
Jun 06, 2020
Page 1: Business Continuity Management Policy Docum… · practices with ISO 22301 Societal Security – Business Continuity Management Systems – Requirements, which specifies the requirements

Business Continuity Management Policy

Approved By: Policy and Guideline Committee Date of Original Approval:

18 January 2013

Trust Reference: B1/2013 Version: V4 Supersedes: V3 – January 2019 Trust Lead: Ben Collins, Emergency Planning Officer Board Director Lead: Rebecca Brown, Chief Operating Officer

Date of Latest Approval

19 July 2019 – Policy and Guideline Committee

Next Review Date: October 2022


CONTENTS

Section / Page
1 Introduction and Overview 3
2 Policy Scope 3
3 Definitions and Abbreviations 5
4 Roles 5
5 Policy Implementation and Associated Documents 8
6 Education and Training 16
7 Process for Monitoring Compliance 17
8 Equality Impact Assessment 17
9 Supporting References, Evidence Base and Related Policies 17
10 Process for Version Control, Document Archiving and Review 18

Appendices / Page
A Definitions and Abbreviations 20
B List of Business Disruption Risks for Consideration by Services and Departments 25
C BCMS Documentation 26

Table of Amendments

Version / Date / Amendment Details
3.0 Apr 2019 Full policy rewrite
2.0 Jan 2013 New policy
1.0 Dec 2012 New policy (Draft)

KEY WORDS

Business Continuity, Business Impact Analysis, Risk, Risk Assessment, Disaster Recovery

Business Continuity Management Policy Page 2 of 26 V4 Approved by Policy and Guideline Committee on 19 July 2019 Trust Ref: B1/2013 Next Review: Oct 2022

NB: Paper copies of this document may not be most recent version. The definitive version is held on INsite Documents


1. INTRODUCTION AND OVERVIEW

1.1.1 For the NHS, business continuity management can be understood as the management process that enables an NHS organisation to:

• Identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation;
• Identify and reduce the risks and threats to the continuation of these key services; and
• Develop plans which enable the organisation to recover and/or maintain critical and essential functions in the shortest possible time.

1.1.2 NHS organisations are required to align their business continuity management practices with ISO 22301 Societal Security – Business Continuity Management Systems – Requirements, which specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). As described in ISO 22301, a BCMS emphasises the importance of:

• Understanding an organisation’s needs and the necessity for establishing business continuity management policy and objectives;
• Implementing and operating controls and measures for managing an organisation’s overall capability to manage disruptive incidents;
• Monitoring and reviewing the performance and effectiveness of the BCMS; and
• Continual improvement based on objective measurement.

1.1.3 This document sets out the University Hospitals of Leicester (UHL) NHS Trust’s (hereafter referred to as ‘the Trust’) policy for business continuity management and specifically how it will establish, implement, operate, monitor, review, maintain and improve its BCMS.

2. POLICY SCOPE

2.1.1 ISO 22301 states that a BCMS has five key components:

• A policy;
• People with defined responsibilities;
• Management processes relating to:
  o policy,
  o planning,
  o implementation and operation,
  o performance assessment,
  o management review, and
  o improvement;
• Documentation providing auditable evidence; and
• Any business continuity management processes relevant to the Trust.

2.1.2 This policy describes each of the above five key components in the context of the “Plan-Do-Check-Act” model which ISO 22301 applies to establishing, implementing, operating, monitoring, reviewing, maintaining and improving the effectiveness of an organisation’s BCMS:

UHL Business Continuity Management System (BCMS)

Establish (Plan):
• Context for the BCMS
• Scope of the BCMS
• BCMS Leadership
• BCMS Roles and Responsibilities
• BCMS Resources
• Business Continuity Policy Statement
• Business Continuity Objectives
• Risk Assessment
• Business Impact Analysis
• Business Continuity Plans
• BCMS Documented Information

Implement and Operate (Do):
• Training
• Workshops
• Business Continuity Toolkit

Monitor and Review (Check):
• Exercising
• Internal Audit

Maintain and Improve (Act):
• Learning from Incidents
• Review

2.1.3 The “Plan-Do-Check-Act” model is illustrated in Figure 1 below:

Figure 1: Plan-Do-Check-Act Model [SOURCE: ISO 22301]


2.1.4 The aim of this policy is to ensure the Trust has in place a robust business continuity management system (BCMS), so as to ensure that any disruption to the Trust’s activities is kept within predefined tolerable levels.

2.1.5 The objectives of this policy are to:

• Establish the key terms and definitions relating to business continuity management;

• Identify the key roles and responsibilities that will support the Trust in establishing, implementing and operating, monitoring, reviewing, and maintaining and improving its business continuity management system;

• Set out how the Trust will establish, implement and operate, monitor, review and maintain and improve its business continuity management system;

• Align the Trust’s business continuity management system with:
  o ISO 22301 Societal Security – Business Continuity Management Systems – Requirements;
  o ISO 22313 Societal Security – Business Continuity Management Systems – Guidance;
  o NHS England Business Continuity Framework (2013); and
  o NHS England Business Continuity Management Toolkit (2016).

2.1.6 This policy should be read in close conjunction with the Trust’s Emergency Preparedness, Resilience and Response (EPRR) Policy.

2.1.7 While this policy references disaster recovery planning, disaster recovery is not included within the scope of this policy. Detail of how the Trust manages disaster recovery can be found in the IM&T Business Continuity and Disaster Recovery Plan.

2.1.8 This policy applies to all UHL staff, including temporary and agency staff, those with honorary contracts and students. It also applies to staff of contractors or other service providers who are contracted to work by UHL.

3. DEFINITIONS AND ABBREVIATIONS

3.1.1 All definitions and abbreviations used in this policy, and all EPRR documentation, are based on the Lexicon of UK Civil Protection Terminology which can be accessed online at https://www.gov.uk/government/publications/emergency-responder-interoperability-lexicon.

3.1.2 A copy of relevant definitions and abbreviations specific to this policy can be found listed under Appendix A.

4. ROLES AND RESPONSIBILITIES

4.1 Chief Executive

4.1.1 The Chief Executive is responsible for ensuring the Trust is meeting its legal and statutory obligations to have in place business continuity plans.


4.1.2 The Chief Executive will appoint an Executive Board Director as the Accountable Emergency Officer who will be assigned the responsibilities set out in section 4.2.

4.2 Accountable Emergency Officer (AEO)

4.2.1 The AEO role is assigned to the Chief Operating Officer (COO), who is a member of the Trust’s Executive Board of Directors and is responsible for:

a) Ensuring that the Trust, and any sub-contractors, are compliant with the EPRR requirements as set out in the Civil Contingencies Act (2004), the NHS Act (2006) (as amended) and the NHS Standard Contract, including the NHS England EPRR Framework and the NHS England Core Standards for EPRR;

b) Ensuring that the Trust is properly prepared and resourced for dealing with an incident;

c) Ensuring that the Trust, any of its commissioned providers and any subcontractors all have robust business continuity planning arrangements in place which are aligned to ISO 22301 or subsequent guidance which may supersede this;

d) Ensuring that the Trust has a robust surge capacity plan that provides an integrated organisational response and that it has been tested with other providers and partner organisations in the local area served;

e) Ensuring that the organisation complies with any requirements of NHS England, or agents of NHS England, in respect of monitoring compliance;

f) Providing NHS England with such information as it may require for the purpose of discharging its functions; and

g) Ensuring that the Trust is appropriately represented by director level engagement with, and effectively contributes to any governance meetings, subgroups or working groups of the Local Health Resilience Partnership (LHRP) and/or Local Resilience Forum (LRF), as appropriate.

4.3 Executive Directors

4.3.1 All Executive Directors will demonstrate clear leadership with respect to establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Trust’s business continuity management system. In accordance with ISO 22301, strong leadership with respect to the Trust’s BCMS can be provided by:

• Ensuring that policies and objectives are established for the BCMS and are compatible with the Trust’s strategic direction;
• Ensuring BCMS requirements are integrated into the Trust’s business processes;
• Ensuring resources needed for the BCMS are made available;
• Communicating to staff the importance of effective business continuity management and conforming to the BCMS requirements;
• Ensuring that the BCMS achieves its intended outcome(s);
• Directing and supporting staff to contribute to the effectiveness of the BCMS;
• Promoting continual improvement; and
• Supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.


4.4 Emergency Preparedness, Resilience and Response (EPRR) Board

4.4.1 The EPRR Board will receive compliance reports against the Trust’s BCMS at each meeting. Where non-conformities are identified, the Chair of the EPRR Board will task its relevant members to ensure a plan is in place to achieve compliance within an agreed timeframe.

4.5 Emergency Planning Office (Emergency Planning Officer and Emergency Planning Assistant)

4.5.1 The Emergency Planning Office will write and update this policy no less frequently than every three years to ensure it remains fit for purpose.

4.5.2 The Emergency Planning Office will develop a business continuity toolkit which can be used by each of the Trust’s services and departments to achieve compliance with the Trust’s BCMS.

4.5.3 The Emergency Planning Office will support Business Continuity Leads to establish, implement, operate, review, maintain and improve their business continuity toolkit(s) by:

• Holding face-to-face interviews to assist in the first-time completion of the business impact analysis and risk assessment;

• Providing examples of good practice;

• Providing ad hoc support.

4.5.4 The Emergency Planning Office will collate the information captured in each service’s/department’s business impact analysis to:

• Create a single business impact analysis for each CMG to support CMGs responding to a business continuity, critical or major incident;
• Create a single business impact analysis for the Trust to support the UHL Tactical Incident Coordination Team responding to a business continuity, critical or major incident.

4.5.5 The Emergency Planning Office will develop and maintain the Trust-wide business continuity plan for the Trust.

4.5.6 The Emergency Planning Office will support services and departments to test and exercise their local-level business continuity plans by providing at least one exercise scenario per year.

4.5.7 The Emergency Planning Office will monitor the compliance against this policy and the BCMS and report on this regularly to the EPRR Board.

4.6 CMG Heads of Operations and Corporate Directors

4.6.1 CMG Heads of Operations and Corporate Directors will define each of the services and departments within their portfolio and nominate for each a Business Continuity Lead who will be tasked with the duties listed in Section 4.7 below.

4.7 Business Continuity Leads

4.7.1 Business Continuity Leads will establish, implement, operate, monitor, review, maintain and improve a business continuity toolkit for each service/department that they are the assigned Lead for.

4.7.2 Business Continuity Leads will ensure their business continuity toolkit is saved on SharePoint and that printed copies are available within the service/department.

4.7.3 Business Continuity Leads will use the outcomes of their business impact analysis to contribute to the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” with details of realistic Recovery Time Objectives and Recovery Point Objectives for their area of responsibility.

4.7.4 Business Continuity Leads will ensure all staff in their service/department are made aware of their local-level business continuity plans.

4.7.5 Business Continuity Leads will coordinate and deliver tests and exercises of their local-level business continuity plans, no less frequently than bi-annually.

4.8 IT System Application Owners

4.8.1 IT System Application Owners will coordinate the development of their respective IT system applications’ business continuity plans in line with Sections 5.10.7 – 5.10.12 of this policy.

4.9 IM&T

4.9.1 IM&T will populate and keep up to date the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” saved on SharePoint with the most up-to-date list of the Trust’s IT System Applications and their System Owners.

4.9.2 IM&T will have in place disaster recovery plans to ensure any disruption is kept to within pre-defined tolerable limits. IM&T will update its disaster recovery plan no less frequently than annually and ensure all agreed Recovery Time Objectives and Recovery Point Objectives are clearly stated on the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet.”

4.9.3 IM&T will use the information submitted by Business Continuity Leads on the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” to inform their disaster recovery planning objectives.

4.10 All Staff

4.10.1 All staff should make sure they are aware of what is expected of them in a business continuity, critical or major incident. For those staff who may be assigned a role-specific action card in a business continuity, critical or major incident, this should include reading the Trust’s Incident Response Plan and any relevant supporting annexes, including the Trust-wide business continuity plan.

5. POLICY IMPLEMENTATION AND ASSOCIATED DOCUMENTS

5.1 Context for the BCMS

5.1.1 University Hospitals of Leicester (UHL) is one of the biggest and busiest NHS Trusts in the country, serving the one million residents of Leicester, Leicestershire and Rutland (LLR) and increasingly providing specialist services over a much wider area.

5.1.2 Patients (and their friends, family, neighbours and colleagues) rely on UHL to provide them care and treatment when they need it on a range of different clinical pathways ranging from non-clinically urgent outpatient appointments to immediate lifesaving interventions. For everybody it is here to serve, UHL must be available to deliver its strategic objective “caring at its best to every patient every time,” irrespective of any disruptive challenges we may come to face. Consequently, the Trust has a moral duty to have plans in place to ensure it can continue to deliver all of its critical and essential functions during any potential disruptive incident.


5.1.3 In addition to a moral obligation, the Trust is required to have in place robust business continuity management plans as set out in:

• NHS Standard Contract;
• Civil Contingencies Act (2004); and
• NHS England Core Standards for Emergency Preparedness, Resilience and Response (EPRR).

5.1.4 Alongside the Trust’s strategic objective to provide “caring at its best for every patient every time,” the Trust has a series of annual priorities and core values which have been accounted for when developing the Trust’s BCMS. The Trust’s annual priorities can be found on INsite and its core values are described below:

• We treat people how we would like to be treated;

• We do what we say we are going to do;

• We focus on what matters most;

• We are one team and we are best when we work together;

• We are passionate and creative in our work.

5.2 Scope of the BCMS

5.2.1 The scope of the Trust’s BCMS applies to the entirety of the Trust, including all services, departments and functional areas in each of the Trust’s CMGs as well as within each of the Trust’s supporting corporate services. The scope of the Trust’s BCMS also includes all activities which are contracted out to other providers or contractors.

5.3 BCMS Leadership

5.3.1 Establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Trust’s BCMS will require strong leadership from the Trust Board of Executive and Non-Executive Directors.

5.3.2 Overall leadership for the Trust’s BCMS will be provided by the Trust’s Accountable Emergency Officer (Chief Operating Officer) who holds ultimate accountability for ensuring the Trust is compliant with its duties listed under the Civil Contingencies Act (2004) and NHS England’s Core Standards for EPRR.

5.4 BCMS Roles and Responsibilities

5.4.1 Effective delivery of the Trust’s BCMS will require input from a wide number of staff from across the organisation, and it is important these staff are clear on their roles and responsibilities with respect to achieving the Trust’s business continuity aims and objectives. These roles and responsibilities are set out in section 4.0 of this policy.

5.5 BCMS Resources

5.5.1 Effective delivery of the Trust’s BCMS will require sufficient resources to be allocated and made available if the Trust is to achieve its business continuity aims and objectives:

• Human resources: Time and availability of competently trained staff will need to be made available, particularly in the two-year period 2019 – 2021 during which the Trust’s BCMS will be established and implemented. To ensure staff are competently trained, training and workshops will be provided and are described in sections 5.12 and 5.13 below;


• Finance: Establishing and implementing the Trust’s BCMS may identify risks which threaten the ability of the Trust to meet its business continuity aims and objectives. If this occurs, mitigation options may have a financial need and this will need to be sourced from either pre-existing budgets or capital funding.

5.6 Business Continuity Policy Statement

5.6.1 ISO 22301 makes clear that a “key component of establishing a BCMS will be the creation of a suitable policy statement, indicating the intention and commitment of the organisation in creating, maintaining and improving the business continuity system of the organisation.” The Trust’s business continuity policy statement is:

“University Hospitals of Leicester NHS Trust is fully committed to creating, maintaining and improving a robust business continuity management system, so as to ensure the continuation of its critical and essential functions at all times.”

5.7 Business Continuity Objectives

5.7.1 The Trust’s business continuity objectives are:

• To comply with the Civil Contingencies Act (2004);
• To achieve full compliance against NHS England’s core standards for emergency preparedness, resilience and response (EPRR);
• To identify, assess and manage risks which may lead to a disruption to the Trust’s activities;
• To undertake a Trust-wide business impact analysis and embed a process whereby this can be maintained as part of business-as-usual processes;
• To ensure tried and tested business continuity plans are in place to ensure any disruption is kept to within pre-defined tolerable limits;
• To identify the location of critical data and assets;
• To inform IM&T’s disaster recovery planning.

5.8 Risk Assessment

5.8.1 To enable the Trust to understand the business disruption risks it faces, all services and departments will complete a business disruption risk assessment, which forms part of their business continuity toolkit. This will be completed by the service’s/department’s nominated Business Continuity Lead.

5.8.2 The business continuity toolkit’s business disruption risk assessment will be completed in line with the Trust’s risk management policy.

5.8.3 In assessing risks, Business Continuity Leads should refer to the following sources of information:

• Existing Trust risk registers;

• LLR community risk register;

• Incident history (for the service/department, the CMG, the Trust and the local area).

5.8.4 Based on the outcomes of the business disruption risk assessment, strategies will need to be devised for all risks identified from very high to low scores, based on the following framework:

• Mitigation: identifying strategies, activities, modifications or controls aimed at reducing the risk likelihood and/or consequence;


• Acceptance: ensuring the risk is owned at the appropriate level (normally director level) within the organisation;

• Transferring: changing an activity, ceasing an activity, outsourcing the activity or transferring the risk (if financial, by means of insurance);

• Eliminating: if possible by removing the cause, avoiding the risk or introducing preventative measures;

• Recovery: developing and testing recovery plans to deal with any threats and hazards identified.

5.8.5 As part of the business disruption risk assessment process, all services and departments should give consideration to the risks listed in Appendix B (List of Business Disruption Risks for Consideration by Services and Departments).

5.9 Business Impact Analysis

5.9.1 ISO 22313 defines a business impact analysis as the “process of analysing operational functions and the effect that a disruption might have upon them”. The business impact analysis identifies, quantifies and qualifies the impacts of a loss, interruption or disruption of each process, and so measures the effect of disruption on the organisation. It provides the information that underpins later decisions about business continuity strategies.

5.9.2 All services and departments will complete a business impact analysis for their own activities, which will form part of their business continuity toolkit. This process will be completed by the service’s/department’s nominated Business Continuity Lead and will involve the following:

• Defining each of the activities undertaken within the service/department;

• Determining the impacts of a disruption to each of the identified activities;

• Categorising each activity based on the potential impacts of disruption and the maximum tolerable period of disruption, where:

o A tier 1 activity is categorised as being any activity where the maximum tolerable period of disruption is less than 4 hours;

o A tier 2 activity is categorised as being any activity where the maximum tolerable period of disruption is between 4 – 12 hours;

o A tier 3 activity is categorised as being any activity where the maximum tolerable period of disruption is between 12 – 24 hours;

o A tier 4 activity is categorised as being any activity where the maximum tolerable period of disruption is 24 hours – 72 hours;

o A tier 5 activity is categorised as being any activity where the maximum tolerable period of disruption is 72 hours – 1 week;

o A tier 6 activity is categorised as being any activity where the maximum tolerable period of disruption is greater than 1 week.

• Defining the recovery time objectives (RTO) of each activity;

• Determining the minimum resources needed to meet the identified recovery time objectives;

• Defining the recovery point objectives (RPO) of each activity; and

• Identifying all internal and external dependencies relevant to each activity.

5.9.3 Through the business impact analysis the Trust will:


• Obtain a clear understanding of its activities and processes, their respective priority, as well as the timeframes for resumption following an interruption;

• Quantify the maximum tolerable period of disruption for each process – the timeframe during which a recovery must become effective before an outage compromises the ability of the Trust to achieve its business objectives in light of contractual, regulatory and statutory requirements;

• Obtain the resource information from which an appropriate recovery strategy can be determined and recommended;

• Quantify the resources required over time to maintain key activities at an acceptable level and within the maximum tolerable period of disruption;

• Through the identification of RTOs and RPOs inform IM&T’s disaster recovery plans and backup schedules.
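The tiering of activities by maximum tolerable period of disruption (MTPD) in 5.9.2, and the use of recovery time and recovery point objectives to inform IM&T’s disaster recovery planning in 5.9.3 (and in 4.7.3 and 4.9.3), can be expressed as a small consistency check over the business impact analysis data. The Python below is an added worked example and is not part of the Trust’s policy, toolkit or compliance sheet. It assigns the policy’s six MTPD tiers, flags an activity whose RTO is longer than its own MTPD, flags an IT system application dependency whose committed DR objectives are looser than a dependent activity needs (or which is missing from the compliance sheet altogether), and derives the tightest RTO/RPO each system must meet. The activity and system names, hours and dependencies are constructed sample data, and the handling of an MTPD that falls exactly on a tier boundary is an assumption, since the policy’s bands share their end points.

```python
"""Added example, not part of the UHL policy: tier BIA entries by MTPD,
check recovery objectives for consistency, and derive per-system DR targets.
All names, hours and dependencies below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOURS_PER_WEEK = 168


@dataclass
class Activity:
    name: str
    department: str
    mtpd_hours: float   # maximum tolerable period of disruption
    rto_hours: float    # recovery time objective
    rpo_hours: float    # recovery point objective (tolerable data loss)
    dependencies: List[str] = field(default_factory=list)  # IT applications relied on


@dataclass
class ItSystem:
    name: str
    dr_rto_hours: float  # RTO committed by IM&T on the compliance sheet
    dr_rpo_hours: float  # RPO committed by IM&T (sets the backup interval)


def tier_for_mtpd(mtpd_hours: float) -> int:
    """Map an MTPD to the six tiers of section 5.9.2.

    Boundary convention (an assumption; the policy's bands share end points):
    a value on a boundary falls into the less urgent tier, except that exactly
    one week stays tier 5 because tier 6 is 'greater than 1 week'.
    """
    if mtpd_hours <= 0:
        raise ValueError("MTPD must be a positive number of hours")
    if mtpd_hours < 4:
        return 1
    if mtpd_hours < 12:
        return 2
    if mtpd_hours < 24:
        return 3
    if mtpd_hours < 72:
        return 4
    if mtpd_hours <= HOURS_PER_WEEK:
        return 5
    return 6


def find_gaps(activities: List[Activity], systems: Dict[str, ItSystem]) -> List[str]:
    """Findings where objectives do not line up: an RTO longer than the
    activity's own MTPD, a dependency missing from the compliance sheet, or a
    dependency whose committed DR RTO/RPO is looser than the activity needs."""
    gaps: List[str] = []
    for a in activities:
        if a.rto_hours > a.mtpd_hours:
            gaps.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
        for dep in a.dependencies:
            s = systems.get(dep)
            if s is None:
                gaps.append(f"{a.name}: '{dep}' has no DR entry on the compliance sheet")
                continue
            if s.dr_rto_hours > a.rto_hours:
                gaps.append(f"{a.name}: {dep} DR RTO {s.dr_rto_hours}h > required {a.rto_hours}h")
            if s.dr_rpo_hours > a.rpo_hours:
                gaps.append(f"{a.name}: {dep} DR RPO {s.dr_rpo_hours}h > tolerable {a.rpo_hours}h")
    return gaps


def required_dr_objectives(activities: List[Activity]) -> Dict[str, Tuple[float, float]]:
    """Per IT application, the tightest (RTO, RPO) any dependent activity needs;
    this is the target IM&T's DR plan and backup schedule must meet (4.9.3)."""
    required: Dict[str, Tuple[float, float]] = {}
    for a in activities:
        for dep in a.dependencies:
            rto, rpo = required.get(dep, (float("inf"), float("inf")))
            required[dep] = (min(rto, a.rto_hours), min(rpo, a.rpo_hours))
    return required


# Constructed sample BIA entries (illustrative; not UHL data).
SAMPLE_ACTIVITIES = [
    Activity("Emergency triage", "Emergency Dept", 2, 1, 0.25,
             ["Patient Record System", "Pathology Results"]),
    Activity("Ward medication rounds", "Emergency Dept", 8, 4, 1,
             ["Patient Record System"]),
    Activity("Outpatient booking", "Outpatients", 48, 72, 24,
             ["Appointment Scheduler"]),
]

# Constructed DR commitments as IM&T might record them on the compliance sheet.
SAMPLE_SYSTEMS = {
    "Patient Record System": ItSystem("Patient Record System", 4, 1),
    "Appointment Scheduler": ItSystem("Appointment Scheduler", 24, 24),
}

if __name__ == "__main__":
    for a in SAMPLE_ACTIVITIES:
        print(f"{a.name}: tier {tier_for_mtpd(a.mtpd_hours)}")
    for gap in find_gaps(SAMPLE_ACTIVITIES, SAMPLE_SYSTEMS):
        print("GAP:", gap)
    for name, (rto, rpo) in required_dr_objectives(SAMPLE_ACTIVITIES).items():
        print(f"{name}: IM&T must deliver RTO <= {rto}h, RPO <= {rpo}h")
```

Run against the sample data, the script places the three activities in tiers 1, 2 and 4 and reports four gaps: the triage activity needs its patient record system back within one hour with at most fifteen minutes of data loss but IM&T has committed to four hours and one hour; its pathology dependency has no entry on the compliance sheet at all; and the outpatient booking RTO of 72 hours is longer than its own 48-hour MTPD, so the plan would recover the activity only after the disruption had already stopped being tolerable. The last table is the figure a Business Continuity Lead would submit per system and the bound IM&T’s backup interval must sit inside.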

5.10 Business Continuity Plans

Introduction

5.10.1 Business continuity plans are documented procedures that guide organisations to respond, recover, resume, and restore activities to a pre-defined level of operation following a disruption. To achieve its business continuity objectives, the Trust will embed the following business continuity plans:

• Trust-wide business continuity plan;
• Local-level business continuity plans;
• IT system application business continuity plans;
• IM&T disaster recovery plans; and
• Supplier and contractor business continuity plans.

Trust-wide business continuity plan

5.10.2 A single Trust-wide business continuity plan will describe the generic business continuity response arrangements for key business disruption risks identified as part of the business disruption risk assessment.

5.10.3 The Trust-wide business continuity plan will be written by the Emergency Planning Office, in consultation with key stakeholders.

Local-level business continuity plans

5.10.4 Local-level business continuity plans will describe detailed business continuity response arrangements for key business disruption risks identified as part of local business disruption risk assessments.

5.10.5 Local-level business continuity plans will be specific to each service/department and be completed as part of their business continuity toolkit. This process will be completed by the service’s/department’s nominated Business Continuity Lead.

5.10.6 Local-level business continuity plans may take direction from the Trust-wide business continuity plan to ensure local arrangements are commensurate with the Trust’s wider business continuity plan.

IT system application business continuity plans

5.10.7 As the Trust pursues an increasingly digital way of working, its reliance on digital systems leaves it potentially vulnerable to IT system application downtime or failure. To mitigate this, all IT system applications must have in place business continuity plans to ensure any disruption is kept to within pre-defined tolerable limits.

Business Continuity Management Policy Page 12 of 26 V4 Approved by Policy and Guideline Committee on 19 July 2019 Trust Ref: B1/2013 Next Review: Oct 2022

NB: Paper copies of this document may not be most recent version. The definitive version is held on INsite Documents


5.10.8 IT system application business continuity plans will be coordinated by their respective IT system application owners, who will develop generic paper-based plans which can be used by all services and departments that use the system or application they are responsible for.

5.10.9 The development of IT system application business continuity plans should be undertaken with key stakeholders in mind and a comprehensive consultation process undertaken to ensure they are fit for purpose. To support this, IT system application business continuity plans should have an identified committee, group or Board who are responsible for signing off and approving any final draft or amendment to a plan. It will be for the IT system application owners to select an appropriate committee, group or Board to fulfil this role.

5.10.10 IT system application owners will save their IT system application business continuity plans on SharePoint and ensure these are reviewed at least annually.

5.10.11 All services and departments relying on IT system applications must be familiar with their respective IT system applications’ business continuity plans and have these readily available for use within the service/department. Business Continuity Leads will be able to check for available IT system application business continuity plans by looking on SharePoint. Until plans are developed as part of the implementation of this policy, Business Continuity Leads are responsible for ensuring sufficient arrangements are in place to mitigate any outcomes of system(s) downtime.

5.10.12 An audit trail of the status of all IT system applications’ business continuity plans will be maintained through an “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” which will be saved on SharePoint.

• IM&T will be responsible for populating the sheet with the up-to-date list of all IT System Applications and their respective system owners; and

• IT system application owners will keep the sheet up-to-date at all times on the status of the business continuity plan(s) for which they are responsible.

5.10.13 The Emergency Planning Office will report on the number of IT System Applications with up-to-date and approved business continuity plans to each meeting of the EPRR Board.

5.10.14 The process for implementing the requirements listed here for IT system applications will differ depending on the status of the IT system application:

• For new IT system applications in the future, the requirements listed under section 5.10.7 – 5.10.12 must be undertaken prior to any go-live date as part of IM&T project service acceptance and change control process;

• Any changes or upgrades made to existing IT system applications: The requirements listed under section 5.10.7 – 5.10.12 must be undertaken prior to any go-live date as part of IM&T project service acceptance and change control process;

• For any already existing IT system applications which are not due to be changed or upgraded before 1st April 2021: The requirements listed under section 5.10.7 – 5.10.12 must be complete by 1st April 2021.

IM&T disaster recovery plans

5.10.15 IM&T must have in place disaster recovery plans to ensure any disruption is kept to within pre-defined tolerable limits. IM&T will update its disaster recovery plan no less frequently than annually.


5.10.16 IM&T will use the information submitted by Business Continuity Leads on the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” to inform their disaster recovery planning objectives. IM&T will also keep the “IT System Application Business Continuity & Disaster Recovery Compliance Sheet” up-to-date at all times to provide Business Continuity Leads with reliable planning assumptions on how long it may take to recover each IT System Application following a period of downtime.

Supplier and contractor business continuity plans

5.10.17 Where appropriate, the Trust will review existing contracts, develop service level agreements and/or memoranda of understanding which will help in monitoring the business continuity arrangements of relevant external service providers and/or contractors.

5.11 BCMS Documented Information

5.11.1 The Trust’s BCMS will incorporate the following documented information:

• EPRR Policy;

• Risk Management Policy;

• Business Continuity Management Policy;

• Trust-Wide Business Continuity Plan;

• Business Continuity Toolkit Template;

• Business Continuity Toolkits for each service/department, including a Business Disruption Risk Assessment, Business Impact Analysis and Local-Level Business Continuity Plan;

• Business Continuity Toolkit Compliance Sheet;

• IM&T Disaster Recovery Plan;

• IT System Application Business Continuity Plans;

• IT System Application Business Continuity & Disaster Recovery Compliance Sheet; and

• Estates and Facilities Procedure Sheets.

5.11.2 Full details on the above listed documentation are given under Appendix C.

5.12 Training

5.12.1 The Trust must have competently trained staff if it is to effectively establish, implement, operate, monitor, review, maintain and improve its BCMS. Full details on the education and training requirements of this policy are described in Section 6.0.

5.13 Exercising

5.13.1 The Emergency Planning Office will validate its emergency and business continuity plans through a programme of testing and exercising. At a minimum, this will include:

• 1 communication test every six months;

• 1 tabletop exercise every year;

• 1 live exercise every three years.


5.13.2 An exercise needs analysis must be completed as part of any work to create, review or update any of the Trust’s emergency or business continuity plans and this is the responsibility of the plan owner.

5.13.3 The Emergency Planning Office will create an annual EPRR Testing and Exercising Programme which will be informed by the outcomes of any available exercising needs analyses. The EPRR Testing and Exercising Programme will be overseen by the EPRR Board.

5.13.4 Local emergency and business continuity plans belonging to individual services, departments or CMGs should be tested on a regular basis. At a minimum, this should include one tabletop exercise per year. Local testing and exercising should be undertaken in line with best practice and include a debrief report to capture what took place, the lessons learned and recommendations. All debrief reports should be shared with the Trust’s Emergency Planning Office within 28 calendar days of being signed off by the Exercise Director.

5.14 Internal Audit

5.14.1 The Trust will employ internal auditors to review its BCMS on a regular basis and no less frequently than three-yearly. Outcomes of any audit should be reported to the EPRR Board and the Audit Committee, with any actions being overseen by the EPRR Board and incorporated into the EPRR Work Programme.

5.15 Learning from Incidents

5.15.1 The Trust will seek to learn as much information as possible following either a test, exercise or real-life activation of its emergency or business continuity plans. This information will be used to:

• Identify what happened;

• Identify strengths and weaknesses in the response;

• Identify issues, lessons learned and recommendations;

• Create a debrief report.

5.15.2 To support the Trust in learning from a business, critical or major incident, the Emergency Planning Office will coordinate internal “hot” and “cold” debriefs with staff before writing a debrief report which will be sent to the Trust’s Emergency Preparedness, Resilience and Response (EPRR) Board.

5.15.3 In the event of multi-agency debriefs being held, the Trust should be represented by the Emergency Planning Office and the UHL Tactical and/or Strategic Commander.

5.16 Review

5.16.1 As described in ISO 22301, a BCMS emphasises the importance of continual improvement based on objective measurement. To achieve this, the Trust’s BCMS documentation will be reviewed and updated periodically and in line with the timescales outlined in Appendix C.


6. EDUCATION AND TRAINING REQUIREMENTS

6.1 Introduction

6.1.1 For the Trust to achieve the aim and objectives of this policy, there are a number of staff groups with defined education and training needs which must be met and these are described below in sections 6.2 – 6.6.

6.2 Emergency Planning

6.2.1 Staff working in the Emergency Planning Office must have the relevant knowledge and skills to be able to effectively coordinate the development of the Trust’s BCMS. This need will be met by:

• Including a relevant qualification in business continuity management in the job descriptions of all staff working in the Emergency Planning Office;

• Promoting relevant courses in business continuity management as part of the ongoing personal development of staff working in the Emergency Planning Office.

6.3 IM&T

6.3.1 Staff working in IM&T who are responsible for disaster recovery planning must have the relevant knowledge and skills to be able to effectively coordinate the development and implementation of the Trust’s disaster recovery plans. This need will be met by:

• Including the need for relevant training, experience and/or qualifications in disaster recovery planning within the job descriptions of all staff responsible for disaster recovery planning in IM&T;

• Promoting relevant courses in disaster recovery as part of the ongoing personal development of staff responsible for coordinating disaster recovery planning within IM&T.

6.4 Executive Directors

6.4.1 For the aim and objectives of this policy to be met, senior leadership from Executive Directors will be required. Effective leadership can only be provided if Executive Directors have a good understanding of business continuity management, including the requirements of this policy and the scope of the Trust’s BCMS.

6.4.2 Education and training will be provided to Executive Directors via the “UHL Strategic Incident Coordination Team” training, provided by the Emergency Planning Office on a regular basis, and no less frequently than annually.

6.5 Business Continuity Leads

6.5.1 During the implementation phase of this policy (up to 1st April 2021), Business Continuity Leads will not require any training as they will be closely supported by the Emergency Planning Office to meet the needs of the policy.

6.5.2 From 1st April 2021, Business Continuity Leads will be required to attend bi-annual training workshops to equip them with the knowledge and skills required to be able to meet the needs of this policy, including:

• How to update and maintain their Business Continuity Toolkit;


• How to develop appropriate business continuity plans for their service/department, in line with the Trust-Wide Business Continuity Plan;

• How to deliver local tests and exercises of their local-level business continuity plans.

6.5.3 Business Continuity Workshops will be provided by the Emergency Planning Office. Attendance will be recorded on HELM and monitored by the EPRR Board through the Business Continuity Compliance Sheet.

6.6 All Staff

6.6.1 All staff should be made aware of the following:

• Business continuity plans may be used to inform the response strategy to a disruptive incident or an emergency;

• The Trust has two levels of business continuity plan, including Trust-wide and local-level; and

• Where business continuity plans can be located.

6.6.2 The above training will be provided to all staff via:

• Trust induction, provided by the Emergency Planning Office;

• Email communications from the Emergency Planning Office;

• Tests and exercises of the Trust’s emergency and business continuity plans; and

• Communications from their respective Business Continuity Leads.

7. PROCESS FOR MONITORING COMPLIANCE

7.1 The process for monitoring compliance against this policy is set out in the table on the page below.

8. EQUALITY IMPACT ASSESSMENT

8.1.1 The Trust recognises the diversity of the local community it serves. Our aim therefore is to provide a safe environment free from discrimination and treat all individuals fairly with dignity and appropriately according to their needs.

8.1.2 As part of its development, this policy and its impact on equality have been reviewed and no detriment was identified.

9. SUPPORTING REFERENCES, EVIDENCE BASE AND RELATED POLICIES

9.1.1 This policy was developed in line with the following:

• Civil Contingencies Act (2004);

• Health & Social Care Act (2012);

• NHS Contract;

• ISO 22301 Societal Security – Business Continuity Management Systems – Requirements;


• ISO 22313 Societal Security – Business Continuity Management Systems – Guidance;

• NHS England Business Continuity Framework (2013);

• NHS England Business Continuity Management Toolkit (2016); and

• NHS England’s Core Standards for EPRR.

10. PROCESS FOR VERSION CONTROL, DOCUMENT ARCHIVING AND REVIEW

10.1.1 This policy will be reviewed every 3 years and 3 months, or more frequently if new or revised national guidance is released. Any review should be led by the Trust’s Emergency Planning Office.


| Element to be monitored | Lead | Tool | Frequency | Reporting arrangements |
|---|---|---|---|---|
| Relevant policies | Emergency Planning Office | Is the EPRR Policy, Business Continuity Policy and Risk Management Policy up-to-date? | Annually | To be reported to the EPRR Board, via the EPRR Annual Report to Trust Board |
| Trust-Wide Business Continuity Plan | Emergency Planning Office | Does the Trust have an up-to-date Trust-Wide Business Continuity Plan and is this available to all staff on INsite? | Annually | To be reported to the EPRR Board, via the EPRR Annual Report to Trust Board |
| Services/departments with a completed and up-to-date Business Continuity Toolkit | Business Continuity Leads | Business Continuity Toolkit Compliance Sheet | Quarterly | Compliance status to be reported to the EPRR Board |
| IT System Applications with a completed and up-to-date Business Continuity Plan | IT System Application Owners | IT System Application Business Continuity & Disaster Recovery Compliance Sheet | Quarterly | Compliance status to be reported to the EPRR Board |
| IM&T Disaster Recovery Plan | IM&T | Do IM&T have an up-to-date Disaster Recovery Plan? | Annually | To be reported to the EPRR Board, via the EPRR Annual Report to Trust Board |
| Estates and Facilities Procedure Sheets | Senior Specialist Engineer, Estates & Facilities | Do Estates & Facilities have up-to-date procedural sheets for loss of utilities including power, water, fuel, heating, cooling, gas and medical gases? | Quarterly | To be reported to the EPRR Board |


11. APPENDIX A: DEFINITIONS & ABBREVIATIONS

Primary Term (Acronym): Definition

Accountable Emergency Officer (AEO)

Activity: Process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products and services.

Business Continuity: Capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Incident: A business continuity incident is an event or occurrence that disrupts, or might disrupt, an organisation’s normal service delivery, below acceptable predefined levels, where special arrangements are required to be implemented until services can return to an acceptable level. (This could be a surge in demand requiring resources to be temporarily redeployed.)

Business Continuity Management (BCM): “A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.” (Business Continuity Institute, Good Practice Guidelines, March 2013) For the NHS, business continuity management can more specifically be understood as the management process that enables an NHS organisation:

• To identify those key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation;

• To identify and reduce the risks and threats to the continuation of these key services; and

• To develop plans which enable the organisation to recover and/or maintain critical and essential services in the shortest possible time.

Business Continuity Management System (BCMS): Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

Business Continuity Plan (BCP): Documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.

Business Continuity Programme: Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.


Business Impact Analysis (BIA): The process of analysing functional areas and the effect that a disruption might have upon them.

Civil Contingencies Act (2004) (CCA): Act of 2004 which established a single framework for Civil Protection in the United Kingdom. Part 1 of the Act establishes a clear set of roles and responsibilities for Local Responders; Part 2 of the Act establishes emergency powers.

Community Risk Register (CRR): A register communicating the assessment of risks within a Local Resilience Area which is developed and published as a basis for informing local communities and directing civil protection work streams.

Critical Function: A service or operation the continuity of which a Category 1 responder needs to ensure, in order to meet its business objectives and/or deliver essential services.

Critical Incident: A critical incident is any localised incident where the level of disruption results in the organisation temporarily or permanently losing its ability to deliver critical services, patients may have been harmed or the environment is not safe, requiring special measures and support from other agencies to restore normal operating functions.

Disaster: Emergency (usually but not exclusively of natural causes) causing, or threatening to cause, widespread and serious disruption to community life through death, injury, and/or damage to property and/or the environment.

Emergency: An event or situation which threatens serious damage to human welfare in a place in the UK, the environment of a place in the UK, or the security of the UK or of a place in the UK.

Emergency Plan: A document or collection of documents that sets out the overall framework for the initiation, management, co-ordination and control of personnel and assets to reduce, control or mitigate the effects of an emergency.

Emergency Planning: Aspect of Integrated Emergency Management concerned with developing and maintaining procedures to prevent emergencies and to mitigate the impact when they occur.

Emergency Preparedness: The extent to which emergency planning enables the effective and efficient prevention, reduction, control and mitigation of, and response to, emergencies.

Emergency Preparedness, Resilience and Response (EPRR)

Exercise: A simulation designed to validate organisations’ capability to manage incidents and emergencies. Specifically, exercises will seek to validate training undertaken and the procedures and systems within emergency or business continuity plans.


Exercise Programme: Planned series of exercises developed by an organisation or group of organisations to validate training and plans.

Harm: Nature and extent of physical injury (including loss of life) or psychological or economic damage to an individual, community, or organisation.

Hazard: Accidental or naturally occurring (i.e., non-malicious) event or situation with the potential to cause death or physical or psychological harm, damage or losses to property, and/or disruption to the environment and/or to economic, social and political structures.

Incident: Event or situation that requires a response from the emergency services or other responders.

Incident Coordination Centre: Operations centre from which the management and co-ordination of the response by each emergency service to an emergency are carried out.

Likelihood: Chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, and almost certain), frequencies or mathematical probabilities.

Local Resilience Forum: Process for bringing together all the Category 1 and 2 responders within a police force area for the purpose of facilitating co-operation in fulfilment of their duties under the Civil Contingencies Act.

Major Incident: A major incident is any occurrence that presents a serious threat to the health of the community or causes such numbers or types of casualties as to require special arrangements to be implemented.

Maximum Tolerable Period of Disruption (MTPD): The time it would take for adverse impacts, which might arise as a result of not providing a service or performing an activity, to become unacceptable. The recovery time objective (RTO) has to be less than the maximum tolerable period of disruption.

Mobile Telecommunications Privileged Access Scheme: Scheme that provides call preference for key emergency management organisations if public network access is restricted.

Multi-agency: Involving the participation of several agencies.

Mutual Aid: An agreement between Category 1 and 2 responders and other organisations not covered by the Act, within the same sector or across sectors and across boundaries, to provide assistance with additional resource during an emergency.

National Risk Assessment (NRA): The full and classified assessment of the likelihood and potential impact of a range of different risks that might directly affect the UK.

National Risk Register (NRR): A publicly available statement of the assessment of the likelihood and potential impact of a range of different risks that might directly affect the UK.


Operational: The level (below tactical level) at which the management of ‘hands-on’ work is undertaken at the incident site(s) or associated areas, equating for single agencies to operational level.

Preparedness: Process of preparing to deal with known risks and unforeseen events or situations that have the potential to result in an emergency.

Recovery: The process of rebuilding, restoring and rehabilitating the community following an emergency.

Recovery phase: Phase focussed on recovery, commencing at the earliest opportunity following the onset of an emergency, and running in tandem with the response phase.

Recovery Time Objective (RTO): The period of time following an incident within which an activity must be resumed or resources must be recovered in order to avoid unacceptable consequences. The RTO is expressed in a unit of time and must be less than the identified Maximum Tolerable Period of Disruption.

Recovery Point Objective (RPO): The point to which information used by an activity must be restored to enable the activity to operate on resumption. Can also be referred to as “maximum data loss.” The RPO is expressed in a unit of time. In other words, how much data can be lost and the activity still be able to function upon resumption of the activity following a disruption?

Resilience: Ability of the community, services, area or infrastructure to detect, prevent, and, if necessary, to withstand, handle and recover from disruptive challenges.

Response: Decisions and actions taken in accordance with the strategic, tactical and operational objectives defined by emergency responders. At a high level these will be to protect life, contain and mitigate the impacts of the emergency and create the conditions for a return to normality.

Response phase: Phase in which decision making and actions are focused on response to an actual emergency or disaster.

Risk: Measure of the significance of a potential emergency in terms of its assessed likelihood and impact.

Risk management: All activities and structures directed towards the effective assessment and management of risks and their potential adverse impacts.

Risk treatment: Process of determining those risks that should be controlled (by reducing their likelihood and/or putting impact mitigation measures in place) and those that will be tolerated at their currently assessed level.

Service Interruption: Any disruptive challenge that threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal operating functions, which could be short, medium or long term.


Situational awareness: The state of individual and/or collective knowledge relating to past and current events, their implications and potential future developments.

Situation Report (SitRep): Report produced by an officer or body, outlining the current state and potential development of an incident and the response to it.

Statutory: Prescribed in legislation.

Statutory guidance: Advice provided by or to an authority under statutory powers concerning the implementation of or compliance with a specific law.

Strategic: The level (above tactical level and operational level) at which policy, strategy and the overall response framework are established and managed.

Strategic Coordinating Group: Multi-agency body responsible for co-ordinating the joint response to an emergency at the local strategic level.

Tactical: Level (below strategic level and above operational level) at which the response to an emergency is managed.

Tactical Coordinating Group: A multi-agency group of tactical commanders that meets to determine, co-ordinate and deliver the tactical response to an emergency.

Training Needs Analysis (TNA)


12. APPENDIX B: LIST OF BUSINESS DISRUPTION RISKS FOR CONSIDERATION BY SERVICES AND DEPARTMENTS

| Hazard/Threat | Risk to Service |
|---|---|
| Loss of data, IM&T and digital infrastructure | Lost/stolen data |
| | Lost/stolen/destroyed paper files |
| | Failure of backup or failsafe |
| | Failure of hard disk drive |
| | Disruption to connection |
| | Disruption to internal telephone network |
| | Disruption to data network |
| | Disruption of active directory |
| | Failure of localised hardware |
| | Loss of application |
| | Loss of mobile phone/telephone network(s) |
| | Loss of switchboard |
| | Failure of server |
| Loss of premises, physical infrastructure and utilities | Contamination |
| | Disruption to direct medical gas supply |
| | Disruption to water supply |
| | Disruption to electrical power supply |
| | Disruption to heating |
| | Disruption to cooling |
| | Structural defect/failure |
| | Failure of equipment |
| | Fire |
| | Flooding |
| | Introduction of cordon |
| Loss of equipment and supplies | Disruption to road fuel supplies |
| | Disruption to product quality |
| | Breach of contract |
| | Failure to fund/supply goods or service |
| | Industrial action by drivers |
| | Industrial action by supplier |
| | Disruption/failure of stock management |
| | Supplier goes into administration |
| | Supply chain collapse |
| | Under-production by supplier |
| Loss of staff | Clustered notice giving |
| | Epidemic illness |
| | Influenza pandemic |
| | Industrial action |
| | School closures |
| | Disruption to public transport |


13. APPENDIX C: BCMS DOCUMENTATION

| Documentation | Owner | Governance Route | Storage Location | Access To Update | Frequency |
|---|---|---|---|---|---|
| EPRR Policy | Emergency Planning Office | EPRR Board | INsite | All staff | 3-yearly |
| Risk Management Policy | Risk and Assurance Manager | Audit Committee | INsite | All staff | 3-yearly |
| Business Continuity Policy | Emergency Planning Office | EPRR Board | INsite | All staff | 3-yearly |
| Trust-Wide Business Continuity Plan | Emergency Planning Office | EPRR Board | INsite | All staff | 3-yearly |
| Business Continuity Toolkit Template | Emergency Planning Office | EPRR Board | Sharepoint | Emergency Planning Office and Business Continuity Leads | 3-yearly |
| Business Continuity Toolkits for each Service/Department | Business Continuity Leads | CMG Boards | Sharepoint | Emergency Planning Office and Business Continuity Leads | Annually |
| Business Continuity Toolkit Compliance Sheet | Emergency Planning Office | EPRR Board | Sharepoint | Emergency Planning Office and Business Continuity Leads | Ad hoc, when Business Continuity Toolkits are updated |
| IM&T Disaster Recovery Plan | Chief Information Officer | IM&T Board | IM&T Shared Drive | IM&T staff | Annually |
| IT System Application Business Continuity Plans | System Owners | CMG Boards, IM&T Board | Sharepoint | All staff | 3-yearly |
| IT System Application Business Continuity & Disaster Recovery Compliance Sheet | Emergency Planning Office | EPRR Board | Sharepoint | IT System Application Owners, IM&T, Business Continuity Leads and Emergency Planning Office | Ad hoc, when IT System Application Plans are updated |
| Estates and Facilities Procedure Sheets | Head of Estates and Facilities | E&F Senior Mgt. Team | E&F Shared Drive | Estates and Facilities staff | Annually |
