
Business continuity policy

Rotherham, Doncaster and South Humber NHS Foundation Trust policy for business continuity.

1 Introduction

This policy sets out the specific requirements for establishing and maintaining effective business continuity plans within the trust.

2 Purpose

The Civil Contingencies Act (2004) (CCA) and NHS England emergency preparedness, resilience and response (EPRR) core standard number 47 require the trust to have in place a policy which includes a statement of intent to undertake business continuity. This includes the commitment to a business continuity management system (BCMS) aligned with ISO standard 22301.

3 Scope

This policy applies to all trust staff across all services and teams within the trust.

The policy is to be read in conjunction with emergency plans on the trust website (see section 9). It falls under the remit of the trust emergency preparedness, resilience and response (EPRR) Policy.

For the purposes of this policy a business continuity incident is an event or occurrence that disrupts (or might disrupt) an organisation’s normal service delivery below acceptable predefined levels, where special arrangements are required to be implemented until services can return to an acceptable level.

This policy will ensure the trust maintains compliance with the following NHSE EPRR core standards:

  • 48, the organisation has established the scope and objectives of the BCMS in relation to the organisation, specifying the risk management process and how this will be documented
  • 49, the organisation annually assesses and documents the impact of disruption to its services through business impact analysis(es)
  • 50, organisation’s information technology department certify that they are compliant with the data protection and security toolkit on an annual basis
  • 51, the organisation has established business continuity plans for the management of incidents, detailing how it will respond, recover and manage its services during disruptions to:
    • people
    • information and data
    • premises
    • suppliers and contractors
    • IT and infrastructure

These plans will be reviewed regularly (at a minimum annually), or following organisational change, or incidents and exercises.

  • 52, the organisation’s BCMS is monitored, measured and evaluated against established Key Performance Indicators. Reports on these and the outcome of any exercises, and status of any corrective action are annually reported to the board
  • 53, the organisation has a process for internal audit, and outcomes are included in the report to the board
  • 54, there is a process in place to assess the effectiveness of the BCMS and take corrective action to ensure continual improvement to the BCMS
  • 55, the organisation has in place a system to assess the business continuity plans of commissioned providers or suppliers; and is assured that these providers’ business continuity arrangements work with their own

4 Responsibilities, accountabilities and duties

4.1 Accountable emergency officer

The accountable emergency officer will:

  • assume accountability to the board of directors to ensure a suitable and robust business continuity policy is in place
  • provide a strategic lead on business continuity matters ensuring they are discussed at the EPRR group
  • in conjunction with the business continuity and EPRR manager ensure this policy is reviewed every 3 years to ensure its continued relevance and suitability remains in line with core standards produced by NHS England
  • if required, provide a post incident debrief report to the board of directors
  • if required, provide internal audit reports to the board of directors

4.2 Business continuity and EPRR manager

The business continuity and EPRR manager will:

  • ensure the business continuity policy is reviewed every three years to ensure it is aligned to ISO standard 22301 and approved by the EPRR group and corporate policy approval group
  • ensure an annual EPRR risk register is presented to the EPRR group that will provide the basis for risk assessments within individual team business continuity plans
  • liaise with staff at all levels to assist with their understanding of the requirements of the policy
  • ensure all staff are made aware of business continuity e-learning materials via ESR
  • coordinate the process for the annual update of business continuity plans identifying a named individual responsible for each plan
  • provide all plan authors with an annual business continuity update checklist that provides guidance on how to update their plan
  • provide a business continuity plan template to plan authors where required
  • where appropriate, assist plan authors in completing business continuity plans, for example in completing the business impact analysis
  • provide a template poster to plan authors to raise staff awareness of the location of plans
  • check all plans contain up to date action cards in the appendices that address risks identified in the EPRR risk register
  • check all plans have been agreed and signed off by a person of suitable authority other than the plan author, for example, team manager, area clinical lead, care group director, deputy care group director, corporate head of service or corporate director
  • collate and store business continuity plans submitted by plan authors in electronic format on L drive and make this folder available to on call care group directors, corporate directors and managers as a backup to individual team and care group arrangements
  • ensure business continuity plans for 24 hours a day, 7 days a week services are stored on the resilience direct secure website that is available remotely and is separate to trust provision
  • where possible and in cooperation with the Trust Communications team ensure that staff are made aware of any situation where business continuity plans should be reviewed or activated, for example in the event of a flood warning
  • when made aware of any incidents will perform a formal or informal debrief if required and provide suitable recommendations for agreement at the EPRR group
  • where plans are not produced to deadline or in adherence to quality liaise with the relevant manager or director to ensure work is undertaken to resolve the matter
  • in consultation with the accountable emergency officer ensure that, where appropriate, business continuity matters are raised on the appropriate trust risk register
  • liaise with teams to agree suitable dates to ensure plans are exercised as agreed by the EPRR group
  • liaise with the data protection officer and information technology department to assist with certification of compliance with the data protection and security toolkit on an annual basis
  • cooperate and assist with any internal audit of BCMS systems
  • liaise with the Procurement team to ensure suppliers and contractors provide assurance of business continuity arrangements that fit with our own

4.3 Directors

Directors will:

  • where required seek assurance from care group directors or managers that plans are being completed of sufficient quality to deadline and exercises are undertaken to test business continuity arrangements
  • follow the directions in the appropriate plan in the event of a business continuity incident
  • provide feedback as required in the event of a post incident debrief
  • provide feedback as required following receipt of an internal audit report
  • in the event of care groups experiencing circumstances that:
    • exhaust all available care group resources
    • exceed the provision of business continuity plans (including assistance from pre identified external providers)
    • require the authority of a more senior member of staff than care group director

Care group directors will then take direction from trust directors. Trust directors may choose to declare a critical or major incident or use the major incident plan to respond to this situation in order to make strategic decisions on service priority, source mutual aid from other areas and liaise with partners.

4.4 Care group directors

Care group directors will:

  • make suitable checks to ensure that plans are of sufficient quality and completed to deadline signing them off as appropriate
  • liaise with the business continuity and EPRR manager and place business continuity issues on the appropriate risk register if required
  • ensure suitable staff attend the EPRR group as required and provide feedback into care group quality meetings and other care group and team meetings as appropriate
  • ensure managers and staff are aware of the location and content of their business continuity plan and the requirement to participate in exercises
  • ensure plan authors take the business continuity management e-learning course on the electronic staff record (ESR)
  • follow the directions in the plan in the event of a business continuity incident
  • provide feedback as required in the event of a post incident debrief

4.5 Plan authors

Plan authors will:

  • ensure plans are completed in adherence to the procedures listed in section 5
  • act as the business continuity lead for the team(s) for which they are completing the plans
  • if they are new to the subject take the business continuity management e-learning course on ESR
  • review their business continuity plan on an annual basis using the business continuity checklist as guidance
  • share the business continuity plan with team members before each review and request feedback to form new versions
  • ensure the business continuity plan is discussed at team meetings before each review
  • after a business continuity incident ensure that lessons learned are incorporated into a new version of the plan within 4 weeks
  • ensure business continuity plans in hard copy and electronic formats are stored in a suitable location that is accessible to all team staff at all times with other business continuity materials (emergency equipment, evacuation plans etc)
  • where appropriate ensure a poster is visible in staff areas describing the location of the business continuity plan in hard copy and electronic format
  • ensure that new members of staff are made aware of the business continuity plan on their first day with the team
  • act as first point of contact for all business continuity matters within the team including the provision of situation reports (sitreps) when plans are invoked
  • ensure up to date contact details for suppliers and staff are accessible in the plan or clearly referenced elsewhere
  • ensure plans are completed to deadline
  • ensure plans are updated if teams are reorganised in a way that affects location, structure, functions or personnel
  • assist with the development of exercises with the business continuity and EPRR manager as agreed with the care group director, deputy care group director, corporate head of service or corporate director
  • follow the directions in the plan in the event of a business continuity incident
  • provide feedback as required in the event of a post incident debrief

4.6 All staff

All staff will:

  • know the location of the team business continuity plan and have some knowledge of its contents
  • cooperate with the plan author in updating the plan
  • agree to take part in any exercises as required by the business continuity and EPRR manager, team manager or care group director
  • inform the plan author and or manager of any changes to the plan, for example, change in address, personnel, team procedures etc
  • follow the directions in the plan in the event of a business continuity incident
  • provide feedback as required in the event of a post incident debrief

5 Procedure and implementation

All business continuity plans will be updated on an annual basis by the plan author. All plans must be signed off by the care group director, deputy care group director, corporate head of service or corporate director for the team concerned. However, in cases where they have a large number of plans to sign, this may be delegated to a modern matron, service manager or area clinical lead, provided that individual is not the plan author. Any member of staff who signs off a business continuity plan must have already completed the business continuity management e-learning course on ESR.

Should a team undergo reorganisation or change its staff, function or procedures in a way that would significantly affect the accuracy of the business continuity plan the plan author will ensure the plan is amended, signed off and submitted to the business continuity and EPRR manager within 1 calendar month of any changes made.

All business continuity plans will include the name of the team on the cover along with full address details with postcodes of the premises and hours of service given by the team.

5.1 Plans or policies to be read in conjunction with the business continuity plan

Business continuity plans may be invoked due to a variety of reasons so a number of other plans and policies may be read to provide extra guidance to teams. All plans and policies are available via the trust intranet.

5.2 Business continuity plan contact details

Each plan should contain:

  • in table format within the first few pages of the plan full telephone contact details for the team manager(s) so that a member of the team may be contacted in an incident. If the team provides a 24 hours a day, 7 days a week service contact details should include numbers used to contact on call staff. These should be listed in the order that they ought to be contacted. No personal numbers should be included. If personal contact details are required they should be held securely on a separate document to the business continuity plan
  • a staff list containing details of all team members. This is to assist management in periods where staff shortages occur. Staff information need only contain contact telephone numbers (including work mobile) and a home location. A full address is not necessary; a staff member’s area of residence will suffice (for example, name of town or village). If full address details are required in an incident these should be sought via the usual channels and must not be included in the business continuity plan
  • the staff list should also include the type of road fuel used by each member of staff (diesel or petrol) where applicable and if the vehicle used is a 4 by 4
  • full contact details of all suppliers or contractors or service providers should be included with telephone, email and mobile numbers if possible. This includes providers of building services and telecoms providers if not provided by the trust
  • full address details with postcodes of all work premises from where the team operates

5.3 Risk register impacts and contingencies

The business continuity plan will include the following risks:

  • severe weather, low temperatures and heavy snow
  • severe weather, storms and gales
  • severe weather, localised flooding
  • pandemic
  • infectious disease outbreak in the community
  • heatwave
  • actual or threatened disruption to road fuel supply
  • technical failure of electricity networks
  • cyber attack and or IT outage (affecting access to clinical data and network)
  • telecoms outage (landline and, or mobile)
  • mains water supply outage
  • disruption to transport network
  • loss of premises
  • industrial action
  • surge or increase in service users
  • loss of supplier or contractor

The likelihood of each risk is confirmed in the trust EPRR risk assessment and is included in the business continuity plan template.

Plan authors must assess the impact of each risk on their team functions for a period of up to one day, up to one week and over one week. The impact of disruption may be none, minor, moderate, major or catastrophic. Details of how to calculate impact are included in the plan template.

Contingencies to address the impact of each risk may be included on the risk assessment table or refer to action cards in the appendices. It is the responsibility of the plan author to ensure that contingencies are relevant to the team and its functions.

5.4 Exercise and review

This section of the plan records details of exercises. The plan author must record any exercises undertaken. It is recommended that those teams delivering critical services undertake at least one exercise every 3 years. Exercises and business continuity incidents should be followed up in the form of either a formal or informal debrief. Where lessons are learned these should be shared with the business continuity and EPRR manager so that they may be disseminated to other teams. Where risks are identified these should be added to the appropriate internal risk register for action.

5.5 Record of amendments

The plan author should ensure that all amendments to the plan are recorded in full.

6 Training implications

All plan authors should undertake the business continuity management e-learning course on ESR before beginning to write a plan. This training is essential to the role. There are no other specific training needs in relation to this policy, but the following staff will need to be familiar with its contents:

  • accountable emergency officer (chief operating officer)
  • business continuity and EPRR manager
  • care group directors
  • deputy care group directors or corporate directors where they are signing off a business continuity plan

Further information is available via guidance on the emergency planning section on the trust internet.

7 Monitoring arrangements

It is the intention of the trust to ensure effective implementation and regular review of this policy.

The business continuity and EPRR manager will continually monitor how this policy is followed by individual teams. This will be done by a number of methods including, but not exclusively:

  • the business continuity and EPRR manager will keep a live record of all Trust business continuity plans
  • the business continuity and EPRR manager will conduct a programme of exercises to test plans
  • the business continuity and EPRR manager will consult with business continuity plan authors and the EPRR group to share learning points and best practice
  • the business continuity and EPRR manager will share lessons learned from any incidents to the EPRR group and plan authors for them to add to existing plans as and when they arise
  • the business continuity and EPRR manager will provide update reports on EPRR and business continuity to trust quality committee three times per year
  • additionally the business continuity and EPRR manager will ensure the Trust adheres to NHS England core standards for emergency planning, resilience and response (EPRR) with regard to business continuity

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the Trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.2 Mental Capacity Act

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individual’s capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act. For this reason all procedural documents will be considered, if relevant, to reflect the provisions of the Mental Capacity Act 2005 to ensure that the interests of an individual whose capacity is in question can continue to make as many decisions for themselves as possible.


Document control

  • Version: 4.1.
  • Unique reference number: 169.
  • Date approved: 19 August 2021.
  • Approved by: Corporate policy approval group (CPAG).
  • Name of originator or author: Business continuity and EPRR manager.
  • Name of responsible individual or committee: EPRR group.
  • Date issued: 25 August 2021.
  • Review date: August 2024.
  • Target audience: All staff.

Page last reviewed: April 30, 2024
Next review due: April 30, 2025
