
Business Continuity Policy

Version: 7.1

Status: Approved

Title of originator/author: Resilience Officer, Business Continuity

Name of responsible director: Executive Director of IM&T

Developed/revised by group/committee and Date: Business Continuity Steering Group

Approved by group/committee and Date: Directors 16 September 2014

Effective date of issue: (1 month after approval date) 16 October 2014

Next review date: June 2017

Date Equality Impact Assessment Completed:

Regulatory Requirement: Civil Contingencies Act 2004

Emergency Preparedness, Resilience and Response NHS Core Standards (clause 7)

Page 1 of 26 – South Western Ambulance Service Foundation Trust - Business Continuity Policy

Trust Policy Foreword

South Western Ambulance Service NHS Foundation Trust (SWASFT) has a number of specific corporate responsibilities and obligations relating to patient safety and staff wellbeing. All Trust policies need to appropriately include these.

Health and Safety - SWASFT will, so far as is reasonably practicable, act in accordance with the Health and Safety at Work etc. Act 1974, the Management of Health and Safety at Work Regulations 1999 and associated legislation and approved codes of practice. It will provide and maintain, so far as is reasonable, a working environment for employees which is safe, without risks to health, with adequate facilities and arrangements for health at work. SWASFT employees are expected to observe Trust policy and support the maintenance of a safe and healthy workplace.

Risk Management - SWASFT will maintain good risk management arrangements by all managers and staff by encouraging the active identification of risks, and eliminating those risks or reducing them to the lowest level that is reasonably practicable through appropriate control mechanisms. This is to ensure harm, damage and potential losses are avoided or minimized, and the continuing provision of high quality services to patients, stakeholders, employees and the public. SWASFT employees are expected to support the identification of risk by reporting adverse incidents or near misses through the Trust web-based incident reporting system.

Equality Act 2010 and the Public Sector Equality Duty - SWASFT will act in accordance with the Equality Act 2010, which bans unfair treatment and helps achieve equal opportunities in the workplace. The Equality Duty has three aims, requiring public bodies to have due regard to: eliminating unlawful discrimination, harassment, victimization and any other conduct prohibited by the Act; advancing equality of opportunity between people who share a protected characteristic and people who do not share it; and fostering good relations between people who share a protected characteristic and people who do not share it. SWASFT employees are expected to observe Trust policy and the maintenance of a fair and equitable workplace.

NHS Constitution - SWASFT will adhere to the principles within the NHS Constitution including: the rights to which patients, public and staff are entitled; the pledges which the NHS is committed to uphold; and the duties which public, patients and staff owe to one another to ensure the NHS operates fairly and effectively. SWASFT employees are expected to understand and uphold the duties set out in the Constitution.

Code of Conduct and Conflict of Interest Policy - The Trust Code of Conduct for Staff and its Conflict of Interest and Anti-Bribery policies set out the expectations of the Trust in respect of staff behaviour. SWASFT employees are expected to observe the principles of the Code of Conduct and these policies by declaring any gifts received or potential conflicts of interest in a timely manner, and upholding the Trust zero-tolerance to bribery.

Information Governance - SWASFT recognises that its records and information must be managed, handled and protected in accordance with the requirements of the Data Protection Act 1998 and other legislation, not only to serve its business needs, but also to support the provision of highest quality patient care and ensure individuals’ rights in respect of their personal data are observed. SWASFT employees are expected to respect their contact with personal or sensitive information and protect it in line with Trust policy.


Emergency Preparedness, Resilience and Response – The NHS needs to be able to plan for and respond to a wide range of incidents and emergencies that could affect health or patient care. These could be anything from severe weather to an infectious disease outbreak or a major transport accident. Under the Civil Contingencies Act (2004), NHS organisations and sub-contractors must show that they can deal with these incidents while maintaining services to patients. This work is referred to in the health service as ‘emergency preparation, resilience and response’ (EPRR).

Business Continuity Strategy – The main guidance for business continuity management is contained in:

ISO 22301 Societal Security - Business Continuity Management Systems – requirements

ISO 22313 Societal Security - Business Continuity Management Systems – Guidance

PAS 2015 - Framework for Health Services Resilience

In the past, organisations in the UK developed their business continuity management systems in line with BS25999. However, this standard has been replaced by ISO 22301. ISO 22313 provides good practice, guidelines and recommendations based on the requirements of ISO 22301. The aim of PAS 2015 is to provide a resilience framework for NHS organisations and all providers of NHS funded care.

South Western Ambulance has a Business Continuity strategy which documents how Business Continuity will be delivered in the Trust. This can be found on the Trust intranet. The Strategy is supported by the Business Continuity Policy which obligates staff and management to engage and manage business continuity within their departments and Trust-wide.

Departmental Planning – Each Trust department will complete a business impact analysis annually or whenever there is significant change which influences the content in this plan. This plan will be activated in response to an incident causing significant disruption to normal service delivery, particularly the delivery of critical activities. Disruptions to be planned for include the loss of:

People – the loss of personnel due to sickness / pandemic

Premises – denial of access to normal place of work

IM&T and communications / ICT Equipment issues

Suppliers internal and external to the organisation


CONTENTS

Purpose

Scope

Definitions

Duties, Responsibilities and Reporting

Business Continuity Management System

Business Impact Analysis

Business Continuity Plans

Exercising and Evaluations

Monitoring

References

Associated Documentation

Appendices:

Document Version Control Sheet

Appendix A - Internal and External issues affecting the BCMS

Appendix B - Interested parties relevant to the BCMS

Appendix C - Role description for the Departmental Business Continuity Lead

Appendix D - SWASFT 5

Appendix E - Communication of Business Continuity Planning


1. Purpose

1.1 South Western Ambulance NHS Foundation Trust (the ‘Trust’) is committed to having in place a Business Continuity Management (BCM) Programme as required under the Civil Contingencies Act (2004) and Emergency Preparedness, Resilience and Response (EPRR) NHS Core Standards 2014 (clauses 7 & 8).

1.2 The SWASFT Business Continuity Management Programme provides the framework within which the Trust can comply with the Business Continuity requirements of our patients and stakeholders by aligning the BCM with ISO22301:2012.

1.3 Business Continuity Management has been established to ensure the Trust can continue to deliver a minimum level of service to our patients and stakeholders in the event of any disruption.

1.4 The Trust is committed to meeting legal and regulatory requirements and continual improvements of the BCM system.

1.5 It is the intention of the Trust to fully conform to all requirements as stated in ISO22301:2012 to deliver an effective Business Continuity Management System.

2. Scope

2.1. This policy applies to all employees, interested parties, contractors and suppliers to the Trust, who must understand its content, and it must be followed by all Trust departments and directorates.

3. Definitions

Activity (activities) – a process or set of processes undertaken by the Trust (or on its behalf) that produces or supports one or more services

Audit – a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Business Continuity – the capability of the Trust to continue delivery of activities at an acceptable predefined level following a disruptive incident

Business Continuity Management (BCM) – the holistic management process that identifies potential threats to the Trust and the impacts to business operations, and which provides a framework for building organisational resilience

Business Continuity Management System – the management system that establishes, implements, operates, monitors, reviews, maintains and improves Business Continuity

Business Continuity Plan – documented procedures that guide the Trust to respond, recover, resume and restore to a pre-defined level of operation following disruption

Business Continuity Programme – on-going management and governance process supported by top management and appropriately resourced to implement and maintain Business Continuity management

Business Continuity Steering Group (BCSG) – a forum of departmental Business Continuity leads that contributes and steers the direction and promotion of Trust-wide Business Continuity

Business Impact Analysis – process of analysing activities and the effect that a disruption might have upon them

Conformity – fulfilment of a requirement

Continual Improvement – recurring activity to enhance performance

Corrective Action – action to eliminate the cause of a non-conformity and to prevent recurrence

Departmental Business Continuity Lead – identified responsible person(s) from an individual department that contributes to Business Continuity planning and promotes Business Continuity within their respective departments. Attends and contributes to the BCSG and supports a Trust-wide disruptive incident

Interested Party (stakeholder) – person(s) or organisation(s) that can affect, be affected by or perceive themselves to be affected by a decision or activity

ISO – International Standard Organisation

Maximum Tolerable Period of Disruption (MTPD) – time it would take for adverse impacts which might arise as a result of not providing a service or activity to become unacceptable

Non-conformity – non-fulfilment of a requirement

Objective – result to be achieved

Procedure – specified way to carry out an activity or a process

Process – set of interrelated or interacting activities which transforms inputs into outputs

Prioritised activities – activities to which priority must be given following an incident in order to mitigate impacts

Recovery Point Objective (RPO) – point to which information used by an activity must be restored to enable the activity to operate in resumption

Recovery Time Objective (RTO) – period of time following an incident within which an activity must be resumed

Requirement – need or expectation that is stated, generally implied or obligatory

Risk appetite – amount and type of risk the Trust is willing to pursue or retain

Risk Assessment – overall process of risk identification, risk analysis and risk evaluation


4. Duties, Responsibilities and Reporting

4.1. Overall responsibility and accountability for BCM under the Civil Contingencies Act (2004) remains with the Chief Executive.

4.2. It is identified through the ISO standards that directorates and departments are required to assess their BCM needs as part of an organisational response.

4.3. Each directorate and each Trust department has identified a suitable member of staff to lead on all Business Continuity matters within their respective area of the Trust. A Departmental Business Continuity Lead will work in close partnership with the Resilience Officer – Business Continuity in completing their department’s business impact analysis (BIA) and risk assessment process of analysing business functions and the effects of an incident upon their department and the Trust.

4.4. Corporate Business Continuity Management is provided at Directors level. The Executive Director for IM&T, who is also the Trust Senior Information Risk Owner (SIRO), will ensure that strategic direction in relation to Trust-wide Business Continuity issues are addressed and that Business Continuity remains the focus of all staff.

4.5. The Resilience Officer – Business Continuity will advise the Trust on Business Continuity planning and will also provide strategic and tactical advice in the event of a Business Continuity disruption or incident. The Resilience Officer – Business Continuity will also provide an essential organisational link with the Resilience Team to ensure the sustainability of critical functions during any disruptive challenge.

4.6. All Trust staff have a responsibility of understanding their contribution to the effectiveness of the BCMS, the implications of not conforming with the BCMS requirements and their own role during a disruptive incident.

5. Business Continuity Management System

5.1. Business Continuity is the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

5.2. The BCMS requirements apply to all directorates, and all Trust departments are expected to adhere to the BCMS and associated processes and procedures.

5.3. To achieve the intended outcome(s) of the BCMS, the Trust has identified internal and external issues that have been taken into account when developing the BCMS.

These issues are listed in Appendix A and detail the risk and impact to the Trust activities in relation to a disruptive incident. Appendix A should be taken into account when making business decisions and incident response decisions to mitigate the potential impact.


5.4. The Trust's risk appetite and management of all Trust related risk is documented in the Risk Management Strategy that can be found on the intranet and should be referred to when completing and assessing risk for Business Continuity.

5.5. The Business Continuity objectives can be linked to Trust corporate objectives 2015/2016:

CO4.12 Ensure each Trust Department and the organisation is fully compliant with Business Continuity standards

CO4.13 Demonstrate every Trust department and the organisation has completed an effective cycle of the Business Continuity Management System (BCMS)

CO4.14 Promote and raise Trust-wide awareness of general Business Continuity, and especially the Trust's identified critical activities in all business planning and incident management

5.6. Appendix B details interested parties that have been taken into consideration and are relevant to the BCMS.

5.7. The Trust is committed to ensuring that it meets all legal and regulatory requirements and has processes in place to identify, assess and implement applicable legislation and regulation requirements related to the continuity of operations and services, as well as the interests of interested parties. The Resilience Officer, Business Continuity is embedded into the National Ambulance Resilience Unit (NARU) National Business Continuity Group, which is a network of ambulance Business Continuity Managers who horizon scan and advise on national Business Continuity strategies, which will include any changes to legislative, obligatory or best practice requirements.

5.8. In the event of a legislative or regulatory change to Business Continuity Management or the requirements on the Trust to deliver Business Continuity a full briefing will be provided to the EPRR Team and Directors by the Resilience Officer, Business Continuity to assess the requirements, any impact and identify any processes that need to be added or reviewed.

5.9. A documented process to implement any changes will be completed.

5.10. The scope of the BCMS has been determined and agreed by Trust Directors, with all interested party and legal requirements considered, and includes all departments within SWASFT.

5.11. All products, services, contracts, and activities of all departments are within scope for the BCMS. There is a responsibility on each department to identify critical suppliers, external stakeholders and interested parties, confirm and be satisfied by all Business Continuity plans and arrangements for these external stakeholders. This remains the responsibility of each Trust department to ensure that this is reviewed annually in line with their own Business Continuity Management System review.


5.12. The Trust will establish, implement, maintain and continually improve the BCMS through management reviews, audit and debriefing (as detailed in section 8).

5.13. To support the BCMS, the Executive Director of IM&T has been identified as the Executive responsible for the effective delivery of Business Continuity.

5.14. Leadership and commitment to the BCMS will be demonstrated by all Executive Directors by:

5.14.1. Ensuring policy and objectives are compatible with the strategic direction of the Trust.

5.14.2. Ensuring integration of the BCMS into the organisation's business processes and decisions.

5.14.3. Ensuring that appropriate resources are made available to deliver the BCMS.

5.14.4. Communicating the importance of effective Business Continuity Management and conforming to the BCMS requirements.

5.14.5. Ensuring that the BCMS achieves its intended outcomes.

5.14.6. Directing and supporting persons to contribute to the effectiveness of the BCMS.

5.14.7. Promoting continual improvement of Business Continuity.

5.14.8. Supporting other relevant management roles to demonstrate leadership and commitment to their areas of responsibility.

5.14.9. Adhering to Trust risk management strategies when assessing Business Continuity risks.

5.14.10. Actively engaging in exercising and testing of Business Continuity Planning.

5.14.11. Ensuring that internal audits of the BCMS are completed.

5.14.12. Conducting management reviews of the BCMS.

5.14.13. Demonstrating its commitment to continual improvement.

5.15. The Resilience Officer – Business Continuity is responsible for ensuring that the BCMS conforms to the requirements of ISO22301:2012 and will provide reports to the Executive Directors monthly of Trust-wide progress; and when required will provide reviews and reports of incidents; audits; updates to Business Continuity risk assessments.

5.16. The Business Continuity objectives have been agreed for 2014-2017 as:

5.16.1. To develop, maintain and continuously improve a Business Continuity Management System which satisfies the requirements of ISO 22301. The Trust is committed to conforming to ISO22301 in its entirety across the whole organisation. At this time, accreditation is not being considered.

5.16.2. Use the Business Continuity Management System to identify, protect and maintain prioritised activities, in order to deliver and recover service to an acceptable level


5.16.3. Each identified critical and essential departmental business continuity planning shall complete a cycle of the Business Continuity Management System annually within their respective department.

5.16.4. The Trust-wide Business Continuity planning shall complete a cycle of the Business Continuity Management System annually with associated documentation including all relevant areas of the Trust.

5.16.5. Trust-wide awareness and consideration of Business Continuity will factor in daily activity for all Trust staff. This will be promoted through awareness campaigns, workshops, training and exercising. The awareness and use of the “SWASFT 5” slogan and associated material will be recognised and understood by all Trust staff

5.16.6. To guide the Trust into a position where it can easily demonstrate through audit and peer reviews alignment to Business Continuity standard ISO 22301:2012

5.16.7. To develop and integrate technology to assist with the Business Continuity Management System

5.17. The resources required for the establishment, implementation, maintenance and continual improvement of the BCMS span the entire Trust and should be made available in all directorates.

5.18. Appropriately competent staff should be identified and allocated Business Continuity roles as described in the role descriptions in Appendix C to support the BCMS and deliver the Business Continuity objectives.

5.19. All Trust staff and any other contractor or supplier to the Trust must be aware of:

5.19.1. The Business Continuity Policy

5.19.2. Their contribution to the effectiveness of the BCMS

5.19.3. The implications of not conforming with the BCMS requirements

5.19.4. Their own role during a disruptive incident

5.20. The requirements in 5.17 are the responsibility of the relevant Head of Department for the staff and any persons completing work on behalf of the Trust to be fully sighted, aware and provide access to Business Continuity documentation. For new permanent employees into the Trust, this will be completed at induction. As part of the approved awareness campaign (Appendix D) all staff should be aware of the Business Continuity slogan “SWASFT 5”. In addition to the publications in the awareness campaign, annual inclusion into the mandatory training workbook and annual Business Continuity awareness days will be available.

5.21. All BCMS documentation will be available to all staff via the intranet


5.22. The Trust Communications strategy and Information Governance Policy should be referred to when considering communication of Business Continuity documents and processes with interested parties.

Communication of Business Continuity planning is included in each of these documents and in Appendix E.

5.23. Each Business Continuity plan will include:

5.23.1. Appropriate identification and description including title, date, author and reference number(s)

5.23.2. Appropriate format and media availability

5.23.3. Review and approval details

5.23.4. Adequate document control procedures

5.23.5. Available and suitable for use

5.23.6. Adequately protected (improper use / sensitive information for example) using recognised NHS Protective Marking Scheme (or the newly introduced Government Security Classifications)

5.24. In addition to the above requirements the following standards will apply to all Business Continuity documentation:

5.24.1. Distribution, access, retrieval and use will remain with the Head of the Department that owns their Business Continuity Plan. For corporate Trust-wide Business Continuity Plans, this responsibility remains with the Resilience Officer, Business Continuity.

5.24.2. The storage and preservation (including legibility) of all Business Continuity Plans is the responsibility of the EPRR Department.

5.24.3. Control of changes will be managed by the plan author and monitored by the Resilience Officer, Business Continuity.

5.24.4. Retention of previous versions of plans will remain in storage for 3 years and will then be appropriately disposed of.

5.24.5. Management of retrieval and use of Business Continuity Plans will be managed by the Resilience Officer, Business Continuity through the Business Continuity intranet page, supported by the Public Relations and Communications team.

5.24.6. To prevent unintended use of obsolete information, Business Continuity Plans will be subject to exercise and testing to confirm accuracy and relevance.

5.25. Documented Business Continuity information received from external origins will be stored and controlled by the Resilience Officer, Business Continuity in collaboration with other Trust departments.


5.26. Every Trust department will complete a cycle of the BCMS within their department by completing:

5.26.1. Business Impact Analysis (BIA) (Analysis)

5.26.2. Publishing of a Business Continuity Plan (Design)

5.26.3. Awareness training (Implementation)

5.26.4. Exercising (Validation)

5.27. Annually or whenever there is a significant change in the department or Trust, and after any incident, a review of the Business Continuity system will be performed as detailed in 5.24. This process will be led by the nominated Business Continuity Lead supported by the Resilience Officer, Business Continuity.

6. Business Impact Analysis (BIA)

6.1. The Trust and each Trust department will complete a Business Impact Analysis as part of the Business Continuity Management System.

6.2. Every Business Impact Analysis will follow the same format and will be completed with the support of the Resilience Officer – Business Continuity.

A Business Impact Analysis will be completed for every Trust department; identified activities that require an assessment for Business Continuity and identified services outside of the scope.

6.3. The Business Impact Analysis will include an analysis of:

6.3.1. The context of the assessment

6.3.2. Criteria defined

6.3.3. An evaluation of the impact of a disruptive incident

6.3.4. Legal requirements

6.3.5. Prioritisation of risk treatment and any associated costs

6.3.6. Definition of the output of the Business Impact Analysis

6.3.7. Process of keeping the information up-to-date

6.4. A formal, documented evaluation process of the Business Impact Analysis shall also include:

6.4.1. Identification of activities that support the delivery of the department or Trust business area

6.4.2. Assessing the impact over time of not performing the identified activities

6.4.3. Setting timeframes for resuming these activities at a specified minimum acceptable level of operation

6.4.4. Identifying dependencies both internal and external to the Trust


6.5. The Business Impact Analysis is designed to look at specific areas to deliver the requirements in 6.3 & 6.4:

6.5.1. Programme – What business as usual is

6.5.2. People – Who delivers the activities

6.5.3. Processes – How the activities are delivered

6.5.4. Premises – Where the activities are delivered

6.5.5. Providers – Who the dependencies are

6.5.6. Profile – Protecting Trust and personal reputation

6.5.7. Performance – Benchmarking and key performance indicators

6.5.8. Legal – Requirements the activities deliver

6.6. As part of the Business Impact Analysis, a risk assessment will be completed against the prioritised activities, assessing the impact and likelihood of any disruption. This will include identifying any risk treatment that is required to ensure priority activities can continue to be delivered.

6.7. Risk treatments should be commensurate with Business Continuity objectives, in accordance with the Trust's risk appetite.

6.8. The Trust should be aware that this analytical information may be requested by financial or government organisations.

7. Business Continuity Plans (BCP)

7.1. For every BIA there will be an associated BCP detailing the arrangements to reduce any risks identified and arrangements in place to manage any impact from a disruptive incident, owned by each Trust Directorate.

7.2. The Trust will document procedures for managing and responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.

7.3. Each BCP will include the arrangements and detail to address:

7.3.1. Roles and responsibilities for people and teams during and following an incident

7.3.2. Activating the BCP

7.3.3. Management of the immediate consequences giving due regard to the welfare of individuals; strategic, tactical and operational options for responding to a BC incident and prevention of further loss or unavailability of prioritized activities

7.3.4. How and under what circumstances the Trust will communicate with employees, key interested parties and emergency contacts

7.3.5. How the Trust will continue or recover prioritized activities within predetermined timeframes

7.3.6. The media response

7.3.7. A process for standing down once an incident is over


7.4. Each plan shall follow a similar format to enhance familiarity by defining:

7.4.1 Purpose and scope

7.4.2 Objectives

7.4.3 Activation criteria and procedures

7.4.4 Implementation procedures

7.4.5 Roles, responsibilities and authorities

7.4.6 Communication requirements and procedures

7.4.7 Internal and external interdependencies and interactions

7.4.8 Resource requirements

7.4.9 Information flow and documentation processes

7.5. The key headings in the BCP that will collate the detail from the BIA and point 7.4 are:

7.5.1 Business as usual contextualization

7.5.2 Accommodation and relocation

7.5.3 Staffing and options for loss of staff

7.5.4 Vehicle requirements

7.5.5 Equipment and supplies

7.5.6 IM&T requirements

7.5.7 Command

7.5.8 Other considerations

7.6. Corporate level planning shall include Trust wide consideration and include the detail as given in points 7.3 & 7.4. All of the departmental business continuity planning shall contribute into the Trust wide planning. As a minimum, the suite of corporate Trust level plans will include:

7.6.1 Incident Management Plan

7.6.2 Constant Care

7.6.3 Constant Contact

7.6.4 Fuel Plan

7.6.5 Severe Weather Plan

7.6.6 Pandemic Influenza Plan

7.7. Procedures will be established through the Business Continuity planning to

manage a disruptive incident and continue activities based on recovery objectives identified in the business impact analysis. Documented procedures (including necessary arrangements) shall:

7.7.1 Establish an appropriate internal and external communications

protocol 7.7.2 Be specific regarding the immediate steps that are to be taken

during a disruption 7.7.3 Be flexible to respond to unanticipated threats and changing

internal and external conditions

Page 14 of 26 – South Western Ambulance Service Foundation Trust - Business Continuity Policy

7.7.4 Focus on the impact of events
7.7.5 Be developed based on stated assumptions and an analysis of interdependencies
7.7.6 Be effective in minimising consequences through implementation of appropriate mitigation strategies

7.8. Specific procedures that shall be established, documented and implemented across the organisation shall include a response structure that shall:

7.8.1. Identify impact thresholds that justify initiation of a formal response
7.8.2. Assess the nature and extent of a disruptive incident and its potential impact
7.8.3. Activate an appropriate business continuity response
7.8.4. Detail activation, operation, coordination and communication of the response
7.8.5. Detail the resources required
7.8.6. Methods of the detection of a Business Continuity incident
7.8.7. Provide regular monitoring of an incident
7.8.8. Provide internal communication
7.8.9. Record vital information about the incident, actions taken and decisions made

7.9. Recovery from a disruptive incident shall follow a documented procedure to restore and return Trust activities from a temporary state to support normal Trust business following an incident (Business Continuity incident, major or critical incidents)

8. Exercising and evaluation

8.1. As per obligatory requirements, Business Continuity planning will be subjected to exercising and testing to validate planning and ensure that they are consistent with Business Continuity objectives.

8.2. Business Continuity exercising will be conducted to confirm that are:

8.2.1. Consistent with the scope and objectives of the Business Continuity Management System
8.2.2. Are based on appropriate scenarios that are planned with clearly defined aims and objectives
8.2.3. Minimise the risk of disruption of operations
8.2.4. Produce formal post-exercise reports that contain the outcomes, recommendations and actions to provide continual improvement
8.2.5. Reviewed within the context of promoting continual improvement; and
8.2.6. Are conducted at planned intervals and when there are significant changes within the Trust


8.3. The Trust shall conduct evaluations of Business Continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness. These evaluations shall be undertaken through periodic peer reviews, exercising, testing, post-incident reporting and performance audits.

8.4. The evaluations shall measure against compliance with applicable legal and regulatory requirements; ISO22301:2012 Business Continuity Management System and the Trust's Business Continuity policy and objectives at planned intervals and when significant changes occur.

8.5. Audits will be conducted internally at planned intervals to provide the information on whether the Business Continuity Management System conforms to the Trust's requirements and the requirements of the ISO.

This will be conducted through a programme to visit a selection of departments and audit different elements of the Business Continuity Management System. The scope, aim and objectives will be confirmed to each department and/or directorate and will be conducted by appropriate auditors selected for the audit.

8.6. The audit programme, including the schedule, shall be based on the results of risk assessments of the Trust activities and the results of previous audits.

8.7. The management responsible for the department and/or directorate being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

8.8. The Trust will engage with any external auditing that is completed with transparency in relation to the review of the Business Continuity Management System.

8.9. Directors shall review the Trust Business Continuity Management System at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The Directors' review shall include considerations of the status of previous reviews, changes in internal and external issues that are relevant to the Business Continuity Management System and information on Business Continuity performance.

8.10. The outputs from the Directors' review shall include documented decisions related to continual improvement opportunities and the possible need for changes to the Business Continuity Management System that includes variations to the scope of Business Continuity Management System and an update of risk assessment, Business Impact Analysis and Business Continuity Plan and related procedures.

8.11. The Trust will continually improve the suitability, adequacy and effectiveness of the Business Continuity Management System.


9. Monitoring

Element to be Monitored: Full policy document

Lead: Resilience Officer, Business Continuity

Tool: Content to be aligned to ISO22301:2012 Societal Security – Business Continuity Management system requirements

Frequency: Full policy document review annually

Training Needs: As contained in the job description for Resilience Officer, Business Continuity, no further formal training needs required

Reporting Arrangements: Consultation and sharing with the Business Continuity Steering Group. Approval through the Quality and Governance Committee

Acting on Recommendations and Lead(s): The Business Continuity Steering Group shall act on any recommendations where relevant. All actions managed by the Resilience Officer, Business Continuity

Change in practice and lessons to be shared: Through the Business Continuity Steering Group

10. References

10.1. British Standards Institute BS ISO 22301:2012 Societal security – Business Continuity Management System first edition

10.2. Previous Trust (GWAS & SWAST) Business Continuity Policies

10.3. Business Continuity Institute Good Practice Guidelines 2013

11. Associated Documents

11.1. SWASFT Business Continuity Strategy 2014-2017

11.2. SWASFT Major Incident Plan

11.3. SWASFT Business Continuity Plan: Incident Management Plan

Version Control Sheet – Business Continuity Policy

| Version | Date | Author | Summary of changes |
|---|---|---|---|
| [GWAS] | Jan 2010 | Unknown | EOC arrangements |
| [GWAS] | October 2010 | Unknown | Business Continuity Plan and policy merged into one document |
| [GWAS] | January 2012 | Unknown | General update, increased information on policy purpose and the BSI Standard BS25999 |
| [SWAST] 1 | 2006 | Vanessa Williams | Original document |
| [SWAST] 2 | Sep 2009 | Mike Bottone | Review in capacity of Acting Business Continuity Manager |
| [SWAST] 3 | March 2010 | Mike Bottone | Review prior to handover to Mike Killoran |
| [SWAST] 4 | April 2010 | Mike Killoran | Change of ownership |
| [SWAST] 5 | March 2011 | Mike Killoran | Annual review for presentation to Quality and Governance Committee meeting |
| [SWAST] 6 | May 2011 | Mike Killoran | Minor changes following Quality and Governance meeting, change in author and change of responsible individual |
| 7.0 | May 2014 | Oliver Tovey | Change of ownership; review and merge of documents from GWAS & SWAST into one document; update to ISO 22301:2012 standard |
| 7.1 | June 2015 | Oliver Tovey | Annual review – no changes |

Appendix A Internal and external issues affecting the BCMS

Internal Issues

| Issue | Impact | L | C | Risk | Control |
|---|---|---|---|---|---|
| BC Planning will not be updated due to operational pressure | BC Planning will be affected, inaccurate and not effective for a BC incident if allowed to not be updated due to pressures | 4 | 4 | 16 | Consistent support and review from Resilience to ensure BCMS is being followed. Timescales for completion. Monthly updates to Directors on progress of departmental BC. BC is now included as a corporate objective. |
| Departmental Business Continuity Leads unable to commit to time to complete BCMS or attend BCSG meetings | As above + Trust wide BC planning will continue without departmental input – BC updates will not be received | 4 | 3 | 12 | BCSG meetings planned well in advance. Minutes available post meeting. Resilience Officer, BC readily available to all departments to advise on BC. |
| BC awareness not effective so access and adherence to planning will not be completed | Awareness of BC not consistent through Trust which may encourage silo decision making without knowledge or intelligence of planning or wider Trust impacts | 3 | 3 | 9 | Intranet page fully available to all Trust staff which will hold all Trust BC planning, process documents and BC information. BCSG membership available for input from each department during an incident. Audit programme to include visit to each department to review awareness of staff of department and Trust wide BC planning. |
| Departments unable to allocate suitable member of staff to lead on departmental BC | Departments risk not having adequate planning in place to support a disruption to normal business. If they do have planning there is a risk that this will not be embedded into departments | 2 | 4 | 8 | BC added to Directors job descriptions to ensure accountability for the delivery of BC throughout directorates is consistent and effective. |
| BC incident that challenges the BCMS process and planning that results in a negative outcome | Credibility of the BCMS will be questioned and not supported. Increase in workload and resources to rectify any issues. | 2 | 3 | 6 | Regular monitoring of effectiveness of BC planning including exercising and audit. Regular assurance reported to Directors that monitors progress and conformity to the ISO standard. |
| Accessing BC planning through the normal channels not available | If BC planning is not available through the BC intranet page, access and adherence to plan will be limited | 1 | 3 | 3 | Departmental BC Plans emailed for hard copy storage within departments. Exercising programme to include all staff from departments to embed arrangements to support accessing the plan. For SWASFT 5 activities critical action cards to be available to follow for initial staff to manage an incident. |

External Issues

| Issue | Impact | L | C | Risk | Control |
|---|---|---|---|---|---|
| National and International BC risks and threats. For example: cyber attacks; weather; mobile communications | Will affect the Trust and its critical services | 4 | 4 | 16 | By all departments and Trust wide planning following the BCMS a robust and effective BC culture and capability will have arrangements in place to continue business at an acceptable level. Monitoring of BCI monthly international risk assessments. |
| Major supplier issue (for example NHS Supply Chain during severe weather; bankruptcy of a supplier for example MIS CAD) not considered and mitigated through normal BC planning | Disruption to SWASFT critical services due to supplier issue. Ad hoc planning resulting in mis-management and non-effective results. Continuation of alternative supplier management. | 3 | 4 | 12 | Identification of major and critical suppliers included in BC Planning and mitigating actions completed. Engagement with identified critical suppliers to review supplier BC planning and disaster recovery strategies [to be completed] |
| CCG requirements of the Trust to deliver BC to a different standard or area out of scope of the agreed BCMS | Increase in workload. Uncontrolled input and management on areas that have not been agreed to be covered by the BCMS, resulting in processes outside of the BCMS. | 3 | 4 | 12 | Regular contact with Directors and constant horizon scanning of requirements and requests locally and nationally. BCMS strategy, documents and programme information to be made available to CCG to manage expectations. |
| Disbandment of the NARU BC Group | Network of BC Managers no longer available through a formal forum to manage national BC | 2 | 4 | 8 | Continue to meet and deliver beneficial products from the group such as peer reviews; BC strategy and training opportunities |
| Requirement of the ISO. At this time Trusts are able to decide what level of conformity they want to achieve with the ISO. If this is lowered or increased it may cause issues regarding credibility of the standard and/or resource requirements to deliver the expectation | ISO standard may lose credibility or may require significant resource uplift if accreditation is mandated | 2 | 4 | 8 | NARU BC Group monitoring and advising on the expectations of the ISO who can remain ahead of any developments and advise on impact and provide mechanisms to support any change to requirements |
| Liability to the Trust if no BC strategy is developed, implemented and delivered | Not meeting the statutory legislative requirements and obligations (CCA2004, Health and Social Care Act, EPRR Core Standards, European Commission on Human Rights). Not meeting Commissioner expectations or requirements. Not meeting patient expectations or requirements. | 1 | 5 | 5 | Resilience Officer recruited to coordinate all BC management and arrangements. BC Strategy approved. BC remains part of the National EPRR Core Standards and a requirement of the Trust under the CCA2004. |
| Change of BC requirements (currently ISO22301) set by the Department of Health / NARU | Work already completed in line with ISO will be reviewed and changed. Robust standard that includes a lot of BC principles already in place | 1 | 4 | 4 | NARU BC Group supporters of ISO22301 and have provided assurance documents and have advised on strategy to deliver the ISO standard principles across all ambulance services |

Appendix B Interested parties relevant to the BCMS

| Internal | External |
|---|---|
| Corporate ownership (Directors) | Patients |
| Every Trust Department | Police (within and bordering SWASFT) |
| Employees of SWASFT | Fire & Rescue (within and bordering SWASFT) |
| Departmental Business Continuity Leads | Local Authorities (within and bordering SWASFT) |
| Business Continuity Steering Group | NHS England |
| Contractors | Clinical Commissioning Groups |
| | National Ambulance Trusts |
| | Public Relations and Media |
| | Outsourcing organisations (for example St John) |
| | Suppliers (NHS Supply Chain; British Telecom; Mercedes) |
| | National Ambulance Resilience Unit (NARU) |
| | British Continuity Institute (BCI) |
| | Care Quality Commission |

Appendix C Role description for the Departmental Business Continuity Lead

Role: Department Business Continuity Lead

Directorate/Department: Relevant department

Location: Relevant department location

Accountable To: Associate Director of Relevant Department

Responsible For:

Coordinating and documenting the relevant department Business Continuity Plan and arrangements to comply with the Trust Policy, its Legal Obligations set out in the Civil Contingencies Act 2004 and International Standard ISO22301 (Business Continuity standard)

General Summary:

The role will take the lead in coordinating and writing the business continuity plans and arrangements for the relevant department, ensuring plans are in place, reviewed and tested as per the requirements of the Trust's Business Continuity Management Policy, to meet the requirements of the Civil Contingencies Act and ISO22301. The BC Lead will work with all levels of their own department and the BC leads for other departments to develop and deliver sound plans, processes and systems to mitigate the identified risks to the Trust/Departments prioritised activities.

Structure

Associate Director / Head of Relevant Department

Resilience Officer – Business Continuity

Business Continuity Lead

Core Responsibilities:

Coordinate and document the department's business continuity plan, processes and arrangements.

Supported by the Resilience Officer, BC, design and deliver an annual exercise which tests the business continuity plans, processes and arrangements

In consultation with the department and the Resilience Officer, BC, establish department annual objectives for the development of business continuity services relative to the Trust, the wider health community and other interested parties

Monitor progress and ensure the achievement of these objectives

Ensure effective consultation with interested parties

Represent the department for business continuity at BC meetings.

Take responsibility for own Personal Development Review (PDR) and engage in appropriate learning and development interventions and opportunities that underpin the demands of the role

Ensure new and innovative ideas and good practice are actively encouraged, supported and shared with others, internally and externally where appropriate.

Develop and maintain good working relationships with internal and external suppliers

Coordinate and participate in debriefs for exercises and incidents

Monitor on behalf of the department the action logs for lessons identified and report on progress

Participate in BCSG meetings to manage an incident at short notice

Service Provision:

Ensure the delivery of the Business Continuity plans, processes and arrangements by adhering to the Trust policy and its legal obligations contributes to the highest standards of patient care.

Workforce:

Contribute to putting in place arrangements that actively encourage a patient focused culture within the organisation.

Promote the effective prioritisation of the Trust's activities to ensure its core patient focused activities are protected.

Leadership and Corporate Governance:

Promote and protect the equality, diversity and rights of others and assist in the provision of a fair and just culture by being open, honest, supportive and respectful of others.

Embrace high standards of employment practice and act in accordance with the ‘Managers Code of Conduct’ and promote the vision, values and goals of the organisation.

Contribute as an active member of the key meetings to ensure successful collaborative working

Organisational Profile:

Establish effective local networks and partnerships with internal departments and other organisations to enable the department to continuously improve and learn

Promote a positive organisation and directorate image

Key relationships:

Develop working relationships with colleagues within own department/organisation and other organisations that are productive in terms of supporting and delivering your work and that of the overall organisation

Attend business continuity meetings and represent the department.

Responsibility to remain informed of developments within the Trust

Key relationships include:
- The Trust's Resilience Officer, BC
- The Trust's EPRR team
- Other Department Business Continuity Leads
- Director and head of own department
- Key suppliers to prioritised activities

Key areas of portfolio: Own Department Business Continuity

Additional:

This job description is not intended to be exhaustive and it is likely that duties may be altered from time to time in the light of changing circumstances, in discussion with the post-holder, the department Associate Director and the Resilience Officer, Business Continuity

This role is not subject to banding as it forms part of full job description already established for the individual.

COMPETENCY PROFILE

Department Business Continuity Lead

Directors and/or Head of the relevant departments will be required to appoint a Business Continuity Lead of sufficient seniority and competence to carry out the duties for this role. Any training relating to business continuity will be provided; the nominated BC lead is expected to already be competent in the department's own area of business. The Competency Profile below provides a guide of the skills and attributes required for the BC Role within Yorkshire Ambulance Service.

Experience and work achievements

Has a good level of knowledge and experience within the relevant department Essential

Can demonstrate successful partnership working through collaboration Essential

Undertake relevant training programs in the field of business continuity Essential

An understanding of performance and operational demands within Ambulance Services Desirable

Working knowledge of the Civil Contingencies Act 2004 Desirable

Working knowledge of best practice and emerging threats including the international Standard ISO22301 Desirable

Experience of Business Continuity Management Desirable

Skills and abilities

Well developed communication skills, both written and oral Essential

Good communicator, able to deal with complex issues when working with interested parties Essential

Ability to handle detail within plans and make informed decisions and judgments Essential

Ability to create and develop effective working relationships with interested parties Essential

Competent in Microsoft applications including Word and Excel Essential

Thorough knowledge of Trust policies and procedures Essential

Ability to empathise with service users Essential

Is credible to interested parties Essential

Ability to assess risks, anticipate difficulties and successfully address them Essential

Ability to develop plans and procedures specific to business continuity Essential

Ability to carry out structured debrief and to recommend changes where required Desirable

Produce timely and accurate plans Essential

Personal attributes

Demonstrates resilience, confidence when working to strict deadlines or new priorities Essential

Committed to promoting diversity and awareness of equal opportunities Essential

Demonstrates commitment to the values, principles of public service and health and social care in particular and seeks continual improvement Essential

Ability to influence effectively at all levels of the organisation Desirable

Self-motivated – able to work on own initiative Essential

Works effectively as part of a team Essential

Able to travel between work sites Desirable

Knowledge and educational achievements

Educated to Diploma level Essential

Evidence of recent on-going personal development Essential

Knowledge of the Civil Contingencies Act 2004 Desirable

Knowledge of ISO22301 procedures Desirable

Current broad knowledge of the national NHS context Desirable

Appendix D The SWASFT 5

Appendix E Communication process of Business Continuity Planning

Permission denied; requestor updated with rationale

Permission granted; documents forwarded as per GSC*

Resilience contacts plan owner for authorisation

Request sent to Information Governance who contacts Resilience

External Request for BC documentation

External organisations may request copies of SWASFT BC plans, process documents or strategies for a number of reasons. It is important that this information is handled appropriately when releasing details outside of SWASFT, especially as some plans could contain sensitive information. The Trust Information Governance and Freedom of Information policies apply and any request for information should be directed to: [email protected]. The Resilience Officer, Business Continuity can offer advice on information sharing outside of the organisation. Internal sharing of information remains with plan owners to share their planning if appropriate.

* GSC – Government Security Classification and the management of sensitive information sharing.