NHS Shetland
Internal Audit Report 2017/18
Business Continuity Management
September 2017
Executive Summary 1
Management Action Plan 4
Appendix A – Definitions 13
Audit Sponsor: Ralph Roberts, Chief Executive
Key Contacts: Hazel Sutherland, Head of Planning and Modernisation; Susan Laidlaw, Consultant in Public Health Medicine
Audit team: Paul Kelly, Director; Gary Fraser, IT Auditor
scott-moncrieff.com NHS Shetland Business Continuity Management 1
Executive Summary
Conclusion
Our audit has identified a number of areas for improvement in relation to Business Continuity Planning
within NHS Shetland.
The most significant weakness related to the fact that a detailed Business Impact Analysis (BIA) was
not conducted as part of the development of the current Business Continuity Plans (BCPs). Although a
BIA template was created, staff with responsibility for documenting BCPs did not always use that as
the foundation for preparing their BCPs. As a result, whilst most plans set out critical services, they do
not include details of supporting activities, systems and resources. Without this level of analysis it is
difficult to develop effective recovery strategies.
There is a need to reinvigorate business continuity management processes. This includes the need for
development and implementation of a business continuity management strategy and policy as well as
robust governance arrangements to gain assurance that plans are being maintained and tested. This
should include the development of an improved culture towards business continuity within the Board.
NHS Shetland is currently in the process of reviewing and evaluating existing arrangements. A revised
‘Strategy for Resilience and Business Continuity’ has been drafted and is being submitted to the Board
for approval.
Background and scope
The ability to be able to respond to unexpected events and provide continuity of service is critical to NHS
Shetland and it is essential that formal plans and procedures exist to support NHS Shetland in the event of a
disaster.
The effectiveness of these plans requires a structured and methodical approach to identifying critical business
processes, contingent resources, and optimal recovery strategies as well as robust maintenance and test
processes.
Our audit considered the extent to which NHS Shetland has implemented an effective Business Continuity
Management (BCM) framework and testing of these plans.
Our work identified five improvement actions, one of which related to compliance with existing procedures,
rather than the design of controls themselves. See Appendix A for definitions of colour coding.
Control assessment
1. A BCM framework, including policy and governance arrangements, has been implemented with roles and responsibilities assigned. Rating: Amber
2. Business Continuity Plans demonstrate a comprehensive understanding of the organisation, identifying the key services, as well as the critical activities that support them. Rating: Amber
3. Continuity strategies have been identified for all activities and resources of the organisation, including consideration of the ‘maximum tolerable period of disruption’ and the consequence of inaction. Rating: Amber
4. Comprehensive and robust plans have been developed to manage the initial response to an incident and ensure the continuity of critical activities can be maintained. Rating: Amber
5. Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed. Rating: Amber
6. Business continuity is embedded within the culture of the organisation and has strong support from senior management. There is good awareness of business continuity issues. Rating: Amber
[Chart: Improvement actions by type and priority. Bars show the count of actions (scale 0 to 6) by type (Control Design, Control Operation) and by grade (Grade 1 to Grade 4).]
Key findings
Good practice
We have gained assurance that NHS Shetland’s procedures reflect good practice in the following area:
The prioritisation of key clinical and business systems across the Board.
Areas for improvement
We recognise that the Board currently maintains a number of business continuity plans. However, these arrangements would be enhanced by implementing actions relating to the following issues:
There is a need to reinvigorate business continuity management processes. This includes the
development and implementation of a business continuity management strategy and policy as well as
robust governance arrangements to gain assurance that plans are being maintained and tested. This
should include the development of an improved culture towards business continuity within the Board.
Undertaking a Business Impact Analysis (BIA). This is a vital part of the development of BCPs and involves identification of business critical services. This process is also critical in informing the development of recovery strategies and plans. We found that BCPs have been developed without conducting a detailed BIA process. Most plans we reviewed did contain a list of critical services, but they were not supplemented with details of supporting activities, systems and resources. Without conducting a detailed BIA there is a risk that BCPs do not meet the needs of the organisation. Undertaking a BIA will provide the basis to address a number of other weaknesses identified in the report, e.g. recovery strategies, definition of RTOs (Recovery Time Objectives: the expected recovery timescale) and RPOs (Recovery Point Objectives: the maximum amount of data lost, measured by time) and recording of detailed recovery steps.
There is a need to ensure that BCPs are subject to regular review and testing. 8 of 11 BCPs in our
sample were overdue for review and plans have not been subject to any testing.
These are further discussed in the Management Action Plan below.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Management Action Plan
Control Objective 1: A BCM framework, including policy and governance arrangements, has been implemented with roles and responsibilities assigned.
1.1 Governance
The Board developed a Strategy for Resilience and Business Continuity in 2014. At the time of our review, this
document was under review. The previous Director of Public Health had responsibility for Business Continuity
until early 2016. Responsibility now rests with the Head of Planning & Modernisation.
The Strategy for Resilience and Business Continuity sets out expected governance arrangements. This
included reporting to the Senior Management Team (SMT) as well as the submission of an annual report to the
Board. Whilst we recognise that there was reporting provided to SMT on, for example, the last review dates of
plans, governance does not appear to have been effective as action was not being taken to update those plans
that were overdue for review. The Strategy also sets out the Director of Public Health as the Executive Lead
for business continuity management policy. However, we did not identify any formal policy in place.
Risk
There is a risk that there is a lack of coherent business continuity management policy and strategy in place
within the Board. This could result in confusion around roles and responsibilities. There is also a risk that the
lack of governance in place around business continuity could result in it not being regarded as an important
element in the overall resilience of Board services.
Recommendation
We recommend that the Strategy for Resilience and Business Continuity is updated as planned and includes
clear guidance on roles and responsibilities as well as governance arrangements for business continuity within
the Board. Governance arrangements should include providing assurance to the Board and SMT on progress
with development, maintenance and testing of business continuity plans.
Management Action: Grade 3 (Design), Amber
A draft updated Strategy is being prepared for Board approval.
Action owner: Consultant in Public Health Medicine. Due date: March 2018.
Control Objective 2: Business Continuity Plans demonstrate a comprehensive understanding of the organisation, identifying the key services, as well as the critical activities that support them.
2.1 Business Impact Analysis (BIA)
The purpose of a BIA is to identify and document key services and critical activities along with their supporting
activities, systems and resources. This is typically performed for each critical business process within the
organisation where there is a requirement to have a specific Business Continuity Plan (BCP).
Through interviews with relevant stakeholders, we noted that BIA and risk assessment templates were in place
but were not always shared with those personnel responsible for creating BCPs. As a result, BCPs do not
always contain details of critical business processes. From the sample of BCPs we reviewed as part of our
audit, none of them contained details of supporting activities, systems and resources.
Risk
As the BIA is a critical component in developing recovery strategies and BCPs, there is a risk that recovery
plans do not adequately support the response to a business disruption if supporting activities, systems and
resources are not identified.
Recommendation
We recommend that a BIA process is undertaken to ensure that each department’s key services, along with their supporting activities and resources, are identified and documented. This BIA should be completed in a structured way, taking into account the following key steps:
Identification of each department’s key services/processes and the activities on which these depend, including supporting resources;
Mapping the workflow of the identified key services/processes, ensuring these consider supporting resources; and
Assessing the impact on the organisation in the event of a department’s key services/processes being disrupted.
Management Action: Grade 3 (Design), Amber
NHS Shetland will endeavour to utilise BIAs in a structured way when updating BCPs, where it is appropriate and proportionate to do so.
Action owner: Head of Planning and Modernisation. Due date: June 2018.
Control Objective 3: Continuity strategies have been identified for all activities and resources of the organisation, including consideration of the ‘maximum tolerable period of disruption’ and the consequence of inaction.
3.1 Recovery Strategies
Our audit work identified that the recovery strategies detailed within the current BCPs are not aligned to key business processes. This is primarily because robust BIAs have not been performed (see MAP section 2.1).
Our audit testing of a sample of BCPs identified that RTOs (Recovery Time Objectives) were defined in all plans; however, RPOs (Recovery Point Objectives) were not defined in any plan. We also noted that the Maximum Period of Tolerable Disruption (MPoTD) was not always defined within BCPs.
RTOs relate to the maximum length of time a key service can be unavailable before there is a break in
business continuity; RPOs consider the maximum amount of data (used within a key service) that could be lost
in terms of time, and MPoTDs identify the point in time where the consequences arising are deemed
unacceptable.
Understanding and calculating these metrics allows for more informed recovery strategies to be designed in
addition to helping to guide recovery priorities.
Risk
Without defining detailed recovery strategies for each key business process, there is a risk that the BCP will not
provide appropriate support to a user in the event of disruption.
In the absence of defined RPOs and MPoTDs, departments will not be able to identify when key services/
processes have to be restored.
Recommendation
We recommend management ensure that, once a revised BIA process has been undertaken and completed in
full for each relevant department, detailed and prescriptive recovery strategies are developed. These strategies
should be designed around the return of the identified key services/ processes, ensuring all supporting activities
and resources are included.
In addition, RPOs and MPoTDs should be defined to enable the development of optimal recovery strategies and to allow recovery allocation priorities to be set. Any RPO and MPoTD information should be cross-checked with IT to confirm whether resilience and recovery arrangements are aligned with recovery strategies.
This process should also seek to identify resource conflicts and recovery interdependencies to ensure these
are addressed as part of any business continuity strategy.
Management Action: Grade 3 (Design), Amber
More robust recovery strategies will be put in place through the refresh of the BCPs, including a focus on inter-dependencies and prioritisation of recovery objectives.
Action owner: Head of Planning and Modernisation. Due date: June 2018.
Control Objective 4: Comprehensive and robust plans have been developed to manage the initial response to an incident and ensure the continuity of critical activities can be maintained.
4.1 Business Continuity Plan
We noted that BCPs are in place across areas; however, there is no overall Incident/Crisis Management plan which sets out roles and responsibilities in the event of an incident which impacts on the delivery of services.
We also noted that steps have been taken to identify and prioritise the key clinical systems; however, no assessment has been made of the expected timescale (individually and cumulatively) for their recovery.
Our sample testing of BCPs identified that they did not contain detailed procedures on how recovery would be achieved. For example, our testing noted instances where patients may need to be relocated to the mainland, though the logistics of this were not documented. We also noted recovery actions to revert to manual systems; however, procedures for this had not been documented.
Risk
Without an Incident/Crisis Management plan in place, there is a risk of a lack of clarity on the roles and
responsibilities for senior management in the event of an incident that impacted on service delivery.
Without defining recovery timescales for critical IT systems, departments will be unable to gain assurance that
their recovery plans are achievable.
Without detailed recovery procedures in place, BCPs are unlikely to provide sufficient information to support the
restoration of services within recovery timeframes following a business disruption.
Recommendation
We recommend that an Incident/Crisis Management plan is developed. This should set out the roles and
responsibilities of senior management, communication plans, escalation procedures, event logs, authorisation
levels etc.
We recommend that the recovery timescales for critical IT systems are defined to allow departments to assess whether their BCPs are achievable.
We recommend that BCPs are supplemented with procedures which define how specific recovery processes are to be carried out. These should be structured in a clear, concise and logical manner.
Management Action: Grade 3 (Design), Amber
Building on the existing Hospital Major Emergency Plan, a NHS Shetland Major Incident Plan for NHS Board approval is being developed to include the local command, control and coordination (C3) arrangements for any major incident / crisis.
Action owner: Consultant in Public Health Medicine. Due date: June 2018.
Control Objective 5: Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed.
5.1 Formal Programme of Testing
The 2014 Strategy for Resilience and Business Continuity states that an annual programme of testing will be
produced which will comply with national guidance. We noted that there has not been any formal programme of
testing developed or exercised in the past three years.
It was noted during the course of our audit work that a formal programme for BCP testing was being developed.
Draft plans identified that consideration is being given to desk checking of plans, peer review by a different
department, supported by a guidance checklist. The plan will also put in place arrangements to quality assure
the result of testing. There were no plans to conduct any formal live testing of plans though.
Risk
Without developing and implementing a formal programme of testing, there is the risk that appropriate levels of
testing are not undertaken to establish the ability of the BCP to support an effective and efficient response to a
business disruption.
Recommendation
We recommend that, once all BCPs have been developed and approved, management introduce a risk-based programme of testing for BCPs. This should include a range of tests, including live testing, and simulations of different scenarios. Testing must be targeted at areas which are most susceptible to an incident and/or which would suffer the most adverse consequences.
Live testing seeks to recreate a realistic threat to business continuity. These tests should, where possible,
closely simulate an actual incident to provide assurance that BCPs will aid the return of disrupted business
critical services.
The outcomes of these tests should be formally documented and identify ‘lessons learned’. Plans should be
confirmed as appropriate following completion of tests.
Management Action: Grade 3 (Design), Amber
A framework to put in place a risk based programme of testing of BCPs will be presented to the Board for approval.
Action owner: Head of Planning and Modernisation. Due date: March 2018.
Control Objective 5: Effective processes exist to ensure business continuity arrangements are kept up-to-date and plans are regularly exercised and reviewed.
5.2 Maintenance of plans
A key element of successful business continuity management is ensuring that BCPs are subject to regular
review to confirm that their contents continue to be relevant and that they are capable of supporting an effective
response to a disaster.
As part of our audit work, we selected a sample of 11 BCPs for testing. We identified that eight BCPs were overdue for review, many of which had not been subject to any review since their creation (2013-14). There is a system in place for regularly reminding BCP holders to update their plans, especially where those are overdue. Information on the number of plans which are up to date, and those which are overdue, is provided to the relevant Directors by way of performance reporting arrangements.
Risk
By not reviewing BCPs on a regular basis, there is a risk that plans and recovery arrangements are not fit for
purpose. This could result in confusion in respect of roles and responsibilities and delays in restoring services.
Recommendation
We recommend management ensure that all BCPs are subject to annual review as a minimum. As part of the
annual report to the Board, management should provide confirmation of the latest review dates of all BCPs.
Management Action: Grade 3 (Design), Amber
The existing procedures and reporting arrangements will be refreshed and updated in line with these recommendations and endorsed by the Executive Management Team.
Action owner: Head of Planning and Modernisation. Due date: January 2018.
Control Objective 6: Business continuity is embedded within the culture of the organisation and has strong support from senior management. There is good awareness of business continuity issues.
6.1 Employee Awareness and Training
Our audit found that there is a need to raise the profile of BCM across the various stakeholder groups within NHS Shetland. This is highlighted by our findings at 1.1, 5.1 and 5.2.
It was identified that there has yet to be any awareness training provided for relevant staff (typically responsible
managers) in relation to Business Continuity.
Risk
If a positive business continuity culture is not embedded within NHS Shetland, there is the risk that staff members will not have the required level of knowledge and will not fully understand their responsibilities should BCPs be invoked.
Recommendation
We recommend that there is active promotion by senior management to emphasise the importance of business continuity. This could be in the form of email campaigns or staff newsletters.
In addition to this, we recommend that formal business continuity training is developed and rolled out to
responsible managers. This may be in the form of an eLearning module which staff are required to complete.
Management Action: Grade 3 (Design), Amber
Promotion of business continuity will be addressed by the rollout of the business continuity strategy as stated in 1.1.
Investigation of staff training needs will be carried out for formal and informal training and learning opportunities, with a specific focus on responsible managers.
Action owner: Director of Human Resources / Head of Planning and Modernisation. Due date: 2018-19 Training Plan.
Appendix A – Definitions
Control assessments
R (Red): Fundamental absence or failure of key controls.
A (Amber): Control objective not achieved - controls are inadequate or ineffective.
Y (Yellow): Control objective achieved - no major weaknesses but scope for improvement.
G (Green): Control objective achieved - controls are adequate, effective and efficient.
Management action grades
4: Very high risk exposure - major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3: High risk exposure - absence / failure of key controls that create significant risks within the organisation.
2: Moderate risk exposure - controls are not working effectively and efficiently and may create moderate risks within the organisation.
1: Limited risk exposure - controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
© Scott-Moncrieff Chartered Accountants 2017. All rights reserved. “Scott-Moncrieff” refers to Scott-Moncrieff
Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of
independent firms.
Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of
investment business activities by the Institute of Chartered Accountants of Scotland.