Business Continuity

Management (BCM) Policy

Reference number:
Title:
Version number:
Policy Approved by:
Date of Approval:
Date Issued:
Review Date:
Document Author:
Director:

Corporate 042
Business Continuity Management (BCM)
Policy
Version 2

LLR PCT Cluster Board

th
12 April 2012
April 2012
October 2012
Robert Willott, Resilience Planning
Officer
Dr Peter Marks
Director of Public Health (NHS LCR)

Version Control and Summary of Changes

Version
number

Date

Comments
(description change and amendments)

Version 1

March 2009

Version 1

December
2010
December
2011

NHS Leicester City Business Continuity Management

Policy (Corporate 032).

Version 2

February 2012

Amendments made to reflect organisational changes

across NHS Leicester City and NHS Leicestershire
County and Rutland (including Clinical Commissioning
Groups (CCGs), Commissioning Support Service
(CSS)).

NHS Leicestershire County and Rutland Business

Continuity Planning Policy (PH003).

This policy replaces all previous versions across

Leicester, Leicestershire and Rutland (LLR) PCT
Cluster.
April 2012

Policy presented to and approved by LLR PCT Cluster

Board.

All policies can be provided in large print or Braille, if requested.

Interpreting services are also available for individuals of
different nationalities.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 2 of 20

Contents
Page
Equalities Statement

Policy Statement

Statutory Requirements

Communicating this Policy

Definitions

Business Continuity Management (BCM)

Developing Business Continuity Plans

Business Continuity Plans

10

Records Management

11

Accountability and Responsibility

11

Training, Exercising, Maintaining and Reviewing Business Continuity

Management Arrangements

13

Monitoring, Compliance and Effectiveness of the BCM Policy

15

Reviewing the BCM Policy

17

Appendices
Appendix 1:

18

Equality Analysis template

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 3 of 20

Equalities Statement
1. NHS Leicester City and NHS Leicestershire County and Rutland (collectively
known as the Leicester, Leicestershire and Rutland (LLR) PCT Cluster) and
the Clinical Commissioning Groups (CCGs) across LLR aim to design and
implement policy documents that meet the diverse needs of our service,
population and workforce, ensuring that none are placed at a disadvantage
over others. It takes into account the provisions of the Equality Act 2010 and
advances equal opportunities for all. This document has been assessed to
ensure that no one receives less favourable treatment on the protected
characteristics of their age, disability, sex (gender), gender reassignment,
sexual orientation, marriage and civil partnership, race, religion or belief,
pregnancy and maternity.
2. In carrying out its functions, the LLR PCT Cluster and the CCGs must have
due regard to the different needs of different protected equality groups in
their area. This applies to all the activities for which the LLR PCT Cluster and
CCGs are responsible, including policy development, review and
implementation.
See Appendix 1 for an Equality Analysis.
Policy Statement
3. This policy relates to all employees of NHS Leicestershire County and
Rutland and NHS Leicester City (hereafter referred to as the Leicester,
Leicestershire and Rutland (LLR) PCT Cluster); but with the focus on all the
key staff involved with business continuity management and recovery of key
activities should the PCTs be faced with any type of business continuity
incident.
This policy also covers the three Clinical Commissioning Groups (CCGs)
across Leicester, Leicestershire and Rutland:

East Leicestershire and Rutland CCG

West Leicestershire CCG
Leicester City CCG.

Until further guidance, the scope of the Policy also covers the LLR
Commissioning Support Services (CSS).
Business Continuity Plans are in place across both city and county Public
Health Teams and are covered by the scope of this policy. Work will continue
with both Local Authorities to ensure a smooth transition of business
continuity arrangements.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 4 of 20

4. This policy is intended to establish and support business continuity planning

processes as an integral component of LLR PCT Clusters normal working
practices. It will also ensure the existence of a response driven by command
and control structures commensurate with the level of risk or seriousness of
the event. Due to the changing landscape, it is recommended that this policy
is regularly reviewed to reflect the organisational changes.
5. The objectives of the Policy are as follows:

To identify, plan, resource and implement preventative actions that reduce

the risk of disruption to key services across all areas that fall within the
scope of this Policy.
To establish arrangements to respond to serious disruption, allocating
resources and priorities for action to recover critical functions and prepare
for return to normal working as quickly as possible.
To support effective communication during a service disruption.
To ensure that LLR PCT Cluster, CCGs and the CSS can continue to
exercise its core functions in the event of an emergency.
To link where necessary with local resilience arrangements including
strategic, tactical and operational commands.
To provide assurance that LLR PCT Cluster, CCGs and the CSS have
robust business continuity plans (BCPs) in place.
To ensure that LLR PCT Cluster and CCGs have assurance that its
providers have business continuity plans in place.

Statutory Requirements
6. Business Continuity Management (BCM) is a statutory requirement for NHS
organisations to undertake.
The Civil Contingencies Act 2004, NHS Emergency Planning Guidance 2005
and the interim NHS Guidance on Business Continuity (2008) (for the
purpose of the Act, LLR PCT Cluster is a Category 1 responder) requires that
organisations have Business Continuity Management procedures and plans
in place to ensure that, in the event of a significant service interruption,
critical day-to-day functions can be maintained. Timely recovery and
restoration of key services, systems and processes must also be achieved.
Communicating the Policy
7. Communicating this policy will be conducted through multiple channels
including induction and annual mandatory training. The policy will be
available to staff via the intranet.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 5 of 20

Definitions
8. The following definitions will apply in the policy as shown in Table 1 below:
Table 1:
Term
Business Continuity

Meaning
Business Continuity is the process of facilitating the
recovery of critical business services, systems and
processes within agreed timeframes, while maintaining the
organisations critical functions and delivery of vital
services.

Major Incident

Any occurrence, which presents serious threat to the health

of the community, disruption to the service or causes (or is
likely to cause) such numbers or types of casualties as to
require special arrangements to be implemented by
hospitals, ambulance trusts or primary care organisations.
(NHS Emergency Planning Guidance 2005).

Operational
Command

The Operational Commander directly controls the

organisation's resources at the incident and will be found
with his/her staff working at the scene.

Service Interruption

Any incident which threatens personnel, buildings or the

operational procedures of an organization and which
requires special measures to be taken to restore normal
functions.
An appropriate response would aim to maintain essential
services and restore normal services as soon as possible
under the circumstances prevailing at the time.

Service Recovery

The restoration and support of utilities and services without

which the core organisational functions would not be able to
continue.

Strategic Command

The Strategic Commander is in overall control of the

organisation's resources at the incident. They may not be
on site, but at a distant control room, where they will
formulate the strategy for dealing with the incident.

Tactical Command

The Tactical Commander manages the strategic direction

from the Strategic Commander and makes them into sets of
actions that are completed by Operational command. They
are not located at the scene.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 6 of 20

Business Continuity Management (BCM)

9. The LLR PCT Clusters business or the business of the CCGs or the CSS
may at any time be interrupted by an emergency or other significant event.
This may range from something that affects one area of operations, a more
serious event affecting buildings/staff/service functions or an event affecting
the wider community. Alternatively, while responding to an emergency, a
serious business/service interruption may occur within the organisations
buildings or services. Any one of these scenarios requires a rapid,
proportionate and efficient response to managing the incident in order to
restore normal business functions as soon as possible.
10. There are many varied possible causes of service disruption. As a general
guide, business continuity planning must be carried out to minimise the
effects of a number of potentially disruptive events, for example:

Major accident or incident such as national disaster, epidemic, terrorist

attack;
Fire, flood, extreme weather conditions;
Loss of utilities, including IT and telephone systems;
Major disruption to staffing; e.g. as a result of an epidemic, transport
disruption, industrial action, inability to recruit or mass resignations.

11. Individual directorate level plans have been developed in line with the interim
NHS Guidance for Business Continuity (2008) and to comply with British
Standards Institute Specification (BS 25999). The process is widely accepted
as industry standard. These plans will be modified to represent function
level plans as the LLR PCT Cluster moves through transition. CCG plans will
be developed on a functions basis.
12. The stages in the BCM Lifecycle process are:

Understanding the organisations business, i.e. defining the critical/core

functions of the organisation.
Identifying the risks and establishing how they are to be managed.
Developing a response to risks.
Raising awareness and embedding plans.
Maintaining and auditing plans.

13. The BCM Lifecycle is shown in Figure 1 below. Further details of this can be
found in BS25999.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 7 of 20

Figure 1: Business Continuity Management (BCM) Lifecycle

14. The benefits of an effective BCM programme are that the organisation:

Can identify the impacts of an operational disruption;

Has in place an effective response to disruptions which minimises the
impact on the organisation;
Is able to demonstrate a robust response through a process of training
and exercises;
Will be able to protect and enhance its reputation and competitive
advantage with new and existing customers, with working partners and
other stakeholders by demonstrating reliability and maintaining service
delivery.

15. The outcomes of an effective BCM programme are that:

Key products and services are identified and protected, ensuring their
continuity;
Incidents are managed to enable an effective response;
The organisation understands its relationships and interdependencies
with other organisations and stakeholders (e.g. local acute hospital, local
authorities);
Staff are trained to respond effectively to a disruption through appropriate
training, education and exercises;
Stakeholder requirements are understood and able to be delivered;
Staff are supported by adequate communication strategies;

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 8 of 20

The organisations supply chain is secured;

The organisations reputation is protected;
The organisation remains compliant with its legal and regulatory
obligations.

16. BCP leads or appropriate staff members are required to carry out a Business
Impact Analysis (BIA) to identify key activities and then complete a business
continuity plan for each risk identified.
17. BIAs and BCPs must be reviewed and amended where necessary but at
least annually or sooner if there is a major service development.
Developing Business Continuity Plans
18. Business continuity plans are in place for the LLR PCT Cluster at Directorate
level; these will change into a plan which focuses on functions as the LLR
PCT Cluster transitions into the Local Office towards the end of 2012 2013.
Functions based business continuity plans are also being developed for each
CCG and the CSS.
It is important that each directorate/function:
has ownership of the business continuity plans that relate to the services it
commissions or functions it delivers;
should allocate a plan owner, who will be responsible for reviewing,
amending and updating their plan at least annually. Plan owners will
advise the Resilience Planning Officer (RPO) of amendments to be made
to the plans. To ensure this, each directorate/ department is responsible
for completing a BIA and identifying risks to those functions. From this the
directorates/departments have developed business continuity plans.
19. Elements involved in developing a Business Continuity Plan are as follows:

Having the right team and management support;

Contingencies planned for and in place;
Risk evaluation and control measures are integral to overall risk
assessment;
Writing and testing the plan;
Business impact analysis;
Training and maintenance;
Continuity Strategy.

20. Plans should be cascaded to all staff within directorates / across functions as
appropriate. Plan owners and their deputies have access to their business
continuity plan via S:\Business Continuity Plans. Support to Directors and
Senior Managers will be provided by the RPO should any problems arise in
Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 9 of 20

the development of business continuity plans. Each directorate/function is

responsible for ensuring that staff are given training to assist them to
implement business continuity plans. This training will vary according to the
content of the plans. The RPO will take overall responsibility for ensuring a
corporate plan is produced in a timely manner and is tested regularly.
Business Continuity Plans
21. Plans should be concise and accessible to those with responsibilities defined
in the plans. Plans should be fully understood by the staff and the teams
responsible for specific actions within the plans.
22. Plans should clearly state any interdependencies and reliances, both within
the organisation and with other stakeholders.
23. Plans must also include:

A description of the key activities identified and a RTO (recovery time

objective);
Detailed action plans to control the Key activity;
Details of who is responsible for overseeing contingency planning and
activating plans;
Details of who is responsible for implementing action plans;
Details of external organisations to be involved if appropriate;
A description of escalation procedures if appropriate.

24. Plans should estimate the resources that each activity will need to get started
again. These may include:

People (workers) numbers, skills and knowledge;

Work site (premises) and facilities;
Supporting technology (pay close attention to software needs for IT),
plant and equipment;
Access to previous work or current work-in-progress information;
External services and supplies;
What are the needs of your stakeholders? This may have an effect on
your resource levels.

25. The plan must document how it is to be invoked and how this is to be
achieved in the shortest possible time following the occurrence of a business
disruption. Criteria and clear guidelines to identify individuals with authority to
invoke plans, and under what circumstances, will facilitate a timely, coordinated and consistent approach.
26. Plans must also contain information about how their implementation will be
monitored and recorded.
Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 10 of 20

27. While it is difficult to predict the type of incident, it is assumed that these are
likely to be associated with scenarios including fire, flood, building collapse,
computer failure, telecommunication failures, loss of utilities, fuel shortages,
staff shortages and terrorism. The list is not exhaustive and those dealing
with business continuity within their department or directorate should assume
that they might be called upon to provide an adequate level of their service in
unusual circumstances and to varying degrees.
Records Management
28. All records created during the implementation of a business continuity plan
must be kept by the RPO. These records will be stored in line with the
corporate Records Management and Lifecycle Policy.
Accountability and Responsibility
29. Updates on business continuity will be provided to the LLR PCT Cluster
Board and CCGs Boards annually or following invocation of the Business
Continuity Plan. Detailed oversight and management of the Business
Continuity Plan will be undertaken through the new BC Leads meeting that
has representation from each directorate across the LLR PCT Cluster.
30. Those responsible for Business Continuity Planning must consider the
following general points:
Risk management and Business Continuity Planning work side by side.
Business Continuity Planning must be supported by good management
and not considered in isolation from other working practices.
The first few hours after an incident are crucial and good management
supported by robust Business Continuity Planning plans will considerably
aid recovery.
Business Continuity Planning is not simply about knowing the answers
when an incident occurs, but knowing what questions to ask.
Business Continuity Planning can improve existing procedures, improve
services and assist in the prevention of disruption to service provision.
It is essential to have shared risks covered in any Business Continuity
Plan. Do not try to go it alone - remember to involve other agencies and
similar organisations who will be only too willing to provide support if the
appropriate plans are in place.
31. The duties and responsibilities of the LLR PCT Cluster Board and of key
officers are shown in Table 2 below:

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 11 of 20

Table 2:
Title
LLR PCT Cluster
Board

Duties/ Responsibilities
Setting the strategic context in which the business
continuity policy is developed.
The direction for development of service recovery
procedures and plans.

Chief Executive

The Chief Executive has overall responsibility for ensuring

that LLR PCT Cluster has effective arrangements in place to
respond to an incident that has the potential to affect service
provision.
The direction for development of service recovery procedures
and plans for each CCG.

CCG Board

Director of Public
Health (DPH)

The DPH Director has overall responsibility for ensuring

business continuity management is developed and
embedded within the PCT and our Primary Care contractors.

Resilience
Planning Officer
(RPO)

The RPO supports the PH director in business continuity

planning. Some of the RPOs responsibilities include:
Development and maintenance of BIAs and BCPs
Developing and running business continuity exercises
Running business continuity training programmes
Development of business continuity documents including
policies and guidance documents
Working with partners to enhance business continuity
arrangements across Leicestershire.

Directors/Senior
managers

Directors and senior managers are responsible for ensuring

that:
Directorates and services complete an analysis of critical
functions and risk assessments.
Business continuity plans are completed for each risk
identified.
Activation of their business continuity plans
Business continuity plans are cascaded to appropriate staff
within the directorate and appropriate information and
training is given.
Plans and critical function analyses are reviewed annually
or sooner as appropriate.

(some of these
duties could be
that of the
business
continuity lead)

DPH/Consultant
in Public Health

Provide specialist public health support to Directors and

Senior Managers.

All staff

All staff must make themselves familiar with their individual

roles as set out in this policy and within individual directorate
business continuity plans.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 12 of 20

Training, Exercising, Maintaining and Reviewing Business Continuity

Management Arrangements
32. Managers or staff tasked with Business Continuity Management must
receive appropriate training to enable them to fulfil their management
function. Those responsible for Business Continuity Management must
ensure that training needs are identified and training records maintained.
Staff should receive training during induction, refresher training, when
changing appointment or department and when procedures are amended
/changed.
33. Business Continuity Plans should be tested through exercises to develop
teamwork, competency, confidence and knowledge which will be vital at the
time of an incident of business disruption.
34. Exercises should be realistic and carefully planned with clearly defined aims
and objectives appropriate to the organisations recovery objectives.
35. Exercises should practice the organisations ability to recover from a
disruption and ensure that critical activities, their dependencies and
priorities have been correctly identified.
36. Exercises should highlight assumptions which may need to be questioned,
instill confidence amongst the participants, raise awareness of business
continuity throughout the organizations and validate the effectiveness and
timelines of restoration of critical activities.
37. Example of methods of exercising Business Continuity Management
strategies and plans are shown in Table 3 below.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 13 of 20

Table 3
Complexity
Simple

Medium

Exercise
Desk Top
Exercise.

Process
Review /
amend content
of plan.

Variants
Update plan.

Challenge the
content of the
plan.

Audit / verify the

plan.

Frequency
At least
annually.

Validate plan.

Walk through the Challenge the

service plan.
content of the
plan.

Validate
participants roles.

Simulation
Exercise critical
activities

Incorporate/identify Alternate
associated plans
years.
(dependencies)
e.g. run the service
from a different
location.

Create an
artificial
situation to
validate plan
information
and recovery
arrangements.

Annually.

Invoke a plan
in a controlled
situation
without
jeopardising
business as
usual.
Complex

Exercise
interdependent
plans across a
number of
services.

For example
all services
operating from
one site.

At 3 5 year
intervals.

Exercise frequency will depend on the needs of the organization and its stakeholders.
Exercises should be flexible and should take into account the rate of organisational
change and the outcome of previous exercises.
Exercises may run to test individual plan components, single or multiple plans.
Exercises may include third party providers.

38. The Business Continuity Management Policy and plans should be

maintained to ensure that the organisations competence and capability

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 14 of 20

remain fit-for-purpose and up-to-date. They should take account of any

significant changes, whether internal or external, that may impact on the
organisation and its arrangements.
39. BCM maintenance processes should seek to:

Review and challenge assumptions made in plans;

Document evidence of proactive management and governance in the
way BCM is planned and embedded in the organisation.
Identify that key people have been trained and are competent to
implement plans;
Ensure that updated business continuity policy, plans, and processes
are made available to key personnel under a formal change / version
control process.

Monitoring, Compliance and Effectiveness of the Policy

40. The monitoring, compliance and effectiveness process is shown in Table 4
below.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 15 of 20

Table 4
Systems
Criteria

Monitoring and / or Audit

Measurables
Lead Officer

Systems in place
to ensure the
BCP leads follow
the processes
outlined within
this policy
Systems in place
to ensure that the
BCP links in with
the trusts risk
management
strategy
Systems in place
to identify risks
across the
organisation and
for which a BCP
is needed

Systems in place
to ensure all staff
tasked with BCM
are appropriately
trained

Frequency

Reporting
to

Monitoring
/ action
plan
Monitoring

All directorates
RPO/ BCP
and the
Leads
departments have
completed up to
date BCPs

Annually or
as
necessary

Board of
directors

The BCP policy is

attached an
addendum to the
risk management
strategy and is
reported on the
risk register
Each directorate
risk register
identifies the risks
and places them
on the corporate
risk register and a
BCP is developed
and reviewed
accordingly
Relevant staff
receive training
during corporate
and directorate
induction.

Company
secretary

Ongoing

Board of
directors

Monitoring /
action

Directors/
Heads of
departments

Ongoing

Board of
directors /
Executive
Team

Monitoring /
Action plan

RPO/
Directors/He
ads of
department

On
appointmen
t and
ongoing.

Board of
directors

Monitoring

RPO

Annually

PCTs/
boards

Monitoring

Training is
refreshed
periodically as
and when
necessary.

Systems in place
to conduct
business
continuity
exercises

Register of those
trained is kept up
to date.
Joint exercising
across county
and city for all
Primary Care
providers.
Directorate
exercises.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

LLR board

Page 16 of 20

Reviewing the Policy

41. This policy will be reviewed annually. It will be amended, if necessary, to
take into account new legal requirements and revisions and implementation
of relevant British Standards.

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 17 of 20

Equality Analysis Template

Name of Trust (LPT/LLR PCT Cluster):

LLR PCT Cluster

Name of service, function or policy:

Business Continuity Policy

Purpose of service, function or policy:

The PCT is a category one responder under the terms of the Civil Contingencies Act 2004. It is a statutory duty under
this act for category one responders to have a business continuity management policy as part of their emergency
preparedness responsibilities.
The policy specifies the need for the organisation to identify its critical functions and to plan to be able to maintain
these during an event that interrupts normal working.
This policy is an update from LCR and Leicester City Policies which were previously approved in 2010

Directorate/Division:

Authors directorate Public Health

Equality Act 2010 General Duty

It is a requirement, when making any decisions relating to the shaping of policies, service delivery or as an employer, to have due regard
to the need to:

eliminate unlawful discrimination, harassment, victimisation, and any other conduct prohibited by the Equality Act 2010 (also
to marriage and civil partnership)

advance equality of opportunity and

foster good relations

between people who share any of the protected characteristics and people who do not share them
Socio-economic deprivation is not a protected characteristic but included as best practice
o It is a requirement for LPT/ LLR PCT Cluster to work towards equality objectives to help meet the General Duty and for staff to support and mainstream
them

Human Rights Act 1998

It is a requirement for LPT/ LLR PCT Cluster to protect and promote human rights for service users and staff

Please ensure you are familiar with the Due Regard guidance before completing this equality analysis

Equality
Objective/
s
supported
(1,2,)

A number of hyperlinks have been added to assist you.

What information have you used to analyse the effects on equality, particularly in relation to the protected characteristics? N/A (no
impact on equality issues including protected characteristics)
Provide details of the statistics, research or stakeholder engagement that you have analysed in order to assess the effect of the service,
function or policy on equality
Provide hyperlinks/references to any websites/documents (if analysis is already documented elsewhere, no need to repeat it here
providing you can reference it).
If there are any gaps in the information available how do you aim to address them? If not, why not?
What has this information told you about the potential effect on equality, particularly in relation to access, experience or outcomes
for the protected characteristics? There are no negative impact areas within the policy. Please note -The policy requires staff to work in
different settings to maintain business continuity but any negative impact on staff can be avoided with appropriate planning (including risk
assessments).
Analysis should be as rigorous as possible, although the amount of analysis undertaken should be proportionate to the likely impact on
protected groups.
If you have made a judgment that there is no likely impact, can you justify why you have made this judgment?
Provide hyperlinks/references to any documents where analysis is reported (if analysis is already documented elsewhere, no need to
repeat it here providing you can reference it).
Taking into account your equality analysis, and with the aims of the equality duties, Human Rights Act and Equality Objectives in mind,
what is your overall assessment of the likely impact of the policy/decision on the protected characteristics listed below?

Adjust
Overall finding of equality analysis (


)
Go ahead as planned
Continue regardless
Stop
What are the potential risks/costs (financial or otherwise) of not taking the actions below? N/A
What are the potential savings/ benefits of taking the actions below? N/A
Protected Characteristic
Eliminate unlawful
Advance equality of
Action Plan
Foster good
discrimination
opportunity
relations
Issue/Risk
Actions/
Target date
Outcomes

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 19 of 20

Age
Disability
Gender re-assignment
Marriage & Civil Partnership
Pregnancy and maternity
Race
Religion / Belief
Sex (gender)
Sexual Orientation
Socio-economic deprivation
Human Rights
Date of analysis

Y
Accountable Officer for actions

Action Plan Review Date

Quality Assurance Policy Group (

)
Leicestershire Partnership NHS Trust
LLR Cluster

Officer

Date

Version 1.0 22 September 2011 Review date February 2012

Corporate 042 Business Continuity Management (BCM) Policy, Version 2

Page 20 of 20