NPS and CRC business continuity management manual This instruction applies to:- Reference:- NOMS Headquarters Providers of Probation Services AI 01/2016 PI 01/2016 Issue Date Effective Date Implementation Date Expiry Date 07 January 2016 07 January 2016 N/A Issued on the authority of NOMS Agency Board For action by All staff responsible for the development and publication of policy and instructions NOMS HQ Public Sector Prisons Contracted Prisons* National Probation Service (NPS) Community Rehabilitation Companies (CRCs) NOMS Immigration Removal Centres (IRCs) NOMS Rehabilitation Contract Services Team Approved Premises Other Providers of Probation Services Governors Heads of Groups Instruction type Service Improvement For information All NPS staff, CRCs and their Sub-Contractors. Provide a summary of the policy aim and the reason for its development/revisi on This instruction sets out the mandatory actions required of the NPS and CRCs in relation to maintaining Business Continuity in times of disruption. Contact Business Continuity and Resilience Team Email: BC&[email protected]Phone: 0300 047 4082 / 0300 047 6905 Governance and Strategy Group Email: [email protected]Associated PSI 13/2014 AI 11/2014 NOMS Business Continuity
Transcript
NPS and CRC business continuity management manual
This instruction applies to:- Reference:-
NOMS Headquarters Providers of Probation Services
AI 01/2016PI 01/2016
Issue Date Effective DateImplementation Date
Expiry Date
07 January 2016 07 January 2016 N/A
Issued on the authority of
NOMS Agency Board
For action by All staff responsible for the development and publication of policy and instructions
NOMS HQ Public Sector Prisons Contracted Prisons* National Probation Service (NPS) Community Rehabilitation Companies (CRCs) NOMS Immigration Removal Centres (IRCs) NOMS Rehabilitation Contract Services Team Approved Premises Other Providers of Probation Services Governors Heads of Groups
Instruction type Service ImprovementFor information All NPS staff, CRCs and their Sub-Contractors.Provide a summary of the policy aim and the reason for its development/revision
This instruction sets out the mandatory actions required of the NPS and CRCs in relation to maintaining Business Continuity in times of disruption.
Contact Business Continuity and Resilience TeamEmail: BC&[email protected]: 0300 047 4082 / 0300 047 6905Governance and Strategy GroupEmail: [email protected]
Associated documents PSI 13/2014 AI 11/2014 NOMS Business Continuity Management ManualPSI 09/2014 AI 06/2014 Incident ManagementMoJ Business Continuity and Incident Management PlansClive House Business Continuity PlanNOMS Agency Business Continuity Risk Register
Replaces the following documents which are hereby cancelled: NoneAudit/monitoring: Mandatory elements of instructions must be subject to management checks and may be subject to self or peer audit by operational line management/contract managers/HQ managers as judged to be appropriate by the managers with responsibility for delivery. In addition, NOMS will have a corporate audit programme that will audit against mandatory requirements to an extent and at a frequency determined from time to time through the appropriate governance.
Introduces amendments to the following documents: (Copies held on the NOMS Intranet/EPIC will be amended; hard copies must be amended or cross referenced locally.)Notes: All Mandatory Actions throughout this instruction are in italics and must be strictly adhered to.
An overview of Business Continuity Management (BCM)Business Continuity Management (BCM)Clarification of what is meant by a Disruptive Event
All staff involved in BCM
3
3.13.6
3.73.83.9
NPS Responsibility for Business Continuity ManagementOverviewResponsibilities for NPS Business Continuity and Resilience TeamResponsibilities for Governance and Strategy GroupResponsibilities for NPS Deputy Directors Responsibilities for local Business Continuity and Resilience Lead
All NPS staff involved in BCM
44.14.24.3
Providing AssuranceOverviewHead of Local Delivery Unit (LDU) responsibilityDeputy Director responsibility
NPS Heads of LDU’s and Deputy Directors.
5
5.1
CRC Responsibility for Business Continuity ManagementResponsibilities for CRC Business Continuity and Resilience Leads.
All CRC Staff involved in BCM
Annex A Business Impact Assessment (BIA) Template All staff involved in BCMAnnex B Business Continuity Plan (BCP) Template All staff involved in BCMAnnex C Assurance Template Heads of LDU’s and
Deputy Directors.Annex DD.1D.2D.3D.4
Guidance on Developing a Business Continuity PlanBusiness Impact AssessmentBusiness Continuity PlanFeatures of Business Continuity PlanningLocal Resilience Forums
All staff involved in BCM
Annex EE.1E.2
Guidance on Testing and ReviewingReviewing and testingDebrief report
All staff involved in BCM
Annex FF.1F.2F.3F.4F.5F.6F.7
F.8F.9F.10
National Operations Coordination CentresIntroductionCoordination CommitteeRole of NOCCLiaisonOperational ArrangementsConvening a Coordination CommitteeActions for DDCs (which includes DDC High Security Estate) Governing Governors, Heads of Groups and Directors and Controllers of Contracted-out PrisonsStaffing of NOCCCommunication with NOCCContact Details
For NPS/CRC information only
Annex G Glossary All staff involved in BCM
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 2
1. Ex ecutive Summary
Background
1.1 This instruction sets out the arrangements necessary to ensure Business Continuity Management (BCM) is performed in accordance with the current British Standard, BS25999 and ISO 22301. All providers of probation services are required to produce and maintain Business Continuity Plans (BCPs) to ensure critical business activities and locations remain operational and that a prompt and efficient recovery of “business as usual” activities takes place in the event of an incident or other disruption affecting premises or resources (including both staff and information).
1.2 It should be noted that this Probation Instruction relates to the management of staff, building premises, data and IT infrastructure, utilities and third-party suppliers in anticipation of, or following a disruptive event, and is intended to link risk assessments, resilience planning, incident management and overall contingency arrangements to return to “business as usual” in a planned, controlled and effective manner.
1.3 The annexed tools must be completed at all NPS locations. CRC locations may utilise them as guidelines. This instruction is not applicable to Electronic Monitoring Services (EMS) and Bail Accommodation and Support Service (BASS) providers as they have their own processes that sit outside the processes described in this instruction.
Desired outcomes
1.4 All staff understand and comply with the BCM processes set out here and ensure that:
Business Impact Assessments (BIAs) are completed. The BIA tool attached at Annex A is designed for the NPS, and must be used and submitted to the Business Continuity & Resilience Team using the BC&R functional mailbox: BC&[email protected]
Potential local and national threats/risks to critical operations are identified and proactively monitored, and where necessary a strategy should be developed for dealing with these eventualities should they materialise.
Business Continuity Plans (BCPs) commensurate with the level of threat/risk are developed and implemented at all NPS and CRC locations and business units. A BCP tool designed for NPS locations is at Annex B and guidance on developing a plan at Annex D.
There is increased awareness of what is meant by BCM and how BIAs and BCPs should be formulated.
Application
1.5 Sections 2 – 4 of this Instruction explain the actions required to implement this policy. Senior managers in the NPS and CRCs must ensure that all relevant staff are familiar with this Instruction.
All staff involved with Business Continuity Management must be familiar with this PI and understand the mandatory nature of the instructions. NPS Deputy Directors and CRC Chief Executives must ensure that all staff are made aware of this instruction.
NPS Deputy Directors and CRC Chief Executives must ensure that all relevant staff are given the opportunity to contribute towards the BIA process, that BCPs are in place and that all staff are made aware of the BCP covering their location.
For BCPs to remain effective they must be regularly reviewed and tested. Staff with responsibility for maintaining BCPs must review and test their plans. As a minimum one risk/scenario every twelve months ensuring that they meet the requirements of ISO 22301. Further guidance on testing can be found in Annex E.
NPS Deputy Directors must ensure that completed BIAs are returned to NOMS BC&R team as detailed in section 3 using the BC&R functional mailbox: BC&[email protected]
NPS Deputy Directors and CRC Chief Executives must ensure that each NPS and CRC location notifies the NOMS BC&R team via the shared mailbox: BC&[email protected], of any major business continuity disruptive events that will significantly affect operations for monitoring purposes. Please note that only those events that meet the definition and scope of disruptive event as specified at section 2.6 and 2.7 of this PI need to be reported using this methodology.
Resource impact
1.7 Maintaining readiness will involve some cost and staff time will need to be allocated to maintaining and updating plans and contract arrangements, and to undertake periodic desktop and live tests.
(Signed)
Digby GriffithDirector of National Operational Services, NOMS
2.1 BCM is a continuous process of risk assessment and management with the purpose of ensuring that the probation service can continue to operate if risks materialise. These risks could be from the external environment (over which we have no control, such as power failure, pandemic flu or extreme weather) or from within, such as deliberate or accidental damage to systems. Business continuity is not just concerned with disaster recovery; it addresses anything that could impose a denial of service or facility (i.e. affect the continuity of service), such as staff shortages.
2.2 BCM centres on a BCP, which must be endorsed by senior management, maintained and subjected to rigorous testing, with at least one test/review every twelve months.
2.3 BCM is about:
Identifying Critical Activities; Understanding the business and establishing what is vital for its continued operation.
Increasing Resilience; Determining how best to reduce the likelihood of a disruptive event.
Robust Planning to minimise the impact of an incident/disruptive event by developing and implementing a response to ensure critical activities and services remain operational
Proactively Monitoring arrangements by exercising, maintaining and reviewing arrangements
2.4 When developing plans for BCM the needs of staff and offenders with disabilities/special requirements must be taken into account and appropriate arrangements must be established.
2.5 NPS and CRC operations have many internal and external dependencies (these include providers, customers, other major stakeholders, IT systems and business processes). These dependencies must be identified at an early stage in the BCM process to ensure the effectiveness of the finalised BCPs.
Clarification of what is meant by a Disruptive Event
2.6 A disruptive event could be:
a threat to staff, safety, buildings or the organisational structure of the NPS/CRC that requires a level of intervention to be taken to restore normal operations.
2.7 A number of different circumstances may lead to a disruptive event, however the impact on the business is likely to involve one of, or a combination of the following issues, which will vary in their degree of severity. Examples of the most likely impacts are:
Loss of, or loss of access to buildingso environmental threats: flooding, storm or other severe weather conditions;o acts of offender/civil disruption or terrorism either aimed directly at locations
or occurring in the surrounding area;o fire or contagion affecting the location or nearby buildings
Staff shortageso industrial action by staffo severe transport disruption
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 5
o serious outbreak of a contagious illness o inability of staff to attend workplace owing to environmental factors
(flood/severe weather) Loss of utilities
o electricity, heating, cooling, gas for cooking or water supply. Loss of data/IT systems
o failure of IT systems/applicationso damage to, or unavailability of paper records
Disruptive events affecting third party suppliers, o financial or contractual difficultieso any of the above impacts affecting suppliers premises
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 6
3. NPS Res ponsibility for Business Continuity Management
3.1 Although all relevant staff must be given the opportunity to contribute to the BIA process, certain groups of staff have specific responsibilities for the formulation and maintenance of plans.
3.2 NPS Deputy Directors are accountable for nominating appropriate staff to develop and manage a BCP for each location within their division. The nominated staff member(s) must be conversant with the local contingency arrangements and incident management procedures. Further guidance on developing a BCP is at Annex D.
3.3 Staff who are based in shared accommodation, either with other Government departments and/or with private sector organisations, must ensure that their requirements are included in the BCPs for their building as a whole. This must also include the arrangements for dealing with emergencies/incidents in the building, such as, fire evacuations.
3.4 Any member of staff who has responsibility for introducing a new team, system (manual or IT based) or procedure, must consider the impact on business continuity and the arrangements that may need to be put in place.
3.5 National level events that are likely to affect large parts of NOMS’s core business (e.g. Industrial Relations disputes or widespread environmental issues) are covered by the arrangements set out at Annex F which is provided for information.
3.6 Responsibilities for NOMS Business Continuity and Resilience Team (NOMS BC&R)
Act as a focal point at HQ for all business continuity matters. Maintain the Initial Response Team arrangements for Clive House. Act as a central resource for co-ordinating, mentoring and sharing of good practice
to support NPS locations and business units in achieving ISO 22301. Act as central liaison for MOJ Business Continuity Planning on behalf of NOMS. Maintain the NOMS Agency level Business Continuity Risk Register. Maintain a NOMS agency-wide register of Business Continuity and Resilience
Leads (BCRLs). Disseminate relevant Business Continuity information via the network of BCRLs. Gather the product of the BIA tool attached at Annex A. Gather data in the event of a widespread disruption. Arrange any nationally led desktop exercises testing BCP’s.
3.7 Responsibilities for NOMS Governance and Strategy Group
Provide assurance that the NPS has functional BIAs and BCPs in place. Co-ordinate and share good practice to support NPS locations and business units in
achieving ISO 22301. Assist the NOMS BC&R team in data collection in the event of a widespread
disruption.
3.8 Responsibilities for NPS Deputy Directors
Appoint a Business Continuity Lead to co-ordinate Business Continuity Management for each location within their division.
Ensure that the completed BIAs are submitted to NOMS BC&R team. Ensure lessons learned from any divisional tests and invoked plans are shared
with the NOMS Business Continuity and Resilience Team. Ensure that local Business Continuity and Resilience Lead notifies the NOMS
BC&R team (copying in [email protected]) of any major Business Continuity disruptive event that may affect a location, in line with points 2.6 – 2.7 above.
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 7
For major disruptive incidents, send immediate notification to the Director of Probation
3.9 Responsibilities for local Business Continuity and Resilience Lead
Carry out a BIA for their office or location using the tool attached at Annex A, and review at least annually
Produce, maintain and test local BCP (Annex B and Annex E) Submit copies of the completed BIA to the NOMS BC&R team and the Deputy
Director (or their nominated representative) for that region. Hold copies of BIA/BCPs. (As per Annex B) Engage with Local Resilience Forum (Annex D) Ensure lessons learned from local level tests or implemented plans are shared
with the Deputy Directors. Notify the Deputy Directors of any Business Continuity related issues that may
affect their local offices. Regularly review the BIA and BCP to ensure information remains up to date. To notify the NOMS BC&R team (via BC&[email protected], copying in
[email protected]) at the earliest possible opportunity of any Business Continuity disruptive event that will significantly affect a location, in line with points 2.6 – 2.7 above.
4.1 It is essential that assurance can be given that individual locations have in place robust and comprehensive BCPs enabling them to maintain business functions following a disruptive event. The assurance template (Annex C) should be used by NPS Heads of Local Delivery Units (LDUs) and Deputy Directors to monitor the completion of plans for individual locations and LDUs respectively.
4.2 Each Head of LDU is responsible for providing assurance to the Deputy Director by populating the annexed template for their area. The assurance template should be submitted to the Deputy Director on completion.
4.3 Deputy Directors are required to provide assurance to the Governance & Strategy Group that each LDU within their region has completed and submitted the template at Annex C. Deputy Directors should utilise Annex C to track the submission rate for completed assurance templates. Once completed this Deputy Director-level assurance template should be submitted to the Governance & Strategy Group.
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 9
5. CRC Responsibility for Business Continuity Management
5.1 All providers of probation services are required to maintain adequate business continuity management systems to ensure critical business activities and locations remain operational. It is also essential that prompt and efficient recovery of “business-as-usual” activities takes place in the event of an incident or other disruption affecting premises or resources (including both staff and information). CRCs are required to ensure that their Business Continuity Arrangements are appropriate and are implemented as defined in the services agreement (Clause 19 – 19.3 a to e inclusive) in accordance with the current British Standard, BS25999 and ISO 22301.
5.2 The assurance responsibilities of Community Rehabilitation Companies in relation to this Probation Instruction will be carried out by the contract managers of each contracted provider.
5.3 As per section 19.3(e) of the Amended and Restated Service Agreement (ARSA) each CRC Chief Executives must ensure that each CRC location notifies the NOMS BC&R team via the shared mailbox: BC&[email protected], of any and all business continuity disruptive events for monitoring purposes in line with the definition and scope of disruptive event as specified at section 2.6 and 2.7 of this PI.
Annex A – Business Impact Assessment (BIA) template
Business Impact Assessment (BIA) for:
Purpose:
All NPS locations need to complete a BIA which identifies critical activities, assessing them against the business continuity risks, as a first step towards the development of a detailed BCP.
This document is for information purposes only. In the event of a disruptive incident the BCP should be consulted.
Date of BIA Date created.Version number & type (e.g. draft, final etc) Current status and version of the document.
File path/hard copy location Details of where this document is stored.Date of Annual BIA Review Details of when this BIA is due to be reviewed.
Name and Title of Officer signing off BIA: The BIA should be signed off by a suitably senior person in the service/organisation.
Document Author Who created the plan.
Details of staff involved in the BIA process
Name Role Contact detailsE.g. Director, Head of Service
Document Control
Date Revision/Amendment Details & Reason Author
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 11
[The following information is important because it can provide you with a lot of the data that will be needed when you populate your Business Continuity Plan.]
[Add more alternative contact lines as appropriate]
Title Contact details Deputy DirectorGovernance and Strategy GroupSenior ManagerAlternative/Out of office Contact (1)Alternative/Out of office Contact (2)
[Give details of locations where your business/service(s) is/are delivered and the approximate numbers of staff based in each location. (Add/delete additional rows as required). Please also indicate whether staff could work remotely and whether arrangements to do so are already in place.]
[Information like this is useful because it can help identify alternative locations or ways of working that might be available. It will also help identify gaps in alternative working arrangements.]
Location and Type
(LDU/Court/AP)
Shared buildin
gY/N
Number of NPS staff
working at
location
Number of NPS
staff that could work
remotely/ from home
Number of NPS
staff that can work
at an alternative location
Number of staff without alternative
arrangements
Details of alternative
working arrangements (I.e. laptops, alternative
working location).
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
Section 1: KEY CONTACT INFORMATION
PAGE 12
Section 2: IMPACT ASSESSMENT
[This section asks you to rate the impact and process for dealing with events that impact on your ability to deliver your business functions. The five categories for events are listed under section 2.7 of PI 01/2016; LOSS OF, OR LOSS OF ACCESS TO BUILDINGS, STAFF SHORTAGES, LOSS OF UTILITIES, LOSS OF DATA/IT SYSTEMS and DISRUPTIVE EVENTS AFFECTING THIRD PARTY SUPPLIERS .
These are only guideline examples, include here anything that may impact on your ability to carry out your business functions. When assessing the strategy for dealing with a disruptive event ensure that the needs of staff/offenders/stakeholders with special requirements are addressed. Include additional sections as necessary.]
Activities
EventDetails of the event i.e fire, loss of IT, staff sickness
Length of time
Impact (High/
Medium/Low)
Likelihood of event occurring (High/Medium/Low)
Justification Give some further information about why you have decided upon the impact rating)
Strategy Key contacts
Loss of access to building
1-2 Days
Low Low This would have a relatively low impact on deadlines.
Arrange for staff capable of working from home to work from home. Inform staff there is no building access.
Senior managerXXXXXX
3-5 Days
Low Low As above. As above. Arrange for parts of workload to be distributed to other teams.
As above
5-7 Days
Medium Low Deadlines may begin to be missed, which would impact on other areas of business.
Arrange for staff to work from alternative locations. For staff with specific requirements ensure the alterative location is suitable – i.e. wheelchair access.
Senior managerXXXXXXDivisional Hub XXXX
8 Days +
High Low Deadlines would be missed which would impact on other areas of the
Ensure as many staff are working from home and
As above
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 13
business. other locations as possible.
High staff sickness level
1-2 Days
Medium Work can be distributed amongst existing staff, dependant on level of work.
Distribute work amongst current staff. Monitor staffing situation.
Human Resources XXXXXXLine ManagerXXXXXX
3-5 Days
High Longer term viability of work sharing is not viable with continued level of sickness. Potential impact upon targets.
As above. Inform senior management. Take steps towards sharing workload. Maintain contact with those off sick.
Senior Management XXXXXX
5-7 Days
High Share workload with other areas. Request emergency staff secondment from other areas/teams.
APU/Court/LDUXXXXXXDDXXXXXX
8 Days +
High Second additional team members from alternative locations.
XXXXXX
1-2 Days
3-5 Days
5-7 Days
8 Days +
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 14
Section 3: RESOURCE REQUIREMENTS
[This section asks you to list the resources required to restore a function to normal. It is useful to communicate any relevant findings of this section with IT service providers (either internal or external) to help specify your technology requirements and the service levels you would expect in a recovery situation. You can add/remove resource types according to your needs.]
Resource Type Normal Amount Requirement
Impact on the function if this resource is unavailable
Likelihood of this resource being unavailable
Minimum requirement by timescale in the event of a disruption
What kind of contingency arrangement is in place to manage the loss of the resource? Write the word Formal/Informal/None as appropriateLow Medium High Low Medium High 1hr 3hrs 1 day 3 days 1week 1week +
Staff E.g. 30 X X 7 15 25 30 30 30E.g. agreement with temp agency to supply staff within 3 hours
Buildings (e.g. for delivery of frontline service)Work station (Desk, PC & Telephone)
E.g.30 0 0 1 1 1 5 E.g. All staff set up to work from home
Specialist IT applications (please specify)Specialist equipmentData (shared files)Internet/Email AccessNetworked PCsLaptopsLandlines
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 15
Mobile PhonesFax MachineWork VehiclesOffice Space (e.g. customer reception points)Car ParkingPaper RecordsOther
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 16
Annex B – Business Continuity Plan template
Business Continuity Plan (BCP)
for:
Purpose: The aim of a BCP is to ensure the organisation has in place documented plans that detail how the organisation will manage a disruptive event, maintain its critical activities to a predetermined level and recover its activities to business as usual. The plan should be easily accessible and contain clear instructions to follow in the event of an incident. It sets out your critical activities and requirements, allowing the NPS Division to manage its priorities.Once completed this document should be stored as follows: 1) A copy within easy access - should you need to evacuate the building in an emergency.2) A copy in the safe.3) A copy in a 'limited access' folder on the shared drive.4. Select staff to maintain a copy in a secure location at home.
Date of BCP Date createdVersion number & type (e.g. draft, final etc) Current status and version of the documentFile path/location Details of where this document is stored.Date of BCP Review Details of when this BCP is due to be
reviewed.
Name and Title of Officer signing off BCP:
The BCP should be signed off by a suitably senior person in the service/organisation.
Document author Who created the planTASKS THAT MUST BE COMPLETED IN ANY MAJOR INCIDENT
1. Inform the Deputy Director XXXXXXX2. Inform the NOMS Business Continuity and Resilience team bc&[email protected] copying in [email protected]. Inform BCP Team members (include details below)4. Contact the MoJ Press Office XXXXXXX ( do not respond to Press enquiries directly ) 5. Contact all relevant contacts (‘Section 4 Internal Staff Contacts’ & ‘Section 5 External Contacts’)6. During incident: Record all critical decisions ('Section 3 Decision Logs')
7. After the incident: Record all lessons learned ('Section 3 Decision Logs')
BUILDINGS – Loss of or loss of accessPopulate the tables in the following sections using the information from the BIA using a headline title. Detailed information on the event will be included in the BIA. Below is a quick reference overview of the arrangements in place.
Event Arrangements in place Key Contacts Resources RequirementsStructural damage
Contact senior management to make them aware. Senior management to contact DD, Estates and building managers to inform of structural damage. If risk of injury to persons contact emergency services. Where no vehicles are available relocate staff/residents via local approved transport method. Where public transport/taxis are not acceptable due to risk contact police.
Agreed alternative working location(s) IT/TelephonyAgreed alternative resident accommodation.Relocate residents/staff using approved transport method.
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 19
STAFF SHORTAGES
Event Arrangements in place Key Contacts Resources RequirementsTransport disruption
Contact staff to ascertain who is available to work. In case of severe shortage contact senior management. Senior management to liaise with local managers to access short term staff cover.
Additional staffAlternative working locationLaptops
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 20
LOSS OF UTILITIES Event Arrangements in place Key Contacts Resources Requirements
Loss of water Contact water boardContact senior management. Senior management to liaise with local areas/Deputy Directors to organise alternative working. Relocate residents/staff to pre-approved location X
Alternative water source (bottled)Alternative working location
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 21
LOSS OF DATA/IT SYSTEMS Event Arrangements in place Key Contacts Resources Requirements
OASYS failure
Forward OASYS checks to divisions/areas/units with access as per arrangements.
Senior Manager XXXXXXXXXXXXXLocal LDU/Court/AP XXXXXXXXGovernance and Strategy Group XXXXXXXDD XXXXXXXIT support XXXXXX
OASYS
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 22
DISRUPTIVE EVENT AFFECTING THIRD PARTY SUPPLIERS Event Arrangements in place Key Contacts Resources Requirements
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 23
Section 2 TEMPORARY RELOCATION SITES
Maintain an up to date list of locations where staff/residents may be relocated to in emergencies. Extra rows can be added as required.
Location Type (Court/AP/LDU)
Address Contact details
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 24
All incidents must be reported as soon as possible to the Deputy Director and the Business Continuity and Resilience team.
It is appreciated that at the time of the initial reporting, not all of the information may be available. Reporting staff MUST ensure incidents are updated and amended as soon as further information becomes available.
Every effort should be made to ensure that all the information contained in this log is accurate and correct as far as possible.
Details of all staff members involved should be included at the time of reporting.
The details of any offender involved in the incident and the role they had in the incident should be included.
Critical decision logDate Details of decision made Decision made by
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
Section 3 DECISION LOGS
PAGE 25
Lessons learned logDate Details of lessons learned Action taken to
implement lessons
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 26
Section 4 INTERNAL STAFF CONTACTSMaintain an up to date contact list for staff and external contacts and suppliers. Extra rows can be added as required.Function Company/
department Name Contact details
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 27
Section 5 EXTERNAL CONTACTSMaintain an up to date contact list for external contacts and suppliers. Extra rows can be added as required.Function Company/
department Name Contact details
Police Area Control room XXXXXXXX
Building contractor
Amey Area Manager X XXXXXXXX
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 28
Annex C – Assurance Template
Assurance Template ANNEX C
This document is to be kept up to date and used to monitor the number of completed and outstanding BIAs and BCPs. In the case of shared premises ensure your plans are aligned locally.
Signed off by Date Review Date
Approved Premises
Total Number of APsTotal Number of Completed BIAs
Total Number of Completed BCPs
Courts
Total Number of
CourtsTotal Number of Completed BIAs
Total Number of Completed BCPs
Offices
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 29
Total Number of
OfficesTotal Number of Completed BIAs
Total Number of Completed BCPs
Approved Premises Checklist
No: Name:BIA
CompletedDate BIA Approved
BCP Completed
Date BCP Approved
BIA / BCP Completed
by:Review
date Single Point of Contact:1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16 17 18 19 20
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 30
Courts Checklist
No: Name:BIA
CompletedDate BIA Approved
BCP Completed
Date BCP Approved
BIA / BCP Completed
by:Review
date Single Point of
Contact:Aligned Locally
1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16 17 18 19 20
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 31
Offices Checklist
No: Name:BIA
CompletedDate BIA Approved
BCP Completed
Date BCP Approved
BIA / BCP Completed
by:Review
date Single Point of
Contact:Aligned Locally
1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16 17 18 19 20
PI 01/2016 AI 01/2016 ISSUE DATE 07/01/2016
PAGE 32
Annex D – Guidance on developing a Business Continuity Plan
Developing a Business Continuity Plan
D.1 Business Impact Assessment (BIA)All NPS locations need to complete a BIA which identifies critical activities, assessing them against the business continuity risks, as a first step towards the development of a detailed BCP.
D1.1 BIAs should focus on critical operations that will need to be continued in the event of business disruption. Consideration should be given to the fact that a location/office may be reliant upon systems, information and/or staff located elsewhere, for example at a data centre, which if lost, would have a knock on effect on performance.
D1.2 Where staff and offenders are considered it is important to take into account any special requirements these individuals may have, for example specialist assistive technology, wheelchair access.
D1.3 The BIA tool attached at Annex A must be used and submitted to NOMS BC&R team using the following functional mailbox: BC&[email protected]
D.2 Business Continuity PlanThe aim of a BCP (Annex B) is to ensure the organisation has in place documented plans that detail how the organisation will manage a disruptive event, maintain its critical activities to a predetermined level and recover its activities to business as usual. The plan should be easily accessible and contain clear instructions to follow in the event of an incident.
The instruction to develop a BCP does not negate the requirement to produce risk assessments.
D2.1 Each plan shall:
have a defined purpose and scope be readily accessible to and understood by those who use it be owned by the nominated BCP lead who is responsible for its review, update and
approval be aligned with NOMS Agency Level Risks contained on the NOMS Business
Continuity Risk Register which can be obtained from: BC&[email protected] ; and must also cover other relevant locally identified risks.
D2.2 Plans shall collectively contain:
Key information and resourcing requirements Key tasks and reference information Defined roles and responsibilities, contact details for people and teams having
authority during and following an incident. A method for recording key information about the incident, actions taken and
decisions made. Details of actions and tasks that need to be performed. Details of the resources required for business continuity and business recovery
at different points in time. Details of business continuity arrangements for staff and offenders who have
disabilities and/or special requirements. Prioritised objectives in terms of the critical activities to be recovered, the
timescales in which they are to be recovered and the recovery levels needed for each critical activity.
Implementation and communications Identified lines of communications, including NOMS press office, who must be
informed of any incident likely to generate media interest. Up to date contact details for any organisations that might be required to support
the response. Contact details for all key stakeholders. Details for managing an incident including; (a) provision for managing issues
that arise during an incident; and (b) processes to enable continuity and recovery of critical activities.
Details on how and under what circumstances the organisation will communicate with; a) employees and their families; b) key stakeholders; and c) emergency contacts.
Details on the organisation’s media response following an incident.
D2.3 Although disruptive events are relatively uncommon, it is essential to be prepared and have plans in place to restart critical operations with the minimum of delay. All staff should know whether they are a key member of staff and what may be expected of them both during and immediately after a disruptive event.
D.3 Features of Business Continuity Management
D3.1 Risk reduction: T he management of risks Once BIAs have been used to identify critical activities, work can progress to assess the likelihood/probability and level of impact of a range of relevant risks to vital operations. This is achieved by identifying and assessing the impact of risks to NPS at both an organisational level, for example, a widespread industrial dispute affecting the whole Service and at a local level - for example, localised high levels of staff sickness in an a particular area affecting the ability to carry out normal business. Once the impacts are understood, the probability of both local and national risks impacting on each critical service will need to be identified and monitored.
D3.2 The types of risk, as well as the likelihood of the level of impact will fluctuate over time. It is therefore important to monitor risks regularly to ensure mitigation plans are prioritised, proportionate and up to date.
D3.3 Planning: Robust Business Continuity Planning (BCP)When considering what a BCP should contain, the following should be considered:
accommodation – alternative location; information technology and telephony; resource implications - human and other resources; ensuring that staff are
aware of the alternative arrangements, have the resources they need and can be productively employed;
third parties – relocation and management arrangements for residents of Approved premises, within pre-approved expenditure levels;
utilities; and recovery of the whole business
D3.4 When drafting the BCP staff should be aware that environmental threats such as flooding or severe weather are some of the most common causes of disruption.
D3.5 Regular review of plans will minimise the impact of any disruptive event, if it occurs. Staff with responsibility for BCPs must ensure that the information contained in plans is as relevant and up to date as is practicable.
D3.6 Plans will need to include developing and implementing a local, divisional and/or national response to ensure critical activities and locations remain operational during a disruptive event.
AI 01/2016 PI 01/2016 ISSUE DATE 07/01/2016
PAGE 34
D3.7 Proactive MonitoringAll BCM activities need to be monitored, maintained and reviewed on a regular basis. Annex E contains further information regarding testing.
D.4 Local Resilience ForumsThe Local Resilience Forum (LRF) makes arrangements for the deployment of mutual aid and resources between its members in times of civil emergency.
The LRFs are composed of representatives of local community public-sector services. They attempt to ensure that available resources are deployed in priority order during emergencies. The NPS/CRC should make contact with the appropriate LRF (via the link below) to ensure their requirements have been taken into account should such an incident occur.
E1.1 For BCPs to remain effective they must be regularly reviewed and tested.
E1.2 At least one risk/scenario and the associated plans must be tested every 12 months as a minimum by means of desktop exercises to ensure they are coherent, logical and practical.
E1.3 To support testing, a suitably detailed, representative incident scenario should be prepared. This will include information as to the date, time and current workload.
E1.4 A full test needs to replicate as far as possible the way in which all stand-by arrangements would be implemented during the recovery of a critical business process or processes including the involvement of external parties. This process tests the completeness of the plans and enables an assessment of:
time objectives, for example to recover the key business processes within a certain time period;
staff preparedness and awareness;
the appropriate allocation of staff and key resources to the implementation of the BCP; and
the awareness, responsiveness and effectiveness of external parties.
E1.5 Even the most comprehensive test cannot cover everything. For example, where a disruptive event may result in an injury of a member of staff, the reaction of other staff to a crisis cannot be tested and the plans will need to make allowance for this.
E1.6 These tests form part of the quality assurance process, ensuring that the BIA and BCP are kept up to date. The BIA and BCP should be reviewed regularly to ensure that key information, such as telephone numbers, remains current.
E1.7 It is the responsibility of the named member of staff, responsible for signing off the BCP to ensure that the BIA and BCP documents remain up to date.
E.2 Debrief Report
E2.1 Debrief sessions should be held immediately after the test has concluded, and minutes of these sessions taken. The minutes will then form the basis of a debrief report. The report will provide a general account of the discussions and should include: performance against test objectives, agreed corrective action, and who will take the action and within what timescales. A follow-up, lessons learned meeting should then be held within a week of the test to consider issues once participants have had time to reflect.
E2.2 The details and results of the test and debrief report should be kept on file and the Business Continuity and Resilience Team informed upon completion. For quality assurance purposes a copy of this information should be retained and may be requested at any time
AI 01/2016 PI 01/2016 ISSUE DATE 07/01/2016
PAGE 36
Annex F – RESPONDING TO BUSINESS CONTINUITY EVENTS ON A NATIONAL SCALE (NATIONAL OPERATIONS COORDINATION CENTRES)
F1 Introduction - This section applies to all establishments and other NOMS sites and business units. The Prison Service needs to have effective systems in place to deal with Business Continuity events on a national scale. These could be events that affect the country as a whole, for example, severe weather conditions, or events that are specific to the Service, for example, industrial disputes. In both cases these events will, to a greater or lesser degree, affect the Service’s ability to carry out normal operations. These systems will:
ensure the Service’s operational capabilities remain intact;
allow the potential impact of any nationwide Business Continuity event to be adequately assessed and responded to; and
enable the Service to participate fully in any government-wide response.
F1.1 National Operations Coordination Centre (NOCC) is situated in Gold Command 7 th Floor, Clive House. The suite acts as the focal point for the receipt, analysis and dissemination of information relating to any Business Continuity event. Information will be received into the suite primarily by the internal email system. However contact can also be made by telephone or fax (see E10 for contact details).
Arrangements for handling national Business Continuity events fall outside the scope of normal incident control procedures.
F2 Coordination Committee - Dependant upon the nature of the Business Continuity event a Coordination Committee (CC) may or may not be set up. The role of the CC is to consider the impact assessment information being received into the centre and to decide upon the most appropriate strategy for responding, for example, if it clear that a situation is escalating to the point where there is a risk to the safe running of prisons then the CC would take the necessary steps to mitigate the risk, for example, invoking mutual aid arrangements.
F2.1 Where prior warning has been received about an event and there is sufficient time to put in place contingency measures, thus reducing the impact on normal operations, there would normally be no need for a CC. In such circumstances the NOU and the NOMS BC&R team in conjunction with the lead business area, would monitor and report on the event. By contrast, a CC would oversee no-notice, longer term or high impact events, such as a fuel crisis or wide scale industrial unrest.
F3 Role of NOCC – Whatever the nature of a specific event, NOCC has five main aims:
AI 01/2016 PI 01/2016 ISSUE DATE 07/01/2016
Annex F is included for NPS / CRC information only.
The text below is an extract from AI 11/2014 / PSI 13/2014 (NOMS Business Continuity Manual) and details NOMS’ approach to business continuity events on a national scale.
PAGE 37
I. to obtain relevant information from across the Service, as well as from contractors and suppliers, about projected and actual problems caused by the Business Continuity event;
II. to collate and analyse the data received to obtain an overview of the Service-wide position and to identify specific problems that require immediate action;
III. to brief and present situation reports to senior staff, Ministers and, where appropriate, other Government departments, for example, the Cabinet Office, Department of the Environment, Food and Rural Affairs (Defra), Metropolitan Police and other police forces;
IV. to commission and coordinate action to deal with problems caused by the Business Continuity event, for example, reallocation of resources between establishments; and
V. to maintain accurate records of all relevant communications to and from the field. F4 Liaison - NOCC will handle initial liaison with contacts outside the Service. In cases where
central coordination between government departments is required, the Cabinet Office usually takes the lead – managing the process from its Cabinet Office Briefing Room (COBR). Officials from the main government departments, including the Home Office, attend COBR meetings. In turn, staff in MOJ will coordinate the activities of the Department as a whole, including its executive agencies, through its arrangements at 102 Petty France.
F4.1 COBR and MOJ’s respective reporting requirements will usually dictate the frequency of situation reports sought by NOCC from the field.
F4.2 NOCC, either through the CC or NEMC will seek to ensure that the Service’s concerns are given due consideration and that its interests are safeguarded.
F5 Operational Arrangements - NOU must maintain NOCC in a state of operational readiness. The NOU must carry out regular checks of the IT and telephony systems (these are detailed in local NOU work instructions) and organise for an annual live test of the arrangements.
F5.1 If there is sufficient time to prepare for a Business Continuity event i.e. notice is given of future events, then the NOU will work with key stakeholders to produce an impact assessment form. This form will then be sent out to the target audience, normally Governors and Heads of Group, ahead of time, for completion and return to NOCC at the time of the event.
F5.2 In the event of a no notice Business Continuity event, contact will initially be made with either the NOU Duty Officer or the Duty Director who will then make contact with Gold Command/NOMS BC&R team. Any decision to open NOCC will, ordinarily, be taken by the Head of Operations, in consultation with the Duty Director and/or other members of NEMC.
F5.3 NOU and NOMS BC&R team, in consultation with the Duty Director, will consider establishing a CC.
F6 Convening a CC - The membership of any CC will reflect the specific Business Continuity event facing the service. In general however it will comprise:
I. Head of Public Sector Prisons;
II. Head of Operational Services;
AI 01/2016 PI 01/2016 ISSUE DATE 07/01/2016
PAGE 38
III. Head of Security;
IV. Member(s) of NOMS BC&R team
V. Legal Advisors representative;
VI. Humans Resources representative;
VII. Commissioning and Commercial representative;
VIII. Prisoner Escort and Custody services (PECS) representative;
IX. PS Press Office representative; and
X. Other representatives depending on the nature of the event
F7 Actions for DDCs, Governing Governors, Heads of Group and Directors and Controllers of contracted-out establishments – all will be placed on notice and informed as to what information (usually in the form of an impact assessment) will be required from them. This information must be sent into the NOCC suite, usually as an e-mail attachment, in the correct format and by the time requested.
F7.1 DDCs, Governing Governors, Heads of Group and Directors and Controllers of contracted-out establishments must establish contingency plans to deal with NOCC’s requirements. Most importantly this will include nominating an individual/s with responsibility for a) collating any information required by NOCC and b) acting as a liaison point for the duration of the event. NOU will be responsible for reporting on the performance of establishments to DDCs and the Deputy Director for Contracted-out Prisons i.e. whether or not they provided the required information and on time.
F8 Staffing of NOCC
F8.1 NOCC at Clive House - NOU will organise the staffing of the suite. They will maintain a call out list of trained personnel that can staff the suite 24/7. Other HQ Groups with vested interests in a specific Business Continuity event will also be expected to provide staff, for example, Human Resources have provided staff to monitor the impact of industrial disputes.
F9 Communication with NOCC - The normal means of communicating with NOCC will be by internal e-mail. If however, as result of a breakdown in the IT system e-mail communication cannot be made, then contact would be made by fax, phone or to a standalone Internet address.
F10 Contact Details - The main contact details referred to in this chapter are:
NOCC A internal email Nocc, 1 Nocc, 2
Nocc, 3Nocc, 4
Initial Telephone Contact Number 0207 147 4021
Advice Line 0207 147 4024
AI 01/2016 PI 01/2016 ISSUE DATE 07/01/2016
PAGE 39
Annex G – Glossary
ARSA - Amended and Restated Service Agreement BASS - Bail Accommodation and Support ServiceBCM - Business Continuity ManagementBC&R - Business Continuity and ResilienceBCP - Business Continuity PlanBCRL - Business Continuity and Resilience LeadBIA - Business Impact Assessment CC - Coordination CommitteeCOBR - Cabinet Office Briefing RoomCRC - Community Rehabilitation CompanyEMS - Electronic Monitoring ServiceLRF - Local Resilience ForumNEMC - NOMS Executive Management CommitteeNOCC - National Operations Coordination CentreNOU - National Operations UnitNPS - National Probation ServicePECS - Prisoner Escort and Custody Services
