Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
OFFICIAL - SENSITIVE
BUSINESS CONTINUITY PLAN
Additional copies of this plan can be found in the Incident Control Room located in MR1.2 on the first floor and also the on-call pack issued to Directors and
Managers.
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group Page 1 of 37
OFFICIAL - SENSITIVE
DOCUMENT CONTROL SHEET Document Owner: Director of Operations Document Author(s): Director of Operations Version: 7.0 FINAL Directorate: Operations Approved By: Governing Body Date of Approval: September 2017 Date of Review: September 2018 Change History:
Version Date Reviewer(s) Revision Description
1.0 July 2013 Valerie Penn Updated following JW comments
2.0 August 2013 Valerie Penn General update following Draft Business Impact Assessments
3.0 October 2013 John Webster Whole Document Review – Updates to Plan, Business Impact Assessments and Policy Statement in line with EPRR Core Standards
4.0 November 2013
Valerie Penn Updated following Exec Comments
4.1 Draft January 2015 Oskan Edwardson Annual Update – for approval
5.0 Final January 2015 Jas Dosanjh Formatting
5.1 Final April 2015 Jas Dosanjh Sharn Elton
Appendix with contacts updated. Critical Functions of the Operations Director added to BIA Appendix
5.2 Final June 2015 Anne Ephgrave Critical Functions of HR added to BIA Appendix
5.3 Final July 2015 Phil Turnock Addition of ‘Objectives for the Recover of Services’ and updated Appendix 4 Critical Functions of HBL ICT Shared Service
5.4 Draft September 2015
Jas Dosanjh Sharn Elton
Update in line with NHSE EPRR Framework and Toolkit requirements
5.5 Draft February 2016 Jas Dosanjh Formatting and updated Business Impact Assessment included
5.6 Draft February 2016 R Steadman (No change recorded) 5.7 Draft March 2016 R Steadman Minor amendment to text on p.1
5.8 Draft July 2016 R Steadman Review of Business Impact assessments to ensure consistent methodology used and minor text changes
6.0 Final July 2016 R Steadman Updates confirmed following approval by Governing Body
6.1 Draft June 2017 R Steadman, Version history tracked and updated,
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 2 of 37
OFFICIAL - SENSITIVE
Implementation Plan:
Development and Consultation
EPRR Consultant Executive Team
Dissemination Staff can access this policy via the intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in CCG Publication Scheme in compliance with the Freedom of Information Act 2000.
Training Staff will be made aware of the emergency and business continuity response arrangements within the plan at their corporate induction training, and will also be made aware of where the overarching and departmental plans can be located. The skills and knowledge of Incident Commanders and staff at an operational level will be achieved and maintained through regular training and exercising as documented in the training and exercising annual programme which covers:
• Awareness training, including roles/responsibilities, • Incident coordination centre training, • Communications testing and exercising.
If there are any significant changes to the plan, then this will be communicated to departmental leads to cascade to all staff. Business Continuity arrangements w i l l be exercised at least once a year in order to validate the effectiveness and highlight any gaps which can then be corrected.
Monitoring and Review
This document will be reviewed on an annual basis or when there are changes in the working systems of the organisation; or major changes to the contact arrangements of staff or suppliers that affect the content. It is the responsibility of the identified departmental leads to update local departmental plans on an ongoing basis and the Business Continuity Lead to ensure the generic section of this document is kept update. The plan will be used/deployed when the ability of the CCG to carry out its statutory duties are compromised. The plan will be exercised and tested every two years; incident management will account to testing and exercising, in accordance with the processes defined within the Major Incident Plan (including testing with dependent stakeholders).
Darren O’Rourke, Jas Dosanjh
Business Impact Assessments reviewed and updated, contacts reviewed, Real time assessment template added as Appendix
6.2 Draft July 2017 Jas Dosanjh Minor amendments following feedback from team
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 3 of 37
OFFICIAL - SENSITIVE
Equality and Diversity
January 2015 - Equality Impact Assessment (Appendix 6) January 2015 - Privacy Impact Assessment (Appendix 7)
Associated CCG Documents
Major Incident Plan System Escalation Plan Major Incident Action Cards Incident Control Centre Plan CCG on-call folder CCG Strategic Risk Register / Risk Controls and
Assurance Dashboard
References The ISO Standard for Business Continuity (ISO 22301) British Standard NHS Business Continuity Management
(BS25999)
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 4 of 37
OFFICIAL - SENSITIVE
Contents Section No.
Section Name Page No.
1.0 Introduction 5
2.0 Scope 6
3.0 Purpose 7
4.0 Definitions 7
5.0 Role and Responsibilities 8
6.0 Plan Activation 8
6.1 Business Continuity Management Team (Crisis and Recovery Team)
9
6.2 Continuing Services in the Event of a Disruption 10
6.3 Insurance/Incident Costs
14
6.4 Communications and Alerts
14
6.5 Record Keeping
15
Appendix 1 Business Continuity Management – CCG Policy Statement
17
Appendix 2 Business Recovery Template 18
Appendix 3 Real Time Assessment Template
Appendix 4 Key Contacts List 20
Appendix 5 Business Impact Assessment - Template and Summary
21
Appendix 6 Equality Impact Assessment 57
Appendix 7 Privacy Impact Assessment 58
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 5 of 37
OFFICIAL - SENSITIVE
1.0 Introduction
The Civil Contingencies Act 2004 came into force in November 2005 and focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders (such as CCGs) as Category 2 Responders. It is a requirement of the Act that the CCGs have Business Continuity Plans in place to support the CCG’s Major Incident Plan.
1.1 Policy statement
It is the policy of East and North Hertfordshire Clinical Commissioning Group (CCG) to develop, implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.
It is the policy of the CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to respond appropriately and continue to deliver its essential functions and that we are able to respond to the needs of our local population. A service interruption is defined as:
‘Any incident which threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions.’ (www.cabinetoffice.gov.uk/ukresilience).
The CCGs Policy Statement is provided at Appendix 1.
1.2 Resources
The CCG recognises its obligations with regards to emergency planning, resilience, responding to major incidents and business continuity. Funds, as identified as being necessary, will be made available in the event of a major incident to ensure the CCG meets its obligations with respect to these.
1.3 Emergency Planning - Business Continuity The Cabinet Office’s “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders” describes seven expectations regarding the Civil Contingencies Act (2004), Regulations (2005) and guidance:
1. Duty to assess risk
2. Duty to maintain plans – Emergency Plan
3. Duty to maintain plans – Business Continuity
4. Duty to communicate with the public
5. Business Continuity Promotion
6. Information sharing
7. Cooperation
Clinical Commissioning Groups are Category 2 Responders and as such will be required to co-operate with Category 1 Responders in the event of an emergency. They are also required to have Business Continuity Plans and Major Incident Plans. These requirements will be achieved in three stages:
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 6 of 37
OFFICIAL - SENSITIVE
Stage 1 – A Business Impact Assessment: The impacts of the loss of staff, communications, data systems, transport and buildings. Appendix 5 provides details of the Business Impact Assessments undertaken at Departmental level within the CCG. Some functions are hosted by or delivered through contracts with other organisation’s, and where applicable details have been included within the assessments. The Business Impact Assessments include prioritized activities that have been linked to the Business Continuity Corporate Risks. The Business Impacts Assessments detail: - Responsibilities of key staff and departments, - Responsibilities of the appropriate Accountable Emergency officer or Executive
Director, Stage 2 - A Business Continuity Plan: The measures to be taken internally in the event of such a loss. The Business Continuity Plan will comprise the mitigating actions arising from the Business Impact Assessments, taking into consideration the key risks that could potentially cause service disruption resulting in the plans being evoked. Information of the key contacts that will instigate the relevant mitigating actions and the contact details of all staff that might have to undertake those actions are also included - be it communicating with others or changing their way of working. Stage 3 – A Major Incident Plan: The measures to be taken in support of Category 1 responders in the event of an ‘Emergency’. This details the organisation’s response to: • an event or situation which threatens serious damage to human welfare; • an event or situation which threatens serious damage to the environment; • War, or terrorism, which threatens serious damage to the security of the UK. The CCG is required to equip nominated staff with the Major Incident Plan, the Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans have been built on experience and will be subject to a desktop test, as part of best practice, in order that they are further refined. The result of the desktop testing will be reported to the CCG Governing Body.
2.0 Scope
The scope of this plan is to provide overarching organisational guidance of business continuity management and the invocation process within the CCG, and an outline of responsibilities. The following table indicates the links with other CCG and System Resilience Plans:
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 7 of 37
OFFICIAL - SENSITIVE
Document
Community Risk Register The CCG is a Category 2 responder for Emergency Preparedness Resilience and Response which will be led by the NHS England Midlands and East (Central Midlands) Area Team. These plans will be owned by the Local Resilience Forum with input from the Local Health resilience Partnership. However, the CCG will have a role in planning for and responding to the relevant incident.
LRF Flood Plan
LRF Pandemic Influenza Plan
LRF Severe Weather Plan
3.0 Purpose
The purpose of the Business Continuity Plan is to outline the responsibility of the CCG and their staff in the event of a crisis in order to maintain as normal a service as practically possible. The over-riding aim is to ensure a prompt and efficient recovery of critical activities from any incident or physical disaster that may affect the CCG’s ability to operate and deliver their commissioning service in support of the NHS economy. It must be recognised that any event not only impacts on staff, premises, technology and operations, but also on the CCG’s brand, status, relationships and reputation and that all business continuity arrangements should ensure that the CCGs meet their legal, statutory and regulatory obligations to both their staff and dependent stakeholders.
4.0 Definitions 4.1 Business Continuity Management: Business Continuity Management is the process that helps manage the risks to the
smooth running of the organisation in the delivery of its services, ensuring that essential business can continue in the event of a disruption and can be sustained in the event of an emergency. It is aimed at reducing or eliminating the risks of business interruption and it is necessary to have contingency plans in place to ensure normal business functions can be resumed as soon as possible.
For the NHS, Business Continuity Management is defined as the management process that enables an NHS organization to: • Identify those key services which, if interrupted for any reason, would have the
greatest impact upon the community, the health economy and the organisation. • Identify and reduce the risks and threats to the continuation of these key services. • Develop plans which enable the organisation to recover and/or maintain core
services in the shortest possible time.
There are many and varied possible causes of service disruption; these may range from the loss of infrastructure e.g. offices; buildings; IT systems; managing a power cut or extreme weather to arranging service provision during an emergency or epidemic. These events may not be mutually exclusive i.e. extreme weather can lead to loss of electricity or staff being unable to get to work.
4.2 A Service Interruption can be defined as ‘Any incident which threatens
personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions’
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 8 of 37
OFFICIAL - SENSITIVE
5.0 Roles and Responsibilities
Overall accountability for the smooth running of the organisation lies with the CCG’s Accountable Officer. The Director of Operations is the lead director for Business Continuity and will be responsible for providing positive assurance to the Governing Body on the CCG’s plans.
5.1 Executive Directors The Executive Directors are responsible for maintaining their individual services,
and for alerting the need to activate Business Continuity Plans if such an event occurs within their directorate.
5.2 Designated Associate Directors and Assistant Directors
The Designated Associate Directors and Assistant Directors must ensure that any changes of contact details of key staff noted in their plans are updated as required, that their Directorate plans are reviewed at least annually and that any new services that are developed are included in the plans.
5.3 Lead for Emergency Preparedness, Resilience, Response and Business
Continuity
The Director of Operations is the lead for Emergency Preparedness, Resilience, Response and Business Continuity, providing specialist guidance during the invocation of the Business Continuity Plans in line with the Major Incident Plan. The Chief Finance Officer takes the lead for the day-to-day Business Continuity arrangements within the CCG, which is a critical function of the organisation.
5.4 Communications Team The Communications Team will be responsible for informing the public of events
where necessary, following agreement of the Accountable Officer or Director of Operations (designated deputy), and will also keep staff informed of developments as appropriate.
5.5 CCG Staff All CCG employed staff are responsible for co-operating with the implementation of
the Business Continuity Plans as part of their normal duties and responsibilities. 6.0 Plan Activation
A nominated post holder from each department will decide in discussion with the Heads of Department and the Director of Operations whether the plan or any part of it should be activated using the process in the following flow chart. Out of hours the decision will be made with the direction of the on call CCG director/manager
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 9 of 37
OFFICIAL - SENSITIVE
6.1 Business Continuity Management Team (Crisis and Recovery Team)
A team will be convened t o oversee the process of ensuring essential services are maintained and that recovery plans are put into place, Membership may include the following:
• Director of Operations or nominated Deputy • Associate Director where incident has occurred • Assistant Director of Communications • Estates representation (as required) • Any other personnel deemed necessary, i.e. representative of HR,
specialist advice, etc.
The team will meet initially on a daily basis and will keep notes of the meeting, actions taken, resources committed, and progress made using the template a t Appendix 2.
Incident Control Centre location and resources: located in room MR1.2 on the first floor, Charter House, WGC. Includes additional paper copies of this Plan.
The Major Incident Plan includes the scalable plan setting out how the command and control arrangements will be managed and by whom.
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 10 of 37
OFFICIAL - SENSITIVE
6.2 Continuing Services in the event of a Disruption
As part of the Business Impact Assessment process, a critical function analysis has been carried out to determine those parts of the service that are a priority to maintain or reinstate. The CCG is responsible for commissioning a wide range of patient services to the local population and the following will be restored and maintained as soon as is practically possible.
• Maintaining an emergency response and support to Category 1 responders; • Incident investigation; • Mobilisation of the workforce, and support for staff safety and welfare; • Provision of IT (through a shared service (called Herts Beds and Luton ICT
Shared Service) with ENHCCG as the host for this service); • Maintaining communications with the general public and CCG staff; • Essential Finance functions; including the making and receiving of payments; • Essential HR processes; • Safeguarding adults and children; and • Continuity of contract management responsibilities • System leadership role.
Objectives for the Recovery of Services
The recovery of Services in a Disaster Recovery or Business Continuity scenario is defined by two Objectives:
Recovery Time Objective (RTO): is defined as the time period after a disaster at which business functions need to be restored.
Recovery Point Objective (RPO): is the maximum period of time based data loss (relative to the disaster) which cannot be recovered.
The Business Impact Assessments include details of the activity surge plan to ensure that critical services are maintained in periods of peak activity, including the maximum periods of tolerable disruption for all critical activities, and how the recovery/restoration principles will be managed and by whom. The critical function analysis also identifies those functions that are less critical and could be suspended, in light of the RTO and other timescales that may be identified within the Business Impact Assessments.
Service Function Length of time function can be suspended
Financial management 7 days
Planning services - preparing commissioning plans 28 days Commissioning services through pathway development and redesign 28 days
Contract management – acute contracts 14 days
Contract management – community and third sector 14 days
Performance and data analysis 14 days
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 11 of 37
OFFICIAL - SENSITIVE
Governance duties to ensure continuous compliance with statutory duties 14 days
Partnership working to ensure joined up working to improve the health and wellbeing of patients 14 days
Support and guidance to member practices 14 days
Quality and safety 14 days
Administration 14 days
If an incident occurs and this plan is activated, permission will be sought from the Accountable Officer, or in their absence the Director of Operations (or nominated Deputy) to suspend the mainstream service functions detailed above and release the CCG staff who cover these functions to provide support to critical functions provided in other areas of the CCG.
The plan will be activated in accordance with the processes outlined in the Major Incident Plan and the Incident Control Centre Plan, including the escalation system in place and who assumes responsibility at each stage (as well as action cards and aide memoirs for use by key team members). Through the Business Impact Assessments, each department has identified its own critical functions that are required to maintain its service and have their own local departmental plans which a r e accessible in both paper copy and electronically. It is the responsibility of designated Associate/Assistant Directors to communicate the location of these plans to their staff.
In the event of an emergency, or business interruption, the CCG will endeavor to maintain services as usual or as close to the usual standard as possible. However, where it is clear that this is not achievable, the Head of Service in conjunction with the Director of Operations (or on-call Director/Assistant Director if out of hours) will decide which priority functions of the department must continue, depending on the nature of the business interruption.
There are some generic areas that could potentially affect all departments and these are described below:
6.2.1 Failure of IT Systems
The CCG, like many organisations, rely upon IT systems for their day to day business. A disaster that prevents the organisation from accessing these systems whether caused by the failure of the systems themselves, or being due to an incident such as fire or flooding will potentially have a serious impact on the continuation of the CCG’s functions. IT system failures may include:
• Loss of email, • Loss of internet, • Loss of Microsoft Office Applications, • Loss of access to stored documents (shared server), • Loss of individual IT systems/applications, • Major IT network outage.
While it is impossible to consider and document a recovery plan for every disaster that may occur the impact of the loss of IT systems to each department is covered
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 12 of 37
OFFICIAL - SENSITIVE
in the individual departmental plans and it is expected that they can be adapted to cater for any specific incident. If there is a failure in the IT system or any stand-alone computer for important data for a prolonged period of time, staff will need to change to a paper back-up system where possible to capture the data so that this can be recorded on the system retrospectively.
The development of telecommunications that are reliant upon the IT network makes it likely that telephone failure will also result from any IT network failure. The priority in which restoration is required will depend on the service area and is detailed in individual departmental plans.
If there is a loss of hardware or software through theft or damage then advice should be sought from the IT provider and the incident reported to the CCG’s Governance and Corporate Affairs (via the Company Secretary).
The maintenance of the CCG IT systems is provided by the Herts Beds and Luton ICT Shared Service (HBL ICT) under a Service Level Agreement (SLA). Under the terms of this SLA, HBL ICT will invoke their Emergency Disaster and Recovery Plan to cope with any event causing prolonged interruption of service.
The standard RPO and RTO within the agreed partnership service agreements is:
• RPO – 1 day from date of failure • RTO = 24 hours from the time of failure
Restoration of services will be managed through the agreement ICT Major Incident processes which will include full engagement of the CCG executive. Whereby the standard RPO or RTO cannot be achieved, this will be brokered with the CCG Executive during the respective phases of the Major Incident process.
6.2.2 Failure of Telecommunications
The telephone lines are provided under contract with BT, and the system is under a maintenance contract with Vodafone.
Each departmental plan identifies in more detail the actions required should the telephone systems (including mobile telephony) be inactive. The priority in which restoration of phone lines are required will depend on the service area and if crucial will be detailed in individual departmental plans.
CCG contact in the first instance: HBLICT Service Desk on 07799 895274* (Note:- this number is only activated if the Phone System is down at Charter House).
If electricity has failed then prior consideration needs to be given to the ability to recharge mobile phone batteries.
6.2.3 Loss of Records
Where there has been a loss of records (electronic and paper), the processes defined within Records Management Policy will be followed. Each departmental plan identifies in more detail the actions required should there be a loss of electronic/paper records.
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 13 of 37
OFFICIAL - SENSITIVE
6.2.4 Failure of Utilities – Electricity / Gas / Water Supplies Resolution is via NHS Property Services, the CCG contact in the first instance is NHS Property Services.
The fault should be reported and a request made as to whether they are able to give an indication of the length of time the supply will be unavailable.
If heating is lost an assessment should be made to the effect of the loss of the heating related to the time of year and the forecast temperature as to whether services can continue from the affected location.
For plumbing emergencies: contact NHS Property Services
In the event that the water supply fails, impact of the following must be assessed:
• Toilets • Hand hygiene • Drinking water
6.2.5 Loss of Building
If premises are unable to be used then services may need to be suspended or relocated. Local departmental plans detail who to contact and measures to be taken where there is a denial of premises (including actions taken in the event of a fire or flood).
Alternative locations for staff will include HCT HQ at Howard Court, HPFT HQ at Waverley Road, St Albans and HVCCG HQ at Hemel Hempstead. Initiation of these arrangements will be agreed by the Director of Operations (or nominated Deputy) or by agreement with the on-call Director/Manager. The Incident Control Centre Plan includes information on alternative locations where the service/activity could be delivered from in case of denial of access to Charter House and Fountain House. The plan also includes details of any provisions for staff to be accommodated overnight if the incident dictates and how this would be activated via pre-agreed arrangements.
6.2.6 Fuel Shortages
In the event of a fuel shortage the ability to maintain services may be affected. If it has been necessary for the invocation of the National Fuel Plan then the Business Continuity Management Team will be convened to oversee the management of the situation within the CCG
It is unlikely there will be provision of fuel for staff to get to their work base and the responsibility for alternative travel arrangements is with the individual members of staff in discussion with their line manager.
6.2.7 Staff Shortages
The absence of staff will have a varying effect depending on their role. In some cases roles can be covered by other staff but others may be highly specialised and necessary arrangements will be detailed in departmental plans as to whether a service can continue particularly if the service depends on that person alone. Potential threats related to staff shortages include;
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 14 of 37
OFFICIAL - SENSITIVE
• Loss of staff (>25%), • Serious injury to, or death of, staff whilst in the office, • Significant absence due to severe weather or transport issues, • Pandemic flu, • Simultaneous resignation or loss of key staff.
There may be a scenario when a number of staff are all incapacitated at the same time such as pandemic influenza. The departmental manager will be responsible for assessing the impact on the ability to continue to provide a service and what contingencies can be put in place, and whether some non- critical services can be cancelled as detailed in the individual departmental plans.
6.2.8 Other
Other areas that could potentially affect departments may include the following, this list is not exhaustive:
• Terrorist attack or threat affecting the transport network or office locations • Theft or criminal damage • Chemical Contamination • Infectious disease outbreak • Industrial action • Fraud, sabotage or other malicious acts
The Severe Weather Response Plan includes details regarding the impact of severe weather (including snow, heat wave, prolonged periods of cold weather and flooding), and should be referred to in such circumstances.
6.3 Insurance/Incident Costs The insurance arrangements in place which may apply to incidents are:
• Corporate Liability Insurance • NHS Resolution
The incident costs will be tracked by use of unique cost centres to assist and supplies/replacement equipment will be managed/maintained throughout the disruptive incident via a specific EP cost centre.
6.4 Communications and Alerts
The CCG will respond to a significant incident in line with the formal organisation Communications Strategy and processes defined within the Major Incident Plan.
The Major Incident Plan sets out the alerting mechanism for external and self-declared incidents, including trigger points and escalation procedures. If an event occurs that is so severe that alternative arrangements for the provision of care commissioned by the CCGs need to be communicated to internal and external stakeholders, as well as the local population, this will be carried out via the Assistant Director of Communications after discussion with the Director of Operations.
The internal (Appendix 4) and external stakeholders that could be affected by the disruptive incident, especially around service delivery, could include the following and
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 15 of 37
OFFICIAL - SENSITIVE
specific details have been included within the Business Impact Assessments:
• Providers including Primary Care, • Neighboring CCG’s, • Social Care, County and Borough Council.
The process for receiving and cascading warnings, and other communications before, during and after a disruption or significant event, and any resilient communication systems used is as follows:
• Alerts (i.e. Met Office) received into the CCG’s EPRR mailbox ([email protected]) are cascaded by the Operations Team to all Senior Managers, AD’s and Directors on-call,
• For incident management, the CCG has a secure nhs.net email account, • The Incident Control Centre Plan documents how Senior Managers, AD’s and
Directors can remotely access the account.
Mechanisms for informing the relevant partners including, but not limited to, other CCG’s, NHS care providers, and NHSE detailed in the Major Incident Plan. There is also a Hertfordshire Communications Group in place to support the management of consistent messaging to the public.
6.4.1 CCG On-Call Arrangements
The 24-hour arrangements for alerting managers and other key staff are in place as per the CCG on-call system arrangements in/out of hours, which are as follows:
• All calls centrally received to the CCG on-call phone to be answered by the allocated Senior Manager/AD/Director on-call as per the centrally agreed rota
• 09:00 – 17:00 Monday to Friday (in hours) – Day Manager on-call acts as first point of contact. Although the Director On-call maintains overall responsibility.
• 17:00 – 09:00 Monday to Friday, and weekends/BH (out of hours) – AD/Director on-call acts as first point of contact.
The contact details (including relevant key stakeholders) are updated on a 6-monthly basis as part of the review of the CCG on-call folder, and HR hold a list of all staff contacts which can be accessed remotely via the intranet.
6.4.2 Local Cooperation
The Major Incident Plan documents how the independent healthcare sector may be used in a disruptive incident to assist in service delivery. It also outlines how mutual aid from other NHS providers can be requested if a disruptive incident occurs.
6.5 Record Keeping
The processes for the listed actions below will be managed in accordance with the guidance as outlined in the Major Incident Plan, including details on how the;
• organisation will maintain their incident logs, and minutes of meetings during and after the meeting,
• post incident report will be produced including how a debrief will be held to identify lessons,
• lessons identified from the incident will affect future plans.
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 16 of 37
OFFICIAL - SENSITIVE
Appendix 1 Business Continuity Management Policy Statement “Business Continuity Management (BCM) is an important part of NHS East and North Hertfordshire CCG’s risk management arrangements. The Civil Contingencies Act (CCA) 20041 identifies all CCGs as ‘Category 2 Responders’, and imposes a statutory requirement on each CCG to have robust BCM arrangements in place to manage disruptions to the delivery of services.
It is the policy of NHS East and North Hertfordshire CCG to develop implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.
The aim of Business Continuity Management is to prepare for any disruption to the continuity of the business, whether directly - i.e. within the responsibility control or influence of the business, or indirectly - i.e. due to a major incident occurring to a partner, supplier, dependent or third party, or from a natural disaster.
It is recognised that plans to recover from any disruption must consider the impacts not only to our staff, premises, technology and operations, but that NHS East and North Hertfordshire CCG must also plan to maintain its brand, status, relationships and reputation.
Business Continuity arrangements should ensure that the CCG continues to meet i t s legal, statutory and regulatory obligations to its staff and to its dependent stakeholders. All NHS East and North Hertfordshire CCG departments are to continue to develop and implement BCM for their areas of business.
In order for this to be achieved, members of each department have been nominated as Business Continuity Leads to represent their part of the business for Business Continuity Management. These individuals are responsible for reviewing and maintaining the departmental Business Continuity arrangements within the CCG. To ensure that the BCMS fully meets the changing needs of the business all Business Continuity Plans will be exercised, reviewed and audited annually.
In accordance with the NHS England Guidance2, NHS East and North Hertfordshire CCG BCMS will be in accordance with and aligned to the ISO 223013.”
…………………………………………………… …………………………… Beverley Flowers Date Accountable Officer
1 NM Government (2004) Civil Contingencies Act 2 NHS England (2013) Board Business Continuity Framework 3 ISO 22301 Societal Security - Business Continuity Management Systems – Requirements
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 17 of 37
OFFICIAL - SENSITIVE
Appendix 2 Business Recovery Template Reason for Invoking Plan: Date: Time: Brief Summary of Situation: Department/s Affected: Other Organisations Involved / Alerted: Date:
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 18 of 37
OFFICIAL - SENSITIVE
Actions Required (including Resources)
By Whom Communication requirements
Status Update
Immediate:
Within 8 Working Hours:
Within 1 Working Day:
Within 3 Days:
Within 1 Week:
Situation to be reviewed every ……….. hrs / ……. days
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group
Page 19 of 37
OFFICIAL - SENSITIVE
Appendix 3 Real Time Assessment Template: This form should be completed, during a Major Incident that has affected your working environment, based on the information within the Business Impact Assessments (Appendix 5) and sent to your Executive Director.
Functional Area (Directorate/Team): ……………………………………………………………... Prioritisation category
Essential/ Priority Area (Linked to BIA categories)
Current Impact
Actions Required (Work around including resources required, communications and who is to carry out the activity)
Status Update
Serious impact within the next 24 hours with no work around
Serious impact within the next 24 -48 hours with no work around
Work around that will cover for next 3 days
Work around that is sufficient for >3days
No impact within next 7 days or longer
Situation to be reviewed every ……….. hrs / ……. days
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group Page 20 of 37
OFFICIAL - SENSITIVE
Appendix 4 Key CCG Contacts
On Call Member Role Email Work Mobile Work Number
1 DENISE BOARDMAN Programme Director, ENHCCG
2 HARPER BROWN Director of Commissioning, ENHCCG
3 JO BURLINGHAM Assistant Director Operations, ENHCCG
4 SUNDAY ADENIYI Deputy Chief Finance Officer, ENHCCG
5 SHARN ELTON Director of Operations, ENHCCG
6 SARAH FEAL Company Secretary, ENHCCG
7 BEVERLEY FLOWERS Accountable Officer, ENHCCG
8 JAMES GLEED Associate Director Commissioning Primary Care ENHCCG
9 BARBARA HARRISON AD Commissioning, ENHCCG
10 EDWARD JAMES AD Financial Services, ENHCCG
11 GERRY MOIR Assistant Director Performance, ENHCCG
12 NUALA MILBOURN Assistant Director of Communications, ENHCCG
13 ALAN POND Chief Finance Officer, ENHCCG
14 SHEILAGH REAVEY Director of Nursing and Quality, ENHCCG
15 CATH SLATER Assistant Director of Quality and Patient Safety, ENHCCG
16 HEIN SCHEFFER Director of Workforce
17 JAMIE SUTTERBY Assistant Director, Health Integration, E&N Herts CCG and Hertfordshire County Council
18 TRUDI SOUTHAM Assistant Director of Locality and CCG Commissioning, ENHCCG
19 PHIL TURNOCK ICT Shared Service Director, HBL ICT, ENHCCG
20 PAULINE WALTON Assistant Director - Head of Pharmacy and Medicines Optimisation
Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group Page 21 of 37
OFFICIAL - SENSITIVE
Appendix 5 Business Impact Assessments * The full Business Impact Assessments can be accessed via the local network drive.
CRITICAL FUNCTIONS*:
Operations Directorate
• Operations and Resilience p.24
• Continuing Healthcare p.24
• Human Resources p.25
Nursing and Quality Directorate:
• Quality Team p.26
Finance Directorate:
• Finance (including Financial Services, Contracting, Information Team) p.28
• Governance and Corporate Affairs p.29
Commissioning Directorate
• Commissioning Team p.30
• Pharmacy and Medicines Optimization p.31
• Programme Office p.32
Chief Executives Office:
• Communications (including Engagement) p.33
HBL ICT p.36
Contingency - Priority for the Restoration of Services [Recovery Time Objective (RTO)]:
1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an
essential service/function 2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band 3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not
prevent provision of an essential service/function 4. Important: Within 3 days – Will affect services without causing danger to patients 5. Necessary: Within 7 days – Minor disruption to services 6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience 7. Non-Urgent: Within 28 days – Will involve non-urgent repair
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 22 of 37
OFFICIAL - SENSITIVE
Directorate/Team: OPERATIONS DIRECTORATE: Operations and Resilience Team
Key Contacts: Sharn Elton – Director of Operations Jo Burlingham – Assistant Director of Operations and Resilience Phil Lumbard – Assistant Director Urgent Care Gerry Moir – Assistant Director Performance Jo Field – Head of Performance
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Provide System Leadership Quality of services and experiences of our patients System oversight
A2 – Maintain emergency and day to day operational management A3 – Maintain on call response in and out of hours A4 – Maintain category 2 responder role
B – Activities which could be scaled down if necessary
B1 – Performance oversight and delivery Quality of services and experiences of our patients System oversight
C – Activities which could be suspended if necessary
C1 – Attendance at external meetings where the CCG is a partner
Partnership working Service developments/Decision Making
Directorate/Team: OPERATIONS DIRECTORATE:
Continuing Healthcare
Key Contacts: Sharn Elton – Director of Operations Alison Sansom – Assistant Director CHC Alison Rees – Business Process Manager
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Responding to new fast track referrals (case management of care packages) to ensure safety and well-being of patients
If not responded to on the same day there could be a risk to patient care and a delay in discharge effecting patient flow in and out of the acute sector
A2 – Ensuring CHC functions are performed in relation to procurement of placements
Those individuals will not be in receipt of appropriate package of care or would be delayed within a hospital setting
B – Activities which could be scaled down if necessary
B1 – Responding to new non-fast track referrals (adults case management of care packages)
Delays in transfers of care or risk of patients having an inadequate package of care at home
B2 – Ensuring eligibility and maintenance of Funded Nursing Care process
Care homes will not be reimbursed in a timely manner
C – Activities which could be suspended if necessary
C1 – Case management or reviews Delay in review process resulting in patients possibly having an inadequate package of care at home
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 23 of 37
OFFICIAL - SENSITIVE
Directorate/Team: OPERATIONS DIRECTORATE:
Human Resources
Key Contacts: Sharn Elton – Director of Operations Hein Scheffer – Director of Workforce Louise Thomas – AD Human Resources and ODL Wendy Bourne – Senior Humana Resources Business Partner
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Delivering statutory functions, including staff pay
If staff are not paid on time, it may result in difficulties regarding their personal situation and/or non-/limited working
A2 – Performing HR functions ensuring ability to respond to basic HR issues and concerns, including staff wellbeing
Risk of employment tribunal if could not perform HR functions.
A3 – Maintenance of HR compliance for safety of the organisation and staff
Risk of litigation and fines from violation of regulations and lack of compliance.
A4 – Recruitment of staff to core functions
Potentially a gap if critical core functions not recruited to (clinical safety, staff wellbeing)
B – Activities which could be scaled down if necessary
B1 – Management of ER cases/issues
Legal challenge where management is not within set timescales.
B2 – Reporting to the Executive regarding adherence to statutory governance arrangements
Risk of being unable to roll out a statutory change within required timeframe.
C – Activities which could be suspended if necessary
C1 – Corporate Induction training programme
Risk new starters wouldn’t receive some of their mandatory training and not gain the understanding of how the CCG operates.
C2 – Policy reviews Risk that they would not be conducted within required time frame.
C3 – Mandatory Training such as IG training & Learning and Development.
Risk of IG breach due to lack of training and non-compliance with regulations.
C4 – Joint partnership forum Risk of industrial action.
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 24 of 37
OFFICIAL - SENSITIVE
Directorate/Team: Quality and Nursing Directorate:
Quality Team
Key Contacts: Sheilagh Reavey – Director of Quality and Nursing Cath Slater – Associate Director, Quality and Patient Experience (BC
Lead) Jessica Linskill – Lead Nurse, Quality
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Responding to urgent safeguarding alerts, issues and requests for consultation at designated Nurse level
If alerts, issues not actioned potential safety risk to patients
A2 – Complaints and PALS; responding to and actioning urgent concerns raised
If urgent issues not addressed, potential harm to patients could occur A3 – Hotline enquiries relating to patient
safety or urgent issues A4- Serious Incidents; any new SIs identified to be shared with providers for immediate action and investigation A5 – Infection Control – outbreak management; including PIR’s (for MRSA) A6 – Responding to CQC inadequate judgements of primary care facilities, for patient safety reasons A7 – Participating in Risk Summits
B – Activities which could be scaled down if necessary
B1 – Full range of statutory functions for safeguarding adults and children, e.g. SARS, DHRS, SCRS, etc. Notifications to Designated counterparts for LAC placed out of area
Statutory requirements may not be met. Delay in learning from incidents, deaths, etc. Other providers’ work held up. Risk that Looked After Child could have difficulties accessing health services in local placement
B2 – Complaints and PALS; routine processing of enquires received
Local and national targets may not be met, patients dissatisfied with service provided and concerns remain unresolved.
B3-Serious Incidents; co-ordination and review of provider Sis, Datix inputting
National timescales may not be met. Risk that quality issues in provider RCAs may not be identified, affecting learning from SIs
B4- Hotline; processing of routine enquiries
Risk that local targets will not be met. GPs dissatisfied with service and key themes not identified.
B5 – Infection Prevention and Control: HCAI case reviews and surveillance, C-Difficile appeals
Statutory requirements may not be met, delay in identifying lower level risks, providers have delay in appeal outcome decisions
B6- Quality Assurance; undertaking Quality Review Meetings, Quality Visits, analysing and monitoring providers in relation to wide range of quality standards, such as LAC IHA’s, Quality
Lack of assurance to CCG, may be delay in identifying quality issues. Direct impact on patients if processes such as LAC IHA or
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 25 of 37
OFFICIAL - SENSITIVE
Schedule requirements, etc acute trust target performance deteriorates
B7- Individual Funding Requests, Prior Approval and Choice; processing of funding requests and providing patient choice service (NB: urgent CFT requests not graded in section A above due to protocol enabling retrospective agreement cases where delay will lead to significant harm)
Risk that procedures will be undertaken that would not have been approved for funding. Risk that patients will not be offered choice. Risk that protocol not followed, leading to patient harm
B7 – Reporting to NHSE National timescales may not be met; NHSE action over CCG failure to report
C – Activities which could be suspended if necessary
C1 – CQUIN/ Quality Schedules; on-going monitoring and contract negotiation cycle
Lack of development of schemes could affect future provider contracts. Performance issues may not be identified in a timely way, however key issues would be identified via alternative functions.
C2 – Regular reporting to Quality Committee, Governing Body, localities etc.
Low risk, key issues and headlines would be shared with committees and GB as required.
C3 – External and internal meetings on wide range of quality and clinical topics
Lack of assurance to CCG, may be delay in identifying quality issues. Lack of progress on areas of quality improvement Staff effectiveness may be reduced due to lack of coordination.
C4 – Staff training Lack of development of staff, Lack of updating, if mandatory training risk that local targets/national requirements may not be met; loss of money if training place already booked.
C5 – Training delivery Lack of development of provider trust etc. staff, loss of money if venue etc. already booked
Directorate/Team: Finance Directorate:
Financial Management, Contracting, Information Team, Financial Services
Key Contacts: Alan Pond – Chief Finance Officer Sunday Adeniyi – Deputy Chief Finance Officer Holly Fairhurst – Assistant Director of Contracts David Hodson – Head of Information Edward James – Assistant Director Financial Services
Essential/Priority activities undertaken: Risk to activities:
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 26 of 37
OFFICIAL - SENSITIVE
A – Activities which must be continued
A1 – Management of the DoS DoS unable to be re-profiled A2- Authorisation for patient transport Delays to authorising transport
requests A3 – Payments to key suppliers / NHS Trust and other healthcare providers
Payments to staff, key supplies to services & service disruption
B – Activities which could be scaled down if necessary
B1 – Access to invoicing and payments system within 3 days
Impact on ability to manage the CCG with risk of statutory requirements not being met and other financial objective not being achieved
B2 – Monitoring financial position within 3 days (within 1 day if within first week of month)
Unable to provide support to provider organisations
B3 – Monthly reports to NHSE and Annual Accounts (if the latter in March or April)
Loss of reputation, failure to achieve CCG statutory duty
B4 – Finance support to commissioning Loss of financial control/delays in agreeing contracts if January/February/March
B5 – Financial planning Delays in agreeing investments/savings/contracts
B6- Response to FOIs Delay in responding to FOIs B7- Sending monthly validations to Providers
Financial loss to CCG if providers are not in agreement to revise deadlines for validations to be submitted
B8- Contract sign off No contract in place between CCG and Providers
B9- Enacting Contract Levers (Information Breach Notices and Contract Performance Notices)
Delays to implementing contract levers
B10 Scale down payments frequency and move to urgent payments only
Loss of Reputation. Cash flow issues to small suppliers. Possible impact on delivery goods and services.
B11 Extend the time between reviewing and reconciling ledger to key control accounts
In the short term ledger may not be a true reflection of spend. Cash forecast targets may not be achieved
C – Activities which could be suspended if necessary
C1 – Monthly reports to Governing Body and localities
Loss of financial control if long period
C2 – Finance support to business cases and localities
Delays in proceeding with investments or wrong decisions taken
C3 – Production of monthly budget statements re running costs
Loss of financial control if long period
C4 – Attendance at Contract Review Meetings with Providers
Unable to hold Providers to account and implement contractual levers where required
C5 – Credit control Short term cash issues
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 27 of 37
OFFICIAL - SENSITIVE
Directorate/Team: Finance Directorate:
Governance and Corporate Affairs Team
Key Contacts: Alan Pond – Chief Finance Officer Sarah Feal – Company Secretary Jas Dosanjh – Head of Risk Management (BC Lead)
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 –) Day to day management of On-call rota
Risk that in and out of hours response will not be available centrally
A2 – Letter of claim related to C3 needs to be sent to NHSLA within 24 hours
Risk that CCG will not be adequately protected from legal claims
B – Activities which could be scaled down if necessary
B1 – Coordination of FOI responses (target of 85% within 20 days)
If target not met, action could be taken by Information Commissioners Office
B2 – Reporting of IG breeches (need to notify ICO within 48 hours)
If target not met, action could be taken by Information Commissioners Office
B3 – Administration of meetings – minutes/ papers for the Governing Body, Governance and Audit Committee, Quality Committee, IG Forum
Loss of record of accountability / decision making/ record keeping / public record
B4 – Managing Conflicts of Interest Requirement to declare in accordance with Health and Social Care Act. CCG Constitution requirement to keep register up to date.
C – Activities which could be suspended if necessary
C1 – Provision of Training (Risk Management, including Health and Safety)
Statutory and Mandatory training requirement may not be met
C2 – Managing Gifts and Hospitality Register
Reporting requirement to Governance and Audit Committee
C3 – Coordination of Clinical Negligence Cases from Solicitors to enable reporting to NHSLA
14 day turnaround with NHSLA
C4 – Updating of policies/procedures Staff wellbeing - access to current guidance
C5 – Coordination of the Strategic Risk Register and Risk Controls Assurance Dashboard updates
Information may not be current, however updated three times/year , low risk
C6 – Coordination of Internal Audit reports/recommendations
Head of Internal Audit opinion, if the CCG can’t provide assurance for implementation of
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 28 of 37
OFFICIAL - SENSITIVE
recommendations C7 – Administration of IG toolkit Around annual reporting time (end
of March) Directorate/Team: Commissioning Directorate:
Commissioning Team
Key Contacts: Harper Brown - Director of Commissioning (BC Lead) Trudi Southam - Interim Associate Director Planned Care (Deputy BC
Lead) James Gleed – Associate Director Commissioning and Primary Care
Projects Barbara Harrison - AD Commissioning
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Coordination of Primary Care Capacity and Liaison with Area Team (NHSE)
Managing access to primary care and impact on secondary care, A&E etc.
A2 – Responsiveness to commissioned services for urgent patient specific queries/clinical management
Impact on timeliness in providing advice
A3 – Urgent communications to Primary Care
Public Health Communications / Significant Service Provision Failure / Serious Incidents
A4 – Primary Care Quality Assurance
Delay in investigating / resolving patient safety concern.
B – Activities which could be scaled down if necessary
B1 – Approval mechanism to authorize payments by finance directorate
Impact on ability to meet financial obligations re payments and risk of Primary Care service disruption
B2 – Management of Locality Meetings and Target Events
Impact on ability to maintain clinical engagement and locality focused commissioning/decision making
B3 – Service Redesign/Development Programmes
Delay in delivery of quality and performance improvements
B4 – Performance monitoring for CF /Enhanced Services
Risk that local targets will not be monitored against agreed timescales.
B5 – Research management and development
Failure to discharge statutory duties with resultant loss of income/ delay to clinical studies.
C – Activities which could be suspended if necessary
C1 – Non urgent meetings Disruption to CCG/Directorate programme of work
C2 – Strategic healthcare estates planning
Failure to meet DH Target dates and missed opportunities to secure national funding.
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 29 of 37
OFFICIAL - SENSITIVE
Directorate/Team: Commissioning Directorate:
Pharmacy and Medicines Optimisation Team
Key Contacts: Harper Brown – Director of Commissioning Pauline Walton - AD & Head of Pharmacy & Medicines Optimisation Sue Russell - Lead Pharmacist (CCG Localities) Stacey Golding - Lead Pharmaceutical Advisor – Governance Maxine Davis - Lead Pharmaceutical Advisor - Care Prescribing Colin Sach - Lead Pharmaceutical Advisor - Acute Commissioning
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – The provision of clinical support and personnel for ‘front line’ patient facing services at times of pandemic and/or other public health emergencies
Inappropriate/delayed clinical advice and treatment Financial risk
B – Activities which could be scaled down if necessary
B1 – To ensure the provision of expert prescribing advice in a timely manner to GP practices, non-medical prescribers, pharmacists, Acute and MH Trusts etc
Clinical risk, financial risk, reputational risk
B2 – To ensure the strategic oversight of medicines optimisation and patient safety B3 – The provision of expert advice concerning the clinical pathways
B4 – Non medical prescribing approval of applications and support for prescribers and dispensers around all primary care secure and non-secure supplies B5 – Local/national initiatives such as raising antibiotic awareness
B6 - Signing off invoices B7 – The provision of weekly clinical support to intermediate care beds in St Christopher’s Hatfield, Woodlands Nursing Home Stevenage, and Osbourne Court Baldock)
No medicines reconciliation, patients in intermediate care not receiving the correct medicine. Contractual obligations to BUPA and Four Seasons
B8 – Individual treatment requests, high cost drugs and invoice validation
Financial risk if drugs are funded that would not normally be approved. In breach of NICE guidance Risk of judicial review Reputational risk
B9 – The provision of expert advice to CCG commissioners on the managed entry of new medicines and medical devices
B10 – Clinical medication reviews of care home patients – Vanguard Project
Limit to responding to urgent queries from the quality team. Risk of not meeting outcomes required by Vanguard
C – Activities which could be suspended if
C1 – The oversight of every aspect of financial management in respect of prescribing and medicines usage
Financial risk
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 30 of 37
OFFICIAL - SENSITIVE
necessary C2 – Locality prescribing meetings, Hertfordshire Medicines Management Committee, Primary Care Medicines Management Group
Clinical risk
C3 – Monitoring of prescribing, key performance indicators
Clinical and financial risk
Directorate/Team: Commissioning Directorate:
Programme Office
Key Contacts: Harper Brown – Director of Commissioning Rachel Joyce – Medical Director Grant Neofitou – Head of Programme Office Gillian Catchpole – Senior Project Manager
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
None identified N/A
B – Activities which could be scaled down if necessary
B1 – Administration of meetings – minutes/ papers for OPD, Long Term Conditions Committee, Stroke Programme Board
Loss of record of accountability/ decision making/ record keeping/ public record/ access to important documents on the network drive
B2 – Attendance at meetings Loss of face to face to contact as part of normal business processes
B3 – Telephone access Reliance on email or face to face contact with relevant colleagues
C – Activities which could be suspended if necessary
C1 – Reporting of projects and work streams
Lack of information to commission and plan services.
C2 – Usual place of work Not all staff have remote access working
Directorate/Team: Chief Executive Office:
Communications (including Engagement)
Key Contacts: Beverley Flowers – Accountable Officer Hari Pathmanathan - Chair of Governing Body Nuala Milbourn – Assistant Director Communications Susan Haigh – Communications Manager Fiona Winspear – Communications Manager (CAMHS) Carol Leach – Communications Manager (Vanguard) Ewan Marshall – Web development and digital communications officer Lynda Dent – Head of Patient Engagement Mark Edwards – Patient Engagement Manager
Essential/Priority activities undertaken: Risk to activities:
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 31 of 37
OFFICIAL - SENSITIVE
A – Activities which must be continued
A1 - Communications to GP practices about service disruption, service suspensions or other issues affecting business continuity. Including :-
1. Acute in-hours home visiting service
2. Problems with capacity at the hospital trust
3. Appeals for doctors to assist with additional shift with Herts Urgent Care
4. Information about industrial action
5. Severe weather advice and guidance
6. Loss of referral routes or services due to factors outside of the CCG’s control
7. Sending messgaes on behalf of HBL ICT on cyber security
8. Assisting the Quality Team with issuing Health Professional Alert Notices (HPAN) which are used to inform NHS bodies and others of healthcare professionals whose performance or conduct gives rise to concern
This would mean that GPs would be unaware of the service disruption, suspensions or other issues resulting in :- - Continuing to refer very poorly patients to the acute in-hours visiting service when there is no capacity for them to be visited at home. -Continuing to refer to patients to A&E where they could experience a long wait for treatment. As a result they might not seek alternative treatment pathways for their patients. - GP practices would not be able to encourage GPs to make themselves available for additional shifts to help Herts Urgent Care to deliver services at pressurised periods. CCG guidance on the implications of industrial action for primary care would not be issued directly to practices. Severe weather information and advice for patients and practices – such as heatwave information for vulnerable patients or changes to pathology sample collection times due to bad weather, could not be issued Urgent changes to referral information, such as a loss of a particular fax or phone number due to technical problems, could not be communicated to practices, which would mean that patients would not be able to access the services they need. Practices that fall victim to cyber-crime are financially and reputationally damaged and patient data may be at risk. Practices need to be aware of an individual that may pose a threat to patients or staff because their conduct compromises the effective functions of a team or local primary care service.
A2 - Communications to the public and Patients and carers would not be
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 32 of 37
OFFICIAL - SENSITIVE
the media via the CCG’s website, the New QEII Hospital website, media releases and social media about service disruption, service suspensions, epidemics, heatwaves or other issues affecting services the public rely on, e.g
1. Disruption to GP services 2. Disruption to hospital services 3. Disruption to pharmacy services 4. Proactive and reactive
communications to the media about issues which could have a negative impact on the CCG’s reputation as a commissioner of NHS services
5. Proactive and reactive communications to the public and the media about circumstances which could have a significant impact on health and wellbeing, such as a heatwave or the outbreak of an infectious disease.
aware of the following should they occur. - That their planned or emergency GP services are not available -That their planned or emergency hospital visits would not be possible - That they could not visit the pharmacy to collect essential medication. -The CCG’s stakeholders and the public would lose confidence in the organization - That they should take precautions or positive action to protect their own health and the health of the family, friends and neighbours
A3 - Communications to GPs and health professionals on policy and protocol updates, including:
1. Updating the Beds and Herts priorities forum, which is accessed through the CCG’s website
2. Supply urgent briefing material in response to requests from NHS England’s Parliamentary hub
Clinicians across Beds and Herts would not have the up-to-date referral information that they need for patients.
ENHGCC would not be able to account for its actions to Ministers and MPs in the House of Commons.
A4 - Communications with other NHS organisations, provider organisations and public sector partners on issues of significant mutual concern and interest where a joined-up approach to messaging is required.
There is a risk that important messages both within the health system and beyond would not be coordinated effectively, leading to public confusion or unnecessary duplication.
B – Activities which could be scaled down if necessary
B1 - The GP bulletin could be produced more quickly as a word document.
Some of the functionality of the GP bulletin, such as the open rate information and information on which articles have been read, would be lost. Practice staff may not read the information if it is not easily recognisable as being an authentic source of information and does not look professional.
B2 - The staff magazine could be replaced by all-staff emails covering urgent issues specifically.
Staff morale could be negatively affected and the open rate of all-staff emails could decrease.
B3 - Proactive campaign and event work The impact and reach of the Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 33 of 37
OFFICIAL - SENSITIVE
could be scaled down. It could also be replaced with a face to face staff briefing.
CCG’s own campaigns and our support for national campaigns would be diminished. This would mean that fewer people receive important health and wellbeing information. Not all staff may be able to make a face to face event so may miss out on important information.
B4 - The extent of partnership communications work could be scaled back.
This could lead to confusion and duplication of messages or important messages being missed. There is also a reputational risk that the CCG is criticised for not working in a joined up way
B5 – Project websites could be scaled down or management moved to another organisation
There is a risk of incorrect or out-of-date information being available to the public
C – Activities which could be suspended if necessary
C1 The weekly staff round-up email could be suspended
Staff would not be as aware of policy updates, health stories in the media or training sessions.
C2 The Friday learning hours
Staff would not be as aware of ‘bigger picture’ health and social care information which could have a positive impact on their day-to-day work or personal circumstances.
C3 The design and printing of leaflets could a) be contracted out to an agency or b) information could be provided on simple word documents instead
This would be more costly and would probably take up more officer time than producing leaflets in-house. Information that is produced to a lower quality might not be as valued or trusted by patients.
C4 Suspension of patient and carer member meetings
Patient and carer members would not be aware of the issues facing local health services and communicate that to their communities. There is also an organisational reputation risk that the CCG does not appear to be meeting its public and patient engagement responsibilities.
Directorate/Team: HBL ICT
(Also see HBL ICT’s specific Business Continuity Policies and Procedures)
Key Contacts: Phil Turnock – HBL ICT Shared Services Director Simon Carey - HBL ICT Assistant Director, Business Relationships &
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 34 of 37
OFFICIAL - SENSITIVE
Assurance Keith Fairbrother – HBL ICT Head of Infrastructure Alex McLaren – HBL ICT Head of Governance and Compliance
Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued
A1 – Core Infrastructure Services and Connectivity Services
Loss of IT systems
A2 – Service Desk Unabale to receive and process ICT incidents
A3 – Messaging/ Unified Communications (including email)
Loss of IT systems
A4 – Clinical Applications (Externally hosted)
Loss of IT systems
B – Activities which could be scaled down if necessary
B1 – Procurement, Finance Loss of IT systems B2 – Asset Management Loss of IT systems B3 – File and Print/ Other applications
C – Activities which could be suspended if necessary
None identified N/A
Business Impact Assessment Summary
2017-07-05 BIA Grid.xlsx
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 35 of 37
OFFICIAL - SENSITIVE
Appendix 6 – Equality Impact Assessment Stage 1 Screening 1. Policy EIA Completion Details Title: Business Continuity Plan Names and Titles of staff involved in completing the
EIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management
Proposed Existing
Date of Completion: June 2017
Review Date: June 2018
2. Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public
3. Impact on Groups with Protected Characteristics Probable impact on group? High,
Medium or Low
Please explain your answers Positive Adverse None
Age
Being married or in a civil partnership
Disability, inc. learning difficulties, physical disability, sensory impairment etc.
Having just had a baby or being pregnant
Race, ethnicity, nationality, language etc.
Religion or belief
Sex (inc. being a transsexual person)
Sexual Orientation
Other:
No impact on any of the groups above.
No action to be taken/planned as a result of the equality impact assessment as the impact assessment showed that this policy had a neutral effect on each of the protected characteristics.
4. Which equality legislative Act applies to the policy? Human Rights Act 1998 Equality Act 2010 Health and Safety Regulations
Mental Health Act 1983 Mental Capacity Act 2005
5. How could the identified adverse effects be minimised or eradicated? N/A 6. How is the effect of the policy on different Impact Groups going to be monitored? N/A
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 36 of 37
OFFICIAL - SENSITIVE
Appendix 7 Privacy Impact Assessment Stage 1 Screening 1. Policy PIA Completion Details Title: Business Continuity Plan Names and Titles of staff involved in completing the
PIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management
Proposed Existing
Date of Completion: June 2017
Review Date: June 2018
2. Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public
Yes No Please explain your answers Technology Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)
Identity By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)
By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?
Multiple Organisations Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)
Data By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)
If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?
N/A
Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group
Page 37 of 37