity Plans for all service and critical functions updated, reviewed (with the assistance of the Business Continuity Manager) and signed off.
Measures to indicate successful completion: BCP updated on BCM web-based software.
Due Date: 12 months

Individual Specific SMART Objective: To train on and exercise each service Business Continuity Plan.
Expected Outcome – Actions to achieve activity: Training delivered on BCP and wider Business Continuity Management – supported by Business Continuity Manager and Resilience Department. BCP is exercised annually – supported by the Business Continuity Manager and Resilience Department.
Measures to indicate successful completion: Evidence of training captured on web-based BCM software. Evidence of exercise captured on web-based BCM software.
Due Date: 12 months

Individual Specific SMART Objective: Any Business Continuity disruptions documented and debriefed.
Expected Outcome – Actions to achieve activity: Any Business Continuity disruptions documented. Debrief sessions conducted with staff post-disruption.
Measures to indicate successful completion: All disruptions documented and evidenced on web-based BCM software.
Due Date: As required


Glossary of Terms

Term: Description

Activity: A process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products or services.

BSI: British Standards Institution, the UK national standards body and UK representatives to ISO.

Business Continuity (BC): The strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Business Continuity Institute (BCI): The Institute of professional Business Continuity Managers. Website www.thebci.org.

Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats—if —might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business Continuity Management System (BCMS): Part of the overall management system that implements, operates, monitors, reviews, maintains, and improves business continuity.

Business Continuity Plan (BCP): A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical products and services at an acceptable predefined level.

Business Continuity Policy: A BCM policy sets out an organisation’s aims, principles and approach to BCM, what and how it will be delivered, key roles and responsibilities and how BCM will be governed and reported upon.

Business Impact Analysis (BIA): The process of analysing business functions and the effect that a business disruption might have upon them.

Business Continuity Strategy: A strategic approach by an organisation to ensure its recovery and continuity in the face of a disaster or other major incidents or business disruptions.

Critical Activities (or services): Those activities which have to be performed to deliver the key products and services and which enable an organisation to meet the most important and time-sensitive objectives.

Disruption: An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).

Exercise: Rehearse the roles of team members and staff, and test the recovery or continuity of an organisation’s systems (e.g., technology, telephony, administration) to demonstrate business continuity competence and capability.

ISO 22301: The International Standard that sets out the requirements for a Business Continuity Management System (BCMS). ISO 22301 is based on the 'Plan-Do-Check-Act' model as found in other management system standards.

Risk Appetite: Total amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.


Bibliography

The Business Continuity Institute (2013) Good Practice Guidelines 2013 – Global Edition – A Guide to Global Good Practice in Business Continuity. Available online at: www.thebci.org

British Standards Institute (2012) Societal security – Business Continuity Management Systems – Requirements. Available from the Trust Resilience Team

British Standards Institute (2013) Societal security – Business Continuity Management Systems – Guidance. Available from the Trust Resilience Team

HMG (2004) The Civil Contingencies Act (2004), Her Majesty's Stationery Office. Available online at: http://www.legislation.gov.uk/ukpga/2004/36/contents

HMG (2004a) Emergency Preparedness – Guidance on Part 1 of the Civil Contingencies Act 2004, its associated regulations and non-statutory arrangements, Her Majesty's Stationery Office. Available online at: https://www.gov.uk/government/publications/emergency-preparedness

NHS Commissioning Board (2013) NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response (EPRR). Available online at: http://www.england.nhs.uk/wp-content/uploads/2013/02/eprr-standards.pdf

NHS Commissioning Board (2013a) NHS Commissioning Board Business Continuity Management Framework (service resilience). Available online at: http://www.england.nhs.uk/wp-content/uploads/2013/01/bus-cont-frame.pdf