ABRIDGED
CONFIDENTIAL
2012
DRAFT
Nicola Kelly
Project Manager HRCS
03/10/2012
Business Continuity Plan
CONTENTS
1.0 PLAN OVERVIEW
1.1 Purpose of this Plan
1.2 Scope of Functions Covered by this Plan
1.3 Scope of Disasters and Failures Covered by this Plan
1.4 Objectives of this Plan
2.0 ROLES AND RESPONSIBILITIES
2.1 Management Arrangements
2.2 Coordinating Group Leader
2.3 Directorate/Location Contingency Teams
2.4 Directors
2.5 Other Key Roles
3.0 NOTIFICATION, INVOCATION AND ESCALATION POLICY
3.1 Invoke Emergency Response/Business Continuity Plan
3.2 Incident Discovery
3.3 Unavailability of Premises
3.4 Unavailability of Staff
3.5 Unavailability of Information & Communication Technology (ICT)
3.7 Outbreak of Pandemic
3.8 Interruption of Power Supplies
3.9 Adverse weather conditions
3.10 A combination of the above scenarios
4.0 COMMUNICATION STRATEGY
4.1 Corporate Communications
4.1.1 Coordinating Group Co-ordination
4.1.2 Contingency Site Arrangements
4.1.3 Provision of common resources
4.1.4 Reliance on ICT for provision of services
4.1.5 Scenarios
4.1.6 Corporate Business Continuity Support Response Plan
4.2 Communication to Staff
4.2.1 SMS messaging/conference call system
4.3 Communication to Clients
4.4 Communication to Public and Media
4.5 Communication to Next of Kin
4.6 Communication to Third Party Service Providers / External Parties
5.0 INCIDENT ADMINISTRATION AND FOLLOW UP
5.1 Recording and Reporting Incidents
Incident Recording
Incident Report
Business recovery incident report
5.2 Exercising, Maintenance and Review
5.3 Embedding Business Continuity in the Organisation’s Culture
6.0 CRITICAL ACTIVITIES RECOVERY PLANS
6.1 Critical Priorities
6.1.1 Priority One Services
6.1.2 Priority Two Services
6.1.3 Priority Three Services
6.1.4 Priority Four Services
6.2 Critical Activities Recovery Plans
APPENDICES
Annex 9 - Quick Guides (page 375 of unabridged BCM Manual)
Annex 10 - Policy on Business Continuity Management
1.0 Plan Overview
1.1 Purpose of this Plan
This Business Continuity Plan (BCP) is designed to deliver a strategy capable of managing the Organisation during situations when our ability to perform core functions is seriously compromised. In order to give Directorates maximum flexibility to respond to such incidents, both internal and external threats against business continuity must be identified. In this regard, a concrete recovery strategy can be established to mitigate concerns and ensure organisational stability during unforeseen disruption.
At such times when communications may be considered inadequate, scope for initiative by Directors and Unit managers must be in place to clarify those areas of responsibility, and those tasks regarding corporate functions. Ultimately, the overall aim of this Plan is to ensure that Business Continuity prevails over circumstances beyond the Organisation’s control.
NOTE: This document should be read in conjunction with the BSO Pandemic Response Plan and the HSC ICT Contingency Plan, which are contained in the Appendices.
1.2 Scope of Functions Covered by this Plan
The scope of this Plan covers all of the functions of the Organisation.
The Directorates/Business Units covered are:
a) Service Functions
1. Operations
Family Practitioner Services (FPS Medical, Dental, Pharmaceutical & Ophthalmic Services, Information & Research Unit)
Counter Fraud and Probity Services (CFPS)
HSC Pensions
Procurement and Logistics Service (PaLS)
Information Technology Services (ITS)
2. Legal Services (DLS)
3. Office for Research Ethics Committees (OREC)
4. Equality Unit
5. Internal Audit
6. Leadership Centre
7. Clinical Education
b) Support Functions
1. Finance
2. Human Resources & Corporate Services
3. Customer Care and Performance
Early analyses of Response Plans for individual directorates indicate a high degree of dependency on the availability of Information and Communication Technology (ICT), and in many cases the course(s) of action to be taken is/are almost wholly determined by how long staff will be without access to systems and data. ICT Business Continuity arrangements are, therefore, outlined in a separate section in this document (see Annex 7), forming part of the corporate Business Continuity functions.
1.3 Scope of Disasters and Failures Covered by this Plan
The most likely scenarios to trigger an emergency response are:
(1) Unavailability of Premises
(2) Unavailability of Staff
(3) Unavailability of Information & Communication Technology (ICT)
(4) Outbreak of Pandemic (e.g. avian influenza)
(5) Interruption of Power Supplies (e.g. power outage)
(6) Adverse weather conditions
(7) A combination of the above scenarios
The means by which the Organisation is alerted to the above situations will differ, as will the responses (See Section 5.2).
1.4 Objectives of this Plan
The objectives of this Plan and service continuity procedures are to:
ensure that our service contribution and level of support to the HSCNI is maintained, regardless of operational disruptions
proactively identify, rectify and restore operational disruptions within the Organisation in the shortest feasible timeframe
promptly re-establish compromised services with all pertinent stakeholders to the levels defined in the Service Level Agreements (SLA)
prioritise compromised services in a manner which inflicts the least overall disruption to the HSCNI
learn from previous service continuity incidents and update the Plan accordingly, in order to improve the Organisation’s long term resilience against unanticipated service interruptions
2.0 Roles and Responsibilities
2.1 Management Arrangements
The Senior Management Team (SMT) will act as the Coordinating Group (CG) in managing the responses to the emergency situation. In its coordinating role the SMT will ensure the provision of essential services. The Chair of the Coordinating Group will be the Chief Executive. In the event that the Chief Executive is not available, this role will transfer to the Director of Human Resources and Corporate Services and in extremis to the other directors in the following order:
Director of Finance
Director of Operations
Director of Customer Care & Performance
Director of Legal Services
Membership of the CG comprises 1 nominated key member and deputy from each Directorate/Location. Contact details are recorded in Directorate Key Contact Lists. The CG will convene at the agreed Control Centre, its responsibilities including:
Responsibilities | Reference
Oversee and manage the Corporate Response Plan | Section 5.0
Act as sole point of communications in respect of Key Contact Lists | Appendix 2
Ensure communications channels are maintained throughout the Incident with Directorate/Location Contingency Team | Section 5.0
Coordinating Group members and their deputies are appointed on the basis of their capability to carry out the responsibilities above. They hold the Internal and External Key Contact Lists, i.e. hard copy of personal phone lists, electronic contact databases, etc., which have been compiled. Directorates will have established procedures for keeping these lists up-to-date and storing them securely offsite, readily accessible when required. The Intranet and Internet sites are available as potential document storage areas. Directorate Key Contact Lists will contain the personal data of those staff who are members of the CG and Contingency Team only. Other members of staff will receive information updates via www.hscbusiness.hscni.net.
2.2 Coordinating Group Leader
The CG Leader (Chief Executive or delegate) will review the nature and extent of the situation, confirm the chain of command, ensure other members of the Coordinating Group are aware of their immediate objectives, review progress and ensure the CG is resourced to carry out its tasks. He/she will channel corporate communications via the Website and take responsibility for the Key Contact List, i.e. those stakeholders relevant to all services. The CG Leader will be the primary communication link with the incident Site Officer and CG.
2.3 Directorate/Location Contingency Teams
Each Directorate/Location will establish a Contingency Team for directorate specific situations, which will be made up of at least one nominated member of staff and deputy. Where there are multiple members, a Team Leader will be nominated whose responsibility will be to:
Responsibilities | Reference
Implement the Directorate/Location Response Plan, ensuring the resources identified are secured | Section 5.2
Ensure CG is kept up-to-date regarding progress for communication to Key Contacts | Section 4.0
Each Directorate/Location will formally identify Contingency Team members and acquaint them fully with Response Plans.
2.4 Directors
Each Director is responsible for choosing continuity solutions specific to their operations and has responsibility for the Plan as it relates to his/her line of business.
In advance of a disaster situation, this responsibility involves:
Being aware of the risks that might have an impact on the operations for which they are responsible; risks must be identified both as regards the likelihood of occurrence and the ensuing impacts. Risk identification shall be repeated and updated at regular intervals
Modifying the Plan as necessary, with reviews at regular intervals
Qualifying the level of criticality of the operations for which he/she is responsible and defining whether they require emergency assistance and determining time limits
Envisaging measures making it possible to reduce, or even eliminate such risks
Defining continuity solutions, more particularly by specifying the human, computing and material resources necessary for the implementation of these solutions.
Making sure that Response Plans are appropriate to the measures taken as part of the BCP process
Complying with organisation-wide BCP tests as arranged
Identifying the persons needed to implement continuity solutions
Seeing that those persons are trained in continuity solutions
Seeing that the details of those persons are listed and kept up to date.
In the case of a disaster, the Director or their designate will immediately contact the Chief Executive and the Director of Human Resources and Corporate Services, making them aware of the disaster in question and ensuring that the appropriate staff are present at the Contingency site. He/she will ensure that a communication has been made with all staff in the department, whether this is of immediate concern or at a later stage, in order to ensure staff are fully aware of their responsibilities throughout the ensuing disaster. The Director will ensure that continuity procedures are enacted in line with the BCP written for their department.
2.5 Other Key Roles
Administration Services Manager
The Administration Services Manager will prepare the Control Centre for use by the CG, liaising with the CG Leader as required.
Incident Site Officers
The Incident Site Officer for each site will remain at or near the incident site under the direction of the CG Leader to advise staff, visitors, contractors etc., who may conclude that the [missing cross-reference] of the Business Continuity Plan is/was necessary.
Corporate Services Contingency Team Leader
The Administration Services Manager will have responsibility for implementing the HRCS Department’s Response Plan and for carrying out tasks outlined in Section 5.2 below.
3.0 Notification, Invocation and Escalation Policy
3.1 Invoke Emergency Response/Business Continuity Plan
Coordinating Group members will declare a standby response to an incident, or in the event that it affects all services simultaneously, the Chief Executive or delegate will confirm the Business Continuity situation. This can only happen once the seriousness of the situation has been assessed. CG members will then consult their Key Contact Lists (See Appendix 2) to declare the standby response to key strategic people and partners.
The most likely incidents to affect the Organisation are laid out below.
3.2 Incident Discovery
The person that discovers the incident, if after working hours, should make their best attempt at assessing the extent of the damage to the operational facility and hence the potential disruption in operations. This information should be communicated to the Security Company, G4S, who will then notify the Facilities Management Manager and the Administration Services Manager. Information will be passed along to the Chief Executive. The Chief Executive as CG leader will in turn contact the other members of the CG to make an informed decision as to whether the BCP should be activated. On a normal working day, members of the CG may be present and accessible. If a disaster occurs after regular hours and staff and management are in the building, someone present with appropriate seniority to assess the situation should contact the Security Company who will in turn contact the Administration Services Manager/CG Leader. If a crisis incident should occur during working hours, the initial concern will be for the safety of all staff and management. The Corporate Services Manager/Nominated Officer (Fire) is responsible for the training of all staff and management in evacuation procedures and these should be followed to ensure that everyone reaches safety in a timely fashion.
3.3 Unavailability of Premises
Possible causes of the premises being unavailable include fire, explosion, power failure or civil disturbance. Should these occur at times when the building is unoccupied, the alert will be triggered either by Fire Security or Group 4. The first point of contact will be the designated key-holder. He/she will trigger the response and initiate the communication procedures.
3.4 Unavailability of Staff
It is probable that there would be some forewarning of this scenario. It is impossible to predict where, and in what numbers, staff would become unavailable. Except in the most extreme circumstances Directorate and Business Unit heads would monitor the situation as it developed. It is their responsibility to communicate to the corporate level when the situation becomes critical.
3.5 Unavailability of Information & Communication Technology (ICT)
This is a contingency that could occur at any time, and might be highly variable in its impact.
3.7 Outbreak of Pandemic
A specific plan has been developed for an outbreak of disease considered by the World Health Organisation to be pandemic.
NOTE: For more information, visit http://www.dhsspsni.gov.uk/pandemiclinks.
3.8 Interruption of Power Supplies
This is the most likely cause for the instigation of the business continuity plan and might be variable in its impact. Impact is dependent on the use of generators and duration of the power outage.
3.9 Adverse weather conditions
Although the unpredictability and effect of weather conditions can generally be difficult to assess, in recent times adverse weather conditions have become an increasing concern, particularly during winter months. Scope for the development of a plan to prioritise services in such conditions is proposed, although overall responsibility for combative action throughout such interruptions will generally lie outside the jurisdiction of this Organisation.
3.10 A combination of the above scenarios
The most likely combination would be the simultaneous unavailability of the building and the ICT facilities residing within it.
4.0 Communication Strategy
The CG will determine a message to be made consistently to all internal and external parties affected by an incident or operational disruption in the Organisation. Communication to various stakeholders will be as follows:
4.1 Corporate Communications
The CG Leader will assume overall responsibility for corporate communications, particularly in respect of the following:
Updating the corporate Website accordingly. The location of the Control Centre will be chosen to allow access to the Internet.
Liaising with the Administration Services Manager to implement arrangements with telecoms provider to have the Organisation’s exchange number re-directed appropriately [ref Corporate Services Key Contact List]
Liaising with Royal Mail and Courier Services to have post re-directed accordingly [ref Corporate Services Key Contact List]
Securing, with the assistance of the Administration Services Manager, common resources including mobile telephony
Obtaining updated situation reports from other CG members concerning Response status progress.
Advising key stakeholders of the impact on services
Making contact with DHSSPS Press Office where appropriate
4.1.1 Coordinating Group Co-ordination
The Chief Executive as CG Leader will monitor, by means of Checklist and Issue Log, activity in the Control Centre to ensure satisfactory progress with Response Plans and to note aspects requiring particular attention or correction. Some or all information will feed into communications with the Department and other key strategic stakeholders.
4.1.2 Contingency Site Arrangements
Corporate Services will be responsible for alerting the Contingency Site [ref Corporate Services Key Contact List] at Centre House and for liaising with the Directorate of Information Systems to ensure the availability of suitable accommodation and its preparedness.
4.1.3 Provision of common resources
Corporate Services will be responsible for procuring materials and goods that are common to Directorate/Location Response Plans, including mobile telephones. This may require a combination of purchase and/or negotiating supply under contract with a preferred Supplier.
4.1.4 Reliance on ICT for provision of services
A Business Impact Analysis has highlighted the Organisation’s dependence on ICT for critical Business processes including communications; the table below illustrates the variety of applications and their respective locations for each Directorate/Location. Internet access and email are common to all and are dependent on a link between the BSO central communications in the Computer Suite, Champion House, and the HPSS gateways managed by BSO ITS.
SUMMARY TABLE OF ICT APPLICATIONS (see footnote 1)
Columns: Directorate/Location | BSO File Server (note 1) | Consolidated Server (note 2) | HSC Data Centre | Third Party Server | Mainframe (note 3)
All BSO
Exchange & Fileshare X X
Family Practitioner Services
FPS Payments X X
Patient Registration X
FPS Information X
Counter Fraud and Probity Services X
Pensions X
Legal Services X
Research & Development X
ORECNI X
Finance X
Human Resources X
Corporate Services X
BSTP X
Table notes:
1 Servers housed in Computer Suite, Champion House
2 HPSS Consolidated Server platform, located at Royal and City Hospitals
3 Mainframe services managed by Fujitsu at Airport Road West, Belfast
Footnote 1: This table lists the critical ICT systems in BSO. A more substantial table of systems will be established and maintained in support of BCM. This will be made available as an annex in the unabridged BCM Manual.
A separate contingency plan has been developed by ICT in respect of the arrangements to be put in place for HSCNI systems (Annex 7 a).
4.1.5 Scenarios
Scenario 1 – Unavailability of Premises
As the core communications to all applications are through the Computer Suite in Champion House, this scenario would result in no Directorate/Location being able to access systems in their normal way.
If the nature of the incident is such that the Computer Suite remains operational, resolution will be by means of decanting a minimum number of staff to the Contingency Site which has communication links to the HPSS Wide Area Network. From there, IT would liaise with BSO ITS to channel datacomms as necessary. Back-end applications would remain unaffected although it would not be possible to retrieve backups from the time of the incident until Return to Normal.
However, if the file servers and datacomms were compromised, contingency activity would be identical to Scenario 3 (below).
Scenario 2 – Unavailability of Staff
This scenario assumes Premises and ICT remain unaffected.
Scenario 3 – Unavailability of ICT
This scenario might come about due to the nature of the same event which renders the Premises unavailable (see above), or an independent computer/communications incident. It is assumed that access to business critical applications via current IT infrastructure is no longer possible.
The impact of this, and the coping strategy, will be varied, as can be seen from the table above:
Those Directorates with applications residing on the Organisation’s own file and data servers will be dependent on the capability of the IT department to replicate the relevant Computer Suite hardware and load the most recent data backups available. The “interim” Suite will require datacomms to connect Directorate clients from Centre House;
For those computer systems running on the Consolidated Server platform or on the Fujitsu Mainframe, the priority will be to re-locate to Centre House. Of critical importance will be the re-configuration of data channels to allow connectivity to the back-end applications, requiring close liaison with BSO ITS.
The corporate activities will be, therefore:
Corporate Services will plan, with the IT department, the potential replication of the Computer Suite with associated connectivity.
Corporate Services will agree a reciprocal Memorandum of Understanding with BSO ITS regarding Contingency accommodation.
4.1.6 Corporate Business Continuity Support Response Plan
Extra-Directorate impact: variable, depending on Scenario, but potentially all Directorates and a number of Small Agencies
The following activities will be the responsibility of the CG Leader and the Corporate Services Contingency Team:
SUMMARY RESPONSE PLAN
SCENARIO RESPONSE RECOVERY
All Scenarios Organise Contingency Site arrangements, if required, as agreed
Arrange for re-direction of all mail to Centre House.
Procure and distribute Contingency materials as appropriate
Arrange for Hotline number with recorded message for enquiries, including those from staff members
Monitor progress with Response Plans and play active role in the absence of key Directorate staff
Process corporate Contact List
Update corporate Website (from alternative site)
Determine and co-ordinate ‘return to normal’ arrangements for building
For details, see Directorate of Human Resources & Corporate Services Response Plan (Section 5.2 below)
4.2 Communication to Staff
Each Director must have a (separate) list of contact details for those staff identified as having a particular role in the Directorate’s Response Plan. A copy of this should be kept off-site should the disaster occur outside of regular hours. Not all staff will be needed immediately. Once contacted by the Directorate’s CG member, staff should make their way to the Contingency Site. Those staff who will be called upon at a later stage (i.e. possibly after-hours) will be responsible for calling in to their Contingency Team leader. If a telephone tree has been set up and maintained for the Directorate, the staff member will be responsible for contacting another member of their team to give the latest update. Otherwise, staff should have received this information from a dedicated telephone contact number or the Organisation’s website.
4.2.1 SMS messaging/conference call system
Scope for the development of an SMS messaging alert system has also been acknowledged. The advantages of such a system to the Organisation in a time of disruption could be ample, allowing for a relatively inexpensive form of communication to a wide array of staff that may be affected by an incident. Additionally, the development of a conference call system has been proposed; this would allow key members of the CG team to communicate with one another when face-to-face communication is impractical or unfeasible during a particular scenario. The development of such systems would generally lie with ITS and it is envisaged that, following consultation with ITS, such systems could be put into place in the very near future.
4.3 Communication to Clients
Directorate CG members will be responsible for communicating the situation to all clients. This will be done to an appropriate level of seniority within the client’s organisation in order that they can communicate to all employees. A consistent message will be devised at CG.
4.4 Communication to Public and Media
The Chief Executive or nominated deputy will have sole responsibility for communications to the media and general public. This should be done in the form of a written statement. Staff should be advised that they are not to talk to the media or discuss the situation with others in the public domain. NOTE: Depending on the severity and nature of the given disaster, the press office of the department may be used by the Chief Executive for communication.
4.5 Communication to Next of Kin
This BCP assumes that there will not be a situation where there is total loss of life as a result of the disaster. However, there may be staff injured or killed as a result of an event. In this case, it will be the responsibility of Human Resources to contact the PSNI and/or next of kin. The Director of Human Resources will compile a list of affected individuals from each department. Each Director, from communication with their staff, should know who has been affected personally.
4.6 Communication to Third Party Service Providers / External Parties
Each Directorate has identified third party service providers or other external parties that they have ongoing contact with and that would need to be aware of a disaster situation/business interruption. Directorates will have made necessary arrangements to ensure the Key Contact List is maintained/updated.
See Annex 4 for an illustration of the Incident Response/Impact Guidelines.
5.0 Incident Administration and Follow up
5.1 Recording and Reporting Incidents
Incident Recording
At all stages of an incident records should be maintained by the CG or Incident Team Leader. This includes:
Decision and Action Logs
Incident Management Checklists
Examples of proforma for these logs are included (see Annex 8)
Incident Report
All incidents are to be reported to Corporate Services using the incident report form or by email. Corporate Services are responsible for RIDDOR reporting as appropriate.
Business recovery incident report
This report must be completed by the CG Leader as soon as possible after the closure of the incident and agreed by the Coordinating Group. Its content will vary, depending on the nature and extent of the incident, but the following should be included if relevant:
Description, date, time and cause of incident
Damage to premises or services
Loss of services
Effect on staff
Quantified effect on operations
Recovery facilities invoked
Logistics involved for staff, documents, equipment, locations etc
Dates, times and durations for key activities in the recovery cycle
Unexpected problems encountered and resolutions
Lessons learned and improvements identified
Improvements identified to BC and recovery plans
Additional costs incurred during the incident.
5.2 Exercising, Maintenance and Review
This Business Continuity Plan (BCP) sets out how the Organisation will respond to
serious threats to the continuity of our services.
It considers the scenarios that may be predicted and seeks to determine
preparatory actions to be taken in advance of potential scenarios, as well as
highlighting the actions to be taken when threats to business continuity arise.
If threats to organisational stability should arise and the Business Continuity Plan is
invoked, it is crucial that the Organisation monitor its success in dealing with the
particular scenario through a predetermined review process. In this regard, the
effectiveness of the BCP can be assessed and amended where necessary (See
Annex 5).
Inevitably, the technical and organisational environments in which these services
are delivered are subject to substantial change and development on an on-going
basis, therefore, this BCP must be treated as a living document which, to be of most
use, will need regular review and updating as appropriate in order to improve the
Organisation’s long term resilience against unanticipated service interruptions.
5.3 Embedding Business Continuity in the Organisation’s Culture
In order to increase awareness of the importance of business continuity to all
employees throughout the Organisation, various training simulations have been
carried out in order to embed the initiative into the Organisation’s culture.
To view a training simulation previously carried out by the Organisation, see
Appendix 6.
6.0 Critical Activities Recovery Plans
6.1 Critical Priorities
The Business Services Organisation has decided that its priorities in maintaining service
shall be as follows:
6.1.1 Priority One Services (Cannot be deferred or delegated)
a) Maintenance of ICT infrastructure within the HSCNI by BSO Technology Services;
b) Delivery of stock products to HSCNI by BSO Procurement and Logistics Service;
c) Operational procurement of critical medical and surgical products by BSO Procurement and Logistics Service;
d) Attendance of BSO Legal Services staff at essential court and tribunal proceedings;
e) Family and Childcare legal support;
f) Mental Health Tribunal case support;
g) Legal Out Of Hours support;
h) Telephony Services;
i) Support for the EOC within the Public Health Agency;
j) Maintaining as consistent a supply of staff for these departments as possible.
6.1.2 Priority Two Services (Do not defer if possible)
a) Maintenance of payroll (it should be noted that payment will be made even if it is based on the previous month's);
b) Payment of independent contractors and suppliers (may be on the basis of payments in previous months);
c) Payment to practitioners (may be on the basis of payments in previous months);
d) Legal advice of a non-critical nature;
e) Recruitment of additional and replacement staff.
6.1.3 Priority Three Services (To be reinstated within a few weeks if disrupted)
a) Recruitment to permanent posts;
b) Non-estimated payments to practitioners;
c) ORECNI;
d) Sourcing services (i.e. tendering and quotation activity);
e) General pricing enquiries from Trusts;
f) Capital projects and equipping;
g) FOI and complaints procedures;
h) ICT project work;
i) Provision of routine management information reports;
j) Processing of grievances, HR investigations and disciplinary action;
k) Training.
6.1.4 Priority Four Services (These services will be stood down if disrupted or if staff are required to work elsewhere, but will be reinstated as soon as possible)
a) Counter fraud and probity services;
b) Supply of product non-acute, non-pandemic centres and non-residential health and social care facilities;
c) Issue of medical cards;
d) Medical Negligence, Litigation, Conveyancing and Debt Recovery services subject to the agreement of the Court Services and Tribunal systems.
6.2 Critical Activities Recovery Plans - have been removed and added to a
supplementary document which will be included in the BCM Folder.
Appendices Page 95 of unabridged BCM Manual
The appendices 1 – 7 are available as a supporting document, with the exception of the
Quick Guides, policy and strategy.
Annex 9 - Quick Guides (page 375 of unabridged BCM Manual)
Potential Business Continuity Incident
Senior Manager on Call notified of a potential Business Continuity Incident
Senior Manager on Call assumes the role of BC Incident Manager
BC Incident Manager confirms initial severity of Incident – decides course of next actions
Confirm Incident Severity Status
GREEN
Potential Incident Awareness
AMBER
Communicate Standby to the Incident Response Team
Trigger Local BCP and Monitor the Situation
Contact Director and DHRCS
RED Contact DHRCS or Head of Admin
Trigger BSO BCP
BSO Site Incident
3rd party Supplier/Provider/Customer
See BCP Guide 3
BCP Guide 1
See BCP Guide 4
Status Description
RED A serious issue affecting the operations of either a site or service requiring immediate invocation of the Business Continuity Plan and notification of members of the SMT/Contingency Team.
AMBER An issue showing the potential to affect the business operations of either site or service that might escalate and require full invocation of the BCP. “Standby” notification issued to members of the BC Incident response team required. Notification of and consultation with the DHRCS or Head of Administration required.
GREEN Not deemed to be of a serious enough nature to alert the Business Continuity incident team, but provide a watch and wait for further instructions.
Major Incident? Yes
Major Incident? No
BCP Guide 3
Site Incident
Assemble Incident Response Team & documentation as required
Business Continuity Incident Manager invokes site/team Action Plan and manages execution
Check plans invoked, monitor teams BC Plans and support required – ensure actions and plans are logged
Communications cascade and plan
If required establish Hotline Communications Helpdesk
Arrange schedule of Business Continuity Team Meetings
Monitor progress until recovered. Update the operational log
Incident over?
• Stand down Incident Team
• Prepare Debrief
• Report Incident to Centre
• Initiate Root Cause Analysis
• Final Report to DHRCS
Annex 10 - Policy on Business Continuity Management
Page 379 of the Unabridged BCM Manual
POLICY ON BUSINESS CONTINUITY MANAGEMENT (as approved by BSO Board: February 2012)
1 Role of the Business Services Organisation
The Business Services Organisation has been established to provide a broad range of regional business support functions and specialist professional services to the health and social care sector in Northern Ireland. These include:
Procurement and Logistics Service
Information Technology Services
Pensions Service
Legal Services
Family Practitioner Payments and Administration
Internal Audit
Office of Research Ethics (NI)
Counter Fraud and Probity
Finance
Human Resources Services
Leadership Centre
Clinical Education Centre
Equality and Human Rights
Customer Care and Performance Management
2 Purpose
2.1 The aim of this policy is to detail a comprehensive framework for Business Continuity Management so that the Business Services Organisation (BSO) can continue to function through an unplanned operational interruption. Such interruptions could be caused by:
Loss of utilities
Loss of premises
Loss or shortage of staff
Civil contingencies
Public Health Incidents
Loss of services
2.2 This document sets out the general principles and processes for the development, maintenance and review of business continuity plans for the BSO.
2.3 This policy is separate from but complements the BSO Risk Management Policy. It is based on the requirements of BS25999-1, Business Continuity Management – Code of Practice.
2.4 This policy should be read with due reference to the BSO Risk Management Strategy and Policies and action plans; Business Continuity Plans and the PHA/HSCB/BSO Joint Response Plan.
3 Scope – What is Business Continuity Management?
3.1 Business Continuity Management is a business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework that:
Proactively improves an organisation’s resilience against the disruption of its ability to achieve its key objectives;
Provides a rehearsed method of restoring an organisation’s ability to supply its key products and services to an agreed level within an agreed time after a disruption; and
Delivers a proven capability to manage a business disruption and protect the organisation’s reputation and brand.
3.2 Business Continuity Management involves managing the continuation or recovery of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure that business continuity plans stay current and up-to-date.
4 Relationship with Business Planning and Risk Management
4.1 Business Continuity Management shall be part of the planning cycle undertaken within the BSO Organisation. The cycle applies to all levels of planning in the Organisation. All levels shall have business plans, risk registers, business continuity plans and processes for the maintenance and review of plans. Business Unit level Business Continuity Plans are mandatory. An outline of the planning cycle is set out below.
[Figure: planning cycle. Business Plan: establish objectives. Risk Register: identify risks that may cause interruption to business or prevent the achievement of objectives. Business Continuity Plan: document procedures and information in readiness for use in an incident to enable the Directorate to continue to deliver its critical activities at an acceptable pre-defined level. Maintain & Review: process for the on-going maintenance and review of the business plan, risk register and business continuity plans.]
4 Civil Contingencies and Business Continuity Management
4.1 Civil contingencies activities are those undertaken by individuals and organisations to prevent emergencies and critical business interruptions, to mitigate and control their effects and to prepare to respond. These activities include risk assessment, Business Continuity Management, Integrated Emergency Management, preparedness, validation, response and promotion of recovery and restoration.
4.2 Business Continuity Management provides an organisation with the resilience to continue to function during an emergency and to return to full functionality effectively and efficiently once the crisis has passed.
5 Policy Statement
5.1 BSO is committed to ensuring the delivery of services on a continuous basis and where possible to restore business within 4 days of any interruption. It is essential that, irrespective of demands and circumstances, the BSO is able to deliver its critical functions and services as set out in the Business Continuity Plan.
5.2 BSO shall develop, exercise, maintain and review the Business Continuity Plan for its critical functions and services in the event of a service disruption or disaster. The Business Continuity Plan will detail the priorities and processes for the management of particular circumstances covered by the Business Continuity Plan with a view to ensuring the rapid, efficient and cost effective continuity of the Organisation’s functions and services.
6. Roles and Responsibilities
6.1 Board
The Board has overall responsibility to ensure that the organisation has a robust approach to the management of risks to business continuity and how critical events are managed.
6.2 Chief Executive
Whilst holding overall accountability the Chief Executive will delegate the operational requirements to each individual director for their own business units who will have the responsibility to ensure each business unit has a business continuity plan which will include a business impact analysis.
6.3 The Director of Human Resources and Corporate Services (DHRCS)
The DHRCS will be responsible through the Administrative Services Manager for the coordination of Business Continuity Plan and activities for the organisation.
6.4 The Senior Management Team (SMT)
The SMT will agree the overall strategy for Business Continuity Management by:
Defining the objectives of the strategy
Developing the risk assessment process which will identify critical activities and critical dependencies, which need to be addressed to ensure continuation of a pre-determined level of clinical service.
Implementing a training programme in Business Continuity Management for appropriate staff.
Ensuring that the Directorates undertake their risk assessments and produce Business Continuity plans to overcome the critical risks identified in the shortest possible time where appropriate.
Ensuring that the Directorates have considered the cost benefits between reducing the risk and the benefit achieved.
At least annually reviewing the Business Continuity Plans.
Conducting exercise events to at least annually test the effectiveness of the Business Continuity Plan and ensure any action points arising from such tests are implemented.
Whilst retaining overall responsibility and accountability for these tasks, SMT will establish a sub-group of Assistant Directors/Senior Managers to take these matters forward on a quarterly basis.
7 Framework and Approach
7.1 The BSO shall establish a framework of plans which shall be underpinned by a corporate Business Continuity Plan. The corporate Business Continuity Plan shall take account of the key functions and services in the organisation and plan for their on-going delivery in the event of an interruption to normal business. Further plans shall be developed at Business Unit level to support the corporate plan and ensure resilience of key products and services. Directorate level Business Continuity Plans are not required but may be developed if required.
7.2 The BSO shall adopt the code of practice as set out in BS25999-1 and establish a Business Continuity Management Programme against the standard.
7.3 BSO will strive to conform to BS25999-1.
8.0 Communications and Training
8.1 Relevant staff will be trained in the application of the management arrangements surrounding business continuity and all staff will be advised of the existence of the policy.
8.2 When Business Continuity plans are operational, special emphasis will be placed on the need to communicate and effectively update all staff during an emergency.
9.0 Monitoring
9.1 Review of all Directorate Business Continuity Plans and the overarching Corporate Business Continuity Plan will be undertaken at least annually. The testing of the plans will be undertaken regularly in accordance with relevant controls assurance standards.
10.0 Evidence Base/References
10.1 This policy has been developed in accordance with the following list of legislation, guidance and standards:
NI Civil Contingencies Framework 2004
British Standard for Business Continuity BS25999
Controls Assurance Standards
Joint Emergency Response Plan
Equality Considerations
In developing and implementing business continuity plans the BSO will be particularly alert to the needs of the following Section 75 categories, particularly when a change in location is required:
Those with a disability
Those with caring responsibilities
Equality Statement
This policy has been drawn up and reviewed in the light of Section 75 of the Northern Ireland Act (1998) which requires the BSO to have due regard to the need to promote Equality of Opportunity. In line with the duty of equality this policy has been screened against particular criteria and as a result no major issues requiring further impact assessment have been identified.
This policy has also been considered and prepared with regard to the Board’s obligation under the Human Rights Act 1998. The Board is satisfied that the policy complies with its obligations under the Act. If at any stage of the life of the policy there are any issues within the policy which are perceived by any party as conflicting with his/her rights, that party should bring these to the attention of the Head of Corporate Services.
Glossary of Terms
Business Continuity Management (BCM)
Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.
Business Continuity Management Programme
On-going management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review.
Business Continuity Plan (BCP)
Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable pre-defined level.
Civil Contingencies
Civil contingencies are the events and situations impacting on the community which may or may not occur, but would lead to an emergency if they did. Civil contingencies cover all the hazards and threats which could impact upon human welfare, the environment, national security or the continuity of essentials of life services.
Disruption
Event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organisation’s objectives.
Emergency
An event or situation that threatens serious damage to human welfare, the environment or the security of the UK.
Emergency planning
Development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.
Incident
Situation that might be, or could lead to, a business disruption, loss, emergency or crisis.
Risk
Something that might happen and its effect(s) on the achievement of objectives.
Risk management
Structured development and application of management culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating, and controlling and responding to risk.
This policy was approved by BSO Board on 28 February 2012
Annex 11 – BCM Strategy
Business Continuity Management Strategy
1 Introduction
This strategy sets out the approach to be taken within the BSO to provide a robust Business Continuity Management (BCM) framework that establishes a fit-for-purpose strategic and operational framework that:
proactively improves the Business Services Organisation (BSO)'s resilience against the disruption of its ability to achieve its key objectives;
provides a rehearsed method of restoring the BSO's ability to supply its key products and services to an agreed level within an agreed time after a disruption; and
delivers a proven capability to manage a business disruption and protect the BSO's reputation.
2 Strategy
2.1 There are two key components underpinning this strategy which are:-
The BSO BCM Policy, which outlines the objectives for BCM; and
An annual BCM improvement plan arising from a baseline assessment against the Controls Assurance Standard (& British Standard) for Emergency Planning.
2.2 The Senior Management Team has overall responsibility for overseeing the implementation of this strategy, the BCM policy and the BCM improvement plan. All will be subject to periodic review and progress reported to the BSO Board. The SMT will ensure that BCM is embedded within the organisational structure of Directorates and business units/services.
2.3 The Director of Human Resources and Corporate Services (DHRCS) is the named person on the SMT with responsibility for BCM.
2.4 This strategy cannot be seen in isolation as continuity of business processes plays a key part in Governance, Strategic Risk, Service Planning and Performance Management. The strategy therefore links into all of these aspects of the organization. The implementation of this strategy will reduce the level of current risk.
2.5 Fundamental to the success of delivering the BCM strategy is developing a BCM culture within the BSO. Awareness and training needs to be provided to all BSO staff who utilize information in their day to day work to promote this culture. In order to achieve this, a training plan will be identified by the DHRCS.
2.6 Any associated resource implications incurred by the implementation of the BCM policy and action plan will be identified by the DHRCS. Business cases will be then developed and submitted to SMT for approval.
2.7 Performance will be monitored by the DHRCS and submitted to SMT on an annual basis.
3 Conclusion
3.1 The implementation of the BCM strategy, policy and action plan will ensure that BCM is more effectively managed at the BSO. Each year the policy will be reviewed and an action plan developed against controls assurance standard (& British standard) to identify key areas for continuing improvement.