BUSINESS CONTINUITY MANAGEMENT POLICY · Document Title Business Continuity Management Policy...

Document Title: Business Continuity Management Policy Issue date: Dec 2013 Document Status: Ratified Review date: Dec 2016 File Location: S:/Lambeth Share/Lam/CCG/Governance and Development/Governance/Policy/ Version No: 1.0

This document is uncontrolled once printed.

Please check on the CCG’s Intranet site for the most up to date version

BUSINESS

CONTINUITY

MANAGEMENT

POLICY


DOCUMENT CONTROL

Type of Document Policy

Document Title Business Continuity Management Policy

Description:

This policy and the supporting Business Continuity Management Plan are required to provide the Governing Body with reasonable assurance that the

LCCG is meeting its obligations with regard to business continuity.

Location: File Location: S:/Lambeth Share/Lam/CCG/Governance and

Development/Governance/Policy/

Published version

no. 1.0

Publication date December 2013

Review date December 2016

Author name, job

title and contact

details

Marion Shipman

Assistant Director Governance and Quality

[email protected]

020 3049 4467

Consultation Body /

Persons Andrew Parker / Geraldine Hennighan

Consultation date November – December 2013

Approval Body Integrated Governance Committee

Approval date December 2013

Ratification date

(IGC) 18 December 2013

Readership /

Audience: All staff working for, and on behalf of the CCG

Information

Governance Class

(Restricted or

unrestricted)

Unrestricted

Governance and NHS Lambeth CCG

This document supersedes all pre-existing Business Continuity Management policies and protocols.

This Policy applies to all staff of NHS Lambeth Clinical Commissioning Group.

Details of the Equality & Equity Impact Assessment Checklist can be found in Appendix 3.

mailto:[email protected]


Version / Change History

Version Date Author Approving Committee / Group

Reason

0.1 3/12/13 Marion Shipman Initial draft version for consultation

1.0 6/12/2013 Marion Shipman Integrated Governance Committee

New policy

Consultation History

Consultation Body /

Persons Area of expertise Date sent Date returned Comments / Changes made

Andrew Parker, Director of

Governance and

Development

EPRR lead for LCCG 3/12/13 6/12/2013 Minor amendments – policy is in line with NHSE requirements and

similar CCG Business Continuity Management policies.


CONTENTS

1. Introduction ................................................................................................................................................... 6

1.1 Introduction................................................................................................................................................ 6

1.2 Policy Statement....................................................................................................................................... 6

2. Scope of Document ..................................................................................................................................... 6

3. Equality and Human Rights Statement ..................................................................................................... 7

4. Roles and Responsibilities ......................................................................................................................... 7

4.1 CCG Governing Body .............................................................................................................................. 8

4.2 Chief Officer .............................................................................................................................................. 8

4.3 Directors and Assistant Directors .......................................................................................................... 8

4.4 Commissioning / Contracting Managers ............................................................................................... 8

4.5 All staff ....................................................................................................................................................... 8

4.6 Governance Team ................................................................................................................................... 8

5. Governance Arrangements ........................................................................................................................ 8

5.1 Business Continuity Management ......................................................................................................... 8

5.2 Updating .................................................................................................................................................... 9

6. The Business Continuity Management Plan ............................................................................................ 9

7. Definitions ..................................................................................................................................................... 9

7.1 Business Continuity ................................................................................................................................. 9

7.2 Business Continuity Management System ........................................................................................... 9

7.3 Business Impact Analysis (BIA) ............................................................................................................. 9

7.4 Prioritised Activities ................................................................................................................................ 10

7.5 Products and Services ........................................................................................................................... 10

7.6 Maximum Tolerable Period of Disruption (MTPOD) ......................................................................... 10

7.7 Minimum Business Continuity Objective (MBCO) ............................................................................. 10

7.8 Recovery Time Objective (RTO) .......................................................................................................... 10

7.9 Incident Identification ............................................................................................................................. 10

7.10 All other terms and definitions ............................................................................................................ 11


8. Policy Audit and Monitoring Compliance ................................................................................................ 11

8.1 Policy Review .......................................................................................................................................... 11

8.2 Policy Monitoring and Audit .................................................................................................................. 12

9. Statement of evidence / references ........................................................................................................ 13

10. Implementation and dissemination of document .............................................................................. 13

11. Associated Documents ........................................................................................................................ 14

12. Appendices ............................................................................................................................................ 14

Appendix 1 NHS Core Standards .................................................................................................................... 15

Appendix 2 The Plan-Do-Check-Act (PDCA) Model .................................................................................... 17

Appendix 3 Equality & Equity Impact Assessment Checklist ...................................................................... 18

Page 6


1. INTRODUCTION

1.1 INTRODUCTION

As Category 2 responders under the Civil Contingencies Act 2004, Clinical Commissioning

Groups (CCGs) are required to have a business continuity plan in place to manage the effects

of any incident that might disrupt its normal business.

Following the reorganisation of the NHS under the Health and Social Care Act 2012, all current

BCPs will need to be reviewed to take into account the changes and a re-evaluation of the

criticality of functions and dependencies undertaken. An interim BCP was agreed for the CCG

from 1 April 2013 and the following policy drafted after completion of a Business Impact

Analysis.

For CCGs duties as a Category 2 responder please refer to:

http://www.england.nhs.uk/ourwork/gov/eprr/

1.2 POLICY STATEMENT

The purpose of Lambeth Clinical Commissioning Group (LCCG) is to commission health

services to improve the health of the citizens of Lambeth. It is the Policy of the LCCG to ensure,

so far as is reasonably practicable, that the activities and assets of the LCCG which contribute

to the achievement of that purpose are protected against potential threats, by the

implementation of an effective programme of Business Continuity Management (BCM).

This policy and the supporting Business Continuity Management Plan are required to provide

the Governing Body with reasonable assurance that the LCCG is meeting its obligations with

regard to business continuity.

2. SCOPE OF DOCUMENT

This Policy applies to all LCCG directorates and staff and covers the activities and functions

carried out by NHS Lambeth Clinical Commissioning Group (CCG) including:

Strategic Finance

Corporate Functions including Governance and provider quality monitoring

Medicines Management

Membership Services

Engagement and support services

Strategic commissioning, service redesign work and procurement

Community and Mental Health Commissioning and contract monitoring

http://www.england.nhs.uk/ourwork/gov/eprr/

Page 7


Primary Care Local Enhanced Service Commissioning and contract monitoring

All CCG activities undertaken at 1 Lower Marsh, Lambeth, London SE1 7NT.

This plan does not include the services commissioned or contracted by NHS Lambeth CCG

including but not limited to:

South London Commissioning Support Unit: HR functions; Information and

Communications Technology; Information Governance; Patient PALS and Complaints;

Acute contract monitoring; Out of Hours emergency communications function.

Provider services: Contracted and commissioned services which provide services to

NHS patients on behalf of the LCCG must have their own business continuity

arrangements, which will be set out in contracts

If the Lambeth Business Continuity Plan (BCP) is activated as part of a declared major incident

NHS England London regional team will be strategically and tactically responsible for the

management of the incident and the Lambeth BCP will be activated (as necessary) as part of

the recovery process.

3. EQUALITY AND HUMAN RIGHTS STATEMENT

Promoting equality, eliminating unfairness and unlawful discrimination, and treating colleagues,

partners and the public with dignity and respect, are fundamental to successful performance by

all staff in the CCG, including the Governing Body, who are all expected to actively promote

equality and human rights and challenge racism, homophobia and other forms of discrimination

through their activities, and support others to do the same.

All staff are expected to work with others on effective approaches to ensure strategies, policies

and activities promote and demonstrate equality and human rights.

Equality Impact Assessment and Equality Analysis are to be used as part of developing and

monitoring proposals and projects for their impact on equality and equity.

All staff of Lambeth CCG, including the Governing Body are required to abide by all equality and

human rights legislation and good practice, and will receive appropriate training and support to

do so.

4. ROLES AND RESPONSIBILITIES

Page 8


The authority and responsibility for the establishment, maintenance, support and evaluation of

the BCM policy and strategy is vested in the LCCG Governing Body.

4.1 CCG GOVERNING BODY

The LCCG Governing Body delegates the responsibility for the approval of the BCM policy and

plan and overall implementation to the Integrated Governance Committee.

4.2 CHIEF OFFICER

The Chief Officer is responsible under the Civil Contingencies Act 2004 for ensuring that a BCM

system is in place and working satisfactorily.

4.3 DIRECTORS AND ASSISTANT DIRECTORS

Directors (and Assistant Directors) of operational directorates are responsible for ensuring that

the BCM programme is fully implemented within their areas of responsibility.

4.4 COMMISSIONING / CONTRACTING MANAGERS

Commissioning / Contracting Managers are responsible for ensuring that contracts and or

service level agreements with providers of goods and/or services include the requirement for

BCM.

4.5 ALL STAFF

All CCG employees will be responsible and accountable to their Line Manager for

implementation of the BCM programme including having read this policy and the Business

Continuity Management Plan.

4.6 GOVERNANCE TEAM

The Governance Team is responsible to the Director of Governance and Development for

developing and delivering the LCCG BCM programme. This includes ensuring there is a central

register of Business Continuity Plans.

5. GOVERNANCE ARRANGEMENTS

5.1 BUSINESS CONTINUITY MANAGEMENT

Page 9


BCM arrangements will be monitored through the Lambeth Integrated Governance Committee.

Reports on BCM will be submitted to the LCCG Governing Body at least annually.

5.2 UPDATING

This Policy will be deemed to have expired 3 years from its approval date, and will be subject to

regular review and updating to reflect legislative, organisational or other significant change

6. THE BUSINESS CONTINUITY MANAGEMENT PLAN

The BCMP will be based on the plan-do-check-act (PDCA) model and will:

Establish the organisational context for BCM

Set clear BC strategy and objectives

Outline potential resource requirements

Set out arrangements for communication to and with interested parties

Contain business impact analysis

Be based on risk assessment

Describe the organisation’s incident response structure

Set out arrangements for recovery from an incident

Set out arrangements for exercising and testing

7. DEFINITIONS

7.1 BUSINESS CONTINUITY

ISO 22301 defines Business Continuity as the capability of the organization to continue delivery

of products or services at acceptable predefined levels following [a] disruptive incident.

7.2 BUSINESS CONTINUITY MANAGEMENT SYSTEM

ISO 22301 defines Business Continuity Management System as a holistic management process

that identifies potential threats to an organization and the impacts to business operations that

those threats, if realized, might cause, and which provides a framework for building

organizational resilience with the capability for an effective response that safeguards the

interests of its key stakeholders reputation, brand and value-creating activities.

7.3 BUSINESS IMPACT ANALYSIS (BIA)

Page 10


Business Impact Analysis (BIA) is defined as the process of analysing activities and the effect

that a business disruption may have upon them.

7.4 PRIORITISED ACTIVITIES

Prioritised Activities is defined as those activities to which priority must be given following an

incident in order to mitigate impacts.

7.5 PRODUCTS AND SERVICES

Products and Services is defined as ‘the beneficial outcomes provided by an organization to its

customers, recipients and interested parties.’

7.6 MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPOD)

Maximum Tolerable Period of Disruption (MTPOD) is defined as ‘the time it would take for

adverse impacts, which might arise as a result of not providing a product / service or performing

an activity, to become unacceptable.’

7.7 MINIMUM BUSINESS CONTINUITY OBJECTIVE (MBCO)

Minimum Business Continuity Objective (MBCO) is defined as ‘the minimum level of services

and /or products that is acceptable to the organisation to achieve its business objectives during

a disruption.’

7.8 RECOVERY TIME OBJECTIVE (RTO)

Recovery Time Objective (RTO) is defined as ‘the period of time following an incident within

which:

Product or service must be resumed; or

Activity must be resumed; or

Resources must be recovered

The RTO must be less than the MTPOD.

7.9 INCIDENT IDENTIFICATION

Incident Identification is defined as an incident or set of circumstances which might present a

risk to the continuity of a service might be identified by any member of staff.

Page 11


7.10 ALL OTHER TERMS AND DEFINITIONS

All other terms and definitions used in this document are as found in ISO 22301.

8. POLICY AUDIT AND MONITORING COMPLIANCE

8.1 POLICY REVIEW

The Assistant Director Governance and Quality will collate a central register of Business

Continuity Plans and will ensure that compliance is audited.

Page 12


8.2 POLICY MONITORING AND AUDIT

MONITORING / AUDIT REQUIREMENT Area in document for monitoring – e.g. processes Note specifically any monitoring needed to assure equality and equity of delivery

MONITORING / AUDIT METHOD (e.g. statistics, report)

MONITORING REPORT / AUDIT PREPARED BY (job titles)

MONITORING REPORT / AUDIT PRESENTED TO (name of Committee / group)

FREQUENCY OF MONITORING REPORT / AUDIT (e.g. annually, six-monthly)

Implementation of BCM requirements for CCGs

Report Assistant Director Governance and Quality

Integrated Governance Committee

At least annually

Audit compliance against the CCG Business Continuity Plans

Reports Assistant Director Governance and Quality

CCG Operations Group As required

Ensure robust monitoring and management of EPRR risks

Risk Register Assistant Director Governance and Quality

Integrated Governance Committee

Monthly

Page 13


9. STATEMENT OF EVIDENCE / REFERENCES

This Policy and the supporting Business Continuity Management Plan are required to provide

the Governing Body with reasonable assurance that the LCCG is meeting its obligations with

regard to business continuity.

This policy has been written with reference to:

ISO 22301 Societal Security1

The Civil Contingencies Act 2004 (as amended)

The Health and Social Care Act 20122

NHS England (and former NHS Commissioning Board) EPRR documents and

supporting materials including:

NHS CB Emergency Preparedness Framework (2013)3;

NHS England Command and Control Framework for the NHS during significant

incidents and emergencies (2013); and

NHS England Core Standards for Emergency Preparedness, Resilience and

Response (EPRR).

BSI PAS 2015 - Framework for Health Services Resilience

10. IMPLEMENTATION AND DISSEMINATION OF DOCUMENT

Following ratification, the Business Continuity Management Policy will be

uploaded onto the CCG intranet and the document location confirmed to all CCG staff

launched at a Lower Marsh staff briefing

included in all new staff induction sessions

shared with SLCSU contracting leads

In addition, all CCG staff will be required to confirm that they had seen and read the policy

Staff with a role in BCM will be trained according to their level of need following a Training

Needs Analysis (TNA).

The Assistant Director Governance and Quality will ensure that BCM is incorporated into risk

management, health and safety and emergency planning training.

1 This International Standard for business continuity management specifies requirements to

plan, establish, implement, operate, monitor, review, maintain and continually improve a

documented management system to protect against, reduce the likelihood of occurrence,

prepare for, respond to, and recover from disruptive incidents when they arise.

2 http://www.legislation.gov.uk/ukpga/2012/7/enacted

3 www.commissioningboard.nhs.uk/eprr/

http://www.legislation.gov.uk/ukpga/2012/7/enacted

http://www.commissioningboard.nhs.uk/eprr/

Page 14


Significant changes and updates to BCM requirements or processes will be notified through the

Senior Management Team Meeting and usual corporate routes.

11. ASSOCIATED DOCUMENTS

This document should be read in conjunction with the LCCG Business Continuity Management

Plan.

12. APPENDICES

Appendix 1

NHS Core Standards

Appendix 2

The Plan-Do-Check-Act (PDCA) Model

Appendix 3

Equality & Equity Impact Assessment Checklist

Page 15


APPENDIX 1 NHS CORE STANDARDS

NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR)

1

All NHS organisations and providers of NHS funded care must develop, maintain and

continually improve their business continuity management systems. This means having

suitable plans which set out how each organisation will maintain continuity in its services

during a disruption from identified local risks and how they will recover delivery of key

services in line with ISO22301. Organisations must:

Make sure that there are suitable financial resources for their BCMS and that those

delivering the BCMS understand and are competent in their roles.

Set out how finances and unexpected spending will be covered, and how unique cost

centres and budget codes can be made available to track costs.

Develop business continuity strategies for continuing and recovering critical activities

within agreed timescales, including the resources required such as people, premises,

ICT, information, utilities, equipment, suppliers and stakeholders.

Develop, use and maintain business continuity plans to manage disruptions and

significant incidents based on recovery time objectives and timescales identified in the

business impact analysis.

2

Business continuity plans must include governance and management arrangements linked to

relevant risks and in line with international standards.

Each organisation’s BCMS should be based on its legal responsibilities, internal and

external issues that could affect service delivery and the needs and expectations of

interested parties.

Organisations should establish a business continuity policy which is agreed by top

management, built into business processes and shared with internal and external

interested parties.

Organisations must make clear how their plan will be published, for example on a

website.

The BCMS policy and business continuity plan must be approved by the relevant

board and signed off by the Chief Executive.

There must be an audit trail to record changes and updates such as changes to policy

and staffing.

The planning process must take into account nationally available toolkits that are seen

as good practice.

Page 16


NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR)

3

Business continuity plans must take into account the organisation’s critical activities, the

analysis of the effects of disruption and the actual risks of disruption.

Organisations must identify and manage internal and external risks and opportunities

relating to the continuity of their operations.

Plans must be maintained based on risk-assessed worst-case scenarios.

Risk assessments should take into account community risk registers and at very least

include worst-case scenarios for:

severe weather (including snow, heat wave, prolonged periods of cold weather

and flooding);

staff absence (including industrial action);

the working environment, buildings and equipment;

fuel shortages;

surges in activity;

IT and communications;

supply chain failure; and

associated risks in the surrounding area (e.g. COMAH and iconic sites).

Organisations must develop, use and maintain a formal and documented process for

business impact analysis and risk assessment.

They must identify all critical activities using a business impact analysis. This should

set out the effect business disruption may have on the organisation and how this will

be overcome, including the maximum period of tolerable disruption.

Organisations must highlight which of their critical activities have been put on the

corporate risk register and how these risks are being addressed.

4

Business continuity plans should set out how the plans will be called into use, escalated and

operated.

Organisations must develop, use, maintain and test procedures for receiving and

cascading warnings and other communications before, during and after a disruption or

significant incident. If appropriate, business continuity plans should be published on

external websites and through other information-sharing media.

Plans should set out:

the alerting arrangements for external and self-declared incidents, including

trigger points and escalation procedures;

the procedures for escalating emergencies to CCGs and the NHS CB area,

regional and national teams;

24-hour arrangements for alerting managers and other key staff, including how

up-to-date contact lists will be maintained;

the responsibilities of key staff and departments;

the responsibilities of the Chief Executive or Executive Director;

how mutual aid arrangements will be called into use and maintained;

where the incident or emergency will be managed from (the ICC);

how the independent healthcare sector may help if required; and

the insurance arrangement that are in place and how they may apply.

Page 17


APPENDIX 2 THE PLAN-DO-CHECK-ACT (PDCA) MODEL

Page 18


APPENDIX 3 EQUALITY & EQUITY IMPACT ASSESSMENT CHECKLIST

The CCGs Equality and Human Rights Statement is included as Section 3 of this document. This

information is also included in CCG job descriptions.

This is a checklist to ensure relevant equality and equity aspects of proposals, policy or guidance have

been addressed either in the main body of the document or in a separate equality & equity impact

assessment (EEIA)/ equality analysis. It is not a substitute for EEIA/ equality analysis which is normally

required unless it can be shown that a proposal has no capacity to influence equality. The checklist is to

enable the policy lead and the relevant committee to see whether the EEIA has covered the ground and

to give assurance that the proposals will not only be legal but also fair and equitable and lead to reduced

health inequality.

Challenge questions

Yes /

No / DK

/ N/A

Comments

1

Does the document set out the health care needs of the groups

intended to benefit from the proposal, including any differences in

need in terms of the legally protected or other characteristics (such

as socioeconomic position)

N/A

2

Does the document set out any known existing inequality in

access, quality, experience and outcome of care for populations

relevant to the proposal (i.e. as defined in 1. and in relation to the

existing health or care service)?

N/A

3 Are there any particular public concerns about equality about the

policy area than need to be addressed? No

4 Has the policy described any gaps in knowledge about 1 -3, and

any action taken to fill gaps (or recommendations for action) N/A

5

Does the document set out risks to equity of access, quality,

experience and outcomes including risk of direct or indirect

discrimination, and risk to good relations between people of

different groups?

N/A

6

Does the document describe any specific opportunities to

promote equality and human rights, good relations between

people of different groups, to enhance participation, etc?

N/A

7 Does the document describe how the proposal, policy etc will

address the identified inequalities, and N/A

8 Does the document make recommendations to mitigate risks and

enhance the opportunities to promote equality and equity? N/A

9

Does the document describe how monitoring and reporting will

take place to assure equality and equity in the future including to

stakeholders? [audit and monitoring table may be used]

N/A

* Race/ ethnicity, gender (including gender reassignment) age, religion or belief, disability, sexual orientation,

marriage or civil partnership, pregnancy and maternity. This will include groups such as refugees and asylum

seekers, new migrants, Gypsy and Traveller communities; and people with long term conditions, hearing or visual

Date post:	01-Aug-2020
Category:	Documents
Upload:	others
View:	5 times
Download:	0 times