
Business Impact Analysis - WYPF

Date post: 12-Mar-2022

Business Continuity Policy, Business Impact Analysis, and Business Continuity Plan for

Department: Chief Executive

Service: WYPF Team

Location – Building: Aldermanbury House

Location – floor and/or Area: Ground Floor

Date Completed: January 2020

Responsible Person: Yunus Gajra

Telephone Number: 01274 432343

APPROVED BY: Name (SD/AD): Rodney Barton Date: 27/1/2020

Version 2 - October 2018 Page 2

FOREWORD

Bradford Metropolitan District Council is one of the top performing Councils in the Country. In order to maintain our high standards it is important to plan how we can deal effectively when faced with any kind of service interruption. Through effective Business Continuity Management we can provide a strategic framework around which staff can work to enable critical functions to be maintained, or quickly restored to minimise any effect on service delivery. We will have an annual programme of training and exercises to ensure staff understand what their roles and responsibilities are, test the effectiveness of the plan and assist with future development.

SUSAN HINCHCLIFFE, LEADER OF THE COUNCIL

KERSTEN ENGLAND, CHIEF EXECUTIVE

DOCUMENT CONTROL

| Date | Revision/Amendment Details and Reason | Author |
|---|---|---|
| 12/1/18 | First edition | |
| 14/1/19 | Review | Yunus Gajra |
| 20/1/20 | Review | Yunus Gajra |


Business Continuity Policy

SCOPE, AIMS and OBJECTIVES

SCOPE

Bradford Metropolitan District Council is committed to ensuring robust and effective business continuity management as a key mechanism to restore and deliver continuity of critical key services in the event of a disruption or emergency. The Civil Contingencies Act 2004 placed a statutory duty on the Council to ensure that it can:

respond to an emergency

continue to support emergency response partners

continue to provide critical services to the public.

The Business Continuity Plan provides the operational structure for responding to serious disruption, and can be summarised as follows:

To have an operational document that sets out priorities, management structures and communications mechanisms to ensure an appropriate response to any disruption.

The Plan addresses the full range of the Council's functions and service areas. Where appropriate, it considers the interdependencies of different organisations, mutual aid and partnership arrangements.

Specific strategies have been produced to mitigate the effects of loss of infrastructure including buildings, communications, IT and staff.

Departments will continue to prepare and maintain Business Continuity ‘Service Area Arrangements’ as appropriate.


AIM

To anticipate risks, mitigate where possible and to have flexible and tested plans in place to minimise disruption when unplanned events significantly interrupt normal business.

OBJECTIVES

To ensure the Council can continue to exercise its critical functions in the event of an emergency.

To identify the potential areas of vulnerability in Council services.

To determine overall priorities for recovery of functions if disruption takes place.

To build on processes already in place for risk management, ensuring that all plans are integrated into the overall framework.

To ensure all Council departments are involved in the preparation of the Plan, so that there is an effective and consistent response to service continuity.

To undertake training and awareness programmes for staff, suppliers and partners as appropriate and carry out regular tests of the Plan to validate the arrangements.

METHODS AND STANDARDS

The Council’s business continuity management arrangements currently meet the mandatory requirements within the Cabinet Office document “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders”.

RESPONSIBILITIES

The business continuity management process is designed to ensure it is a mainstream activity rather than simply an emergency response. The Chief Executive champions business continuity management across the authority; however, the responsibility for business continuity does not rest solely with the Chief Executive, but is shared by all staff. Assistant Directors have been identified as lead officers for business continuity, responsible for obtaining information and co-ordinating departmental actions, or identifying another officer to undertake the responsibility on their behalf. Information gathered is subject to peer review to seek a consistent approach to service prioritisation and a shared understanding of the overall needs.

GOVERNANCE

The Business Continuity Plan is reviewed annually to ensure business continuity reflects the current assessment of likelihood of adverse events and to ensure that information on service functions and contact details is kept up to date. The Plan will be reviewed when there are significant changes to accommodation, structural reorganisations within the Council or if new duties or responsibilities are taken on; however, it is the responsibility of lead officers within each service area to notify the Emergency Planning Team of any significant changes that occur between these updates. The Plan will be reviewed if there is a ‘near miss’ or if the Plan is ever invoked, and at other times when lessons learned from incidents can be included in the Plan. Periodically and in line with the Council’s auditing policy, the Business Continuity Plan may be audited by either the internal audit team or external auditors appointed by the Council.

TRAINING AND EXERCISES

Training will take place regularly for those officers likely to be called on to lead or be part of the Business Continuity Management and Support Teams. Lessons learnt from training and exercises are used to determine any amendments or inclusions required when the Plan is updated.


Business Continuity Management

INTRODUCTION

Business Continuity Management (BCM) is about identifying those elements of the council's business that we cannot afford to lose and planning how these services could be maintained if there were an incident. Planning in advance means we will recover in the quickest possible time with the least disruption and minimum damage to the council's reputation. To implement BCM in its simplest format we need to consider the following questions:

What are each team's key activities and services?

Then determine what are critical activities and what resources are required to deliver these?

What are the risks to these critical activities?

How will we maintain these critical activities in the event of an incident?

Critical Activity (a definition) - Those activities and functions which have to be performed to deliver the key products and services which enable you to meet the most important and time sensitive objectives, those which must continue to be delivered during a disruption to protect or address a risk to life and limb, have a reputational risk to the authority, are required as a statutory function, or carry financial risk if not undertaken.

BCM has the full support of the Chief Executive and the Senior Leadership Team (SLT) and will be facilitated and managed by the Emergency Management Team (EMT) on their behalf. The Assistant Director with responsibility for the EMT will be the SLT representative on this subject.

Each department and team will undertake a Business Impact Analysis for their area of work (to be determined by their relevant AD) which in turn will inform each Business Continuity Plan (BCP).


Business Impact Analysis

This section is key to the whole process and identifies and documents functions and activities; which of these functions are ‘critical’ and why; the activities and resources required to deliver these functions; the impact that a disruption to these functions would have on the organisation; and the resources required to resume the activities.

SERVICE/DEPARTMENT/TEAM - KEY FUNCTIONS and ACTIVITIES

What is/are the main aims/overall goal(s) of your department/team? Consider your mission statement/your main purpose. List up to six key functions and consider the criticality of each. Critical functions are those functions that protect or address a risk to life and limb, have a reputational risk to the authority, are required as a statutory function, or carry financial risk if not undertaken. Additionally you may have functions that only become apparent or necessary during an emergency situation; please also list these. Also consider seasonal aspects to your critical functions and activities. It may be useful to measure your critical functions against one week of downtime.

| Ref | Function description (Brief) | Activity description | Critical? |
|---|---|---|---|
| F1 | Pensioner Payroll - Prompt payment of pensions to members retiring, pensioners and dependants. | WYPF process 28 Payrolls each month for regular payment of pensions on various dates and a daily payroll to pay lump sum retirement benefits. Most of these payrolls are for external clients that we provide pension services for on a commercial basis. | Yes |
| F2 | Statutory deadlines/submissions to regulatory bodies | WYPF have a number of deadlines that we have to meet: Issuing Annual Benefit Statements by 31 August; Issuing Pension Saving Statements by 6 October; Payment of tax deducted from pensions under PAYE to HMRC by 22nd of each month; HMRC Event Reporting by 31 January; Submitting pensions Regulator Returns by 31 October; Submitting IAS19 Data Capture information to Fire Authorities by 31 January; Pensions Forecasting information to Fire Authorities by 31 August; Quarterly event reporting to HMRC by 30 June, 30 Sept, 31 Dec, 31 March. | Yes |
| F3 | Provide an efficient and effective service to all employers whose employees participate towards pension schemes administered by WYPF. | Undertake pensions administration activity such as responding in a timely manner (and within KPIs) to requests for information, advice, providing estimates, updating records, guidance on legislation changes, producing communications material, updating website, training etc. | No |
| F4 | Investment of contribution income and treasury and general dealings in stocks and shares | Investment of contribution income and treasury and general dealings in stocks and shares. Whilst investment activity is crucial to maximise investment income and react to sudden market conditions/movements, staff have access to systems required from home or remote locations. | No |
| F5 | Applications of Pensions Increase | Pensions are eligible for increases each April but work on this starts around February to look at errors and warnings. If necessary, payment of increase can be delayed until May pension in which case we would pay the arrears due from April. | No |
| F6 | | | |


CRITICAL FUNCTIONS/ACTIVITIES

Critical functions are those functions that protect or address a risk to life and limb, have a reputational risk to the authority, are required as a statutory function, or carry financial risk if not undertaken. Additionally you may have functions that only become apparent or necessary during an emergency situation; please also list these. Also consider seasonal aspects, and time limited aspects to your consideration of critical functions and activities. It may be useful to measure your critical functions against 24 hours of downtime.

| Priority | Function description | Outcome of function being delivered |
|---|---|---|
| P1 | Pensioner Payroll - Prompt payment of pensions to members retiring, pensioners and dependants. | To ensure Pensioners and beneficiaries get paid on time. For a number of people this will be their only income and they will therefore be relying on this to live off. For new beneficiaries, it will be a traumatic time in their life as they will just have lost a partner whose income they may have relied on. They will also have bills such as funeral costs to pay. We provide pensions administration for 13 Fire Authorities and 2 Local Authorities (in addition to WYPF) and are therefore contracted to pay their pensioners/beneficiaries on the due date. Failure to do so may result in financial penalties/loss of reputation/loss of contract for us. |
| P2 | Statutory deadlines/submissions to regulatory bodies | Compliance with regulatory requirements. Failure to do so may result in fines against WYPF which in turn would lead to reputational risk and potential penalties from clients. |
| P3 | | |
| P4 | | |
| P5 | | |
| P6 | | |

(If your service has no Critical Activities then your BIA ends here)


IMPACT ASSESSMENT

This section asks you to describe the impact of NOT delivering each of the critical business functions, function by function, as you identified above, against the listed threats/disruptions. Complete one table for each function. Use APPENDIX 1 to score your assessment.

Ref P1: Provide and manage a structure in an emergency

| Specific Impact of disruption | Impact over time (1 hr / 24 hrs / 1 wk / 1 m’th): mark where and when you consider serious impact will occur | Comments/justification (where an impact over time has been identified). Give information why you choose the ‘impact over time rating’ |
|---|---|---|
| Threat to staff or public safety/welfare | X | For a number of people this pension will be their only income and they will therefore be relying on this to live off. For new beneficiaries, it will be a traumatic time in their life as they will just have lost a partner whose income they may have relied on. They will also have bills such as funeral costs to pay. |
| Statutory/regulatory requirements | X | Pension Pay dates are fixed (i.e. 16th of the month for WYPF, 23rd for LPF, 1st and last day of the month for Fire Authorities). Any tax deducted from pensions has also to be paid by a statutory deadline. |
| Damage to reputation | X | We provide pensions administration and Payroll for 14 Fire Authorities and 2 Local Authorities (in addition to WYPF). As part of the contract we have a number of KPIs to meet. Failure to do so may result in financial penalties/loss of reputation/loss of contract for us. |
| Damage to financial viability | | |
| Deterioration to service quality (authority wide) | X | Contractual obligations for each of our external clients have to be met. |
| Environmental damage | | |
| Other | | |


Ref P2: Provide and manage a structure in an emergency

| Specific Impact of disruption | Impact over time (1 hr / 24 hrs / 1 wk / 1 m’th): mark where and when you consider serious impact will occur | Comments/justification (where an impact over time has been identified). Give information why you choose the ‘impact over time rating’ |
|---|---|---|
| Threat to staff or public safety/welfare | | |
| Statutory/regulatory requirements | X | Failure to meet statutory/regulatory requirements may result in fines against WYPF which in turn would lead to reputational risk and potential penalties from clients. |
| Damage to reputation | X | We provide pensions administration and Payroll for 14 Fire Authorities and 2 Local Authorities (in addition to WYPF). Any fines imposed will damage our reputation and may also result in penalties from the clients. |
| Damage to financial viability | | |
| Deterioration to service quality (authority wide) | | |
| Environmental damage | | |
| Other | | |


RISK ASSESSMENT

Now that we know what your critical activities are and what the impacts of not being able to deliver each function are, we need to measure the risk of occurrence. Score for both Likelihood and Impact is: 1 = Very Low, 2 = Low, 3 = Average, 4 = High, 5 = Very High. Risk Score is Likelihood Score x Impact Score. (Please consider your service area risks against the hazards identified.)

Ref P1: Provide and manage a structure in an emergency

| HAZARD | L/hood Score | Impact Score | Risk Score | Existing Control Measures | Proposed Control Measures |
|---|---|---|---|---|---|
| Loss of Staff | 2 | 5 | 10 | Adequate number of staff trained to process payroll | Review number of staff trained to process payroll and increase if required. |
| Loss of, or access to premises | 2 | 2 | 4 | Key staff (and a number of other staff) have the facility to work from home. | Acquire alternative space in other Council Offices or work from home. |
| Loss of Systems (IT and Telecommunications) | 2 | 5 | 10 | An offsite backup regime is in place. Onsite backups are kept in a fire proof safe. System failure – protected by service and maintenance contracts. | No change required. |
| Loss of key suppliers | 1 | 2 | 2 | | |
| Disruption to transport | 3 | 2 | 6 | A number of staff have the facility to work from home | No change required |
| Other | | | | | |


Business Continuity Plan

We now know what our critical functions are and the length of time we can ‘risk’ not delivering these functions. We have measured the likelihood of this ‘collapse’ and the impact on a number of levels. Using information in appendix 2 and 3 we can now look to identify and plan what we need to address business continuity in the face of an event.

BUSINESS CONTINUITY PLANNING

Identify the resources required over time to maintain the critical functions at an acceptable level.

| Ref | Function description | Consider people, premises, technology, information, suppliers and partners and resources |
|---|---|---|
| P1 | Pensioner Payroll - Prompt payment of pensions to members retiring, pensioners and dependants. | One experienced staff member from the Payroll team and one IT Professional to run the payroll; one desk and PC and an ISDN line linked to BACS or internet connection (a new PC can be configured pretty quickly from previous day's backups and can be set up anywhere). Communis to print pay advices. HSBC to pay people by cheque. BACS to process data. |
| P2 | Statutory deadlines/submissions to regulatory bodies | The requirements will depend on which deadline needs to be met but as a minimum: one IT Professional, one relevant Manager responsible for that area of work (i.e. TSM/MSM/PSM/CRM/FM), access to UPM system. |
| P3 | | |
| P4 | | |
| P5 | | |
| P6 | | |


What happens from here on …

Thank you for providing the information so far, which will now be referred to your Assistant Director for them to appraise and comment as they see fit.

The detail you have provided will be logged on a spreadsheet and used if there is an event that impacts on Business Continuity.

The information provided will be collated into a Departmental Business Continuity Plan owned by the AD for each specific Dept.

Should an event occur there will be a meeting of Senior Managers who will make strategic decisions on priorities using the information provided.

This paper is required to be reviewed annually for change and accuracy by the nominated officer (and author) and forwarded to EMT with changes identified and highlighted.

Using the information provided the Emergency Management Team may undertake an (unannounced) exercise to test your preparedness to continue your work with the minimum of disruption. This test and exercise will be sympathetic to your department's work and commitments and will only be undertaken with the full knowledge and consent of your AD.


APPENDIX 1 - IMPACT ASSESSMENT Criteria and Scores

| IMPACT DUE TO THE LOSS OF THE FUNCTION | IMPACT LEVEL 4: Catastrophic | IMPACT LEVEL 3: High | IMPACT LEVEL 2: Medium | IMPACT LEVEL 1: Low |
|---|---|---|---|---|
| Threat to Staff or Public Safety and/or Welfare | Health and safety is compromised to the point that lives are in danger and/or there is a serious impact on health and/or welfare and/or there are serious injuries with medium to long term effects. | Health and safety is compromised and/or breach of procedures which result in a threat to the safety and/or welfare of staff and/or public with short to medium term effects. | Health and safety guidelines are not adhered to or are compromised which results in potential impacts on the safety and/or welfare of staff and/or public. | No threat to staff or public safety and/or welfare. |
| Statutory / Regulatory Requirements | Breach in statutory/regulatory requirements with a serious impact to the organisation with legal consequences and/or considerable decline in performance as measured by Key Performance Indicators and/or serious impact on performance with medium to long term consequences for the organisation. | Breach in statutory/regulatory requirements with some short to medium term impact on performance and Key Performance Indicators and/or short to medium term impact on performance. | No breach in statutory/regulatory requirements with minor impact on performance but with no adverse effect on Key Performance Indicators and/or no adverse effect on performance. | No breach in statutory/regulatory requirements and/or no impact on performance which affects Key Performance Indicators and/or no impact on performance. |
| Damage to Reputation | Medium to long term damage to the Council’s reputation. | Short to medium damage to the Council’s reputation extending beyond the Service Area. | Minor consequences to reputation specific to the Service Area. | No threat of or damage to reputation. |
| Damage to Financial Viability | Extensive financial consequences which extend beyond the capacity of the Service area's Directorate to absorb with medium to long term effects for the Council. | Major financial consequences which can be absorbed by the Service area's Directorate with short to medium term impact on financial viability. | Minor financial consequences which can be absorbed by the Service area without adverse impacts and no threat to financial viability. | No financial impact or threat to financial viability. |
| Deterioration to Service Quality (Authority Wide) | Loss of function has extensive impact on ability of other Services to provide other functions across the Council and/or medium to long term consequences for the Council’s customers and/or partners. | Loss of function has major impact on quality of other functions delivered by other Services across the Council and/or short to medium term consequences to the Council’s customers and/or partners. | Loss of function has minor impact on quality of other functions within host Service area but with no external consequences to the Council’s customers and/or partners. | No impact of loss of function on Service quality. |
| Environmental Damage | Extensive impact on the environment requiring extensive remediation/restoration work with medium to long term consequences. | Serious impact on the environment requiring major remediation/restoration work with short to medium term consequences. | Minor impact on the environment with only minor remediation/restoration work required and with no lasting effects. | No impact on the environment with any lasting effects. |


APPENDIX 2 - SERVICE DEPENDENCIES

External Supplier Dependencies (who do you rely on to deliver essential supplies to operate fully):

| Vendor (Name) | Product/Service Provided |
|---|---|
| HSBC | Banking services |

ICT Supplier Dependencies (what software do you rely on to operate your service fully):

| Software (Name) | Vendor |
|---|---|
| UPM | Civica |
| BACS | BACS |

Service Supplier Dependencies (list the internal departments you utilise to operate your service):

| Internal Department (Name) | Service/Product Provided |
|---|---|
| ICT | Email, Intranet, Telephony |

Who are your primary customers? (those to whom you deliver a direct service)

Pension Scheme Members and Employers

External Clients (14 Fire Authorities and 2 Local Authorities)


APPENDIX 3 - REQUIRED RESOURCES (Resources/Equipment required to operate your critical activities in the event of a disruption)

Please use this form as a guide

Items Current Optimum Minimum

People

Managerial 17 2

Operational 100+ 4

Specific skills required Payroll Knowledge, UPM Knowledge, IT knowledge, Pensions Knowledge

Adjustment and/or Special equipment needed (disabled)

Premises

Number of offices 2 1 1

Office Space 14,000Sq feet

Enough to accommodate 1 desk and 1 secure cupboard

Storage Space 1 1 0

Personal Transport for Council business 30 30 5

Council vehicles 0 0 0

Meeting Rooms 6 1 0

Chairs 170 2

Desks 170 1

Tables 10 0

Filing Cabinets 0 0

Secure cupboards 30 1

Whiteboards 4 0

Computers & office equipment

Laptops 30 3

Printers (MFD) 6 1 1

Scanners (MFD) 6 1 0

Confidential Waste Bin 2 1 0


Network Points & connecting cables 170 2 2

Telecommunications

Mobile Phones 31 2

Telephones 170 1

Outlook e-mail 170 1

Facilities

Off-site storage (how much & where) 1 0 0

