
Corporate Business Continuity Plan

Date post: 06-Mar-2018

ISO Version – Web June 2014

Version control

Document Owner: Assistant Director of Planning, Performance & Engagement – Samantha Williams
Initial Approval: Corporate Business Continuity Response Team
Approval Date:
Author: Emergency Planning Officer - Jim Foster
Primary reviewers: Emergency Planning Manager - David Broadley; Business Continuity Coordinators Group
Contacts reviewed and updated: 6 monthly (Appendix E, K)

Review and update plan

Version | Reviewed by | Approved by | Date
V2 | | |
V3 | | |
V4 | | |
V5 | | |

Note: MAIN ACTIONS TO BE TAKEN IN A BUSINESS CONTINUITY INCIDENT ARE SUMMARISED IN THE TABLES IN SECTIONS 5.3 – 5.7


Contents

1 Introduction – aims, scope
2 Risk Analysis – Critical Services and Resource Requirements
3 Structure, Responsibilities and Departmental Plans
4 Communications and Contact details
5 Activation / Invocation
6 Recovery – Returning to normal operation
7 Review, Exercising and Training

Appendices

8 Appendix A Agreed Business Continuity Policy
9 Appendix B Corporate Critical Service list
10 Appendix C Internal Contacts
11 Appendix D Incident Response Flow Diagram
12 Appendix E Agenda for Corporate BC Response Team
13 Appendix F Specific Risks – reducing likelihood / mitigating disruption
14 Appendix G Quick Reference Checklist
15 Appendix H Log Sheet
16 Appendix I Decision Log


1 Introduction – aims, scope

1.1 The Legal Requirement

The Civil Contingencies Act 2004 places a duty on the East Sussex County Council to produce Business Continuity plans to ensure it can continue to carry out civil protection functions and maintain critical services in the event of an emergency. The County Council provides a wide range of services which are delivered through five Departments: Adult Social Care and Health; Business Services; Children’s Services; Communities, Economy and Transport; Governance Services.

1.2 Objectives of the Plan

The objective of the County Council during a Business Continuity incident is to minimise disruption to the services it provides by firstly, ensuring that critical services continue, and, secondly returning all services to normality in a controlled and timely manner. This plan details the Corporate strategy and actions required to cope with the effects of a business continuity incident which seriously affects normal service delivery. It aims to minimise disruption and aid recovery particularly of critical services. It sets out how the Council meets its relevant statutory duties in respect of business continuity.

1.3 Status of this Plan

This is the Council’s overarching business continuity plan. The business continuity plans of departments and critical services must be consistent with this Plan (or be consistent with approved exceptions). Together these plans set out the Council’s strategy for dealing with a business continuity incident. The plan focuses on how corporately the Council will provide continuity of its critical services. In particular it considers how at least the minimum possible level of service will be provided while the disruption exists or the repairs / reinstatement referred to in 1.5 below are being put in place. (The resources required for the minimum level of service are identified in business impact analyses (BIA) in the critical service plans).

The plan meets the business continuity requirements of the Cabinet Office document “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders” (2009) and also is in line with the International Standard for business continuity, ISO 22301:2012(E) [1] (which is based on BS25999 which it has replaced). The Council’s existing Business Continuity Policy (agreed by the Corporate Management Team on 12 December 2005) is attached as Appendix A.

[1] ISO 22301:2012(E) Societal Security – Business Continuity Management Systems - Requirements


1.4 Types of business continuity incidents - Scope

a) Staff shortages – pandemic flu, adverse weather, fuel shortage, responding to external emergencies
b) Loss of a hub building - flooding, fire, malicious act: County Hall, Sackville House, St Mary’s House, St Mark’s House, Ocean House, major depot or other key building
c) Technological failure - IT system, Phone system, Power
d) Loss of an external service provider

These rare incidents are likely to significantly affect a number of critical services or cause very serious disruption to one critical service. This plan does not cover those less serious incidents which would normally be dealt with by the usual management process.

1.5 Business Services Department Responsibilities

Because of the corporate services which impact on all departments, the Business Services Department has specific responsibilities in planning for:

a) Organising repairs to buildings;
b) Facilitating moves of staff to new premises;
c) Reinstating ICT services.

1.6 Ownership and Up-dating the plan

The Director of Communities, Economy & Transport (‘Director of CET’) is the strategic lead officer for business continuity on the Council’s Corporate Management Team (CMT). The Assistant Director of Planning, Performance & Engagement is the owner of this plan and is responsible for reviewing and updating this plan in conjunction with the Emergency Planning Manager. The contacts will be reviewed six-monthly and the whole plan reviewed on an annual basis. Responsibility for signing off the plan rests with the Director of Communities, Economy & Transport or the Corporate Business Continuity Team on his behalf.

1.7 Interdependencies and Interested Parties

An important element of the Council’s business continuity strategy is to ensure identification of ‘Interdependencies’ i.e. both internal services and external organisations which either (a) support, or (b) are dependent on the critical services provided by the Council. Internal interdependencies have been identified by the Business Continuity Coordinators Group. Departmental and Critical Service Plans should contain details of the interdependencies and interested parties, their contact details and the mitigation measures which aim to lessen the effects of disruption on business continuity. (This could include voluntary sector organisations which could be called upon during an emergency to support departments in providing critical services.)

1.8 Business Continuity documents and back-up records

Business continuity documents are recorded electronically and saved to the Corporate Business Continuity section of SharePoint. This drive has restricted access to those directly involved in business continuity. Copies of all business continuity plans, risk analyses, lists of critical services, interdependencies, etc should be stored on this drive. Departments are responsible for ensuring they have back-up copies. This includes paper copies where appropriate.


2 Risk Analysis – Critical Services and Resource Requirements

2.1 Service Impact Analysis

The Council’s Service Impact Analysis (SIA) is a risk assessment procedure to identify the services which are considered to be ‘critical’. These are the services where disruption would cause significant adverse effects to human welfare, the environment, legal issues, financial issues or the Council’s reputation. Departments should update this analysis annually. A summary of the risk analysis for each critical service is kept in the Council’s business continuity drive. These are also referred to in the Departmental / Critical Service BC plans. Appendix B is a list of all critical services provided by the Council. The Sussex Resilience Forum (SRF) Community Risk Register has identified a number of scenarios as high risk in Sussex. This can be accessed at (http://www.sussexemergency.info/community-risk-register).

2.2 Business Impact Analysis

For all critical services in the Council, a Business Impact Analysis (BIA) has been carried out. Each BIA summarises on a single form the effects of losing each of these services and identifies the essential resources required to provide both a full service and the minimum possible service. Also identified are any other specific requirements. These forms will be vital reference documents if there were a business continuity incident. They are contained within each Critical Service business continuity plan. They should be reviewed annually.

2.3 Specialist Resources

Some departments may have specialist equipment or resources of particular use in a business continuity incident. Such resources are recorded in the Business Impact Analysis in Critical Service Plans.


3 Structure, Responsibilities and Departmental Plans

3.1 Strategic Direction and Management

The Director of Communities, Economy & Transport (‘Director of CET’) is the Council’s strategic officer who will formally invoke and direct the corporate response to a business continuity incident. In carrying out these duties, the Director would liaise with the Corporate Management Team (CMT). If the Director of CET is absent the Chief Executive will nominate a person to undertake this role. The Assistant Director of Planning, Performance & Engagement is responsible for coordinating the corporate response to a business continuity incident through chairmanship of the Corporate Business Continuity Response Team. If the Assistant Director of Planning, Performance & Engagement is absent, the Director of CET will nominate a person to undertake this role.

3.2 The Strategic Response Group

It is likely that in the early stages of an incident, the Director of CET may wish to bring together a group consisting of members of the Corporate Management Team (CMT), the Emergency Coordinator (if appointed), the Council’s Business Continuity Lead, Head of Communications and Emergency Planning Manager to consider the Council’s strategic response to the incident. Appendix D shows the Incident Response Flow Diagram.

3.3 The Corporate Business Continuity Response Team (CBCRT) - Appendix C

Each Department has nominated an assistant director to be the Business Continuity Manager (BCM). These BCMs together form the Corporate Business Continuity Response Team (CBCRT) under the chairmanship of the Assistant Director of Planning, Performance & Engagement. This Team leads the Council’s business continuity planning and management. At the time of a business continuity incident, the CBCRT would coordinate the overall Council response in accordance with the requirements of the Director of CET. Contact details of the CBCRT are given in Appendix C.

Individual responsibilities – The members of the CBCRT are each responsible for coordinating their own Department’s response to a business continuity incident. The detailed arrangements for this are contained in the Departmental and Critical Service plans. For a BC incident, the Director of CET will call together this Team and consider the strategic and operational options for responding to the disruption to mitigate the effects and restore services. This Team will meet regularly during the disruption to review progress, consider issues and modify the response to speed recovery. The normal place for this Team to meet and an alternative if this was unavailable is given in Appendix C.


3.4 The Business Continuity Coordinators Group

Each Department has nominated a Business Continuity Coordinator to assist the BCM in carrying out the departmental duties. These officers, together with a representative of the Resilience & Emergencies Team, meet as the BC Coordinators Group. The purpose of this Group is to undertake corporate tasks required by the CBCRT and make recommendations to improve BC within the Council. Contact details of the Coordinators Group are given in Appendix C.

3.5 Departmental Business Continuity Teams

The Corporate Business Continuity Response Team will be supported by departmental teams each responsible for the recovery of their own services. In addition common services teams will be provided by the Business Services Department and the Governance and Community Services Department. Departmental Teams will provide regular updates to the Corporate BC Team meetings, where any recovery risks and issues affecting the Council as a whole will be resolved.

[Diagram boxes: Corporate Business Continuity Response Team; Common Services Recovery Team (ICT, Facilities and Property); Departmental BC teams; Personnel, Communications, Emergency Planning; Critical Service Teams]

3.6 Personnel Team

The Assistant Director of Personnel will, upon being notified, identify a team to support the departments in the identification of staff resources and to manage the welfare of any injured

3.7 Emergency Response Secretariat

As part of the response to a major incident (either external or internal), it is envisaged that additional specific administrative support may be required. This is to be provided by a group of trained volunteers – the Emergency Response Secretariat. For a BC incident, this Secretariat would be activated by the Director of CET or Assistant Director of Planning, Performance & Engagement. In addition to providing clerical support, the Secretariat can act as a single point of contact (SPOC), collate material relevant to the incident, ensure Business Continuity Managers are kept informed and produce a Common Recognised Information Picture (CRIP). The Secretariat would meet at the Council’s Emergency Control Centres (the Drop-In Room at County Hall or in the Training Centre at St Mary’s House) or via teleconference. (Information about the Secretariat has been published separately)

3.8 Due regard for Health and Safety

In undertaking their duties, staff must give due regard to the safety and wellbeing of themselves, colleagues and the public; protection of property and the environment; legal and financial implications; and the good name of the Council.

3.9 Minimising loss of service

Actions must aim to prevent further loss of service, minimise the disruption and to restore critical services as soon as is reasonably practical and prior to the maximum tolerable period of disruption set out in each of the business impact analysis summaries contained in each Critical Service Plan.

3.10 Specific Risks – reducing the likelihood or mitigating a disruption

Departments / Critical Services have identified within their plans measures to reduce the likelihood of specific risks or mitigate the effects of disruption if those risks occurred. Appendix F details particular corporate plans for specific risks.

3.11 Financial Implications

Records must be kept of any financial effects resulting from the business continuity incident. Any special procurement or financial measures will be advised by the Assistant Director (Finance) via the Director of CET.

3.12 Departmental Plans

Each Department will maintain a generic plan together with specific plans for dealing with its critical services. These plans will identify the key personnel responsible for delivering the plan and their roles. They will set out the logical steps to be taken in the event of an incident and will include:-

• Activation and management – details of how the plan would be activated; details of the Departmental Business Continuity Team and the allocation of specific responsibilities.
• Critical services – list of critical services and a risk assessment of service delivery; Outsourced services and Partnerships.
• Resources and data – the essential staff and skills required to deliver the identified critical services; the location and protection of critical information and documentation; ICT requirements, electronic data and Computer software; Telecommunications needs and the equipment required to support the services.
• Communications – the staff and public communications strategy; communications with service users, partners and suppliers
• Departmental response – specific departmental actions and plans; support to other services, home working and travel.
• Recovery – the process of returning to normal operation

In view of the size and diversity of departments it is recognised that particular headings may change to suit. Critical Service Managers within the departments will also maintain plans linked to the critical services they deliver and taking into account the high risk specific scenarios detailed in 1.4 above. These plans will link into the departmental plan. Where services are outsourced, departments will, as part of their plans, approach the service provider concerned and confirm their ability to continue to maintain their service level or if not to come to other agreements. Specific agreements should be referred to within the departmental plans.

3.13 Checklist of critical actions

A checklist of some of the critical actions required is given in Appendix G.


4 Communications and Contact details

4.1 Communications

Invoking the Council’s business continuity process will mean that the relevant corporate, departmental and critical service teams will be set up to mitigate the effects of the disruption and to coordinate recovery. In particular, the Corporate BC Response Team will be receiving information from and giving instructions to the departmental BC team. Similarly, the departmental Business Continuity Manager will be receiving information from and giving instructions to the Heads of Service (HoS). In this way the strategic and operational options for responding to the disruption and minimising loss of critical services will be coordinated within the Council.

Invoking the Council’s business continuity process also sets in place the corporate BC Communications Plan which is concerned with coordinating messages to staff, councillors, partner organisations, service users, the public and media. The Council has a statutory requirement under the Civil Contingencies Act to provide information to the public during any major incident and does this in consultation with other Sussex Resilience Forum partners.

Each department has a Communications Manager who is part of the Departmental BC Team and will give advice to the BCM, Heads of Service and other managers on appropriate messages and how best to reach the target audiences.

There may be a need for a Nominated Spokesperson. It will depend upon circumstances as to whether this should be a Lead Member, one of the Corporate Management Team or the Head of Service. Advice should be sought on this from the Communications Team. The Business Continuity Manager will advise the Head of Service as to who the nominated spokesperson will be. Internal contact details are given in Appendix C.

4.2 Interdependencies + Interested Parties Contact Details

In a Business Continuity incident, it is the duty of the relevant Department Business Continuity Manager to ensure that contact is established and maintained with interested parties (see paragraph 1.7 above).


5 Activation / Invocation

5.1 East Sussex County Council’s Graduated Response

A graduated response structure has been adopted by ESCC. Graduated response is designed to help chief officers decide on an appropriate level of readiness for the authority, particularly in response to advanced warnings of disruption (e.g. severe weather warnings, flood warnings, industrial action). In such situations, a major incident has not occurred, but warnings have been received that the possibility of one occurring is higher than normal. Clearly the council will need to increase its readiness in such situations.

The aim of graduated response is to provide a framework and mechanism that will enable the adoption of readiness based on an assessment of the overall situation. It will assist the council with resource planning (particularly personnel) and enable an appropriate reaction to any increase in the probability of a major emergency occurring.

There are five levels in the Graduated Response:

A1 Normal – nothing unusual is occurring and there are no warnings or alerts in force. This is the planning and preparation stage.

A2 Enhanced Status – the overall assessment is that a business continuity incident is a possibility. If the scenario is likely to develop over a period, actions at this stage are aimed at ensuring preparations are in place without causing any major disruptions which may be unnecessary if the crisis is averted.

A3 Standby – If the assessment is that a business continuity incident is likely with the potential of it being a major incident, then the Council would move to Standby. Actions are taken to ensure that the Council would be ready for immediate implementation if it were required.

A4 Declared Emergency – a major BC incident has occurred or is expected to occur and the Director of CET invokes the full measures of this Plan.

A5 Recovery – is the process of returning to normal working and review of actions taken.

Some of the important actions required at the various response stages are set out in the tables on the following pages.


5.2 Activation / Invocation

The decision to invoke the Council’s Corporate Business Continuity process and the level within the Graduated Response will be taken by the Director of Communities, Economy & Transport (as indicated in the tables on the following pages). In most cases, the Director will liaise with Corporate Management Team and assemble the Corporate Business Continuity Response Team prior to deciding to invoke the full Business Continuity response.

Note that some business continuity incidents may happen suddenly with little or no warning. In this case, as soon as an incident has been identified the Director of CET will be informed. He will decide in consultation with the Departments affected, the Assistant Director Planning, Performance & Engagement and the Emergency Planning Manager whether to immediately move the Council to Response Stage A4 – ‘Declared Emergency’.

A business continuity incident may affect one Department more than others in which case that Department may have a ‘Declared Emergency’ while the others may be at Response Stage A3 – ‘Standby’. If the incident is department specific it is likely that the Departmental Business Continuity team will convene and manage the incident. If more than one Department is involved the Corporate BC Recovery Team will lead the recovery.

As the incident may take place at the same time as, or be part of, an external emergency, depending on the type of incident and the resources available, the response to the two activities will, as far as practical, be kept separate to ensure focus. However, strategically, both responses will be led by the Director of Communities, Economy & Transport. (If an Emergency Control Centre is required, the Director of CET will set up an Emergency Response Group in consultation with the Emergency Planning Manager – see Appendix D.)

5.3 Common Recognised Information Picture (CRIP)

During an incident it is important that persons involved in making decisions about the response should have the most up-to-date information. This is prepared in the form of a Common Recognised Information Picture or CRIP which is defined as a single, authoritative strategic overview of an emergency or crisis that is developed according to a standard template and is intended for briefing and decision-support purposes. The initial CRIP is likely to be prepared by the Emergency Planning Manager and subsequently be updated by the Corporate Business Continuity Response Team.

5.4 Record keeping

As soon as an incident is notified, a record must be started and maintained as to all information, actions or decisions relevant to the incident. A typical log sheet is shown at Appendix H. Record decisions taken (including the reasoning and alternative solutions) in a ‘Decision Log’ (Appendix I).


5.3 Activation Stage A1 – Situation NORMAL

Nothing unusual is occurring and there are no warnings or alerts in force. This is the planning and preparation stage. Departments and Critical Services will be reviewing, updating and exercising their business continuity plans and training staff as necessary. Much of this work will be led by the departmental Business Continuity Managers (BCMs). Advice can be provided by the Resilience & Emergencies Team (R&ET).

Ref | Action by | Action Required
1a | Corporate BC Response Team (CBCRT) | Ensure coordinated approach to BC incidents is in place
1b | Resilience & Emergencies Team | Review Corporate BC Plan and propose updates to CBCRT
1c | Resilience & Emergencies Team | Arrange periodic exercises for CBCRT
1d | Department BCM | Annually review critical services (SIAs + BIAs) and identify areas for reduced services in BC Plans
1e | Department BCM | Identify non-critical areas which could be reduced / suspended – include in BC Plans
1f | Department BCM | Review BC arrangements of critical contractors and identify mitigating arrangements – include in BC Plans
1g | Department BCM | Review interdependencies – include in BC Plans
1h | Department BCM | Annually review contact arrangements
1i | Department BCM | Review communication arrangements for a BC incident
1j | Department BCM | Arrange departmental / critical services exercises
1k | Department BCM | Ensure staff are appropriately trained
1l | Resilience & Emergencies Team | Arrange a peer review of the Council’s arrangements


5.4 Activation Stage A2 – ENHANCED STATUS For Enhanced Status the overall assessment is that a business continuity incident is a possibility. If the scenario is likely to develop over a period, actions at this stage are aimed at ensuring preparations are in place without causing any major disruptions which may be unnecessary if the crisis is averted.

2 Action by: Action Required

2a Emergency Planning Manager Prepares an initial CRIP of information available (Common Recognised Information Picture)

2b Director of CET liaises with EP Manager

Consults Assist Director - Planning, Performance & Engagement as appropriate

2c Director of CET Considers calling a meeting of the Strategic Response Group

2d Director of CET Confirms ‘Enhanced Status’ and considers calling meeting of the CBCRT

2e Resilience & Emergencies Team

Monitors the situation and advises as appropriate. Liaises with SRF organisations

2f Department BCM Checks BC Plans are up-to-date

2g Department BCM Reviews critical services which could be reduced

2h Department BCM Reviews non-critical areas which could be reduced or suspended

2i Department BCM Reviews implications of any specific ESCC plans (e.g. fuel / pandemic flu)

2j Head of Communications Reviews Communications Plan

2k Head of Communications Formulates messages to staff, Members and public

2l Resilience & Emergencies Team Checks availability and contact details of Emergency Response Secretariat


5.5 Activation Stage A3 – STANDBY

If the assessment is that a business continuity incident is likely with the potential of it being a major incident, then the Council would move to Standby. Actions are taken to ensure that the Council would be ready for immediate implementation if it were required.

3 Action by: Action Required

3a Emergency Planning Manager Prepares an initial CRIP of information available (Common Recognised Information Picture)

3b Director of CET liaises with EP Manager, Head of Comms and Assistant Director of Planning, Performance & Engagement: Reviews the position and considers initial strategy

3c Director of CET Considers calling a meeting of the Strategic Response Group

3d Director of CET Calls meeting of CBCRT and confirms ‘Standby’ status

3e Corporate Business Continuity Response Team (CBCRT) Meets to consider preparation for implementing BC Plans

3f All Departments Prepare to implement BC Plans and consider actions needed and possible timescales

3g Resilience & Emergencies Team Continues to monitor the situation and advises as appropriate. Liaises with SRF organisations

3h Communications Team In liaison with the CBCRT, prepare information for staff and service users to be uploaded onto the Intranet and web-site

3i EP Manager in consultation with Director of CET: Strategic Emergency Response Group members identified and briefed on their duties (App D)

3j Resilience & Emergencies Team Puts Emergency Response Secretariat on ‘Standby’


5.6 Activation Stage A4 – DECLARED EMERGENCY

Declared Emergency – a major Business Continuity incident has occurred or is expected to occur and the Director of CET invokes the full measures of this Plan.

4 Action by: Action Required

4a Emergency Planning Manager Prepares an initial CRIP of information available (Common Recognised Information Picture)

4b Director of CET Declares the emergency and oversees the response

4c Director of CET Considers calling a meeting of the Strategic Response Group

4d Director of CET Nominates strategic officer for Strategic Coordinating Group (SCG) at Police HQ in Lewes if required

4e Corporate Business Continuity Response Team (CBCRT) Meets regularly to: receive updates from Departments; coordinate ESCC response; and update CRIP for Director of CET and EP Team

4f All Departments Implement BC Plans

4g All Departments Provide reports for CBCRT on actions being taken and timescales

4h Communications Team In liaison with the CBCRT, uploads information for staff and service users onto the Intranet and web-site

4i Resilience & Emergencies Team Continues to monitor the situation and advises as appropriate. Also liaises with SRF organisations

4j Strategic Emergency Response Group (App D) Assists Director of CET and CBCRT as required

4k Resilience & Emergencies Team Liaises with Emergency Response Secretariat for full activation


5.7 Activation Stage A5 – RECOVERY

Recovery is the stage where the Council is returning to normal working. It will also be a time to undertake a review of actions taken and consider whether there are changes and improvements which could be made to the Council’s plans. If the business continuity incident was the result of a national situation, it is likely that, at a Government level, the national plans would be reviewed and possibly revised which may affect the Council’s proposals.

Reference should be made to the Sussex Resilience Forum ‘Recovery Plan for Sussex’ for a detailed recovery strategy which will depend on the nature of the incident.

Heads of those services that had a particular role to play in the response will hold a debriefing for their staff within one month after the incident has been declared over, or the end of their involvement, whichever is sooner. They will identify where things went well, where they had problems and what could be done better. They will implement any changes that need to be made and advise Emergency Planning.

The Corporate Business Continuity Response Team will hold a debriefing within one month of the incident being declared over. They will identify areas where things went well, where there were problems and what could be done better in future. The Business Continuity plans will be amended accordingly.

If a Strategic Coordinating Group has been set up, ESCC will attend the inter-agency debrief represented by a Strategic representative or Emergency Planning Officer.

5 Action by: Action Required

5a Director of CET Declares the emergency moved to recovery phase and oversees the response

5b Corporate Business Continuity Response Team (CBCRT) Coordinates recovery and re-instatement of services; and prepares updates for Director of CET and EP Team for sit-rep reports

5c Communications Team In liaison with the CBCRT, uploads information for staff and service users on the recovery arrangements

5d Heads of Service, Team Managers + Contract Managers Review implementation of Critical Service BC Plans

5e Department BCM Review implementation of Departmental BC Plans

5f Resilience & Emergencies Team Coordinates corporate debrief and prepares report reviewing actions taken and recommendations for improvements.


6 Recovery – Returning to normal operation

6.1 Return to normal operations

Following any enactment of Business Continuity plans, the Director of CET will request departments or directorates to provide details of their plans for return to normal operations. These actions are set out in section 5.7.

The Corporate Business Continuity Response Team will continue to meet to review the situation until such time as the scale of the incident has diminished to the extent that departmental teams can continue the recovery independently.

6.2 Temporary Measures

The time required for temporary measures will depend on the type of incident and its severity. The Council will endeavour to return to normal activities as soon as practicable. Often this will require a phased approach. The aim is to recover all services within a reasonable and appropriate time frame beginning with the critical services. Regular assessments will be carried out by the Departmental BC teams and progress fed back to the Corporate BC Response Team.


7 Review, Exercising and Training

7.1 Review

To be effective this Plan and supporting documents must reflect up-to-date information, e.g. contacts and working arrangements. To ensure this aim, the plan will be reviewed as set out in paragraph 1.6.

Periodically and also following a business continuity incident, the Resilience & Emergencies Team will instigate a review of the Corporate Business Continuity Plan (this Plan) and its effectiveness. The Plan will be updated to incorporate any improvements identified.

Periodically and also following a business continuity incident, each Department will instigate a review of its department and critical service business continuity plans and their effectiveness. Plans will be updated to incorporate any improvements identified. Advice on business continuity requirements can be provided by the Resilience & Emergencies Team.

The Plans will be subject to internal audit in accordance with the Council’s normal procedures.

7.2 Training and Exercising

All staff engaged in preparing Business Continuity plans and associated documents should receive appropriate training. It is the responsibility of line managers to ensure suitable training is provided as part of the personal development portfolio. The cost of staff training will remain with departments.

The Resilience & Emergencies Team will, where appropriate, arrange update training on the Civil Contingencies Act and any associated documentation and provide sign posting to Business Continuity best practice.

To ensure robustness of the response and to introduce improvements as required, this Corporate Business Continuity Plan will be exercised regularly as agreed by the CBCRT in consultation with the Emergency Planning Manager. The Resilience & Emergencies Team will facilitate these events.

The CBCRT will identify its own business continuity training needs and those of its members and record any training as set out in paragraph 7.3.

7.3 Records

Details of Corporate exercises and staff training should be recorded on the Business Continuity drive.


8 Appendix A Agreed Business Continuity Policy

1. The County Council recognises the importance of an effective Business Continuity Plan and the need for positive leadership in achieving and maintaining that position. There are two key leadership roles:-

• Leading the work of business continuity planning, and
• Leading the process of ensuring business continuity in the event of an emergency i.e. implementation of the plan.

This leadership role rests with Director of Law and Performance Management[2].

Business Continuity Planning

2. Each Department/Directorate will nominate an Assistant Director to be responsible for their Business Continuity. That officer will ensure that their Department assesses its critical services as part of its risk management strategy and lists them in the Risk Management database[3]. They will ensure that departmental plans are produced and where services are contracted out suitable arrangements are made with the service providers and contracts amended where appropriate.

3. During a BC incident the risks or services which have previously been determined as critical to the council as a whole will take priority.

4. As well as the availability of key staff, the other main requirements to ensure business continuity are likely to be the physical and information infrastructure to enable those staff to continue to deliver services. In this context, availability and access to business systems, ICT infrastructure, alternative property, and expert support (e.g. personnel, communications and finance) will be vital.

5. The Business Services Department (BSD) has a lead role in both the development of business continuity plans and in responding should such plans have to be put into effect. The BSD business continuity plan will need to plan for and enact the restoration of these essential infrastructure services in the event of a business continuity incident.

6. The Chief Executive's Department similarly will need to plan for and provide corporate personnel and communication support.

7. A corporate BC plan tying the whole process together will be produced by the Emergency Planning Division in consultation with the nominated Chief Officer. The Emergency Planning Officer with responsibility for BC will provide advice and guidance, and arrange appropriate training and exercises as required.

Business Continuity Implementation

8. The nominated Chief Officer will, in the event of a Business Continuity Incident (as defined in the corporate BC plan) lead a Business Continuity Response Team to manage the council’s recovery. As it may take place at the same time as an external emergency the response to the two activities will, as far as is possible, be kept separate. The team will include the Assistant Directors identified at Para. 2 above, supported and advised by the Emergency Planning Officer with BC planning responsibility.

(Agreed by COMT 12th December 2005)

[2] Now Director of Communities, Economy & Transport
[3] Departments now maintain their own Risk Registers


9 Appendix B Corporate Critical Service list

Adult Social Care and Health Department

Dept/Ref Critical service
Adult Social Care
ASC/ Occupational Therapy and Sensory Impairment Reablement Service
ASC/ Contact And Assessment - Contact And Assessment Team
ASC/ Contact And Assessment - Emergency Duty Service
ASC/ Contact And Assessment - Integrated Community Access Point
ASC/ Neighbourhood Support Teams
ASC/ Directly Provided Services (Older People) - Day Services & Mental Health
ASC/ Directly Provided Services (Older People) - Integrated Night Service
ASC/ Directly Provided Services (Older People) – Joint Community Rehabilitation
ASC/ Directly Provided Services (Learning Disabilities) - Day Services
ASC/ Directly Provided Services (Learning Disabilities) - Residential Services
ASC/ Learning Disability Assessment and Care Management
ASC/ Mental Health Services (including AMHP Services)
Public Health
PH/01 Contribution to the Public Health on-call rota service (service run by the PHE).
PH/02 Public Health advice to partners and public and respond to queries on public health issues.
PH/03 Emergency planning, response coordination, leadership (including for pandemic influenza), and advice and support

Business Services Department

Dept/Ref Critical service
BSD/ Personnel Support Unit
BSD/ Staff Counselling
BSD/ Critical Corporate and Departmental Applications
BSD/ ICT Service Support
BSD/ ICT Core Infrastructure
BSD/ ICT Schools Services
BSD/ Office accommodation and Facilities Management
BSD/ Reactive Building Maintenance - emergency works
BSD/ Bank balances and Electronic transfers (Treasury Management function)
BSD/ Pensions payroll - South East Shared Services
BSD/ Accounts Payable and Purchasing
BSD/ Client Affairs
BSD/ SAP System
BSD/ Payroll
BSD/ Critical Suppliers


Children’s Services Department

Dept/Ref Critical service
CSD/1 Duty and Assessment Teams
CSD/2 Resilience Management (in crisis mode)
CSD/3 Disability Children’s Teams (under 14)
CSD/4 Disability Young Persons Team (14+)
CSD/5 Child Protection Register
CSD/6 Looked After Children – Residential
CSD/7 Emergency Duty Service
CSD/8 Children’s Services Finance
CSD/9 Child Protection (Safeguarding Management Unit)

Communities, Economy & Transport Department

Dept/Ref Critical service
CET/01 Bus network
CET/02 Contact Centre
CET/03 ESCC Fleet
CET/04 Emergency Planning
CET/05 Former landfill sites
CET/06 Highways Maintenance
CET/07 Registration of Deaths
CET/08 School and Social Services Transport
CET/09 Trading Standards – Animal Health
CET/10 Trading Standards – Rapid Action Team
CET/11 Traveller sites
CET/12 Waste Management

Governance Services Department

Dept/Ref Critical service
GCS/01 Communications
GCS/02 Coroners
GCS/03 Democratic Services
GCS/04 Legal Services


10 Appendix C Internal Contacts (Confidential)


11 Appendix D Incident Response Flow Diagram

Emergency or Business Continuity Incident

Strategic Response Group (meet if necessary)

• Chief Executive or Director of CET (Chair)
• Members of Corporate Management Team (CMT)
• Emergency Coordinator (where appointed)
• Business Continuity Lead
• Head of Communications
• Emergency Planning Manager

Resilience & Emergencies Team alerts Director of CET who consults CMT members

Emergency Control Centre

Secretariat

Emergency Response Group
Nominated Emergency Coordinator
Departmental Emergency Managers
Head of Communications
Emergency Planning Manager

Business Continuity Response Team

BC Managers / Coordinators

Departmental Response

Departmental Response


12 Appendix E AGENDA for CBCRT

Corporate BC Response Team
In response to an incident causing a significant issue for business continuity
Date……………Time……………Location…………………………………………

Attendees
Director of Communities, Economy & Transport
Corporate Business Continuity Manager & BCM ASC and Health
BCM BSD
BCM CSD
BCM CET + GS
Emergency Planning Manager
Communications Services Manager
Personnel Manager
Administrative Support
Others

1 Situation update
2 Extent of the departments / critical services affected
3 Initial response strategy
4 Liaison with emergency services
5 Liaison with external agencies
6 Accommodation issues
7 ICT issues
8 Staffing issues
9 Financial issues
10 Communication issues internal – messages to staff / councillors
11 Communication issues external – messages to interested parties
12 Establishing departmental and critical service BC teams
13 Support for at risk critical services
14 Reduction of non-critical services
15 Longer-term issues and recovery process
16 Any Other Business
17 Time and location of next meeting


13 Appendix F Specific Risks – reducing the likelihood or mitigating a disruption

There are the following corporate plans for specific risks. In addition Departments may have identified additional mitigation arrangements within their departmental Plans.

Corporate Plans
Communications Plan – for use in all business continuity and emergency incidents
Emergency Incidence Response Plan (GEP) - used for external emergencies

Substantial reduction of staff (for example due to illness or severe weather, responding to external emergencies)
Lack of fuel (staff unable to get to work) – SRF + ESCC Fuel Plan
Pandemic Flu (large scale absences) – SRF + ESCC Pandemic Flu Plan
Adverse Weather – ESCC Snow Linking Document

Loss of a main Building from which the critical service is provided for a prolonged period.
Identify an alternative site for providing the service
Refer to BSD Business Continuity / Emergency Plans

Technological failure e.g. Loss of electrical power, water supply, IT and /or telecommunications for a prolonged period.
Loss of IT – Disaster Recovery Plan
Loss of Electricity – Standby generator at County Hall and Generator connection points in hub buildings

Loss of an external service provider
Where services are outsourced, departments will, as part of their plans, approach the service provider concerned and confirm their ability to continue to maintain their service level or if not to come to other agreements. Specific agreements should be referred to within the business continuity plans.


14 Appendix G Quick Reference Checklist

Business Continuity Incident: Date:
(Insert name of the critical service)

Responsibility Initials Started Completed

Start a log of actions taken – HoS
Identify any damage – Discoverer / line manager / HoS [4]
Liaise with Emergency Services – As above
Identify Functions disrupted – As above
Advise BCM – HoS
Advise EPO – HoS
Advise Property help desk and/or ICT help desk as appropriate – HoS
Liaise with Department BC team – HoS / BCM / BC Team
Convene your Response / Recovery Team – HoS
Decide on course of action – HoS / BCM
Communicate decisions to staff and business partners – HoS / Comms
Provide public information to maintain reputation and business – HoS / Comms
Plan for return to normality – HoS / BCM / BC Team
Review Business Continuity Plan – HoS / BCM / EPO

HoS=Head of Service; BCM=Departmental Business Continuity Manager; Comms=Departmental Communications Manager; EPO=Resilience & Emergencies Team

[4] Initially by person discovering the incident or their line manager followed by a report to the HoS as soon as possible


15 Appendix H Log Sheet Role / Dept: Page:

Incident: Date:

Time / Date Message / Action taken / Result By whom


16 Appendix I Decision Log

Meeting …………………….. Chair……………….. Loggist……………………..
Date……………Time………Page……

Brief description of issue

Solution 1

Solution 2

Solution 3

Decision Reasoning

Chair Loggist

