Business Continuity Policy
Version: 7.1
Status: Approved
Title of originator/author: Resilience Officer, Business Continuity
Name of responsible director: Executive Director of IM&T
Developed/revised by group/committee and Date:
Business Continuity Steering Group
Approved by group/committee and Date: Directors 16 September 2014
Effective date of issue: (1 month after approval date)
16 October 2014
Next review date: June 2017
Date Equality Impact Assessment Completed:
Regulatory Requirement: Civil Contingencies Act 2004
Emergency Preparedness, Resilience and Response NHS Core Standards (clause 7)
Page 1 of 26 – South Western Ambulance Service Foundation Trust - Business Continuity Policy
Trust Policy Foreword
South Western Ambulance Service NHS Foundation Trust (SWASFT) has a number of specific corporate responsibilities and obligations relating to patient safety and staff wellbeing. All Trust policies need to appropriately include these.
Health and Safety - SWASFT will, so far as is reasonably practicable, act in accordance with the Health and Safety at Work etc. Act 1974, the Management of Health and Safety at Work Regulations 1999 and associated legislation and approved codes of practice. It will provide and maintain, so far as is reasonable, a working environment for employees which is safe, without risks to health, with adequate facilities and arrangements for health at work. SWASFT employees are expected to observe Trust policy and support the maintenance of a safe and healthy workplace.
Risk Management - SWASFT will maintain good risk management arrangements by all managers and staff by encouraging the active identification of risks, and eliminating those risks or reducing them to the lowest level that is reasonably practicable through appropriate control mechanisms. This is to ensure harm, damage and potential losses are avoided or minimized, and the continuing provision of high quality services to patients, stakeholders, employees and the public. SWASFT employees are expected to support the identification of risk by reporting adverse incidents or near misses through the Trust web-based incident reporting system.
Equality Act 2010 and the Public Sector Equality Duty - SWASFT will act in accordance with the Equality Act 2010, which bans unfair treatment and helps achieve equal opportunities in the workplace. The Equality Duty has three aims, requiring public bodies to have due regard to: eliminating unlawful discrimination, harassment, victimization and any other conduct prohibited by the Act; advancing equality of opportunity between people who share a protected characteristic and people who do not share it; and fostering good relations between people who share a protected characteristic and people who do not share it. SWASFT employees are expected to observe Trust policy and the maintenance of a fair and equitable workplace.
NHS Constitution - SWASFT will adhere to the principles within the NHS Constitution including: the rights to which patients, public and staff are entitled; the pledges which the NHS is committed to uphold; and the duties which public, patients and staff owe to one another to ensure the NHS operates fairly and effectively. SWASFT employees are expected to understand and uphold the duties set out in the Constitution.
Code of Conduct and Conflict of Interest Policy - The Trust Code of Conduct for Staff and its Conflict of Interest and Anti-Bribery policies set out the expectations of the Trust in respect of staff behaviour. SWASFT employees are expected to observe the principles of the Code of Conduct and these policies by declaring any gifts received or potential conflicts of interest in a timely manner, and upholding the Trust zero-tolerance to bribery.
Information Governance - SWASFT recognises that its records and information must be managed, handled and protected in accordance with the requirements of the Data Protection Act 1998 and other legislation, not only to serve its business needs, but also to support the provision of highest quality patient care and ensure individuals' rights in respect of their personal data are observed. SWASFT employees are expected to respect their contact with personal or sensitive information and protect it in line with Trust policy.
Emergency Preparedness, Resilience and Response – The NHS needs to be able to plan for and respond to a wide range of incidents and emergencies that could affect health or patient care. These could be anything from severe weather to an infectious disease outbreak or a major transport accident. Under the Civil Contingencies Act (2004), NHS organisations and sub-contractors must show that they can deal with these incidents while maintaining services to patients. This work is referred to in the health service as ‘emergency preparation, resilience and response’ (EPRR).
Business Continuity Strategy – The main guidance for business continuity management is contained in:
ISO 22301 Societal Security - Business Continuity Management Systems – requirements
ISO 22313 Societal Security - Business Continuity Management Systems – Guidance
PAS 2015 - Framework for Health Services Resilience
In the past, organisations in the UK developed their business continuity management systems in line with BS25999. However, this standard has been replaced by ISO 22301. ISO 22313 provides good practice, guidelines and recommendations based on the requirements of ISO 22301. The aim of PAS 2015 is to provide a resilience framework for NHS organisations and all providers of NHS funded care.
South Western Ambulance has a Business Continuity strategy which documents how Business Continuity will be delivered in the Trust. This can be found on the Trust intranet. The Strategy is supported by the Business Continuity Policy which obligates staff and management to engage and manage business continuity within their departments and Trust-wide.
Departmental Planning – Each Trust department will complete a business impact analysis annually or whenever there is significant change which influences the content in this plan. This plan will be activated in response to an incident causing significant disruption to normal service delivery, particularly the delivery of critical activities. Disruptions to be planned for include the loss of:
People – the loss of personnel due to sickness / pandemic
Premises – denial of access to normal place of work
IM&T and communications / ICT Equipment issues
Suppliers internal and external to the organisation
CONTENTS
Purpose
Scope
Definitions
Duties, Responsibilities and Reporting
Business Continuity Management System
Business Impact Analysis
Business Continuity Plans
Exercising and Evaluations
Monitoring
References
Associated Documentation
Appendices:
Document Version Control Sheet
Appendix A - Internal and External issues affecting the BCMS
Appendix B - Interested parties relevant to the BCMS
Appendix C - Role description for the Departmental Business Continuity Lead
Appendix D - SWASFT 5
Appendix E - Communication of Business Continuity Planning
1. Purpose
1.1 South Western Ambulance NHS Foundation Trust (the ‘Trust’) is committed to having in place a Business Continuity Management (BCM) Programme as required under the Civil Contingencies Act (2004) and Emergency Preparedness, Resilience and Response (EPRR) NHS Core Standards 2014 (clauses 7 & 8).
1.2 The SWASFT Business Continuity Management Programme provides the framework within which the Trust can comply with the Business Continuity requirements of our patients and stakeholders by aligning the BCM with ISO22301:2012.
1.3 Business Continuity Management has been established to ensure the Trust can continue to deliver a minimum level of service to our patients and stakeholders in the event of any disruption.
1.4 The Trust is committed to meeting legal and regulatory requirements and continual improvements of the BCM system.
1.5 It is the intention of the Trust to fully conform to all requirements as stated in ISO22301:2012 to deliver an effective Business Continuity Management System.
2. Scope
2.1. This policy applies to all employees, interested parties, contractors and suppliers to the Trust, who must understand its content, and it must be followed by all Trust departments and directorates.
3. Definitions
Activity (activities): a process or set of processes undertaken by the Trust (or on its behalf) that produces or supports one or more services
Audit: a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Business Continuity: the capability of the Trust to continue delivery of activities at an acceptable predefined level following a disruptive incident
Business Continuity Management (BCM): the holistic management process that identifies potential threats to the Trust and the impacts to business operations, and which provides a framework for building organisational resilience
Business Continuity Management System: the management system that establishes, implements, operates, monitors, reviews, maintains and improves Business Continuity
Business Continuity Plan: documented procedures that guide the Trust to respond, recover, resume and restore to a pre-defined level of operation following disruption
Business Continuity Programme: on-going management and governance process supported by top management and appropriately resourced to implement and maintain Business Continuity management
Business Continuity Steering Group (BCSG): a forum of departmental Business Continuity leads that contributes and steers the direction and promotion of Trust-wide Business Continuity
Business Impact Analysis: process of analysing activities and the effect that a disruption might have upon them
Conformity: fulfilment of a requirement
Continual Improvement: recurring activity to enhance performance
Corrective Action: action to eliminate the cause of a non-conformity and to prevent recurrence
Departmental Business Continuity Lead: identified responsible person(s) from an individual department that contributes to Business Continuity planning and promotes Business Continuity within their respective departments. Attends and contributes to the BCSG and supports a Trust-wide disruptive incident
Interested Party (stakeholder): person(s) or organisation(s) that can affect, be affected by or perceive themselves to be affected by a decision or activity
ISO: International Standard Organisation
Maximum Tolerable Period of Disruption (MTPD): time it would take for adverse impacts which might arise as a result of not providing a service or activity to become unacceptable
Non-conformity: non-fulfilment of a requirement
Objective: result to be achieved
Procedure: specified way to carry out an activity or a process
Process: set of interrelated or interacting activities which transforms inputs into outputs
Prioritised activities: activities to which priority must be given following an incident in order to mitigate impacts
Recovery Point Objective (RPO): point to which information used by an activity must be restored to enable the activity to operate in resumption
Recovery Time Objective (RTO): period of time following an incident within which an activity must be resumed
Requirement: need or expectation that is stated, generally implied or obligatory
Risk appetite: amount and type of risk the Trust is willing to pursue or retain
Risk Assessment: overall process of risk identification, risk analysis and risk evaluation
4. Duties, Responsibilities and Reporting
4.1. Overall responsibility and accountability for BCM under the Civil Contingencies Act (2004) remains with the Chief Executive.
4.2. It is identified through the ISO standards that directorates and departments are required to assess their BCM needs as part of an organisational response.
4.3. Each directorate and each Trust department has identified a suitable member of staff to lead on all Business Continuity matters within their respective area of the Trust. A Departmental Business Continuity Lead will work in close partnership with the Resilience Officer – Business Continuity in completing their department’s business impact analysis (BIA) and risk assessment process of analysing business functions and the effects of an incident upon their department and the Trust.
4.4. Corporate Business Continuity Management is provided at Directors level. The Executive Director for IM&T, who is also the Trust Senior Information Risk Owner (SIRO), will ensure that strategic direction in relation to Trust-wide Business Continuity issues is addressed and that Business Continuity remains the focus of all staff.
4.5. The Resilience Officer – Business Continuity will advise the Trust on Business Continuity planning and will also provide strategic and tactical advice in the event of a Business Continuity disruption or incident. The Resilience Officer – Business Continuity will also provide an essential organisational link with the Resilience Team to ensure the sustainability of critical functions during any disruptive challenge.
4.6. All Trust staff have a responsibility of understanding their contribution to the effectiveness of the BCMS, the implications of not conforming with the BCMS requirements and their own role during a disruptive incident.
5. Business Continuity Management System
5.1. Business Continuity is the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
5.2. The BCMS requirements apply to all directorates, and all Trust departments are expected to adhere to the BCMS and associated processes and procedures.
5.3. To achieve the intended outcome(s) of the BCMS, the Trust has identified internal and external issues that have been taken into account when developing the BCMS.
These issues are listed in Appendix A and detail the risk and impact to the Trust activities in relation to a disruptive incident. Appendix A should be taken into account when making business decisions and incident response decisions to mitigate the potential impact.
5.4. The Trust's risk appetite and management of all Trust related risk is documented in the Risk Management Strategy that can be found on the intranet and should be referred to when completing and assessing risk for Business Continuity.
5.5. The Business Continuity objectives can be linked to Trust corporate objectives 2015/2016:
CO4.12 Ensure each Trust Department and the organisation is fully compliant with Business Continuity standards
CO4.13 Demonstrate every Trust department and the organisation has completed an effective cycle of the Business Continuity Management System (BCMS)
CO4.14 Promote and raise Trust-wide awareness of general Business Continuity, and especially the Trust's identified critical activities in all business planning and incident management
5.6. Appendix B details interested parties that have been taken into consideration
and are relevant to the BCMS.
5.7. The Trust is committed to ensuring that it meets all legal and regulatory requirements and has processes in place to identify, assess and implement applicable legislation and regulation requirements related to the continuity of operations and services, as well as the interests of interested parties. The Resilience Officer, Business Continuity is embedded into the National Ambulance Resilience Unit (NARU) National Business Continuity Group, which is a network of ambulance Business Continuity Managers who horizon scan and advise on national Business Continuity strategies, which will include any changes to legislative, obligatory or best practice requirements.
5.8. In the event of a legislative or regulatory change to Business Continuity Management or the requirements on the Trust to deliver Business Continuity a full briefing will be provided to the EPRR Team and Directors by the Resilience Officer, Business Continuity to assess the requirements, any impact and identify any processes that need to be added or reviewed.
5.9. A documented process to implement any changes will be completed.
5.10. The scope of the BCMS has been determined and agreed by Trust Directors, with all interested party and legal requirements considered, and includes all departments within SWASFT.
5.11. All products, services, contracts, and activities of all departments are within scope for the BCMS. There is a responsibility on each department to identify critical suppliers, external stakeholders and interested parties, confirm and be satisfied by all Business Continuity plans and arrangements for these external stakeholders. This remains the responsibility of each Trust department to ensure that this is reviewed annually in line with their own Business Continuity Management System review.
5.12. The Trust will establish, implement, maintain and continually improve the BCMS through management reviews, audit and debriefing (as detailed in section 8)
5.13. To support the BCMS, the Executive Director of IM&T has been identified as the Executive responsible for the effective delivery of Business Continuity.
5.14. Leadership and commitment to the BCMS will be demonstrated by all Executive Directors by:
5.14.1. Ensuring policy and objectives are compatible with the strategic direction of the Trust.
5.14.2. Ensuring integration of the BCMS into the organisation's business processes and decisions.
5.14.3. Ensuring that appropriate resources are made available to deliver the BCMS.
5.14.4. Communicating the importance of effective Business Continuity Management and conforming to the BCMS requirements.
5.14.5. Ensuring that the BCMS achieves its intended outcomes.
5.14.6. Directing and supporting persons to contribute to the effectiveness of the BCMS.
5.14.7. Promoting continual improvement of Business Continuity.
5.14.8. Supporting other relevant management roles to demonstrate leadership and commitment to their areas of responsibility.
5.14.9. Adhering to Trust risk management strategies when assessing Business Continuity risks.
5.14.10. Actively engaging in exercising and testing of Business Continuity Planning.
5.14.11. Ensuring that internal audits of the BCMS are completed.
5.14.12. Conducting management reviews of the BCMS.
5.14.13. Demonstrating its commitment to continual improvement.
5.15. The Resilience Officer – Business Continuity is responsible for ensuring that
the BCMS conforms to the requirements of ISO22301:2012 and will provide reports to the Executive Directors monthly of Trust-wide progress; and when required will provide reviews and reports of incidents; audits; updates to Business Continuity risk assessments.
5.16. The Business Continuity objectives have been agreed for 2014-2017 as:
5.16.1. To develop, maintain and continuously improve a Business
Continuity Management System which satisfies the requirements of ISO 22301. The Trust is committed to conforming to ISO22301 in its entirety across the whole organisation. At this time, accreditation is not being considered.
5.16.2. Use the Business Continuity Management System to identify, protect and maintain prioritised activities, in order to deliver and recover service to an acceptable level
5.16.3. Each identified critical and essential departmental business continuity planning shall complete a cycle of the Business Continuity Management System annually within their respective department.
5.16.4. The Trust-wide Business Continuity planning shall complete a cycle of the Business Continuity Management System annually with associated documentation including all relevant areas of the Trust.
5.16.5. Trust-wide awareness and consideration of Business Continuity will factor in daily activity for all Trust staff. This will be promoted through awareness campaigns, workshops, training and exercising. The awareness and use of the “SWASFT 5” slogan and associated material will be recognised and understood by all Trust staff
5.16.6. To guide the Trust into a position where it can easily demonstrate through audit and peer reviews alignment to Business Continuity standard ISO 22301:2012
5.16.7. To develop and integrate technology to assist with the Business Continuity Management System
5.17. The resources required for the establishment, implementation, maintenance
and continual improvement of the BCMS span the entire Trust and should be made available in all directorates.
5.18. Appropriately competent staff should be identified and allocated Business
Continuity roles as described in the role descriptions in Appendix C to support the BCMS and deliver the Business Continuity objectives
5.19. All Trust staff and any other contractor or supplier to the Trust must be aware
of:
5.19.1. The Business Continuity Policy
5.19.2. Their contribution to the effectiveness of the BCMS
5.19.3. The implications of not conforming with the BCMS requirements
5.19.4. Their own role during a disruptive incident
5.20. The requirements in 5.17 are the responsibility of the relevant Head of Department for the staff and any persons completing work on behalf of the Trust to be fully sighted, aware and provide access to Business Continuity documentation. For new permanent employees into the Trust, this will be completed at induction. As part of the approved awareness campaign (Appendix D) all staff should be aware of the Business Continuity slogan “SWASFT 5”. In addition to the publications in the awareness campaign, annual inclusion into the mandatory training workbook and annual Business Continuity awareness days will be available.
5.21. All BCMS documentation will be available to all staff via the intranet
5.22. The Trust Communications strategy and Information Governance Policy should be referred to when considering communication of Business Continuity documents and processes with interested parties.
Communication of Business Continuity planning is included in each of these documents and in Appendix E.
5.23. Each Business Continuity plan will include:
5.23.1. Appropriate identification and description including title, date, author and reference number(s)
5.23.2. Appropriate format and media availability
5.23.3. Review and approval details
5.23.4. Adequate document control procedures
5.23.5. Available and suitable for use
5.23.6. Adequately protected (improper use / sensitive information for example) using recognised NHS Protective Marking Scheme (or the newly introduced Government Security Classifications)
5.24. In addition to the above requirements the following standards will apply to all
Business Continuity documentation:
5.24.1. Distribution, access, retrieval and use will remain with the Head of the Department that owns their Business Continuity Plan. For corporate Trust-wide Business Continuity Plans, this responsibility remains with the Resilience Officer, Business Continuity.
5.24.2. The storage and preservation (including legibility) of all Business Continuity Plans is the responsibility of the EPRR Department.
5.24.3. Control of changes will be managed by the plan author and monitored by the Resilience Officer, Business Continuity.
5.24.4. Retention of previous versions of plans will remain in storage for 3 years and will then be appropriately disposed of.
5.24.5. Management of retrieval and use of Business Continuity Plans will be managed by the Resilience Officer, Business Continuity through the Business Continuity intranet page, supported by the Public Relations and Communications team.
5.24.6. To prevent unintended use of obsolete information, Business Continuity Plans will be subject to exercise and testing to confirm accuracy and relevance.
5.25. Documented Business Continuity information received from external origins will
be stored and controlled by the Resilience Officer, Business Continuity in collaboration with other Trust departments.
5.26. Every Trust department will complete a cycle of the BCMS within their department by completing:
5.26.1. Business Impact Analysis (BIA) (Analysis)
5.26.2. Publishing of a Business Continuity Plan (Design)
5.26.3. Awareness training (Implementation)
5.26.4. Exercising (Validation)
5.27. Annually or whenever there is a significant change in the department or Trust,
and after any incident, a review of the Business Continuity system will be performed as detailed in 5.24. This process will be led by the nominated Business Continuity Lead supported by the Resilience Officer, Business Continuity.
6. Business Impact Analysis (BIA)
6.1. The Trust and each Trust department will complete a Business Impact Analysis as part of the Business Continuity Management System.
6.2. Every Business Impact Analysis will follow the same format and will be
completed with the support of the Resilience Officer – Business Continuity.
A Business Impact Analysis will be completed for every Trust department; identified activities that require an assessment for Business Continuity and identified services outside of the scope.
6.3. The Business Impact Analysis will include an analysis of:
6.3.1. The context of the assessment
6.3.2. Criteria defined
6.3.3. An evaluation of the impact of a disruptive incident
6.3.4. Legal requirements
6.3.5. Prioritisation of risk treatment and any associated costs
6.3.6. Definition of the output of the Business Impact Analysis
6.3.7. Process of keeping the information up-to-date
6.4. A formal, documented evaluation process of the Business Impact Analysis shall
also include:
6.4.1. Identification of activities that support the delivery of the department or Trust business area
6.4.2. Assessing the impact over time of not performing the identified activities
6.4.3. Setting timeframes for resuming these activities at a specified minimum acceptable level of operation
6.4.4. Identifying dependencies both internal and external to the Trust
6.5. The Business Impact Analysis is designed to look at specific areas to deliver the requirements in 6.3 & 6.4:
6.5.1. Programme: What business as usual is
6.5.2. People: Who delivers the activities
6.5.3. Processes: How the activities are delivered
6.5.4. Premises: Where the activities are delivered
6.5.5. Providers: Who the dependencies are
6.5.6. Profile: Protecting Trust and personal reputation
6.5.7. Performance: Benchmarking and key performance indicators
6.5.8. Legal: Requirements the activities deliver
6.6. As part of the Business Impact Analysis, a risk assessment will be completed
against the prioritised activities, assessing the impact and likelihood of any disruption. This will include identifying any risk treatment that is required to ensure priority activities can continue to be delivered
6.7. Risk treatments should be commensurate with Business Continuity objectives, in accordance with the Trust's risk appetite.
6.8. The Trust should be aware that this analytical information may be requested by
financial or government organisations.
7. Business Continuity Plans (BCP)
7.1. For every BIA there will be an associated BCP detailing the arrangements to reduce any risks identified and arrangements in place to manage any impact from a disruptive incident, owned by each Trust Directorate.
7.2. The Trust will document procedures for managing and responding to a
disruptive incident and how it will continue or recover its activities within a predetermined timeframe.
7.3. Each BCP will include the arrangements and detail to address:
7.3.1. Roles and responsibilities for people and teams during and following an incident
7.3.2. Activating the BCP
7.3.3. Management of the immediate consequences giving due regard to the welfare of individuals; strategic, tactical and operational options for responding to a BC incident and prevention of further loss or unavailability of prioritized activities
7.3.4. How and under what circumstances the Trust will communicate with employees, key interested parties and emergency contacts
7.3.5. How the Trust will continue or recover prioritized activities within predetermined timeframes
7.3.6. The media response
7.3.7. A process for standing down once an incident is over
7.4. Each plan shall follow a similar format to enhance familiarity by defining:
7.4.1 Purpose and scope
7.4.2 Objectives
7.4.3 Activation criteria and procedures
7.4.4 Implementation procedures
7.4.5 Roles, responsibilities and authorities
7.4.6 Communication requirements and procedures
7.4.7 Internal and external interdependencies and interactions
7.4.8 Resource requirements
7.4.9 Information flow and documentation processes
7.5. The key headings in the BCP that will collate the detail from the BIA and point
7.4 are:
7.5.1 Business as usual contextualization
7.5.2 Accommodation and relocation
7.5.3 Staffing and options for loss of staff
7.5.4 Vehicle requirements
7.5.5 Equipment and supplies
7.5.6 IM&T requirements
7.5.7 Command
7.5.8 Other considerations
7.6. Corporate level planning shall include Trust wide consideration and include the detail as given in points 7.3 & 7.4. All of the departmental business continuity planning shall contribute into the Trust wide planning. As a minimum, the suite of corporate Trust level plans will include:
7.6.1 Incident Management Plan
7.6.2 Constant Care
7.6.3 Constant Contact
7.6.4 Fuel Plan
7.6.5 Severe Weather Plan
7.6.6 Pandemic Influenza Plan
7.7. Procedures will be established through the Business Continuity planning to
manage a disruptive incident and continue activities based on recovery objectives identified in the business impact analysis. Documented procedures (including necessary arrangements) shall:
7.7.1 Establish an appropriate internal and external communications protocol
7.7.2 Be specific regarding the immediate steps that are to be taken during a disruption
7.7.3 Be flexible to respond to unanticipated threats and changing internal and external conditions
7.7.4 Focus on the impact of events
7.7.5 Be developed based on stated assumptions and an analysis of interdependencies
7.7.6 Be effective in minimising consequences through implementation of appropriate mitigation strategies
7.8. Specific procedures that shall be established, documented and implemented across the organisation shall include a response structure that shall:
7.8.1. Identify impact thresholds that justify initiation of a formal response
7.8.2. Assess the nature and extent of a disruptive incident and its potential impact
7.8.3. Activate an appropriate business continuity response
7.8.4. Detail activation, operation, coordination and communication of the response
7.8.5. Detail the resources required
7.8.6. Methods of the detection of a Business Continuity incident
7.8.7. Provide regular monitoring of an incident
7.8.8. Provide internal communication
7.8.9. Record vital information about the incident, actions taken and decisions made
7.9. Recovery from a disruptive incident shall follow a documented procedure to restore and return Trust activities from a temporary state to support normal Trust business following an incident (Business Continuity incident, major or critical incidents)
8. Exercising and evaluation
8.1. As per obligatory requirements, Business Continuity planning will be subjected to exercising and testing to validate planning and ensure that it is consistent with Business Continuity objectives.
8.2. Business Continuity exercising will be conducted to confirm that exercises:
8.2.1. Are consistent with the scope and objectives of the Business Continuity Management System
8.2.2. Are based on appropriate scenarios that are planned with clearly defined aims and objectives
8.2.3. Minimise the risk of disruption of operations
8.2.4. Produce formal post-exercise reports that contain the outcomes, recommendations and actions to provide continual improvement
8.2.5. Are reviewed within the context of promoting continual improvement; and
8.2.6. Are conducted at planned intervals and when there are significant changes within the Trust
8.3. The Trust shall conduct evaluations of Business Continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness. These evaluations shall be undertaken through periodic peer reviews, exercising, testing, post-incident reporting and performance audits.
8.4. The evaluations shall measure against compliance with applicable legal and regulatory requirements; ISO22301:2012 Business Continuity Management System and the Trust's Business Continuity policy and objectives at planned intervals and when significant changes occur.
8.5. Audits will be conducted internally at planned intervals to provide the information on whether the Business Continuity Management System conforms to the Trust's requirements and the requirements of the ISO.
This will be conducted through a programme to visit a selection of departments and audit different elements of the Business Continuity Management System. The scope, aim and objectives will be confirmed to each department and/or directorate and will be conducted by appropriate auditors selected for the audit.
8.6. The audit programme, including the schedule, shall be based on the results of risk assessments of the Trust activities and the results of previous audits.
8.7. The management responsible for the department and/or directorate being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.
8.8. The Trust will engage with any external auditing that is completed with transparency in relation to the review of the Business Continuity Management System.
8.9. Directors shall review the Trust Business Continuity Management System at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The Directors' review shall include considerations of the status of previous reviews, changes in internal and external issues that are relevant to the Business Continuity Management System and information on Business Continuity performance.
8.10. The outputs from the Directors' review shall include documented decisions related to continual improvement opportunities and the possible need for changes to the Business Continuity Management System that include variations to the scope of the Business Continuity Management System and an update of risk assessment, Business Impact Analysis and Business Continuity Plan and related procedures.
8.11. The Trust will continually improve the suitability, adequacy and effectiveness of the Business Continuity Management System.
9. Monitoring
Element to be Monitored: Full policy document
Lead: Resilience Officer, Business Continuity
Tool: Content to be aligned to ISO22301:2012 Societal Security – Business Continuity Management system requirements
Frequency: Full policy document review annually
Training Needs: As contained in the job description for Resilience Officer, Business Continuity, no further formal training needs required
Reporting Arrangements: Consultation and sharing with the Business Continuity Steering Group; Approval through the Quality and Governance Committee
Acting on Recommendations and Lead(s): The Business Continuity Steering Group shall act on any recommendations where relevant. All actions managed by the Resilience Officer, Business Continuity
Change in practice and lessons to be shared: Through the Business Continuity Steering Group
10. References
10.1. British Standards Institute BS ISO 22301:2012 Societal security – Business Continuity Management System first edition
10.2. Previous Trust (GWAS & SWAST) Business Continuity Policies
10.3. Business Continuity Institute Good Practice Guidelines 2013
11. Associated Documents
11.1. SWASFT Business Continuity Strategy 2014-2017
11.2. SWASFT Major Incident Plan
11.3. SWASFT Business Continuity Plan: Incident Management Plan
Version Control Sheet – Business Continuity Policy
Version Date Author Summary of changes
[GWAS] Jan 2010 Unknown EOC arrangements
[GWAS] October 2010 Unknown Business Continuity Plan and policy merged into one document
[GWAS] January 2012 Unknown General update, increased information on policy purpose and the BSI Standard BS25999
[SWAST] 1 2006 Vanessa Williams Original document
[SWAST] 2 Sep 2009 Mike Bottone Review in capacity of Acting Business Continuity Manager
[SWAST] 3 March 2010 Mike Bottone Review prior to handover to Mike Killoran
[SWAST] 4 April 2010 Mike Killoran Change of ownership
[SWAST] 5 March 2011 Mike Killoran Annual review for presentation to Quality and Governance Committee meeting
[SWAST] 6 May 2011 Mike Killoran Minor changes following Quality and Governance meeting, change in author and change of responsible individual
7.0 May 2014 Oliver Tovey Change of ownership; review and merge of documents from GWAS & SWAST into one document; update to ISO 22301:2012 standard
7.1 June 2015 Oliver Tovey Annual review – no changes
Appendix A Internal and external issues affecting the BCMS
Internal Issues

Issue: BC Planning will not be updated due to operational pressure
Impact: BC Planning will be affected, inaccurate and not effective for a BC incident if allowed to not be updated due to pressures
L: 4; C: 4; Risk: 16
Control: Consistent support and review from Resilience to ensure BCMS is being followed. Timescales for completion; Monthly updates to Directors on progress of departmental BC; BC is now included as a corporate objective

Issue: Departmental Business Continuity Leads unable to commit to time to complete BCMS or attend BCSG meetings
Impact: As above + Trust wide BC planning will continue without departmental input – BC updates will not be received
L: 4; C: 3; Risk: 12
Control: BCSG meetings planned well in advance; Minutes available post meeting; Resilience Officer, BC readily available to all departments to advise on BC

Issue: BC awareness not effective so access and adherence to planning will not be completed
Impact: Awareness of BC not consistent through Trust which may encourage silo decision making without knowledge or intelligence of planning or wider Trust impacts
L: 3; C: 3; Risk: 9
Control: Intranet page fully available to all Trust staff which will hold all Trust BC planning, process documents and BC information; BCSG membership available for input from each department during an incident; Audit programme to include visit to each department to review awareness of staff of department and Trust wide BC planning

Issue: Departments unable to allocate a suitable member of staff to lead on departmental BC
Impact: Departments risk not having adequate planning in place to support a disruption to normal business. If they do have planning there is a risk that this will not be embedded into departments
L: 2; C: 4; Risk: 8
Control: BC added to Directors job descriptions to ensure accountability for the delivery of BC throughout directorates is consistent and effective.

Issue: BC incident that challenges the BCMS process and planning that results in a negative outcome
Impact: Credibility of the BCMS will be questioned and not supported; Increase in workload and resources to rectify any issues
L: 2; C: 3; Risk: 6
Control: Regular monitoring of effectiveness of BC planning including exercising and audit. Regular assurance reported to Directors that monitors progress and conformity to the ISO standard

Issue: Accessing BC planning through the normal channels not available
Impact: If BC planning is not available through the BC intranet page, access and adherence to plan will be limited
L: 1; C: 3; Risk: 3
Control: Departmental BC Plans emailed for hard copy storage within departments. Exercising programme to include all staff from departments to embed arrangements to support accessing the plan. For SWASFT 5 activities critical action cards to be available to follow for initial staff to manage an incident
External Issues

Issue: National and International BC risks and threats. For example; cyber attacks; weather; mobile communications
Impact: Will affect the Trust and its critical services
L: 4; C: 4; Risk: 16
Control: By all departments and Trust wide planning following the BCMS a robust and effective BC culture and capability will have arrangements in place to continue business at an acceptable level. Monitoring of BCI monthly international risk assessments

Issue: Major supplier issue (for example NHS Supply Chain during severe weather; bankruptcy of a supplier for example MIS CAD) not considered and mitigated through normal BC planning
Impact: Disruption to SWASFT critical services due to supplier issue. Ad hoc planning resulting in mis-management and non-effective results; Continuation of alternative supplier management
L: 3; C: 4; Risk: 12
Control: Identification of major and critical suppliers included in BC Planning and mitigating actions completed. Engagement with identified critical suppliers to review supplier BC planning and disaster recovery strategies [to be completed]

Issue: CCG requirements of the Trust to deliver BC to a different standard or area out of scope of the agreed BCMS
Impact: Increase in workload; Uncontrolled input and management on areas that have not been agreed to be covered by the BCMS, resulting in processes outside of the BCMS
L: 3; C: 4; Risk: 12
Control: Regular contact with Directors and constant horizon scanning of requirements and requests locally and nationally. BCMS strategy, documents and programme information to be made available to CCG to manage expectations

Issue: Disbandment of the NARU BC Group
Impact: Network of BC Managers no longer available through a formal forum to manage national BC
L: 2; C: 4; Risk: 8
Control: Continue to meet and deliver beneficial products from the group such as peer reviews; BC strategy and training opportunities

Issue: Requirement of the ISO. At this time Trusts are able to decide what level of conformity they want to achieve with the ISO. If this is lowered or increased it may cause issues regarding credibility of the standard and/or resource requirements to deliver the expectation
Impact: ISO standard may lose credibility or may require significant resource uplift if accreditation is mandated
L: 2; C: 4; Risk: 8
Control: NARU BC Group monitoring and advising on the expectations of the ISO who can remain ahead of any developments and advise on impact and provide mechanisms to support any change to requirements

Issue: Liability to the Trust if no BC strategy is developed, implemented and delivered
Impact: Not meeting the statutory legislative requirements and obligations (CCA2004, Health and Social Care Act, EPRR Core Standards, European Commission on Human Rights); Not meeting Commissioner expectations or requirements; Not meeting patient expectations or requirements
L: 1; C: 5; Risk: 5
Control: Resilience Officer recruited to coordinate all BC management and arrangements; BC Strategy approved; BC remains part of the National EPRR Core Standards and a requirement of the Trust under the CCA2004

Issue: Change of BC requirements (currently ISO22301) set by the Department of Health / NARU
Impact: Work already completed in line with ISO will be reviewed and changed. Robust standard that includes a lot of BC principles already in place
L: 1; C: 4; Risk: 4
Control: NARU BC Group supporters of ISO22301 and have provided assurance documents and have advised on strategy to deliver the ISO standard principles across all ambulance services
Appendix B Interested parties relevant to the BCMS
Internal:
Corporate ownership (Directors)
Every Trust Department
Employees of SWASFT
Departmental Business Continuity Leads
Business Continuity Steering Group
Contractors

External:
Patients
Police (within and bordering SWASFT)
Fire & Rescue (within and bordering SWASFT)
Local Authorities (within and bordering SWASFT)
NHS England
Clinical Commissioning Groups
National Ambulance Trusts
Public Relations and Media
Outsourcing organisations (for example St John)
Suppliers (NHS Supply Chain; British Telecom; Mercedes)
National Ambulance Resilience Unit (NARU)
Business Continuity Institute (BCI)
Care Quality Commission
Appendix C Role description for the Departmental Business Continuity Lead
Role: Department Business Continuity Lead
Directorate/Department: Relevant department
Location: Relevant department location
Accountable To: Associate Director of Relevant Department
Responsible For:
Coordinating and documenting the relevant department Business Continuity Plan and arrangements to comply with the Trust Policy, its Legal Obligations set out in the Civil Contingencies Act 2004 and International Standard ISO22301 (Business Continuity standard)
General Summary:
The role will take the lead in coordinating and writing the business continuity plans and arrangements for the relevant department, ensuring plans are in place, reviewed and tested as per the requirements of the Trust's Business Continuity Management Policy, to meet the requirements of the Civil Contingencies Act and ISO22301. The BC Lead will work with all levels of their own department and the BC lead for other departments to develop and deliver sound plans, processes and systems to mitigate the identified risks to the Trust/Departments prioritised activities.
Structure
Associate Director / Head of Relevant Department
Resilience Officer – Business Continuity
Business Continuity Lead
Core Responsibilities:
Coordinate and document the department's business continuity plan, processes and arrangements.
Supported by the Resilience Officer, BC, design and deliver an annual exercise which tests the business continuity plans, processes and arrangements
In consultation with the department and the Resilience Officer, BC, establish department annual objectives for the development of business continuity services relative to the Trust, the wider health community and other interested parties
Monitor progress and ensure the achievement of these objectives
Ensure effective consultation with interested parties
Represent the department for business continuity at BC meetings.
Take responsibility for own Personal Development Review (PDR) and engage in appropriate learning and development interventions and opportunities that underpin the demands of the role
Ensure new and innovative ideas and good practice are actively encouraged, supported and shared with others, internally and externally where appropriate.
Develop and maintain good working relationships with internal and external suppliers
Coordinate and participate in debriefs for exercises and incidents
Monitor on behalf of the department the action logs for lessons identified and report on progress
Participate in BCSG meetings to manage an incident at short notice
Service Provision:
Ensure the delivery of the Business Continuity plans, processes and arrangements by adhering to the Trust policy and its legal obligations contributes to the highest standards of patient care.
Workforce:
Contribute to putting in place arrangements that actively encourage a patient focused culture within the organisation.
Promote the effective prioritisation of the Trust's activities to ensure its core patient focused activities are protected.
Leadership and Corporate Governance:
Promote and protect the equality, diversity and rights of others and assist in the provision of a fair and just culture by being open, honest, supportive and respectful of others.
Embrace high standards of employment practice and act in accordance with the ‘Managers Code of Conduct’ and promote the vision, values and goals of the organisation.
Contribute as an active member of the key meetings to ensure successful collaborative working
Organisational Profile:
Establish effective local networks and partnerships with internal departments and other organisations to enable the department to continuously improve and learn
Promote a positive organisation and directorate image
Key relationships:
Develop working relationships with colleagues within own department/organisation and other organisations that are productive in terms of supporting and delivering your work and that of the overall organisation
Attend business continuity meetings and represent the department.
Responsibility to remain informed of developments within the Trust
Key relationships include:
- The Trust's Resilience Officer, BC
- The Trust's EPRR team
- Other Department Business Continuity Leads
- Director and head of own department
- Key suppliers to prioritised activities
Key areas of portfolio: Own Department Business Continuity
Additional:
This job description is not intended to be exhaustive and it is likely that duties may be altered from time to time in the light of changing circumstances, in discussion with the post-holder, the department Associate Director and the Resilience Officer, Business Continuity
This role is not subject to banding as it forms part of full job description already established for the individual.
COMPETENCY PROFILE
Department Business Continuity Lead
Directors and/or Heads of the relevant departments will be required to appoint a Business Continuity Lead of sufficient seniority and competence to carry out the duties for this role. Any training relating to business continuity will be provided; the nominated BC lead is expected to already be competent in the department's own area of business. The Competency Profile below provides a guide of the skills and attributes required for the BC Role within Yorkshire Ambulance Service.
Experience and work achievements
Has a good level of knowledge and experience within the relevant department Essential
Can demonstrate successful partnership working through collaboration Essential
Undertake relevant training programs in the field of business continuity Essential
An understanding of performance and operational demands within Ambulance Services Desirable
Working knowledge of the Civil Contingencies Act 2004 Desirable
Working knowledge of best practice and emerging threats including the international Standard ISO22301 Desirable
Experience of Business Continuity Management Desirable
Skills and abilities
Well developed communication skills, both written and oral Essential
Good communicator, able to deal with complex issues when working with interested parties Essential
Ability to handle detail within plans and make informed decisions and judgments Essential
Ability to create and develop effective working relationships with interested parties Essential
Competent in Microsoft applications including Word and Excel Essential
Thorough knowledge of Trust policies and procedures Essential
Ability to empathise with service users Essential
Is credible to interested parties Essential
Ability to assess risks, anticipate difficulties and successfully address them Essential
Ability to develop plans and procedures specific to business continuity Essential
Ability to carry out structured debrief and to recommend changes where required Desirable
Produce timely and accurate plans Essential
Personal attributes
Demonstrates resilience, confidence when working to strict deadlines or new priorities Essential
Committed to promoting diversity and awareness of equal opportunities Essential
Demonstrates commitment to the values, principles of public service and health and social care in particular and seeks continual improvement Essential
Ability to influence effectively at all levels of the organisation Desirable
Self-motivated – able to work on own initiative Essential
Works effectively as part of a team Essential
Able to travel between work sites Desirable
Knowledge and educational achievements
Educated to Diploma level Essential
Evidence of recent on-going personal development Essential
Knowledge of the Civil Contingencies Act 2004 Desirable
Knowledge of ISO22301 procedures Desirable
Current broad knowledge of the national NHS context Desirable
Appendix E Communication process of Business Continuity Planning
External Request for BC documentation
Flowchart: Request sent to Information Governance who contacts Resilience → Resilience contacts plan owner for authorisation → Permission granted; documents forwarded as per GSC* / Permission denied; requestor updated with rationale
External organisations may request copies of SWASFT BC plans, process documents or strategies for a number of reasons. It is important that this information is handled appropriately when releasing details outside of SWASFT, especially as some plans could contain sensitive information. The Trust Information Governance and Freedom of Information policies apply and any request for information should be directed to: [email protected]. The Resilience Officer, Business Continuity can offer advice on information sharing outside of the organisation. Internal sharing of information remains with plan owners to share their planning if appropriate.
* GSC – Government Security Classification and the management of sensitive information sharing.