HSPOL13 Business Continuity Policy v6


Business Continuity Policy

Version: V6

Ratified by: Finance & Investment Committee

Date ratified: 03/01/2024

Job Title of author: Emergency Preparedness Resilience and Response (EPRR) Manager

Reviewed by Committee or Expert Group: Property, Health & Safety Steering Group

Equality Impact Assessed by: Emergency Preparedness Resilience and Response (EPRR) Manager

Related procedural documents: Emergency Preparedness Resilience and Response (EPRR) Policy; Major Incident Plan; Provide Business Continuity Plan; Service Business Continuity plans

Review date: 03/01/2027

It is the responsibility of users to ensure that they are using the most up-to-date document template – i.e. the one obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| V1 | March 2008 | Corporate Resilience Manager | Approved | New |
| V2 | March 2012 | Corporate Resilience Manager | Ratified | Reviewed in line with transition to CECS CIC |
| V2.1 | September 2013 | Safety & Quality Administrator | No change to review date | Updated in line with organisation name change and restructure |
| V2.1 | October 2014 | Head of Safety & Resilience | Ratified at Health and Safety Meeting | Ratified |
| V3 | October 2016 | Head of Safety & Resilience | Ratified | Review. Formerly IGPOL13 |
| V4 | November 2018 | Head of Safety & Resilience | Ratified at Health and Safety Meeting | Ratified |
| V5 | January 2022 | EPRR Manager | Ratified | |
| V6 | January 2024 | EPRR manager | Ratified | |

1. Introduction

This policy provides assurance that frameworks exist within Provide, to enable it to identify and assess the risk of a business disruption or incident, and should that risk be realised, to respond in an appropriate manner. The policy will detail processes for recording, assessing and managing risk; identifying and prioritising critical services; responding to business disruptions or incidents, regardless of cause; maintaining critical services and restoring services to normal levels. The policy also sets out the requirements for training, exercise, audit and review.

The policy will establish a process whereby the organisation produces continuity plans to ensure it reacts to untoward events in a coordinated manner. Whilst business continuity and major incident planning are usually separate processes within an organisation, a major incident may trigger a business continuity issue or could occur at the same time as a separate business continuity issue.

Business Continuity will be part of the on-going and usual business approach taken by Provide. Direction will be provided by the Provide Accountable Emergency Officer (AEO) who will demonstrate the Board’s full obligation by assessing commitment against the desired level, identifying training gaps, promoting awareness, supporting the development of skills and longer-term monitoring.

2. Purpose

The aim of this policy is to provide a framework that enables the organisation to prepare for, respond to and recover from disruptive incidents when they arise.

The objectives of this policy are to;

• Anticipate and manage changes to business demands

• Identify through business impact assessments the organisation’s critical services and activities

• Reduce risks and threats to the continuation of the organisation’s services through a process of risk assessment, mitigation and management.

• Ensure all Provide services develop business continuity plans which are regularly tested to maintain robustness

• Ensure appropriate management overview of the business continuity management arrangements within this policy is maintained

3. Definitions

Business Continuity

Capability of the organisation to continue the delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Incident

A business continuity incident is an event or occurrence that disrupts an organisation’s normal service delivery, below acceptable predefined levels, where special arrangements are required to be implemented until services can return to an acceptable level.

Business Continuity Plan

Documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following disruption.

Business Impact Analysis (BIA)

Process of analysing activities and the effect that a business disruption might have upon them.

Category One Responder

As defined in the CCA, Category One responders are those organisations at the core of emergency response, such as emergency services and local authorities, and are subject to the full set of civil protection duties. This includes all Acute Trusts and Ambulance Trusts, UK Health Security Agency (UKHSA), Integrated Care Boards (ICB) and NHS England. Although not listed, as a healthcare provider Provide is expected to plan and respond to incidents in the same way as Category One responders.

Category Two Responder

As defined in the CCA, Category Two responders are co-operating bodies (Health & Safety Executive, transport and utility companies).

Civil Contingencies Act 2004 (CCA)

The Civil Contingencies Act 2004 (CCA) delivers a single framework for civil protection in the UK.

The Act divides responder organisations into two categories, Category One and Category Two, depending on the extent of their involvement in civil protection work.

Critical Incident

A critical incident is any localised incident where the level of disruption results in the organisation temporarily or permanently losing its ability to deliver critical services, patients may have been harmed or the environment is not safe, requiring special measures and support from other agencies to restore normal operating functions.

Invocation

Act of declaring that the organisation’s business continuity arrangements need to be put into effect in order to continue delivery of key products or services.

Major Incident

A major incident is any occurrence that presents serious threat to the health of the community or causes such numbers or types of casualties as to require special arrangements to be implemented.

Maximum Tolerable Period of Disruption (MTPD)

Time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Recovery Time Objective (RTO)

Period of time following an incident within which a product or service must be resumed, an activity must be resumed or resources must be recovered (the RTO must be less than the MTPD).

4. Duties

The following specific responsibilities apply within Provide:

Chief Executive

The Chief Executive has the overall responsibility for emergency preparedness (including business continuity) and is accountable to the Board for ensuring that systems are in place to facilitate an effective major incident response including the continuity of essential services.

The Board

The Board is responsible for setting the strategic context in which business continuity and service recovery procedures are developed, and for the formal review and approval of the Business Continuity Policy.

Accountable Emergency Officer (AEO)

The Health Chief Executive Officer is the nominated organisation Accountable Emergency Officer (AEO). Responsibilities include;

• Ensure the full implementation of this policy on behalf of the Chief Executive

• Ensure the Senior Leadership Team (SLT) is regularly updated regarding the level of preparedness relating to resilience which includes business continuity

• Maintain oversight of the business continuity arrangements

• Ensure business continuity is positively promoted throughout the organisation

Executive and Assistant Directors

Directors, Assistant Directors and Senior Managers are responsible for ensuring all their services have business continuity plans in place. Responsibilities include;

• Ensure all their services have a business continuity plan that is in line with the BCP Policy and approved by the Emergency Preparedness Resilience & Response (EPRR) Manager

• Provide assistance in the development of plans for all services they manage

• Ensure business continuity is positively promoted throughout the organisation

• To ensure all identified risks are appropriately reported, addressed or accepted in line with the organisation’s Risk Management Policy.

Emergency Preparedness Resilience & Response (EPRR) Manager

The EPRR Manager is responsible for assisting the AEO in implementing this policy. Responsibilities include;

• Develop templates, exercises and audits for the execution of this policy

• Assist in the completion of business impact analysis (BIA) and business continuity plans at a service level

• Ensure the Business Continuity Policy and Corporate Business Continuity Plan are updated, distributed and tested as appropriate

• Monitor and report on the status of all plans and BIA documents and present the status to the relevant groups as required

• Maintain the BIA database for the organisation

• Ensure the completion of corrective and preventative actions required in action plans

• Conduct training needs analysis for all staff in Business Continuity and where necessary provide training or suggest appropriate external training courses

• Prepare specialist advice to ensure projects and service changes take into account business continuity measures

• Participate in audits of the business continuity processes as appropriate

Service Managers

Service Managers are responsible for;

• Completion of local business continuity plans and procedures for the service

• To advise of projects and changes to the service which impact on service resilience

• Completion of BIA and BCPs for their services

• Ensure staff are engaged within the BIA and BCP development and understand their role in response.

• Management of local risks in line with the organisation’s Risk Management Policy

• Ensure the service reviews its plan annually

• Ensure business continuity is positively promoted throughout their services

Provide Staff

It is the responsibility of all Provide staff to ensure, through reading this strategy and by participating in any training or awareness activities available to them, that they understand the principles of business continuity management and their role in a business disruption.

Providers and Contractors

The organisation expects all third parties upon which it relies (including contractors, partners, associates and commissioned independents) to provide and evidence all Business Continuity procedures that relate to services provided and additional support that has been agreed. The organisation ensures this is carried out by making it a part of all contracting, renewal, monitoring and other commissioning processes and thus has the ability to audit such arrangements.

Finance and Investment Committee

Coordination of business continuity and service recovery across all services and aspects of the organisation will form part of the Property Health and Safety Steering Group. This group feeds into the Finance and Investment Committee.

FiC is responsible for overseeing the testing and exercising of the plans and for ensuring that services regularly update service specific information as attached in the appendices of this procedure.

5. Consultation and Communication

This policy has been reviewed by the Property Health and Safety Steering Group and ratified by the Finance and Investment Committee (FiC).

6. Monitoring

NHS England EPRR Annual Assurance Process

All NHS organisations and providers of NHS funded care are held to account by NHS England for having effective EPRR processes and systems in place. An annual assurance process is used by NHS England to seek assurance that organisations are prepared to respond to an emergency and have the resilience in place to continue to provide safe patient care during a major incident or business continuity event. The indicators are set against the EPRR core standards and an action plan is agreed against any standard that is assessed as requiring improvement. Progress against the action plan is monitored through the Senior Leadership Team (SLT).

Business continuity or major/critical incidents will be monitored by the EPRR manager through SLT and any lessons identified will be considered for changes to EPRR practice.

Internal Audit Programme

Provide’s internal auditors may also choose to audit the organisation’s business continuity arrangements on an annual basis. Any resulting recommendations from the audit will be monitored through the Finance and Investment Committee (FiC).

7. Legal & Statutory Requirements

To ensure resilience across the organisation this policy encompasses both Emergency Preparedness and Business Continuity and covers the whole organisation. The following legislation, regulation and guidance have been used to inform this policy;

• The Civil Contingencies Act 2004 (and its associated Regulation and Statutory and Non-Statutory Guidance);

• The Health and Social Care Act 2012;

• The requirements for EPRR as set out in the applicable NHS standard contract

• NHS England EPRR documents and supporting materials, including

NHS England Business Continuity Management Framework (service resilience) (2013)

NHS England Command and Control Framework for the NHS during significant incidents and emergencies (2013)

NHS England Core Standards for Emergency Preparedness Resilience and Response (EPRR)

NHS England Emergency Preparedness Framework

• ISO 22301 – Societal Security – Business Continuity Management Systems – Requirements;

8. Risk Management

Business continuity risks will be managed in accordance with the organisation’s Risk Management Policy. Full details of the risk grading system and impact guidance can be found within the Risk Management Policy. All services maintain their own risks on the local risk management system.

The Risk Management Review Group (RMRG) is responsible for overseeing the risk register on the local risk management system. The group also reviews significant and high risks on the risk register and inherent risks annually.

The EPRR Manager will be responsible for all EPRR related risks. The organisation’s business continuity risks are based on worst case scenario; all risks rated as significant or high will be considered and agreed by the RMRG (or the Accountable Emergency Officer (AEO)) for inclusion within the risk register.

9. Business Impact Analysis

The purpose of the Business Impact Analysis (BIA) is to;

• Obtain an understanding of the organisation’s key products and services and the activities that deliver them

• Determine priorities and timeframes for resuming activities

• Identify the key resources likely to be required for continuity and recovery; and,

• Identify dependencies

The output of the BIA will identify;

• Products, services and activities

• Recovery priorities

• Significant dependencies and supporting resources

The BIA will be used to develop the organisation’s contingency strategies for maintaining and recovering critical activities within agreed timescales.

Business Impact Analysis (BIA) will be conducted in line with the organisation Risk Management Policy. The BIA process will be initiated by the EPRR Manager, who will then collate the BIA information to assist in organisation wide planning.

The combined BIA and business continuity plan will be sent out as a word template for completion by each of the services. A copy of the template is available from the EPRR Manager.

Specific information from the combined BIA and BCP will be captured by the EPRR Manager to create a central database of BIA and plan information. The database will then be used to help inform planning on the business continuity plan and identify resources across the organisation.

BIA information will be used to support the minimum operational levels within services and/or boroughs and ensure adequate oversight of all critical services within Provide. The BIA and BCP review will be conducted annually as part of a review cycle, when a new service starts or where there is a major reconfiguration of a service that will require the recompletion of the business continuity plans.

10. Business Continuity Plans

Service continuity plans will be developed which will feed into a Corporate Business Continuity Plan, which will be created to ensure the organisation’s approach is suitable for the recovery of all services and functions. In order to ensure appropriate recovery, service plans may be invoked without the invocation of the Corporate arrangements.

Each service/directorate will complete a business continuity plan (BCP) and forward it to the EPRR Manager.

Each BCP will include as a minimum the following information;

• Version control

• Invocation method

• Management of the incident

• Communication methods and channels

• List of functions and their criticality

• Resources required and actions to ensure that services can be maintained

• Actions for the response to disruption to staff numbers, premises, suppliers, IT services, specialist equipment and data

The EPRR Manager will review the plans and will either log the plan within the master document or send back for amendment, providing additional guidance as considered appropriate. Corrective actions identified as part of this will be required in an agreed time frame.

The BCP will be owned by each relevant service/business unit.

All BCPs will be reviewed on a regular basis but at least annually by each service. A reminder will be sent to all service plan owners prior to the plan expiry date.

Where changes to BCPs are made, the up-to-date plans will be subject to version control; this will include a version number and the disposal of past copies of plans. Where expired versions are to be kept they should be marked as such. All plans and documents under the BCP Policy will have a version number, month and year placed upon them. Where a plan is replaced the version number will be increased by 0.1 for a minor change and 1.0 for a major change. All plans will have the version number included in the plan name.

A copy of each reviewed/amended plan is to be sent to the EPRR Manager.

The EPRR Manager will develop, maintain and own the corporate business continuity plan.

The EPRR Manager will present review reports to the Property Health & Safety Steering Group and the Senior Leadership Team (SLT) as required by the Accountable Emergency Officer (AEO), to ensure the executive is assured of meeting the statutory obligation to produce business continuity arrangements.

As part of this review, management will also be informed of any changes to statutory obligations, guidance and best practice to be considered as part of the review into the plans. Any actions required of the review will be presented in an action plan for monitoring by the AEO and Estates Strategy group when they meet. Action plans will be monitored and updated by the EPRR Manager.

11. Training

The EPRR Manager will advise staff of all business continuity training available either internally or externally via multi-agency partners, as well as any exercises.

The training programme will contain a mix of formal and informal training sessions to ensure it remains flexible and able to adapt to the changing risks, priorities and needs of the organisation.

The EPRR Manager will ensure that all training delivered to those with a specific role is based upon all current good practice, the NHS England EPRR Minimum Occupational Standards (MOS) and the National Occupational Skills for Civil Contingencies which relate to business continuity.

Training frequency will be determined by the need to ensure that a role can be carried out effectively when needed (frequency of activation) and the level of accuracy required to carry out the task. Training will be delivered at regular intervals, and any new staff that have a specific role will be trained when they take up their role.

The EPRR Manager will maintain a training database which will record who has received training, date of the training, delivered by and what training they have received.

12. Exercises

Provide will put in place an exercise schedule that is consistent with the scope of the business continuity procedures giving due regard to any relevant legislation and regulation.

Exercising involves validating plans, rehearsing key staff, and testing systems which are relied on to deliver resilience (e.g. uninterrupted power supply).

The frequency of exercises will be as a minimum annually for the overarching business continuity plan. Service business continuity plans may also be tested within the exercise. It may be necessary for exercises to be conducted more frequently than annually, taking into account the rate of change to the organisation and outcomes of previous exercises or incidents.

Following an exercise the EPRR Manager or the exercise lead will produce an exercise debrief report. This report will include an action plan to address any concerns and preventative actions required to improve the business continuity plans.

The EPRR Manager will maintain an exercise database which will record who attended the exercise, date of the exercise and who facilitated the exercise.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

Business Continuity Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

To provide guidance on usage and procedure to follow in the event of a business/ service interruption

Project/Policy Manager: Nicky Mclean

Date:

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral

Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

Neutral

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

n/a

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

n/a

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

n/a

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

n/a

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

n/a

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

n/a

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

www.equalityhumanrights.com – Website for new Equality agency

www.employers-forum.co.uk – Employers forum on disability

www.efa.org.uk – Employers forum on age

© MDA 2007
