Post on 10-Jul-2020
Reference No. P29:2006
Implementation date 30 April 2007
Version Number 2.5
Linked documents
Reference No: Name.
Emergency Preparedness (Chapter 6), Guidance on Part 1 of the Civil Contingencies Act 2004, its associated Regulations and non-statutory arrangements (HMG 2005),
International Requirements Standard BS ISO 22301:2012
P27:2005 Risk Management Policy
Suitable for Publication Policy Section Yes Procedure Section Yes
Protective Marking Not Protectively Marked
PRINTED VERSIONS SHOULD NOT BE RELIED UPON. THE MOST UP TO DATE VERSION CAN BE FOUND ON THE FORCE INTRANET POLICIES SITE.
Business Continuity Management
Policy and Procedure
Not Protectively Marked
Business Continuity Management Policy and Procedure P29:2006 v2.5
Table of Contents
1 Policy Section
1.1 Statement of Intent – Aim and Rationale
1.2 Our Visions and Values
1.3 People, Confidence and Equality
2 Standards
2.1 Legal Basis
2.2 People, Confidence and Equality Impact Assessment
2.3 Any Other Standards
2.4 Monitoring / Feedback
3 Procedure Section
3.1 Roles and Responsibilities
3.2 Critical Functions/Activity and Business Impact Analysis
3.3 Business Continuity Plans (BCPs)
3.4 Training, Writing, Testing and Maintenance of BCPs
3.5 Locations for keeping BCPs
3.6 Emergencies and Disruptions
3.7 Recovery
3.8 General Issues
4 Consultation and Authorisation
4.1 Consultation
4.2 Authorisation of this version
5 Version Control
5.1 Review
5.2 Version History
5.3 Related Forms
5.4 Document History
Dorset Police - Business Continuity Management Template
Section 2 - Invocation
Section 3 – Activity Summary
Section 4 - Resources required for each activity with Risk Category 3, 4 or 5
Section 5 - Further Actions
Section 6 – Recovery Plan for all activities identified
Appendix 1 - Key Contacts
Appendix 2 – Incident Log
1 Policy Section
1.1 Statement of Intent – Aim and Rationale
Dorset Police has a statutory duty to deliver effective and efficient policing. Failure to deliver any of these functions could have a catastrophic effect on the communities of Dorset.
Business Continuity Management (BCM) will ensure continued provision of the force’s core functions and enhance its ability to withstand any form of disruption.
The potential for disruption to these core functions has been identified by Government and is addressed in the Civil Contingencies Act (2004) (Part 1, Para 2(1)(C)). The Act requires Category 1 Responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency, so far as is reasonably practical.
BCM supports emergency planning and is underpinned by the Force Risk Management policy, providing the framework within which the Force can comply with the Civil Contingencies Act.
Aims
The Business Continuity Management (BCM) policy aims to:
• Ensure that critical functions are maintained or reinstated on a risk based approach, as soon as reasonably possible, to meet the force strategic objectives while full restoration of service delivery is planned and implemented.
• Set out the roles and responsibilities for implementing and maintaining a BCM system that is compliant with the Civil Contingencies Act and is ‘fit for purpose’
• Promote and maintain an awareness of BCM within the force
The implementation and maintenance of the BCM system will be based on the following guidelines and standards:
• HM Government Emergency Preparedness Manual (Chapter 6)
• International Requirements Standard BS ISO 22301:2012
1.2 Our Visions and Values
Dorset Police is committed to the principles of “One Team, One Vision – A Safer Dorset for You”. Our strategic priority is to achieve two clear objectives:
To make Dorset safer
To make Dorset feel safer
In doing this we will act in accordance with our values of:
Integrity
Professionalism
Fairness and
Respect
1.3 People, Confidence and Equality
This document seeks to achieve the priority to make Dorset feel safer by securing trust and confidence. Research identifies that this is achieved through delivering services which:
1. Address individual needs and expectations
2. Improve perceptions of order and community cohesion
3. Focus on community priorities
4. Demonstrate professionalism
5. Express Force values
6. Instil confidence in staff
This document also recognises that some people will be part of many communities defined by different characteristics. It is probable that all people share common needs and expectations whilst at the same time everyone is different. Comprehensive consultation and surveying has identified a common need and expectation for communities in Dorset to be:
- Listened to
- Kept informed
- Protected, and
- Supported.
2 Standards
2.1 Legal Basis
The Civil Contingencies Act 2004 (CCA) requires the Police Service, (as a Category 1 responder) to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions.
2.2 People, Confidence and Equality Impact Assessment
During the creation of this document, this business area is subject to an assessment process entitled “People, Confidence and Equality Impact Assessment (EIA)”. Its aim is to establish the impact of the business area on all people and to also ensure that it complies with the requirements imposed by a range of legislation.
2.3 Any Other Standards
The Business Continuity Management International Requirements Standard (BS ISO 22301:2012)
BS ISO 22301:2012 is a standard that specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). It establishes the process, principles and terminology of BCM, providing a basis for understanding, developing and implementing business continuity within an organisation and providing confidence in business-to-business and business-to-supplier dealings.
BCM is defined in BS ISO 22301:2012 as 'a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.’
2.4 Monitoring / Feedback
The Business Continuity Programme Board and the Business Continuity Co-ordinator have specific roles in monitoring this process, the details of which can be found below in section 3.1 of this document.
The role of BC Co-ordinator is held by a Planning Officer in the Operational and Contingency Planning Section (OCPS). The monitoring will be ongoing.
Feedback relating to this policy can be made in writing or by e-mail to:
OCPS, Poole Police Station
E-mail: ocps@dorset.pnn.police.uk
Telephone: 01202 223153
3 Procedure Section
3.1 Roles and Responsibilities
3.1.1 The Police and Crime Commissioner (PCC) and Chief Constable
The PCC and Chief Constable are accountable to the public and central government for ensuring that the Force consistently follows the principles of good corporate governance and internal control. They will ensure that a BCM framework is in place to ensure the public receive an efficient and effective policing service in the event of an emergency.
3.1.2 Assistant Chief Constable (Operations)
ACC (Ops) is responsible to the Chief Constable for the BCM programme.
3.1.3 Business Continuity Co-ordinator (OCPS)
The Business Continuity Co-ordinator (OCPS) is responsible for the development and implementation of the BCM programme, compliance with the Civil Contingencies Act and ensuring that Emergency Planning and Information Systems resilience are co-ordinated in conjunction with the BCM strategy. OCPS will also:
Provide specialist advice and guidance in respect of BCM issues including the co-ordination, development, implementation and review of business continuity policies, plans and procedures. The Sharepoint BC site will provide a focal point.
Interpret the requirements of the Civil Contingencies Act 2004 (CCA) and associated guidance to support business areas and to ensure that these are met.
Conduct risk assessments based on current and future threats identified through environmental scanning.
Review and develop the template to enable production of the individual plans to a consistent format and structure.
Encourage a Business Continuity culture through marketing and the provision of awareness sessions and training to appropriate staff.
Liaise with other police forces and external agencies as appropriate in respect of the CCA and in particular with regard to its overall effect on Business Continuity.
Audit compliance with business continuity plans, facilitating tests and providing recommendations and other management feedback as appropriate.
3.1.4 Operations Board
The Operations Board is responsible for setting and monitoring the strategic direction and management of the BCM implementation. The board is chaired by the ACC (Ops).
3.1.5 Commanders, Department Managers and Team Leaders
BC plans should be owned by a Supt (or above) (or police staff equivalent). It is the plan owner’s responsibility to embed Business Continuity Plans (BCPs) into the workplace and ensure exercises are undertaken to develop understanding of the plan and ensure it is fit for purpose.
Commanders, department managers and team leaders are responsible for implementing and supporting the BCM policy, developing and maintaining their own BCPs, ensuring sufficient training is given and running exercises where appropriate.
3.1.6 Police Officers, Police Staff, Extended Police Family, Volunteers and Contractors
Police officers, police staff, extended police family, volunteers and contractors are required to maintain all relevant operational business continuity plans as developed ensuring that change management is reflected in the “living documents” and understand all requirements and responsibilities as detailed in the plans.
3.2 Critical Functions/Activity and Business Impact Analysis
3.2.1 Critical functions/activities defined by National Police Chiefs Council (NPCC) are:
Call Handling
Command and Control
Response Policing
Community Policing
Crime investigation
Major Incident Response
Public Order
Custody
Security and Protection
Health Safety and Welfare of Staff (including training)
Criminal Case Progression and Management
Communications (internal and external) and Media Handling
3.2.2 What are Dorset Police’s Critical Activities?
Dorset Police will adopt those functions/activities as defined by NPCC (see above)
BS ISO 22301:2012 defines Critical Activity as: “those activities whose loss, as identified during the Business Impact Assessment, would have the greatest impact in the shortest time and which need to be recovered most rapidly may be termed ‘critical activities’”. Whether an activity is “critical” will be established by conducting a Business Impact Assessment (BIA).
3.2.3 Business Impact Assessment (BIA) and Business Continuity Plan (BCP)
All areas of police business will conduct a Business Impact Assessment (BIA) and subsequently develop a Business Continuity Plan (BCP). This is achieved by each Command Area/Department:
Identifying all its activities.
Categorising these activities in terms of criticality
Developing and maintaining plans for the purposes of ensuring, so far as reasonably practicable, that the Force is able to continue to exercise its functions in the event of an emergency or disruption.
3.3 Business Continuity Plans (BCPs)
3.3.1 “Peel” Template1
In order to conduct a BIA and develop a BCP, the “Peel” template found at Appendix A will be used. Correct completion of this template amounts to a BIA and forms the basis of a BCP. The Peel template includes a standardised process by which each activity’s criticality can be measured. Furthermore, this template is designed to facilitate an ongoing programme of review, development and recording of exercises. It enables compliance with current good practice, guidance and legislation.
3.3.2 Generic and Specific Plans
A generic plan is a core plan which provides a response to a wide range of possible scenarios and disruptions. These generic plans can form part of specific plans for dealing with particular risks, sites or services.
3.4 Training, Writing, Testing and Maintenance of BCPs
3.4.1 Maintenance
The Force Operational and Contingency Planning Section (OCPS) is responsible for the policy, guidance and the Force BCP template and will review and update it on an annual basis. Command areas and departments are responsible for the writing, training and exercising of their own plans and any changes to these plans must be notified to the OCPS. Distribution of the completed plans will be by intranet only and classified as restricted.
3.4.2 Exercising and Maintaining of Department Plans
All plans will be exercised annually followed by a de-brief. (Real incidents amount to an exercise and may obviate the need to conduct an exercise). OCPS will be informed prior to any planned exercise in order to assist and monitor where necessary. All learning points raised during debriefs relevant to other departments will be published on SharePoint and it is the manager’s responsibility to update their plans if the learning points are relevant to their department. All plans will be reviewed annually by the plan owner unless due to their role it is required to be reviewed six monthly.
1 Template based upon that devised by George Cooper of Northamptonshire Police / Vista Training.
3.4.3 Debriefing
After any plan invocation, whether local or Force level, a debrief will be held. The manager responsible for the invocation will be responsible for arranging a debrief. A ‘hot debrief’ may occur during the invocation and will occur immediately after normality has returned. A formal structured debrief will be held where the invocation has Force wide / national implications.
3.5 Locations for keeping BCPs
3.5.1 Storage
Plans will be kept in the following locations:
Hardcopy:
Appropriate locally arranged sites, available to those who will need access (individual plans only)
Force Command Centre
Electronically:
SharePoint BC site
W-drive under the folder “BusinessContinuityPlans” (W:\BusinessContinuityPlans)
Local Police station drives, (precise addresses advised by IS)
3.6 Emergencies and Disruptions
3.6.1 Invocation
Invocation will proceed in accordance with the flow chart found within the Peel Template (Appendix A).
3.6.2 Initial Response Phase
If there is a significant risk to the continuance of critical and essential police functions, the Gold, Silver and Bronze command structure will be invoked.
Gold should consider assigning a Silver commander dedicated to Business Continuity. This would be in addition to the Silver commander dealing with the incident giving rise to the disruption.
Gold should also consider invocation of the Business Continuity Team (BCT), reporting to the dedicated BC Silver.
3.6.3 Business Continuity Team (BCT)
The BCT will comprise representatives of each affected department who are familiar with the daily functions of the respective area of business. This would ideally be a supervisor in the team and the BCP writer or manager. Using their BCPs, members of the BCT will be able to quickly identify the critical activities affected by the emergency or disruption and the contingencies in place.
3.6.4 The BCT’s overall responsibilities are:
Evaluating the extent of the situation and the potential consequences.
Providing the Force with reports of the scale / impact on normal service of the incident.
Logging the decisions made.
Authorising recovery procedures in order to maintain its strategic critical functions.
Liaising with users and stakeholders.
Disseminating information through the media.
Ordering and acquiring new or replacement equipment.
Maintaining financial information i.e. costs incurred.
Organising the return to normality (or new normality) after the incident response phase has concluded.
3.6.5 Command and Control
The invocation of a BCP is likely to run in tandem with a major incident. The Incident Commander and the Business Continuity Manager must agree their respective roles and responsibilities. These will depend upon the nature of the incident. The agreed responsibilities should be appropriately communicated to the force, (e.g. Intranet) to ensure all staff are aware of the individuals involved in the various processes.
3.6.6 Recording of Information/Decision Logs
For the purposes of debrief, inquiry or legal proceedings all teams should ensure:
Their decision/actions are recorded / logged.
Where mobile phones are used and not recorded, the content of the conversations should be recorded where possible, or alternative means of communication should be used, i.e. Airwave point to point.
The completed forms and any original documentation should be kept securely.
3.7 Recovery
3.7.1 Recovery
It is important in the planning stage and during the invocation process to identify the implications for the departments, following the rectification of the problem that led to the invocation of the plan. Part of this will include –
Identifying that all the department’s systems are fully functioning again
Communicating the restoration to stakeholders / agencies
Identifying the potential for corrupted data in the department’s processes as a result of the incident and the process for overcoming this
Inputting the backlog of information that has been recorded on paper during any outage.
Identifying the financial implications on the department(s)
Taking part in relevant debriefing processes to identify any learning points and update the plans
3.8 General Issues
3.8.1 Finance
Auditable records of all additional expenses incurred during the incident or recovery phase will be kept.
3.8.2 Welfare, Health and Safety, Crisis Care Management, Staff Associations
Managers should carefully monitor staff for signs of stress and arrange periods of rest and counselling if necessary. An incident of this magnitude is likely to put increased demands on staff involved or who are asked to work long hours in difficult conditions with the resulting disruption to their personal routines. Similarly regard must be had for the working hours of commanders, whose decision making capability cannot be seen to be compromised by fatigue. Close liaison must be maintained with the force Welfare Support Dept concerning the additional psychological support that may be required by those involved. Staff associations and UNISON should be kept informed.
3.8.3 Health and Safety
Care should be taken to manage any additional risks created by staff performing roles they do not normally do during the incident or its aftermath.
3.8.4 Special Constabulary
Departments who have special constabulary officers who are also police staff are requested to release them where possible to support the force in the critical functions unless they are already performing such a role.
4 Consultation and Authorisation
4.1 Consultation
Version No: Name Signature Date
Police & Crime Commissioner
Police Federation
Superintendents Association
UNISON
Other Relevant Partners (if applicable)
4.2 Authorisation of this version
Version No: 2.5 Name Signature Date
Prepared: T Taylor-Habgood (8880) 14/04/16
Quality assured:
Authorised: ACC Lewis 18/4/16
Approved:
5 Version Control
5.1 Review
Date of next scheduled review Date: 17 May 2017
5.2 Version History
Version | Date | Reason for Change | Created / Amended by
1.0 | | Initial Document | Mr G Brazier
2.0 | 1/6/11 | Review of policy and implementation of new template | Sgt 713 R Niemier
2.1 | 16/9/13 | Interim Review. Review and update of policy due to change in standard from BS 25999 to BS ISO 22301:2012 | T Taylor-Habgood (8880)
2.2 | 17/03/14 | Review of policy and minor template change within Invocation of Plan including new diagram | T Taylor-Habgood (8880)
2.3 | 04/03/15 | Review of policy. No changes required. | T Taylor-Habgood (8880)
2.4 | 09/03/15 | The policy has been reviewed in preparation for NICHE (RMS) implementation (April 2015) no changes necessary | Policy Co-ordinator (6362)
2.5 | 14/04/16 | Review of Policy. Changed ACPO reference to NPCC | T Taylor-Habgood (8880)
5.3 Related Forms
Force Ref. No. | Title / Name | Version No. | Review Date
5.4 Document History
Present Portfolio Holder ACC Lewis
Present Document Owner Tanya Taylor-Habgood 8880
Present Owning Department OCPS
Details only required for version 1.0 and any major amendment ie 2.0 or 3.0:
Name of Board: Operational Commanders Board
Date Approved: 18.11.11
Chief Officer Approving: ACC Glanville chair of Operations Board
Template version January 2013
Dorset Police - Business Continuity Management Template
Critical Functions
1. Call Handling
2. Command & Control
3. Response Policing
4. Community Policing
5. Criminal Investigation
6. Major Incident Response
7. Public Order
8. Custody
9. Security & Protection
10. Health, Safety & Welfare of Staff
11. Criminal Case Progression & Mgmt
12. Communication & Media Handling
Plan details
Area
Department
Plan Owner
Plan Manager
Plan Writer
Version No.
Version Date
Plan review details
Date of next review
Version Control
Version Date Author Reason for change
The document signatory is responsible for informing all staff of its content, exercising this plan to confirm that it is still fit for purpose and maintaining it in relation to contact details. Records of where business continuity has been embedded into the department will be required during an audit process including minutes of meetings and the risk management process. It is expected the plan will be discussed at management meetings on a regular basis. The BC co-ordinator shall be informed of any invocation and lessons identified, planned exercises and any BC risks that may become organisational issues. OCPS reserves the right to exercise the plan without warning.
Signature
Plan Owner
Date
Based on Template designed by George Cooper of VistaTraining
Contents
Section 1 Introduction
Section 2 Invocation Procedure and Risk Assessment Criteria
Section 3 Activity Summary (including any contingency arrangements)
Section 4 Resource Summary
Section 4.1 People
Section 4.2 Equipment / Facilities
Section 4.3 Documentation
Section 4.4 Suppliers
Section 5 Further Action
Section 6 Recovery Plan
Appendix 1 Contact Details
Appendix 2 Example Incident Log
Section 1 - Introduction
Department role
Please provide a brief description of what the department does:
Staff resources day to day
Police Officers | Police Staff
Chief Inspector & above | Managers
Inspector | Staff
Sergeant | PCSO
Constable |
Department core hours
24 hour | Mon-Fri 0830-1700 | Other
If other, please give details
Section 2 - Invocation
Invocation of plan
The plan will be implemented in accordance with the Force Overarching Business Continuity Guide.
The level of invocation will be determined by assessing the potential impact of the incident using the criteria defined in the Risk Assessment as described in the following diagram.
Who is responsible for invoking the plan, and who should be consulted?
Where the expected impact of the disruption is likely to fall into category 1 or 2, invocation of the plan and management of the incident will be the responsibility of **(insert title of senior departmental manager)** or in their absence **(insert title of deputy manager)**. If no departmental manager is available the Force Incident Commander (FIC) will be informed.
If the expected impact is likely to fall into category 3, the FIC will be informed and will be responsible for the invocation of the plan and management of the incident, referring upwards and / or invoking a separate command structure as appropriate.
What procedure is required to invoke the plan?
Once the plan is invoked the staff that work in the area affected will be contacted, if not already aware, and asked to either remain on standby and be contactable by mobile phone or other means, or to report to an identified place.
The managers of the department will have the current contact details of the staff with them as point of reference in case of IT failure.
The manager of the department should also ensure that, where appropriate, any key stakeholders, as listed in section 3, are informed of the incident in order to minimise any impact on them.
Risk Assessment
Category | Potential or real impact assessment | Consequence of Non Delivery

Category: Insignificant (1)
Potential or real impact assessment:
• No impact on the performance of any department
• Minor internal disruption to the department
• No specialist personnel issues
• Activity recovered within 30 days
Consequence of Non Delivery: Insignificant

Category: Useful (2)
Potential or real impact assessment:
• No impact on the organisation’s service delivery
• Minor impact on the performance of the department
• Minor specialist personnel issues, but easily resolved
• Activity to be recovered within 14 days
• Potential for complaints from individuals
Consequence of Non Delivery: Minor

Category: Significant (3)
Potential or real impact assessment:
• Potential limited impact on the organisation’s service delivery
• Internal performance disruption on one or more departments; departments may require assistance from one another
• Activity must be fully recovered within 2-3 days
• Potential financial loss in excess of £50,000
• Potential for adverse local publicity of an ongoing nature or affecting local opinion
• Potential for significant injuries or ill health
Consequence of Non Delivery: Moderate

Category: Essential (4)
Potential or real impact assessment:
• Significant impact on the organisation’s service delivery in one or more areas
• Significant impact on the performance of several departments
• Activity would require in force mutual aid assistance
• Full recovery must occur within 12 hours
• Potential loss of up to £2 million
• Potential for adverse national publicity or local publicity of a persistent nature affecting the local community
• Potential for fatality or serious injury to an individual
• Potential for major claims which would be outside the insurance cover
Consequence of Non Delivery: Significant

Category: Critical (5)
Potential or real impact assessment:
• Major impact on the organisation’s service delivery in one or more areas
• Inability to effectively integrate with other key stakeholders
• Inability to meet critical service level demands
• Activity would rely on external mutual aid
• Major specialist personnel issues – no resources/no resilience
• Recovery must occur within 1 hour
• Potential loss in excess of £2 million
• Will attract adverse national publicity or local publicity of a persistent nature affecting the local community
• Potential for fatality of one or more or serious injury to several people
• Potential for major claims which would be outside the insurance cover
Consequence of Non Delivery: Catastrophic
Location Codes
A copy of the most recent Property List and Location Codes as maintained by Dorset Police Estates and Building Services can be found on the Business Continuity Management SharePoint site under Documents. A hard copy of this list should be printed and retained with BCP at each BCP review.
Section 3 – Activity Summary
Activity No | Risk Category¹ | Activity² | Critical functions it supports³ | RTO⁴ | Does the activity depend on, or influence the activities of other departments within the force or external agencies? If YES, list the departments⁵ | Contingency Arrangements⁶ (To cover people, facilities, systems, suppliers, or any other arrangements)
1
2
3
4
5
6
7
8
9
10
11
12
1 all activities should be risk assessed using the criteria in Section
2 list activities with highest scorings first in descending order
3 Any activity directly supporting a critical function should be scored 5
4 Recovery Time Objectives (RTO) should indicate the priority/timescale to restore a process to minimum service levels (for category 3, 4 or 5 activities only – the remainder can be left blank).
5 the Risk Assessment should take into consideration the effect on any interlinked departments or outside agencies
6 contingency arrangements should include any actions that can be implemented locally - i.e. relocation to other premises, transfer of work to other department, manual workarounds - whether agreed or identified as the potential for good practice.
Section 4 - Resources required for each activity with Risk Category 3, 4 or 5
4.1 People
Activity No | Minimum number of staff required to start/maintain activity and rank if necessary (Police Officers / Police Staff) | Specialist skills/training required by staff | Can staff from outside the department support this activity and if yes, where from (Dept / Organisation) | SPOF 1
1 are any of these people regarded as a Single Point of Failure (SPOF)
4.2 Equipment
Activity No | Location Code(s) 2 | Standard Equipment 3 | Specialist Equipment 4 | IT Software 5 | Vehicles required 6 | SPOF 1
1 is any of this equipment regarded as a Single Point of Failure (SPOF)
2 location codes are listed in Section 2
3 identify number of workstations, phones, faxes, desktop or laptop computers, printers and any other standard IT hardware required
4 identify any specialist equipment required i.e. scanner, A3 printer etc
5 identify any software required over and above Generic Force Systems (Microsoft Word and Excel, e-mail, Forcenet, H drive and W drive)
6 identify liveried or unmarked and any specialist vehicle required
4.3 Activity Documentation
Activity No | Essential Documents/Records 2 | Where are these stored? 3 | How are they accessed? | SPOF 1
1 is any of this documentation regarded as a Single Point of Failure (SPOF)
2 technical manuals, emergency plans etc
3 identify locations of physical documentation/records and locations on Force IT systems
4.4 Supplier Details
Activity No | Supplier | Services Provided | Essential Supplier Documents/Records 2 | Where are these stored? 3 | SPOF 1
1 are any of these suppliers regarded as Single Points of Failure (SPOF)
2 technical manuals, emergency plans, maintenance contracts etc
3 identify locations of physical documentation/records and locations on Force IT systems
Section 5 - Further Actions
Actions arising as a result of any of the above
Activity No | Action | Owner | Timescale
Have any Single Points of Failure (SPOF) been identified?
Activity No | What is the nature of the SPOF? | Logged on Departmental Risk Register? | Logged on Force Risk Register? | Date to be reviewed?
Exercises
List any exercising of the plan with appropriate debrief information. This information should also be added to the Testing & Exercising page which can be found on the Business Continuity Management site on SharePoint.
Date | Exercise Description | Debrief Information
Any other information that will assist in the implementation of this plan
Section 6 – Recovery Plan for all activities identified
Identify and develop a plan for dealing with any additional work that may be required once the cause of the invocation of the plan has been rectified in order to minimise any adverse effect on the restoration of day-to-day operations.
Areas for consideration might include:
Inputting paper based information created as a result of the loss of I.T.
Testing of systems to ensure that they are functioning normally
Verifying information held on systems to identify any lost or corrupted data.
Correction of any errors discovered
Prioritised clearance of any backlogs of work that was suspended during the incident
Notification of dependent departments, external agencies, suppliers etc.
Appendix 1 - Key Contacts
Single Point of Contact
These details are required in case of Forcewide IT failure and must be staffed during the normal working hours of the department.
Extension No. or full mobile phone number and mobex | Fax No. | Department Airwave No. (if applicable)
Key Departmental Contacts
Name | Title | Telephone No. / Extension | Mobile | Mobex | Airwave
Other Key Contacts
This should include any stakeholders, dependent departments or suppliers identified in Section 3.
Name | Stakeholder / Supplier | Telephone No. | Mobile | Mobex | Airwave
Appendix 2 – Incident Log
Department: Date:
Item No | Time | Details of Issue | Action Taken / Decision Made | Signature