NHS Shetland Internal Audit Report 2017/18 Business Continuity Management September 2017
Page 1: NHSSHE BCP report final - NHS Shetland · Internal Audit Report 2017/18 Business Continuity Management September 2017 . NHS Shetland Internal Audit Report 2017/18 Business Continuity

NHS Shetland

Internal Audit Report 2017/18

Business Continuity Management

September 2017


NHS Shetland

Internal Audit Report 2017/18

Business Continuity Management

Executive Summary 1

Management Action Plan 4

Appendix A – Definitions 13

Audit Sponsor: Ralph Roberts, Chief Executive

Key Contacts: Hazel Sutherland, Head of Planning and Modernisation; Susan Laidlaw, Consultant in Public Health Medicine

Audit team: Paul Kelly, Director; Gary Fraser, IT Auditor


scott-moncrieff.com NHS Shetland Business Continuity Management 1

Executive Summary

Conclusion

Our audit has identified a number of areas for improvement in relation to Business Continuity Planning within NHS Shetland.

The most significant weakness related to the fact that a detailed Business Impact Analysis (BIA) was not conducted as part of the development of the current Business Continuity Plans (BCPs). Although a BIA template was created, staff with responsibility for documenting BCPs did not always use that as the foundation for preparing their BCPs. As a result, whilst most plans set out critical services, they do not include details of supporting activities, systems and resources. Without this level of analysis it is difficult to develop effective recovery strategies.

There is a need to reinvigorate business continuity management processes. This includes the need for development and implementation of a business continuity management strategy and policy as well as robust governance arrangements to gain assurance that plans are being maintained and tested. This should include the development of an improved culture towards business continuity within the Board.

NHS Shetland is currently in the process of reviewing and evaluating existing arrangements. A revised ‘Strategy for Resilience and Business Continuity’ has been drafted and is being submitted to the Board for approval.

Background and scope

The ability to respond to unexpected events and provide continuity of service is critical to NHS Shetland, and it is essential that formal plans and procedures exist to support NHS Shetland in the event of a disaster.

The effectiveness of these plans requires a structured and methodical approach to identifying critical business processes, contingent resources, and optimal recovery strategies as well as robust maintenance and test processes.

Our audit considered the extent to which NHS Shetland has implemented an effective Business Continuity Management (BCM) framework and testing of these plans.


Our work identified five improvement actions, one of which related to compliance with existing procedures, rather than the design of controls themselves. See Appendix A for definitions of colour coding.

Control assessment

1. A BCM framework, including policy and governance arrangements, has been implemented with roles and responsibilities assigned. Assessment: Amber

2. Business Continuity Plans demonstrate a comprehensive understanding of the organisation, identifying the key services, as well as the critical activities that support them. Assessment: Amber

3. Continuity strategies have been identified for all activities and resources of the organisation, including consideration of the ‘maximum tolerable period of disruption’ and the consequence of inaction. Assessment: Amber

4. Comprehensive and robust plans have been developed to manage the initial response to an incident and ensure the continuity of critical activities can be maintained. Assessment: Amber

5. Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed. Assessment: Amber

6. Business continuity is embedded within the culture of the organisation and has strong support from senior management. There is good awareness of business continuity issues. Assessment: Amber

[Chart: Improvement actions by type and priority. Bars count actions by Control Design and Control Operation against management action Grades 1 to 4 (vertical axis 0 to 6). The chart itself is not reproduced in this transcript.]


Key findings

Good practice

We have gained assurance that NHS Shetland’s procedures reflect good practice in the following area:

• The prioritisation of key clinical and business systems across the Board.

Areas for improvement

We recognise that the Board currently maintains a number of business continuity plans. However, it would be enhanced by implementing actions relating to the following issues:

• There is a need to reinvigorate business continuity management processes. This includes the development and implementation of a business continuity management strategy and policy as well as robust governance arrangements to gain assurance that plans are being maintained and tested. This should include the development of an improved culture towards business continuity within the Board.

• Undertaking a Business Impact Analysis (BIA). This is a vital part of development of BCPs and involves identification of business critical services. This process is also critical in informing the development of recovery strategies and development of plans. We found that BCPs have been developed without conducting a detailed BIA process. Most plans we reviewed did contain a list of critical services but they were not supplemented with details of supporting activities, systems and resources. Without conducting a detailed BIA there is a risk that BCPs do not meet the needs of the organisation. Undertaking a BIA will provide the basis to address a number of other weaknesses identified in the report, e.g. recovery strategies, definition of RTOs (Recovery Time Objectives, the expected recovery timescale) and RPOs (Recovery Point Objective, the maximum amount of data lost measured by time) and recording of detailed recovery steps.

• There is a need to ensure that BCPs are subject to regular review and testing. 8 of 11 BCPs in our sample were overdue for review and plans have not been subject to any testing.

These are further discussed in the Management Action Plan below.

Acknowledgements

We would like to thank all staff consulted during this review for their assistance and co-operation.


Management Action Plan

Control Objective 1: A BCM framework, including policy and governance arrangements, has been implemented with roles and responsibilities assigned.

1.1 Governance

The Board developed a Strategy for Resilience and Business Continuity in 2014. At the time of our review, this document was under review. The previous Director of Public Health had responsibility for Business Continuity until early 2016. Responsibility now rests with the Head of Planning & Modernisation.

The Strategy for Resilience and Business Continuity sets out expected governance arrangements. This included reporting to the Senior Management Team (SMT) as well as the submission of an annual report to the Board. Whilst we recognise that there was reporting provided to SMT on, for example, the last review dates of plans, governance does not appear to have been effective as action was not being taken to update those plans that were overdue for review. The Strategy also sets out the Director of Public Health as the Executive Lead for business continuity management policy. However, we did not identify any formal policy in place.

Risk

There is a risk that there is a lack of coherent business continuity management policy and strategy in place within the Board. This could result in confusion around roles and responsibilities. There is also a risk that the lack of governance in place around business continuity could result in it not being regarded as an important element in the overall resilience of Board services.

Recommendation

We recommend that the Strategy for Resilience and Business Continuity is updated as planned and includes clear guidance on roles and responsibilities as well as governance arrangements for business continuity within the Board. Governance arrangements should include providing assurance to the Board and SMT on progress with development, maintenance and testing of business continuity plans.

Management Action (Grade 3, Design)

A draft updated Strategy is being prepared for Board approval.

Action owner: Consultant in Public Health Medicine. Due date: March 2018.

Control assessment: Amber


Control Objective 2: Business Continuity Plans demonstrate a comprehensive understanding of the organisation, identifying the key services, as well as the critical activities that support them.

2.1 Business Impact Analysis (BIA)

The purpose of a BIA is to identify and document key services and critical activities along with their supporting activities, systems and resources. This is typically performed for each critical business process within the organisation where there is a requirement to have a specific Business Continuity Plan (BCP).

Through interviews with relevant stakeholders, we noted that BIA and risk assessment templates were in place but were not always shared with those personnel responsible for creating BCPs. As a result, BCPs do not always contain details of critical business processes. From the sample of BCPs we reviewed as part of our audit, none of them contained details of supporting activities, systems and resources.

Risk

As the BIA is a critical component in developing recovery strategies and BCPs, there is a risk that recovery plans do not adequately support the response to a business disruption if supporting activities, systems and resources are not identified.

Recommendation

We recommend that a BIA process is undertaken to ensure that each department’s key services, along with their supporting activities and resources, are identified and documented. This BIA should be completed in a structured way taking into account the following key steps:

• Identification of each department’s key services/processes and the activities on which these depend, including supporting resources;

• Mapping the workflow of the identified key services/processes, ensuring these consider supporting resources; and

• Assessing the impact on the organisation in the event of a department’s key services/processes being disrupted.

Management Action (Grade 3, Design)

NHS Shetland will endeavour to utilise BIAs in a structured way when updating BCPs, where it is appropriate and proportionate to do so.

Action owner: Head of Planning and Modernisation. Due date: June 2018.

Control assessment: Amber


Control Objective 3: Continuity strategies have been identified for all activities and resources of the organisation, including consideration of the ‘maximum tolerable period of disruption’ and the consequence of inaction.

3.1 Recovery Strategies

Our audit work identified that the recovery strategies detailed within the current BCP are not aligned to key business processes. This is primarily due to robust BIAs not being performed (MAP section 2.1).

Our audit testing of a sample of BCPs identified that RTOs (Recovery Time Objective) were defined in all plans; however, the RPO (Recovery Point Objective) was not defined in any plan. We also noted that the Maximum Period of Tolerable Disruption (MPoTD) was not always defined within BCPs.

RTOs relate to the maximum length of time a key service can be unavailable before there is a break in business continuity; RPOs consider the maximum amount of data (used within a key service) that could be lost, expressed in terms of time; and MPoTDs identify the point in time at which the consequences arising are deemed unacceptable.

Understanding and calculating these metrics allows for more informed recovery strategies to be designed, in addition to helping to guide recovery priorities.

Risk

Without defining detailed recovery strategies for each key business process, there is a risk that the BCP will not provide appropriate support to a user in the event of disruption.

In the absence of defined RPOs and MPoTDs, departments will not be able to identify when key services/processes have to be restored.

Recommendation

We recommend management ensure that, once a revised BIA process has been undertaken and completed in full for each relevant department, detailed and prescriptive recovery strategies are developed. These strategies should be designed around the return of the identified key services/processes, ensuring all supporting activities and resources are included.

In addition, RPOs and MPoTDs should be defined to enable the development of optimal recovery strategies and to allow recovery allocation priorities to be set. Any RPO and MPoTD information should be cross-checked with IT to confirm whether resilience and recovery arrangements are aligned with recovery strategies.

This process should also seek to identify resource conflicts and recovery interdependencies to ensure these are addressed as part of any business continuity strategy.

Management Action (Grade 3, Design)

More robust recovery strategies will be put in place through the refresh of the BCPs, including a focus on inter-dependencies and prioritisation of recovery objectives.

Action owner: Head of Planning and Modernisation. Due date: June 2018.

Control assessment: Amber
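The cross-check recommended in 3.1 can be mechanised once a BIA has produced RTO, RPO and MPoTD figures per service and IT has supplied its backup and restore figures per system. The Python below is an added example, not code from the report or from NHS Shetland: it flags undefined metrics, an RTO later than the MPoTD, an RPO tighter than IT's backup interval, and (going beyond 3.1, into the cumulative recovery timescales of 4.1 and the annual review of 5.2) a cumulative restore time longer than the RTO and an overdue plan review. The IT register, plan entries, review period and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class ItSystem:
    """One entry from IT's resilience register (constructed for this example)."""
    name: str
    backup_interval_hours: float  # gap between recoverable copies; bounds the achievable RPO
    restore_time_hours: float     # time IT needs to bring the system back; bounds the RTO


@dataclass
class BcpEntry:
    """Recovery metrics recorded in one departmental BCP (constructed)."""
    service: str
    rto_hours: Optional[float]    # Recovery Time Objective
    rpo_hours: Optional[float]    # Recovery Point Objective (data loss measured in time)
    mpotd_hours: Optional[float]  # Maximum Period of Tolerable Disruption
    depends_on: List[str]         # IT systems the key service cannot operate without
    last_reviewed: date


def check_entry(entry: BcpEntry, systems: Dict[str, ItSystem], today: date,
                review_period: timedelta = timedelta(days=365)) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one BCP entry; an empty list means consistent."""
    findings = []
    # 1. Every metric the plan is expected to carry must actually be defined.
    for label, value in (("RTO", entry.rto_hours), ("RPO", entry.rpo_hours),
                         ("MPoTD", entry.mpotd_hours)):
        if value is None:
            findings.append(("UNDEFINED", f"{label} not defined"))
    # 2. Recovery must complete before the consequences become unacceptable.
    if (entry.rto_hours is not None and entry.mpotd_hours is not None
            and entry.rto_hours > entry.mpotd_hours):
        findings.append(("RTO_EXCEEDS_MPOTD",
                         f"RTO {entry.rto_hours}h is later than MPoTD {entry.mpotd_hours}h"))
    # 3. Cross-check with IT: backup interval against RPO, restore times against RTO.
    #    Cumulative time assumes dependent systems are restored one after another
    #    (the conservative case; parallel restoration would only shorten it).
    cumulative = 0.0
    for name in entry.depends_on:
        system = systems.get(name)
        if system is None:
            findings.append(("UNKNOWN_DEPENDENCY", f"{name} is not in the IT register"))
            continue
        cumulative += system.restore_time_hours
        if entry.rpo_hours is not None and system.backup_interval_hours > entry.rpo_hours:
            findings.append(("RPO_UNSUPPORTED",
                             f"{name} backup interval {system.backup_interval_hours}h "
                             f"exceeds RPO {entry.rpo_hours}h"))
    if entry.rto_hours is not None and cumulative > entry.rto_hours:
        findings.append(("RTO_UNACHIEVABLE",
                         f"cumulative IT restore time {cumulative}h exceeds RTO {entry.rto_hours}h"))
    # 4. Annual review as a minimum (assumed review period of 365 days).
    if today - entry.last_reviewed > review_period:
        findings.append(("REVIEW_OVERDUE", f"last reviewed {entry.last_reviewed.isoformat()}"))
    return findings


def run_checks(plans: List[BcpEntry], systems: Dict[str, ItSystem],
               today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Run check_entry over every plan, keyed by service name."""
    return {plan.service: check_entry(plan, systems, today) for plan in plans}


# Constructed sample data: a small IT register and three BCP entries.
SAMPLE_SYSTEMS = {s.name: s for s in (
    ItSystem("PatientAdmin", backup_interval_hours=24, restore_time_hours=8),
    ItSystem("LabResults", backup_interval_hours=1, restore_time_hours=4),
)}
SAMPLE_PLANS = [
    BcpEntry("Outpatient clinics", 12, 4, 24, ["PatientAdmin"], date(2017, 3, 1)),
    BcpEntry("Pharmacy", 48, None, 24, ["PatientAdmin", "LabResults"], date(2014, 1, 15)),
    BcpEntry("Ward admissions", 2, 1, None, ["LabResults", "Bedboard"], date(2017, 6, 1)),
]

if __name__ == "__main__":
    for service, findings in run_checks(SAMPLE_PLANS, SAMPLE_SYSTEMS, date(2017, 9, 1)).items():
        print(service, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Each finding maps to one of the gaps the report describes, so the output doubles as the evidence list for the annual report to the Board.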


Control Objective 4: Comprehensive and robust plans have been developed to manage the initial response to an incident and ensure the continuity of critical activities can be maintained.

4.1 Business Continuity Plan

We noted that BCPs are in place across areas; however, there is no overall Incident/Crisis Management plan which sets out roles and responsibilities in the event of an incident which impacts on the delivery of services.

We also noted that steps have been taken to identify and prioritise the key clinical systems; however, no assessment has been made on the expected timescale (individually and cumulatively) for the recovery of these.

Our sample testing of BCPs identified that they did not contain detailed procedures on how recovery would be achieved. For example, our testing noted instances where patients may require to be relocated to the mainland, though the logistics around this were not documented. We also noted recovery actions to revert to manual systems; however, procedures for this had not been documented.

Risk

Without an Incident/Crisis Management plan in place, there is a risk of a lack of clarity on the roles and responsibilities for senior management in the event of an incident that impacted on service delivery.

Without defining recovery timescales for critical IT systems, departments will be unable to gain assurance that their recovery plans are achievable.

Without detailed recovery procedures in place, BCPs are unlikely to provide sufficient information to support the restoration of services within recovery timeframes following a business disruption.

Recommendation

We recommend that an Incident/Crisis Management plan is developed. This should set out the roles and responsibilities of senior management, communication plans, escalation procedures, event logs, authorisation levels etc.

We recommend that the timescales for recovery of critical IT systems are defined to allow departments to assess whether their BCPs are achievable.

We recommend that BCPs are supplemented with procedures which define how specific recovery processes are carried out. These should be structured in a clear, concise and logical manner.

Management Action (Grade 3, Design)

Building on the existing Hospital Major Emergency Plan, an NHS Shetland Major Incident Plan for NHS Board approval is being developed to include the local command, control and coordination (C3) arrangements for any major incident / crisis.

Action owner: Consultant in Public Health Medicine. Due date: June 2018.

Control assessment: Amber


Control Objective 5: Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed.

5.1 Formal Programme of Testing

The 2014 Strategy for Resilience and Business Continuity states that an annual programme of testing will be produced which will comply with national guidance. We noted that there has not been any formal programme of testing developed or exercised in the past three years.

It was noted during the course of our audit work that a formal programme for BCP testing was being developed. Draft plans identified that consideration is being given to desk checking of plans and peer review by a different department, supported by a guidance checklist. The plan will also put in place arrangements to quality assure the result of testing. There were no plans to conduct any formal live testing of plans, though.

Risk

Without developing and implementing a formal programme of testing, there is the risk that appropriate levels of testing are not undertaken to establish the ability of the BCP to support an effective and efficient response to a business disruption.

Recommendation

We recommend that, once all BCPs have been developed and approved, management introduce a risk-based programme of testing for BCPs. This should include a range of tests, including live testing, and simulations of different scenarios. Testing must be targeted at areas most susceptible to an incident and/or those that would suffer the most adverse consequences.

Live testing seeks to recreate a realistic threat to business continuity. These tests should, where possible, closely simulate an actual incident to provide assurance that BCPs will aid the return of disrupted business critical services.

The outcomes of these tests should be formally documented and identify ‘lessons learned’. Plans should be confirmed as appropriate following completion of tests.

Management Action (Grade 3, Design)

A framework to put in place a risk based programme of testing of BCPs will be presented to the Board for approval.

Action owner: Head of Planning and Modernisation. Due date: March 2018.

Control assessment: Amber


Control Objective 5: Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed.

5.2 Maintenance of plans

A key element of successful business continuity management is ensuring that BCPs are subject to regular review to confirm that their contents continue to be relevant and that they are capable of supporting an effective response to a disaster.

As part of our audit work, we selected a sample of 11 BCPs for testing. We identified that eight BCPs were overdue for review, many of which have not been subject to any review since their creation (2013-14). There is a system in place of regularly reminding BCP holders to update their plans, especially where those are overdue. Information is provided, by way of performance reporting arrangements, on the number of plans which are up to date, and those which are overdue, to the relevant Directors.

Risk

By not reviewing BCPs on a regular basis, there is a risk that plans and recovery arrangements are not fit for purpose. This could result in confusion in respect of roles and responsibilities and delays in restoring services.

Recommendation

We recommend management ensure that all BCPs are subject to annual review as a minimum. As part of the annual report to the Board, management should provide confirmation of the latest review dates of all BCPs.

Management Action (Grade 3, Design)

The existing procedures and reporting arrangements will be refreshed and updated in line with these recommendations and endorsed by the Executive Management Team.

Action owner: Head of Planning and Modernisation. Due date: January 2018.

Control assessment: Amber


Control Objective 6: Business continuity is embedded within the culture of the organisation and has strong support from senior management. There is good awareness of business continuity issues.

6.1 Employee Awareness and Training

Our audit found that there is a need to raise the profile of BCM across the various stakeholder groups within NHS Shetland. This is highlighted by our findings at 1.1, 5.1 and 5.2.

It was identified that there has yet to be any awareness training provided for relevant staff (typically responsible managers) in relation to Business Continuity.

Risk

If a positive business continuity culture is not embedded within NHS Shetland, there is the risk that staff members will not have the required level of knowledge and will not fully understand their responsibilities should BCPs be invoked.

Recommendation

We recommend that there is active promotion by senior management to emphasise the importance of business continuity. This could be in the form of email campaigns or staff newsletters.

In addition to this, we recommend that formal business continuity training is developed and rolled out to responsible managers. This may be in the form of an eLearning module which staff are required to complete.

Management Action (Grade 3, Design)

Promotion of business continuity will be addressed by the rollout of the business continuity strategy as stated in 1.1.

Investigation of staff training needs will be carried out for formal and informal training and learning opportunities, with a specific focus on responsible managers.

Action owner: Director of Human Resources / Head of Planning and Modernisation. Due date: 2018-19 Training Plan.

Control assessment: Amber


Appendix A – Definitions

Control assessments

R (Red): Fundamental absence or failure of key controls.

A (Amber): Control objective not achieved - controls are inadequate or ineffective.

Y (Yellow): Control objective achieved - no major weaknesses but scope for improvement.

G (Green): Control objective achieved - controls are adequate, effective and efficient.

Management action grades

4: Very high risk exposure - major concerns requiring immediate senior attention that create fundamental risks within the organisation.

3: High risk exposure - absence / failure of key controls that create significant risks within the organisation.

2: Moderate risk exposure - controls are not working effectively and efficiently and may create moderate risks within the organisation.

1: Limited risk exposure - controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.


© Scott-Moncrieff Chartered Accountants 2017. All rights reserved. “Scott-Moncrieff” refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms.

Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.

