IN 23 Business Continuity - North Hertfordshire …...IN 23 Business Continuity 2 Letchworth Leisure Management Contract 5. Exercising, Monitoring & Review. Identify the following

IN 23 Business Continuity

1

Letchworth Leisure Management Contract

NORTH HERTFORDSHIRE DISTRICT COUNCIL LOCAL GOVERNMENT ACT 1988 LEISURE MANAGEMENT NAME OF SCHEDULE: IN 23 Business Continuity

NO AMENDMENT BY ANY TENDERER WILL BE ACCEPTED AND MAY BE CONSIDERED AS INVALIDATING THE TENDER. ADDITIONAL SHEETS WILL SHOW THE PAGE NUMBER AND BE AFFIXED TO THIS SCHEDULE. ALL ADDITIONAL SHEETS WILL BEAR THE NAME AND NUMBER OF THE SCHEDULE AS SHOWN ABOVE.

*************************************** Contractors, must submit a copy of their Business Continuity Plan (BCP) The following explains how the BCP will be marked 1. Does the Company have a Business Continuity Plan?

Yes: Move to Section 2. No: No further evaluation – score Nil. 2.

Understanding the Organisation. Has the Company:-

2a. Identified all its key operations. 2b. Identified risk areas. 2c. Mitigated the risk where possible. 2d. Planned for un-mitigated risk. 3. Business Continuity Strategy 3a. Does the company have a Business Continuity Strategy. 3b. Does the document have the following key elements:

Time Scale Aims @ Objectives Senior managers commitment. Review arrangements Communication arrangements.

3c. Is the strategy embedded throughout the organisation. (Bid to reflect examples of commitment to BCP throughout the company i.e. Training Plan, News Letters etc)

3d. Is there an opportunity to develop the strategy. (bid to include any new company initiatives) 4. BCP identify the following key stages:- 4a. Does the BCP have the following:

Trigger Points Activation Points Call Out Arrangements Command and Control Connect to Client Plans

4b. Alternative sites for Senior Managers. (To be identified within submitted BCP) 4c. Recovery Arrangements.

(To be identified within submitted BCP)


2


5. Exercising, Monitoring & Review. Identify the following key stages 5a. Exercise arrangements i.e. tabletop, live etc.

(Exercise Plan to be submitted with Bid) 5b. Staff training plan.

(Training Plan to be submitted with Bid) 5c. Review and update arrangements. 5d. Training & Exercising with key partners i.e. NHDC.

(Training plan to show partner training arrangements)


3


Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

At the heart of good BC practice, sits the BCM Lifecycle.

The BCM Lifecycle shows the stages of activity that an organization moves through and repeats with the overall aim of improving organizational resilience. These stages are referred to as the Professional Practices and are made up of Management and Technical Practices.

Business Continuity Management (BCM) is defined as: ‘a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’ (Source: ISO 22301:2012)

“In the last 12 months, 81% of managers with BCM in place agreed that it successfully reduced disruption and was worth the cost due to the benefits that it brought to their organization” - ‘Planning for the worst’ CMI Business Continuity Management Survey, March 2012

SLL believes in incorporating business continuity within the day to day operations of the company, as SLL’s Managing Director highlights in the Company’s Business Continuity Policy: ‘I will ensure that the BCP policy and plan is embedded into the company’s daily activities, and becomes part of the SLL culture’.

By making it part of the way it manages its centres, rather than having to ‘fire fight’ any emergency, SLL delivers ‘business as usual’ in the quickest possible time, minimising disruption for the benefit of its customers, partners and staff. Business Continuity is about building and improving resilience in your business; it’s about identifying your key products and services and the most urgent activities that underpin them and then, once that ‘analysis’ is complete, it is about devising plans and strategies that will enable you to continue your business operations and enable you to recover quickly and effectively from any type disruption whatever its size or cause. It gives you a solid framework to lean on in times of crisis and provides stability and security.


4


SLL, during the initial stage of the contract, will convert the BCP principle from BS ISO 25999 COP for Business Continuity Management Systems ,BS are issuing Certification until May 2014, using ISO 22313 as guidance and ISO 14001 experience to achieve ISO 22301 2012 Societal security by April 2015. Effective Business Continuity is extremely important to ensure a quick and efficient restoration of normal operations, as well as adherence to the Management of Health and Safety at Work Regulations 1999, and Companies Act 1985 where Directors are responsible for safeguarding company assets. Societal security can be defined as providing protection of society from, and the ability to respond to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures The standard will also be used by SLL to assess its suppliers’ ability to meet continuity needs and obligations.

BS ISO 22301 is based on the ‘Plan-Do-Check-Act’ model that seeks to improve continually the effectiveness of the organization through proficient planning, implementation, supervision, review and maintenance.

The BS ISO 22301 specifies the requirements to:

Identify crucial risk factors already affecting your organization Understand your organization’s needs and obligations Establish implement and maintain your BCMS (Business Continuity Management System) Measure your organization’s overall capability to manage disruptive incidents Guarantee conformity with stated business continuity policy

Core business continuity requirements of SLL’s Business Continuity Management System therefore include: • Business continuity policy (please see below) • Business impact analysis To identify the critical processes that support its key products and services, the interdependencies between processes and the resources required to operate the processes at a minimally-acceptable level. • Risk assessments (please also see IN14) To establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. • Business continuity strategy. After requirements have been established through the BIA and the risk assessment, to develop strategies to identify arrangements that will enable the organization to protect and recover critical activities based on organizational risk tolerance and within defined recovery time objectives. Good practice dictates that the early provision of an overall organizational BCM strategy will ensure that BCM activities are aligned with and support the organization’s overall business strategy. The business continuity strategy is an integral component of an SLL’s corporate strategy, as shown below:


5



6


All of the above are integrated into SLL’s comprehensive business continuity management systems, which deliver reassurance and confidence to its staff, customers and partners that our centres have an effective policy and practice for managing the unexpected. SLL’s Business Continuity systems are regularly tested and assessed to ensure their continuing effectiveness, and the plan is updated regularly as a result of these assessments, any statutory or regulatory changes, or any changes with regards to employees, procedures and suppliers. The plan includes a list of Emergency Contacts, estimated recovery times, a communication plan and comprehensive procedures to minimise disruption and the restoration of service as quickly as possible. The Plan is distributed to all people assigned responsibility across all centres with copies both at site and off site, and is also available on SLL Corporate Documents folder for quick and easy reference. Training is undertaken regularly and Business Continuity forms part of regular team meetings. SLL believes that a comprehensive approach to risk management gives comfort to the various stakeholders (shareholders, customers, employees and so on) that the business is being effectively managed and helps the organisation confirm its compliance with corporate governance requirements. It has allowed SLL to take over the management of facilities at extremely short notice.

Effective risk management must consider both internal and external sources of risk, and SLL’s strategy is to identify and detect risk early, as it is typically easier, less costly, and less disruptive to make changes and corrective work efforts during the earlier, rather than the later, phases of any particular operations. SLL’s approach to risk management can be divided into three parts:

defining a risk management strategy to deliver a consistent approach from Main Board level down to each individual centre and effectively communicating that strategy

identifying and analyzing risks, through a robust risk assessment system, which is formalised and

recorded and regularly reviewed.

handling identified risks, including the implementation of risk mitigation plans when needed through a Business Continuity Policy and Business Continuity Plan and through a Business Risk Management procedure, complete with a site specific risk register, which is held at each centre, as well as a corporate risk register.

Business Continuity/Disaster Recovery Plan

The purpose of the disaster recovery plan and associated documentation is to have in place the policies and procedures to handle any emergency or incident that may impact on any SLL business or operation. Please note that this is a living document and is under constant review and revision. The plan will document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. The procedures will:

establish an appropriate internal and external communications protocol; detail the immediate steps that are to be taken during a disruption; be flexible to respond to unanticipated threats and changing internal and external conditions; focus on the impact of events that could potentially disrupt operations; be flexible enough to be developed based on stated assumptions and an analysis of

interdependencies;

and, as a result of the above, be effective in minimizing consequences through implementation of appropriate mitigation strategies


7


As an example of its approach to risk management and disaster recovery: Stevenage Leisure Ltd (SLL) has over the past 2 years implemented a virtualization of most of its server infrastructure at Head Office. As the final part of its IT 3 year strategy SLL intends to expand this virtualisation to create a Disaster Recovery (DR) implementation. This implementation will take place in the 3rd qtr. of 2013. The intention is to create a 2nd virtualisation setup at Hitchin Centre, this will be capable of running 90% of the head office server service, although at a reduced performance, in the event of access to the main site being unavailable for whatever reason. The 2 sites will be linked by a Wide Area Network (WAN) link that will enable replication of the main site data and infrastructure to the DR site. The DR site will be replicated within 5-10 minutes of the main site and could be capable of taking over the server operation within 20-30 minutes of the decision to relocate. An additional benefit of this DR site is the simplification of the backup plan. By definition the DR site provides an offsite backup. This 2nd site also provides the ability to create backup snapshots without incurring down time at the main site. ___________________________ The plan is tested so that if an incident or emergency were to happen SLL can act in a professional manner and rectify the problem in a systematic approach, and to reduce any business loss to a minimum. Exercising and testing provides validation of our business continuity plans and procedures to ensure the selected strategies are capable of providing response and recovery results within the timeframes agreed to by SLL’s management. There are five distinct stages in the business continuity management process. 1. Risk mitigation and management and understanding the organisation. 2. Plan production. 3. Training, testing and exercises. 4. Crisis management. 5. Monitoring, review and revision. These are not necessarily separate stages, as some of the activities can occur simultaneously. Business Risk Management is a key part of SLL’s integrated Quality Management System.

1. Does the Company have a Business Continuity Plan?

-Yes please see below procedure.

2. Understanding the Organisation. Has the Company:- 2a. identified all its key operations. 2b. Identified risk areas. 2c. mitigated the risk where possible. 2d. Planned for un-mitigated risk. Please see below for extract from SLL’s BCP plus our risk summary sheet. This is an integral part of SLL’s Business Continuity Management System (BCMS)

1. List of Disasters Covered

The list below are the types of incident covered under this plan, the breakdown of each can be seen in section 17 Risk Assessments.


8


The plan attempts to cover for all eventualities but in the event of a disaster not covered under section 9 then the structure and procedure will be in place to handle and to overcome any difficulties. Natural disaster Local disaster Financial crisis Legal crisis Epidemics Fire Bomb Council activation of their plan Loss and/or part loss of services Loss and/or part loss of building Information Technology failure Loss of Company information Supplier and/or contractor failures Loss of key staff

9. Risk Assessments/Priority of Risk

9.1 Purpose

Identify specific individual areas of business continuity risks and to develop control measures.

9.2 Background

SLL need to be in a position to mitigate business interruptions to ensure continuity of our business for the customers, partners and staff.

9.3 Discussions and Outline of Proposals

The risks have been identified in this plan in section 3 and are: Natural disaster Local disaster Financial Crisis Legal Crisis Epidemics Fire Bomb Council activation of their plan Loss and/or part loss of services Loss and/or part loss of building Information Technology failure Loss of Company information Supplier and/or contractor failures


9


Loss of key staff Each of the above risks will be prioritised according to the likelihood of the risk occurring. The following table represents the stages of priority:

Score

Likelihood Description

1

Rare

Highly unlikely to occur only on a rare occasion

2 Unlikely Unlikely to occur 3 Possible Likely to occur as it is clear the risk will probably eventuate 4 Likely

Very likely to occur, circumstances that occur eventuate very occasionally

5 Almost Certain

High likely to occur as the circumstances, which will cause the risk to eventuate, are also very likely to be created

Each Risk will also be prioritised by the impact they will incur on the business. The following table outlines the levels of impact: Score

Impact

Description

1

Insignificant

No, or very little impact on the business

2

Minor

Low impact on the business

3

Moderate

Some impact on the business

4

Major

Considerably high impact on the business

5

Catastrophic

Very High or substantial impact on the business

The likelihood and impact will then be measured and put into a scoring matrix. This then will define how SLL will define the prioritisation of the risks.

Likelihood Impact

Rare (1)

Unlikely (2)

Possible (3)

Likely (4)

Almost Certain (5)

Catastrophic (5)

5

10 15 20 25

Major (4)

4 = 8

12 16 20

Moderate (3)

3= 6

9

12 15

Minor (2)

2= 4= 6

8

10

Insignificant (1)

1= 2= 3= 4= 5

Level of risk Indicated by How the risk should be managed High risk Red Requires Active Management and planning to mitigated risk

Medium Risk Amber requires good Management and planning to mitigated risk

Low Risk Green Requires periodic review to ensure conditions remain unchanged


10


Please see pages 60-69 for detailed risk summary sheets 3. Business Continuity Strategy 3a. Does the company have a Business Continuity Strategy. Yes please see below

3b. Does the document have the following key elements: Time Scale Aims @ Objectives Senior managers commitment. Review arrangements Communication arrangements.

Please see below for SLL’s Business Continuity Policy, which details timescales for testing and review, aims and objectives, the commitment from SLL’s Managing Director to embed this into the company’s culture, how the policy will be communicated to all staff, and the roles and responsibilities of all designations of staff:


11


STEVENAGE LEISURE LIMITED

BUSINESS CONTINUITY PLANNING POLICY

ISSUE: No. 6


12


SECTION ONE: Business Continuity Planning Policy Statement The Business Continuity Planning (BCP) Policy outlines Stevenage Leisure Limited’s forward planning and commitment to its partners, customers, contractors and staff. It aims to ensure that, as far as is reasonably practicable, the company will have the plans in place and tested to meet most emergencies and so ensure business continuity. The Organisation will undertake to provide adequate training and information to all employees to enable them to improve their knowledge and awareness of the BCP and to discharge their responsibilities as part of the process. I will ensure that the BCP policy and plan is embedded into the company’s daily activities and becomes part of the SLL culture. Each Centre will carry out an exercise every six months and a full corporate operational test will be undertaken annually. A review after each test will identify areas for improvement in the policy, procedures or training to ensure we are fully prepared. Both of these tests will include business partners, staff and contractors. I believe that it is important for all staff, whatever their position, to accept their personal responsibilities as detailed in this policy and I seek active co-operation between management and employees to ensure that SLL can handle most emergencies professionally and swiftly to ensure business continuity. Finally, I undertake to review and revise this policy on an annual basis or as required by changing legislation. All changes will be brought to the attention of all employees. Signed: … ………………………………….. Date: 21st January 2013. Ian Morton Managing Director


13


Introduction This document lays down SLL’s aims and objectives in the important area of business planning. It sets out, in broad terms, how to implement these aims and objectives. All employees must co-operate in this endeavour. The policy statement will be displayed on all site H&S & staff notice boards and issued to all new employees as part of their induction pack. SLL will ensure compliance with BS 25999-1 2006 Code of Practice for Business Continuity Management, Management of Health and Safety at Work Regulations 1999 and Companies Act 1985 where Directors are responsible for safeguarding company assets. Aims of the Policy 1. To ensure the continuation of the business, in the event of a disaster, and the swift return to full

operation of the areas affected.

2. To build a positive business continuity culture in all areas of the business. 3. To review operations by business impact analysis, in order to identify areas of risk and vulnerability,

and then develop the plans to overcome these. These aims will be pursued regardless of whether the particular services, which form part of the organisation’s undertakings, are performed by its employees or by outside contractors acting on its behalf. These aims will be borne in mind in all policy and operational decisions made by the organisation, especially in relation to the adequate provision and competency of resources. Objectives of the Policy The organisation expects and requires every one of its departments to work towards achieving the following objectives in Business Continuity Planning: 1. Comply always with Regulations, Codes of Practices, legislation and all other relevant statutory

provisions to ensure business continuity. 2. Identify significant hazards arising from activities; assess all the resultant risks to the business and

partners and to develop the appropriate preventive and protective measures necessary to control these risks.

3. Plan, organise, implement, control, monitor, test and review the preventive and protective measures. 4. Establish emergency procedures that must be followed in situations of serious and imminent danger.

In this respect to co-operate and co-ordinate with the emergency services. 5. Provide and maintain suitable and safe vehicles, plant, equipment, and systems of work. 6. Provide employees with adequate Building Continuity Planning training and supervision and to take

account of employees’ capabilities in respect of Building Continuity Planning matters when assigning tasks to them.

Signed: …………………………….. Date: 21st January 2013 Ian Morton Managing Director


14


SECTION TWO: ORGANISATIONAL RESPONSIBILITIES 2.1 Corporate Risk and Health & Safety Committee will 2.1.1 Be the link between the Main Board and the Management Team. 2.1.2 Meet quarterly to receive regular updates and progress reports from the Managing Director. 2.1.3 Have a strategic input and approve significant policy changes as required. 2.2 Management Team 2.2.1 Accepts its collective role in the development, training and implementation of this policy 2.2.2 Accepts each individual role in providing leadership for their area of responsibility. 2.2.3 Will seek to engage the active participation of employees in the area of Business Continuity

Planning. 2.2.4 Will be the main focus of communication for any incident until normal operations are restored. 2.2.5 Will be Gold Command in the event of any incident either Corporate or Centre related. 2.2.6 Will carry out a review of either a real incident or a test and ensure any identified improvements are

fully implemented and that staff is trained on these modifications in time for the next test. 2.2.7 All Management Team decisions will reflect SLL’s commitment to achieving the objectives set out in

this policy statement. 2.2.8 The Facilities Director will be nominated as the BCP responsible person and will assist with all

incidents as part of the Crisis Management Team. 2.3 Managing Director 2.3.1 Ensure that there is an effective policy for Business Continuity Planning within the organisation,

which is kept up-to-date. 2.3.2 Ensure that relevant risks are assessed and will make available sufficient funds to allow for the

reduction of these business risks. 2.3.3 Lead Gold Command to ensure a professional approach, that team members carry out their duties

and that a successful and timely return to full operation is achieved. 2.3.4 Communicate with the Main Board in the event of and during an incident. 2.3.5 Ensure that each Centre carries out the six monthly exercise and annual full tests are completed and

that an action plan is developed, identified documentation changes are made and that actions are completed.

2.3.6 Ensure that the Business Continuity policy and plan for the Organisation is understood at all levels. 2.3.7 Co-operate fully in the training of the teams required under the policy and plan to ensure they are

competent and equipped to carry out their duties in an emergency. 2.3.8 Report periodically to Main Board on the status of the policies and plan 2.4 Section removed


15


2.5 Marketing Director will 2.5.1 Be a member of Gold Command. 2.5.2 Support staff that are involved and ensure they receive the assistance required both during and after

the incident. 2.6 Operations Director will 2.6.1 Communicate with appropriate Council Officers dependant on the area of the incident. 2.6.2 Be a member of Gold Command. 2.6.3 Be a communication link with the Crisis Management team. 2.7 Regional Contract Manager will 2.7.1 Chair Crisis Management team meetings for their Contract. 2.7.2 Communicate with the Operations Director during the incident and recovery period. 2.7.3 Other Regional Contract Manager’s will take over the running of sites, not affected by the incident, to

ensure business operates normally 2.8 Centre Manager will 2.8.1 Be a member of the Crisis Management team for their Centre. 2.8.2 Manage the incident within their Centre with the help of Crisis Management Team and Gold

Command to ensure a return to normal operations as quickly as reasonably practical. 2.8.3 On return to operation, carry out any repairs/work as required following the incident. 2.9 Crisis Management Team 2.9.1 Will have the following members:

1. Regional Contract Manager responsible for the Centre 2. Centre Manager 3. Financial Controller 4. Facilities Director 5. Marketing Director 6. IT Manager 7. HR Manager

1.1.1Will be responsible for the management of the incident to ensure a speedy return to normal operation. 1.1.2Ensure any repair works are carried out to return the Centre back to normal condition. 1.1.3Ensure that staff related issues are handled effectively. 1.2 Marketing Director will 2.10.1 Be a member of Gold Command

1.2.1Be a member of the Crisis Management team. 1.2.2Be the focal point for media communication


16


2.11 Facilities Director will 2.11.1 be a member of Gold Command. 2.11.2 Assist the Crisis Management team during the incident and recovery period. 2.11.3 Liaise with:

Utility companies Emergency Services Service Providers

2.11.4 Maintain the policy and Business Continuity plan updates and make the appropriate changes after

every incident or test as required. 2.11.5 Review all Business Continuity documentation annually dependent on 2.11.4 2.11.6 Complete the Business continuity risk assessment and annual review in co-operation with

Operational Directors and Regional Contract Managers. 2.12 Managers, Technical Managers and Supervisory Staff will 2.12.1 familiarise themselves fully with the Business Continuity policy and plan in order to ensure that

everyone in their charge complies with them at all times. 2.12.2 ensure that all staff attends training to enable effective operation of the plan. 2.12.3 assist their Manager wherever possible in the event of an incident or during the test. 2.12.4 ensure that those people in their charge are aware of the procedures to be followed in the

event of an incident. 2.12.5 ensure that those people in their charge know the whereabouts of first aid and emergency

equipment 2.12.6 devise safe working practices for tasks under their control and ensure that only safe working

practices are used in order to provide maximum safety for all those people in their charge during any incident.

2.12.7 brief employees regularly on procedures and policies. 2.13 All Employees will 2.13.1 make themselves familiar with the company’s Business Continuity policy and plan. 2.13.2 assist as required to facilitate a return to normal operation as quickly as possible. 2.13.3 make full and proper use of the appropriate safe systems of work, safety equipment and

protective clothing at all times and make full use of appropriate safety devices during an incident or test.

2.13.4 act in a responsible and professional manner during any incident or test period.


17


2.14 New Employees 2.14.1 In addition to the provisions of section 2.12 (inclusive) above, new employees shall: -

(a) Be briefed on the Company Business Continuity policy and plan as part of their induction into the company

(b) Be inducted in all relevant policy and plan requirements before working unsupervised. (c) Ensure that they have read and fully understood instructions that must be carried out in the

event of an incident or other serious or imminent danger. Business Continuity Planning Policy Appendix A Index of Updates of policy Issue No.

Description of revision Date of Issue Action by

1 Original draft of policy JB 2 Live document after test and plan update 3rd Nov. 2008 JB 3 Update 24th Feb. 2010 JB Marketing Manager to Director Section 2.3.8 to Main Board Page 2 relating to exercises Section 2.3.5 relating to Centres and the 6

monthly exercise

4 Annual update 12th Jan. 2011 JB Section 2.4 re – F&SD removed 5 Annual review 4th Jan 2012 JB Section 2.9.1 Financial Controller added 6 Annual update 21st Jan 2013 JB Section 2.10.1 added


18


3c. Is the strategy embedded throughout the organisation.

(Bid to reflect examples of commitment to BCP throughout the company i.e. Training Plan, News Letters etc) From the Managing Director (please see introduction above) downwards there is a clear commitment within SLL to communicate and commit to the benefits of the Business Continuity Plan. As highlighted earlier this forms an integral part of SLL’s Corporate Strategy Document. The Managing Director visits every centre annually for the launch of the Corporate Strategy Document consulting and informing all of the teams at the centres on the various strategies and how they can play their part in delivering those strategies. Copies of the document are available at staff communication points at each centre. The plan is available for all staff to see as a hard copy at all centres with a copy held by Centre Managers and a copy kept in staff communication files. It is also available on SLL Corporate Documents Folder for staff to view or download and print:

The BCP is also communicated to all staff as part of their induction. Please see below for induction checklist:


19



20



21


Training and awareness is undertaken by SLL’s Facilities Director, James Barker, who is the company’s lead for business continuity and disaster recovery. James also facilitates the testing within the company- with a desktop exercise every 6 months and an annual full live operational test. A full review follows both forms of testing. SLL’s current training presentation is shown below (although this is in the process of being changed with the move to BS ISO 22301). Please see section 5b for more details on training:


22



23



24



25



26



27



28



29



30



31



32


The Business Continuity Plan is also communicated through ‘Watch This Space’ SLL’s quarterly staff newsletter which is circulated to all staff, and SLL’s client partners. The newsletter is also available on SLLNET for reference. 3d. Is there an opportunity to develop the strategy. (bid to include any new company initiatives)

SLL is continually looking to evolve and develop its BCP in response to changing needs and events. For example, the company has recently undertaken a training exercise with regards to swine flu and has issued a policy accordingly. This pandemic training exercise was also attended by the Head of Leisure, Community & Children’s Services at Stevenage Borough Council and SLL will be looking to organise further joint exercises with our partners such as North Hertfordshire District Council.

The plan and strategy are reviewed as a minimum every December.

4. BCP identify the following key stages:-

4a Does the BCP have the following: Trigger Points Activation Points Call Out Arrangements Command and Control

Connect to Client Plans

Please see below for SLL’s Business Continuity Plan. This comprehensive plan contains: Clear trigger points leading to activation points with call out arrangements including external contractors, and a clear command and control structure, with the formation of Gold Command and Crisis management teams. SLL managed centres such as North Herts Leisure Centre and the Stevenage Arts & Leisure Centre are designated centres to be used within the Business Continuity Plans of North Hertfordshire District Council and Stevenage Borough Council: therefore is a direct link between SLL’s BCP and those of its clients. For the purposes of confidentiality all home telephone numbers have been removed from the emergency contacts list.


33


Stevenage Leisure Limited

Business Continuity Plan

Revision 6


34


Position No.

M Rev No.

Section Issued

No S

Rev No

Signature

Managing Director 1 6 All Spare 2 All Spare 3 All Regional Contract Manager (Hitchin and Royston)

4 All

Facilities Director 5 6 All Operations Director 6 6 All Regional Contract Manager (Central Beds)

7 6 All

General Manager SALC 8 6 All Regional Contract Manager (Letchworth)

9 6 All

Regional Contract Manager (Stevenage)

10 6 All

Marketing Director 11 6 All Finance Controller 12 6 All IT Manager 13 6 All HR Manager 14 6 All SA&LC 15 6 All 40 6 SA&LC Sports 15a 6 All 41 6 Stevenage Swimming Centre 16 6 All 42 6 Stevenage Golf & Conference Centre

17 6 All 43 6

F.V.P. Sailing Centre 18 6 All 44 6 Shephall Leisure Centre 19 6 All 45 6 JHN Leisure Centre 20 6 All 46 6 Flitwick Leisure Centre 21 6 All 47 6 Saxon Pool and Leisure Centre 22 6 All 48 6 Sandy Sports & Community Centre

23 6 All 49 6

Spare 24 6 All 50 6 North Herts Leisure Centre 25 6 All 51 6 Letchworth Outdoor Pool 26 6 All 52 6 Fearnhill Sports Centre 27 6 All 53 6 Hitchin Leisure Centre 28 6 All 54 6 Royston Leisure Centre 29 6 All 55 6 Rutland Leisure Centre 30 6 All 56 6 Houghton Regis 31 All 57 32 All 58 33 All 59 Paul Raine 34 6 All

Plan Issue Log

Note : No. M – this is the Managers copy No. S – this is the Centre copy The Centre Manager to sign for both copies


35


Contents

1.0 Purpose of Business Continuity Plan 2.0 List of Emergency Contacts 3.0 List of Disasters Covered 4.0 Business Continuity Plan Distribution (extract from Croner) 5.0 Command Structure 6.0 Implementation of Plan 7.0 Classification Requirements/Time tables 8.0 Command Centres 9.0 Risk Assessments/Priority of Risk 10.0 Communication Plan 11.0 Emergency Services 12.0 Update & Review Procedures 13.0 Training and Testing Regime 14.0 Teams 15.0 Information Technology 16.0 Incident Review 17.0 Documentation

17.1 Incident Log 17.2 Incident reporting form 17.3 BCP Implementation form 17.4 BCP Operations reporting form 17.5 BCP Incident log 17.6 BCP Instruction form 17.7 BCP Instruction log 17.8 Organisation Structure 17.9 Process Flow Diagram for an Incident 17.10 Bomb Threat Check List 17.11 Risk Summary sheets

Appendices

(d) Council and staff contact details - Private and Confidential (e) Contractors and suppliers contact details (f) Business Continuity Plan revision sheet.


36


1. Purpose of Business Continuity Plan

The purpose of the disaster recovery plan and associated documentation is have in place the policies and procedures to handle any emergency or incident that may impact on any SLL business or operation. The intent of this is to prepare and test the plan so that if an incident were to happen SLL can act in a professional manner and rectify the problem in a systematic approach, and to reduce any business loss to a minimum. The following is an extract from BS25999-1 2006 on Building Continuity Management (BCM):

“Business Continuity Management is a holistic management process that identifies potential threats to an organisation and the impacts to business operation that those threats if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”

There are five distinct stages in the business continuity management process. 1. Risk mitigation and management and understanding the organisation. 2. Plan production. 3. Training, testing and exercises. 4. Crisis management. 5. Monitoring, review and revision.

These are not necessarily separate stages, as some of the activities can occur simultaneously. The text below in this section describes each of the above stages in more detail. Note: extracted from Croner Facilities Management Records and Procedures The plan is for the entire company with Centres reviewing their Emergency Action Plans in line with this document and making the appropriate changes involving the Facilities Director. The lead department for this process will be the Facilities Management team. Please note item 5 above, this is a living document and will be under constant review and revision.

2. List of Emergency Contacts

The following are lists of people to be contacted in an emergency; the Communication plan in Section 10 will identify the order in which they should be contacted. NOTE: The contact information must maintained and held as Private and Confidential and must not under any circumstances be given to a 3rd party.

Corporate - see Appendix A Centre - see Appendix A Council Officers - see Appendix A Contractors- see Appendix B Suppliers - see Appendix B


37


3. List of Disasters Covered

The list below are the types of incident covered under this plan, the breakdown of each can be seen in section 17 Risk Assessments. The plan attempts to cover for all eventualities but in the event of a disaster not covered under section 9 then the structure and procedure will be in place to handle and to overcome any difficulties.

Natural disaster Local disaster Financial crisis

Legal crisis Epidemics Fire Bomb Council activation of their plan Loss and/or part loss of services Loss and/or part loss of building Information Technology failure Loss of Company information Supplier and/or contractor failures Loss of key staff

4. Business Continuity Plan Distribution (extract from Croner)

Care must be taken and a register of who holds all or part of this document for updating and control of circulation. The plans will be numbered and distributed as per the table on page 2. The document is to be signed for by the person carrying out the role as designated in the table.

5. Command Structure

The command structure will be based on the responsibilities as identified in the Business Continuity Policy. The Gold Command will direct all incidents both Corporate and Centre related, the Crisis Management team will communicate direct to the responsible Operations Director in the command centre. The Operations Director will be the communication link with Crisis Management team and Gold command. The Gold Command will also include a note taker and two runners. Please see attached process flow chart in Section 17.8

5.1 Gold Command

Gold Command will be the Management Team comprising:

Managing Director Financial Controller (dual role assisting both Gold and Crisis Management team) Marketing Director (dual role assisting both Gold and Crisis Management team) Operations Director Facilities Director (dual role assisting both Gold and Crisis Management team) HR Manager (dual role assisting both Gold and Crisis Management team)


38


5.2 Corporate Incident

The Crisis Management team for a corporate incident or involving more than one Centre will consist of the following

7. Regional Contract Manager 8. Council Client Leisure Officer (dependent on the type of incident) 9. Responsible Centre Managers 10. Finance Controller 11. Facilities Director 12. Marketing Director 13. IT Manager 14. HR Manager 15. Administration Support 16. Runners x 2

(Members of staff or key contractors will be drafted into the team as and when required)

5.3 Centre Incident

The Crisis Management relating to a centre incident will have the following members: 3 Regional Contract Manager responsible for the Centre 4 Centre Manager 5 Council Client Leisure Officer (dependent on the type of incident) 6 Finance Controller 7 Facilities Director 8 Marketing Director 9 IT Manager 10 HR Manager 11 Administration Support 12 Runners x 2

(Members of staff or key contractors will be drafted into the team as and when required)

6 Implementation of Plan

A responsible person can only implement this plan as follows

6.1 Corporate

The corporate plan can only be initiated by the Managing Director or has appointed representative. The MD must be given the required information by a Member of the Management Team so that to he fully understands the type and classification of incident to make the correct decision with the help of the Management Team. The Managing Director with then assemble the Gold Command team.

6.2 Centres

The Centre Manager on being made aware of an incident must notify immediately their Area Manager, if the Area Manager is unavailable they must contact the Operations Director. The Centre Manage will then alert the Crisis Management Team to be ready for implementation of the plan. As with a corporate incident the Operations Director must contact the Managing Director or his appointed representative.


39


7 Classification Requirements/Time tables

The classification of a disaster will naturally depend on the type and severity of the incident and therefore have a two-tier classification.

Class (a) (b)

1 4 Hrs 24 Hrs 2 8 Hrs 3 Days 3 24 Hrs 7 Days 4 Over 24 Hrs Over 7 Days

e.g. Class 2 (a) incident must be back to normal operation in 8 hours. The appropriate Director must report class 4 incidents to the Management Team on a weekly basis unless instructed otherwise by the Managing Director.

The Managing Director will assign the classification to an incident at the start in discussion with the Management Team; this will be based on business impact.

8 Command Centres

The following are the locations for the Command Centres for the Gold Command and Crisis Management Team. The location will be dependent on the type and severity of the incident. Dependent on the type of incident we may contact local Council Leisure Officer for accommodation before taking last resort of a Hotel booking. Gold Command 3 Conference room in SA&LC 4 Golf Centre Trophy Room 5 Local Hotel (as per attached list) Crisis Management Team Centre meeting or training room Nearest unaffected Centre Local Hotel (as per attached list) The room set up for each location is as per the drawing below.

Team Leader

Admin Support

Runners or specialists

Room Set-up


40


9 Risk Assessments/Priority of Risk 9.1 Purpose

Identify specific individual areas of business continuity risks and to develop control measures. 9.2 Background

SLL need to be in a position to mitigate business interruptions to ensure continuity of our business for the customers, partners and staff.

9.3 Discussions and Outline of Proposals

The risks have been identified in this plan in section 3 and are:

Natural disaster Local disaster Financial Crisis Legal Crisis Epidemics

Fire

Bomb Council activation of their plan Loss and/or part loss of services Loss and/or part loss of building Information Technology failure Loss of Company information Supplier and/or contractor failures Loss of key staff

Each of the above risks will be prioritised according to the likelihood of the risk occurring. The

following table represents the stages of priority:

Score

Likelihood

Description

1

Rare

Highly unlikely to occur only on a rare occasion.

2

Unlikely

Unlikely to occur.

3

Possible

Likely to occur as it is clear the risk will probably eventuate.

4

Likely

Very likely to occur, circumstances that occur eventuate very occasionally.

5

Almost Certain

High likely to occur as the circumstances, which will cause the risk to eventuate, are also very likely to be created.


41


Each Risk will also be prioritised by the impact they will incur on the business. The following table outlines the levels of impact:

Score

Impact

Description

1

Insignificant

No, or very little impact on the business

2

Minor

Low impact on the business

3

Moderate

Some impact on the business

4

Major

Considerably high impact on the business

5

Catastrophic

Very High or substantial impact on the business

The likelihood and impact will then be measured and put into a scoring matrix. This then will define how SLL will define the prioritisation of the risks.

Likelihood Impact

Rare (1)

Unlikely (2)

Possible (3)

Likely (4)

Almost Certain (5)

Catastrophic (5)

5

10 15 20 25

Major (4)

4 = 8

12 16 20

Moderate (3)

3= 6

9

12 15

Minor (2)

2= 4= 6

8

10

Insignificant (1)

1= 2= 3= 4= 5

Level of risk Indicated by How the risk should be managed High risk Red Requires Active Management and planning to mitigated risk Medium Risk Amber Requires good Management and planning to mitigated risk

Low Risk Green Requires periodic review to ensure conditions remain Unchanged

Please see attached spreadsheet for the list of risks and the scoring.


42


10. Communication plan The communication plan is as the following, some of which has been mentioned in section 4 and 5, plus section 17.9. Further information can be found in the Business Continuity policy. For clarification please see table below

Discipline Who to Contact When Managing Director Board Members Immediately notified Finance Controller Insurance Company Immediately incident identified Bank As required by incident Operations Director Managing Director Immediately notified Council Officers Immediately after MD Regional CM Operations Director Immediately notified Centre Manager Area Manager or Ops Director Immediately aware of issue Crisis Management team As soon as plan implemented Staff on site As soon as plan implemented Corporate S&M All media communication As required HR Manager All staff As required by incident Facilities Director Emergency Services Dependant on incident Utility companies Dependant on incident Contractors Dependant on incident Support Services Dependant on incident Accommodation and refreshments Dependant on incident All communication must be recorded using the forms in section 17 to keep monitor process. The forms will be vital during the review process and to help update BCP. The use of Goggle meetings to improve communication from the Gold Command and Crisis Centre will be set up by IT, this will speed up process but all information and instruction given must still use the forms to follow any verbal instruction in writing. 11 Emergency Services The point of contact with all emergency services during the incident will be the Facilities Director. The emergency services are to be made aware of the plan for each area of operation. 12 Update and Review Procedures The document including the risk assessments are to be reviewed by the Facilities Director and presented to the Management Team at least every 12 months. When the Management Team are in agreement with any updates the plan will then be presented to the Corporate Risk and Health & Safety Committee. This review is to include any items or issues identified by either the 6 monthly Centre tests or the annual corporate test. 13 Training and Testing Regime The two issues of training and testing regime had been included under one heading as they work hand in hand.


43


13.1 Training The staff taking part in any incident or plan must be trained on this document. The key staff must be trained on Incident Management and be able to handle themselves, customers, staff and contractors during a crisis. A training plan for all staff and especially key staff to be maintained by HR, this must be reviewed on a 6 months basis. 13.2 Testing regime The testing of the BCP and the capabilities of the staff involved must be carried out on a regular basis to ensure both the systems and personnel are ready for any emergency. Therefore the testing regime includes Centre tests and an annual corporate test. Each Centre is to carry out a 6 months test of every BCP year. A corporate test is to be carried out annually. The dates of these tests will be as per attached schedule (Note not included at this point, as we need to get this document approved and staff trained, the plan would be to have a desktop survey at the end of the training for key staff. From this date the schedule can be produced)

Date Centre Test (6 months) Corporate test (annual) e.g. 1st April X e.g. 1st October X e.g. 1st April X 14 Teams The teams are as defined in the command structure in section 5. 15 Information Technology (IT) There are three areas for IT to be involved in. 15.1 Disaster recovery operation The disaster recovery operation is now set at N+2 with real time back up off site back. 15.2 Safety and security of equipment and data It is the IT Managers responsibility to ensure that the equipment is kept secure and maintained and with redundancy of critical system. No data to be kept on the hard drive of PC’s, as the servers are backed in real time. The staff with laptops must synchronise their data daily with the server. 15.3 Command and Crisis Centre set up IT will ensure that each location has the capability to act and a response centre. IT will have the equipment required to convert rooms to become a response centre with PC’s. 16 Incident Review When the MD is closing down the incident, a date must be agreed to carry out a total review of the incident and procedures. This must be no more than 10 days after the close of an incident.


44


17 Documentation

17.1 SLL Incident Log

The SLL Incident log sheet is to record any incidents or crisis that were implemented using this plan. This will give SLL a history of events.


45


17.2 Incident reporting form

Incident reporting form is to be used by the Centre Manager and signed by the Operations Director giving details of the incident to allow MD and MT to make the appropriate decision.

17.3 Implementation form


46


MD giving the instructions and implementing plan will complete this form.


47


17.4 Operations reporting form

The Crisis team leader will use this form to pass information and updates the Gold Command, frequency will be dictated by the incident. MD will give this instruction on the Implementation form.


48


17.5 Incident log

Incidents log records all actions/incidents to give a record of the event for review at the review stage of the incident


49


17.6 Instruction form

The MD is to pass all instructions from Gold Command to the Crisis Management team using this form.


50


17.7 Instruction log

This is a record of all instruction given by MD


51


17.8 Organisation structure

A diagram of the organisational structure of the Business Continuity team

Business Continuity Plan Organisation Structure

Corporate PlanCrisis Management

Team

Centre Plan Crisis Management Team

Council Officer (dependent on the type of incident)Responsible Centre Managers Finance ControllerFacilities DirectorMarketing DirectorIT ManagerHR Manager

Centre ManagerCouncil OfficerFinance ControllerFacilities DirectorMarketing DirectorIT ManagerHR Manager

Gold Command

Area or General Manager

Area or General Manager


52


17.9 Process Flow diagram for an incident

The flow diagram gives a pictorial interpretation of how the incident plan will operate.


53


17.10 Bomb Threat Check list

The document was produced by MI5 for use during a bomb threat; staff must have this document close by key telephones.

This check-list is designed to help your staff to deal with a telephoned bomb threat effectively and to

record the necessary information.

Print it off and fix it to walls or desks so that staff can see it instantly. - Switch on tape recorder (if connected) - Tell the caller which town / district you are answering from - Record the exact wording of the threat: Ask the following questions: - where is the bomb right now? _______________________________ - when is it going to explode? _______________________________ - what does it look like? _______________________________ - what kind of bomb is it? _______________________________ - what will cause it to explode? _______________________________ - did you place the bomb? _______________________________ - why? _______________________________ - what is your name? _______________________________ - what is your address? _______________________________ - what is your telephone number? ________________________________

Record time call completed: _______________________________

Where automatic number reveals equipment is available, record number shown: ___________________ Inform the Duty Manager - Name and telephone number of the person informed:

_________________________________ Contact the police on 999. Time informed:_________________ The following part should be completed once the caller has hung up and the Duty Manager (or, if the Duty Manager is not available, the police) has been informed. Time and date of call: _______________________________ Length of call: _______________________________ Number at which call was received (i.e. your extension number): __________________ ABOUT THE CALLER

Sex of caller: __________Age: ____________Nationality: ____________


54


THREAT LANGUAGE (tick) Well spoken? Irrational? Taped message? Offensive? Incoherent? Message read by threat-maker? CALLER'S VOICE (tick) Calm? Crying? Clearing throat? Angry? Nasal? Slurred? Excited? Stutter? Disguised? Slow? Lisp? Accent? If so, what type?______________________________ Rapid? Deep? Hoarse? Laughter? Familiar? If so, whose voice did it sound like? _____________________ BACKGROUND SOUNDS (tick) Street noises? House noises? Animal noises? Crockery? Motor? Clear? Voice? Static? PA system? Booth? Music? Factory machinery? Office machinery? Other? (specify) _______________

OTHER REMARKS _________________________________________________________________ Signature _______________________________ Date _______________________________

Print name _______________________________


55


17.11 Risk Summary Sheets


56



57



58



59



60



61



62



63



64



65


Business Continuity Planning Policy Appendix A Index of Updates of policy Issue No.


1 Original draft of policy JB 2 Live document after test, policy updated to

include Centre Manager and site copies, drawing for room layout

29th Sept. 2008 JB

3 Updated 24th Feb 2010 JB Testing regime Section 5.1 Gold Command MT changed to MT Page 10 review changed for 6 to 12 months Section 15.1 & 15.2 changed to reflect current

situation

Marketing Manager changed to Director FD Changed to F&SSD Change Gold meeting room to Admin Issue register updated to reflect current

situation

4 Updated 12th Jan 2011 JB F&SSD removed Regional Contract Manager (H&R) added Contractor/Supplier and Emergency contact list

updated

Rutland added 28th Jan 2011 JB 5 Reviewed and updated 4th Jan 2012 JB Management team update Section 5.1 updated Section 8 location for Gold Command changed Section 10 updated “Financial Controller”

changed

Section 15.1 IT revised Section 15.3 Modified Section 17.2 “or Arts” removed Section 17.11 Risk Summary revised Contractor/Supplier and Contacts spreadsheet

updated

6 Annual Review 21st Jan 2013 JB Houghton Regis added Associated documents checked


66



67



68



69



70



71



72



73


4b Alternative sites for Senior Managers. ( To be identified within submitted BCP) As can be seen from the submitted BCP, there are clearly identified sites either SLL’s own managed sites or a range of external hotels that can accommodate our needs at short notice. From SLL’s BCP (as above):

Hotel accommodation Stevenage Ibis, Danestrete, Stevenage, SG1 1EJ 01438 779955 Holiday Inn, Stevenage, SG1 1XB 01438 344300 Biggleswade Crown Hotel, 23 High Street, Biggleswade, SG18 0JE 01767 312228 Stratton House Hotel, London Road, Biggleswade, SG18 8ED 01767 312442 Sandy Holiday Inn, Girtford Bridge, Sandy, SG19 1NA 01767 692220 Flitwick Flitwick Manor, Church Road, Flitwick, MK45 1AE 01525 712242 Holiday Inn, Bedford, MK42 9BF 0870 112 0807Letchworth Broadway Hotel, Broadway, Letchworth, SG6 3NZ 01462 480111 Baldock Travelodge, A1 Great North Road, SG7 5EX 0871 984 6005 Portable Accommodation Portacabin 0845 401 0010

Portable Offices Dunstable LU6 3QT 07720 883291 01582 842915

2. Command Centres

The following are the locations for the Command Centres for the Gold Command and Crisis Management Team. The location will be dependant on the type and severity of the incident. Dependent on the type of incident, we may contact the local Council Leisure Officer for accommodation before taking the last resort of a Hotel booking.

Gold Command

1. SA&LC - Vincent Room 2. Golf Centre - Trophy Room 3. Local Hotel (as per attached list)

Crisis Management Team

1. Centre meeting or training room 2. Nearest unaffected Centre 3. Local Hotel (as per attached list)

The room set up for each location is as per the drawing over page.


74


Team Leader

Admin Support

Runners or specialists

Room Set-up

4c Recovery Arrangements. (To be identified within submitted BCP) Recovery Arrangements are also detailed within the BCP as below:

3. Classification Requirements/Time tables

The classification of a disaster will naturally depend on the type and severity of the incident and therefore have a two-tier classification.

Class (a) (b) 1 4 Hrs 24 Hrs 2 8 Hrs 3 Days 3 24 Hrs 7 Days 4 Over 24

Hrs Over 7 Days

e.g. Class 2 (a) incident must be back to normal operation in 8 hours. The appropriate Director must report class 4 incidents to the Management Team on a weekly basis unless instructed otherwise by the Managing Director. The Managing Director, or his representative, will assign the classification to an incident at the start in discussion with the Management Team; this will be based on business impact.


75


5. Exercising, Monitoring & Review. Identify the following key stages 5a. Exercise arrangements i.e. tabletop, live etc. (Exercise Plan to be submitted with Bid)

As detailed within SLL’s policy and plan, SLL will carry out a desktop exercise every 6 months and a full live operational test on an annual basis.

4. Training and Testing Regime The two issues of training and testing regime have been included under one heading as they work hand in hand.

4.1 Training The staff taking part in any incident or plan must be trained on this document. The key staff must be trained on Incident Management and be able to handle themselves, customers, staff and contractors during a crisis. A training plan for all staff, and especially key staff, is to be maintained by HR. This must be reviewed on a 6 monthly basis.

Testing Regime The testing of the BCP and the capabilities of the staff involved must be carried out on a regular basis to ensure both the systems and personnel are ready for any emergency. Therefore the testing regime includes Centre tests and an annual corporate test. Each Centre is to carry out a 6 months test of every BCP year. A corporate test is to be carried out annually. The dates of these tests will be as per attached

Date Centre Test (6 months) Corporate test (annual)

w/c. 1st April X

wic 1st October X

w/c. 1st April X

5b. Staff training plan (Training Plan to be submitted with Bid) As outlined in section 3c above SLL has a clear commitment to training all its staff on its business continuity strategy and plan. James Barker, SLL’s Facilities Director, currently delivers a half day interactive training course for SLL staff. For the training plan for this course please see below. SLL’s Management Team and senior staff were originally trained on the BCP in June 2008 and all centre staff through a series of roadshows at each centre were trained by 1 August 2008. The BCP is a part of SLL’s induction process for all new staff and training for new staff will be incorporated into SLL’s overall training matrix along with refresher training for existing staff every 6 months or more frequently should the need arise (because of such areas as regulatory or statutory changes).


76



77



78



79


5c. Review and update arrangements. The policy, procedures and associated documentation are reviewed at least annually; interim reviews may additionally be carried out following a training exercise, incident or a change in circumstances.


80


SECTION ONE: Business Continuity Planning Policy Statement The Business Continuity Planning (BCP) Policy outlines Stevenage Leisure Limited’s forward planning and commitment to its partners, customers, contractors and staff. It aims to ensure that, as far as is reasonably practicable, the company will have the plans in place and tested to meet most emergencies and so ensure business continuity. The Organisation will undertake to provide adequate training and information to all employees to enable them to improve their knowledge and awareness of the BCP and to discharge their responsibilities as part of the process. I will ensure that the BCP policy and plan is embedded into the company’s daily activities and becomes part of the SLL culture. Each Centre will carry out an exercise every six months and a full corporate operational test will be undertaken annually. A review after each test will identify areas for improvement in the policy, procedures or training to ensure we are fully prepared. Both of these tests will include business partners, staff and contractors. I believe that it is important for all staff, whatever their position, to accept their personal responsibilities as detailed in this policy and I seek active co-operation between management and employees to ensure that SLL can handle most emergencies professionally and swiftly to ensure business continuity. Finally, I undertake to review and revise this policy on an annual basis or as required by changing legislation. All changes will be brought to the attention of all employees. Signed: … ………………………………….. Date: 21st January 2013. Ian Morton Managing Director


81


Business Continuity Planning Policy Appendix A Index of Updates of policy Issue No.


1 Original draft of policy JB 2 Live document after test and plan update 3rd Nov. 2008 JB 3 Update 24th Feb. 2010 JB Marketing Manager to Director Section 2.3.8 to Main Board Page 2 relating to exercises Section 2.3.5 relating to Centres and the 6

monthly exercise

4 Annual update 12th Jan. 2011 JB Section 2.4 re – F&SD removed 5 Annual review 4th Jan 2012 JB Section 2.9.1 Financial Controller added 6 Annual update 21st Jan 2013 JB Section 2.10.1 added

Update and Review Procedures

The document including the risk assessments are to be reviewed by the Facilities Director and presented to the Management Team at least every 6 months.

When the Management Team are in agreement with any updates, the plan will then be presented to the Main Board.

This review is to include any items or issues identified by either the 6 monthly desktop surveys, or the annual walk through test, or in response to any legislative or statutory changes, new industry guidelines or best practice. 5d Training & Exercising with key partners i.e NHDC (Training Plan to show partner training arrangements) SLL believes in working closely with its partners in this critical area to ensure continuity and minimum disruption to all stakeholders. As a forerunner to this process SLL held a pandemic training exercise which was also attended by the Head of Leisure, Community & Children’s Services and other key staff from Stevenage Borough Council, and SLL will be looking to organise further joint exercises with our partners such as North Hertfordshire District Council. We will be advising the Council shortly on our plans in this area.


82


Notes on the briefing exercise are shown below: SLL had the unfortunate task on Tuesday 15th May 2012 to fully test our BCP in a real life situation; this was a fire in the Sports Reception at the Stevenage Arts & Leisure Centre which, thanks to the efficiency and effectiveness of SLL’s Business Continuity Management Systems, saw the building re- open for business within 2 days and offering a full service to our customers within 3 days.


83


There then followed a process of carrying on business as normal, minimising disruption, and managing customer and staff expectations whilst undertaking the necessary full clean up and project work to restore the Sports Reception and surrounding areas to their former high standard. SLL lost very few members during this process In February SLL took part in a Hertfordshire BCP training day in the Stevenage Arts & Leisure Centre During March 2012 we had a Stevenage Borough Council (SBC) BCP Session and we had an internal training and presentations to all Centres. In September 2012 we attended a Hertfordshire BCP training day held at SBC in Stevenage. Several of SLL’s centres are designated as emergency centres by their respective local authorities, and SLL’s Contract Manager for the Letchworth Contract has attended a North Herts District Council emergency training day


84


Business Continuity Briefing: SA&LC - Ellen Terry Suite 4th June 2009

40 Managers across all 14 sites in attendance

Regional Contract Managers Management Team

1) Welcome and Introduction from Ian Morton

2) James Barker briefly explained the purpose of the session:

To review the BCP To understand the impact that swine flu could have on the BCP and update it accordingly

JB confirmed that there were 318 confirmed cases of swine flu in the UK, with 287 cases under investigation, putting the UK in 2nd place in the table of affected countries behind the USA.

3) Presentation from Suzanne Brightwell, (SBC) responsible for Emergency planning and Business

Continuity. – Presentation to be placed on SLL Net

Suzanne also stated:

There were now 9 confirmed cases of swine flu in Hertfordshire, with 1 in Stevenage. A second wave of swine flu in the autumn is very likely, the effects of which would be greater than the first wave.

Swine flu was similar to Spanish flu Anti viral medicines (Tamiflu/Relenza), will help contain it Most people would only suffer with mild symptoms The spread of catching it, is within 1 metre of someone sneezing Residue stays on surfaces for 2-3 hours Vaccine is being prepared and is likely to be available within 6 months Employees absent from work will also include parents, carers, worried well, malingerers Cobra = Government Cabinet office – currently meeting weekly Individuals who suspect they have the flu virus can contact Health Protection Agency.

They would ask questions i.e. have you visited Mexico recently? If they are concerned they will visit you. Or you can nominate a ‘Flu Friend’ to collect anti virus for you.


85


4) The briefing then went through the supplied scenarios spreadsheet as an aide to discussion:

Issues raised:

The need to refer to the Business Continuity Planning Policy to drive and deal with the Flu

Pandemic process The need to review SLL’s HR policies and procedures with regards to sickness, absence

and the reporting of same. We need to be aware that some employees, whilst not having swine flu, may be scared of catching it. HR will provide advice where necessary.

Consider employee skills and ability to re-deploy The need for SLL to compile a list to prioritise critical services to keep operational and/or

which centres could be closed and the impact/implications of doing so. The need to focus on net income for any potential loss of income claim, although any

compensation received is likely to be minimal. SLL is likely to have 5 centres that could be used as anti-viral collection points: SALC,

NHLC, Flitwick, Biggleswade, Sandy. Staff working in these centres would be eligible for priority vaccinations or anti virals

The effect on sites where sub contracting is in place. I.e. SBC grounds maintenance at the

Golf Centre. Should such teams be unable to carry out work, because of swine flu or extra commitments elsewhere (such as in the Local Authorities case, an increase in the use of cemeteries). Liason with the client will be critical. Affected Centre Managers should consider how this would be monitored. Perhaps with a phone call to confirm who is on site each day and the costs/availability of an alternative sub contractor.

The possibility of having anti bacterial hand washes available in reception areas at each

centre

5) The briefing was concluded with an agreement for individual centres to take the discussions back to their teams to consider how the issues raised today would affect them, particularly with regards to a second wave of swine flu that could hit this autumn/winter.


86



87
