BUSINESS CONTINUITY PLAN - NHS East and North ...€¦ · compliance with the Freedom of Information Act 2000. Training . Staff will be made aware of the emergency and business continuity

OFFICIAL - SENSITIVE

BUSINESS CONTINUITY PLAN

Additional copies of this plan can be found in the Incident Control Room located in MR1.2 on the first floor and also the on-call pack issued to Directors and

Managers.

Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group Page 1 of 37


DOCUMENT CONTROL SHEET Document Owner: Director of Operations Document Author(s): Director of Operations Version: 7.0 FINAL Directorate: Operations Approved By: Governing Body Date of Approval: September 2017 Date of Review: September 2018 Change History:

Version Date Reviewer(s) Revision Description

1.0 July 2013 Valerie Penn Updated following JW comments

2.0 August 2013 Valerie Penn General update following Draft Business Impact Assessments

3.0 October 2013 John Webster Whole Document Review – Updates to Plan, Business Impact Assessments and Policy Statement in line with EPRR Core Standards

4.0 November 2013

Valerie Penn Updated following Exec Comments

4.1 Draft January 2015 Oskan Edwardson Annual Update – for approval

5.0 Final January 2015 Jas Dosanjh Formatting

5.1 Final April 2015 Jas Dosanjh Sharn Elton

Appendix with contacts updated. Critical Functions of the Operations Director added to BIA Appendix

5.2 Final June 2015 Anne Ephgrave Critical Functions of HR added to BIA Appendix

5.3 Final July 2015 Phil Turnock Addition of ‘Objectives for the Recover of Services’ and updated Appendix 4 Critical Functions of HBL ICT Shared Service

5.4 Draft September 2015

Jas Dosanjh Sharn Elton

Update in line with NHSE EPRR Framework and Toolkit requirements

5.5 Draft February 2016 Jas Dosanjh Formatting and updated Business Impact Assessment included

5.6 Draft February 2016 R Steadman (No change recorded) 5.7 Draft March 2016 R Steadman Minor amendment to text on p.1

5.8 Draft July 2016 R Steadman Review of Business Impact assessments to ensure consistent methodology used and minor text changes

6.0 Final July 2016 R Steadman Updates confirmed following approval by Governing Body

6.1 Draft June 2017 R Steadman, Version history tracked and updated,

Business Continuity Plan East and North Hertfordshire Clinical Commissioning Group

Page 2 of 37


Implementation Plan:

Development and Consultation

EPRR Consultant Executive Team

Dissemination Staff can access this policy via the intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in CCG Publication Scheme in compliance with the Freedom of Information Act 2000.

Training Staff will be made aware of the emergency and business continuity response arrangements within the plan at their corporate induction training, and will also be made aware of where the overarching and departmental plans can be located. The skills and knowledge of Incident Commanders and staff at an operational level will be achieved and maintained through regular training and exercising as documented in the training and exercising annual programme which covers:

• Awareness training, including roles/responsibilities, • Incident coordination centre training, • Communications testing and exercising.

If there are any significant changes to the plan, then this will be communicated to departmental leads to cascade to all staff. Business Continuity arrangements w i l l be exercised at least once a year in order to validate the effectiveness and highlight any gaps which can then be corrected.

Monitoring and Review

This document will be reviewed on an annual basis or when there are changes in the working systems of the organisation; or major changes to the contact arrangements of staff or suppliers that affect the content. It is the responsibility of the identified departmental leads to update local departmental plans on an ongoing basis and the Business Continuity Lead to ensure the generic section of this document is kept update. The plan will be used/deployed when the ability of the CCG to carry out its statutory duties are compromised. The plan will be exercised and tested every two years; incident management will account to testing and exercising, in accordance with the processes defined within the Major Incident Plan (including testing with dependent stakeholders).

Darren O’Rourke, Jas Dosanjh

Business Impact Assessments reviewed and updated, contacts reviewed, Real time assessment template added as Appendix

6.2 Draft July 2017 Jas Dosanjh Minor amendments following feedback from team


Page 3 of 37


Equality and Diversity

January 2015 - Equality Impact Assessment (Appendix 6) January 2015 - Privacy Impact Assessment (Appendix 7)

Associated CCG Documents

Major Incident Plan System Escalation Plan Major Incident Action Cards Incident Control Centre Plan CCG on-call folder CCG Strategic Risk Register / Risk Controls and

Assurance Dashboard

References The ISO Standard for Business Continuity (ISO 22301) British Standard NHS Business Continuity Management

(BS25999)


Page 4 of 37


Contents Section No.

Section Name Page No.

1.0 Introduction 5

2.0 Scope 6

3.0 Purpose 7

4.0 Definitions 7

5.0 Role and Responsibilities 8

6.0 Plan Activation 8

6.1 Business Continuity Management Team (Crisis and Recovery Team)

9

6.2 Continuing Services in the Event of a Disruption 10

6.3 Insurance/Incident Costs

14

6.4 Communications and Alerts

14

6.5 Record Keeping

15

Appendix 1 Business Continuity Management – CCG Policy Statement

17

Appendix 2 Business Recovery Template 18

Appendix 3 Real Time Assessment Template

Appendix 4 Key Contacts List 20

Appendix 5 Business Impact Assessment - Template and Summary

21

Appendix 6 Equality Impact Assessment 57

Appendix 7 Privacy Impact Assessment 58


Page 5 of 37


1.0 Introduction

The Civil Contingencies Act 2004 came into force in November 2005 and focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders (such as CCGs) as Category 2 Responders. It is a requirement of the Act that the CCGs have Business Continuity Plans in place to support the CCG’s Major Incident Plan.

1.1 Policy statement

It is the policy of East and North Hertfordshire Clinical Commissioning Group (CCG) to develop, implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

It is the policy of the CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to respond appropriately and continue to deliver its essential functions and that we are able to respond to the needs of our local population. A service interruption is defined as:

‘Any incident which threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions.’ (www.cabinetoffice.gov.uk/ukresilience).

The CCGs Policy Statement is provided at Appendix 1.

1.2 Resources

The CCG recognises its obligations with regards to emergency planning, resilience, responding to major incidents and business continuity. Funds, as identified as being necessary, will be made available in the event of a major incident to ensure the CCG meets its obligations with respect to these.

1.3 Emergency Planning - Business Continuity The Cabinet Office’s “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders” describes seven expectations regarding the Civil Contingencies Act (2004), Regulations (2005) and guidance:

1. Duty to assess risk

2. Duty to maintain plans – Emergency Plan

3. Duty to maintain plans – Business Continuity

4. Duty to communicate with the public

5. Business Continuity Promotion

6. Information sharing

7. Cooperation

Clinical Commissioning Groups are Category 2 Responders and as such will be required to co-operate with Category 1 Responders in the event of an emergency. They are also required to have Business Continuity Plans and Major Incident Plans. These requirements will be achieved in three stages:


Page 6 of 37

http://www.cabinetoffice.gov.uk/ukresilience)


Stage 1 – A Business Impact Assessment: The impacts of the loss of staff, communications, data systems, transport and buildings. Appendix 5 provides details of the Business Impact Assessments undertaken at Departmental level within the CCG. Some functions are hosted by or delivered through contracts with other organisation’s, and where applicable details have been included within the assessments. The Business Impact Assessments include prioritized activities that have been linked to the Business Continuity Corporate Risks. The Business Impacts Assessments detail: - Responsibilities of key staff and departments, - Responsibilities of the appropriate Accountable Emergency officer or Executive

Director, Stage 2 - A Business Continuity Plan: The measures to be taken internally in the event of such a loss. The Business Continuity Plan will comprise the mitigating actions arising from the Business Impact Assessments, taking into consideration the key risks that could potentially cause service disruption resulting in the plans being evoked. Information of the key contacts that will instigate the relevant mitigating actions and the contact details of all staff that might have to undertake those actions are also included - be it communicating with others or changing their way of working. Stage 3 – A Major Incident Plan: The measures to be taken in support of Category 1 responders in the event of an ‘Emergency’. This details the organisation’s response to: • an event or situation which threatens serious damage to human welfare; • an event or situation which threatens serious damage to the environment; • War, or terrorism, which threatens serious damage to the security of the UK. The CCG is required to equip nominated staff with the Major Incident Plan, the Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans have been built on experience and will be subject to a desktop test, as part of best practice, in order that they are further refined. The result of the desktop testing will be reported to the CCG Governing Body.

2.0 Scope

The scope of this plan is to provide overarching organisational guidance of business continuity management and the invocation process within the CCG, and an outline of responsibilities. The following table indicates the links with other CCG and System Resilience Plans:


Page 7 of 37


Document

Community Risk Register The CCG is a Category 2 responder for Emergency Preparedness Resilience and Response which will be led by the NHS England Midlands and East (Central Midlands) Area Team. These plans will be owned by the Local Resilience Forum with input from the Local Health resilience Partnership. However, the CCG will have a role in planning for and responding to the relevant incident.

LRF Flood Plan

LRF Pandemic Influenza Plan

LRF Severe Weather Plan

3.0 Purpose

The purpose of the Business Continuity Plan is to outline the responsibility of the CCG and their staff in the event of a crisis in order to maintain as normal a service as practically possible. The over-riding aim is to ensure a prompt and efficient recovery of critical activities from any incident or physical disaster that may affect the CCG’s ability to operate and deliver their commissioning service in support of the NHS economy. It must be recognised that any event not only impacts on staff, premises, technology and operations, but also on the CCG’s brand, status, relationships and reputation and that all business continuity arrangements should ensure that the CCGs meet their legal, statutory and regulatory obligations to both their staff and dependent stakeholders.

4.0 Definitions 4.1 Business Continuity Management: Business Continuity Management is the process that helps manage the risks to the

smooth running of the organisation in the delivery of its services, ensuring that essential business can continue in the event of a disruption and can be sustained in the event of an emergency. It is aimed at reducing or eliminating the risks of business interruption and it is necessary to have contingency plans in place to ensure normal business functions can be resumed as soon as possible.

For the NHS, Business Continuity Management is defined as the management process that enables an NHS organization to: • Identify those key services which, if interrupted for any reason, would have the

greatest impact upon the community, the health economy and the organisation. • Identify and reduce the risks and threats to the continuation of these key services. • Develop plans which enable the organisation to recover and/or maintain core

services in the shortest possible time.

There are many and varied possible causes of service disruption; these may range from the loss of infrastructure e.g. offices; buildings; IT systems; managing a power cut or extreme weather to arranging service provision during an emergency or epidemic. These events may not be mutually exclusive i.e. extreme weather can lead to loss of electricity or staff being unable to get to work.

4.2 A Service Interruption can be defined as ‘Any incident which threatens

personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions’


Page 8 of 37


5.0 Roles and Responsibilities

Overall accountability for the smooth running of the organisation lies with the CCG’s Accountable Officer. The Director of Operations is the lead director for Business Continuity and will be responsible for providing positive assurance to the Governing Body on the CCG’s plans.

5.1 Executive Directors The Executive Directors are responsible for maintaining their individual services,

and for alerting the need to activate Business Continuity Plans if such an event occurs within their directorate.

5.2 Designated Associate Directors and Assistant Directors

The Designated Associate Directors and Assistant Directors must ensure that any changes of contact details of key staff noted in their plans are updated as required, that their Directorate plans are reviewed at least annually and that any new services that are developed are included in the plans.

5.3 Lead for Emergency Preparedness, Resilience, Response and Business

Continuity

The Director of Operations is the lead for Emergency Preparedness, Resilience, Response and Business Continuity, providing specialist guidance during the invocation of the Business Continuity Plans in line with the Major Incident Plan. The Chief Finance Officer takes the lead for the day-to-day Business Continuity arrangements within the CCG, which is a critical function of the organisation.

5.4 Communications Team The Communications Team will be responsible for informing the public of events

where necessary, following agreement of the Accountable Officer or Director of Operations (designated deputy), and will also keep staff informed of developments as appropriate.

5.5 CCG Staff All CCG employed staff are responsible for co-operating with the implementation of

the Business Continuity Plans as part of their normal duties and responsibilities. 6.0 Plan Activation

A nominated post holder from each department will decide in discussion with the Heads of Department and the Director of Operations whether the plan or any part of it should be activated using the process in the following flow chart. Out of hours the decision will be made with the direction of the on call CCG director/manager


Page 9 of 37


6.1 Business Continuity Management Team (Crisis and Recovery Team)

A team will be convened t o oversee the process of ensuring essential services are maintained and that recovery plans are put into place, Membership may include the following:

• Director of Operations or nominated Deputy • Associate Director where incident has occurred • Assistant Director of Communications • Estates representation (as required) • Any other personnel deemed necessary, i.e. representative of HR,

specialist advice, etc.

The team will meet initially on a daily basis and will keep notes of the meeting, actions taken, resources committed, and progress made using the template a t Appendix 2.

Incident Control Centre location and resources: located in room MR1.2 on the first floor, Charter House, WGC. Includes additional paper copies of this Plan.

The Major Incident Plan includes the scalable plan setting out how the command and control arrangements will be managed and by whom.


Page 10 of 37


6.2 Continuing Services in the event of a Disruption

As part of the Business Impact Assessment process, a critical function analysis has been carried out to determine those parts of the service that are a priority to maintain or reinstate. The CCG is responsible for commissioning a wide range of patient services to the local population and the following will be restored and maintained as soon as is practically possible.

• Maintaining an emergency response and support to Category 1 responders; • Incident investigation; • Mobilisation of the workforce, and support for staff safety and welfare; • Provision of IT (through a shared service (called Herts Beds and Luton ICT

Shared Service) with ENHCCG as the host for this service); • Maintaining communications with the general public and CCG staff; • Essential Finance functions; including the making and receiving of payments; • Essential HR processes; • Safeguarding adults and children; and • Continuity of contract management responsibilities • System leadership role.

Objectives for the Recovery of Services

The recovery of Services in a Disaster Recovery or Business Continuity scenario is defined by two Objectives:

Recovery Time Objective (RTO): is defined as the time period after a disaster at which business functions need to be restored.

Recovery Point Objective (RPO): is the maximum period of time based data loss (relative to the disaster) which cannot be recovered.

The Business Impact Assessments include details of the activity surge plan to ensure that critical services are maintained in periods of peak activity, including the maximum periods of tolerable disruption for all critical activities, and how the recovery/restoration principles will be managed and by whom. The critical function analysis also identifies those functions that are less critical and could be suspended, in light of the RTO and other timescales that may be identified within the Business Impact Assessments.

Service Function Length of time function can be suspended

Financial management 7 days

Planning services - preparing commissioning plans 28 days Commissioning services through pathway development and redesign 28 days

Contract management – acute contracts 14 days

Contract management – community and third sector 14 days

Performance and data analysis 14 days


Page 11 of 37


Governance duties to ensure continuous compliance with statutory duties 14 days

Partnership working to ensure joined up working to improve the health and wellbeing of patients 14 days

Support and guidance to member practices 14 days

Quality and safety 14 days

Administration 14 days

If an incident occurs and this plan is activated, permission will be sought from the Accountable Officer, or in their absence the Director of Operations (or nominated Deputy) to suspend the mainstream service functions detailed above and release the CCG staff who cover these functions to provide support to critical functions provided in other areas of the CCG.

The plan will be activated in accordance with the processes outlined in the Major Incident Plan and the Incident Control Centre Plan, including the escalation system in place and who assumes responsibility at each stage (as well as action cards and aide memoirs for use by key team members). Through the Business Impact Assessments, each department has identified its own critical functions that are required to maintain its service and have their own local departmental plans which a r e accessible in both paper copy and electronically. It is the responsibility of designated Associate/Assistant Directors to communicate the location of these plans to their staff.

In the event of an emergency, or business interruption, the CCG will endeavor to maintain services as usual or as close to the usual standard as possible. However, where it is clear that this is not achievable, the Head of Service in conjunction with the Director of Operations (or on-call Director/Assistant Director if out of hours) will decide which priority functions of the department must continue, depending on the nature of the business interruption.

There are some generic areas that could potentially affect all departments and these are described below:

6.2.1 Failure of IT Systems

The CCG, like many organisations, rely upon IT systems for their day to day business. A disaster that prevents the organisation from accessing these systems whether caused by the failure of the systems themselves, or being due to an incident such as fire or flooding will potentially have a serious impact on the continuation of the CCG’s functions. IT system failures may include:

• Loss of email, • Loss of internet, • Loss of Microsoft Office Applications, • Loss of access to stored documents (shared server), • Loss of individual IT systems/applications, • Major IT network outage.

While it is impossible to consider and document a recovery plan for every disaster that may occur the impact of the loss of IT systems to each department is covered


Page 12 of 37


in the individual departmental plans and it is expected that they can be adapted to cater for any specific incident. If there is a failure in the IT system or any stand-alone computer for important data for a prolonged period of time, staff will need to change to a paper back-up system where possible to capture the data so that this can be recorded on the system retrospectively.

The development of telecommunications that are reliant upon the IT network makes it likely that telephone failure will also result from any IT network failure. The priority in which restoration is required will depend on the service area and is detailed in individual departmental plans.

If there is a loss of hardware or software through theft or damage then advice should be sought from the IT provider and the incident reported to the CCG’s Governance and Corporate Affairs (via the Company Secretary).

The maintenance of the CCG IT systems is provided by the Herts Beds and Luton ICT Shared Service (HBL ICT) under a Service Level Agreement (SLA). Under the terms of this SLA, HBL ICT will invoke their Emergency Disaster and Recovery Plan to cope with any event causing prolonged interruption of service.

The standard RPO and RTO within the agreed partnership service agreements is:

• RPO – 1 day from date of failure • RTO = 24 hours from the time of failure

Restoration of services will be managed through the agreement ICT Major Incident processes which will include full engagement of the CCG executive. Whereby the standard RPO or RTO cannot be achieved, this will be brokered with the CCG Executive during the respective phases of the Major Incident process.

6.2.2 Failure of Telecommunications

The telephone lines are provided under contract with BT, and the system is under a maintenance contract with Vodafone.

Each departmental plan identifies in more detail the actions required should the telephone systems (including mobile telephony) be inactive. The priority in which restoration of phone lines are required will depend on the service area and if crucial will be detailed in individual departmental plans.

CCG contact in the first instance: HBLICT Service Desk on 07799 895274* (Note:- this number is only activated if the Phone System is down at Charter House).

If electricity has failed then prior consideration needs to be given to the ability to recharge mobile phone batteries.

6.2.3 Loss of Records

Where there has been a loss of records (electronic and paper), the processes defined within Records Management Policy will be followed. Each departmental plan identifies in more detail the actions required should there be a loss of electronic/paper records.


Page 13 of 37


6.2.4 Failure of Utilities – Electricity / Gas / Water Supplies Resolution is via NHS Property Services, the CCG contact in the first instance is NHS Property Services.

The fault should be reported and a request made as to whether they are able to give an indication of the length of time the supply will be unavailable.

If heating is lost an assessment should be made to the effect of the loss of the heating related to the time of year and the forecast temperature as to whether services can continue from the affected location.

For plumbing emergencies: contact NHS Property Services

In the event that the water supply fails, impact of the following must be assessed:

• Toilets • Hand hygiene • Drinking water

6.2.5 Loss of Building

If premises are unable to be used then services may need to be suspended or relocated. Local departmental plans detail who to contact and measures to be taken where there is a denial of premises (including actions taken in the event of a fire or flood).

Alternative locations for staff will include HCT HQ at Howard Court, HPFT HQ at Waverley Road, St Albans and HVCCG HQ at Hemel Hempstead. Initiation of these arrangements will be agreed by the Director of Operations (or nominated Deputy) or by agreement with the on-call Director/Manager. The Incident Control Centre Plan includes information on alternative locations where the service/activity could be delivered from in case of denial of access to Charter House and Fountain House. The plan also includes details of any provisions for staff to be accommodated overnight if the incident dictates and how this would be activated via pre-agreed arrangements.

6.2.6 Fuel Shortages

In the event of a fuel shortage the ability to maintain services may be affected. If it has been necessary for the invocation of the National Fuel Plan then the Business Continuity Management Team will be convened to oversee the management of the situation within the CCG

It is unlikely there will be provision of fuel for staff to get to their work base and the responsibility for alternative travel arrangements is with the individual members of staff in discussion with their line manager.

6.2.7 Staff Shortages

The absence of staff will have a varying effect depending on their role. In some cases roles can be covered by other staff but others may be highly specialised and necessary arrangements will be detailed in departmental plans as to whether a service can continue particularly if the service depends on that person alone. Potential threats related to staff shortages include;


Page 14 of 37


• Loss of staff (>25%), • Serious injury to, or death of, staff whilst in the office, • Significant absence due to severe weather or transport issues, • Pandemic flu, • Simultaneous resignation or loss of key staff.

There may be a scenario when a number of staff are all incapacitated at the same time such as pandemic influenza. The departmental manager will be responsible for assessing the impact on the ability to continue to provide a service and what contingencies can be put in place, and whether some non- critical services can be cancelled as detailed in the individual departmental plans.

6.2.8 Other

Other areas that could potentially affect departments may include the following, this list is not exhaustive:

• Terrorist attack or threat affecting the transport network or office locations • Theft or criminal damage • Chemical Contamination • Infectious disease outbreak • Industrial action • Fraud, sabotage or other malicious acts

The Severe Weather Response Plan includes details regarding the impact of severe weather (including snow, heat wave, prolonged periods of cold weather and flooding), and should be referred to in such circumstances.

6.3 Insurance/Incident Costs The insurance arrangements in place which may apply to incidents are:

• Corporate Liability Insurance • NHS Resolution

The incident costs will be tracked by use of unique cost centres to assist and supplies/replacement equipment will be managed/maintained throughout the disruptive incident via a specific EP cost centre.

6.4 Communications and Alerts

The CCG will respond to a significant incident in line with the formal organisation Communications Strategy and processes defined within the Major Incident Plan.

The Major Incident Plan sets out the alerting mechanism for external and self-declared incidents, including trigger points and escalation procedures. If an event occurs that is so severe that alternative arrangements for the provision of care commissioned by the CCGs need to be communicated to internal and external stakeholders, as well as the local population, this will be carried out via the Assistant Director of Communications after discussion with the Director of Operations.

The internal (Appendix 4) and external stakeholders that could be affected by the disruptive incident, especially around service delivery, could include the following and


Page 15 of 37


specific details have been included within the Business Impact Assessments:

• Providers including Primary Care, • Neighboring CCG’s, • Social Care, County and Borough Council.

The process for receiving and cascading warnings, and other communications before, during and after a disruption or significant event, and any resilient communication systems used is as follows:

• Alerts (i.e. Met Office) received into the CCG’s EPRR mailbox ([email protected]) are cascaded by the Operations Team to all Senior Managers, AD’s and Directors on-call,

• For incident management, the CCG has a secure nhs.net email account, • The Incident Control Centre Plan documents how Senior Managers, AD’s and

Directors can remotely access the account.

Mechanisms for informing the relevant partners including, but not limited to, other CCG’s, NHS care providers, and NHSE detailed in the Major Incident Plan. There is also a Hertfordshire Communications Group in place to support the management of consistent messaging to the public.

6.4.1 CCG On-Call Arrangements

The 24-hour arrangements for alerting managers and other key staff are in place as per the CCG on-call system arrangements in/out of hours, which are as follows:

• All calls centrally received to the CCG on-call phone to be answered by the allocated Senior Manager/AD/Director on-call as per the centrally agreed rota

• 09:00 – 17:00 Monday to Friday (in hours) – Day Manager on-call acts as first point of contact. Although the Director On-call maintains overall responsibility.

• 17:00 – 09:00 Monday to Friday, and weekends/BH (out of hours) – AD/Director on-call acts as first point of contact.

The contact details (including relevant key stakeholders) are updated on a 6-monthly basis as part of the review of the CCG on-call folder, and HR hold a list of all staff contacts which can be accessed remotely via the intranet.

6.4.2 Local Cooperation

The Major Incident Plan documents how the independent healthcare sector may be used in a disruptive incident to assist in service delivery. It also outlines how mutual aid from other NHS providers can be requested if a disruptive incident occurs.

6.5 Record Keeping

The processes for the listed actions below will be managed in accordance with the guidance as outlined in the Major Incident Plan, including details on how the;

• organisation will maintain their incident logs, and minutes of meetings during and after the meeting,

• post incident report will be produced including how a debrief will be held to identify lessons,

• lessons identified from the incident will affect future plans.


Page 16 of 37

mailto:[email protected]


Appendix 1 Business Continuity Management Policy Statement “Business Continuity Management (BCM) is an important part of NHS East and North Hertfordshire CCG’s risk management arrangements. The Civil Contingencies Act (CCA) 20041 identifies all CCGs as ‘Category 2 Responders’, and imposes a statutory requirement on each CCG to have robust BCM arrangements in place to manage disruptions to the delivery of services.

It is the policy of NHS East and North Hertfordshire CCG to develop implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

The aim of Business Continuity Management is to prepare for any disruption to the continuity of the business, whether directly - i.e. within the responsibility control or influence of the business, or indirectly - i.e. due to a major incident occurring to a partner, supplier, dependent or third party, or from a natural disaster.

It is recognised that plans to recover from any disruption must consider the impacts not only to our staff, premises, technology and operations, but that NHS East and North Hertfordshire CCG must also plan to maintain its brand, status, relationships and reputation.

Business Continuity arrangements should ensure that the CCG continues to meet i t s legal, statutory and regulatory obligations to its staff and to its dependent stakeholders. All NHS East and North Hertfordshire CCG departments are to continue to develop and implement BCM for their areas of business.

In order for this to be achieved, members of each department have been nominated as Business Continuity Leads to represent their part of the business for Business Continuity Management. These individuals are responsible for reviewing and maintaining the departmental Business Continuity arrangements within the CCG. To ensure that the BCMS fully meets the changing needs of the business all Business Continuity Plans will be exercised, reviewed and audited annually.

In accordance with the NHS England Guidance2, NHS East and North Hertfordshire CCG BCMS will be in accordance with and aligned to the ISO 223013.”

…………………………………………………… …………………………… Beverley Flowers Date Accountable Officer

1 NM Government (2004) Civil Contingencies Act 2 NHS England (2013) Board Business Continuity Framework 3 ISO 22301 Societal Security - Business Continuity Management Systems – Requirements


Page 17 of 37


Appendix 2 Business Recovery Template Reason for Invoking Plan: Date: Time: Brief Summary of Situation: Department/s Affected: Other Organisations Involved / Alerted: Date:


Page 18 of 37


Actions Required (including Resources)

By Whom Communication requirements

Status Update

Immediate:

Within 8 Working Hours:

Within 1 Working Day:

Within 3 Days:

Within 1 Week:

Situation to be reviewed every ……….. hrs / ……. days


Page 19 of 37


Appendix 3 Real Time Assessment Template: This form should be completed, during a Major Incident that has affected your working environment, based on the information within the Business Impact Assessments (Appendix 5) and sent to your Executive Director.

Functional Area (Directorate/Team): ……………………………………………………………... Prioritisation category

Essential/ Priority Area (Linked to BIA categories)

Current Impact

Actions Required (Work around including resources required, communications and who is to carry out the activity)

Status Update

Serious impact within the next 24 hours with no work around

Serious impact within the next 24 -48 hours with no work around

Work around that will cover for next 3 days

Work around that is sufficient for >3days

No impact within next 7 days or longer

Situation to be reviewed every ……….. hrs / ……. days



Appendix 4 Key CCG Contacts

On Call Member Role Email Work Mobile Work Number

1 DENISE BOARDMAN Programme Director, ENHCCG

2 HARPER BROWN Director of Commissioning, ENHCCG

3 JO BURLINGHAM Assistant Director Operations, ENHCCG

4 SUNDAY ADENIYI Deputy Chief Finance Officer, ENHCCG

5 SHARN ELTON Director of Operations, ENHCCG

6 SARAH FEAL Company Secretary, ENHCCG

7 BEVERLEY FLOWERS Accountable Officer, ENHCCG

8 JAMES GLEED Associate Director Commissioning Primary Care ENHCCG

9 BARBARA HARRISON AD Commissioning, ENHCCG

10 EDWARD JAMES AD Financial Services, ENHCCG

11 GERRY MOIR Assistant Director Performance, ENHCCG

12 NUALA MILBOURN Assistant Director of Communications, ENHCCG

13 ALAN POND Chief Finance Officer, ENHCCG

14 SHEILAGH REAVEY Director of Nursing and Quality, ENHCCG

15 CATH SLATER Assistant Director of Quality and Patient Safety, ENHCCG

16 HEIN SCHEFFER Director of Workforce

17 JAMIE SUTTERBY Assistant Director, Health Integration, E&N Herts CCG and Hertfordshire County Council

18 TRUDI SOUTHAM Assistant Director of Locality and CCG Commissioning, ENHCCG

19 PHIL TURNOCK ICT Shared Service Director, HBL ICT, ENHCCG

20 PAULINE WALTON Assistant Director - Head of Pharmacy and Medicines Optimisation










mailto:%[email protected]













Appendix 5 Business Impact Assessments * The full Business Impact Assessments can be accessed via the local network drive.

CRITICAL FUNCTIONS*:

Operations Directorate

• Operations and Resilience p.24

• Continuing Healthcare p.24

• Human Resources p.25

Nursing and Quality Directorate:

• Quality Team p.26

Finance Directorate:

• Finance (including Financial Services, Contracting, Information Team) p.28

• Governance and Corporate Affairs p.29

Commissioning Directorate

• Commissioning Team p.30

• Pharmacy and Medicines Optimization p.31

• Programme Office p.32

Chief Executives Office:

• Communications (including Engagement) p.33

HBL ICT p.36

Contingency - Priority for the Restoration of Services [Recovery Time Objective (RTO)]:

1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an

essential service/function 2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band 3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not

prevent provision of an essential service/function 4. Important: Within 3 days – Will affect services without causing danger to patients 5. Necessary: Within 7 days – Minor disruption to services 6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience 7. Non-Urgent: Within 28 days – Will involve non-urgent repair

Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group

Page 22 of 37


Directorate/Team: OPERATIONS DIRECTORATE: Operations and Resilience Team

Key Contacts: Sharn Elton – Director of Operations Jo Burlingham – Assistant Director of Operations and Resilience Phil Lumbard – Assistant Director Urgent Care Gerry Moir – Assistant Director Performance Jo Field – Head of Performance

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Provide System Leadership Quality of services and experiences of our patients System oversight

A2 – Maintain emergency and day to day operational management A3 – Maintain on call response in and out of hours A4 – Maintain category 2 responder role

B – Activities which could be scaled down if necessary

B1 – Performance oversight and delivery Quality of services and experiences of our patients System oversight

C – Activities which could be suspended if necessary

C1 – Attendance at external meetings where the CCG is a partner

Partnership working Service developments/Decision Making

Directorate/Team: OPERATIONS DIRECTORATE:

Continuing Healthcare

Key Contacts: Sharn Elton – Director of Operations Alison Sansom – Assistant Director CHC Alison Rees – Business Process Manager


A1 – Responding to new fast track referrals (case management of care packages) to ensure safety and well-being of patients

If not responded to on the same day there could be a risk to patient care and a delay in discharge effecting patient flow in and out of the acute sector

A2 – Ensuring CHC functions are performed in relation to procurement of placements

Those individuals will not be in receipt of appropriate package of care or would be delayed within a hospital setting


B1 – Responding to new non-fast track referrals (adults case management of care packages)

Delays in transfers of care or risk of patients having an inadequate package of care at home

B2 – Ensuring eligibility and maintenance of Funded Nursing Care process

Care homes will not be reimbursed in a timely manner


C1 – Case management or reviews Delay in review process resulting in patients possibly having an inadequate package of care at home


Page 23 of 37


Directorate/Team: OPERATIONS DIRECTORATE:

Human Resources

Key Contacts: Sharn Elton – Director of Operations Hein Scheffer – Director of Workforce Louise Thomas – AD Human Resources and ODL Wendy Bourne – Senior Humana Resources Business Partner


A1 – Delivering statutory functions, including staff pay

If staff are not paid on time, it may result in difficulties regarding their personal situation and/or non-/limited working

A2 – Performing HR functions ensuring ability to respond to basic HR issues and concerns, including staff wellbeing

Risk of employment tribunal if could not perform HR functions.

A3 – Maintenance of HR compliance for safety of the organisation and staff

Risk of litigation and fines from violation of regulations and lack of compliance.

A4 – Recruitment of staff to core functions

Potentially a gap if critical core functions not recruited to (clinical safety, staff wellbeing)


B1 – Management of ER cases/issues

Legal challenge where management is not within set timescales.

B2 – Reporting to the Executive regarding adherence to statutory governance arrangements

Risk of being unable to roll out a statutory change within required timeframe.


C1 – Corporate Induction training programme

Risk new starters wouldn’t receive some of their mandatory training and not gain the understanding of how the CCG operates.

C2 – Policy reviews Risk that they would not be conducted within required time frame.

C3 – Mandatory Training such as IG training & Learning and Development.

Risk of IG breach due to lack of training and non-compliance with regulations.

C4 – Joint partnership forum Risk of industrial action.


Page 24 of 37


Directorate/Team: Quality and Nursing Directorate:

Quality Team

Key Contacts: Sheilagh Reavey – Director of Quality and Nursing Cath Slater – Associate Director, Quality and Patient Experience (BC

Lead) Jessica Linskill – Lead Nurse, Quality


A1 – Responding to urgent safeguarding alerts, issues and requests for consultation at designated Nurse level

If alerts, issues not actioned potential safety risk to patients

A2 – Complaints and PALS; responding to and actioning urgent concerns raised

If urgent issues not addressed, potential harm to patients could occur A3 – Hotline enquiries relating to patient

safety or urgent issues A4- Serious Incidents; any new SIs identified to be shared with providers for immediate action and investigation A5 – Infection Control – outbreak management; including PIR’s (for MRSA) A6 – Responding to CQC inadequate judgements of primary care facilities, for patient safety reasons A7 – Participating in Risk Summits


B1 – Full range of statutory functions for safeguarding adults and children, e.g. SARS, DHRS, SCRS, etc. Notifications to Designated counterparts for LAC placed out of area

Statutory requirements may not be met. Delay in learning from incidents, deaths, etc. Other providers’ work held up. Risk that Looked After Child could have difficulties accessing health services in local placement

B2 – Complaints and PALS; routine processing of enquires received

Local and national targets may not be met, patients dissatisfied with service provided and concerns remain unresolved.

B3-Serious Incidents; co-ordination and review of provider Sis, Datix inputting

National timescales may not be met. Risk that quality issues in provider RCAs may not be identified, affecting learning from SIs

B4- Hotline; processing of routine enquiries

Risk that local targets will not be met. GPs dissatisfied with service and key themes not identified.

B5 – Infection Prevention and Control: HCAI case reviews and surveillance, C-Difficile appeals

Statutory requirements may not be met, delay in identifying lower level risks, providers have delay in appeal outcome decisions

B6- Quality Assurance; undertaking Quality Review Meetings, Quality Visits, analysing and monitoring providers in relation to wide range of quality standards, such as LAC IHA’s, Quality

Lack of assurance to CCG, may be delay in identifying quality issues. Direct impact on patients if processes such as LAC IHA or


Page 25 of 37


Schedule requirements, etc acute trust target performance deteriorates

B7- Individual Funding Requests, Prior Approval and Choice; processing of funding requests and providing patient choice service (NB: urgent CFT requests not graded in section A above due to protocol enabling retrospective agreement cases where delay will lead to significant harm)

Risk that procedures will be undertaken that would not have been approved for funding. Risk that patients will not be offered choice. Risk that protocol not followed, leading to patient harm

B7 – Reporting to NHSE National timescales may not be met; NHSE action over CCG failure to report


C1 – CQUIN/ Quality Schedules; on-going monitoring and contract negotiation cycle

Lack of development of schemes could affect future provider contracts. Performance issues may not be identified in a timely way, however key issues would be identified via alternative functions.

C2 – Regular reporting to Quality Committee, Governing Body, localities etc.

Low risk, key issues and headlines would be shared with committees and GB as required.

C3 – External and internal meetings on wide range of quality and clinical topics

Lack of assurance to CCG, may be delay in identifying quality issues. Lack of progress on areas of quality improvement Staff effectiveness may be reduced due to lack of coordination.

C4 – Staff training Lack of development of staff, Lack of updating, if mandatory training risk that local targets/national requirements may not be met; loss of money if training place already booked.

C5 – Training delivery Lack of development of provider trust etc. staff, loss of money if venue etc. already booked

Directorate/Team: Finance Directorate:

Financial Management, Contracting, Information Team, Financial Services

Key Contacts: Alan Pond – Chief Finance Officer Sunday Adeniyi – Deputy Chief Finance Officer Holly Fairhurst – Assistant Director of Contracts David Hodson – Head of Information Edward James – Assistant Director Financial Services

Essential/Priority activities undertaken: Risk to activities:


Page 26 of 37


A – Activities which must be continued

A1 – Management of the DoS DoS unable to be re-profiled A2- Authorisation for patient transport Delays to authorising transport

requests A3 – Payments to key suppliers / NHS Trust and other healthcare providers

Payments to staff, key supplies to services & service disruption


B1 – Access to invoicing and payments system within 3 days

Impact on ability to manage the CCG with risk of statutory requirements not being met and other financial objective not being achieved

B2 – Monitoring financial position within 3 days (within 1 day if within first week of month)

Unable to provide support to provider organisations

B3 – Monthly reports to NHSE and Annual Accounts (if the latter in March or April)

Loss of reputation, failure to achieve CCG statutory duty

B4 – Finance support to commissioning Loss of financial control/delays in agreeing contracts if January/February/March

B5 – Financial planning Delays in agreeing investments/savings/contracts

B6- Response to FOIs Delay in responding to FOIs B7- Sending monthly validations to Providers

Financial loss to CCG if providers are not in agreement to revise deadlines for validations to be submitted

B8- Contract sign off No contract in place between CCG and Providers

B9- Enacting Contract Levers (Information Breach Notices and Contract Performance Notices)

Delays to implementing contract levers

B10 Scale down payments frequency and move to urgent payments only

Loss of Reputation. Cash flow issues to small suppliers. Possible impact on delivery goods and services.

B11 Extend the time between reviewing and reconciling ledger to key control accounts

In the short term ledger may not be a true reflection of spend. Cash forecast targets may not be achieved


C1 – Monthly reports to Governing Body and localities

Loss of financial control if long period

C2 – Finance support to business cases and localities

Delays in proceeding with investments or wrong decisions taken

C3 – Production of monthly budget statements re running costs

Loss of financial control if long period

C4 – Attendance at Contract Review Meetings with Providers

Unable to hold Providers to account and implement contractual levers where required

C5 – Credit control Short term cash issues


Page 27 of 37


Directorate/Team: Finance Directorate:

Governance and Corporate Affairs Team

Key Contacts: Alan Pond – Chief Finance Officer Sarah Feal – Company Secretary Jas Dosanjh – Head of Risk Management (BC Lead)


A1 –) Day to day management of On-call rota

Risk that in and out of hours response will not be available centrally

A2 – Letter of claim related to C3 needs to be sent to NHSLA within 24 hours

Risk that CCG will not be adequately protected from legal claims


B1 – Coordination of FOI responses (target of 85% within 20 days)

If target not met, action could be taken by Information Commissioners Office

B2 – Reporting of IG breeches (need to notify ICO within 48 hours)

If target not met, action could be taken by Information Commissioners Office

B3 – Administration of meetings – minutes/ papers for the Governing Body, Governance and Audit Committee, Quality Committee, IG Forum

Loss of record of accountability / decision making/ record keeping / public record

B4 – Managing Conflicts of Interest Requirement to declare in accordance with Health and Social Care Act. CCG Constitution requirement to keep register up to date.


C1 – Provision of Training (Risk Management, including Health and Safety)

Statutory and Mandatory training requirement may not be met

C2 – Managing Gifts and Hospitality Register

Reporting requirement to Governance and Audit Committee

C3 – Coordination of Clinical Negligence Cases from Solicitors to enable reporting to NHSLA

14 day turnaround with NHSLA

C4 – Updating of policies/procedures Staff wellbeing - access to current guidance

C5 – Coordination of the Strategic Risk Register and Risk Controls Assurance Dashboard updates

Information may not be current, however updated three times/year , low risk

C6 – Coordination of Internal Audit reports/recommendations

Head of Internal Audit opinion, if the CCG can’t provide assurance for implementation of


Page 28 of 37


recommendations C7 – Administration of IG toolkit Around annual reporting time (end

of March) Directorate/Team: Commissioning Directorate:

Commissioning Team

Key Contacts: Harper Brown - Director of Commissioning (BC Lead) Trudi Southam - Interim Associate Director Planned Care (Deputy BC

Lead) James Gleed – Associate Director Commissioning and Primary Care

Projects Barbara Harrison - AD Commissioning


A1 – Coordination of Primary Care Capacity and Liaison with Area Team (NHSE)

Managing access to primary care and impact on secondary care, A&E etc.

A2 – Responsiveness to commissioned services for urgent patient specific queries/clinical management

Impact on timeliness in providing advice

A3 – Urgent communications to Primary Care

Public Health Communications / Significant Service Provision Failure / Serious Incidents

A4 – Primary Care Quality Assurance

Delay in investigating / resolving patient safety concern.


B1 – Approval mechanism to authorize payments by finance directorate

Impact on ability to meet financial obligations re payments and risk of Primary Care service disruption

B2 – Management of Locality Meetings and Target Events

Impact on ability to maintain clinical engagement and locality focused commissioning/decision making

B3 – Service Redesign/Development Programmes

Delay in delivery of quality and performance improvements

B4 – Performance monitoring for CF /Enhanced Services

Risk that local targets will not be monitored against agreed timescales.

B5 – Research management and development

Failure to discharge statutory duties with resultant loss of income/ delay to clinical studies.


C1 – Non urgent meetings Disruption to CCG/Directorate programme of work

C2 – Strategic healthcare estates planning

Failure to meet DH Target dates and missed opportunities to secure national funding.


Page 29 of 37


Directorate/Team: Commissioning Directorate:

Pharmacy and Medicines Optimisation Team

Key Contacts: Harper Brown – Director of Commissioning Pauline Walton - AD & Head of Pharmacy & Medicines Optimisation Sue Russell - Lead Pharmacist (CCG Localities) Stacey Golding - Lead Pharmaceutical Advisor – Governance Maxine Davis - Lead Pharmaceutical Advisor - Care Prescribing Colin Sach - Lead Pharmaceutical Advisor - Acute Commissioning


A1 – The provision of clinical support and personnel for ‘front line’ patient facing services at times of pandemic and/or other public health emergencies

Inappropriate/delayed clinical advice and treatment Financial risk


B1 – To ensure the provision of expert prescribing advice in a timely manner to GP practices, non-medical prescribers, pharmacists, Acute and MH Trusts etc

Clinical risk, financial risk, reputational risk

B2 – To ensure the strategic oversight of medicines optimisation and patient safety B3 – The provision of expert advice concerning the clinical pathways

B4 – Non medical prescribing approval of applications and support for prescribers and dispensers around all primary care secure and non-secure supplies B5 – Local/national initiatives such as raising antibiotic awareness

B6 - Signing off invoices B7 – The provision of weekly clinical support to intermediate care beds in St Christopher’s Hatfield, Woodlands Nursing Home Stevenage, and Osbourne Court Baldock)

No medicines reconciliation, patients in intermediate care not receiving the correct medicine. Contractual obligations to BUPA and Four Seasons

B8 – Individual treatment requests, high cost drugs and invoice validation

Financial risk if drugs are funded that would not normally be approved. In breach of NICE guidance Risk of judicial review Reputational risk

B9 – The provision of expert advice to CCG commissioners on the managed entry of new medicines and medical devices

B10 – Clinical medication reviews of care home patients – Vanguard Project

Limit to responding to urgent queries from the quality team. Risk of not meeting outcomes required by Vanguard

C – Activities which could be suspended if

C1 – The oversight of every aspect of financial management in respect of prescribing and medicines usage

Financial risk


Page 30 of 37


necessary C2 – Locality prescribing meetings, Hertfordshire Medicines Management Committee, Primary Care Medicines Management Group

Clinical risk

C3 – Monitoring of prescribing, key performance indicators

Clinical and financial risk

Directorate/Team: Commissioning Directorate:

Programme Office

Key Contacts: Harper Brown – Director of Commissioning Rachel Joyce – Medical Director Grant Neofitou – Head of Programme Office Gillian Catchpole – Senior Project Manager


None identified N/A


B1 – Administration of meetings – minutes/ papers for OPD, Long Term Conditions Committee, Stroke Programme Board

Loss of record of accountability/ decision making/ record keeping/ public record/ access to important documents on the network drive

B2 – Attendance at meetings Loss of face to face to contact as part of normal business processes

B3 – Telephone access Reliance on email or face to face contact with relevant colleagues


C1 – Reporting of projects and work streams

Lack of information to commission and plan services.

C2 – Usual place of work Not all staff have remote access working

Directorate/Team: Chief Executive Office:

Communications (including Engagement)

Key Contacts: Beverley Flowers – Accountable Officer Hari Pathmanathan - Chair of Governing Body Nuala Milbourn – Assistant Director Communications Susan Haigh – Communications Manager Fiona Winspear – Communications Manager (CAMHS) Carol Leach – Communications Manager (Vanguard) Ewan Marshall – Web development and digital communications officer Lynda Dent – Head of Patient Engagement Mark Edwards – Patient Engagement Manager

Essential/Priority activities undertaken: Risk to activities:


Page 31 of 37


A – Activities which must be continued

A1 - Communications to GP practices about service disruption, service suspensions or other issues affecting business continuity. Including :-

1. Acute in-hours home visiting service

2. Problems with capacity at the hospital trust

3. Appeals for doctors to assist with additional shift with Herts Urgent Care

4. Information about industrial action

5. Severe weather advice and guidance

6. Loss of referral routes or services due to factors outside of the CCG’s control

7. Sending messgaes on behalf of HBL ICT on cyber security

8. Assisting the Quality Team with issuing Health Professional Alert Notices (HPAN) which are used to inform NHS bodies and others of healthcare professionals whose performance or conduct gives rise to concern

This would mean that GPs would be unaware of the service disruption, suspensions or other issues resulting in :- - Continuing to refer very poorly patients to the acute in-hours visiting service when there is no capacity for them to be visited at home. -Continuing to refer to patients to A&E where they could experience a long wait for treatment. As a result they might not seek alternative treatment pathways for their patients. - GP practices would not be able to encourage GPs to make themselves available for additional shifts to help Herts Urgent Care to deliver services at pressurised periods. CCG guidance on the implications of industrial action for primary care would not be issued directly to practices. Severe weather information and advice for patients and practices – such as heatwave information for vulnerable patients or changes to pathology sample collection times due to bad weather, could not be issued Urgent changes to referral information, such as a loss of a particular fax or phone number due to technical problems, could not be communicated to practices, which would mean that patients would not be able to access the services they need. Practices that fall victim to cyber-crime are financially and reputationally damaged and patient data may be at risk. Practices need to be aware of an individual that may pose a threat to patients or staff because their conduct compromises the effective functions of a team or local primary care service.

A2 - Communications to the public and Patients and carers would not be


Page 32 of 37


the media via the CCG’s website, the New QEII Hospital website, media releases and social media about service disruption, service suspensions, epidemics, heatwaves or other issues affecting services the public rely on, e.g

1. Disruption to GP services 2. Disruption to hospital services 3. Disruption to pharmacy services 4. Proactive and reactive

communications to the media about issues which could have a negative impact on the CCG’s reputation as a commissioner of NHS services

5. Proactive and reactive communications to the public and the media about circumstances which could have a significant impact on health and wellbeing, such as a heatwave or the outbreak of an infectious disease.

aware of the following should they occur. - That their planned or emergency GP services are not available -That their planned or emergency hospital visits would not be possible - That they could not visit the pharmacy to collect essential medication. -The CCG’s stakeholders and the public would lose confidence in the organization - That they should take precautions or positive action to protect their own health and the health of the family, friends and neighbours

A3 - Communications to GPs and health professionals on policy and protocol updates, including:

1. Updating the Beds and Herts priorities forum, which is accessed through the CCG’s website

2. Supply urgent briefing material in response to requests from NHS England’s Parliamentary hub

Clinicians across Beds and Herts would not have the up-to-date referral information that they need for patients.

ENHGCC would not be able to account for its actions to Ministers and MPs in the House of Commons.

A4 - Communications with other NHS organisations, provider organisations and public sector partners on issues of significant mutual concern and interest where a joined-up approach to messaging is required.

There is a risk that important messages both within the health system and beyond would not be coordinated effectively, leading to public confusion or unnecessary duplication.


B1 - The GP bulletin could be produced more quickly as a word document.

Some of the functionality of the GP bulletin, such as the open rate information and information on which articles have been read, would be lost. Practice staff may not read the information if it is not easily recognisable as being an authentic source of information and does not look professional.

B2 - The staff magazine could be replaced by all-staff emails covering urgent issues specifically.

Staff morale could be negatively affected and the open rate of all-staff emails could decrease.

B3 - Proactive campaign and event work The impact and reach of the Business Continuity Plan –V5.8 East and North Hertfordshire Clinical Commissioning Group

Page 33 of 37


could be scaled down. It could also be replaced with a face to face staff briefing.

CCG’s own campaigns and our support for national campaigns would be diminished. This would mean that fewer people receive important health and wellbeing information. Not all staff may be able to make a face to face event so may miss out on important information.

B4 - The extent of partnership communications work could be scaled back.

This could lead to confusion and duplication of messages or important messages being missed. There is also a reputational risk that the CCG is criticised for not working in a joined up way

B5 – Project websites could be scaled down or management moved to another organisation

There is a risk of incorrect or out-of-date information being available to the public


C1 The weekly staff round-up email could be suspended

Staff would not be as aware of policy updates, health stories in the media or training sessions.

C2 The Friday learning hours

Staff would not be as aware of ‘bigger picture’ health and social care information which could have a positive impact on their day-to-day work or personal circumstances.

C3 The design and printing of leaflets could a) be contracted out to an agency or b) information could be provided on simple word documents instead

This would be more costly and would probably take up more officer time than producing leaflets in-house. Information that is produced to a lower quality might not be as valued or trusted by patients.

C4 Suspension of patient and carer member meetings

Patient and carer members would not be aware of the issues facing local health services and communicate that to their communities. There is also an organisational reputation risk that the CCG does not appear to be meeting its public and patient engagement responsibilities.

Directorate/Team: HBL ICT

(Also see HBL ICT’s specific Business Continuity Policies and Procedures)

Key Contacts: Phil Turnock – HBL ICT Shared Services Director Simon Carey - HBL ICT Assistant Director, Business Relationships &


Page 34 of 37


Assurance Keith Fairbrother – HBL ICT Head of Infrastructure Alex McLaren – HBL ICT Head of Governance and Compliance


A1 – Core Infrastructure Services and Connectivity Services

Loss of IT systems

A2 – Service Desk Unabale to receive and process ICT incidents

A3 – Messaging/ Unified Communications (including email)

Loss of IT systems

A4 – Clinical Applications (Externally hosted)

Loss of IT systems


B1 – Procurement, Finance Loss of IT systems B2 – Asset Management Loss of IT systems B3 – File and Print/ Other applications


None identified N/A

Business Impact Assessment Summary

2017-07-05 BIA Grid.xlsx


Page 35 of 37


Appendix 6 – Equality Impact Assessment Stage 1 Screening 1. Policy EIA Completion Details Title: Business Continuity Plan Names and Titles of staff involved in completing the

EIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management

Proposed Existing

Date of Completion: June 2017

Review Date: June 2018

2. Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public

3. Impact on Groups with Protected Characteristics Probable impact on group? High,

Medium or Low

Please explain your answers Positive Adverse None

Age

Being married or in a civil partnership

Disability, inc. learning difficulties, physical disability, sensory impairment etc.

Having just had a baby or being pregnant

Race, ethnicity, nationality, language etc.

Religion or belief

Sex (inc. being a transsexual person)

Sexual Orientation

Other:

No impact on any of the groups above.

No action to be taken/planned as a result of the equality impact assessment as the impact assessment showed that this policy had a neutral effect on each of the protected characteristics.

4. Which equality legislative Act applies to the policy? Human Rights Act 1998 Equality Act 2010 Health and Safety Regulations

Mental Health Act 1983 Mental Capacity Act 2005

5. How could the identified adverse effects be minimised or eradicated? N/A 6. How is the effect of the policy on different Impact Groups going to be monitored? N/A


Page 36 of 37


Appendix 7 Privacy Impact Assessment Stage 1 Screening 1. Policy PIA Completion Details Title: Business Continuity Plan Names and Titles of staff involved in completing the

PIA: - Sarah Feal - Company Secretary - Jas Dosanjh - Head of Risk Management

Proposed Existing

Date of Completion: June 2017

Review Date: June 2018

2. Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public

Yes No Please explain your answers Technology Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Identity By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Multiple Organisations Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Data By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?

N/A


Page 37 of 37