Crosswords

Business Continuity Management Policy

Categories
Published
of 31
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Description
SH NCP 67 Business Continuity Management Policy Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: This Business Continuity Policy provides the strategic framework for
Transcript
SH NCP 67 Business Continuity Management Policy Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: This Business Continuity Policy provides the strategic framework for Southern Health NHS Foundation Trust s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure SHFT meets its legal obligations to ensure the organisations Prioritised Activities and Services are protected against potential disruption as a result of incidents and emergency situations and climate change adaption. Business Continuity Policy, Business Continuity Management, Emergency Planning, Business Continuity Plan, Organisational Resilience, Climate Change Adaption All employees of Southern Health NHS Foundation Trust. Non-Executive Directors, Volunteers, Governors and Contractors. Next Review Date: January 2017 Approved and ratified by: EPRR Working Group Date of meeting: 12 January 2015 Date issued: Author: Sponsor: Stuart Brown Business Continuity Advisor Helen Ludford Interim Head of Quality Governance 1 Version Control Document Change Record Date Author Version Page Reason for Change T Pettis 1 Changes to reflect NHS Commissioning Board, NHS England and Public Health England structures following the abolition of Strategic Health Authorities and Primary Care Trusts T Pettis 1 NHS Commissioning Board BC related documents S Brown 1 Replacement of reference to BS with ISO International Business Continuity Standard S Brown Replacement of reference to BS with ISO International Business Continuity Standard T Pettis 1 Review and update of entire document and Business Impact Analysis L Sawyer 1 Integration with Trusts Climate Change Adaption Plan S Brown 2 Review of completed document and inclusion of BIA and BC Plan templates for EPRR WG on 21 Nov S Brown 2 Inclusion of amended Business Impact Analysis (BIA) Reviewers/contributors Name Position Version Reviewed & Date Sharon Gomez Essential Training Lead 1 04 Feb 2013 Fiona Richey Head of Risk and Business Continuity 1 12 Feb 2013 Ricky Somal Equality and Diversity Lead 1 17 Feb 2013 Alida Towns Interim Business Manager 1 18 Feb 2013 Helen McCormack Chief Medical Officer 1 27 Mar 2013 Tim Pettis BCR Manager SHFT 1 01 Apr 2013 David Griffiths EPM (UHS) (External Reviewer) 1 01 May 2013 Libby Beesley EPM DUFT (External Reviewer) 1 01 May 2013 Tim Pettis BCR Manager SHFT 1 24 May 2013 Stuart Brown BC Advisor 1 02 Dec 2013 Stuart Brown BC Advisor 1 31 Jan 2014 Tim Pettis BCRM SHFT 1 29 May 2014 Louise Sawyer Environmental Sustainability Manager 1 10 June 2014 Stuart Brown BC Advisor 2 17 Nov 2014 Stuart Brown BC Advisor 2 05 Jan CONTENTS Page 1. Introduction 4 2. Scope 5 3. Definitions: 3.1 Business Continuity Management 3.2 Business Impact Analysis 3.3 Emergency 3.4 Prioritised Activities 3.5 Maximum Tolerable Period of Disruption 3.6 Recovery Time Objective 4. Duties/responsibilities 4.1 Chief Executive and Board 4.2 Lead Director 4.3 Head of Risk and Business Continuity 4.4 Divisional and Service Managers 4.5 All Staff 5. Main policy content: 5.1 Business Continuity Lifecycle 5.2 Business Continuity Objectives 5.3 Business Impact Analysis 5.4 Risk Assessment 5.5 Recovery Plans 5.6 The Southern Health NHS Foundation Trust Business Continuity Plan 5.7 Incident Identification 5.8 Incident Declaration Normal working hours Out of Hours 5.9 Stand Down 5.10 Recovery and Debrief 5.11 Document Management 5.12 Exercising 6. Training requirements Monitoring compliance Policy review Associated documents Supporting references 16 Appendices A1 Policy Implementation Plan 17 A2 Business Impact Analysis Template 18 A3 Business Continuity Plan Template and Completion Guidance 38 A4 Business Continuity Plan Completion Guidance 49 A5 Training Needs Analysis (TNA) 56 A6 Equality Impact Assessment (EqIA) 58 3 1. Introduction 1.1 Business Continuity Management (BCM) is a legal requirement for all NHS, private and third sector organisations, which under NHS funded Provider status, provide care or services to patients. Business Continuity Management forms part of the Care Quality Commission s essential Standards of Quality and Safety, which all health providers must comply with as a condition of registration and the NHS Commissioning Board, Core Standards for Emergency Preparedness, Resilience and Response 2013 (EPRR). Business Continuity Management is an integral part of EPRR and this discipline sits within the EPRR Core standard Framework in both planning and assurance. Southern Health NHS Foundation Trust has services and facilities which cover a huge geographical area. The following hyperlink provides an interactive google map of the Trust s sites. 1.2 Statutory requirements under the Civil contingencies Act (2004) require all NHS Trusts to have in place Business Continuity Management arrangements that enable them to: Respond to incidents (major and other) and emergencies of any kind; Ensure the health, safety and well-being of its service users and staff; and Support partner agencies in extreme circumstances. 1.3 The Trust s Strategy for Organisational Resilience provides the strategic framework for Southern Health NHS Foundation Trust s (SHFT) Business Continuity arrangements and describes the SHFT Business Continuity Management programme that will ensure that the Trust s Prioritised Activities/Services are protected against potential disruption as a result of incidents, emergency situations, and climate change and ensures that its statutory obligations are met. 1.4 The SHFT Business Continuity Management programme described in this policy is based on the following standards: NHS Commissioning Board Core Standards for Emergency Preparedness, Resilience and Response 2013; and International Standards Organisation ISO: 22301: Business Continuity Management (BCM) is an integral and critical part of the incident response planning process and helps build organisational resilience within an organisation. Business Continuity Management is about identifying an organisation s Prioritised Activities/Services, the appropriate resources required to deliver them, and planning how to maintain and reinstate them as soon as reasonably practicable or possible should an incident occur that causes disruption. Business Continuity Management achieves this by assessing the risks to an organisation s ability to deliver its services, then considering how these risks can be eliminated or reduced, the contingency plans that can be put in place to ensure that those services identified as critical or essential are maintained regardless of the disruption, and how the other services can best be recovered when the disruption ceases. 1.6 The Climate Change Act 2008 also places a mandatory requirement on health care organisations to put in place Climate Change Adaption plans. Our climate is changing and a consequence we are seeing more frequent and severe weather events, such as droughts, heat waves, storms and extremes of cold and hot weather bringing increased disruption to our services and activities. The Business Continuity Management forms part of the Trust s Climate Change Adaption plans by building in 4 organisational resilience within the organisation to deal with severe weather events and other climate change impacts. 1.7 This policy requires ALL Services in ALL Divisions to develop Business Continuity Plans which detail how a service will perform its functions in the event of disruption by defining and prioritising it s Prioritised Activities/Services, detailing contingency arrangements during the disruption and, when the disruption has passed, how all services will be restored (recovered) by. Undertaking a Business Impact Analysis (BIA) to identify Prioritised Activities/Services; Identifying the risks to the delivery of Prioritised Activities/Services and the likely impact if they are affected; Planning how to mitigate against risk to Prioritised Activities and improve the resilience; and Developing a Recovery Plan that details the Minimum Tolerable Period of Disruption (MTPD) to Prioritised Activities, their Recovery Time Objectives (RTO), and the minimum and appropriate resources required delivering them and the order of priority to in which these and other services should be restored to normal. 1.8 Other NHS, private and third sector organisations that provide services to NHS patients on behalf of the Trust, or equipment and goods, which will be used in the treatment of the Trust s NHS patients, are required and must have their own business continuity and resilience arrangements in order to meet the legal and contractual obligations with this Trust. 2. Scope 2.1 This Policy applies to: All Southern Health NHS Foundation Trust (SHFT) services in all Divisions; and All SHFT managers responsible for contracting, commissioning or purchasing goods or services from external organisation(s), defined as NHS Funded Providers. These SHFT managers are responsible for ensuring that contracts and/or service level agreements with providers of goods and/or services include arrangements to ensure that there are robust business continuity arrangements are in place so that the service or product they provide can be maintained thus supporting the Trusts own identified Prioritised Activities. 3. Definitions 3.1 Business Continuity Management (BCM) Business Continuity Management is an all-inclusive management process that identifies potential impacts that threaten an organisation and provides a framework for building organisational resilience readiness and resilience and the capability for an effective response that safeguards the interests of its service users, staff, key stakeholders, Trust brand and reputation. 5 3.2 Business Impact Analysis (BIA) Business Impact Analysis is the process of analysing ALL business functions and the effect that a business disruption might have upon them. 3.3 Emergency For the purposes of this policy an emergency is defined as: An actual or impending situation that may cause injury, loss of life, destruction of property, detrimental environmental impact or cause the interference, loss or disruption of the organisation s normal business operations to such an extent that it poses a threat. 3.4 Prioritised Activities/Services Prioritised Activities/Services are those services, which are necessary for the preservation of life or to ensure the health, safety and welfare of patients and staff. 3.5 Maximum Tolerable Period of Disruption (MTPD) Maximum Tolerable Period of Disruption is the time duration after which an organisation s viability will be irrevocably threatened if product and service delivery cannot be resumed. 3.6 Recovery Time Objective (RTO) Recovery Time Objective is a target time set for the resumption of a product, service, activity or resource after an incident. 4. Duties/Responsibilities 4.1 Chief Executive and Board The Chief Executive and the Board have a legal duty set under the Civil Contingencies Act (2004) and within NHS England Emergency Preparedness, Resilience and Response (EPRR) Core Standards (2014) to ensure Southern Health NHS Foundation Trust (SHFT) is prepared to respond to a major incident or civil contingency event within the local and wider health community, to maintain the public s protection, and maximise NHS in its overall response. Trusts are ultimately accountable to the public and the Secretary of State for Health for ensuring that the organisation consistently follows the principles of good corporate governance and internal control. This ensures that a EPRR programme, of which Business Continuity Management (BCM) is an integral part is in place to ensure that, in the event of a loss or major disruption to core functions, the public continue to receive the best quality and range of services it is reasonably practicable to deliver, and that Prioritised Activities/Services are maintained. 4.2 Accountable Emergency Officer (AEO) for Emergency Planning, Resilience and Response The Accountable Emergency Officer (AEO) for Emergency Preparedness, Resilience and Response (EPRR) has delegated responsibility from the Board to ensure that the 6 requirements of this policy are met, that the Board are provided with reasonable assurance, and are kept informed of any significant concerns. The AEO is supported where appropriate by a non-executive director, or appropriate other board member, to endorse assurance to the board that the organisation is meeting its obligations with respect to EPRR and relevant statutory obligations under the Civil Contingencies Act This will include assurance that the organisation has allocated appropriate resources to meet these requirements, which includes the support of trained and competent emergency planning and business continuity professional staff member(s) as appropriate. 4.3 Head of Risk and Business Continuity The Head of Risk and Business Continuity is responsible for the development and implementation of the Trust s Business Continuity Management programme, advising on compliance with the Civil Contingencies Act and NHS England EPRR Core Standards. The Head of Risk and Business Continuity may delegate some or all of the above to the Business Continuity and Resilience Manager, the organisation s designated Emergency Planning Manager. The Head of Risk and Business Continuity and designated Emergency Planning Manager will also: Develop a Trust wide Incident Response Plan (IRP) from which the Business Continuity element will list the Trust s Prioritised Activities/Services; Provide specialist advice and guidance in respect of Business Continuity Management issues including the co-ordination, development, implementation and review of the business continuity policies, programme, plans and procedures; Interpret the requirements of the Civil Contingencies Act 2004, NHS England EPRR Core Standards and ISO Societal Security - Business Continuity Management System Requirements, and associated guidance to support the Trust s Divisions and service areas and to ensure that these requirements are met; Conduct risk assessments based on current and future threats identified through environmental scanning and intelligence gathering; Embed an EPRR/ Business Continuity culture through communication in concert with the offices of the AEO and the Trust s EPRR Working Group, and through the EPRR WG make the provision of awareness sessions, training and exercises to staff, according to their roles and needs; and Liaise with other NHS organisations and the wider area external agencies as required Audit compliance via the EPRR WG relating to local Emergency Response and Business Continuity Plans, facilitating tests and providing recommendations and other management feedback as appropriate. 4.4 Environmental Sustainability Manager: The Environmental Sustainability Manager is responsible for developing and implementing the Trust s Climate Change Adaption plans, including responsibility for advising the Head of Risk and Business Continuity of any climate change risks and impacts that may affect the Trust s organisational resilience in business continuity. 7 4.5 Divisional and Area/Service Managers: Divisional and Area/Service Managers are responsible for: Implementing and supporting the Business Continuity Management policy; Ensuring a Business Impact Analysis for their services is undertaken; Developing, maintaining and reviewing at least annually or when a new service is undertaken their Divisional Business Continuity Plans, including the BIA; Testing and exercising at least annually the Divisional/Area/Service Business Continuity Plans (see section 5.12); Ensuring sufficient training is given; Participating in exercises where appropriate; and Maintaining all relevant operational Business Continuity Plans as they are developed, ensuring that any significant service changes or risks are reflected in plans, and for understanding all the requirements and responsibilities as detailed in the plans. 4.6 Departmental Managers/Team Leaders Departmental Managers/Team Leaders are responsible for: Ensuring all their staff are familiar with their Divisional/Area/Service business continuity arrangements and Business Continuity Plans; Testing and exercising at least annually Divisional/Area/Service Business Continuity Plans (see section 5.12); Ensuring sufficient training is given; and Participating in exercises where appropriate. 4.7 All Staff: Staff will make themselves aware of their department s Business Continuity Plans, and will participate in training and exercises as required. 5 Main Policy Content 5.1 Business Continuity Lifecycle To align with the required standards, and best practice, the Southern Health NHS Foundation Trust (SHFT) Business Continuity Management (BCM) process will follow the five stages of the BCM lifecycle. Those actions required to deliver this process are captured within the Policy Implementation Plan at Appendix 1. The five stages are: Understanding the organisation; Determining BCM Strategy; Developing and implementing the BCM Response; Exercising, maintaining and reviewing; and Embedding BCM in the organisation. 5.2 Business Continuity Objectives In any situation, the primary Business Continuity objectives for the Trust will be to: 8 Comply with legal, regulatory and contractual obligations; Ensure effective and competent incident management; Ensure Prioritised Activities/Services have been identified, are protected, and their continuity made certain; Ensure staff are trained to respond effectively to an incident or disruption through appropriate exercising; Understand the requirements of key stakeholders and maintain communication with them; Maintain the safety and well-being of service users, staff and estates; Deliver an enhanced level of service to meet the extraordinary demands of an evolving scenario; Ensure the supply chain is secured; and Contribute to whole System/Wide Area Resilience. 5.3 Business Impact Analysis ALL Trust services in ALL Divisions will undertake a Business Impact Analysis (BIA) using the SHFT Business Impact Analysis template (See Appendix 2). Support and training in the use of the template will be provided by the Business Continuity and Resilience Manager. The Business Impact Analysis element of the Business Continuity Management process will analyse the functions/activities of the service and/or Division on the basis of not performing that function. The Business Impact Analysis (BIA) enables a qualitative assessment of risk (likelihood x impact) to services/business functions to identify which elements or functions of their service are Priority Activities (critical). These are categorised using the Impact Matrix at Page 5 within the BIA. Only those identified as RED, AMBER and YELLOW will be captured within the BIA, as these could have a wider impact on the Trust and may require the support by the Trust and the Trust On-Call Director, whilst those GREEN and LIGHT GREEN can be supported internally be each Service and their On-Call Senior Manager. This categorisation system will enable the Division/Area/Service to identify all Prioritised Activities and provides the Decision Maker, the Trusts Incident Gold Commander to determine from a Trust wide perspective those services which need to be Enhanced, Reduced or Suspended. The number and complexity of Prioritised Activities/Services identified will determine the subsequent level of support needed to be provided to Division/Area/Service during an incident. The necessary supporting resources for the delivery of the services will also be analysed and identified, and during an incident via a dynamic process. All services in all Divisions will review their BIA on an annual basis, on undertaking a new service or service provider, post exercise and post incident. 5.4 Risk Assessment All Trust services in all Divisions will undertake a Risk Assessment within the Trust s Business Impact Analysis template and g
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks