
SH NCP 67

Business Continuity Management Policy
Version: 3

Summary: This Business Continuity Policy provides the strategic framework for Southern Health NHS Foundation Trust’s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure SHFT meets its legal obligations to ensure the organisation’s Prioritised Activities and Services are protected against potential disruption as a result of incidents and emergency situations and climate change adaption.

Keywords (minimum of 5) (to assist policy search engine): Business Continuity Policy, Business Continuity Management, Emergency Planning, Business Continuity Plan, Organisational Resilience, Climate Change Adaption

Target Audience: All employees of Southern Health NHS Foundation Trust. Non-Executive Directors, Volunteers, Governors and Contractors.

Next Review Date: May 2020

Approved and ratified by: EPRR Working Group
Date of meeting: 12 January 2015
Date issued: May 2017

Author: Philip Rudin, Business Continuity and Emergency Preparedness Officer
Sponsor: Helen Ludford, Interim Head of Quality Governance

Business Continuity Management Policy
Version: 3
April 2017
Version Control

Document Change Record

Date | Author | Version | Page | Reason for Change
24.05.13 | T Pettis | 1 | | Changes to reflect NHS England, NHS England and Public Health England structures following the abolition of Strategic Health Authorities and Primary Care Trusts.
24.05.13 | T Pettis | 1 | | NHS England BC related documents
02.12.13 | S Brown | 1 | | Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard
31.01.14 | S Brown | | | Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard
18.05.14 | T Pettis | 1 | | Review and update of entire document and Business Impact Analysis
10.06.14 | L Sawyer | 1 | | Integration with Trust’s Climate Change Adaption Plan
10.11.14 | S Brown | 2 | | Review of completed document and inclusion of BIA and BC Plan templates for EPRR WG on 21 Nov 14
05.01.15 | S Brown | 2 | | Inclusion of amended Business Impact Analysis (BIA)
14.03.2017 | P. Rudin | 3 | | General update of terminology, organisations’ names etc. Replace reference to Strategy for Organisational Resilience with details of current progress assurance procedures. Ensure consistency with other Trust plans and policies re escalation/invocation.

Reviewers/contributors

Name | Position | Version Reviewed | Date
Sharon Gomez | Essential Training Lead | 1 | 04 Feb 2013
Fiona Richey | Head of Risk and Business Continuity | 1 | 12 Feb 2013
Ricky Somal | Equality and Diversity Lead | 1 | 17 Feb 2013
Alida Towns | Interim Business Manager | 1 | 18 Feb 2013
Helen McCormack | Chief Medical Officer | 1 | 27 Mar 2013
Tim Pettis | BCR Manager SHFT | 1 | 01 Apr 2013
David Griffiths | EPM (UHS) (External Reviewer) | 1 | 01 May 2013
Libby Beesley | EPM DUFT (External Reviewer) | 1 | 01 May 2013
Tim Pettis | BCR Manager SHFT | 1 | 24 May 2013
Stuart Brown | BC Advisor | 1 | 02 Dec 2013
Stuart Brown | BC Advisor | 1 | 31 Jan 2014
Tim Pettis | BCRM SHFT | 1 | 29 May 2014
Louise Sawyer | Environmental Sustainability Manager | 1 | 10 June 2014
Stuart Brown | BC Advisor | 2 | 17 Nov 2014
Stuart Brown | BC Advisor | 2 | 05 Jan 2015
Lesley Stevens | AEO | 3 | 09 May 2017

CONTENTS

1. Introduction

2. Scope

3. Definitions
3.1 Business Continuity Management
3.2 Business Impact Analysis
3.3 Emergency
3.4 Prioritised Activities
3.5 Maximum Tolerable Period of Disruption
3.6 Recovery Time Objective

4. Duties/responsibilities
4.1 Chief Executive and Board
4.2 Accountable Emergency Officer (AEO)
4.3 Head of Compliance, Assurance & Quality
4.4 Environmental Sustainability Manager
4.5 Divisional and Area/Service Managers
4.6 Departmental Managers/Team Leaders
4.7 All staff

5. Main policy content
5.1 Business Continuity Lifecycle
5.2 Business Continuity Objectives
5.3 Business Impact Analysis
5.4 Risk Assessment
5.5 Business Continuity Plans
5.6 The Southern Health NHS Foundation Trust Business Continuity Plan
5.7 Prioritised Activities/Services
5.8 Incident Identification
5.9 Incident Declaration
5.9.1 Normal working hours
5.9.2 Out of Hours
5.10 Stand Down
5.11 Recovery and Debrief
5.12 Document Management
5.13 Exercising

6. Training requirements
7. Monitoring compliance
8. Policy review
9. Associated documents
10. Supporting references

Appendices
A1 Business Impact Analysis Template
A2 Business Continuity Plan Template and Completion Guidance
A3 Business Continuity Plan Completion Guidance
A4 Training Needs Analysis (TNA)
A5 Equality Impact Assessment (EqIA)

Business Continuity Management Policy

1. Introduction

1.1 Business Continuity Management (BCM) is a legal requirement for all NHS, private and
third sector organisations which, under NHS funded Provider status, provide care or
services to patients. Business Continuity Management forms part of the Care Quality
Commission’s Essential Standards of Quality and Safety, which all health providers must
comply with as a condition of registration, and of the NHS England Core Standards for
Emergency Preparedness, Resilience and Response 2013 (EPRR). Business Continuity
Management is an integral part of EPRR and this discipline sits within the EPRR Core
Standards Framework in both planning and assurance. Southern Health NHS Foundation
Trust has services and facilities which cover a huge geographical area.
1.2 Statutory requirements under the Civil Contingencies Act (2004) require all NHS Trusts
to have in place Business Continuity Management arrangements that enable them to:

• Respond to incidents (major and other) and emergencies of any kind;
• Ensure the health, safety and well-being of its service users and staff; and
• Support partner agencies in extreme circumstances.

1.3 The implementation of this policy is overseen by the EPRR Working Group, with
escalation if required to the Accountable Emergency Officer. In addition there is annual
reporting to the Audit, Assurance and Risk Committee and Trust Board, and the required
work-streams are reflected in the annual EPRR Work Plan.

1.4 The SHFT Business Continuity Management programme described in this policy is
based on the following standards:

• NHS England Core Standards for Emergency Preparedness, Resilience and
Response 2013; and
• International Standards Organisation ISO 22301:2012.

1.5 Business Continuity Management (BCM) is an integral and critical part of the incident
response planning process and helps build organisational resilience within an
organisation. Business Continuity Management is about identifying an organisation’s
Prioritised Activities/Services, the ‘appropriate’ resources required to deliver them, and
planning how to maintain and reinstate them as soon as reasonably practicable or
possible should an incident occur that causes disruption. Business Continuity
Management achieves this by assessing the risks to an organisation’s ability to deliver
its services, then considering how these risks can be eliminated or reduced, the
contingency plans that can be put in place to ensure that those services identified as
critical or essential are maintained regardless of the disruption, and how the other
services can best be recovered when the disruption ceases.

1.6 The Climate Change Act 2008 also places a mandatory requirement on health care
organisations to put in place Climate Change Adaption plans. Our climate is changing
and as a consequence we are seeing more frequent and severe weather events, such as
droughts, heat waves, storms and extremes of cold and hot weather, bringing increased
disruption to our services and activities. Business Continuity Management forms
part of the Trust’s Climate Change Adaption plans by building in organisational
resilience to deal with severe weather events and other climate change impacts.

1.7 This policy requires ALL Services in ALL Divisions to develop Business Continuity
Plans (BCPs) which detail how a service will perform its functions in the event of
disruption by defining and prioritising its Prioritised Activities/Services, detailing
contingency arrangements during the disruption and, when the disruption has passed,
how all services will be restored (recovered), by:

• Undertaking a Business Impact Analysis (BIA) to identify Prioritised
Activities/Services;
• Identifying the risks to the delivery of Prioritised Activities/Services and the likely
impact if they are affected;
• Planning how to mitigate against risk to Prioritised Activities and improve their
resilience; and
• Developing a BCP that details the Maximum Tolerable Period of Disruption
(MTPD) to Prioritised Activities, their Recovery Time Objectives (RTO), the
minimum and appropriate resources required to deliver them, and the order of
priority in which these and other services should be restored to normal.

1.8 Other NHS, private and third sector organisations that provide services to NHS patients
on behalf of the Trust, or equipment and goods which will be used in the treatment of
the Trust’s NHS patients, must have their own business continuity and
resilience arrangements in order to meet their legal and contractual obligations with this
Trust.

2. Scope

2.1 This Policy applies to:

• All Southern Health NHS Foundation Trust (SHFT) services in all Divisions; and
• All SHFT managers responsible for contracting, commissioning or purchasing
goods or services from external organisation(s), defined as NHS Funded
Providers. These SHFT managers are responsible for ensuring that contracts
and/or service level agreements with providers of goods and/or services include
arrangements to ensure that robust business continuity arrangements
are in place, so that the service or product they provide can be maintained, thus
supporting the Trust’s own identified Prioritised Activities.

3. Definitions

3.1 Business Continuity Management (BCM)

Business Continuity Management is an all-inclusive management process that identifies
potential impacts that threaten an organisation and provides a framework for building
organisational readiness and resilience and the capability for an effective
response that safeguards the interests of its service users, staff, key stakeholders, Trust
brand and reputation.

3.2 Business Impact Analysis (BIA)

Business Impact Analysis is the process of analysing ALL business functions and the
effect that a business disruption might have upon them.

3.3 Emergency

For the purposes of this policy an emergency is defined as:

‘An actual or impending situation that may cause injury, loss of life, destruction of
property, detrimental environmental impact or cause the interference, loss or disruption
of the organisation’s normal business operations to such an extent that it poses a
threat’.

3.4 Prioritised Activities/Services

Prioritised Activities/Services are those services which are necessary for the
preservation of life or to ensure the health, safety and welfare of patients and staff.

3.5 Maximum Tolerable Period of Disruption (MTPD)

Maximum Tolerable Period of Disruption is the time duration after which an
organisation’s viability will be irrevocably threatened if product and service delivery
cannot be resumed.

3.6 Recovery Time Objective (RTO)

Recovery Time Objective is a target time set for the resumption of a product, service,
activity or resource after an incident.

4. Duties/Responsibilities

4.1 Chief Executive and Board

The Chief Executive and the Board have a legal duty set under the Civil Contingencies
Act (2004) and within NHS England Emergency Preparedness, Resilience and
Response (EPRR) Core Standards (2014) to ensure Southern Health NHS Foundation
Trust (SHFT) is prepared to respond to a major incident or civil contingency event within
the local and wider health community, to maintain the public’s protection, and maximise
NHS in its overall response.

Trusts are ultimately accountable to the public and the Secretary of State for Health for
ensuring that the organisation consistently follows the principles of good corporate
governance and internal control. This ensures that an EPRR programme, of which
Business Continuity Management (BCM) is an integral part, is in place to ensure that, in
the event of a loss or major disruption to core functions, the public continue to receive
the best quality and range of services it is reasonably practicable to deliver, and that
Prioritised Activities/Services are maintained.

4.2 Accountable Emergency Officer (AEO) for Emergency Planning, Resilience and
Response

The Accountable Emergency Officer (AEO) for
Emergency Preparedness, Resilience and Response (EPRR) has delegated
responsibility from the Board to ensure that the requirements of this policy are met, that
the Board are provided with reasonable assurance, and are kept informed of any
significant concerns.

The AEO is supported where appropriate by a non-executive director, or appropriate
other board member, to endorse assurance to the board that the organisation is meeting
its obligations with respect to EPRR and relevant statutory obligations under the Civil
Contingencies Act 2004. This will include assurance that the organisation has allocated
appropriate resources to meet these requirements, which includes the support of trained
and competent emergency planning and business continuity professional staff
member(s) as appropriate.

4.3 Head of Compliance, Assurance & Quality

The Head of Compliance, Assurance & Quality is responsible for the development and
implementation of the Trust’s Business Continuity Management programme, advising on
compliance with the Civil Contingencies Act and NHS England EPRR Core Standards.

The Head of Compliance, Assurance & Quality may delegate some or all of the above to
the Business Continuity and Emergency Preparedness Officer, the organisation’s
designated Emergency Planning Manager.

The Head of Compliance, Assurance & Quality and designated Emergency Planning
Manager will also:

• Develop a Trust wide Incident Response Plan (IRP) from which the Business
Continuity element will list the Trust’s Prioritised Activities/Services;
• Provide specialist advice and guidance in respect of Business Continuity
Management issues including the co-ordination, development, implementation
and review of the business continuity policies, programme, plans and
procedures;
• Interpret the requirements of the Civil Contingencies Act 2004, NHS England
EPRR Core Standards and ISO 22301 Societal Security - Business Continuity
Management System Requirements, and associated guidance to support the
Trust’s Divisions and service areas and to ensure that these requirements are
met;
• Conduct risk assessments based on current and future threats identified through
environmental scanning and intelligence gathering;
• Embed an EPRR/Business Continuity culture through communication in concert
with the offices of the AEO and the Trust’s EPRR Working Group, and through
the EPRR WG make provision of awareness sessions, training and exercises
to staff, according to their roles and needs;
• Liaise with other NHS organisations and the wider area external agencies as
required; and
• Audit compliance via the EPRR WG relating to local Emergency Response and
BCPs, facilitating tests and providing recommendations and other management
feedback as appropriate.

4.4 Environmental Sustainability Manager:

The Environmental Sustainability Manager is responsible for developing and
implementing the Trust’s Climate Change Adaption plans, including responsibility for
advising the Head of Risk and Business Continuity of any climate change risks and
impacts that may affect the Trust’s organisational resilience in business continuity.

4.5 Divisional and Area/Service Managers:

Divisional and Area/Service Managers are responsible for:

• Implementing and supporting the Business Continuity Management policy;
• Ensuring a Business Impact Analysis for their services is undertaken;
• Developing, maintaining and reviewing at least annually or when a new service is
undertaken their BCPs, including the BIAs;
• Testing and exercising at least annually the Divisional/Area/Service BCPs (see
section 5.12);
• Ensuring sufficient training is given;
• Participating in exercises where appropriate; and
• Maintaining all relevant operational BCPs as they are developed, ensuring that
any significant service changes or risks are reflected in plans, and for
understanding all the requirements and responsibilities as detailed in the plans.

4.6 Departmental Managers/Team Leaders

Departmental Managers/Team Leaders are responsible for:

• Ensuring all their staff are familiar with their Divisional/Area/Service business
continuity arrangements and BCPs;
• Testing and exercising BCPs at least annually (see section 5.12);
• Ensuring sufficient training is given; and
• Participating in exercises where appropriate.

4.7 All Staff:

Staff will make themselves aware of their department’s BCP, and will participate in
training and exercises as required.

5 Main Policy Content

5.1 Business Continuity Lifecycle

To align with the required standards, and best practice, the Southern Health NHS
Foundation Trust (SHFT) Business Continuity Management (BCM) process will follow
the five stages of the BCM lifecycle. The five stages are:

• Understanding the organisation;
• Determining BCM Strategy;
• Developing and implementing the BCM Response;
• Exercising, maintaining and reviewing; and
• Embedding BCM in the organisation.

5.2 Business Continuity Objectives

In any situation, the primary Business Continuity objectives for the Trust will be to:

• Comply with legal, regulatory and contractual obligations;
• Ensure effective and competent incident management;
• Ensure Prioritised Activities/Services have been identified, are protected, and
their continuity made certain;
• Ensure staff are trained to respond effectively to an incident or disruption
through appropriate exercising;
• Understand the requirements of key stakeholders and maintain communication
with them;
• Maintain the safety and well-being of service users, staff and estates;
• Deliver an enhanced level of service to meet the extraordinary demands of an
evolving scenario;
• Ensure the supply chain is secured; and
• Contribute to whole System/Wide Area Resilience.

5.3 Business Impact Analysis

ALL Trust services in ALL Divisions will undertake a Business Impact Analysis (BIA)
using the SHFT Business Impact Analysis template (See Appendix 1).

Support and training in the use of the template will be provided by the Business
Continuity and Emergency Preparedness Officer.

The Business Impact Analysis element of the Business Continuity Management process
will analyse the functions/activities of the service and/or Division on the basis of not
performing that function.

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood
x impact) to services/business functions to identify which elements or functions of their
service are Priority Activities (critical). These are categorised using the Impact Matrix at
Page 5 within the BIA. Only those identified as RED, AMBER and YELLOW will be
captured within the BIA, as these could have a wider impact on the Trust and may
require support from the Trust and the Trust On-Call Director, whilst those identified as GREEN and
LIGHT GREEN can be supported internally by each Service and their On-Call Senior
Manager.

This categorisation system will enable the Division/Area/Service to identify all Prioritised
Activities and enables the Decision Maker, the Trust’s Incident Gold Commander, to
determine from a Trust wide perspective those services which need to be Enhanced,
Reduced or Suspended.

The number and complexity of Prioritised Activities/Services identified will determine the
subsequent level of support needed to be provided to the Division/Area/Service during an
incident. The necessary supporting resources for the delivery of the services will also be
analysed and identified, and during an incident this will be done via a dynamic process.

All services in all Divisions will review their BIA on an annual basis, on undertaking a
new service or service provider, post exercise and post incident.

5.4 Risk Assessment

All Trust services in all Divisions will undertake a Risk Assessment within the Trust’s
Business Impact Analysis template and guidance tools (See Appendix 1).

The Risk Assessment element of the process considers the services and supporting
resources identified in the BIA stage. The likelihood and impact of a variety of risks that
could cause disruption to these services is analysed with the focus being on the RED,
AMBER and YELLOW Prioritised Activities/Services, allowing services and/or Divisions
to prioritise their risk reduction activities.

For the identified RED, AMBER and YELLOW Prioritised Activities/Services, ALL
Divisions will analyse the impact of disruption and determine:

• The Maximum Tolerable Period of Disruption (MTPD) using the following
Standard List:

  - One hour
  - Four hours
  - One Day
  - One Week
  - One month

• The Recovery Time Objective (RTO) of a product, service or activity which must
be less than its MTPD, using the following Standard List:

  - One hour
  - Four hours
  - One Day
  - One Week
  - One month

• The minimum amount of appropriate resources (including staff, premises, IT,
equipment and information) in order to maintain those Prioritised
Activities/Services at a basic level and with the appropriate skills/level of
expertise required. This must include processes to identify persons with skills
which are not easily obtained from elsewhere within the Trust;
• Where key services are supplied by another organisation, whether it has in place any
reciprocal arrangements, whether they are available out of hours if
required, and whether there are mutual aid arrangements in place;
• The impact of particular resource losses and, where appropriate, to reference
this to the appropriate risk register; and
• Appropriate control measures that can be put in place to reduce the likelihood
of disruption, shorten the period of disruption, and limit the impact.

5.5 Business Continuity Plans (BCPs)

Having made the Business Impact Analysis and Risk Assessment, all services in all
Divisions will formulate their BCP as to how RED, AMBER and YELLOW Prioritised
Activities/Services will be restored in order to meet the determined RTOs.

BCPs will be:

• Comprehensive but easily understandable;
• Legal;
• Efficient;
• Achievable;
• Realistic;
• Risk Assessments as concise as possible and readily available when needed; and
• Easy to revise and update.

BCPs will form a key part of the Divisional Incident Response Plans. These plans and
the Trust BCP will also detail the mechanism for escalating business continuity incidents
to the Divisional Director and their On-Call Senior Manager to the Trust’s On-Call
Director to ensure incidents are managed at the appropriate level according to the level
of risk posed.

5.6 Southern Health NHS Foundation Trust Directorate and Service Business
Continuity Plans

Each Directorate and Service Area will complete a specific BCP resulting from the
Business Impact Analysis (BIA) carried out within their area of responsibility. The
purpose of this document is to provide a framework for an appropriate response and
therefore mitigate the impacts of business disruption on the operation and reputation of
the organisation by:

• Responding to a disruptive incident (incident response);
• Maintaining delivery of Prioritised Activities/Services during an incident (business
continuity); and
• Returning to Business as Usual (resumption and recovery).

5.7 Southern Health NHS Foundation Trust Trust-wide RED, AMBER and YELLOW
Prioritised Activities/Services

The Head of Compliance, Assurance & Quality and designated Emergency Planning
Manager will compile from the Service, Area and Divisional BCPs a Trust wide list of all
SHFT’s RED, AMBER and YELLOW Prioritised Activities/Services and the planned
responses to disruption.

This will be held at the Trust Incident Co-ordination Centre (ICC) as an Annexe to the
Trust Business Continuity Plan and form part of the On-Call Director’s Pack.

In the event of a major incident or emergency being declared the Trust’s Incident
Management Team (IMT) will use this plan during and after the event to support
decision making in maintaining the organisation’s Prioritised Activities/Services and to
bring back on line those services reduced or suspended as soon as reasonably
practicable.

5.8 Incident Identification

An incident or set of circumstances which might present a risk to the continuity of a
service might be identified by any member of staff. When an incident or set of
circumstances which might present a risk to the continuity of a service is identified, it is
important that the staff member identifying the incident knows what to do. In the initial
stages, this will involve making sure that the right people have been informed.

In the event of a minor incident, or one that can be dealt with using normal services and
resources available, managers and staff will manage the incident locally.

The table below outlines the Levels of Incident and the required action of Trust staff and
On-Call staff:

Level 1 – Minor incident / disruption

One or more of the following apply:

• The incident is not serious or widespread and is unlikely to affect business operations
to a significant degree
• No significant impact on patient safety
• The incident can be dealt with by relevant managers / implementation of service level
BCPs
• One or a small number of local BCPs are implemented
• A Priority Yellow Activity is likely to be disrupted beyond its RTO*

Actions to be taken:

• Divisional Manager On Call to notify relevant managers that disruption should be
managed by local BCPs

Level 2 – Minor incident / disruption

One or more of the following apply:

• The incident is expected to be fully resolved and closed within 24 hours
• Limited impact on patient safety
• The incident can be dealt with by relevant managers / implementation of service level
BCPs
• One or a number of local BCPs are implemented
• A Priority Yellow Activity is likely to be disrupted beyond its MTPD**
• A Priority Amber Activity is likely to be disrupted beyond its RTO*

Actions to be taken:

• Divisional Manager On Call to notify relevant managers that disruption should be
managed by local BCPs and notify appropriate Divisional Directors and Director On
Call

Level 3 – Significant incident / disruption

One or more of the following apply:

• The incident / disruption is likely to last longer than 24 hours
• Significant impact on patient safety
• Access to systems / services for more than 24 hours
• A number of services are seeking to activate local BCPs and management of the
incident using these does not seem viable
• A Priority Amber Activity is likely to be disrupted beyond its MTPD**
• A Priority Red Activity is likely to be disrupted beyond its RTO*

Actions to be taken:

• Activate local BCPs and this BCP if necessary
• Divisional Manager On Call to notify appropriate Divisional Directors and Director On
Call
• Divisional Manager On Call to closely monitor the situation
• Incident Management Team will be established if necessary and the Divisional
Manager On Call and Director On Call will determine the composition and set-up of this
Team

Level 4 – Major incident / disruption

One or more of the following apply:

• Disruption / loss of major or multi-occupancy sites
• Major impact on patient safety
• Major wide-scale incident in a geographical area affecting several services
• Significant disruption to business activities
• Local BCPs inadequate to deal with the incident
• Incident Management Team required to respond
• Possible Incident Response Plan activation
• A Priority Red Activity is likely to be disrupted beyond its MTPD**

Actions to be taken:

• Activate this BCP
• Divisional Manager On Call and Director On Call will establish an Incident Management
Team and will determine the composition and set-up of this Team dependent on the
type of incident / disruption.

* Recovery Time Objective
** Maximum Tolerable Period of Disruption

Important: Should the Director On Call decide at any time to invoke the Trust’s Incident
Response Plan then the continuing management of the business continuity incident will
be incorporated into the Major Incident management activities, structure and processes.
5.9 Incident Declaration

5.9.1 Normal Working Hours

During normal working hours, in the event of an incident, or set of circumstances which
might present a risk to the continuity of RED, AMBER and YELLOW Prioritised
Activities/Services, an Incident would be declared and the local BCP invoked by the
Divisional Director or Area/Service Manager with responsibility for the service affected.
If appropriate the Accountable Emergency Officer will declare a Major Incident or Major
Incident Standby in order to mobilise an effective response across the organisation and
ensure the involvement of partners where required.

5.9.2 Out of Hours

In the event of an incident, or set of circumstances which might present a risk to the
continuity of RED, AMBER and YELLOW Prioritised Activities/Services occurring
outside normal working hours, the Divisional On-Call Senior Manager would decide to
declare an Incident and invoke the ‘local’ BCP, informing the Trust On-Call Director. If
appropriate the On-Call Director will declare a Major Incident or Major Incident Standby
and invoke the Trust’s Incident Response Plan in order to mobilise an effective response
across the organisation and ensure the involvement of partners where required.

Both during normal working hours and out of hours the responsible Divisional Director,
Area/Service Manager or Divisional Manager on Call would:

• Start an incident log;
• Notify the Accountable Emergency Officer (in hours) and the On-Call Director of
the incident and response at the earliest opportunity;
• Notify the Director of Communications and Engagement (in hours). Out of hours
the Director on Call would notify the Communications on Call; and
• If out of hours, notify the Divisional Director, Area/Service Manager with line
management responsibility for the service at the earliest possible opportunity the
next working day.

Both in hours and out of hours, if the On-Call Director decides it is appropriate
to declare either a Major Incident or Major Incident Standby, the Trust’s Incident
Response Plan would then be followed.

5.10 Stand Down

The responsible Divisional Director, Area/Service Manager and out of hours Divisional
Manager on Call, would decide in consultation with the On-Call Director, and
Accountable Emergency Officer when an Incident can be stood down.

5.11 Recovery, Debrief, Lessons identified to Lessons learnt

The responsible Divisional Director or Area/Service Manager would be responsible for
leading a debriefing and review process to ensure organisational learning, through
identifying lessons to then be learnt:

• A review of the response by the service, area, division, organisation,
partners/other agencies is evaluated, from which lessons that are identified can
be highlighted and a timetable set for how those lessons will be learnt;
• Staff receive appropriate support to ensure their health, safety and well-being at
work;
• All areas of concern are addressed;
• All relevant documents are collated and a report prepared;
• Any additional training needs are identified and a timetable of when that will be
delivered;
• Staff are kept fully informed; and
• The local BCPs are reviewed and updated.

5.12 Document Management

Every BCP will be version controlled, and sent to the Trust Business Continuity and
Emergency Preparedness Officer who will collate a central register of Business
Continuity Plans and make these plans, together with this Policy available on the Trust
Intranet in the Emergency Planning section and/or on the Director On Call Sharepoint
site. The plan’s author is responsible for ensuring the most up to date version is
available and easily accessible within the Division and to its services.

5.13 Exercising

Trust wide exercises (unannounced, planned or table top) will be conducted as
described in the Trust’s Incident Response Plan (IRP).

Individual Divisions are responsible for ensuring that their BCPs are exercised. The
frequency of exercise will be dependent on the number of Prioritised Activities/Services
and the risk to them, and will be at the discretion of the Divisional Director. However all
BCPs should be exercised and reviewed annually by:

 Testing. Not all aspects of a plan can be tested, but crucial elements such as
the contact list and the activation process can;
 Discussion. Staff are brought together to inform them of the plan and their
individual responsibilities. Discussion allows problems and solutions to be
identified; (Lessons identified to be Learnt)
 Table-top. Staff take decisions as a scenario unfolds in the same way they
would in the event of a real Incident; and
 Live. Ranges from a small scale test of one component, such as evacuation,
through to a full scale test of all the components of the plan.

It is the responsibility of the BCP owner to implement the lessons identified into lessons
learnt/any actions required as a result of exercise.

6 Training Requirements

The Head of Risk and Business Continuity will ensure that Business Continuity
Management (BCM) is included in the Trust’s corporate induction risk management
training.

All managers will ensure that awareness of their Service/Area or Divisional BCP forms
part of the local induction process.

Staff with a Divisional lead role in BCM will be trained according to their level of need, as
per the Trust’s and Local Resilience Forum(s) Training Needs Analysis (TNA). See
Appendix 4.

Significant changes and updates to BCM requirements or processes will be notified
through the Trust’s Emergency Preparedness, Resilience and Response Working Group
(EPRR WG).

7 Monitoring Compliance

The Trust’s Emergency Preparedness, Resilience and Response (EPRR) Working
Group (WG) will monitor compliance with the Trust’s Business Continuity Management
arrangements.

Exceptions against the standards defined in this policy will be reported to the Assurance
and Risk Committee.

Business Continuity Management compliance will be included in the Annual Report for
Business Continuity and Resilience to the Assurance and Risk Committee.

Audits of Service/Area and Divisional BCPs will be initiated and carried out in
accordance with the Trust’s Annual Audit programme.

This Policy has been through an Equality Impact Assessment at Appendix 5.

8 Policy Review

This policy will be reviewed at least every three years or at any point within this time to
reflect organisational change, changes in legislation and/or guidance or following an
Incident.

9 Associated Documents

This document should be read in conjunction with the Trust’s:

 Incident Response Plan, associated plans and action cards;
 An Emergency Event: Guidelines on Managing the Workforce Issues;
 Risk Management Policy;
 Risk Management Strategy;
 Incident Management Policy;
 Health & Safety Policy;
 Climate Change Adaption Plan; and
 Investigation, Analysis and Learning Policy.

10 Supporting References

The following documents provide the regulatory and strategic context for this policy.
They make Business Continuity Management a legal requirement for Southern Health
NHS Foundation Trust, and describe expectations and good practice regarding
emergency preparedness and business continuity:

 Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency
Planning) regulations 2005;
 Humanitarian Assistance Guidance;
 Business Continuity Institute Good Practice Guidelines (2013);
 International Standards Organisation ISO: 22301: 2012;
 Health and Social Care Act 2008 (Regulated Activities) Regulations 2009;
 Care Quality Commission’s Essential Standards of Quality and Safety;
 Responding to Emergencies: The UK Central Government Response. Concept
of Operations 2010;
 NHS Resilience PAS 2015: Guidance for NHS-funded organisations 2010;
 Health and Social Care Act 2012;
 National Occupational Standards for Civil Contingencies: Skills for Justice;
 British Standards Institute PAS 2015 Framework for Health Services Resilience;
 NHS England Core Standards for Emergency Preparedness, Resilience and
Response 2013;
 NHS England Emergency Preparedness Framework 2014;
 NHS England Business Continuity Framework (Service Resilience) 2013;
 NHS England Business Continuity Policy Guidance;
 NHS England Business Continuity Management Toolkit; and
 Climate Change Act 2008.

Appendix 1

Directorate/Service name

Business Impact Analysis (BIA)

Date:

Southern Health NHS Foundation Trust Business Impact Analysis: template

Contents
1. Introduction
2. Supporting information
3. Department / team / service information
4. Prioritised Activities
5. Business Continuity Risks
6. Continuity Requirements Analysis
7. Staff Mapping Tool
8. Beyond the BIA


1. Introduction
This document has been adapted from the NHS England Business Continuity Management
Toolkit.

The purpose of the original document is to assist those who are developing a Business Continuity
Plan for their organisation. This version has been adapted for use within Southern Health NHS
Foundation Trust and for our NHS Funded providers.

This template is produced in the spirit of ISO 22301 & 22313 but focuses on the priorities
around which the NHS England EPRR Core Standards are set.

Further guidance on the wider subject of Business Continuity can be sought from:

 NHS England Region/Area/Directorate Business Continuity Leads
 The NHS England National Support Centre Business Continuity Team
 The NHS England Business Continuity Management Framework (service resilience) 2013
 The NHS England Preparedness Framework 2013
 ISO 22301 Societal Security - Business Continuity Management Systems – Requirements
 ISO 22313 Societal Security - Business Continuity Management Systems – Guidance
 PAS 2015 - Framework for Health Services Resilience
 Business Continuity & Resilience Manager – Southern Health NHS Foundation Trust
 Environmental Sustainability Manager – Southern Health NHS Foundation Trust

Southern Health NHS Foundation Trust will develop and maintain a Business Impact Analysis
(BIA) for each service. Included within this document are fields which relate to environmental
impacts. Please also complete these areas, as this will, in addition to supporting the BIA, also
support the Trust’s Environmental Strategies.

This document also contains a staff mapping tool that can be used to gather information to
facilitate workforce capability and capacity management in the event of a business disruption.


2. Supporting information
This section provides some background information to assist the EPRR leads to complete the
Business Impact Analysis (BIA).

NHS Mail

Provided by the Health and Social Care Information Centre

The disaster recovery solution is based on dual-site, geographically separated data centres with
active and standby nodes of all infrastructures in the primary data centre. Data is synchronised
across all three instances of the infrastructure so if a component fails in the primary data centre it
will fail over to the standby node in the same data centre. If the data centre suffers a full outage,
the service will fail over to the secondary data centre.

Buildings

Provided by SHFT or via NHS Property Services or Contracts with other providers
SHFT Estates and facilities will work with NHS Property Services to explore potential strategies
for managing a loss of building. EPRR leads are encouraged to discuss disaster recovery
locations with their local Estates and facilities lead. There may be local arrangements already in
place for providing alternative premises in the event of a building failure.

Business Continuity Risk

The key risks to the organisation achieving its objectives can be found in the Board Assurance
Framework along with the Board papers. Operational risks will be held within directorates.
Drawing on material from all directorates, an executive risk management group will have an
overview of significant risks, take actions where needed and bring the most significant strategic
risks to the attention of the Board. Remember Contingency Plans under the CCA are based on local
risks, of which the Trust must be aware and which it must include within the Risk monitoring
processes.

Therefore those Risks that are identified as part of the business continuity management process
should be managed in line with the organisation’s and directorates’ processes and procedures.

Prioritised activities

Prioritised activities are those to which priority must be given following an incident in order to
mitigate impacts. It may be that an activity can be suspended initially but later becomes a
priority, for example a task that must be completed at certain intervals rather than on a
continuous basis. Examples of prioritised activities are:

 Incident Response
 Media communications

Examples of activities that can be completed at certain intervals are:-

 Reporting to National Bodies
 Freedom of information requests
 Complaints
 Parliamentary questions


Examples of environmental impacts:-

 Pollution incident, for example spillage from oil storage tank
 Chemical spillage
 Noise pollution

Examples of climate change impacts:-

 Extreme weather events: flooding, heat wave, severe cold spell, storms


3. Department / team / service information


Reference Number:

1. Name of author:

2. Job title of author:

3. Author telephone and e-mail:

4. Date:

5. Business Continuity Lead:

6. Name and description of service and location:


4. Prioritised Activities

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact)
to services/business functions to identify which elements or functions of their service are Priority
Activities (critical).

Step One:

The first part of the Business Impact Analysis (BIA) process is to identify the core business and key
deliverables of the Directorate/Service. These are your Prioritised activities.

Prioritised Activities are those to which priority must be given following an incident in order to
mitigate impacts.

Step Two:

Using those Prioritised Activities that you have identified above, use the Impact Matrix at Page 9 to
identify what the impact score would be of each if they were affected.

Step Three:

Following the process at Step Two, now use Likelihood Matrix at Page 10 to identify what the
Likelihood score is of each of the Prioritised Activities being affected.

Step Four:

Using the scores from both Step Two and Three, map the scores for each Prioritised Activity into
the Likelihood x Impact Matrix at Page 11. Use this final score.

Step Five:

Only those identified as RED, AMBER and YELLOW will be captured within the BIA as these
could have a wider impact on the Trust and may require the support of the Trust and the
Trust On-Call Director.

Those identified as GREEN and LIGHT GREEN can be supported internally by each Service
and their On-Call Senior Manager.

The results from Step Four are then reflected in the table overleaf:


List the prioritised activities undertaken | Tick as appropriate: Red | Amber | Yellow | Responsible Officer

i.
ii.
iii.
iv.
vi.
vii.


Impact Matrix

Qualitative Assessment of Impact

Level | Descriptor | Description

1 Negligible
 Minor – first aid treatment.
 No environmental implications.
 No or very low financial loss i.e. under £1,000.
 No or very minor internal disruption to the overall service delivery or other
services.
 No impact on the organisation’s overall service delivery.
 No or very minor disruption to external services reliant upon them.

2 Minor
 Injury requiring first-aid treatment or temporary minor illness (less than 3
days lost).
 Minimal environmental implications.
 Failure to meet (local) departmental standards.
 Minimal loss of reputation.
 Moderate financial loss (£1k to £9k).
 Minimal business interruption.

3 Moderate
 Break of minor bone or temporary minor illness (3-7 days lost).
 Moderate environmental implications.
 Moderate financial loss (£10k to £49k).
 Moderate loss of reputation.
 Failure to meet organisational standards.
 Moderate business interruption.

4 Major
 Single death of any person/ Permanent serious illness/ disability.
 Extreme environmental implications.
 Extreme financial loss (£250k to £499k).
 Intermittent failure to meet national professional standards and/ or
statutory requirements.
 Extreme business interruption.

5 Catastrophic
 Multiple deaths involving any persons/ multiple permanent serious illness/
disability.
 Extreme financial loss (£500k+).
 Catastrophic business interruption.
 Sustained failure to meet national professional standards and/ or statutory
requirements.


Likelihood Matrix

Qualitative Assessment of Likelihood

Level Descriptor Likelihood (over 5 years)

1 Rare May occur in exceptional circumstances (less than 5% chance).

2 Unlikely Could occur at some time (6 – 25% chance).

3 Moderately unlikely The event should occur at some time (26 – 50% chance).

4 Likely The event will occur in most circumstances (51 – 75% chance).

5 Certain The event is expected to occur in the next 5 years.


Impact x Likelihood =

Impact / Likelihood | Rare | Unlikely | Moderately Unlikely | Likely | Certain
Catastrophic | 5 | 10 | 15 | 20 | 25
Major | 4 | 8 | 12 | 16 | 20
Moderate | 3 | 6 | 9 | 12 | 15
Minor | 2 | 4 | 6 | 8 | 10
Negligible | 1 | 2 | 3 | 4 | 5

Negligible Minor Moderate Major Catastrophic

Use the table overleaf to record the impact of the loss of an activity for different lengths of time
and identify where this length of disruption would be acceptable to the organisation and its
stakeholders. Using the Descriptors above, add a ‘Score’ to each and whether or not this will be
tolerable.


Impact of disruption to prioritised activities


Prioritised Activity | Length of disruption | Category of Impact (please tick) | Comment | Score¹ | Tolerable (Yes or No)

Categories of Impact: Service delivery; Financial; Reputation; Health and safety; Environmental;
Statutory or regulatory duty; Information security; Business objective; Supplier

i.
Up to ½ day
½ day to 1 day
1 day to 1wk
1wk to 1mth
1mth to 3mths

iii.
Up to ½ day
½ day to 1 day
1 day to 1wk
1wk to 1mth
1mth to 3mths

iv.
Up to ½ day
½ day to 1 day
1 day to 1wk
1wk to 1mth
1mth to 3mths

¹ 1=Negligible, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic

Some activities will be of greater priority at different points in the year, for example, certain financial processes will need to be prioritised at
financial year end.

Do your prioritised activities vary at different times of the month or year? Please explain


5. Business Continuity Risks


The table below is based on the NHS England Risk Register from the NHS Risk Management Policy
and Procedures and includes a number of scenarios that present a risk to the organisation. Consider
these scenarios and decide whether or not they present a risk to the prioritised activities that you
provide. For example, if your service is paperless it is unlikely that a loss of paper records will have an
impact.
Please add any other scenarios that are relevant to your service.

Which of the following hazards and threats are relevant to your department or service?
Ref | Hazard or threat | Y or N | Why?
1 | Fire or flood
2 | Loss of electronic records
3 | Loss of paper records
4 | IT systems/application failure
5 | Mobile telephony failure
6 | Major IT network outage
7 | Denial of premises
8 | Terrorist attack or threat affecting the transport network or office locations
9 | Theft or criminal damage
10 | Chemical contamination or pollution incident, such as oil spillage
11 | Serious injury to, or death of, staff whilst in the offices
12 | Significant staff absence or disruption to patient access due to severe weather or transport issues
13 | Infectious disease outbreak
14 | Simultaneous resignation or loss of key staff
15 | Industrial action
16 | Fraud, sabotage or other malicious acts
17 | Violence against staff
18 | Please add any other relevant threats

The Civil Contingencies Act (CCA) regulations and guidance (chapter 6, 6.74) identifies five broad
strategy options that could be considered when developing your risk reduction strategy:
 Do nothing: if the risk is deemed to be acceptable by senior management they may choose to
do nothing. This may be suitable for an event with a very low probability of occurrence, such as
an earthquake.
 Changing, transferring or ending the process: consideration must be given to fulfilling any
statutory duties and any insurance or reputation ramifications as a result of a third party failing to
deliver.
 Insurance: may provide some financial cover but cannot protect the reputation of the
organisation and other associated losses.
 Loss mitigation: putting in place procedures to eliminate or reduce the risk, such as installing
smoke alarms.
 Business Continuity Planning: putting in place arrangements that allow for the recovery and
continuity of key business processes within a pre-identified time frame.


Using the reference number from the left hand column of the table above, plot those risks identified against the Impact Matrix at page 8 and
the Likelihood Matrix below. This gives you an overview of the level of risk to your prioritised activities.

Risk Assessment

Ref | Hazard or Threat | Impact | Likelihood | RAG status | Senior Responsible Officer | Mitigating Actions | Residual risk | Risk Owner | Date reviewed | Date for review

Qualitative Assessment of Likelihood

Level Descriptor Likelihood (over 5 years)

1 Rare May occur in exceptional circumstances (less than 5% chance).

2 Unlikely Could occur at some time (6 – 25% chance).

3 Moderately unlikely The event should occur at some time (26 – 50% chance).

4 Likely The event will occur in most circumstances (51 – 75% chance).


6. Continuity Requirements Analysis


The purpose of this section is to identify what is required in order to deliver your prioritised activities and it is this information that will form the
basis of the recovery plan. This section must be completed where the risks to the service cannot be removed or reduced to an acceptable level
through other mitigating actions.

Prioritised Activity | Recovery time objective (RTO)² | Premises required to restore the service | Technology required to restore the service | Information required to restore the service | Recovery Point Objective (RPO)³ | Supplies required to restore the service | Stakeholders required to restore the service | Maximum Tolerable Period of Disruption (MTPD)⁴
i.
ii.
iii.
iv.
v.

Recovery Time Objective (RTO) and Maximum Tolerable Period of Disruption (MTPD). The following standards are ONLY to be used:

 One hour
 Four hours
 One Day
 One Week
 One month

² The RTO is the period of time following an incident within which an activity must be resumed and is always less than the MTPD.
³ The RPO is the point to which information used by an activity must be restored to enable the activity to operate on resumption.
⁴ The MTPD is the time frame during which a recovery must be effected before an outage compromises the ability to achieve the
organisation’s business objectives and/or survival, also referred to as the Maximum Acceptable Outage.

7. Staff Mapping Tool


The reason for mapping staff skills is to facilitate redeployment in an incident. If you have identified staff who ordinarily are involved in activities
that are not an immediate priority but have the appropriate pre-requisites to work in an immediate priority area the organisation would aim to
move them around in order to cover absence or supplement a team that is dealing with a sudden increase in workload.

This information will also be used to identify where, as an organisation, there is a shortage of certain essential skills so this can be
addressed.

In the table below you should list the minimum number of staff, skill-set, competencies and qualifications required to deliver prioritised activities.
If none of your activities fall into these categories please leave the table blank.

Prioritised Activity: | i. | ii. | iii. | iv. | v.
Business as Usual No. of Staff⁵
Minimum no. staff required
Skill / Competency / Qualification

⁵ The number of whole time equivalent (WTE) staff

Starting in the second column from the left, list the skills, competencies and qualifications required for the organisation’s highest priority
activities. This information will be gathered from each area completing the table above. The table below should be used to record the relevant
skills that are held by members of your department/team/service.

Employee Name Skill / Competency / Qualification


The final table asks for some personal and work information for each member of your department/team/service. This table must only be
completed with the explicit permission of the individual members of staff and the information included must be treated in confidence.

Employee Name | Main place of work (where does this employee usually work from) | Does the member of staff depend on public transport to get to work? (Yes or No) | Does the member of staff depend upon vehicle fuel to get to work? (Yes or No) | Can the member of staff work from another office location? (Yes or No) | Can the member of staff work from home with a work laptop and VPN (remote access)? (Yes or No) | Can the member of staff work from home using a personal computer? (Yes or No)


8. Beyond the BIA


This section explains how the information gathered through the BIA informs business
continuity planning.

Business Continuity Plan (BCP)

The BC plan will detail the alert, triggers for activation, activation process, roles and
responsibilities for Incident Commanders, Incident Managers, Incident Coordination Centre
operations, communications, recovery requirements, stand-down and resumption of
business as usual.

The BCP covers the three phases of an incident. The information gathered through the
BIAs will inform the business continuity phase of an incident by providing the decision
maker with an overarching situational status of the organisation and from which strategic
decisions can be made about which services will be Enhanced, Reduced or Suspended.

Source: PD 25888:2011

Incident Response Phase

Health organisations have to have an Incident Response Plan (IRP) in place for managing
the incident response phase of a business disruption. The IRP will be devised by the BC lead,
with the EPRR Working Group. EPRR leads should work with the Business Continuity and
Emergency Preparedness Officer to ensure that there is a coordinated approach.

Recovery and Resumption Phase

The BCP will provide a framework for managing the return to business as usual.

Appendix 2
Business Continuity Plan Template

Name of Division/ Area/ Service


Business Continuity Plan

Name of Division / Area / Service or Premise

Name of Plan’s owner

Job title of Plan’s owner

Owners telephone and email

Date

Section Title Page

1. Identifying Priority Activities / business functions

2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be
suspended for a period of time
3. Analysis of the impact of loss of key resources on Priority Activities / business functions

4. Risk avoidance and contingency measures

5. Minimum amount of resources (people, premises, technology, information, supplies and partners) to maintain
Prioritised Activities at a basic level and the skills/level of expertise required
6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

7. Key stakeholder contact details

8. Management arrangements

Appendix 1 Business Continuity Plan Template completion guidance

1. Identifying Priority Activities / business functions

Priority Activities / business functions | Assessment of risk if service ceases: Likelihood (1-5) | Impact (1-5) | Risk Score (L x I) | Outcome of Priority Activities ceasing

2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be
suspended for a period of time

Prioritised Activities that must be continued are as follows:

Services that could be scaled down if necessary are:

Priority Activities / business function | How the service could be scaled down

Services that could be suspended for a period of time are:

Priority Activities / business function | Number of days service function could cease

3. Analysis of the impact on essential Priority Activities / business functions of the loss of key resources

Resource | Affects Prioritised Activities: Yes/No | Assessment of risk if input ceases: Likelihood (1-5) | Impact (1-5) | Risk Score (L x I) | Outcome of input ceasing

People
Premises
Technology
Information
Supplies
Utilities:
 Electricity
 Gas
 Water
 Vehicle fuel
Partners
Beds
PICU (Psychiatric Intensive Care Unit) beds

4. Risk avoidance and contingency measures

Resource | Risk avoidance measures either in place or to be taken | Contingency measures either in place or to be taken in the event of a potential risk occurring | Lead responsibility | Date for completion

People
Premises
Technology
Information
Supplies
Utilities:
 Electricity
 Gas
 Water
 Vehicle Fuel
Partners
Beds
PICU (Psychiatric Intensive Care Unit) beds (if appropriate)

5. Minimum amount of resources (people, premises, technology, information, supplies, utilities, partners and beds)
to maintain Priority Activities at a basic level and the skills/level of expertise required

Priority Activities | Minimum resources to maintain Priority Activity at a basic level and the skills/ level of expertise required

6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

Order of service restoration | Priority Activities / business function | Recovery Time Objective (Target time) | Maximum Tolerable Period of Disruption (Target time)
1.

2.

3.

4.

5.

6.

Services that could continue to be suspended for a period of time

7.

8.

9.

10.

7. Key stakeholder contact details

Stakeholder | Contact number | Mobile number | Email address | Out Of Hours contact number | Out Of Hours mobile number | Out Of Hours email address

8. Management arrangements

To achieve business continuity it is vital that there are clear management lines within each Directorate.

Insert Hierarchy chart outlining Command Structure within the Directorate/Service Area

Appendix 3
Business Continuity Plan Template Completion Guidance

Introduction

This Business Continuity Plan template is an appendix to the Southern Health NHS Foundation Trust (SHFT) Business Continuity
Management Policy. The two documents should be read in conjunction with each other and with the SHFT Incident Response Plan.

Business Continuity Management (BCM) is part of the Emergency Preparedness, Resilience and Response arrangements and is a holistic
management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational
resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value
creating activities. BCM is about:

• Undertaking a Business Impact Analysis by analysing business functions and the effect that a business disruption might
have upon them to identify Priority Activities;
• Identifying the risks to the delivery of Priority Activities and the likely impact if they are affected;
• Planning how to mitigate against risk to Priority Activities and putting in place contingency arrangements to improve their
resilience; and
• Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption to Priority Activities, their Recovery
Time Objectives, the minimum resources required to deliver them, and the order of priority in which these and other
services should be restored to normal.

Prioritised Activities/Services are services which are necessary for the preservation of life or to ensure the health, safety and welfare of
patients and staff.

Maximum Tolerable Period of Disruption is the time duration after which an organisation’s viability will be irrevocably threatened if
product and service delivery cannot be resumed.

Recovery Time Objective is a target time set for the resumption of a product, service, activity or resource after an incident and is less
than the Maximum Tolerable Period of Disruption.

1. Identifying Prioritised Activities/ Services / business functions
and
2. Prioritised Activities/Services / business functions, and non-Prioritised Activities / business functions that could
be suspended for a period of time

Priority Activities and/or essential business functions are services which are necessary for the preservation of life or to ensure the
health, safety and welfare of patients and staff. Priority Activities are the elements of a service and its functions that must continue
to operate whatever difficulties are faced. To identify these each service lists the elements of their service and considers the effect
of ceasing to provide each element of their service or function on:

• Meeting the needs and ensuring the safety of patients, particularly Southern Health NHS Foundation Trust's (SHFT) most
vulnerable patients;
• Other health care providers and social care;
• The safety of estates and buildings;
• SHFT's statutory and legal responsibilities; and
• SHFT's reputation.

The Business Impact Analysis (BIA) in Appendix 1 enables a qualitative assessment of risk (likelihood x impact) to
services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are then
categorised using the Impact Matrix within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within
the BIA, as these could have a wider impact on the Trust and may require support from the Trust and the Trust On-Call Director,
whilst those GREEN and LIGHT GREEN can be supported internally by each Service and their On-Call Senior Manager.

The results of this exercise can then be recorded in two sections of the Business Continuity Plan Template: Section 1 (Assessment of
Priority Activities and/or essential business functions) and Section 2 (Priority Activities and/or essential business functions, and
non-Prioritised Activities and/or non-essential business functions that could be suspended for a period of time).

While it is recognised it is difficult to give 100% accurate figures, a robust informed estimate can be made.

3. Analysis of the impact on Priority Activities / business functions of the loss of key resources

There are a number of resources required to run a service that if lost could adversely affect service delivery. These include:

• People e.g. sickness due to seasonal or pandemic flu, carer responsibilities, part time/full time staff, distance/time staff travel to
work, specialist roles, number of military reservists;
• Premises e.g. fire, flood;
• Technology e.g. PCs, internet connections, telephone landlines;
• Information e.g. referrals in, patient records, access to clinical guidelines;
• Supplies and partners e.g. protective equipment, pharmaceutical supplies, disposable instruments, dressing packs, scales,
chairs, desks, examination lamps, clinical waste and sharp containers, screens, adjustable couches, catering, unique or long
lead time equipment;
• Utilities, e.g. electricity, gas, water, vehicle fuel;
• Stakeholders e.g. local authority, estates and facilities, IT, procurement team, pharmacy, ambulance service, GPs, acute
hospitals; and
• Beds, e.g. wards and capacity, emergency beds, PICU (Psychiatric Intensive Care Unit) beds etc.

Some services may have service specific risks to their Priority Activities e.g. a building from where services are delivered situated in an
area of high flood risk, a reliance on highly specialist equipment or staff.

Section 3 (Analysis of the impact on Priority Activities / business functions of the loss of key resources) in the Business Continuity Plan
Template, together with the Risk Matrix and Consequence Table in this document, enables a service to identify risks to their Priority
Activities if a key resource is lost, and to prioritise each risk.

4. Risk avoidance and contingency measures

Once the risks to Priority Activities and/or essential business functions have been identified and prioritised, risk avoidance and
contingency planning need to be considered. Risk avoidance is concerned with proactively putting measures in place to remove or
minimise a risk. These include:

• People e.g. staff flu vaccination, multi-skill training, ensuring more than one person has specialist skills, succession planning,
bank and agency staff;
• Premises e.g. alternative premises within the organisation or provided by other organisations, remote access, working from
home;
• Technology e.g. maintaining the same technology at different locations, holding older equipment as emergency replacement,
mutual aid agreements with other services, use of staff computers (Portwise access), use of staff mobile phones, additional
chargers;
• Information e.g. backing-up, hard copies, electronic copies, patient held records;
• Supplies and partners e.g. storage of additional supplies at another location, arrangements for the delivery of supplies at short
notice, identification of alternative suppliers, increasing the number of suppliers, ensuring service level agreements are in place
with suppliers who have business continuity capabilities (consider out of hours arrangements, cost implications of sudden
unexpected orders, prior approval, delivery times);
• Utilities, e.g. alternative premises, access to back-up generators, alternative heating and water provision arrangements, staff
travel to work in the event of vehicle fuel shortages etc.;
• Stakeholders e.g. strategies to manage relationships with stakeholders, special arrangements for the most vulnerable
patients/service users; and
• Beds (including PICU beds where appropriate), e.g. early discharges, alternative emergency bed capacity, transport of patients
for discharge and to alternative inpatient provision, access to medicines, beds, bedding, towels, chairs, catering etc.

Consider who has lead responsibility, and the date for completion, for any contingency measures yet to be put in place.

Section 4 Risk avoidance and contingency measures in the Business Continuity Plan Template enables a service to list the risk
avoidance and contingency measures it has adopted, or is going to adopt, for each of the Prioritised Activities if a key resource is lost.

5. Minimum amount of resources (people, premises, technology, information, supplies, utilities, partners and beds) to
maintain Priority Activities at a basic level and the skills/level of expertise required

Consider the resources required to maintain Priority Activities and/or essential business functions at an acceptable level. Again these
will include:

• People e.g. how many staff are required to deliver Priority Activities, what is the minimum staffing level, what skill/level of
expertise are required to undertake these activities?
• Premises e.g. what locations do Priority Activities operate from, what alternative premises are there, what facilities are essential?
• Technology e.g. is the service dependent on electrical medical equipment, what IT is essential, what systems and means of
communication are required?
• Information e.g. what information is essential, how is this information stored?
• Supplies and partners e.g. who are the priority suppliers/partners, are key services contracted out, are there mutual aid
arrangements in place?
• Utilities, e.g. electricity, gas, water, vehicle fuel; and
• Beds (including PICU beds where appropriate).

6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

Several Priority Activities and/or essential business functions may be lost at the same time. It is therefore important to decide the
order of priority in which services will be restored, and when, to ensure the impact of a disruption on patients, partners and staff is
minimised. The Minimum Tolerable Period of Disruption (MTPD) is the time duration after which an organisation’s viability will be
irrevocably threatened if product and service delivery cannot be resumed. The Recovery Time Objective is a target time set for the
resumption of a product, service, activity or resource after an incident and must be less than the MTPD.

Section 7 Recovery in the Business Continuity Plan Template enables a service to agree in what order its Priority Activities and non-
Priority Activities and/or business functions, will be restored and when.

7. Key stakeholder contact details

All Business Continuity Plans (BCPs) should contain, or provide a reference to, the contact details for all key stakeholders:

• Team members e.g. all those staff involved in the implementation of the plan;
• Internal e.g. people, managers, staffing agencies, premises, estates, IT, suppliers;
• External e.g. local GPs, hospitals, social services; and
• Patients/carers/families.

This should include how to contact stakeholders out of hours. The data protection of personal information, for example patient contact
details and private telephone numbers, should be ensured.

Section 7 Key stakeholders contact details in the BCP Template enables a service to list its key stakeholder contact details.

8. Management arrangements

All Business Continuity Plans (BCPs) should contain a description of their service’s management and on call arrangements. This
should be in the form of a diagram of departmental through to Divisional management arrangements.

Section 8 Management arrangements in the BCP Template enables a service to describe its management and on call arrangements.

9. Exercise and review

All Business Continuity Plans (BCPs) should be validated annually by exercise and reviewed to ensure they are effective and up to
date.

The frequency of exercise and review will depend on the rate of change to a service, its risk profile, and the outcomes of previous
exercise and review i.e. if particular weaknesses have been identified requiring changes to be made.

There are four main types of exercising:

• Testing. Not all aspects of a plan can be tested, but crucial elements such as the contact list and the activation process can;
• Discussion/walkthrough. Staff are brought together to inform them of the plan and their individual responsibilities. Discussion
allows problems and solutions to be identified;
• Table-top. Staff take decisions as a scenario unfolds in the same way they would in the event of a real incident; and
• Live. Ranges from a small scale test of one component, such as evacuation, through to a full scale test of all the components of
the plan.

BCPs must be exercised and reviewed annually, and any actions required as a result of this process implemented. In addition, BCPs
must be reviewed following restructuring, changes to the method of delivery of Prioritised Activities, statutory changes, lessons learnt as
a result of an incident, or changes to key staff.

Exercise and review is the responsibility of the Plan’s owner.

Appendix 4
Training Needs Analysis (TNA)

Training Programme | Frequency | Course Length | Trainer(s) | Delivery Method | Recording Attendance | Strategic & Operational Responsibility
Business Continuity Management Awareness | Once at Induction | As part of the Governance and Risk Management induction session | Governance/ Business Continuity Team | Presentation; Face to face | LEaD | Strategic: Accountable Emergency Officer; Operational: Head of Risk and Business Continuity
Divisional/ Area/ Service Business Continuity Plans | Once at Induction and at least annually thereafter | As part of the local induction process and routine exercising (see section 5.12) | Line manager | Face to face | Line manager (LEaD in the future) | Strategic: Appropriate Director; Operational: Line manager
Business Continuity Management for Divisional/ Area/ Service Business Continuity Leads | Once on appointment to Divisional/ Area/ Service lead role for Business Continuity and yearly thereafter | Three hours | Head of Risk and Business Continuity/ Business Continuity Team | Face to face | LEaD | Strategic: Accountable Emergency Officer; Operational: Head of Risk and Business Continuity
Business Continuity Management for staff responsible for developing local service Business Continuity Plans | Once at induction and 2 yearly thereafter | Two hours | Divisional/ Area/Service Lead for Business Continuity | Face to face | LEaD | Strategic: Accountable Emergency Officer; Operational: Head of Risk and Business Continuity
Directors on Call | Once on joining the rota and yearly thereafter | One hour | Head of Risk and Business Continuity/ BC Team | Face to face | LEaD | Strategic: Accountable Emergency Officer; Operational: Head of Risk and Business Continuity

Target Audience

Directorate | Division
MH/LD | Adult Mental Health; Learning Disabilities; Older Persons Mental Health; Specialised Services; TQtwentyone
ICS | Adults; Children’s & Wellbeing; Dental
Corporate Services | All (HR, Finance, Governance, Estates etc.)

All staff to attend Corporate and Service Induction Sessions.
Divisional/Area/Service leads for Business Continuity to attend Business Continuity Management training.
Divisional/Area/Service leads for Business Continuity to train staff responsible for the development of
local service Business Continuity Plans

Appendix 5
Equality Impact Assessment

Equality Impact Assessment (or ‘Equality Analysis’) is a process of systematically analysing a new
or existing policy/practice or service to identify what impact or likely impact it will have on protected
groups.

It involves using equality information, and the results of engagement with protected groups and
others, to understand the actual effect or the potential effect of your functions, policies or
decisions. The form is a written record that demonstrates that you have shown due regard to the
need to eliminate unlawful discrimination, advance equality of opportunity and foster good
relations with respect to the characteristics protected by equality law.

For guidance and support in completing this form please contact a member of the Equality
and Diversity team

Name of policy/service/project/plan: Business Continuity Management Policy

Policy Number: SH NCP 67

Department: Quality and Governance

Lead officer for assessment: Head of Risk and Business Continuity

Date Assessment Carried Out: January 2015

1. Identify the aims of the policy and how it is implemented.

Key questions | Answers / Notes

Briefly describe purpose of the policy including
• How the policy is delivered and by whom
• Intended outcomes

The Business Continuity Management Policy has been developed to provide the strategic framework
for Business Continuity Management across the Trust and describes the Trust’s Business
Continuity Management programme. The aim is to ensure the Trust meets its legal obligations to
protect Prioritised Activities against potential disruption as a result of incidents and emergency
situations. The Policy therefore applies to all staff. All Staff are made aware of the policy and its
content during mandatory staff Induction Training.

The Head of Business Continuity and Resilience has lead operational responsibility for the
implementation of the policy.

The Policy is publicly available on the Trust Web site and Staff Intranet.

2. Consideration of available data, research and information

Monitoring data and other information involves using equality information, and the results of
engagement with protected groups and others, to understand the actual effect or the potential
effect of your functions, policies or decisions. It can help you to identify practical steps to tackle
any negative effects or discrimination, to advance equality and to foster good relations.

Please consider the availability of the following as potential sources:

• Demographic data and other statistics, including census findings
• Recent research findings (local and national)
• Results from consultation or engagement you have undertaken
• Service user monitoring data
• Information from relevant groups or agencies, for example trade unions and
voluntary/community organisations
• Analysis of records of enquiries about your service, or complaints or
compliments about them
• Recommendations of external inspections or audit reports

Key questions | Data, research and information that you can refer to

2.1 What is the equalities profile of the team delivering the service/policy?
All staff members, contractors, visitors and volunteers should comply with this Policy.
The Trust’s Equality and Diversity team report on workforce equality monitoring data on an
annual basis and this information is available if required.

2.2 What equalities training have staff received?
All Trust staff have a requirement to undertake Equality and Diversity training as part of
Organisational Induction (Respect and Values) and E-Assessment

2.3 What is the equalities profile of service users?
The Trust’s Equality and Diversity team report on Trust patient equality data profiling on an
annual basis and this information is available if required.

2.4 What other data do you have in terms of service users or staff? (e.g. results of customer
satisfaction surveys, consultation findings). Are there any gaps?
The Quality and Safety Committee is a Sub-Committee of the Trust Board, and therefore has a
responsibility to receive and scrutinise assurance,
and provide onward assurance to the assurance and Audit Committees and Trust Board.

It monitors business continuity management as part of risk management processes to ensure that
these are working correctly.

Delegated responsibility for specific areas of business continuity management is held by
the following groups:

• Local Divisional / Directorate / Business and Governance Groups
• Health and Safety Committee
• Trust EPRR WG

2.5 What internal engagement or consultation has been undertaken as part of this EIA and with whom?
What were the results? Service users/carers/Staff
This Section requires completion following completion of the Policy consultation. The EIA will
be sent out as part of the policy consultation process.

2.6 What external engagement or consultation has been undertaken as part of this EIA and with whom?
What were the results? General Public/Commissioners/Local Authority/Voluntary Organisations
The Trust has embraced the Equality Delivery System and will drive forward a strong
engagement plan to involve and communicate with staff and patients so that they can share their
skills and expertise on key issues affecting service delivery.

In the table below, please describe how the proposals will have a positive impact on service users or staff. Please also record any
potential negative impact on equality of opportunity for the target:

In the case of negative impact, please indicate any measures planned to mitigate against this:

Table columns: Positive impact (including examples of what the policy/service has done to promote equality) | Negative Impact | Action Plan to address negative impact (Actions to overcome problem/barrier | Resources required | Responsibility | Target date)

Age
Positive impact: Appropriate action is taken to ensure that the work environment is conducive to the needs of all our staff and service users.
Negative impact: No negative impacts have been identified at this stage of screening

Disability
Positive impact: The Trust will support staff with a disability and provide reasonable adjustments. Personal Emergency Evacuation Plans (PEEPs) are available to ensure the safety of staff and patients. The Trust has conducted Disability Access Audits on its services. The Trust will provide appropriate interpreting and translation services to respond to requests for information in alternative formats.
Negative impact: There is a potential negative impact in making assumptions about the health and safety implications of a person’s disability as it might not make a difference to business continuity management. People hiding a disability that might have business continuity implications.
Actions to overcome problem/barrier: The equality and diversity team will provide support and guidance to the Trust
Resources required / Responsibility: Equality and Diversity Team; Estates Department

Gender Reassignment
Positive impact: The ethical framework used by the Trust will ensure each staff member’s and patient’s privacy and confidentiality are preserved
Negative impact: No negative impacts have been identified at this stage of screening

Marriage and Civil Partnership
Negative impact: No negative Impacts identified at this stage of screening.

Pregnancy and Maternity
Positive impact: The Trust will ensure risk assessments are undertaken for all new and expectant mothers to ensure preventative measures are undertaken where significant risks to business continuity are identified.
Negative impact: No negative impacts have been identified at this stage of screening

Race
Positive impact: The Trust responds positively to requests of information in alternative formats. The Equality and diversity Lead can be contacted for information on Interpreting and Translation services
Negative impact: No negative Impacts identified at this stage of screening

Religion or Belief
Negative impact: No negative Impacts identified at this stage of screening.

Sex
Negative impact: No negative Impacts identified at this stage of screening.

Sexual Orientation
Positive impact: The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved.
Negative impact: No negative Impacts identified at this stage of screening
