BCP (Business Continuity Plan)

Upload: arbyjames

Post on 13-Apr-2018


  • 7/27/2019 BCP ( Business Continuity Plan)

    1/34


    Incident recovered no further action necessary

    Incident/Event 218

    Contact support dept/external service provider as appropriate to assess situation e.g. Estates as outlined in Step 1 in the Risk Assessment tool for Service Interruption

    Initial assessment in liaison with person reporting, support department & Dept head. Will it affect service delivery?

    Yes

    Report to on Director of Operations

    No

    Manage incident and the recovery within department

    Has there been full recovery of the system affected

    No

    Yes

    Support Dept/Facilities Management Co. and Risk Management to assess impact using Step 2 & 3 of RA tool in liaison with site support lead as necessary. Is impact significant?

    No

    Impact Minor

    System remains down

    Contact Director or Assistant Director and agree management lead

    Support Dept/external service Provider e.g. Estates to notify relevant Heads of Dept

    Agreed Management lead

    Implement Contingency Plan in liaison with other specialist personnel as required. Consider a need to involve external agencies. NB Regular reports and major developments must be communicated

    Agreed support dept lead

    Communication and Reporting arrangements for incidents involving interruption to Hospital services

    Yes

    Initiate post incident review process in liaison with Major Incident Group

    Agree incident plan

    Office Hours Mon-Fri 0900-1700hrs

    MG4/04

    If significant consider escalating to Major incident plan


    Communication and Reporting arrangements for incidents involving interruption of Hospital Services

    Contact appropriate on-call staff, Estates, IT

    Yes

    Contact on-call Executive Director

    Incident recovered no further action necessary

    System remains down

    Contact Director or Assistant Director to agree management lead

    No

    Initial assessment in liaison with person reporting incident using step 1 of the risk assessment tool for Service Interruption. Will it affect service delivery?

    Incident/Event

    218

    Out of hours 1700-0800hrs and weekends

    Has there been full recovery of the system affected

    No

    Yes

    Manage incident and the recovery

    Initiate post incident Review process in liaison with Major Incident Group

    Support Dept/Facilities Management and on-call Executive Director to liaise to assess potential impact using Step 2 & 3 of RA tool in liaison with site support lead as necessary. Is the impact significant?

    Yes

    Agreed management lead

    Support Dept/external service provider e.g. Estates/Facilities Management, to notify relevant heads of Dept

    Agreed support Dept lead

    Implement Contingency Plan in liaison with other specialist personnel as required. Consider the need to involve external agencies. NB Regular reports and major developments must be communicated to Incident management team

    No

    Impact Minor

    Agree incident plan

    If significant consider escalating to Major Incident Plan


    Appendix 2

    Risk Grading Matrix and Assessment Tool

    Risk Grading Matrices (Adapted from AS/NZS 4360:1999 Risk Management Standard)

    The Matrices below are not exhaustive, but are intended as a broad guide to interpretation of the consequence and likelihood scores. They are intended to support the application of professional judgement in relation to specific risk issues.

    Table 1 Qualitative measures of consequence or impact

    Level | Descriptor | Example detail description
    1 | Insignificant | No injuries, low financial loss
    2 | Minor | First aid treatment, situation immediately contained, financial loss below 5k
    3 | Moderate | Medical treatment required, some loss of service capability, situation contained with difficulty or with outside assistance, breach of regulation, inability to achieve important target, high financial loss 5-49k, local adverse publicity/loss of confidence in the Trust
    4 | Major | Extensive and lasting injuries or illness to individual or group, significant loss of service capability, situation contained with significant difficulty, significant breach of regulation, inability to achieve key target, major financial loss >50k, national adverse publicity/major loss of confidence in the Trust
    5 | Catastrophic | Death, significant threat to the general public, service closure, financial loss >500k, national or international adverse publicity/severe loss of confidence in the Trust.

    Table 2 Qualitative measures of likelihood

    Level | Descriptor | Description
    5 | Almost certain | Is expected to occur in most circumstances
    4 | Likely | Will probably occur in most circumstances
    3 | Possible | Might occur at some time
    2 | Unlikely | Could occur at some time
    1 | Rare | May occur only in exceptional circumstances

    Table 3 Qualitative Risk analysis matrix - level of risk

    The overall Risk Rating, which indicates level of risk, is calculated by multiplying the scores from Tables 1 and 2 above.

    Likelihood / Consequences | Insignificant 1 | Minor 2 | Moderate 3 | Major 4 | Catastrophic 5
    5 (almost certain) | 5 - M | 10 - H | 15 - H | 20 - V | 25 - V
    4 (likely) | 4 - L | 8 - M | 12 - H | 16 - V | 20 - V
    3 (moderate) | 3 - L | 6 - M | 9 - M | 12 - H | 15 - H
    2 (unlikely) | 2 - L | 4 - L | 6 - M | 8 - M | 10 - H
    1 (rare) | 1 - L | 2 - L | 3 - L | 4 - L | 5 - M

    Legend
    V - Risk Rating 16-25: Very high - Executive Director involvement and action plan needed.
    H - Risk Rating 10-15: High risk - Management Executive and Senior Management attention and action plan needed.
    M - Risk Rating 5-9: Moderate risk - Management responsibility and controls must be specified.
    L - Risk Rating 1-4: Low risk - Manage by routine procedures.


    Appendix 3

    SERVICE CONTINUITY PLAN

    Directorate/Department

    Author

    Date

    Person responsible for review

    Date for review


    Appendix 3.1 Service Continuity Plan

    Business impact analysis to be completed electronically by service/department manager.

    Name of service / department:

    Name of person(s) completing this document:

    About your Work Area

    Location and address(es):

    Floor and room numbers (if appropriate):

    Does your department / service work from any other location?

    Yes:

    No:

    If Yes, please give details:

    Details of potential alternative work area/building, e.g. could you work from another identified building:

    Staff

    How many staff are in your service / department:


    Please list the services you provide:

    Please list the core service functions your department / service provides (this list needs to be comprehensive and cover each function of your service). Please highlight any critical service functions in bold to distinguish them from the non-critical core functions:

    *Critical means an essential service function that must be maintained at all times to ensure the safety of patients (e.g. care of inpatients, ITU). If in the event of a major incident (e.g. fire, flood at the Trust) you are able to cancel a service function for a day/s then the function should not be defined as critical (e.g. child health clinic or podiatry clinic).

    Who is ultimately responsible for the service:

    Suppliers and Stakeholders

    Who are your stakeholders / patients / customers - i.e. who depends upon your service:

    Are there any suppliers to your service upon whom you depend:

    Supplier: | What do they supply:


    Loss of Service Impact Analysis

    How would loss of your service impact on: Score 1-5 (5 high impact, 1 low impact):

    EHT/NHS departments
    Patients/Community
    (Other) Independent Contractors
    Other services you provide
    Finances
    Reputation

    Please estimate which services would be required or need to be provided in relation to the following timeframes if disrupted / interrupted:

    *e.g. you may assess that in the event of an incident 10% or no service must be maintained for up to a week without detriment to patient safety, but after that a limited service (20%) must be offered.

    Timeframe: | % level of total service: | Which service functions and why:
    1 hour
    1 day
    2-6 days
    1 week or more (protracted incidents)
    1 month or more

    Would the level required vary at different times of the month/year, please state why:


    Resource Requirements

    Staff

    To answer this question, please bear in mind your answers to the last two questions. Your service might for instance, have 25 staff but you may only need, say 8 staff, to run a very basic service, although those 8 staff may be needed within 24 hours, or to work continuously.

    Time: | Number of staff required: | Could any of these staff work from home? Please indicate how many: | Would they need IT equipment to work from home? If Yes, please indicate what would be required: | Would they need any other specialist equipment in order to operate from home? If so, state what they would need:
    First 24 hours of disruption
    24-48 hours
    48 hours - 6 days
    1 week - 2 weeks
    2 weeks plus


    ICT

    What software would be required (e.g. what systems does your service / team use):

    First 24 hours | 24-48 hours | 48 hours - 6 days | 1 week - 2 weeks | 2 weeks plus

    Vehicles

    Please note any vehicles required:

    First 24 hours | 24-48 hours | 48 hours - 6 days | 1-2 weeks | 2 weeks plus

    Specialist equipment

    Please note any equipment required that is not identified elsewhere in this questionnaire.

    First 24 hours | 24-48 hours | 48 hours - 6 days | 1-2 weeks | 2 weeks plus


    How much IT equipment does your team have?

    PCs | Laptops | Printers | Other IT equipment (please describe)

    How many of these would be required immediately in an incident and thereafter?

    First 24 hours: PCs | Laptops | Printers | Other
    24 - 48 hours: PCs | Laptops | Printers | Other
    48 hours - 6 days: PCs | Laptops | Printers | Other
    1 2 w: PCs
    2 weeks plus: PCs | Laptops | Printers | Other

    Is there any other equipment required for your service? (for example, digital cameras, clinical equipment, etc.) Please note both equipment and amount required

    First 24 hours | 24 - 48 hours | 48 hours - 6 days | 1 week - 2 weeks


    Data

    What information do you need for your service to operate, and where is it held?

    Please state what the data is:

    Description of data

    Format of data (E = electronic, P = Paper)

    Where is the data stored (please be specific room and floor where relevant)

    How much of this data do you hold (see definitions below)

    If you are not the data owner, who is and how is this managed?

    What is thimportance

    this data? C, D or E? (

    definitions be

    Amount | Definition
    Small | Less than half a dozen paper files; less than a dozen floppy disks
    Medium | More than half a dozen paper files; more than one dozen floppy disks or more than one CD
    Large | More than one dozen paper files; more than half a dozen CDs

    Importance | Definition
    A | Necessary for legal reasons / statutory obligations
    B | Loss would have an unacceptable effect on finances
    C | Necessary for acceptable delivery of service
    D | None of the above
    E | All of the above


    Essential documentation

    Does your service / team use particular stationery without which it would be difficult to function? Examples can include letterhead paper, or forms for specific purposes.

    Item


    Appendix 3.2 Service Continuity Plans

    Service / Department:

    Directorate:

    Form completed by: Date: Date for review (annual revie

    Core Function / Service

    (list critical core functions first & highlight in bold).

    Resources Required to Deliver Core Function / Service (e.g. departmental premises, staff, equipment)

    Risks Associated with Loss of Core Function

    Actions Required to Mitigate Risks

    ContingenCore Funborrowingalternative

    Core function 1

    Core function 2

    Core function 3


    Risk Assessment Tool for Service Interruption

    Step 1 Using table 1 measure the impact of the event or failure of the and score as indicated

    Table 1 Qualitative measures of consequence or impact

    Level | Descriptor | Example detail description
    1 | Insignificant | No injuries, low financial loss
    2 | Minor | First aid treatment, situation immediately contained, financial loss below 5k
    3 | Moderate | Medical treatment required, some loss of service capability, situation contained with difficulty or with outside assistance, breach of regulation, inability to achieve important target, high financial loss 5-49k, local adverse publicity/loss of confidence in the Trust
    4 | Major | Extensive and lasting injuries or illness to individual or group, significant loss of service capability, situation contained with significant difficulty, significant breach of regulation, inability to achieve key target, major financial loss >50k, national adverse publicity/major loss of confidence in the Trust
    5 | Catastrophic | Death, significant threat to the general public, service closure, financial loss >500k, national or international adverse publicity/severe loss of confidence in the Trust.

    Table 2 Estimated Timescales

    Step 2 Measure the impact of the event or failure at the time it will cause a significant impact on service, i.e. if water supply is turned off the impact will be significant within 1hr and will score level 5

    Level | Time Scale in Hours
    5 | 1hr
    4 | 2hrs
    3 | 4hrs
    2 | 6hrs
    1 | 12 hours

    Step 3 The overall Risk Rating, which indicates level of risk, is calculated by multiplying the scores from tables 1 and 2 above.

    Table 4 Qualitative Risk analyses Matrix - level of risk

    Timescales level score / Consequence or Impact | Insignificant 1 | Minor 2 | Moderate 3 | Major 4 | Catastrophic 5
    5 | 5 - M | 10 - H | 15 - H | 20 - V | 25 - V
    4 | 4 - L | 8 - M | 12 - H | 16 - V | 20 - V
    3 | 3 - L | 6 - M | 9 - M | 12 - H | 15 - H
    2 | 2 - L | 4 - L | 6 - M | 8 - M | 10 - H
    1 | 1 - L | 2 - L | 3 - L | 4 - L | 5 - M

    Legend

    Risk Rating | Response times to incident | Descriptor
    V 16-25 Very high | 5mins | Executive involvement. Consider implementing MIP
    H 10-15 High-risk | 10mins | Implement Contingency plans as appropriate
    M 5-9 Moderate Risk | 30mins | Action plan and management specified
    L 1-4 Low Risk | 60mins | Manage by routine procedures

    Escalate and agree contingency plan and response time based on this risk assessment.
    Refer to specific scenario guidance to inform step 2 assessments.
