date of meeting: 21st july 2016 governing body …...2016/07/21  · appendix 4 critical functions...

53
Agenda Item No: 13 Date of Meeting: 21 st July 2016 Governing Body Meeting Paper Title: Business Continuity Plan Decision Discussion Information Follow up from last meeting Report author: Richard Steadman – Interim Head of Risk Management Report signed off by: Sheilagh Reavey, Director of Nursing and Quality Purpose of the paper: Updated Business Continuity Plan for ENHCCG Please review the Register of Interests of the Governing Body and highlight to them any potential conflicts, which they need to manage: http://www.enhertsccg.nhs .uk/declarations-interest Conflicts of Interest involved: There are none identified. Recommendations to the Governing Body: The Governing Body is asked to: Approve this plan.

Upload: others

Post on 17-May-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

Agenda Item No: 13

Date of Meeting: 21st July 2016

Governing Body Meeting

Paper Title: Business Continuity Plan

Decision Discussion Information Follow up from last meeting

Report author: Richard Steadman – Interim Head of Risk Management

Report signed off by: Sheilagh Reavey, Director of Nursing and Quality

Purpose of the paper: Updated Business Continuity Plan for ENHCCG

Please review the Register of Interests of the Governing Body and highlight to them any potential conflicts, which they need to manage: http://www.enhertsccg.nhs.uk/declarations-interest Conflicts of Interest involved:

There are none identified.

Recommendations to the Governing Body:

The Governing Body is asked to: Approve this plan.

Page 2: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

BUSINESS CONTINUITY PLAN

Additional copies of this plan can be found in the Incident Control Room located in the office next to the Boardroom, second floor, Charter House and also the

on-call pack issued to Directors and Managers..

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 1 of 59

Page 3: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

DOCUMENT CONTROL SHEET Document Owner: Director of Operations Document Author(s): Director of Operations Version: 5.843 DRAFTFINAL Directorate: Operations Approved By: Governing Body Date of Approval: 15 January 2015 Date of Review: 15 JanuaryJuly 2016 Change History:

Implementation Plan:

Development and Consultation

EPRR Consultant Executive Team

Dissemination Staff can access this policy via the intranet and will be notified of

Version Date Reviewer(s) Revision Description

1.0 July 2013 Valarie Penn Updated following JW comments

2.0 August 2013 Valarie Penn General update following Draft Business Impact Assessments

3.0 October 2013 John Webster Whole Document Review – Updates to Plan, Business Impact Assessments and Policy Statement in line with EPRR Core Standards

4.0 November 2013

Valarie Penn Updated following Exec Comments

4.1 Draft January 2015 Oskan Edwardson Annual Update – for approval

5.0 Final January 2015 Jas Dosanjh Formatting

5.1 Final April 2015 Jas Dosanjh Sharn Elton

Appendix 3 updated. Critical Functions of the Operations Director added to Appendix 4

5.2 Final June 2015 Anne Ephgrave Critical Functions of HR added to Appendix 4

5.3 Final July 2015 Phil Turnock Addition of ‘Objectives for the Recover of Services’ and updated Appendix 4 Critical Functions of HBL ICT Shared Service

5.4 Draft September 2015

Jas Dosanjh Sharn Elton

Update in line with NHSE EPRR Framework and Toolkit requirements

5.5 Draft February 2016 Jas Dosanjh Formatting and updated Business Impact Assessment included

5.8 Draft July 2016 R Steadman Review of Business Impact assessments to ensure consistent methodology used. Minor text changes

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 2 of 59

Page 4: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

new/revised versions via the staff briefing. This policy will be included in CCG Publication Scheme in compliance with the Freedom of Information Act 2000.

Training The plan will be ineffective if the staff expected to implement them at the time are unaware of them. Therefore all sStaff will be made aware of the emergency and business continuity response arrangements within the plan at their corporate induction training, and will also be made aware of where the overarching and departmental plans can be located. The skills and knowledge of Incident Commanders and staff at an operational level will be achieved and maintained through regular training and exercising as documented in the training and exercising annual programme which covers:

• Awareness training, including roles/responsibilities, • Incident coordination centre training, • Communications testing and exercising.

If there are any significant changes to the plan, then this will be communicated to departmental leads to cascade to all staff. Business Continuity arrangements w i l l be exercised at least once a year in order to validate the effectiveness and highlight any gaps which can then be corrected.

Monitoring and Review

This document will be reviewed on an annual basis or when there are changes in the working systems of the organisation; or major changes to the contact arrangements of staff or suppliers that affect the content. The date of the review will be recorded on the front of the document. It is the responsibility of the identified departmental leads to update local departmental plans on an ongoing basis and the Emergency Planning ManagerBusiness Continuity Lead to ensure the generic section of this document is kept update. The plan will be used/deployed when the ability of the CCG to carry out its statutory duties are compromised. The plan will be exercised and tested every two years; incident management will account to testing and exercising, in accordance with the processes defined within the Major Incident Plan (including testing with dependent stakeholders).

Equality and Diversity

January 2015 - Equality Impact Assessment (Appendix 5) January 2015 - Privacy Impact Assessment (Appendix 6)

Associated CCG Documents

Major Incident Plan System Escalation Plan Major Incident Action Cards Incident Control Centre Plan CCG Strategic Risk Register / Risk Controls and

AssuranceManagement Dashboard

References The ISO Standard for Business Continuity (ISO 22301)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 3 of 59

Page 5: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

British Standard NHS Business Continuity Management (BS25999)

Contents

Section No.

Section Name Page No.

1.0 Introduction

2.0 Scope

3.0 Purpose

4.0 Definitions

5.0 Role and Responsibilities

6.0 Plan Activation

6.1 Business Continuity Management Team (Crisis and Recovery Team)

6.2 Continuing Services in the Event of a Disruption

6.3 Failure of IT SystemsInsurance/Incident Costs

6.4 Failure of TelecommunicationsCommunications and Alerts

6.5 Failure of Utilities – Electricity / Gas / Water Supplies Record Keeping

6.6 Loss of CCG Buildings

6.7 Fuel Shortages

6.8 Staff Shortages

6.9 Communications

Appendix 1 Business Continuity Management – CCG Policy Statement

Appendix 2 Business Recovery Template

Appendix 3 Key Contacts List

Appendix 4 Business Impact Assessment - Template and Summary

Appendix 5 Equality Impact Assessment

Appendix 6 Privacy Impact Assessment

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 4 of 59

Page 6: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

1.0 Introduction

The Civil Contingencies Act 2004 came into force in November 2005 and focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders (such as CCGs) as Category 2 Responders. It is a requirement of the Act that the CCGs have Business Continuity Plans in place to support the CCG’s Major Incident Plan.

1.1 Policy statement

It is the policy of East &and North Hertfordshire Clinical Commissioning Group (CCG) to develop, implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

It is the policy of the CCG to take all reasonable steps to ensure that in the event of a service interruption, the organisation will be able to respond appropriately and continue to deliver its essential functions and that we are able to respond to the needs of our local population. A service interruption is defined as:

‘Any incident which threatens personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions.’ (www.cabinetoffice.gov.uk/ukresilience).

The CCGs Policy Statement is provided at Appendix 1.

1.2 Resources

The CCG recognises its obligations with regards to emergency planning, resilience, responding to major incidents and business continuity. Funds, as identified as being necessary, will be made available in the event of a major incident to ensure the CCG meets its obligations with respect to these.

1.3 Emergency Planning - Business Continuity The Cabinet Office’s “Expectations and Indicators of Good Practice Set for Category 1 and 2 Responders” describes seven expectations regarding the Civil Contingencies Act (2004), Regulations (2005) and guidance:

1. Duty to assess risk

2. Duty to maintain plans – Emergency Plan

3. Duty to maintain plans – Business Continuity

4. Duty to communicate with the public

5. Business Continuity Promotion

6. Information sharing

7. Cooperation

Clinical Commissioning Groups are Category 2 Responders and as such will be required to co-operate with Category 1 Responders in the event of an emergency. They are also required to have Business Continuity Plans and Major Incident Plans. These requirements will be achieved in three stages:

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 5 of 59

Page 7: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Stage 1 – A Business Impact Assessment: The impacts of the loss of staff, communications, data systems, transport and buildings. Appendix 4 provides details of the Business Impact Assessments undertaken at Departmental level within the CCG. Some functions are hosted by or delivered through contracts with other organisation’s, and where applicable details have been included within the assessments. (e.g. PropCo Ltd). These assessments are also provided.. The Business Impact Assessments include prioritisedprioritized activities that have been linked to the Business Continuity Corporate Risks. and are managed via the Risks Controls and Assurance Dashboard which is CCG’s corporate mechanism (see Risk Management Framework/Guidance Procedure for details). The Business Impacts Assessments detail: - Responsibilities of key staff and departments, - Responsibilities of the appropriate Accountable Emergency officer or

Executive Director, Where the incident will be managed from (incident coordination centre).

Stage 2 - A Business Continuity Plan: The measures to be taken internally in the event of such a loss. The Business Continuity Plan will comprise the mitigating actions arising from the Business Impact Assessments, taking into consideration the key risks that could potentially cause service disruption resulting in the plans being evoked. Information of the key contacts that will instigate the relevant mitigating actions and the contact details of all staff that might have to undertake those actions are also included - be it communicating with others or changing their way of working. Stage 3 – A Major Incident Plan: The measures to be taken in support of Category 1 responders in the event of an ‘Emergency’. This details the organisation’s response to: • an event or situation which threatens serious damage to human welfare; • an event or situation which threatens serious damage to the environment; • War, or terrorism, which threatens serious damage to the security of the UK. The CCG is required to equip nominated staff with the Major Incident Plan, the Business Continuity Plan, an incident control centre, an emergency telephone line and a list of all relevant telephone and email contacts. The plans have been built on experience and will be subject to a desktop test, as part of best practice, in order that they are further refined. The result of the desktop testing will be reported to the CCG Governing Body.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 6 of 59

Page 8: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

2.0 Scope

The scope of this plan is to provide overarching organisational guidance of business continuity management and the invocation process within the CCG, and an outline of responsibilities. The following table indicates the links with other CCG and System Resilience Plans:

Document

Community Risk Register The CCG is a Level 2 responder for Emergency Preparedness Resilience and Response which will be led by the NHS England Midlands and East (Central Midlands) Area Team. These plans will be owned by the Local Resilience Forum with input from the Local Health resilience Partnership. However, the CCG will have a role in planning for and responding to the relevant incident.

LRF Flood Plan

LRF Pandemic Influenza Plan

LRF Severe Weather Plan

3.0 Purpose

The purpose of the Business Continuity Plan is to outline the responsibility of the CCG and their staff in the event of a crisis in order to maintain as normal a service as practically possible. The over-riding aim is to ensure a prompt and efficient recovery of critical activities from any incident or physical disaster that may affect the CCG’s ability to operate and deliver their commissioning service in support of the NHS economy. It must be recognised that any event not only impacts on staff, premises, technology and operations, but also on the CCG’s brand, status, relationships and reputation and that all business continuity arrangements should ensure that the CCGs meet their legal, statutory and regulatory obligations to both their staff and dependent stakeholders.

4.0 Definitions 4.1 Business Continuity Management: Business Continuity Management is the process that helps manage the risks to

the smooth running of the organisation in the delivery of its services, ensuring that essential business can continue in the event of a disruption and can be sustained in the event of an emergency. It is aimed at reducing or eliminating the risks of business interruption and it is necessary to have contingency plans in place to ensure normal business functions can be resumed as soon as possible.

For the NHS, Business Continuity Management is defined as the management process that enables an NHS organization to: • Identify those key services which, if interrupted for any reason, would have the

greatest impact upon the community, the health economy and the organisation. • Identify and reduce the risks and threats to the continuation of these key

services. • Develop plans which enable the organisation to recover and/or maintain core

services in the shortest possible time.

There are many and varied possible causes of service disruption; these may range from the loss of infrastructure e.g. offices; buildings; IT systems; managing

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 7 of 59

Page 9: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

a power cut or extreme weather to arranging service provision during an emergency or epidemic. These events may not be mutually exclusive i.e. extreme weather can lead to loss of electricity or staff being unable to get to work.

4.2 A Service Interruption can be defined as ‘Any incident which threatens

personnel, buildings or the operational procedures of an organisation and which requires special measures to be taken to restore normal functions’

5.0 Roles and Responsibilities

Overall accountability for the smooth running of the organisation lies with the CCG’s Accountable Officer. The Director of Operations is the lead director for Business Continuity and will be responsible for providing positive assurance to the Governing Body on the CCG’s plans.

5.1 Executive Directors The Executive Directors are responsible for maintaining their individual services,

and for alerting the need to activate Business Continuity Plans if such an event occurs within their directorate.

5.2 Designated Associate Directors and Assistant Directors

The Designated Associate Directors and Assistant Directors must ensure that any changes of contact details of key staff noted in their plans are updated as required, that their Directorate plans are reviewed at least annually and that any new services that are developed are included in the plans.

5.3 Head ofLead for Emergency Preparedness, Resilience, Response and

Business Continuity

The Director of Operations takes the role of Head of lead for Emergency Preparedness, Resilience, Response and Business Continuity and will provide specialist guidance during the invocation of any part of the Business Continuity Plans. and will assist in coordinating any actions required The Director of Quality and Nursing Chief Finance Officer takes the lead for Business Continuity arrangements within the CCG, which is a critical function of the organization..

5.4 Communications Team The Communications Team will be responsible for informing the public of events

where necessary, following agreement of the Accountable Officer or Director of Operations (designated deputy), and will also keep staff informed of developments as appropriate.

5.5 CCG Staff All CCG employed staff are responsible for co-operating with the implementation

of the Business Continuity Plans as part of their normal duties and responsibilities. 6.0 Plan Activation

A nominated post holder from each department will decide in discussion with the

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 8 of 59

Page 10: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Heads of Department and the Director of Operations whether the plan or any part of it should be activated using the process in the following flow chart. Out of hours the decision will be made with the direction of the on call CCG director/manager

6.1 Business Continuity Management Team (Crisis and Recovery Team)

A team will be convened t o oversee the process of ensuring essential services are maintained and that recovery plans are put into place, Membership may include the following:

• Director of Operations or nominated Deputy • Associate Director where incident has occurred • Lead for Emergency Preparedness, Response & Business Continuity • Assistant Director of Communications Manager • Estates representation (as required) • Any other personnel deemed necessary, i.e. representative of HR,

specialist advice, etc.

The team will meet initially on a daily basis and will keep notes of the meeting, actions taken, resources committed, and progress made using the template a t

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 9 of 59

Page 11: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Appendix 3.

Incident Control Centre location and resources: located in the Office next to the Boardroom, Second Floor, Charter House, WGC. Includes additional paper copies of this Plan.

The Major Incident Plan includes the scalable plan setting out how the command and control arrangements will be managed and by whom.

6.2 Continuing Services in the event of a Disruption

As part of the Business Impact Assessment process, a critical function analysis has been carried out to determine those parts of the service that are a priority to maintain or reinstate. The CCG is responsible for commissioning a wide range of patient services to the local population and the following will be restored and maintained as soon as is practically possible.

• Maintaining an emergency response and support to Category 1

responders; • Incident investigation; • Mobilisation of the workforce, and support for staff safety and welfare; • Provision of IT (through a shared service (called Herts Beds and Luton ICT

Shared Service) with ENHCCG as the host for this service); • Maintaining communications with the general public and CCG staff; • Essential Finance functions; including the making and receiving of payments; • Essential HR processes; • Safeguarding adults and children; and • Continuity of contract management responsibilities • System leadership role.

Objectives for the Recovery of Services

The recovery of Services in a Disaster Recovery or Business Continuity scenario is defined by two Objectives:

Recovery Time Objective (RTO): is defined as the time period after a disaster at which business functions need to be restored.

Recovery Point Objective (RPO): is the maximum period of time based data loss (relative to the disaster) which cannot be recovered.

The Business Impact Assessments include details of the activity surge plan to ensure that critical services are maintained in periods of peak activity, including the maximum periods of tolerable disruption for all critical activities, and how the recovery/restoration principles will be managed and by whom. The critical function analysis also identifies those functions that are less critical and could be suspended, in light of the RTO and other timescales that may be identified within the Business Impact Assessments.

Service Function Length of time function can be suspended

Financial management 7 days

Planning services - preparing commissioning plans 28 days

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 10 of 59

Page 12: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Commissioning services through pathway development and redesign 28 days

Contract management – acute contracts 14 days

Contract management – community and third sector 14 days

Performance and data analysis 14 days

Governance duties to ensure continuous compliance with statutory duties 14 days

Partnership working to ensure joined up working to improve the health and wellbeing of patients 14 days

Support and guidance to member practices 14 days

Quality and safety 14 days

Administration 14 days

If an incident occurs and this plan is activated, permission will be sought from the Accountable Officer, or in their absence the Director of Operations (or nominated Deputy) to suspend the mainstream service functions detailed above and release the CCG staff who cover these functions to provide support to critical functions provided in other areas of the CCG.

The plan will be activated in accordance with the processes outlined in the Major Incident Plan and the Incident Control Centre Plan, including the escalation system in place and who assumes responsibility at each stage (as well as action cards and aide memoirs for use by key team members). Through the Business Impact Assessments, eEach department has identified its own critical functions that are required to maintain its service and have their own local departmental plans which a r e accessible in both paper copy and electronically. It is the responsibility of designated Associate/Assistant Directors to communicate the location of these plans to their staff.

In the event of an emergency, or business interruption, the CCG will endeavor to maintain services as usual or as close to the usual standard as possible. However, where it is clear that this is not achievable, the Head of Service in conjunction with the Director of Operations ( or on-call Director/ManagerAssistant Director if out of hours) will decide which priority functions of the department must continue, depending on the nature of the business interruption.

There are some generic areas that could potentially affect all departments and these are described below:

6.2.1 Failure of IT Systems

The CCG, like many organisations, rely upon IT systems for their day to day business. A disaster that prevents the organisation from accessing these systems whether caused by the failure of the systems themselves, or being due to an incident such as fire or flooding will potentially have a serious impact on the continuation of the CCG’s functions. IT system failures may include:

• Loss of email, • Loss of internet,

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 11 of 59

Page 13: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

• Loss of Microsoft Office Applications, • Loss of access to stored documents (shared server), • Loss of individual IT systems/applications, • Major IT network outage.

While it is impossible to consider and document a recovery plan for every disaster that may occur the impact of the loss of IT systems to each department is covered in the individual departmental plans and it is expected that they can be adapted to cater for any specific incident. If there is a failure in the IT system or any stand-alone computer for important data for a prolonged period of time, staff will need to change to a paper back-up system where possible to capture the data so that this can be recorded on the system retrospectively.

The development of telecommunications that are reliant upon the IT network makes it likely that telephone failure will also result from any IT network failure. The priority in which restoration is required will depend on the service area and is detailed in individual departmental plans.

If there is a loss of hardware or software through theft or damage then advice should be sought from the IT provider and the incident reported to the CCG’s Risk teamGovernance and Corporate Affairs (via the Associate Director of GovernanceCompany Secretary).

The maintenance of the CCG IT systems is provided by the Herts Beds and Luton ICT Shared Service (HBL ICT) under a Service Level Agreement (SLA). Under the terms of this SLA, HBL ICT will invoke their Emergency Disaster and Recovery Plan to cope with any event causing prolonged interruption of service.

The standard RPO and RTO within the agreed partnership service agreements is:

• RPO – 1 day from date of failure • RTO = 24 hours from the time of failure

Restoration of services will be managed through the agreement ICT Major Incident processes which will include full engagement of the CCG executive. Whereby the standard RPO or RTO cannot be achieved, this will be brokered with the CCG Executive during the respective phases of the Major Incident process.

6.2.2 Failure of Telecommunications

The telephone lines are provided under contract with BT, and the system is under a maintenance contract with Vodafone.

MTPASS SIM cards have been requested for the on-call phone and those of the Emergency Planning Officer and the on-call Directors and managers. This will provide resilience in terms of key staff needing to respond to potential incidents covered by this plan.

Each departmental plan identifies in more detail the actions required should the telephone systems (including mobile telephony) be inactive. The priority in which restoration of phone lines are required will depend on the service area and if crucial will be detailed in individual departmental plans.

CCG contact in the first instance: HBLICT Service Desk on 07748 111561*

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 12 of 59

Page 14: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

(Note:- this number is only activated if the Phone System is down at Charter House).

If electricity has failed then prior consideration needs to be given to the ability to recharge mobile phone batteries.

6.2.3 Loss of Records

Where there has been a loss of records (electronic and paper), the processes defined within Records Management Policy will be followed. Each departmental plan identifies in more detail the actions required should there be a loss of electronic/paper records.

6.2.4 Failure of Utilities – Electricity / Gas / Water Supplies

Resolution is via NHS Property Services, the CCG contact in the first instance: is NHS Property Services.

The fault should be reported and a request made as to whether they are able to give an indication of the length of time the supply will be unavailable.

If heating is lost an assessment should be made to the effect of the loss of the heating related to the time of year and the forecast temperature as to whether services can continue from the affected location.

For plumbing emergencies: contact NHS Property Services

In the event that the water supply fails the impact of the following must be assessed:

• Toilets • Hand hygiene • Drinking water

6.2.5 Loss of Building

If premises are unable to be used then services may need to be suspended or relocated. Local departmental plans will detail who to contact and measures to be taken where there is a denial of premises (including actions taken in the event of a fire or flood). The Lead for Emergency Preparedness, Resilience Response &and Business Continuity will assist in finding alternative accommodation should CCG buildings be affected.

Alternative locations for staff will include HCT HQ at Howard Court, HPFT HQ at Waverley Road, St Albans and HVCCG HQ at Hemel Hempstead. Initiation of these arrangements will be agreed by the Director of Operations (or nominated Deputy) or by agreement with the on-call Director/Manager. The Incident Control Centre Plan includes information on alternative locations where the service/activity could be delivered from in case of denial of access to Charter House and Fountain House. The plan also includes details of any provisions for staff to be accommodated overnight if the incident dictates and how this would be activated via pre-agreed arrangements.

6.2.6 Fuel Shortages

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 13 of 59

Page 15: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

In the event of a fuel shortage the ability to maintain services may be affected. If it has been necessary for the invocation of the National Fuel Plan then the Business Continuity Management Team will be convened to oversee the management of the situation within the CCG

It is unlikely there will be provision of fuel for staff to get to their work base and the responsibility for alternative travel arrangements is with the individual members of staff in discussion with their line manager.

6.2.7 Staff Shortages

The absence of staff will have a varying effect depending on their role. In some cases roles can be covered by other staff but others may be highly specialised and necessary arrangements will be detailed in departmental plans as to whether a service can continue particularly if the service depends on that person alone. Potential threats related to staff shortages include;

• Loss of staff (>25%), • Serious injury to, or death of, staff whilst in the office, • Significant absence due to severe weather or transport issues, • Pandemic flu, • Simultaneous resignation or loss of key staff.

There may be a scenario when a number of staff are all incapacitated at the same time such as pandemic influenza. The departmental manager will be responsible for assessing the impact on the ability to continue to provide a service and what contingencies can be put in place, and whether some non-critical services can be cancelled as detailed in the individual departmental plans.

6.2.8 Other

Other areas that could potentially affect departments may include the following, this list is not exhaustive:

• Terrorist attack or threat affecting the transport network or office locations • Theft or criminal damage • Chemical Contamination • Infectious disease outbreak • Industrial action • Fraud, sabotage or other malicious acts

The Severe Weather Response Plan includes details regarding the impact of severe weather (including snow, heat wave, prolonged periods of cold weather and flooding), and should be referred to in such circumstances.

6.3 Insurance/Incident Costs The insurance arrangements in place which may apply to incidents are:

• Corporate Liability Insurance • NHS Litigation Authority

The incident costs will be tracked by use of unique cost centres to assist and

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 14 of 59

Page 16: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

supplies/replacement equipment will be managed/maintained throughout the disruptive incident via a specific EP cost centre.

6.4.8 Communications and Alerts

The CCG will respond to a significant incident in line with the formal organisation Communications Strategy and processes defined within the Major Incident Plan.

The Major Incident Plan sets out the alerting mechanism for external and self-declared incidents, including trigger points and escalation procedures. If an event occurs that is so severe that alternative arrangements for the provision of care commissioned by the CCGs need to be communicated to internal and external stakeholders, as well as the local population, this will be carried out via the Assistant Director of Communications Manager after discussion with the Director of Operations.

The internal (Appendix 3) and external stakeholders that could be affected by the disruptive incident, especially around service delivery, could include the following and specific details have been included within the Business Impact Assessments:

• Providers including Primary Care, • Neighboring CCG’s, • Social Care, County and Borough Council.

The process for receiving and cascading warnings, and other communications before, during and after a disruption or significant event, and any resilient communication systems used is as follows:

• Alerts (i.e. Met Office) received into the CCG’s EPRR mailbox ([email protected]) are cascaded by the Operations Team to all Senior Managers, AD’s and Directors on-call,

• For incident management, the CCG has a secure nhs.net email account, • The Incident Control Centre Plan documents how Senior Managers, AD’s

and Directors can remotely access the account.

Mechanisms for informing the relevant partners including, but not limited to, other CCG’s, NHS care providers, and NHSE detailed in the Major Incident Plan. There is also a Hertfordshire Communications Group in place to support the management of consistent messaging to the public.

6.4.1 CCG On-Call Arrangements

The 24-hour arrangements for alerting managers and other key staff are in place as per the CCG on-call system arrangements in/out of hours, which are as follows:

• All calls centrally received to the CCG on-call phone number which is diverted to be answered the by the allocated Senior Manager/AD/Director on-call as per the centrally agreed rota

• 09:00 – 176:00 Monday to Friday (in hours) – Day Manager on-call acts as first point of contact. for any

The contact details (including relevant key stakeholders) are updated on a 6-monthly basis as part of the review of the CCG on-call folder, and HR hold a list of

Formatted: Not Highlight

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 15 of 59

Page 17: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

all staff contacts which can be accessed remotely via the intranet. 6.4.2 Local Cooperation

The Major Incident Plan documents how the independent healthcare sector may be used in a disruptive incident to assist in service delivery. It also outlines how mutual aid from other NHS providers can be requested if a disruptive incident occurs.

6.5 Record Keeping

The processes for the listed actions below will be managed in accordance with the guidance as outlined in the Major Incident Plan, including details on how the;

• organisation will maintain their incident logs, and minutes of meetings during and after the meeting,

• post incident report will be produced including how a debrief will be held to identify lessons,

• lessons identified from the incident will affect future plans.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 16 of 59

Page 18: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Appendix 1 Business Continuity Management Policy Statement “Business Continuity Management (BCM) is an important part of NHS East &and North Hertfordshire CCG’s risk management arrangements. The Civil Contingencies Act (CCA) 20041 identifies all CCGs as ‘Category 2 Responders’, and imposes a statutory requirement on each CCG to have robust BCM arrangements in place to manage disruptions to the delivery of services.

It is the policy of NHS East &and North Hertfordshire CCG to develop implement and maintain a Business Continuity Management System (BCMS) in order to ensure the prompt and efficient recovery of our critical activities from any incident or physical disaster affecting our ability to operate and deliver our services in support of the NHS economy.

The aim of Business Continuity Management is to prepare for any disruption to the continuity of the business, whether directly - i.e. within the responsibility control or influence of the business, or indirectly - i.e. due to a major incident occurring to a partner, supplier, dependent or third party, or from a natural disaster.

It is recognised that plans to recover from any disruption must consider the impacts not only to our staff, premises, technology and operations, but that NHS East &and North Hertfordshire CCG must also plan to maintain its brand, status, relationships and reputation.

Business Continuity arrangements should ensure that the CCG continues to meet i t s legal, statutory and regulatory obligations to its staff and to its dependent stakeholders. All NHS East &and North Hertfordshire CCG departments are to continue to develop and implement BCM for their areas of business.

In order for this to be achieved, members of each department have been nominated as Business Continuity Leads to represent their part of the business for Business Continuity Management. These individuals are responsible for reviewing and maintaining the departmental Business Continuity arrangements within the CCG. To ensure that the BCMS fully meets the changing needs of the business all Business Continuity Plans will be exercised, reviewed and audited annually.

In accordance with the NHS England Guidance2, NHS East &and North Hertfordshire CCG BCMS will be in accordance with and aligned to the ISO 223013.”

…………………………………………………… …………………………… Lesley WattsBeverley Flowers Date Accountable Officer

1 NM Government (2004) Civil Contingencies Act 2 NHS England (2013) Board Business Continuity Framework 3 ISO 22301 Societal Security - Business Continuity Management Systems – Requirements

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 17 of 59

Page 19: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Appendix 2 Business Recovery Template Reason for Invoking Plan: Date: Time: Brief Summary of Situation: Department/s Affected: Other Organisations Involved / Alerted: Date:

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 18 of 59

Page 20: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Actions Required (including Resources)

By Whom Communication requirements

Status update

Immediate:

Within 8 Working Hours:

Within 1 Working Day:

Within 3 Days:

Within 1 Week:

Situation to be reviewed every ……….. hrs / ……. days

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 19 of 59

Page 21: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Appendix 4 Business Impact Assessments

Version: Ratified by: Date ratified: Job title of originator/author: Name of responsible committee/individual: Accountable Officer Date issued: Review date: Target audience: All CCG staff

* The full Business Impact Assessments can be accessed via the local network drive: (add hyperlink)

CRITICAL FUNCTIONS*:

Operations Directorate p • Continuing Healthcare p.

Nursing and Quality Directorate: • Quality Team p. • Human Resources p. • Governance and Corporate Affairs p.

Strategic Partnerships Directorate: • Strategic Planning (including Programme Office) p. Finance Directorate: • Finance (including Financial Services, Contracting, Information Team) p. • Governance and Corporate Affairs p. •

Commissioning Directorate p. • Pharmacy and Medicines Optimisation p.

• Strategic Planning (including Programme Office) p.

Chief Executives Office: • Communications (including Engagement) p.

HBL ICT p.

Contingency - Priority for the Restoration of Services [Recovery Time Objective (RTO)]:

1. Critical: Immediate Response - Danger to staff and/or patients. Prevents provision of an

essential service/function 2. Urgent: Within 8 hours – Will degrade to ‘Critical’ if not addressed within this time band 3. Essential: Within 24 hours – Major disruption – no danger to staff and/or patients. Does not

prevent provision of an essential service/function 4. Important: Within 3 days – Will affect services without causing danger to patients 5. Necessary: Within 7 days – Minor disruption to services 6. Routine: Within 14 days – Will not directly disrupt services but will cause inconvenience

Formatted: Indent: Left: 1.27 cm, No bullets or numbering

Formatted: Indent: Left: 1.27 cm, No bullets or numbering

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 21 of 59

Page 22: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

7. Non-Urgent: Within 28 days – Will involve non-urgent repair

Directorate/Team: Operations Directorate:

Operations and Resilience Team

Key Contacts: Sharn Elton – Director of Operations Jo Burlingham – Assistant Director of Operations and Resilience Phil Lumbard – Assistant Director Urgent Care Gerry Moir – Assistant Director Performance Jo Field – Head of Performance

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Provide System Leadership Quality of services and experiences of our patients System oversight

A2 – Maintain emergency and day to day operational management

Quality of services and experiences of our patients System oversight

A3 – Maintain on call response in and out of hours

Quality of services and experiences of our patients System oversight

A4 – Maintain category 2 responder role Quality of services and experiences of our patients System oversight

B – Activities which could be scaled down if necessary

B1 – Performance oversight and delivery Quality of services and experiences of our patients System oversight

C – Activities which could be suspended if necessary

C1 – Attendance at external meetings where the CCG is a partner

Partnership working Service developments/Decision Making

Directorate/Team: Operations Directorate:

Continuing Healthcare

Key Contacts: Sharn Elton – Director of Operations Chris Badger – Interim Director of Strategic Planning Alison Sansom – Assistant Director CHC

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Ensuring CHC functions are performed in relation to procurement of care to support patient flow through system

A2 – Responding to new fast track referrals (adults and children case management of care packages) to ensure safeguarding

If not responded to on the same day there could be a risk to patient care as these are urgent cases

B – Activities B1 – Ensuring CHC functions are

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 22 of 59

Page 23: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

which could be scaled down if necessary

performed in relation to agreeing funding for children with complex care and contract management B2 – Responding to new non-fast track referrals (adults and children case management of care packages)

B3 – Ensuring eligibility and maintenance of Funded Nursing Care process

Local authority my not be reimbursed with the fees in a timely manner

C – Activities which could be suspended if necessary

C1 – Case management/review to ensure appropriate patient placement and allocation of CHC funding

Patients may not be appropriately placed, or continued payment for CHC where not/no longer eligible

Directorate/Team: Nursing and Quality Directorate:

Quality Team

Key Contacts: Sheilagh Reavey – Director of Quality and Nursing Cath Slater – Associate Director, Quality and Patient Experience Jessica Linskill – Lead Nurse, Quality

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Responding to urgent safeguarding alerts, issues

If alerts, issues not actioned potential safety risk to patients

A2 – Complaints and PALS; responding to and actioning urgent concerns raised

If urgent issues not addressed, potential harm to patients could occur

A3 – Hotline enquiries relating to patient safety or urgent issues

If urgent issues not addressed, potential harm to patients could occur

A4- Serious Incidents; any new SIs identified to be shared with providers for immediate action and investigation

If urgent issues not addressed, potential harm to patients could occur

B – Activities which could be scaled down if necessary

B1 – To ensure statutory functions are maintained for safeguarding adults and children

Statutory requirements may not be met

B2 – Complaints and PALS; routine processing of enquires received

Local and national targets may not be met, patients dissatisfied with service provided and concerns remain unresolved.

B3-Serious Incidents; co-ordination and review of provider SIs

National timescales may not be met. Risk that quality issues in provider RCAs may not be identified, affecting learning from SIs

B4- Hotline; processing of routine enquiries

Risk that local targets will not be met. GPs dissatisfied with service and key themes not identified.

B5- Quality Assurance; undertaking Quality Review Meetings, Quality Visits, analysing and monitoring providers in relation to quality standards

Lack of assurance to CCG, may be delay in identifying quality issues.

B6- Individual Funding Requests, Prior Approval and Choice; processing of funding requests and providing patient

Risk that procedures will be undertaken that would not have been approved for funding. Risk

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 23 of 59

Page 24: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

choice service that patients will not be offered choice.

C – Activities which could be suspended if necessary

C1 – CQUIN/ Quality Schedules; on-going monitoring and contract negotiation cycle

Lack of development of schemes could affect future provider contracts. Performance issues may not be identified in a timely way, however key issues would be identified via alternative functions.

C2 – Regular reporting to Quality Committee, Board, localities etc.

Low risk, key issues and headlines would be shared with committees and Board as required.

Directorate/Team: NURSING AND QUALITY DIRECTORATE:

Human Resources

Key Contacts: Sheilagh Reavey – Director of Nursing and Quality Anne Ephgrave – HR ManagerHead of Human Resources Jenny Holland – Senior HR Advisor

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Delivering statutory functions, including staff pay

If staff are not paid on time, it may result in difficulties regarding their personal situation and/or non-/limited working

A2 – Performing HR functions ensuring ability to respond to basic HR issues and concerns, including staff wellbeing

Risk of employment tribunal if could not perform HR functions.

A3 – Maintenance of HR compliance for safety of the organisation and staff

Risk of litigation and fines from violation of regulations and lack of compliance.

A4 – Management of formal ER cases/issues

Legal challenge where management is not within set timescales.

B – Activities which could be scaled down if necessary

B1 – Recruitment of staff to core functions

Potentially a gap if critical core functions not recruited to (clinical safety, staff wellbeing)

B2 – Reporting to the Executive regarding adherence to statutory governance arrangements

Risk of being unable to roll out a statutory change within required timeframe.

B3 – Informal ER cases/issues Potential to escalate to a formal review where not managed within set timescales

C – Activities which could be suspended if necessary

C1 – Corporate Induction training programme

Risk new starters wouldn’t receive some of their mandatory training and not gain the understanding of how

Formatted: Font: 10 pt, Bold

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 24 of 59

Page 25: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

the CCG operates. C2 – Policy reviews Risk that they would not be

conducted within required time frame.

C3 – Mandatory Training such as IG training & Learning and Development.

Risk of IG breach due to lack of training and non-compliance with regulations.

C4 – Joint partnership forum Risk of industrial action. Directorate/Team: Finance Directorate:

Financial Services, Contracting, Information Team

Key Contacts: Alan Pond – Chief Finance Officer Noreen Coles – Deputy Chief Finance Officer Edward James – Assistant Director Financial Services Holly Fairhurst – Assistant Director of Contracts David Hodson – Head of Information

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Management of the DoS DoS unable to be re-profiled A2- Authorisation for patient transport Delays to authorising transport

requests A3 – Payments to key suppliers / NHS Trust and other healthcare providers

Payments to staff, key supplies to services & service disruption

B – Activities which could be scaled down if necessary

B1 – Access to invoicing and payments system within 3 days

Impact on ability to manage the CCG with risk of statutory requirements not being met and other financial objective not being achieved

B2 – Monitoring financial position within 3 days (within 1 day if within first week of month)

Unable to provide support to provider organisations

B3 – Monthly reports to NHSE and Annual Accounts (if the latter in March or April)

Loss of reputation, failure to achieve CCG statutory duty

B4 – Finance support to commissioning Loss of financial control/delays in agreeing contracts if January/February/March

B5 – Financial planning Delays in agreeing investments/savings/contracts

B6- Response to FOIs Delay in responding to FOIs B7- Sending monthly validations to Providers

Financial loss to CCG if providers are not in agreement to revise deadlines for validations to be submitted

B8- Contract sign off No contract in place between CCG and Providers

B9- Enacting Contract Levers (Information Breach Notices and

Delays to implementing contract levers

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 25 of 59

Page 26: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Contract Performance Notices) B10 Scale down payments frequency and move to urgent payments only

Loss of Reputation. Cash flow issues to small suppliers. Possible impact on delivery goods and services.

B11 Extend the time between reviewing and reconciling ledger to key control accounts

In the short term ledger may not be a true reflection of spend. Cash forecast targets may not be achieved

C – Activities which could be suspended if necessary

C1 – Monthly reports to Governing Body and localities

Loss of financial control if long period

C2 – Finance support to business cases and localities

Delays in proceeding with investments or wrong decisions taken

C3 – Production of monthly budget statements re running costs

Loss of financial control if long period

C4 – Attendance at Contract Review Meetings with Providers

Unable to hold Providers to account and implement contractual levers where required

C5 – Credit control Short term cash issues Directorate/Team: Nursing and Quality DirectorateFinance Directorate:

Governance and Corporate Affairs Team

Key Contacts: Alan Pond – Chief Finance Officer Sheilagh Reavey – Director of Quality and Nursing Sarah Feal – Company Secretary Richard Steadman – Interim Head of Risk Management

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Manual divert of the on-call number twice daily (09:00 and 16:00) Day to day management of On-call rota

Risk that in and out of hours response will not be available centrally

A2 – Letter of claim related to C3 needs to be sent to NHSLA within 24 hours

Risk that CCG will not be adequately protected from legal claims

B – Activities which could be scaled down if necessary

B1 – Coordination of FOI responses (target of 85% within 20 days)

If target not met, action could be taken by Information Commissioners Office

B2 – Reporting of IG breeches (need to notify ICO within 48 hours)

If target not met, action could be taken by Information Commissioners Office

B3 – Administration of meetings – minutes/ papers for the Governing Body, Governance and Audit Committee, Quality Committee, IG Forum

Loss of record of accountability / decision making/ record keeping / public record

B4 – Managing Conflicts of Interest Requirement to declare in accordance with Health and Social Care Act. CCG Constitution requirement to keep register up to date.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 26 of 59

Page 27: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

C – Activities which could be suspended if necessary

C1 – Provision of Training (Risk Management, including Health and Safety)

Statutory and Mandatory training requirement may not be met

C2 – Managing Gifts and Hospitality Register

Reporting requirement to Governance and Audit Committee

C3 – Coordination of Clinical Negligence Cases from Solicitors to enable reporting to NHSLA

48 hours pass legal papers on to NHSLA, but not official target14 day turnaround with NHSLA

C4 – Updating of policies/procedures Staff wellbeing - access to current guidance

C5 – Coordination of the Strategic Risk Register and Risk Controls Assurance Dashboard updates

Information may not be current, however updated three times/year quarterly, low risk

C6 – Coordination of Internal Audit reports/recommendations

Head of Internal Audit opinion, if the CCG can’t provide assurance for implementation of recommendations

Directorate/Team: Commissioning Directorate:

Commissioning Team

Key Contacts: Harper Brown - Director of Commissioning Trudi Southam - Interim Associate Director Planned Care Helen Edmondson - Associate Directorate Commissioning and Locality

Development James Gleed - Associate Director Commissioning Primary Care

Projects

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Coordination of Primary Care Capacity and Liaison with Area Team (NHSE)

Managing access to primary care and impact on secondary care, A&E etc.

A2 – Responsiveness to commissioned services for urgent patient specific queries/clinical management

Impact on timeliness in providing advice

A3 – Urgent communications to Primary Care

Public Health Communications / Significant Service Provision Failure / Serious Incidents

A4 – Primary Care Quality Assurance

Delay in investigating / resolving patient safety concern.

B – Activities which could be scaled down if necessary

B1 – Approval mechanism to authorize payments by finance directorate

Impact on ability to meet financial obligations re payments and risk of Primary Care service disruption

B2 – Management of Locality Meetings and Target Events

Impact on ability to maintain clinical engagement and locality focused commissioning/decision making

B3 – Service Redesign/Development Programmes

Delay in delivery of quality and performance improvements

B4 – Performance monitoring for CF Risk that local targets will not be monitored against agreed

Formatted: List Paragraph, Indent:Left: 0.19 cm, Bulleted + Level: 1 +Aligned at: 0.63 cm + Indent at: 1.27cm

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 27 of 59

Page 28: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

/Enhanced Services timescales. B5 – Research management and development

Failure to discharge statutory duties with resultant loss of income/ delay to clinical studies.

C – Activities which could be suspended if necessary

C1 – Non urgent meetings Disruption to CCG/Directorate programme of work

C2 – Strategic healthcare estates planning

Failure to meet DH Target dates and missed opportunities to secure national funding.

Directorate/Team: Commissioning Directorate:

Pharmacy and Medicines Optimisation Team

Key Contacts: Harper Brown – Director of Commissioning Pauline Walton - Interim AD & Head of Pharmacy & Medicines

Optimisation Sue Russell - Lead Pharmacist (CCG Localities) Stacey Golding - Lead Pharmaceutical Advisor - Governance Maxine Davis - Lead Pharmaceutical Advisor - Care Prescribing Colin Sach - Lead Pharmaceutical Advisor - Acute Commissioning

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – The provision of clinical support and personnel for ‘front line’ patient facing services at times of pandemic and/or other public health emergencies

Inappropriate/delayed clinical advice and treatment Financial risk

B – Activities which could be scaled down if necessary

B1 – To ensure the provision of expert prescribing advice in a timely manner to GP practices, non-medical prescribers, pharmacists, Acute and MH Trusts etc

Clinical risk, financial risk, reputational risk

B2 – To ensure the strategic oversight of medicines optimization and patient safety B3 – The provision of expert advice concerning the map of medicine

B4 – Non medical prescribing approval of applications and support for prescribers and dispensers around all primary care secure and non-secure supplies Non medical prescribing approval of applications B5 – Local/national initiatives such as raising antibiotic awareness

B6 - Signing off invoices B76 – The provision of weekly clinical support to intermediate care beds in Jubilee Court (Stevenage) and Garden City Court Care Home (Letchworth)

No medicines reconciliation, patients in intermediate care not receiving the correct medicine. Contractual obligations to Quantum Care

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 28 of 59

Page 29: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

B87 – Individual treatment requests, high cost drugs and invoice validation

Financial risk if drugs are funded that would not normally be approved. In breach of NICE guidance Risk of judicial review Reputational risk

B98 – The provision of expert advice to CCG commissioners on the managed entry of new medicines and medical devices

B9 - To provide expert professional advice regarding pharmacy contractors through an SLA with NHS England

Clinical risk, contractual risk, legal risk

B10 - Discharging the statutory functions of the controlled drugs accountable officer (through an SLA with NHS England) B101 – Clinical medication reviews of care home patients – Vanguard Project

Limit to responding to urgent queries from the quality team. Risk of not meeting outcomes required by Vanguard

B12 - Signing off invoices C – Activities which could be suspended if necessary

C1 – The oversight of every aspect of financial management in respect of prescribing and medicines usage

C2 – Locality prescribing meetings, Hertfordshire Medicines Management Committee, Primary Care Medicines Management Group

C3 – Monitoring of prescribing, key performance indicators

Directorate/Team: Strategic Planning (including Programme Office)

Key Contacts: Chris Badger – Interim Director of Strategic Planning

Beverley Flowers – Accountable Officer Harper Brown – Director of Commissioning Jacqui Bunce - Associate Director of Strategy Grant Neofitou – Head of Programme Office

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

B – Activities which could be scaled down if necessary

B1 – Administration of meetings – minutes/ papers for Joint Commissioning Body, OPD, Long Term Conditions Committee

Loss of record of accountability / decision making/ record keeping / public record

B2 – Attendance at meetings Loss of face to face to contact as part of normal business processes

B3 – Telephone access Reliance on email or face to face contact with relevant colleagues

C – Activities which could be

C1 – Reporting of projects and work streams

Lack of information to commission and plan services.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 29 of 59

Page 30: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

suspended if necessary

C2 – Usual place of work Not all staff have remote access working

Directorate/Team: Chief Executive Office:

Communications (including Engagement)

Key Contacts: Beverley Flowers – Accountable Officer Hari Pathmanathan - Chair of Governing Body Nuala Milbourn – Assistant Director Communications Heather Marshall – Communications Manager Ewan Marshall – Web development and digital communications officer Lynda Dent – Head of Patient Engagement Mark Edwards – Patient engagement manager

Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 - Communications to GP practices about service disruption, service suspensions or other issues affecting business continuity. Including :-

1. Acute in-hours home visiting service

2. Problems with capacity at the hospital trust

3. Appeals for doctors to assist with additional shift with Herts Urgent Care

4. Information about industrial action

5. Severe weather advice and guidance

6. Loss of referral routes or services due to factors outside of the CCG’s control

This would mean that GPs would be unaware of the service disruption, suspensions or other issues resulting in :- - Continuing to refer very poorly patients to the acute in-hours visiting service when there is no capacity for them to be visited at home. -Continuing to refer to patients to A&E where they could experience a long wait for treatment. As a result they might not seek alternative treatment pathways for their patients. - GP practices would not be able to encourage GPs to make themselves available for additional shifts to help Herts Urgent Care to deliver services at pressurised periods. CCG guidance on the implications of industrial action for primary care would not be issued directly to practices. Severe weather information and advice for patients and practices – such as heatwave information for vulnerable patients or changes to pathology sample collection times due to bad weather, could not be issued Urgent changes to referral information, such as a loss of a particular fax or phone number due to technical problems, could

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 30 of 59

Page 31: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

not be communicated to practices, which would mean that patients would not be able to access the services they need.

A2 - Communications to the public and the media via the CCG’s website, the New QEII Hospital website, media releases and social media about service disruption, service suspensions, epidemics, heatwaves or other issues affecting services the public rely on, e.g

1. Disruption to GP services 2. Disruption to hospital services 3. Disruption to pharmacy services 4. Proactive and reactive

communications to the media about issues which could have a negative impact on the CCG’s reputation as a commissioner of NHS services

5. Proactive and reactive communications to the public and the media about circumstances which could have a significant impact on health and wellbeing, such as a heatwave or the outbreak of an infectious disease.

Patients and carers would not be aware of the following should they occur. - That their planned or emergency GP services are not available -That their planned or emergency hospital visits would not be possible - That they could not visit the pharmacy to collect essential medication. -The CCG’s stakeholders and the public would lose confidence in the organization - That they should take precautions or positive action to protect their own health and the health of the family, friends and neighbours

A3 - Communications to GPs and health professionals on policy and protocol updates, including:

1. Updating the Beds and Herts priorities forum, which is accessed through the CCG’s website

2. Supply urgent briefing material in response to requests from NHS England’s Parliamentary hub

Clinicians across Beds and Herts would not have the up-to-date referral information that they need for patients.

ENHGCC would not be able to account for its actions to Ministers and MPs in the House of Commons.

A4 - Communications with other NHS organisations, provider organisations and public sector partners on issues of significant mutual concern and interest where a joined-up approach to messaging is required.

There is a risk that important messages both within the health system and beyond would not be coordinated effectively, leading to public confusion or unnecessary duplication.

B – Activities which could be scaled down if necessary

B1 - The GP bulletin could be produced more quickly as a word document.

Some of the functionality of the GP bulletin, such as the open rate information and information on which articles have been read, would be lost

B2 - The staff magazine could be replaced by all-staff emails covering urgent issues specifically.

Staff morale could be negatively affected and the open rate of all-staff emails could decrease.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 31 of 59

Page 32: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

B3 - Proactive campaign and event work could be scaled down.

The impact and reach of the CCG’s own campaigns and our support for national campaigns would be diminished. This would mean that fewer people receive important health and wellbeing information

B4 - The extent of partnership communications work could be scaled back.

This could lead to confusion and duplication of messages or important messages being missed.

C – Activities which could be suspended if necessary

C1 The weekly staff round-up email could be suspended

Staff would not be as aware of policy updates, health stories in the media or training sessions.

C2 The Friday learning hours

Staff would not be as aware of ‘bigger picture’ health and social care information which could have a positive impact on their day-to-day work or personal circumstances.

C3 The design and printing of leaflets could a) be contracted out to an agency or b) information could be provided on simple word documents instead

This would be more costly and would probably take up more officer time than producing leaflets in-house. Information that is produced to a lower quality might not be as valued or trusted by patients.

C4 Suspension of patient and carer member meetings

Patient and carer members would not be aware of the issues facing local health services and communicate that to their communities

Directorate/Team: HBL ICT

Key Contacts: Phil Turnock – HBL ICT Shared Services Director

Simon Carey - Assistant Director HBL ICT, Business Relationships & Assurance

Keith Fairbrother – HBL ICT Head of Infrastructure Essential/Priority activities undertaken: Risk to activities: A – Activities which must be continued

A1 – Infrastructure as a Service Loss of Datacentre, loss of networks

A2 –Service Desk as a Service Loss of IaaS, loss of telephony A3 – RA and SmartCard Loss of IaaS, loss of site

B – Activities which could be scaled down if necessary

B1 – Procurement, Finance Loss of Iaas, loss of site B2 – Asset Management Loss of IaaS,

C – Activities which could be suspended if necessary

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 32 of 59

Page 33: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 33 of 59

Page 34: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Business Impact Assessment Summary

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3 A1 - A4B1 - B6 C1 - C2

A1 – A4B1 – B3C2

B1, B2 B1 A1B2C1

B1, B2, B3, B4, B6, B7, B8, B9,B10, B11

A1-A3,B1-B5

All A1,A3,A4, B2,C1,C4

4 A1-A4

5

6

7

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT SystemsLoss of email

Use of NHS.net if available Prioritise responses in terms of date Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Use of telephone system, Application portals Network and service monitoring in place. Failover to alternative datacentre Communications team needs access to outlook web via Ipad.

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 34 of 59

Page 35: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3 A2 B8,B9 A1-A4, B1-B4,C1-C4

4 A1 – A4B1 – B6 C1 – C2

A1B1C3

C4 C2 A1A2B2

B1-B5,C1-C3, A1, B10, B11

B3,B5 A1,B1-B7B10C1-C3

5 A2-A3C3

6 A1-A4

7

Loss of internet

Network and service monitoring in place. Failover to alternative datacentre Hard copy also posted Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 35 of 59

Page 36: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1

2 All A1

3 B8,B9

4 A1B1,B3C2

5 A1-A4 A1 – B6C1 – C2

A4 B3C2 to C6

C1 C1 B1-B5, C1-C3, B8-9

B4,C1 A1,B1-B7B10C1-C3

B1,B2

6

7 C1

Loss of Microsoft Office

Copies of key documents stored in PDF format Use of other programmes and saving formats Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 36 of 59

Page 37: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1

2

3 All A1

4 A1-A4 A1 – A4B1 – B6C1 – C2

B1C2C4

B3C1 to C6

C1 C1 B1-B5, C1-C3,B8, B9, B10, B11

B3,B4 All A3,B1,B2,C3,C4

5

6

7

Loss of access to stored documents (servers)

Where available, use of hard copies, desk-top, and email attachments Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Copies of key documents stored on alternate servers and on intranet

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 37 of 59

Page 38: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All N/A N/A N/A

2

3 A1 All B8,B9

4 A2 – A4B2 – B4B6

B1-B3, C1, C3,A1, B7, B10, B11

A1,B1-B7B10C1-C3

5 A1-A4

6 A1-A4,B1-B4C1-C3

7

Loss of individual IT systems/ applications

Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Copies of key documents stored on alternate servers and on intranet Recover from backup Restoration of QA plus for CHC team Use of alternative desktop/laptop/other IT interface. Backup system Waverly Road ESR can be accessed remotely via the internet

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 38 of 59

Page 39: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3 A1-A4B1-B3C1-C4

B8,B9 A1-A4B1-B4C1-C3

4 A1-A4 A1 – A4B2 – B6C1 – C2

B1 to B4C1 to C6

B1 to C2 A1A2B2

A1, B1-B11, C1-C3,

B1-B5 A1,B1-B7B10C1-C3

5

6

7

Major IT network outage

Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Use of telephone and hard copies Backup system Waverly Road

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Failure of IT Systems

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 39 of 59

Page 40: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All N/A N/A

2

3 A1-A4

4 A1-A4 B2-B6 All A2,B10,B11 A1-A3B2

All A2,A4

5

6 C1-C2 All

7

Failure of TelecomsLoss of telephone communication

Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Use of email and mobile phones Network and service monitoring in place. Failover to alternative datacentre

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 40 of 59

Page 41: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All A1 B3 N/A N/A

2

3 All A2,A4

4 A1-A4 A1-B6 A1-A3B2

5

6 C1-C2 All

7

Mobile telephony failure

Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment Use of email, landlines & post. Network and service monitoring in place. Failover to alternative datacentre For on-call ICT to complete central divert . If mobile network is not working = a) Divert to landline,b) Use another landline number, communicate to NHSEIf mobile network is working but divert function fails = On-call switchover phone physically passed from one manager to another

Failure of Telecoms

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 41 of 59

Page 42: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 N/A

2

3 All All

4 A1-A4 A1-B6 B1C2C4

B1 - B4C1 - C6

B1 - C2 B1-B9,C1-C3

A4B3-B4

All

5

6 C1-C2

7

Loss of RecordsLoss of electronic reports

Alternative copies stored on email Back up important documents and retain hard copies. Copies of key documents stored on alternate servers and on intranet Report to HBLICT Service Desk - Managed in accordance with actions identified within the ICT Business Impact Assessment

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 42 of 59

Page 43: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 N/A N/A

2

3

4

5

6 A1-C2

7 A1-A4 All B3C4

C1 C1 B8,B11 B4 B6,B7,B8

Loss of RecordsLoss of paper records

Use electronic copies Version control and document stroage processes. Back up important documents

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 43 of 59

Page 44: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3 A1-A4B1-B4C1-C4

4 A1-A4 A1-B6 A4,B1,B3,C1,C3,C4

A1B1 -B4C1 - C6

All A1A2B1

A1, B7, C4B10,B11

C1 All

5

6 C1-C2

7

Failure of UtilitiesFailure of Utilities

Use alternative premises:HCT,ENHT,HPFTCounty Council,HVCCG,Home working,VPN and RAS Denial of site - RAS token access for users Failover to alternate datacentre Telephone conferencing ICC plan identifies mutal aid provision with HVCCG Increase communication and maintain team stability Prioritise essential tasks in 24hr time frames. Review roles of team to ensure efficient use of resources

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 44 of 59

Page 45: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3 A1-A4B1-B4C1-C4

4 A1-A4 A1-B6 A1-A4,B1-B3,C1-C4

A1B1 - B4C1 - C6

C2 A1A2B1

A1-A2, B7, B10B11,C4

C1 All

5

6 C1-C2

7

Loss of buildingDenial of premises

Use alternative premises:HCT,ENHT,HPFTCounty Council,HVCCG,Home working,VPN and RAS Telephone conferencing Denial of site - RAS token access for users ICC plan identifies mutal aid provision with HVCCG Increase communication and maintain team stability Prioritise essential tasks in 24hr time frames. Review roles of team to ensure efficient use of resources Managed in accordance with tenancy agreement with NHS Property Services

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 45 of 59

Page 46: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 All

2

3

4 A1-A4 A1-B6 A1-A4,B1-B3,C1-C4

A1B1 - B4C1 - C6

C2 A1A2B1B2

A1-A2, B7,B10,B11

C1 All A1-A4B1-B4C1-C4

5

6 C1-C2

7

Fire or Flood

Use alternative premises:HCT,ENHT,HPFTCounty Council,HVCCG,Home working,VPN and RAS Denial of site - RAS token access for users Failover to alternate datacentre Telephone conferencing ICC plan identifies mutal aid provision with HVCCG Increase communication and maintain team stability Prioritise essential tasks in 24hr time frames. Review roles of team to ensure efficient use of resources

Loss of building

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 46 of 59

Page 47: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1

2

3

4 All

5 A1-A4 A1-C2 A1-A4,B1-B3,C1-C4

A1B1 - B4C1 - C6

C2 A1A2B1

A1-A2,B7B10,B11

C1 All A1-A4B1-B4C1-C4

6

7

Fuel shortagesFuel shortages

Use alternative premises:HCT,ENHT,HPFTCounty Council,HVCCG,Home working VPN and RAS Denial of site - RAS token access for users Telephone conferencing ICC plan identifies mutal aid provision with HVCCG Increase communication and maintain team stability Prioritise essential tasks in 24hr time frames. Review roles of team to ensure efficient use of resources

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 47 of 59

Page 48: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1

2 All

3

4 All B8,B9

5 A1-A4B1-B4C1-C4

6 A1-A4 A1-A4,B1-B3,C1-C4

7 A1-A4B1-B6C1-C2

A1B1 - B4C1 - C6

All A1-A2,B2-B11,C1,C3,C4

A1-A4B1-B5

A1,B1-B7B10,C1-C3

Simultaneous resignation or loss of key staff

Re-assign tasks / responsibilities Formal review of portfolios Consider appointment of successor Resignation period of handover Documentation and cross training to remove SPOF Engage HR for recruitment process Use of Agency staff Review of priorities and team roles

Staff shortage/ Loss of Staff

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 48 of 59

Page 49: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1

2

3 A1-A4 A1B1 - B4C1 - C6

All A1A2

A1-A2B1-B11C1-C4

A1-A4B1-B5

All A1-A4B1-B4C1-C4

4 All A1-A4B1-B6

5

6 C1-C2 A1-A4,B1-B3,C1-C4

7

Significant absence due to severe weather or transport issues

Reassign tasks/responsibilities Severe Weather Policy Use alternative premises depending on where staff live:HCT,ENHT,HPFTCounty Council,HVCCG,Home working VPN and RAS Denial of site - RAS token access for users Telephone conferencing Prioritise essential tasks in 24hr time frames. Formal activation of the incident coordination plan In hours utilize duty manager to support critical functions Out of hours – on call director

Staff shortage/ Loss of Staff

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 49 of 59

Page 50: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 A1

2 A1-A4 A1B1 - B4C1 - C6

All A1A2

A1-A2B1-B11C1-C4

All B1-B10 A1-A4B1-B4C1-C4

3 C1-C3

4 All A1-A4B1-B6

5

6 C1-C2 A1-A4,B1-B3,C1-C4

7

Pandemic Flu

Re assign tasks/ responsibilities Home working VPN and RAS Denial of site - RAS token access for users Cross Training and Documentation removing SPOF Formal activation of the of the Incident coordination Plan Telephone conferencing Invoke Hertfordshire pandemic influenza plan In hours utilize duty manager to support critical functions Prioritise essential tasks in 24hr time frame Out of hours – on call director

Staff shortage/ Loss of Staff

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 50 of 59

Page 51: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 A1-A4 A1B1 - B4C1 - C6

All All A1-A2B1-B11C1-C4

A1-A4B1-B5

All A1-A4B1-B4C1-C4

2

3 A1-C2

4 All

5

6 A1-A4,B1-B3,C1-C4

7

Serious injury to,or death of, staff whilst in the office

Assign responsible officer Provide appropriate response Cross Training and Documentation removing SPOF Identify senior staff to provide support to individuals and teams Level and type of support will be dependent on nature of incident and individual circumstances Consider whether individual or group debrief sessions would be of benefit Reassign urgent work

Staff shortage/ Loss of Staff

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 51 of 59

Page 52: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 A1-A4 A1-A4,B1-B3,C1-C4

A1 N/A All A1-A2,B7 N/A A1 A1-A4B1-B4C1-C4

2 B1-B10

3 A2

4 All A1-B6 B1,B2

5 B3

6 C1-C2 C4 C1-C3

7 B4

OtherTerrorist attack or threat affecting the transport network or office locations

Assign responsible officer Provide appropriate response Invoke Major Incident Plan Denial of site - RAS token access for users Formal activation of Incident Co-ordination Plan Identify senior staff to provide support to individual and teams Level and type of support will be dependent on nature of incident and individual circumstances Consider whether individual or group debrief sessions would be of benefit

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 52 of 59

Page 53: Date of Meeting: 21st July 2016 Governing Body …...2016/07/21  · Appendix 4 Critical Functions of HBL ICT Shared Service 5.4 Draft Update in line with NHSE EPRR September 2015

OFFICIAL - SENSITIVE

Operations and Resilience

ICT Quality Team Human Resources

Governance and Corporate Affairs

Strategic Planning (incl. Programme Office)

Continuing Healthcare

Finance Directorate

Commissioning Directorate

Pharmacy and Medicines Optimisation

Communication (incl. Engagement)

1 A1

2 A1-A4 All All A1-A2, B6-B11C4

All B1-B10 A1-A4B1-B4C1-C4

3 All A2

4 All B1,B2

5 B3

6 C4 C1-C3

7 A1-C2 B4

OtherTheft or criminal damage

Denial of site - RAS token access for users Physical Access barriers to Office/DC Work at other location.

Threat Contingency measures and actions required

RTO in relation to risk

Risk (linked to Essential/Priority activities)

Business Continuity PlanV5.8 – Jan 2015 to Jan 2016 East and North Hertfordshire Clinical Commissioning Group

Page 53 of 59