Report Template for Business Continuity Planning
moderngov.merseytravel.uk.net/documents/s3924/report...


Upload: lynhu

Post on 23-Mar-2018


Page 1: Report Template for Business Continuity Planningmoderngov.merseytravel.uk.net/documents/s3924/Report Template for... · Business Continuity Planning (DCD\48\12) Report of the Director

Business Continuity Planning (DCD\48\12)

Report of the Director of Corporate Development

1. Introduction

1.1 The purpose of this report is to seek approval for Merseytravel's Business Continuity Policy (Appendix A) and the Business Continuity Strategy (Appendix B). The policy document sets out the scope and approach Merseytravel will adopt whilst the strategy document will form the basis of how business continuity management is delivered in the future.

2. Background

2.1 Work towards producing a Business Continuity Plan (BCP) for the whole organisation was halted when the decision was taken to relocate to a centralised headquarters. Both the ICT Manager and the Property Services Manager, who were principal members of the Business Continuity Plan facilitation team, were tasked with working on the relocation, and production of the BCP was curtailed.

2.2 Given that the BCP proposal was based upon recovery from a crisis utilising the existing portfolio of buildings (Hatton Garden, Beetham House, Beetham Court and Georges Dock building), it was clear that a new approach would be required once the relocation was complete.

2.3 In addition, the changes in structure driven by the One Team One Family organisational development programme have had sufficient time to normalise, so production of a new BCP should now recommence.

3. Proposals

3.1 The primary objective of the BCP will be to manage potential crises in a way that reduces the likelihood of them occurring and minimises their impact should they materialise.

People, Organisational Development and Governance Delivery Committee 7 June 2012


3.2 Associated objectives are to:-

(a) Integrate business continuity management into Merseytravel's management processes and specifically the Risk Management process

(b) Prevent or reduce events that could damage reputation and public confidence

(c) Reduce losses and dependency on external insurers

(d) Protect Merseytravel's assets, employees and customers.

(e) Protect against financial loss.

(f) Demonstrate an effective Governance process

3.3 Business Continuity Management should become an integral part of Merseytravel's internal control framework, building additional resilience into existing processes, identifying potential crisis threats to the organisation and implementing appropriate activities to reduce the potential for or aid the recovery from such perils. Business continuity should not be viewed in isolation but as part of an ongoing process of risk assessment and management with the purpose of ensuring the organisation can continue to function if risks materialise.

4. Financial Implications

It is difficult to assess the full implications that this work could generate. The work in producing the BCP will incur staff time but should generate benefits in operational efficiency through increasing resilience. Any additional expenditure required to meet the BCP will be subject to a separate reporting and approval process.

5. Equality Impact Assessment

A rapid screening has been completed and there are no adverse outcomes.

6. Environmental Implications

The planning process itself will not have any environmental impact but the proposed plans may. Therefore the proposed plans will be shared with the Environmental Team and their guidance sought.

7. Risk Implications

Whilst the risk of a major incident may be very low, its impact could be catastrophic in a number of ways: personal injury or death, performance delivery, financial loss, etc. Merseytravel has in place processes and procedures to manage, minimise and mitigate such risks but does not have a coordinated approach to how the organisation should recover from such instances.


8. Conclusions

8.1 "It won't happen to us", "We will cope – we always do", is a frequent response to why organisations have failed to prepare for a crisis. Others believe their insurance company will pay for everything and others that they haven't got the time to prepare for something that may never happen. The catalogue of organisations that have failed following an incident suggests that these responses are based on false assumptions.

8.2 Whilst bombs, fires and floods capture the headlines, almost 90% of business-threatening incidents are 'quiet catastrophes' which go unreported in the media but can have a devastating impact on an organisation's ability to function. Many of the causes are outside of an organisation's control and they are often at the mercy of the emergency services or suppliers who define the timescale of an interruption.

8.3 The main purpose of BCM is to ensure that the organisation has a response to major disruptions that threaten its survival. Whilst this must be worthwhile in itself, there are other benefits that can be gained by embracing BCM as a management discipline.

Merseytravel is a Category Two responder and would be involved in any response that affects the transport sector. The implementation of an effective Business Continuity Strategy will serve to provide additional robustness to Merseytravel's ability to meet our role and responsibilities under the Civil Contingencies Act 2004.

The primary driver for business continuity planning should be that it will add value to the organisation and the services we deliver by:-

(a) undertaking a thorough review of the business through Business Impact Assessments and

(b) conducting reviews that can highlight business inefficiencies and

(c) focussing on priorities that would not otherwise have come to light.

9. Recommendations

It is recommended that Members:-

(a) approve the Business Continuity Policy and Strategy attached as Appendix A and

(b) agree that updates are provided to this Committee at six monthly intervals monitoring the deployment of the strategy.


Background Papers
None

Report Prepared By
Keith Eustace, Head of Governance

Contact for Media and Public Enquiries
Ian Kenyon, Head of Media and Communications


Merseytravel

Business Continuity Policy

Document Title: Business Continuity Policy
Document Owner: Head of Governance
Author: Keith Eustace
Document Version: v1.0
Approved By: POD&GD Committee
Created Date: May 2012
Review Date: May 2013


This document is confidential and the property of Merseytravel. It may not be reproduced or used for any other purpose than that for which it is supplied without the written permission of Merseytravel.

Uncontrolled when printed – for latest version please check One Place

Commencement date of the policy and date of any revisions and defined review intervals

This policy will become active on 1 July 2012 and continue in operation until superseded. Merseytravel's Business Continuity Policy and Strategy will be reviewed on an annual basis by the Risk Management Forum and reported to Members. The internal control procedures which include the business continuity management process will be evaluated for effectiveness annually as part of the production of the Annual Governance Statement.

Purpose of Policy

The policy aims to ensure Merseytravel has a planned and systematic approach to identify, evaluate and manage the whole range of potential crises facing the organisation. Merseytravel is committed to providing the people of Merseyside and visitors to the City Region world class transport services that are of high quality and delivered in the most efficient and cost effective way. However, Merseytravel recognises that events occur that can impact on the organisation's ability to deliver its services. Whilst it's easy to think of large scale disasters such as a large road/rail/ferry accident that attracts the media's attention, for most organisations the cause of a crisis is more likely to be a localised incident. Such events could include fire, loss of power, flooding, staff shortages (pandemics), severe weather, loss of a building, denial of access to a facility, etc. The probability of a crisis occurring is uncertain and hopefully remote but by having good arrangements in place Merseytravel will be in the best position to recover.

Policy Statement

A Objectives

The primary objective is to manage potential crises in a way that reduces the likelihood of them occurring and minimises their impact should they materialise.

Associated objectives are to:-

Integrate business continuity management into Merseytravel's management processes and specifically the Risk Management process


Prevent or reduce events that could damage reputation and public confidence

Reduce losses and dependency on external insurers

Protect Merseytravel's assets, employees and customers.

Protect against financial loss.

Demonstrate an effective Governance process

Business continuity should not be viewed in isolation but as part of an ongoing process of risk assessment and management with the purpose of ensuring the organisation can continue to function if risks materialise.

B Business Continuity Management and the System of Internal Control

The System of Internal Control refers to the policies, codes, checks and balances devised by management to help ensure the organisation's objectives are achieved in a manner that promotes the economical, efficient and effective use of resources and ensures the organisation's assets and interests are safeguarded.

Business Continuity will become an integral part of Merseytravel's internal control framework, building additional resilience into existing processes, identifying potential crisis threats to the organisation and implementing appropriate activities to reduce the potential for or aid the recovery from such perils.

C Civil Contingencies Act 2004

Part 1 of the Civil Contingencies Act 2004 establishes a clear set of roles and responsibilities for those organisations involved in emergency preparation and response at the local level. The Act divides local responders into two categories, imposing a different set of duties on each.

Merseytravel is a Category Two responder and would be involved in any response that affects the transport sector. The implementation of an effective Business Continuity Strategy will serve to provide additional robustness to Merseytravel's ability to meet our role and responsibilities under the Act.

Scope

This Policy will be implemented through the Business Continuity Strategy and both documents apply to all members, directors and employees.

Responsibilities

Heads of Service are responsible for maintaining effective systems of internal control which incorporate Business Continuity Management. Heads will ensure those individuals identified within a Service's Business Continuity Plans are aware of their roles and responsibilities. Heads are responsible for ensuring their plans are up to date, robust and deployed within their Service area.


Merseytravel

Business Continuity Strategy

Document Title: Business Continuity Policy
Document Owner: Head of Governance
Author: Keith Eustace
Document Version: v1.0
Approved By: POD&GD Committee
Created Date: May 2012
Review Date: May 2013


This document is confidential and the property of Merseytravel. It may not be reproduced or used for any other purpose than that for which it is supplied without the written permission of Merseytravel.

Uncontrolled when printed – for latest version please check One Place

Contents

1. Introduction

1.1 What is Business Continuity Management?
1.2 What are the objectives of this Strategy?
1.3 How will these objectives be met?

2. Strategic Aims

2.1 Strategic Aim 1: To develop and maintain a systematic and consistent approach to business continuity management.
2.2 Strategic Aim 2: To develop a culture that will support the continuous improvement of our staff’s continuity and resilience building management skills.
2.3 Strategic Aim 3: To ensure our business continuity management processes replicate best practice.
2.4 Strategic Aim 4: To provide a lead and champion business continuity with our partners.

3. Outline Action Plan: What needs to be done?


1. Introduction

1.1 What is Business Continuity Management (BCM)?

The Business Continuity Institute currently defines business continuity management as:-

"an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities."

It is important to recognise that to be the most effective, business continuity planning should be incorporated into Merseytravel's normal management processes. Just as Merseytravel's Risk Management Strategy details how risks can be identified and appropriate mitigations put in place to prevent or reduce the effect of adverse impacts, building resilience into existing processes should be recognised as good management and not as an additional burden.

"Plans are useless but planning is everything." General Eisenhower (D-Day preparations)

1.2 What are the objectives of this Strategy?

This strategy seeks to ensure:-

(a) business continuity and resilience building becomes an integral element in the organisation's culture;

(b) officers at all levels are encouraged to make decisions based on a rational awareness of the risks that could affect the achievement of their aims;

(c) the reputation of the organisation is protected;

(d) there is a framework that enables all officers to manage continuity and resilience at an appropriate level.

1.3 How will these objectives be met?

Experience has demonstrated that those organisations that have undertaken contingency planning usually recover successfully. When plans are available and officers are appropriately trained and experienced in using them, potential perils can be controlled, response times reduced and coordination improved.


The Business Continuity strategic objectives will be achieved by:-

(a) preparing and maintaining business continuity and recovery plans;

(b) ensuring that business continuity and resilience considerations form an integral part of the organisation's planning and performance management processes;

(c) providing guidance and training to staff to enable them to undertake relevant crisis response activities;

(d) ensuring a robust and effective risk management process;

(e) ensuring risk management is incorporated into all decision making processes;

(f) monitoring and measuring what we do.

2. Strategic Aims

The overall aim of this strategy is to give all officers the appropriate tools, guidance, knowledge and encouragement to enable them to make effective decisions based upon a proper evaluation of the risks that they may face in delivering the organisation from a crisis situation. This will be achieved through the following strategic aims.

Strategic Aim 1: To develop and maintain a systematic and consistent approach to business continuity management.

Strategic Aim 2: To develop a culture that will support the continuous improvement of our staff’s continuity and resilience building management skills.

Strategic Aim 3: To ensure our business continuity processes replicate best practice.

Strategic Aim 4: To provide a lead and champion business continuity management with our partners.

2.1 Strategic Aim 1: To develop and maintain a systematic and consistent approach to business continuity management

1.2.1 Merseytravel's Business Continuity Management Process

(a) Introduction

How does Business Continuity Management help?

(i) By planning to cope with unplanned incidents, we increase the organisation's ability to deal with planned changes.


(ii) The organisation's efficiency and effectiveness are increased as we concentrate our attention on key systems and processes.

(iii) Building resilience into our systems will help make certain we always provide the most excellent service we can.

(iv) If a crisis does happen, we will know what we have to do. This will help prevent confusion and disorder.

Business Continuity planning is about developing the organisation's ability to respond in a planned and structured manner should the unexpected happen. It gives the organisation the ability to restore critical functions as quickly as possible.

(b) What's involved?

Merseytravel's Business Continuity Management process will follow six main phases, as illustrated in the diagram "The BCM lifecycle" (Figure A), from the BSI 25999 standard. Following this standard will provide a sound basis upon which to develop our plans and support our strategic aims 3 and 4.

Figure A - The BCM lifecycle


(c) An Outline of the Six Phases of Merseytravel's BCM Process

(i) BCM Programme Management

Implementation of business continuity across the organisation will require a programme of information gathering, evaluation exercises, formulating appropriate responses, testing and practice exercises. Programme management involves allocating roles and responsibilities across the organisation, managing the implementation of business continuity and ensuring the on-going management and maintenance of the programme.

(ii) Understanding the organisation

To be effective, business continuity activities should concentrate on those aspects of the organisation the Senior Management consider critical to the delivery of key aims and objectives. This will necessitate the undertaking of Business Impact Assessments, the identification of potential risks that would prevent delivery of key aims and objectives and the identification of critical activities. There will inevitably be some prioritisation of critical activities.

(iii) Determining BCM options

Determining BCM options enables a range of strategies and tactical options to be evaluated. This allows an appropriate response to be chosen for each critical product or service, such that the organisation can continue to deliver those products and services at an acceptable level of operation during and following a disruption. The choice made will take account of the resilience and countermeasure options already present within the organisation.

(iv) Developing and Implementing a BCM Plan

Producing and implementing a planned response to a crisis situation will not only necessitate creating business continuity plans across the organisation but will also require undertaking a proactive approach to threat mitigation to reduce or eliminate the impact and likelihood of potential threats. Merseytravel's Risk Management framework should assist in this process.

(v) Embedding BCM into the organisation's culture

To ensure BCM is embedded into the organisation's culture, skills and awareness training will be deployed across the organisation. The aim will be to equip all officers with both the capacity and the confidence to make the necessary decisions required to deal with a crisis.

(vi) Testing and Maintenance

Any business continuity plans require testing to ensure their robustness and suitability for delivering the organisation out of a crisis. A variety of tests ranging from desk top reviews to scenario and simulation exercises will be undertaken, particularly in critical activities, at least annually to ensure strategies and plans deliver their expected outcomes.

(d) The Six Phases of Merseytravel's BCM Process – the Detail

(i) BCM Programme Management

The Risk Management Forum (RMF) will take the lead on the delivery of the BCM Strategy and the Head of Governance will project manage the implementation of the forum's wishes.

Any management process is only as good as the individuals who operate it. To provide clarity of purpose the following identifies the role and responsibilities for BCM within Merseytravel:

People Organisation Development and Governance Delivery Committee of the Integrated Transport Authority and Elected Members

Consider the effectiveness of Merseytravel's Business Continuity Policy and Strategy.

Receive regular reports on the implementation and maintenance of business continuity management.

Input into the BCM process at a corporate level.

Monitor the corporate risk register.


Executive

Implement the Business Continuity Policy and Strategy requirements.

Input into the BCM process at a corporate level

Ensure that the BCM process is in place and operational.

Directors

Review strategic and operational risks and continuity plans on a regular basis.

Ensure that the BCM process is in place and operational.

Ensure regular review of BCM plans within their area of responsibility.

Input into the BCM process at a corporate level.

Ensure new risks or changes to existing risks are responded to as appropriate including the amendment of BC plans.

Risk Management Forum

The “owners” of the Business Continuity Strategy.

Responsibility for programme management of the BCM process.

Responsible for maintaining and regularly reviewing the BCM process.

Prepare reports concerning BCM issues for consideration by the Executive and Authority.

Heads of Service

Responsible for implementing the BCM Strategy.

Ownership of BCM within their Service area.

Monitoring the implementation of the strategy in the everyday activities of their operations.

Encourage good risk management practice within their respective areas of responsibility.

Staff

Responsible for the ownership and undertaking of business continuity plans allocated to them individually or as a team.

Consider how Merseytravel might reduce its exposure to risk, or improve its BCM.

Report new or changed risks to their line managers.


Governance

Facilitate the delivery of the BCM Strategy.

Provide guidance to Directors and Heads of Service on BCM

Undertake an annual review of BCM.

(ii) Understanding the organisation

An absolute key component of a good business continuity management process is the understanding of what is critical to the organisation's success and continuance. It is the critical activities that BCM should focus on, ensuring increased resilience to crises and speedy recovery if a crisis occurs.

To identify Merseytravel's critical activities requires the undertaking of Business Impact Analyses (BIA) and Risk Assessments (RA). The aim is to consider what the organisation's key objectives and deliverables are, what processes and services support the delivery of these key objectives, and what the impact would be if these processes or services failed due to a crisis event. Much of this information will already be available from the Service Performance Plans. Whilst the actual threat may never materialise, undertaking the planning process will make the organisation better prepared for any threat, whether it was pre-identified or not. It is the process of review that will strengthen the organisation's resilience.

Business Impact Analysis

To facilitate production of BIAs a template has been produced, Appendix A. This will help undertake the following steps:

The Service area's business processes should be clearly defined: what are the processes trying to achieve, to whom, how, when, where and why.

Identify potential points of failure and in particular identify where a single point of failure exists.

Establish the impact of a failure to deliver the service.

Establish how quickly the service must recommence. (BE REALISTIC)


Establish what resources the organisation would need to supply to get the service resumed.

Risk Assessment

The risk assessment aims to understand how threats may interrupt the provision of the service. The assessment will follow the same framework as used in Merseytravel's Risk Management process, namely: RISK = Likelihood X Impact.

To facilitate production of the Risk Assessments a template has been produced, Appendix B.

(iii) Determining BCM options

BCM establishes how the service will continue to be delivered during a crisis situation. The plan should incorporate activities to both reduce the risk likelihood and impact and to stage any recovery.

The options a BCM plan should consider include:

Do Nothing (Tolerate). The risk's low likelihood or impact (or both) may be such that it is acceptable to do nothing.

Reduce the risk (Treat). The Risk Management framework could be used to prevent or reduce the risk's likelihood and impact. (Insurance could form part of the treatment).

Remove the risk (Terminate). If the risk of a crisis situation arising is so highly likely and of such an impact to the organisation that its existence is threatened, the organisation should consider ceasing this activity.

Manage the risk (Tolerate). This should establish the need to create a BCM Plan.

(iv) Developing and Implementing a BCM Plan

A BCM plan will seek to provide the necessary procedures for the resumption of the activities following a crisis situation. Any such plan must address two main issues:


A coordinated organisation wide response to the incident, including communication with outside parties and

The restoration of the necessary activities to deliver the organisation's aims and objectives.

The organisation wide response will be led by the Directors (supported by appropriate Heads of Service) either collectively or individually as circumstances dictate.

The recovery activity will be split into two distinct but interdependent groups. One will comprise the functional area affected by the crisis, the Functional Recovery Team; the other will comprise the Resource Recovery Team. The Functional Recovery Team will be made up of the individuals identified as key to returning the activity back to normal operations. The Resource Recovery Team will contain members of ICT and Asset Management whose role it will be to provide the necessary resources that the Functional Recovery Team's BCM plan has identified as necessary for resumption of priority activities.

Merseytravel's functional BCM Plans will follow a corporate format and an example outline template of such a plan is attached in Appendix C. In addition, workshops reviewing opportunities for increasing resilience in areas identified as key priorities, focusing on single points of failure, will be held on an on-going basis.

(v) Embedding BCM into the organisation's culture

To embed BCM into the organisation's culture will require it to become a vital part of the way the organisation operates. Successful BCM should become part of the way we do things, part of the everyday management of Merseytravel. For example, introducing job enrichment and enlargement schemes into a Service's activity would build increased resilience in the event of a crisis as well as benefiting employees and the everyday delivery of the service.


A programme of training will be agreed with the L & D Team for future delivery. In addition the Head of Governance will review Merseytravel's existing policies and procedures to suggest recommendations for incorporating BCM principles.

Training, Education and Awareness

Merseytravel's culture is the product of many formal and informal processes and structures and to achieve any change will require an extended programme of education and development. Whilst identifying which staff require what training and the actual information that requires transferring to staff can be provided by the Head of Governance, the actual delivery of training will be via the Learning and Development Team. A course of education and appreciation of BCM will be introduced to make sure:

All officers understand the risks that could affect their service delivery and are able to react accordingly;

Functional and Resource Recovery Team members are confident in their roles and responsibilities.

The Directors and Heads of Service are aware of the scheme of delegation required by the crisis incident.

(vi) Testing and Maintenance

To ensure plans will meet desired outcomes a continuous programme of testing will be carried out. The actual test structure could be via desk top exercises, workshops with relevant staff, or a test exercise. Testing will be undertaken across all three types of plan: the organisation wide response, the Functional Recovery Team plans and the Resource Recovery Team plans. There will also be an occasional testing of all three aspects together. Obviously this will be an infrequent event given the potential disruption to organisational delivery. Testing is a great opportunity to raise awareness and educate staff on BCM requirements, helping to embed the BCM culture. There is evidence that the better the quality and frequency of testing the greater the experience gained in BCM by those involved.

Review

Merseytravel’s Business Continuity Policy and Strategy will be reviewed on an annual basis by the Risk Management Forum. The internal control procedures which include the business continuity management process are evaluated for effectiveness annually as part of the production of the Annual Governance Statement.

2.2 Strategic Aim 2: To develop a culture that will support the continuous improvement of our staff’s continuity and resilience building management skills.

2.2.1 Clearly to change the organisation’s culture will require time and sustained effort. The main ingredient in influencing that change will be through training.

• Induction Training

All new staff should be introduced to the organisation’s business continuity management process as early as possible. Guidance will be provided to HR on what form such an introduction should take.

• Training

Training should be provided to all staff commensurate with their level of engagement with the business continuity management process. Guidance will be provided to Learning and Development, Heads of Service and Senior Officers on the form of training necessary and available.

• Information and Guidance Documents

A series of documents will be published on the intranet site (and available as hard copy) providing reference material for all users. A programme of email/poster/leaflet circulars will raise awareness of BCM issues and resilience building.


2.3 Strategic aim 3: To ensure our business continuity processes replicate best practice.

2.3.1 To ensure our processes replicate best practice we will undertake an annual review against BS25999 and ISO 22301 (when issued) and seek to meet their requirements.

2.3.2 We will identify suitable third parties to benchmark against and seek to be within the upper quartile in any comparison category.

2.4 Strategic aim 4: To provide a lead and champion business continuity management with our partners.

2.4.1 An aim of the organisation over the medium to long term (5 years) will be to develop the skills and knowledge to enable Merseytravel to become a champion of business continuity management.

2.4.2 In pursuing this Merseytravel will develop its staff and ensure that business continuity management is an integral part of all its activities including those in which it engages with Partners.

2.4.3 In the short term Merseytravel will ensure that all Partnering Agreements identify business continuity management as an integral activity of the partnership and ensure appropriate processes are developed to maintain business continuity. To assist in this regard Merseytravel will produce guidance documents identifying suitable actions.


3. Outline Action Plan: What needs to be done?

| Activity | Specific Task | Responsible Officer | Date for Achievement |
|---|---|---|---|
| Business Impact Assessments | All Service areas to undertake BIA’s | Head of Service | 31 Dec 2012 |
| Risk Assessments | All Service areas to undertake RA’s | Head of Service | 31 Dec 2012 |
| Decide BCM Options | All Service areas to consider options; Risk Management Forum to Review | Head of Service; Risk Mgmt Forum | 31 Mar 2013; 30 Apr 2013 |
| Develop BCM plans | All priority service functions to develop plans; Risk Management Forum to Approve | Head of Service; Risk Mgmt Forum | 30 Jun 2013; 31 Jul 2013 |
| Testing Programme | Desk Top Workshops Live Exercise | Risk Mgmt Forum | 30 Sep 2013; 31 Dec 2013 |
| Review | Policy and Strategy; BCM – via Annual Governance Statement process | Risk Mgmt Forum; Head of Governance | 31 May 2013; 31 Mar 2013 |
| Resilience Workshops | Programme of workshop sessions to be delivered, aimed at increasing resilience | Head of Governance | 31 Dec 2012 |
| Training | General Risk Management Specific Team Requirements Directors and Heads of Service | Head of Governance and Learning and Development Team | Initial training to all areas by 31 Nov 2012, then on-going training |
| Culture | Awareness Raising; Policy Review | Head of Governance and Learning and Development Team | Initial training to all areas by 30 Jun 2012, then on-going training |


Appendix A

Business Impact Analysis Template – Example

1. Service: Human Resources – Payroll System

2. Describe the service: what is provided, how, from where and to whom.

The Payroll System is part of the Transactional HR Section within the HR Service and encompasses all activity related to the payment of weekly and monthly salaries. The team comprises three individuals who are based at Room 323b, 4th Floor Hatton Garden. The service utilises an external third party to process payroll data, and to calculate and transfer monthly and weekly salaries to the organisation’s employees and members.

3. List the resources (people, accommodation and systems) normally employed in the delivery of the service.

| People | Accommodation | Systems |
|---|---|---|
| Transactional Manager | 30 square meters of office accommodation with network access. | Merseytravel’s internet system. |
| Payroll Process Officer | | CMG – Payroll Provider |
| Payroll Process Assistant | | Inland Rev. - Guides/Tables. |

4. Produce a simple process map to show the stages involved in the delivery of the service. From this, any dependencies and single points of failure should become apparent.

Individual Service Area HR Service Payroll Section

1. Send Monthly Payroll Amendments to Payroll Section, ie overtime,

2. Send Monthly Payroll Amendments to Payroll Section, ie new starters, leavers, etc.

3. Collate and enter Payroll adjustments onto CMG Software Interface.

4. Process Monthly Payroll Run

5. Receive and Review Monthly Payroll Run

6. Authorise Transmission to BACS

7. Print and Distribute Payslips

5. Identify the impacts on the service, of a disruption / interruption to each stage of the end-to-end process.

Examples of impacts:

FINANCIAL IMPACTS: Financial loss; Financial penalties; Reduced income; Increased cost of working.

NON-FINANCIAL IMPACTS: Health and Safety; Loss of goodwill; Loss of Reputation; Breach of law; Loss of operational capability.


6a. Determine recovery objectives for each stage of the process according to the following classifications.

Class 1 – Resume service operations within 1 HOUR

Class 2 – Resume service operations within 4 HOURS

Class 3 – Resume service operations within 1 DAY

Class 4 – Resume service operations within 1 WEEK
Stages 4 – 6. In an emergency continued payment of the existing payroll details would maintain goodwill and continued operational commitment by employees for the short term, 2-3 months.

Class 5 – Resume service operations within 1 MONTH
Stages 1 – 3, & 7

6b. Detail the minimum resources required to meet the recovery objectives, as detailed above.

Access to the CMG Software Interface. Whilst it may be helpful, this does not require a link to the Merseytravel Network and could be undertaken off site. Therefore any internet access and appropriate access codes could maintain the payroll system for 2-3 months, after which there would be gradual deterioration of the Payroll database. Key individuals required: Transactional Manager or Payroll Process Officer.


Appendix B

The Risk Assessment Template

The risk assessment aims to understand how threats may interrupt the provision of the service. The assessment will follow the same framework as used in Merseytravel’s Risk Management process, namely:

RISK = Impact X Likelihood

In BCM, there are FOUR major risk scenarios that require assessment and help to frame the issues Directors and Heads of Service should consider:

Damage or denial of access to premises;

Loss or damage to IT systems/voice networks/hardware/software/data;

Non-availability of key staff;

Loss or damage to other resources.

Whilst it is recognised that Directors and Heads of Service will deal with risks as a matter of everyday business management, the risk assessment provides a formal, documented, standardised process for managing these risks. Scoring the risk quantifies the level of risk and identifies the appropriate action needed to minimise or prepare against occurrence. For example:

The likelihood of power loss to the organisation could be low but the severity of the impact if it did occur would be very high even in the short term. Planning for such an occurrence, such as having alternative power supply arrangements, could reduce the impact.

The likelihood of key staff not being available to work due to a winter flu epidemic could be medium whilst the impact could be high. The risk could be reduced through training and sharing knowledge, job enlargement/enrichment.

Two templates are provided to help guide how you should score the potential Impact and Likelihood. These templates reflect the organisation’s approach to risk management as well as business continuity. This approach should assist the integration of BCM into everyday service management. Once you have scored your continuity risks the following chart will direct how you should develop your BCM plan to meet the challenge your risks present. The options are to Reduce, Plan for or Manage the potential impact or likelihood of the incident occurring.


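BCM Risk Assessment Matrix

| Impact | Likelihood 1 | Likelihood 2 | Likelihood 3 | Likelihood 4 | Likelihood 5 | Action |
|---|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 | REDUCE (Terminate, Treat) |
| 4 | 4 | 8 | 12 | 16 | 20 | |
| 3 | 3 | 6 | 9 | 12 | 15 | PLAN (Tolerate) |
| 2 | 2 | 4 | 6 | 8 | 10 | |
| 1 | 1 | 2 | 3 | 4 | 5 | MANAGE (Tolerate, Treat) |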

BCM Risk Assessment Action Guide

| Score | Action | Guidance |
|---|---|---|
| 1 - 6 | MANAGE | Director and/or Head of Service to manage/monitor |
| 8 - 12 | PLAN | Contingency plans must be produced to aid service recovery |
| 15 - 25 | REDUCE | The risk to the organisation is too great and needs active reduction |

Worked example

Event: Loss of Payroll Software availability.

Risk Score = Impact 5 X Likelihood 3 = 12

Therefore plans should be developed to manage this potential situation and thereby reduce the overall risk score.


Impact

| No. | Risk Area | 1 Minor | 2 Moderate | 3 Significant | 4 Substantial | 5 Catastrophic |
|---|---|---|---|---|---|---|
| 1 | Effect on Service | Brief disruption to important service areas | Complete loss of non-crucial service | Complete loss of a non-crucial service area for a protracted period or an important service area for a short period | Major loss of service for less than one month | Major loss of service for over one month |
| 2 | Financial Loss | Up to £10,000 | £10,001 to £100,000 | £100,001 to £1,000,000 | £1,000,001 to £25,000,000 | Over £25,000,000 |
| 3 | Reputational | Contained within directorate | Contained within Merseytravel, reported to Committee | Adverse local public or press interest; complaints | Adverse national public or press interest | Officer(s) and / or Trustee(s) forced to resign. Adverse central government response |
| 4 | Health & Safety | Minor injury or discomfort to an individual | Minor injury or discomfort to several people | Major injury to an individual | Major injury to more than one individual | Death |
| 5 | Performance Plans | One minor element of the Performance Plan not achieved in one plan cycle | Several minor areas of the Performance Plan not achieved in one plan cycle | Significant area of the Performance Plan not achieved in one plan cycle | Repeated failures to meet key areas of the Performance Plan over several plan cycles | Complete failure to deliver Performance Plan |
| 6 | Governance | One-off minor non-compliance with the organisation’s governance requirements | Several minor governance failures, eg occasional Board/Committee meetings not held, etc. | Repeated governance failures, eg Board / Committee meetings not held; dysfunctional Board relationships etc. | Merseytravel’s governance structures (ITA, Exec, Committee, Directors, Others) are repeatedly failing to effectively govern the organisation | Total breakdown in the organisation’s governance arrangements |
| 7 | Customer Service | One-off minor customer service problem | Several customer service problems | Significant customer service problems | Systematic breakdown in one area of customer service | Total breakdown in the organisation’s customer services |
| 8 | Legislative and Regulatory | One-off minor breach resulting in minor adverse publicity / regulatory attention | Several minor infringements of regulations / legislation resulting in minor fines or adverse publicity | One-off moderate breach resulting in moderate fines or adverse publicity | Systematic non-compliance resulting in significant Litigation / Fines or Court appearance | Forced closure of Merseytravel |
| 9 | Business Continuity | Occasional minor disruption to services in one service area | Occasional disruption to services in several service areas | Repeated disruption to a service area | Severe systematic disruption to one or more service areas | Complete failure of service |
| 10 | Performance Delivery | One-off minor reduction in performance in one service area | Sustained reduction in performance in one area or reduction in performance across several service areas | Sustained reduction in performance in more than one service area | Sustained systematic non-performance resulting against most performance targets | Complete performance failure |


Likelihood

5 Almost Certain

• Extremely likely
• The event is expected to occur in almost all circumstances
• There has been a history of regular occurrences at Merseytravel, ie on multiple occasions in the last twelve months
• If new event, likelihood of occurrence regarded as almost inevitable

4 Highly Probable

• There is a strong possibility the event or risk will occur
• The event is expected to occur in a majority of circumstances
• There is a history of several occurrences at Merseytravel, ie on more than one occasion in the last twelve months
• If new event, likelihood of occurrence regarded as very likely

3 Probable

• There is a reasonable probability the event or risk will occur
• There may be a history of frequent occurrences at Merseytravel
• Everyone with knowledge of issues in this area knows this could happen
• No or little effective measures to reduce likelihood can be and/or have been taken
• If new event, likelihood of occurrence will probably occur in most circumstances

2 Unlikely

• The event might occur at some time
• There could be a history of ad hoc occurrences at Merseytravel
• Most of the team know that, whilst unlikely, the risk might occur
• Measures that reduce likelihood have been taken but are not fully effective
• If new event, likelihood of occurrence regarded as unlikely but possible.

1 Almost impossible

• Not expected but there’s a slight possibility it could occur at some time
• Some of the team consider that this is a risk that might occur
• Team consider there is an appropriate control framework in place
• Conditions exist for this to occur but is highly unlikely
• Probably requires more than two coincident events


Appendix C

Merseytravel

Business Continuity

Functional Plan

For

Document Title Business Continuity Functional Plan for

Document Owner Head of Service

Author

Document Version v1.0

Approved By Director

Created Date

Review Date

This document is confidential and the property of Merseytravel. It may not be reproduced or used for any other purpose than that for which it is supplied without the written permission of Merseytravel.

Uncontrolled when printed – for latest version please check One Place


Contents

Purpose and Scope (Generic)

Introduction (Generic)

Outline Roles and Responsibilities (Service Specific)

Mobilization procedures (Service Specific)

Action plans/ task lists (Service Specific)

Resource requirements (Service Specific)

Vital information (Service Specific)

Key Personnel required for service recovery and delivery (Service Specific)

Document owner and maintainer (Generic)

Forms and annexes (Service Specific)


Purpose and Scope

The aim of this plan is to enable XYZ to maintain or resume operational activity as soon as possible following an adverse incident or event. This plan relates solely to the activities and functions of the XYZ Service but recognises that no single or grouped service functions can operate in isolation in the long term. The plan has been developed to deliver the critical service activities within the timescales identified in XYZ’s business impact assessment and recorded in the business impact template.

Introduction

If a major incident or event occurs, the Directors (or most Senior Officer(s) available) will meet to assess the situation. It will be the responsibility of this group to decide whether or not to implement this Business Continuity Plan. When the Business Continuity Plan is implemented a series of Resource Recovery Teams will undertake damage assessments to identify the resources needed to be recovered in order to ensure that business functions can resume. The Recovery Teams will then set about acquiring and delivering the necessary resources.