business continuity management policy - southern · pdf filesh ncp 67 business continuity...

1 Business Continuity Management Policy Version: 3 April 2017

SH NCP 67

Business Continuity Management

Policy

Version: 3

Summary:

This Business Continuity Policy provides the strategic framework for Southern Health NHS Foundation Trust‘s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure SHFT meets its legal obligations to ensure the organisations Prioritised Activities and Services are protected against potential disruption as a result of incidents and emergency situations and climate change adaption.

Keywords (minimum of 5): (To assist policy search engine)

Business Continuity Policy, Business Continuity Management, Emergency Planning, Business Continuity Plan, Organisational Resilience, Climate Change Adaption

Target Audience:

All employees of Southern Health NHS Foundation Trust. Non-Executive Directors, Volunteers, Governors and Contractors.

Next Review Date: May 2020

Approved and ratified by:

EPRR Working Group Date of meeting: 12 January 2015

Date issued:

May 2017

Author:

Philip Rudin, Business Continuity and Emergency Preparedness Officer

Sponsor:

Helen Ludford Interim Head of Quality Governance


Version Control

Document Change Record

Date Author Version Page Reason for Change

24.05.13 T Pettis 1 Changes to reflect NHS England, NHS England and Public Health England structures following the abolition of Strategic Health Authorities and Primary Care Trusts.

24.05.13 T Pettis 1 NHS England BC related documents

02.12.13 S Brown 1 Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard

31.01.14 S Brown Replacement of reference to BS 25999 with ISO 22301 International Business Continuity Standard

18.05.14 T Pettis 1 Review and update of entire document and Business Impact Analysis

10.06.14 L Sawyer 1 Integration with Trusts Climate Change Adaption Plan

10.11.14 S Brown 2 Review of completed document and inclusion of BIA and BC Plan templates for EPRR WG on 21 Nov 14

05.01.15 S Brown 2 Inclusion of amended Business Impact Analysis (BIA)

14.03.2017 P. Rudin 3 General update of terminology, organisations’ names etc. Replace reference to Strategy for Organisational Resilience with details of current progress assurance procedures. Ensure consistency with other Trust plans and policies re escalation/invocation.

Reviewers/contributors

Name Position Version Reviewed & Date

Sharon Gomez Essential Training Lead 1 04 Feb 2013

Fiona Richey Head of Risk and Business Continuity 1 12 Feb 2013

Ricky Somal Equality and Diversity Lead 1 17 Feb 2013

Alida Towns Interim Business Manager 1 18 Feb 2013

Helen McCormack Chief Medical Officer 1 27 Mar 2013

Tim Pettis BCR Manager SHFT 1 01 Apr 2013

David Griffiths EPM (UHS) (External Reviewer) 1 01 May 2013

Libby Beesley EPM DUFT (External Reviewer) 1 01 May 2013

Tim Pettis BCR Manager SHFT 1 24 May 2013

Stuart Brown BC Advisor 1 02 Dec 2013

Stuart Brown BC Advisor 1 31 Jan 2014

Tim Pettis BCRM SHFT 1 29 May 2014

Louise Sawyer Environmental Sustainability Manager 1 10 June 2014

Stuart Brown BC Advisor 2 17 Nov 2014

Stuart Brown BC Advisor 2 05 Jan 2015

Lesley Stevens AEO 3 09 May 2017


CONTENTS

Page 1. Introduction

4

2. Scope

5

3. Definitions: 3.1 Business Continuity Management 3.2 Business Impact Analysis 3.3 Emergency 3.4 Prioritised Activities 3.5 Maximum Tolerable Period of Disruption 3.6 Recovery Time Objective

5

4. Duties/responsibilities 4.1 Chief Executive and Board 4.2 Accountable Emergency Officer (AEO) 4.3 Head of Compliance, Assurance & Quality 4.4 Environmental Sustainability Manager 4.5 Divisional and Area/Service Managers 4.6 Departmental Managers/Team Leaders 4.7 All staff

6

5. Main policy content:

5.1 Business Continuity Lifecycle 5.2 Business Continuity Objectives 5.3 Business Impact Analysis 5.4 Risk Assessment 5.5 Business Continuity Plans 5.6 The Southern Health NHS Foundation Trust Business Continuity Plan 5.7 Prioritised Activities/Services 5.8 Incident Identification 5.9 Incident Declaration 5.9.1 Normal working hours 5.9.2 Out of Hours 5.10 Stand Down 5.11 Recovery and Debrief 5.12 Document Management 5.13 Exercising

8

6. Training requirements 14 7. Monitoring compliance 15 8. Policy review 15 9. Associated documents 15

10. Supporting references 16

Appendices

A1 Business Impact Analysis Template 17 A2 Business Continuity Plan Template and Completion Guidance 38 A3 Business Continuity Plan Completion Guidance 49 A4 Training Needs Analysis (TNA) 56 A5 Equality Impact Assessment (EqIA) 58


Business Continuity Management Policy 1. Introduction 1.1 Business Continuity Management (BCM) is a legal requirement for all NHS, private and

third sector organisations, which under NHS funded Provider status, provide care or services to patients. Business Continuity Management forms part of the Care Quality Commission’s essential Standards of Quality and Safety, which all health providers must comply with as a condition of registration and the NHS England, Core Standards for Emergency Preparedness, Resilience and Response 2013 (EPRR). Business Continuity Management is an integral part of EPRR and this discipline sits within the EPRR Core standard Framework in both planning and assurance. Southern Health NHS Foundation Trust has services and facilities which cover a huge geographical area.

1.2 Statutory requirements under the Civil contingencies Act (2004) require all NHS Trusts to have in place Business Continuity Management arrangements that enable them to:

Respond to incidents (major and other) and emergencies of any kind;

Ensure the health, safety and well-being of its service users and staff; and

Support partner agencies in extreme circumstances. 1.3 The implementation of this policy is overseen by the EPRR Working Group, with

escalation if required to the Accountable Emergency Officer. In addition there is annual reporting to the Audit, Assurance and Risk Committee and Trust Board, and the required work-streams are reflected in the annual EPRR Work Plan

1.4 The SHFT Business Continuity Management programme described in this policy is

based on the following standards:

NHS England Core Standards for Emergency Preparedness, Resilience and Response 2013; and

International Standards Organisation ISO: 22301: 2012. 1.5 Business Continuity Management (BCM) is an integral and critical part of the incident

response planning process and helps build organisational resilience within an organisation. Business Continuity Management is about identifying an organisation’s Prioritised Activities/Services, the ‘appropriate’ resources required to deliver them, and planning how to maintain and reinstate them as soon as reasonably practicable or possible should an incident occur that causes disruption. Business Continuity Management achieves this by assessing the risks to an organisation’s ability to deliver its services, then considering how these risks can be eliminated or reduced, the contingency plans that can be put in place to ensure that those services identified as critical or essential are maintained regardless of the disruption, and how the other services can best be recovered when the disruption ceases.

1.6 The Climate Change Act 2008 also places a mandatory requirement on health care organisations to put in place Climate Change Adaption plans. Our climate is changing and a consequence we are seeing more frequent and severe weather events, such as droughts, heat waves, storms and extremes of cold and hot weather bringing increased disruption to our services and activities. The Business Continuity Management forms part of the Trust’s Climate Change Adaption plans by building in organisational resilience within the organisation to deal with severe weather events and other climate change impacts.

1.7 This policy requires ALL Services in ALL Divisions to develop Business Continuity

Plans (BCPs) which detail how a service will perform its functions in the event of disruption by defining and prioritising it’s Prioritised Activities/Services, detailing

http://www.england.nhs.uk/wp-content/uploads/2013/03/eprr-framework.pdf


http://www.legislation.gov.uk/ukpga/2004/36/contents



http://www.iso.org/iso/catalogue_detail?csnumber=50038

http://www.iso.org/iso/catalogue_detail?csnumber=50038

http://www.legislation.gov.uk/ukpga/2008/27/contents


contingency arrangements during the disruption and, when the disruption has passed, how all services will be restored (recovered) by.

Undertaking a Business Impact Analysis (BIA) to identify Prioritised Activities/Services;

Identifying the risks to the delivery of Prioritised Activities/Services and the likely impact if they are affected;

Planning how to mitigate against risk to Prioritised Activities and improve the resilience; and

Developing a BCP that details the Minimum Tolerable Period of Disruption (MTPD) to Prioritised Activities, their Recovery Time Objectives (RTO), and the minimum and appropriate resources required delivering them and the order of priority to in which these and other services should be restored to normal.

1.8 Other NHS, private and third sector organisations that provide services to NHS patients

on behalf of the Trust, or equipment and goods, which will be used in the treatment of the Trust’s NHS patients, are required and must have their own business continuity and resilience arrangements in order to meet the legal and contractual obligations with this Trust.

2. Scope 2.1 This Policy applies to:

All Southern Health NHS Foundation Trust (SHFT) services in all Divisions; and

All SHFT managers responsible for contracting, commissioning or purchasing goods or services from external organisation(s), defined as NHS Funded Providers. These SHFT managers are responsible for ensuring that contracts and/or service level agreements with providers of goods and/or services include arrangements to ensure that there are robust business continuity arrangements are in place so that the service or product they provide can be maintained thus supporting the Trusts’ own identified Prioritised Activities.

3. Definitions 3.1 Business Continuity Management (BCM)

Business Continuity Management is an all-inclusive management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational resilience readiness and resilience and the capability for an effective response that safeguards the interests of its service users, staff, key stakeholders, Trust brand and reputation.

3.2 Business Impact Analysis (BIA)

Business Impact Analysis is the process of analysing ALL business functions and the effect that a business disruption might have upon them.

3.3 Emergency For the purposes of this policy an emergency is defined as: ‘An actual or impending situation that may cause injury, loss of life, destruction of property, detrimental environmental impact or cause the interference, loss or disruption


of the organisation’s normal business operations to such an extent that it poses a threat’.

3.4 Prioritised Activities/Services

Prioritised Activities/Services are those services, which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff.

3.5 Maximum Tolerable Period of Disruption (MTPD)

Maximum Tolerable Period of Disruption is the time duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

3.6 Recovery Time Objective (RTO)

Recovery Time Objective is a target time set for the resumption of a product, service, activity or resource after an incident.

4. Duties/Responsibilities

4.1 Chief Executive and Board

The Chief Executive and the Board have a legal duty set under the Civil Contingencies Act (2004) and within NHS England Emergency Preparedness, Resilience and Response (EPRR) Core Standards (2014) to ensure Southern Health NHS Foundation Trust (SHFT) is prepared to respond to a major incident or civil contingency event within the local and wider health community, to maintain the public’s protection, and maximise NHS in its overall response. Trusts are ultimately accountable to the public and the Secretary of State for Health for ensuring that the organisation consistently follows the principles of good corporate governance and internal control. This ensures that a EPRR programme, of which Business Continuity Management (BCM) is an integral part is in place to ensure that, in the event of a loss or major disruption to core functions, the public continue to receive the best quality and range of services it is reasonably practicable to deliver, and that Prioritised Activities/Services are maintained.

4.2 Accountable Emergency Officer (AEO) for Emergency Planning, Resilience and Response The Accountable Emergency Officer (AEO) The Accountable Emergency Officer for Emergency Preparedness, Resilience and Response (EPRR) has delegated responsibility from the Board to ensure that the requirements of this policy are met, that the Board are provided with reasonable assurance, and are kept informed of any significant concerns. The AEO is supported where appropriate by a non-executive director, or appropriate other board member, to endorse assurance to the board that the organisation is meeting its obligations with respect to EPRR and relevant statutory obligations under the Civil Contingencies Act 2004. This will include assurance that the organisation has allocated appropriate resources to meet these requirements, which includes the support of trained and competent emergency planning and business continuity professional staff member(s) as appropriate.


4.3 Head of Compliance, Assurance & Quality The Head of Compliance, Assurance & Quality is responsible for the development and implementation of the Trust’s Business Continuity Management programme, advising on compliance with the Civil Contingencies Act and NHS England EPRR Core Standards. The Head of Compliance, Assurance & Quality may delegate some or all of the above to the Business Continuity and Emergency Preparedness Officer Business Continuity and Emergency Preparedness Officer Business Continuity and Emergency Preparedness Officer the organisation’s designated Emergency Planning Manager. The Head of Compliance, Assurance & Quality and designated Emergency Planning Manager will also:

Develop a Trust wide Incident Response Plan (IRP) from which the Business Continuity element will list the Trust’s Prioritised Activities/Services;

Provide specialist advice and guidance in respect of Business Continuity Management issues including the co-ordination, development, implementation and review of the business continuity policies, programme, plans and procedures;

Interpret the requirements of the Civil Contingencies Act 2004, NHS England EPRR Core Standards and ISO 22301 Societal Security - Business Continuity Management System Requirements, and associated guidance to support the Trust’s Divisions and service areas and to ensure that these requirements are met;

Conduct risk assessments based on current and future threats identified through environmental scanning and intelligence gathering;

Embed an EPRR/ Business Continuity culture through communication in concert with the offices of the AEO and the Trust’s EPRR Working Group, and through the EPRR WG make the provision of awareness sessions, training and exercises to staff, according to their roles and needs; and

Liaise with other NHS organisations and the wider area external agencies as required

Audit compliance via the EPRR WG relating to local Emergency Response and BCPs, facilitating tests and providing recommendations and other management feedback as appropriate.

4.4 Environmental Sustainability Manager:

The Environmental Sustainability Manager is responsible for developing and implementing the Trust’s Climate Change Adaption plans, including responsibility for advising the Head of Risk and Business Continuity of any climate change risks and impacts that may affect the Trust’s organisational resilience in business continuity.

4.5 Divisional and Area/Service Managers: Divisional and Area/Service Managers are responsible for:

Implementing and supporting the Business Continuity Management policy;

Ensuring a Business Impact Analysis for their services is undertaken;

Developing, maintaining and reviewing at least annually or when a new service is undertaken their BCPs, including the BIAs;

Testing and exercising at least annually the Divisional/Area/Service BCPs (see section 5.12);

Ensuring sufficient training is given;

Participating in exercises where appropriate; and


Maintaining all relevant operational BCPs as they are developed, ensuring that any significant service changes or risks are reflected in plans, and for understanding all the requirements and responsibilities as detailed in the plans.

4.6 Departmental Managers/Team Leaders

Departmental Managers/Team Leaders are responsible for:

Ensuring all their staff are familiar with their Divisional/Area/Service business continuity arrangements and BCPs;

Testing and exercising BCPs at least annually (see section 5.12);

Ensuring sufficient training is given; and

Participating in exercises where appropriate.

4.7 All Staff: Staff will make themselves aware of their department’s BCP, and will participate in training and exercises as required.

5 Main Policy Content 5.1 Business Continuity Lifecycle

To align with the required standards, and best practice, the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management (BCM) process will follow the five stages of the BCM lifecycle. The five stages are:

Understanding the organisation;

Determining BCM Strategy;

Developing and implementing the BCM Response;

Exercising, maintaining and reviewing; and

Embedding BCM in the organisation. 5.2 Business Continuity Objectives

In any situation, the primary Business Continuity objectives for the Trust will be to:

Comply with legal, regulatory and contractual obligations;

Ensure effective and competent incident management;

Ensure Prioritised Activities/Services have been identified, are protected, and their continuity made certain;

Ensure staff are trained to respond effectively to an incident or disruption through appropriate exercising;

Understand the requirements of key stakeholders and maintain communication with them;

Maintain the safety and well-being of service users, staff and estates;

Deliver an enhanced level of service to meet the extraordinary demands of an evolving scenario;

Ensure the supply chain is secured; and

Contribute to whole System/Wide Area Resilience.

5.3 Business Impact Analysis

ALL Trust services in ALL Divisions will undertake a Business Impact Analysis (BIA) using the SHFT Business Impact Analysis template (See Appendix 1).


Support and training in the use of the template will be provided by the Business Continuity and Emergency Preparedness Officer. The Business Impact Analysis element of the Business Continuity Management process will analyse the functions/activities of the service and/or Division on the basis of not performing that function. The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are categorised using the Impact Matrix at Page 5 within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require the support by the Trust and the Trust On-Call Director, whilst those GREEN and LIGHT GREEN can be supported internally be each Service and their On-Call Senior Manager. This categorisation system will enable the Division/Area/Service to identify all Prioritised Activities and provides the Decision Maker, the Trusts Incident Gold Commander to determine from a Trust wide perspective those services which need to be Enhanced, Reduced or Suspended. The number and complexity of Prioritised Activities/Services identified will determine the subsequent level of support needed to be provided to Division/Area/Service during an incident. The necessary supporting resources for the delivery of the services will also be analysed and identified, and during an incident via a dynamic process.

All services in all Divisions will review their BIA on an annual basis, on undertaking a new service or service provider, post exercise and post incident.

5.4 Risk Assessment

All Trust services in all Divisions will undertake a Risk Assessment within the Trust’s Business Impact Analysis template and guidance tools (See Appendix 1). The Risk Assessment element of the process considers the services and supporting resources identified in the BIA stage. The likelihood and impact of a variety of risks that could cause disruption to these services is analysed with the focus being on the RED, AMBER and YELLOW Prioritised Activities/Services, allowing services and/or Divisions to prioritise their risk reduction activities. For the identified RED, AMBER and YELLOW Prioritised Activities/Services, ALL Divisions will analyse the impact of disruption and determine:

The Maximum Tolerable Period of Disruption (MTPD) using the following Standard List:

One hour Four hours One Day One Week One month

The Recovery Time Objective (RTO) of a product, service or activity which must be less than its MTPD, using the following Standard List:

One hour Four hours


One Day One Week One month

The minimum amount of appropriate resources (including staff, premises, IT, equipment and information) in order to maintain that Prioritised Activities/Services at a basic level and with the appropriate skills/level of expertise required, This must include processes to identify persons with skills which are not easily obtained from elsewhere, within the Trust;

When key services supplied by another organisation, has in place any reciprocal arrangements, and whether they are available out of hours if required, and if there are mutual aid arrangements in place;

The impact of particular resource losses and where appropriate, to reference this to the appropriate risk register; and

Appropriate control measures that can be put in place to reduce the likelihood of disruption, shorten the period of disruption, and limit the impact.

5.5 Business Continuity Plans (BCPs)

Having made the Business Impact Analysis and Risk Assessment, all services in all Divisions will formulate their BCP as to how RED, AMBER and YELLOW Prioritised Activities/Services will be restored in order to meet the determined RTOs. BCPs will be:

Comprehensive but easily understandable;

Legal;

Efficient;

Achievable;

Realistic;

Risk Assessments concise as possible and readily available when needed; and

Easy to revise and update.

BCPs will form a key part of the Divisional Incident Response Plans. These plans and the Trust BCP will also detail the mechanism for escalating business continuity incidents to the Divisional Director and their On-Call Senior Manager to the Trust’s On-Call Director to ensure incidents are managed at the appropriate level according to the level of risk posed.

5.6 Southern Health NHS Foundation Trust Directorate and Service Business Continuity Plans Each Directorate and Service Area will complete a specific BCP resulting from the Business Impact Analysis (BIA) carried out within their area of responsibility. The purpose of this document is to provide a framework for an appropriate response and therefore mitigate the impacts of business disruption on the operation and reputation of the organisation by:

Responding to a disruptive incident (incident response);

Maintaining delivery of Prioritised Activities/services during an incident (business continuity); and

Returning to Business as Usual (resumption and recovery)

5.7 Southern Health NHS Foundation Trust Trust-wide RED, AMBER and YELLOW Prioritised Activities/Services

The Head of Compliance, Assurance & Quality and designated Emergency Planning Manager will compile from the Service, Area and Divisional BCPs a Trust wide list of all


SHFT’s RED, AMBER and YELLOW Prioritised Activities/ Services and the planned responses to disruption. This will be held at the Trust Incident Co-ordination Centre (ICC) as an Annexe to the Trust Business Continuity Plan and form part of the On-Call Director’s Pack. In the event of a major incident or emergency being declared the Trust’s Incident Management Team (IMT) will use this plan during and after the event to support decision making in maintaining the organisations Prioritised Activities/Services and to bring back on line those services reduced or suspended as soon as reasonable practicable.

5.8 Incident Identification

An incident or set of circumstances which might present a risk to the continuity of a service might be identified by any member of staff. When an incident or set of circumstances which might present a risk to the continuity of a service is identified, it is important that the staff member identifying the incident knows what to do. In the initial stages, this will involve making sure that the right people have been informed. In the event of a minor incident, or one that can be dealt with using normal services and resources available, then managers and staff will manage the incident, locally. The below table outlines the Levels of Incident and the required action of Trust staff and On-Call staff:

Level 1 – Minor incident / disruption

One or more of the following apply: The incident is not serious or widespread and is unlikely to affect business operations to a significant degree No significant impact on patient safety The incident can be dealt with by relevant managers / implementation of service level BCPs One or a small number of local BCPs are implemented A Priority Yellow Activity is likely to be disrupted beyond its RTO*

Actions to be taken:

Divisional Manager On Call to notify relevant managers that disruption should be managed by local BCPs

Level 2 – Minor incident / disruption

One or more of the following apply: The incident is expected to be fully resolved and closed within 24 hours Limited impact on patient safety The incident can be dealt with by relevant managers / implementation of service level BCPs One or a number of local BCPs are implemented A Priority Yellow Activity is likely to be disrupted beyond its MTPD** A Priority Amber Activity is likely to be disrupted beyond its RTO*



Divisional Manager On Call to notify relevant managers that disruption should be managed by local BCPs and notify appropriate Divisional Directors and Director On Call

Level 3 – Significant incident / disruption

One or more of the following apply: The incident / disruption is likely to last longer than 24 hours Significant impact on patient safety Access to systems / services for more than 24 hours A number of services are seeking to activate local BCPs and management of the incident using these does not seem viable A Priority Amber Activity is likely to be disrupted beyond its MTPD** A Priority Red Activity is likely to be disrupted beyond its RTO*


Activate local BCPs and this BCP if necessary Divisional Manager On Call to notify appropriate Divisional Directors and Director On Call Divisional Manager On Call to closely monitor the situation Incident Management Team will be established if necessary and the Divisional Manager On Call and Director On Call will determine the composition and set-up of this Team

Level 4 – Major incident / disruption

One or more of the following apply: Disruption / loss of major or multi-occupancy sites Major impact on patient safety Major wide-scale incident in a geographical area affecting several services Significant disruption to business activities Local BCPs inadequate to deal with the incident Incident Management Team required to respond Possible Incident Response Plan activation A Priority Red Activity is likely to be disrupted beyond its MTPD**


Activate this BCP Divisional Manager On Call and Director On Call will establish an Incident Management Team and will determine the composition and set-up of this Team dependent on the type of incident / disruption.

* Recovery Time Objective ** Maximum Tolerable Period of Disruption

Important: Should the Director On Call decide at any time to invoke the Trust’s Incident Response Plan then the continuing management of the business continuity incident will be incorporated into the Major Incident management activities, structure and processes.


5.9 Incident Declaration

5.9.1 Normal Working Hours

During normal working hours, in the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services, an Incident would be declared and the local BCP invoked by the Divisional Director or Area/Service Manager with responsibility for the service affected. If appropriate the Accountable Emergency Officer will declare a Major Incident or Major Incident Standby in order to mobilise an effective response across the organisation and ensure the involvement of partners where required.

5.9.2 Out of Hours In the event of an incident, or set of circumstances which might present a risk to the continuity of RED, AMBER and YELLOW Prioritised Activities/Services occurring outside normal working hours, the Divisional On-Call Senior Manager would decide to declare an Incident and invoke the ‘local’ BCP, informing the Trust On-Call Director. If appropriate the On-Call Director will declare a Major Incident or Major Incident Standby and invoke the Trust’s Incident Response Plan in order to mobilise an effective response across the organisation and ensure the involvement of partners where required. Both during normal working hours and out of hours the responsible Divisional Director, Area/Service Manager or Divisional Manager on Call would:

Start an incident log;

Notify the Accountable Emergency Officer (in hours) and the On-Call Director of the incident and response at the earliest opportunity;

Notify the Director of Communications and Engagement (in hours). Out of hours the Director on Call would notify the Communications on Call; and

If out of hours, notify the Divisional Director, Area/Service Manager with line management responsibility for the service at the earliest possible opportunity the next working day.

During in hours and out of hours if the On-Call Director decides it is appropriate to either declare a Major Incident or Major Incident Standby the Trust’s Incident Response Plan would then be followed.

5.10 Stand Down The responsible Divisional Director, Area/Service Manager and out of hours Divisional Manager on Call, would decide in consultation with the On-Call Director, and Accountable Emergency Officer when an Incident can be stood down.

5.11 Recovery, Debrief, Lessons identified to Lessons learnt The responsible Divisional Director or Area/Service Manager would be responsible for leading a debriefing and review process to ensure organisational learning, through identifying lessons to then be learnt:

A review of the response by the service, area, division, organisation, partners/other agencies is evaluated, from which lessons that are identified can be highlighted and from which a timetable of how those lessons will be learnt.

Staff receive appropriate support to ensure their health, safety and well-being at work; All areas of concern are addressed

All relevant documents are collated and a report prepared;


Any additional training needs are identified and a timetable of when that will delivered;

Staff are kept fully informed; and

The local BCPs are reviewed and updated.

5.12 Document Management Every BCP will be version controlled, and sent to the Trust Business Continuity and Emergency Preparedness Officer who will collate a central register of Business Continuity Plans and make these plans, together with this Policy available on the Trust Intranet in the Emergency Planning section and/or on the Director On Call Sharepoint site. The plan’s author is responsible for ensuring the most up to date version is available and easily accessible within the Division and to its services.

5.13 Exercising Trust wide exercises (unannounced, planned or table top) will be conducted as described in the Trust’s Incident Response Plan (IRP). Individual Divisions are responsible for ensuring that their BCPs are exercised. The frequency of exercise will be dependent on the number of Prioritised Activities/Services and the risk to them, and will be at the discretion of the Divisional Director. However all BCPs should be exercised and reviewed annually by:

Testing. Not all aspects of a plan can be tested, but crucial elements such as the contact list and the activation process can;

Discussion. Staff are brought together to inform them of the plan and their individual responsibilities. Discussion allows problems and solutions to be identified; (Lessons identified to be Learnt)

Table-top. Staff take decisions as a scenario unfolds in the same way they would in the event of a real Incident; and

Live. Ranges from a small scale test of one component, such as evacuation, through to a full scale test of all the components of the plan.

It is the responsibility of the BCP owner to implement the lessons identified into lessons learnt/any actions required as a result of exercise.

6 Training Requirements

The Head of Risk and Business Continuity will ensure that Business Continuity Management (BCM) is included in the Trust’s corporate induction risk management training. All managers will ensure that awareness of their Service/Area or Divisional BCP form a part of the local induction process. Staff with a Divisional lead role in BCM will be trained according to their level of need, as per the Trust’s and Local Resilience Forum(s) Training Needs Analysis (TNA). See Appendix 4. Significant changes and updates to BCM requirements or processes will be notified through the Trust’s Emergency Preparedness, Resilience and Response Working Group (EPRR WG).


7 Monitoring Compliance

The Trust’s Emergency Preparedness, Resilience and Response (EPRR) Working Group (WG) will monitor compliance with Trust’s Business Continuity Management arrangements.

Exceptions against the standards defined in this policy will be reported to the Assurance and Risk Committee.

Business Continuity Management compliance will be included in the Annual Report for Business Continuity and Resilience to the Assurance and Risk Committee.

Audits of Service/Area and Divisional BCPs will be initiated and carried out in accordance with the Trust’s Annual Audit programme.

This Policy has been through an Equality Impact Assessment at Appendix 5.

8 Policy Review

This policy will be reviewed at least every three years or at any point within this time to reflect organisational change, changes in legislation and/or guidance or following an Incident.

9 Associated Documents

This document should be read in conjunction with the Trust’s:

Incident Response Plan, associated plans and action cards;

An Emergency Event: Guidelines on Managing the Workforce Issues;

Risk Management Policy;

Risk Management Strategy;

Incident Management Policy;

Health & Safety Policy;

Climate Change Adaption Plan; and

Investigation, Analysis and Learning Policy. 10 Supporting References

The following documents provide the regulatory and strategic context for this policy. They make Business Continuity Management a legal requirement for Southern Health NHS Foundation Trust, and describe expectations and good practice regarding emergency preparedness and business continuity:

Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency Planning) regulations 2005;

Humanitarian Assistance Guidance;

Business Continuity Institute Good Practice Guidelines (2013);

International Standards Organisation ISO: 22301: 2012;

Health and Social Care Act 2008 (Regulated Activities) Regulations 2009;

Care Quality Commission’s Essential Standards of Quality and Safety’

Responding to Emergencies: The UK Central Government Response. Concept of Operations 2010;

NHS Resilience PAS 2015: Guidance for NHS-funded organisations 2010

Health and Social Care Act 2012;

http://www.legislation.gov.uk/uksi/2005/2042/contents/made

http://www.legislation.gov.uk/uksi/2005/2042/contents/made

https://www.gov.uk/government/publications/humanitarian-assistance-in-emergencies

http://www.legislation.gov.uk/ukpga/2012/7/contents/enacted


National Occupational Standards for Civil Contingencies: Skills for Justice;

British Standards Institute PAS 2015 Framework for Health Services Resilience;

NHS England Core Standards for Emergency Preparedness, Resilience and Response 2013;

NHS England Emergency Preparedness Framework 2014;

NHS England Business Continuity Framework (Service Resilience) 2013;

NHS England Business Continuity Policy Guidance; and

NHS England Business Continuity Management Toolkit.

Climate Change Act 2008



http://www.england.nhs.uk/wp-content/uploads/2014/01/toolkit-cover-doc.pdf


Appendix 1

Directorate/ Service name

Business

Impact Analysis

(BIA)

Date:

Southern Health NHS Foundation Trust Business Impact Analysis: template


Contents

1. Introduction ............................................................................................................................ 19

2. Supporting information ........................................................................................................... 20

3. Department / team / service information ................................................................................. 22

4. Prioritised Activities ................................................................................................................ 23

5. Business Continuity Risks ...................................................................................................... 30

6. Continuity Requirements Analysis .......................................................................................... 32

7. Staff Mapping Tool ................................................................................................................. 33

8. Beyond the BIA ...................................................................................................................... 36



1. Introduction

This document has been adapted from the NHS England Business Continuity Management Toolkit. The purpose of the original document is to assist those who are developing a Business Continuity Plan for their organisation. This version has been adapted for use within Southern Health NHS Foundation Trust and for our NHS Funded providers.

This template is produced in the spirit of ISO 22301 & 22313 but focusses on the priorities in which the NHS England EPRR Core Standards are set around. Further guidance on the wider subject Business Continuity can be sort from:

NHS England Region/Area/Directorate Business Continuity Leads

The NHS England National Support Centre Business Continuity Team

The NHS England Business Continuity Management Framework (service resilience) 2013

The NHS England Preparedness Framework 2013

ISO 22301 Societal Security - Business Continuity Management Systems – Requirements

ISO 22313 Societal Security - Business Continuity Management Systems – Guidance

PAS 2015 - Framework for Health Services Resilience

Business Continuity & Resilience Manager – Southern Health NHS Foundation Trust

Environmental Sustainability Manager – Southern Health NHS Foundation Trust

Southern Health NHS Foundation Trust will develop and maintain a Business Impact Analysis (BIA) for each service. Included within this document are fields which relate to environmental impacts. Please also complete these areas as this will in addition to supporting the BIA also support the Trust’s Environmental Strategies. This document also contains a staff mapping tool that can be used to gather information to facilitate workforce capability and capacity management in the event of a business disruption.

mailto:[email protected]

http://www.england.nhs.uk/wp-content/uploads/2013/01/bus-cont-frame.pdf




2. Supporting information

This section provides some background information to assist the EPRR leads to complete Business Impact Analysis (BIA).

NHS Mail Provided by the Health and Social Care Information Centre The disaster recovery solution is based on dual-site, geographically separated data centres with active and standby nodes of all infrastructures in the primary data centre. Data is synchronised across all three instances of the infrastructure so if a component fails in the primary data centre it will fail over to the standby node in the same data centre. If the data centre suffers a full outage, the service will fail over to the secondary data centre.

Buildings

Provided by SHFT or via NHS Property Services or Contracts with other providers SHFT Estates and facilities will work with NHS Property Services to explore potential strategies for managing a loss of building. EPRR leads are encouraged to discuss disaster recovery locations with their local Estates and facilities lead. There may be local arrangements already in place for providing alternative premises in the event of a building failure. Business Continuity Risk The key risks to the organisation achieving its objectives can be found in the Board Assurance Framework along with the Board papers. Operational risks will be held within directorates. Drawing on material from all directorates, an executive risk management group will have an overview significant risks, take actions where needed and bring the most significant strategic risks to the attention of the Board. Remember Contingency Plans under the CCA are based on local risks, for which the Trust must be aware and include within the Risk monitoring processes.

Therefore those Risks that are identified as part of the business continuity management process should be managed in line with the organisation and directorates processes and procedures.

Prioritised activities

Prioritised activities are those to which priority must be given following an incident in order to mitigate impacts. It may be that an activity can be suspended initially but later it becomes a priority. For example a task that must be completed at certain intervals rather than on continuous basis. Examples of prioritised activities are:

Incident Response

Media communications

Examples of activities that can be completed at certain intervals are:-

Reporting to National Bodies

Freedom of information requests

Complaints

Parliamentary questions



Examples of environmental impacts:-

Pollution incident, for example spillage from oil storage tank

Chemical spillage

Noise pollution Examples of climate change impacts:-

Extreme weather events: flooding, heat wave, severe cold spell, storms



3. Department / team / service information

Reference Number:

1. Name of author:

2. Job title of author:

3. Author telephone and e-mail:

4. Date:

5. Business Continuity Lead:

6. Name and description of service and location:



4. Prioritised Activities

The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). Step One: The first part of the Business Impact Analysis (BIA) process is to identify the core business and key deliverables of the Directorate/Service. These are your Prioritised activities. Prioritised Activities are those to which priority must be given following an incident in order to mitigate impacts. Step Two: Using those Prioritised Activities that you have identified above, use the Impact Matrix at Page 9 to identify what the impact score would be of each if they were affected. Step Three: Following the process at Step Two, now use Likelihood Matrix at Page 10 to identify what the Likelihood score is of each of the Prioritised Activities being affected. Step Four: Using the scores from both Step Two and Three, map the scores for each Prioritised Activity into the Likelihood x Impact Matrix at Page 11. Use this final score. Step Five: Only those identified as RED, AMBER and YELLOW will be captured within the BIA as these could have a wider impact on the Trust and may require the support by the Trust and the Trust On-Call Director. Those identified as GREEN and LIGHT GREEN can be supported internally be each Service and their On-Call Senior Manager. The results from Step Four are then reflected in the table overleaf:



List the prioritised activities undertaken Tick as appropriate Responsible

Officer Red Amber Yellow

i.

ii.

iii.

iv.

v

vi

vii



Impact Matrix

Qualitative Assessment of Impact

Level Descriptor Descriptor

1

Negligible

Minor – first aid treatment.

No environmental implications.

No or very low financial loss i.e. under £1,000.

No or very minor internal disruption to the overall service delivery or other

services.

No impact on the organisation’s overall service delivery.

No or very minor disruption to external services reliant upon them.

2

Minor

Injury requiring first-aid treatment or temporary minor illness (less than 3

days lost).

Minimal environmental implications.

Failure to meet (local) departmental standards.

Minimal loss of reputation.

Moderate financial loss (£1k to £9k).

Minimal business interruption.

3

Moderate

Break of minor bone or temporary minor illness (3-7 days lost).

Moderate environmental implications.

Moderate financial loss (£10k to £49k).

Moderate loss of reputation.

Failure to meet organisational standards.

Moderate business interruption.

4

Major

Single death of any person/ Permanent serious illness/ disability.

Extreme environmental implications.

Extreme financial loss (£250k to £499k).

Intermittent failure to meet national professional standards and/ or

statutory requirements.

Extreme business interruption.

5

Catastrophic

Multiple deaths involving any persons/ multiple permanent serious illness/

disability.

Extreme financial loss (£500k+).

Catastrophic business interruption.

Sustained failure to meet national professional standards and/ or statutory

requirements.



Likelihood Matrix

Qualitative Assessment of Likelihood

Level Descriptor Likelihood (over 5 years)

1 Rare May occur in exceptional circumstances (less than 5% chance).

2 Unlikely Could occur at some time (6 – 25% chance).

3 Moderately unlikely

The event should occur at some time (26 – 50% chance).

4 Likely The event will occur in most circumstances (51 – 75% chance).

5 Certain The event is expected to occur in the next 5 years.



Impact x Likelihood =

Catastrophic

5 10 15 20 25

Major

4 8 12 16 20

Moderate

3 6 9 12 15

Minor

2 4 6 8 10

Negligible

1 2 3 4 5

Impact/ Likelihood

Rare Unlikely Moderately

Unlikely Likely Certain

Negligible Minor Moderate Major Catastrophic

Use the table overleaf to record the impact of the loss of an activity for different lengths of time and identify where this length of disruption would be acceptable to the organisation and its stakeholders. Using the Descriptors above, add a ‘Score’ to each and whether or not this will be tolerable.



Impact of disruption to prioritised activities

Prioritised

Activity Length of disruption

Category of Impact (please tick)

Comment Score1

Tolerable

(Yes or

No)

Fin

an

cia

l

Serv

ice

delivery

Rep

uta

tio

n

Healt

h a

nd

safe

ty

En

vir

on

men

tal

Info

rmati

on

secu

rity

Sta

tuto

ry o

r

reg

ula

tory

du

ty

Bu

sin

ess

ob

jecti

ve

Su

pp

lier

i.

Up to ½ day

½ day to 1 day

1 day to 1wk

1wk to 1mth

1mth to 3mths

iii.

Up to ½ day

½ day to 1 day

1 day to 1wk

1wk to 1mth

1mth to 3mths

iv.

Up to ½ day

½ day to 1 day

1 day to 1wk

1wk to 1mth

1mth to 3mths

1 1=Negligible, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic



Some activities will be of greater priority at different points in the year, for example, certain financial processes will be need to be prioritised at

financial year end. Do your prioritised activities vary at different times of the month or year? Please explain



5. Business Continuity Risks

The table below is based on the NHS England Risk Register from the NHS Risk Management Policy and Procedures and includes a number of scenarios that present a risk to the organisation. Consider these scenarios and decide whether or not they present a risk to the prioritised activities that you provide. For example, if your service is paperless it is unlikely that a loss of paper records will have an impact.

Please add any other scenarios that are relevant to your service.

Which of the following hazards and threats are relevant to your department or service?

Ref Hazard of threat Y or N Why?

1 Fire or flood

2 Loss of electronic records

3 Loss of paper records

4 IT systems/application failure

5 Mobile telephony failure

6 Major IT network outage

7 Denial of premises

8 Terrorist attack or threat affecting the transport network or office locations

9 Theft or criminal damage

10 Chemical contamination or pollution incident, such as oil spillage

11 Serious injury to, or death of, staff whilst in the offices

12 Significant staff absence or disruption to patient access due to severe weather or transport issues

13 Infectious disease outbreak

14 Simultaneous resignation or loss of key staff

15 Industrial action

16 Fraud, sabotage or other malicious acts

17 Violence against staff

18 Please add any other relevant threats

The Civil Contingencies Act (CCA) regulations and guidance (chapter 6, 6.74) identifies five broad strategy options that could be considered when developing your risk reduction strategy:

Do nothing: if the risk is deemed to be acceptable by senior management they may choose to do nothing. This may be suitable for an event with a very low probability of occurrence, such as an earthquake.

Changing, transferring or ending the process: consideration must be given to fulfilling any statutory duties and any insurance or reputation ramifications as a result of a third party failing to deliver.

Insurance: may provide some financial cover but cannot protect the reputation of the organisation and other associated losses.

Loss mitigation: putting in place procedures to eliminate or reduce the risk, such as installing smoke alarms.

Business Continuity Planning: putting in place arrangements that allow for the recovery and continuity of key business processes within a pre-identified time frame.



Using the reference number from the left hand column of the table above, plot those risks identified against the Impact Matrix at page 8 and the Likelihood Matrix below. This gives you an overview of the level of risk to your prioritised activities.

Risk Assessment

Ref

Date

revie

wed

Hazard or Threat

Imp

act

Lik

elih

oo

d RAG

status Senior Responsible Officer

Mitigating Actions Risk Owner

Date

fo

r

revie

w

Resid

ual

risk

Qualitative Assessment of Likelihood

Level Descriptor Likelihood (over 5 years)

1 Rare May occur in exceptional circumstances (less than 5% chance).

2 Unlikely Could occur at some time (6 – 25% chance).

3 Moderately unlikely

The event should occur at some time (26 – 50% chance).

4 Likely The event will occur in most circumstances (51 – 75% chance).



6. Continuity Requirements Analysis

The purpose of this section is to identify what is required in order to deliver your prioritised activities and it is this information that will form the basis of the recovery plan. This section must be completed where the risks to the service cannot be removed or reduced to an acceptable level through other mitigating actions. Prioritised Activity

Recovery time objective (RTO)2

Premises required to restore the service

Technology required to restore the service

Information required to restore the service

Recovery Point Objective (RPO)

3

Supplies required to restore the service

Stakeholders required to restore the service

Maximum Tolerable Period of Disruption (MTPD)

4

i.

ii.

iii.

iv.

v.

Recovery Time Objective (RTO) and Maximum Tolerable Period of Disruption (MTPD). The following standards are ONLY to be used:

One hour

Four hours

One Day

One Week

One month

2 The RTO is the period of time following an incident within which an activity must be resumed and is always less that the MTPD 3 The RPO is the point to which information used by an activity must be restored to enable the activity to operate on resumption 4 The MTPD is is the time frame during which a recovery must be affected before an outage compromises the ability of to achieve the organisation’s business objectives and/or survival, also referred to as the Maximum Acceptable Outage.



7. Staff Mapping Tool

The reason for mapping staff skills is to facilitate redeployment in an incident. If you have identified staff who ordinarily are involved in activities that are not an immediate priority but have the appropriate pre-requisites to work in an immediate priority area the organisation would aim to move them around in order to cover absence or supplement a team that is dealing with a sudden increase in workload. This information will also be used to identify where as an organisation there is a shortage of some certain essential skills so this can be addressed. In the table below you should list the minimum number of staff, skill-set, competencies and qualifications required to deliver prioritised activities. If none of your activities fall into these categories please leave the table blank. Prioritised Activity:

i. ii. iii. iv. v.

Business as Usual No. of Staff5

Minimum no. staff required

Skill / Competency / Qualification

5 The number of whole time equivalent (WTE) staff



Starting in the second column from the left, list the skills, competencies and qualifications required for the organisation’s highest priority

activities. This information will be gathered from each area completing the table above. The table below should be used to record the relevant skills that are held by members of your department/team/service.

Employee Name Skill / Competency / Qualification



The final table asks for some personal and work information for each member of your department/team/service. This table must only be completed with the explicit permission of the individual members of staff and the information included must be treated in confidence. Employee Name Main place of

work (where does this employee usually work from)

Does the member of staff depend on public transport to get to work? (Yes or No)

Does the member of staff depend upon vehicle fuel to get to work? (Yes or No)

Can the member of staff work from another office location? (Yes or No)

Can the member of staff work from home with a work laptop and VPN (remote access)? (Yes or No)

Can the member of staff work from home using a personal computer? (Yes or No)



8. Beyond the BIA

This section explains how the information gathered through the BIA informs business continuity planning. Business Continuity Plan (BCP) The BC plan will details the alert, triggers for activation, activation process, roles and responsibilities for Incident Commanders, Incident managers, incident Coordination Centre operations, communications, recovery requirements, stand-down and resumption of business as usual. The BCP covers the three phases of an incident. The information gathered through the BIAs will inform the business continuity phase of an incident by providing the decision maker with an overarching situational status of the organisation and from which strategic decisions can be made about which services will be Enhanced, Reduced or Suspended.

Source: PD 25888:2011

Incident Response Phase

Health organisations have to have an Incident Response Plan (IRP) in place for managing the incident response phase on a business disruption. The IRP will be devised by BC lead, with the EPRR Working group. EPRR leads should work with the Business Continuity and Emergency Preparedness OfficerBusiness Continuity and Emergency Preparedness Officer to ensure that there is a coordinated approach. Recovery and Resumption Phase

The BCP will provide a framework for managing the return to business as usual.


Appendix 2 Business Continuity Plan Template

Name of Division/ Area/ Service

Business Continuity Plan

Name of Division / Area / Service or Premise

Name of Plan’s owner

Job title of Plan’s owner

Owners telephone and email

Date


Section Title Page

1. Identifying Priority Activities / business functions

2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be suspended for a period of time

3. Analysis of the impact of loss of key resources on Priority Activities / business functions

4. Risk avoidance and contingency measures

5. Minimum amount of resources (people, premises, technology, information, supplies and partners) to maintain Prioritised Activities at a basic level and the skills/level of expertise required

6. Recovery (order of service restoration, maximum tolerable period of disruption, recovery time objectives)

7. Key stakeholder contacts details

8. Management arrangements

Appendix 1 Business Continuity Plan Template completion guidance


1. Identifying Priority Activities / business functions

Priority Activities / business functions

Assessment of risk if service ceases:

Outcome of Priority Activities ceasing:

Likelihood (1-5)

Impact (1-5)

Risk Score (L x I)


2. Priority Activities / business functions, and non-essential Priority Activities / business functions that could be suspended for a period of time

Prioritised Activities that must be continued are as follows:

Services that could be scaled down if necessary are:

Priority Activities / business function

How the service could be scaled down


Services that could be suspended for a period of time are:

Priority Activities / business function

Number of days service function could cease


3. Analysis of the impact on essential Priority Activities / business functions of the loss of key resources

Resource: Affects Prioritised Activities:

Yes/No

Assessment of risk if input ceases:

Outcome of input ceasing

Likelihood (1-5)

Impact (1-5)

Risk Score (L x I)

People

Premises

Technology

Information

Supplies

Utilities:

Electricity

Gas

Water

Vehicle fuel

Partners

Beds

PICU (Psychiatric Intensive Care Unit) beds



Resource: Risk avoidance measures either in place or to be taken

Contingency measures either in place or to be taken in the event

of a potential risk occurring

Lead responsibility

Date for completion

People

Premises

Technology

Information

Supplies

Utilities:

Electricity

Gas

Water

Vehicle Fuel

Partners

Beds

PICU (Psychiatric Intensive Care Unit) beds (if appropriate)


5. Minimum amount of resources (people, premises, technology, information, supplies, utilities, partners and beds) to maintain Priority Activities at a basic level and the skills/level of expertise required

Priority Activities Minimum resources to maintain Priority Activity at a basic level and the skills/ level of expertise required



Order of service restoration

Priority Activities / business function Recovery Time Objective (Target

time)

Maximum Tolerable Period

of Disruption (Target time)

1.

2.

3.

4.

5.

6.

Services that could continue to be suspended for a period of time

7.

8.

9.

10.


7. Key stakeholder contact details

Stakeholder Contact number Mobile number Email address

Out Of Hours contact number

Out Of Hours mobile number

Out Of Hours email address


8. Management arrangements To achieve business continuity it is vital that there are clear management lines within each Directorate.

Insert Hierarchy chart outlining Command Structure within the Directorate/Service Area


Appendix 3

Business Continuity Plan Template Completion Guidance

Introduction

This Business Continuity Plan template is an appendix to the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management Policy, and these documents should be read in conjunction, and with the SHFT Incident Response Plan. Business Continuity Management (BCM) is part of the Emergency Preparedness, Resilience and Response arrangements and is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. BCM is about:

Undertaking a Business Impact Analysis by analysing business functions and the effect that a business disruption might have upon them to identify Priority Activities;

Identifying the risks to the delivery of Priority Activities and the likely impact if they are affected;

Planning how to mitigate against risk to Priority Activities and putting in place contingency arrangements to improve their resilience; and

Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption to Priority Activities, their Recovery Time Objectives, the minimum resources required to deliver them, and the order of priority to in which these and other services should be restored to normal.

Prioritised Activities/Services are services which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff. Maximum Tolerable Period of Disruption is the time duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

Recovery Time Objectives is a target time set for the resumption of a product, service, activity or resource after an incident and is less than the Maximum Tolerable Period of Disruption.


1. Identifying Prioritised Activities/ Services / business functions

and

2. Prioritised Activities/Services / business functions, and non-Prioritised Activities / business functions that could be suspended for a period of time

Priority Activities and/or essential business functions are services which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff. Priority Activities are the elements of a service and its functions that must continue to operate whatever difficulties are faced. To identify these each service lists the elements of their service and considers the effect of ceasing to provide each element of their service or function on:

Meeting the needs and ensuring the safety of patients, particularly Southern Health NHS Foundation Trust (SHFT) most vulnerable patients;

Other health care providers and social care;

The safety of estates and buildings;

SHFTs statutory and legal responsibilities; and

SHFTs reputation.

The Business Impact Analysis (BIA) in Appendix 1 enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are then categorised using the Impact Matrix within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require the support by the Trust and the Trust On-Call Director, whilst those GREEN and LIGHT GREEN can be supported internally be each Service and their On-Call Senior Manager.

The results of this exercise can then be recorded in Section 1 Assessment of Priority Activities and/or essential business functions, Section 2 Priority Activities and/or essential business functions, and non-Prioritised Activities and/or non-essential business functions that could be suspended for a period of time of the Business Continuity Plan Template. While it is recognised it is difficult to give 100% accurate figures, a robust informed estimate can be made.


3. Analysis of the impact on Priority Activities / business functions of the loss of key resources

There are a number of resources required to run a service that if lost could adversely affect service delivery. These include:

People e.g. sickness due to seasonal or pandemic flu, carer responsibilities, part time/full time staff, distance/time staff travel to work, specialist roles, number of military reservists;

Premises e.g. fire, flood;

Technology e.g. PCs, internet connections, telephone landlines;

Information e.g. referrals in, patient records, access to clinical guidelines;

Supplies and partners e.g. protective equipment, pharmaceutical supplies, disposable instruments, dressing packs, scales, chairs, desks, examination lamps, clinical waste and sharp containers, screens, adjustable couches, catering, unique or long lead time equipment;

Utilities, e.g. electricity, gas, water, vehicle fuel;

Stakeholders e.g. local authority, estates and facilities, IT, procurement team, pharmacy, ambulance service, GPs, acute hospitals; and

Beds, e.g. wards and capacity, emergency beds, PICU (Psychiatric Intensive Care Unit) beds etc. Some services may have service specific risks to their Priority Activities e.g. a building from where services are delivered situated in an area of high flood risk, a reliance on highly specialist equipment or staff. Section 3 Analysis of the impact on Priority Activities / business functions of the loss of key resources in the Business Continuity Plan Template and the Risk Matrix and Consequence Table in this document enables a service to identify risks to their Priority Activities if a key resource is lost, and to prioritise each risk.



Once the risks to Priority Activities and/or essential business functions have been identified and prioritised, how to avoid the risks and contingency planning needs to be considered. Risk avoidance is concerned with proactively putting measures in place to remove or minimise a risk. These include:

People e.g. staff flu vaccination, multi- skill training, ensuring more than one person has specialist skills, succession planning, bank and agency staff;

Premises e.g. alternative premises within the organisation or provided by other organisations, remote access, working from home;

Technology e.g. maintaining the same technology at different locations, holding older equipment as emergency replacement, mutual aid agreements with other services, use of staff computers (Portwise access), use of staff mobile phones, additional chargers;

Information e.g. backing-up, hard copies, electronic copies, patient held records;

Supplies and partners e.g. storage of additional supplies at another location, arrangements for the delivery of supplies at short notice, identification of alternative suppliers, increasing the number of suppliers, ensuring service level agreements are in place with suppliers who have business continuity capabilities (consider out of hours arrangements, cost implications of sudden unexpected ordrs, prior approval, delivery times);

Utilities, e.g. alternative premises, access to back-up generators, alternative heating and water provision arrangements, staff travel to work in the event of vehicle fuel shortages etc.

Stakeholders e.g. strategies to manage relationships with stakeholders, special arrangements for the most vulnerable patients/service users; and

Beds (including PICU beds where appropriate), e.g. early discharges, alternative emergency bed capacity, transport of patients for discharge and to alternative inpatient provision, access to medicines, beds, bedding, towels, chairs, catering etc.

Consider who has lead responsibility and date for completion of contingency measure yet to be put in place. Section 4 Risk avoidance and contingency measures in the Business Continuity Plan Template enables a service to list the risk avoidance and contingency measures it has adopted, or is going to adopt, for each of the Prioritised Activities if a key resource is lost.


5 Minimum amount of resources (people, premises, technology, information, supplies utilities, partners and beds) to maintain that Priority Activities at a basic level and the skills/level of expertise required

Consider the resources required to maintain Priority Activities and/or essential business functions at an acceptable level. Again these will include:

People e.g. how many staff are required to deliver Priority Activities, what is the minimum staffing level, what skill/level of expertise are required to undertake these activities?

Premises e.g. what locations do Priority Activities operate from, what alternative premises are there, what facilities are essential?

Technology e.g. is the service dependant on electrical medical equipment, what IT is essential, what systems and means of communication are required?

Information e.g. what information is essential, how is this information stored?

Supplies and partners e.g. who are the priority suppliers/partners, are key services contracted out, are there mutual aid arrangements in place?

Utilities, e.g. electricity, gas, water, vehicle fuel; and

Beds (including PICU beds where appropriate).


Several Priority Activities and/or essential business functions may be lost at the same time. Therefore it is important to decide the priority and when services will be restored to ensure the impact of a disruption on patients, partners and staff is minimised. The Minimum Tolerable Period of Disruption (MTPD) is the time duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed. The Recovery Time Objectives is a target time set for the resumption of a product, service, activity or resource after an incident and must be less than the MTPD. Section 7 Recovery in the Business Continuity Plan Template enables a service to agree in what order its Priority Activities and non-Priority Activities and/or business functions, will be restored and when.


7. Key stakeholder contact details

All Business Continuity Plans (BCPs) should contain, or provide a reference to, the contact details for all key stakeholders:

Team members e.g. all those staff involved in the implementation of the plan;

Internal e.g. people, managers, staffing agencies, premises, estates, IT, suppliers;

External e.g. local GPs, hospitals, social services; and

Patients/carers/families. This should include how to contact stakeholders out of hours. The data protection of personal information, for example patient contact details and private telephone numbers, should be ensured. Section 7 Key stakeholders contact details in the BCP Template enables a service to list its key stakeholder contact details.

8. Management arrangements

All Business Continuity Plans (BCPs) should contain a description of their service’s management and on call arrangements. This should be in the form of a diagram of departmental through to Divisional management arrangements. Section 8 Management arrangements in the BCP Template enables a service to describe its management and on call arrangements.


9. Exercise and review

All Business Continuity Plans (BCPs) should be validated annually by exercise and reviewed to ensure they are effective and up to date. The frequency of exercise and review will depend on the rate of change to a service, its risk profile, and the outcomes of previous exercise and review i.e. if particular weaknesses have been identified requiring changes to be made. There are four main types of exercising:

Testing. Not all aspects of a plan can be tested, but crucial elements such as the contact list and the activation process can;

Discussion/walkthrough. Staff are brought together to inform them of the plan and their individual responsibilities. Discussion allows problems and solutions to be identified;

Table-top. Staff take decisions as a scenario unfolds in the same way they would in the event of a real incident; and

Live. Ranges from a small scale test of one component, such as evacuation, through to a full scale test of all the components of the plan.

BCPs must be exercised and reviewed annually, and any actions required as a result of this process implemented. In addition BCPs must be reviewed following restructuring, changes to the method of delivery of Prioritised Activities, statutory changes, lessons learnt as a result of an incident, changes to key staff. Exercise and review is the responsibility of the Plan’s owner.


Appendix 4 Training Needs Analysis (TNA)

Training Programme Frequency Course Length Delivery Method

Trainer(s) Recording Attendance

Strategic & Operational Responsibility

Business Continuity Management Awareness

Once at Induction

As part of the Governance and Risk Management induction session

Presentation Face to face

Governance/ Business Continuity Team

LEaD

Strategic: Accountable Emergency Officer Operational: Head of Risk and Business Continuity

Divisional/ Area/ Service Business Continuity Plans

Once at Induction and at least annually thereafter

As part of the local induction process and routine exercising (see section 5.12)

Face to face Line manager

Line manager (LEaD in the future)

Strategic: Appropriate Director Operational: Line manager

Business Continuity Management for Divisional/ Area/ Service Business Continuity Leads

Once on appointment to Divisional/ Area/ Service lead role for Business Continuity and yearly thereafter

Three hours Face to face

Head of Risk and Business Continuity/ Business Continuity Team

LEaD


Business Continuity Management for staff responsible for developing local service Business Continuity Plans

Once at induction and 2 yearly thereafter

Two hours Face to face

Divisional/ Area/Service Lead for Business Continuity

LeAD


Directors on Call

Once on joining the rota and yearly thereafter

One hour Face to face

Head of Risk and Business Continuity/ BC Team

LEaD



Directorate Division Target Audience

MH/LD

Adult Mental Health

All staff to attend Corporate and Service Induction Sessions. Divisional/Area/Service leads for Business Continuity to attend Business Continuity Management training. Divisional/Area/Service leads for Business Continuity to train staff responsible for the development of local service Business Continuity Plans

Learning Disabilities

Older Persons Mental Health

Specialised Services

TQtwentyone

ICS

Adults

Children’s & Wellbeing

Dental

Corporate Services All (HR, Finance, Governance, Estates etc.)


Appendix 5 Equality Impact Assessment

Equality Impact Assessment (or ‘Equality Analysis’) is a process of systematically analysing a new or existing policy/practice or service to identify what impact or likely impact it will have on protected groups.

It involves using equality information, and the results of engagement with protected groups and others, to understand the actual effect or the potential effect of your functions, policies or decisions. The form is a written record that demonstrates that you have shown due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations with respect to the characteristics protected by equality law.

For guidance and support in completing this form please contact a member of the Equality and Diversity team

Name of policy/service/project/plan:

Business Continuity Management Policy

Policy Number:

SH NCP 67

Department:

Quality and Governance

Lead officer for assessment:

Head of Risk and Business Continuity

Date Assessment Carried Out:

January 2015

1. Identify the aims of the policy and how it is implemented.

Key questions Answers / Notes

Briefly describe purpose of the policy including

How the policy is delivered and by whom

Intended outcomes

The Business Continuity Management Policy has been developed to provide the strategic framework for Business Continuity Management across the Trust and describes the Trust’s Business Continuity Management programme. The aim is to ensure the Trust meets its legal obligations to protect Prioritised Activities against potential disruption as a result of incidents and emergency situations. The Policy therefore applies to all staff. All Staff are made aware of the policy and its content during mandatory staff Induction Training. The Head of Business Continuity and Resilience has lead operational responsibility for the implementation of the policy. The Policy is publically available on the Trust Web site and Staff Intranet.

2. Consideration of available data, research and information

Monitoring data and other information involves using equality information, and the results of


engagement with protected groups and others, to understand the actual effect or the potential effect of your functions, policies or decisions. It can help you to identify practical steps to tackle any negative effects or discrimination, to advance equality and to foster good relations. Please consider the availability of the following as potential sources:

Demographic data and other statistics, including census findings

Recent research findings (local and national)

Results from consultation or engagement you have undertaken

Service user monitoring data

Information from relevant groups or agencies, for example trade unions and voluntary/community organisations

Analysis of records of enquiries about your service, or complaints or compliments about them

Recommendations of external inspections or audit reports

Key questions

Data, research and information that you can refer to

2.1 What is the equalities profile of the team delivering the service/policy?

All staff members, contractors, visitors and volunteers should comply with this Policy. The Trust’s Equality and Diversity team report on workforce equality monitoring data on an annual basis and this information is available if required.

2.2 What equalities training have staff received? All Trust staff have a requirement to undertake Equality and Diversity training as part of Organisational Induction (Respect and Values) and E-Assessment

2.3 What is the equalities profile of service users? The Trust’s Equality and Diversity team report on Trust patient equality data profiling on an annual basis and this information is available if required.

2.4 What other data do you have in terms of service users or staff? (e.g results of customer satisfaction surveys, consultation findings). Are there any gaps?

The Quality and Safety Committee is a Sub-Committee of the Trust Board, and therefore has a responsibility to receive and scrutinise assurance,


and provide onward assurance to the assurance and Audit Committees and Trust Board. It monitors business continuity management as part of risk management processes to ensure that these are working correctly. Delegated responsibility for specific areas of business continuity management is held by the following groups:

Local Divisional / Directorate / Business and Governance Groups

Health and Safety Committee

Trust EPRR WG

2.5 What internal engagement or consultation has been undertaken as part of this EIA and with whom? What were the results? Service users/carers/Staff

This Section requires completion following completion of the Policy consultation. The EIA will be sent out as part of the policy consultation process.

2.6 What external engagement or consultation has been undertaken as part of this EIA and with whom? What were the results? General Public/Commissioners/Local Authority/Voluntary Organisations

The Trust has embraced the Equality Delivery System and will drive forward a strong engagement plan to involve and communicate with staff and patients so that they can share their skills and expertise on key issues on affecting service delivery.


In the table below, please describe how the proposals will have a positive impact on service users or staff. Please also record any potential negative impact on equality of opportunity for the target: In the case of negative impact, please indicate any measures planned to mitigate against this:

Positive impact (including examples of what the policy/service has done to promote equality)

Negative Impact Action Plan to address negative impact

Actions to overcome problem/barrier

Resources required

Responsibility Target date

Age

Appropriate action is taken to ensure that the work environment is conducive to the needs of all our staff and service users.

No negative impacts have been identified at this stage of screening

Disability

The Trust will support staff with a disability and provide reasonable adjustments Personal Emergency Evacuation Plans (PEEP’S) are available to ensure the safety to staff and patients. The Trust has

There is a potential negative impact in making assumptions about the health and safety implications of a person’s disability as it might not make a difference to business continuity management. People hiding a

The equality and diversity team will provide support and guidance to the Trust

Equality and Diversity Team Estates Department


conducted Disability Access Audits on its services The Trust will provide appropriate interpreting and translation services to respond to requests for information in alternative formats.

disability that might have business continuity implications.

Gender Reassignment

The ethical framework used by the Trust will ensure each staff members and patient’s privacy and confidentiality are preserved


Marriage and Civil Partnership

No negative Impacts identified at this stage of screening.

Pregnancy and Maternity

The Trust will ensure risk assessments are undertaken for all new and expectant mothers to ensure preventative measures are undertaken where significant risks to business continuity



are identified.

Race The Trust responds positively to requests of information in alternative formats. The Equality and diversity Lead can be contacted for information on Interpreting and Translation services

No negative Impacts identified at this stage of screening

Religion or Belief


Sex


Sexual Orientation

The ethical framework used by the Trust will ensure each patient’s privacy and confidentiality are preserved.

No negative Impacts identified at this stage of screening