    Hampshire County Council

    Business Continuity

    Business Continuity Management Strategy

Author: M Donlon

Version Number: 1.2

Date of creation: 01/03/07

Date of Update: 16/04/07

Document Identity

Document Name: BCM Strategy

Description: BCM Strategy

Date document created: 010307

Date of last update: 070307

Format: MSWord

Location of master copy: HCC I drive

Review date: Ongoing

Author: Mark Donlon

Owner: Mark Donlon

    Version Control

    BUSINESS CONTINUITY MANAGEMENT STRATEGY

    CONTENT PAGE

Section / Contents

1.0 Management Summary

2.0 Introduction

3.0 Scope

4.0 Policy

5.0 Critical Activities

6.0 Strategic Framework

7.0 Roles and Responsibilities

8.0 Potential Scenarios

9.0 Strategy for Recovery

10.0 Objectives of the Business Continuity Plans

11.0 Overview of emergency response

12.0 Communication and awareness

13.0 Training, testing and maintenance

14.0 Review process

15.0 Risks to the BCM programme

Annex A Summary of HCC business continuity policy

Annex B BCM Framework for Hampshire County Council

    1.0 MANAGEMENT SUMMARY

    1.1 The Civil Contingencies Act 2004 requires Hampshire County Council to ensure that it has prepared, so far as is reasonably practicable, to continue to provide critical activities and an emergency response during any emergency or disruptive event.

    1.2 This Business Continuity Management Policy provides the framework for Business Continuity Plans to be developed, implemented, tested and reviewed and was approved by the Corporate Management Team (CMT) on February 28th 2007. A summary of the policy is to be found at Annex A. This strategy document adds some additional detail to that policy.

    1.3 Business Continuity Management is a holistic management process that helps manage the risks to the smooth running of the organisation or delivery of a service, ensuring that it can continue to run to the extent required in the event of a disruption. These risks could be from the external environment or from within the organisation. It provides the strategic framework for improving an organisation's resilience to interruption. Its purpose is to facilitate the recovery of key business systems and processes within agreed time frames whilst maintaining the critical activities and delivery of its vital services.

    1.4 The government has issued guidance in part one of the Civil Contingencies Act 2004, its associated regulations and non-statutory arrangements 'Emergency Preparedness'.

    1.5 In addition to the Civil Contingencies Act, the British Standard BS 25999-1:2006 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings. Hampshire County Council will use this standard as a basis for developing its Business Continuity arrangements.

    2.0 INTRODUCTION

    Hampshire County Council (HCC) has operations that must be performed, or rapidly and efficiently resumed, in an emergency. While the impact of an emergency cannot be predicted, planning for operations under such conditions can mitigate the impact of the emergency on our people, our office locations and our objectives. To that end, Hampshire County Council is undertaking a continuous programme of work to prepare a Business Continuity Plan (BCP).

    Business Continuity Planning is a good business practice and forms part of the fundamental objectives of this organisation as part of its corporate governance regime. The changing threat environment and recent emergencies have created awareness of the need for BCP capabilities that enable services to continue their critical activities across a broad spectrum of emergencies.

    Hampshire County Council's Business Continuity Plans aim to:

    · Prioritise people's safety

    · Maintain essential services

    · Protect buildings and their contents

    3.0 SCOPE

    The capability to prepare for, respond to and recover from emergencies affecting Hampshire County Council's operations is dependent upon the proficiency and well-being of its employees and the clarity of its leadership. To ensure the capability to support employees and contractors, system users, emergency responders, local and regional emergency management agencies, and the general public during emergencies, Hampshire County Council has adopted this strategy.

    The strategy describes how Hampshire County Council will sustain the capability to perform critical activities during and after a disruption in internal operations whether caused by severe weather, other natural or man-made disasters, or malevolent attack. This strategy will ensure that Hampshire County Council:

    · Has the capability to implement the BCP both with and without warning;

    · Includes regularly scheduled testing, training, and exercising of HCC personnel, equipment, systems, processes, and procedures used to support the service during a BCP event;

    · Provides for a regular risk analysis of current alternate operating location(s);

    · Promotes the development, maintenance, and annual review of service BCP capabilities.

    The BCP will support the performance of critical activities from alternate locations (due to the primary location becoming unusable, for long or short periods of time) and also provides for continuity of management and decision-making, in the event that senior management or technical personnel are unavailable, inaccessible or lost to the organization.

    4.0 POLICY

    It is the policy of Hampshire County Council to respond quickly at all levels in the event of an emergency or threat, to include human, natural, technological, and other emergencies or threats, in order to continue essential internal operations and to provide support to our customers, emergency management and response agencies, and other agencies or services that may be affected by the emergency.

    A viable BCM capability identifies critical activities and consists of plans and procedures, alternate locations, and alternate interoperable communications and data support systems, reinforced by comprehensive training and exercise programs. BCP capabilities must be maintained at a high level of readiness and be capable of being activated both with and without warning.

    A summary of the policy document is to be found at Annex A.

    5.0 CRITICAL ACTIVITIES

    Emergencies may occur both with and without warning which result in the:

    · Denial of use of premises and locations;

    · Loss of power;

    · Loss of telecommunications;

    · Suddenly unavailable senior management or technical personnel; and/or

    · Inaccessible information technology systems.

    When confronting events which disrupt the normal operations of Hampshire County Council, its services are committed to providing critical activities which must be continued even under the most challenging emergency circumstances. The individual services will identify as critical activities only those most critical activities which ensure the safety and security of system users, employees, contractors, emergency responders and the general public; support the restoration of internal operations against the criteria defined in the policy document; and facilitate emergency response operations.

    During activation of this BCP, all other activities will be suspended, to enable the service to concentrate on providing the critical activities and building the internal capabilities necessary to increase and eventually restore operations.

    6.0 THE STRATEGIC FRAMEWORK

    The diagram below sets out the framework within which business continuity plans will be developed and monitored within the county council:

    The delivery of business continuity management in the departments will be based on a principle of central support for a local delivery. Because of the scale of the project, each department will be responsible for producing its own plans, with the Business Continuity Officer providing support, guidance and advice as appropriate. Therefore, each department will have nominated a business continuity champion. That person will sit on the Corporate Risk and Business Continuity Steering Group. They will identify service heads within their departments who will undertake a business impact analysis and prepare a service recovery plan. Alternatively, the service head may choose to nominate another officer to carry out that task on their behalf.

    7.0 ROLES AND RESPONSIBILITIES

    7.1 Corporate Management Team (CMT)

        The Corporate Management Team will:

        · Act to ensure/monitor the overall strategic direction of Business Continuity Management across the council

        · Ensure that the Business Continuity Management Policy, Strategy and development plan is enforced and resourced appropriately for the benefit of all parts of the council

        · In the event of a serious or widespread disruption to the activities of the council it may be necessary to invoke the Senior Emergency Management Team. In this case the CMT will need to lead the SEMT coordination

    7.2 Chief Officers

        Have responsibility for business continuity performance in their department and are required to:

        · Actively sponsor and sign off the implementation of business continuity and resilience provision in their department

        · Allocate business continuity objectives to senior service managers in the department

        · Nominate one senior manager with specific responsibility for business continuity in their department

        · Allocate sufficient resources to the nominated BCM coordinators for development, training, rehearsals and maintenance of business continuity plans.

        · Ensure that departmental business continuity arrangements are regularly reviewed at DMT level within the department.

        · Provide or delegate the point of escalation for cross department business continuity issues

        · Report on department continuity performance as required

    7.3 Corporate Risk and Business Continuity Steering Group (CRBCSG)

        The CRBCSG will:

        · Undertake leadership and sponsorship of the Business Continuity Management framework under the direction of the Chief Executive.

        · Act as a point of strategic leadership and support to the Emergency Planning Unit

        · Either make decisions regarding assessments and recommendations provided by the Emergency Planning Unit or refer upwards to the Risk Management Board for decision

    7.4 Business Continuity Officer (BCO)

        The Emergency Planning Unit has the lead responsibility for the provision of assistance and advice regarding business continuity throughout the council. The Business Continuity Officer will:

        · Work in partnership with service and corporate representatives on Business Continuity Management issues

        · Support those services in exercising Business Continuity Plans at both corporate and service levels

        · Assess and deliver Business Continuity training in support of corporate and/or service level plans

        · Give guidance and advice in the development of corporate business continuity plans

        · Develop Business Continuity Management documents or templates for use by council services

        · Maintain the availability of Business Continuity Management expertise, guidance and assistance to corporate and service level planning initiatives within the overall Business Continuity Management Strategy

        · Manage, monitor and report on the progress of the Business Continuity Management Strategy and Delivery Plan

        · Promote Business Continuity awareness, advice and assistance to the commercial and voluntary sector within the County

        · Ensure that where appropriate, sections of Business Continuity Plans are published and accessible to the public

        · Support county services in undertaking risk and business impact analysis

        · Monitor, review and maintain Business Continuity Plans

    7.5 Department BCM Coordinators

        Each department is responsible for producing its own business continuity plans at a recovery level. The coordinator will therefore:

        · Manage and co-ordinate the business continuity activities of the department to comply with the corporate business continuity policy.

        · Ensure that written business continuity recovery plans are produced and kept current

        · Ensure that the completed plans are periodically tested.

        · Convene any sub-groups and support teams that will be required to develop and deliver the objectives and priorities.

    7.6 Head of Service

        Head of service is responsible for:

        · Undertaking a Business Impact Analysis for their area of responsibility

        · Preparing a Service Recovery Plan

    8.0 POTENTIAL BCP SCENARIO

    The following three generic types of scenarios are suggested as likely to trigger BCP activation:

    · Scenario 1: Office Accommodation Affected. Under this type of scenario, the offices are closed for normal business activities, but the cause of the disruption has not affected surrounding locations, utilities, or the transportation network. The most likely causes of such disruption are fire; system/mechanical failure; loss of utilities such as electricity, telephone, water, or steam; or explosion (regardless of cause) that produces no significant damage to any other locations or systems used by the service. This type of event could significantly impact Hampshire County Council's communications and information technology capabilities. Service resources located at or adjacent to the location may be damaged or destroyed. Senior management, technical and supporting personnel working at the location may be lost, injured, or not accounted for.

    · Scenario 2: Office Accommodation and Surrounding Area Affected. Under this scenario, the normal place of work as well as supporting locations are closed for normal business activities as a result of widespread utility failure; massive explosion (whether or not originating at the normal place of work); civil disturbance; or credible threats of actions that would preclude access or use of the normal place of work and surrounding areas. Under this scenario there could be uncertainty regarding whether additional events (such as secondary explosions, or utility failures) could occur. During this type of event, the [Service]'s normal place of work and the immediate areas surrounding them are inaccessible.

    · Scenario 3: Supporting Resources Affected. Under this scenario, the offices are left unharmed, but supporting resources are inoperable. These may include loss of staff, loss of IT, storage locations, maintenance locations, or other systems. This type of event could be the result of an illness, natural disaster, workplace violence, cyber attack or other event.

    Assumptions used to support Hampshire County Council's planning for each of these generic scenarios include the following elements.

    · Emergencies or threatened emergencies can adversely impact the service's ability to continue to support critical activities and provide support to the operations of clients and external agencies.

    · When a BCP event is declared, the service will implement a predetermined plan using trained and equipped personnel.

    · Service and non-service personnel and resources located outside the area affected by the emergency or threat will be available as necessary to continue critical activities.

    · Normally available staff members may be rendered unavailable by a disaster or its aftermath, or may be otherwise unable to participate in the recovery.

    · Procedures are sufficiently detailed so someone other than the person primarily responsible for the work can follow them.

    · A disaster may require service users, clients and local agencies to function with limited automated support and some degradation of service, until full recovery is made.

    9.0 STRATEGY FOR RECOVERY

    The BCP is applicable to all Hampshire County Council services, departments, business units, contractors and personnel. The BCP can be activated during duty and non-duty hours, both with and without warning.

    The BCP covers all locations, systems and buildings operated or maintained by Hampshire County Council. The BCP supports the performance of critical activities from alternate locations (due to the primary location becoming unusable, for long or short periods of time) and also provides for continuity of management and decision-making, in the event that senior management or technical personnel are unavailable.

    The BCP will be distributed to senior managers within Hampshire County Council. Training will be provided to personnel with identified responsibilities. There are three levels of written recovery plans:

    · Corporate Summary (Gold),

    · Corporate Incident Management Plan / Department Emergency Management Plan (Silver)

    · Departmental Emergency Plan (Bronze Recovery Plan)

    10.0 OBJECTIVES OF THE BUSINESS CONTINUITY PLANS

    · Maintain command, control and direction during emergencies;

    · Reduce disruptions to operations;

    · Protect essential locations, equipment, records, and other assets;

    · Assess and minimize damage and losses;

    · Provide organisational and operational stability;

    · Facilitate decision-making during an emergency;

    · Achieve an orderly recovery from emergency operations;

    · Assist affected employees and their families;

    · Provide for the line of succession to critical management and technical positions;

    · Provide resources and capabilities to develop plans for restoring or reconstituting regular activities, depending upon the scope, severity, and nature of the incident; and

    · Fulfil the service responsibilities in local and regional emergency plans and agreements with local emergency response and management agencies.

    11.0 OVERVIEW OF EMERGENCY RESPONSE

    11.1 The response to a disaster or emergency situation will be delivered through a response structure similar to other disruptive events i.e. Strategic, Tactical and Operational levels. For HCC this means that there will be three levels of incident response, activated according to the degree of severity:

        · Strategic Emergency Management Team (SEMT)

        · Tactical Management Group (TMG) / Department Emergency Management Team (DEMT)

        · Department Management Teams (DMT)

        For local events therefore it is envisaged that response will be managed through local recovery teams. In the event that the incident is pan council or locally catastrophic it may be necessary to invoke the TMG or SEMT.

        The operational structure for responding to a business continuity event therefore is:

    [Figure 1: Emergency Response framework. Diagram not reproduced; the only surviving label is "TMG/DEMT, Silver".]

    11.2 Strategic Emergency Management Team (SEMT)

        If the disruptive event is of a severe nature then the Strategic Management Team (SEMT) will direct the County Council's response from the County Council Emergency Centre. The SEMT is made up of nominated senior officers from County Council services, led by the Chief Executive. SEMT officers are empowered to direct the resources of their services in support of the County response.

    11.3 Tactical Management Group (TMG) or Department Emergency Management Team (DEMT)

        If the disruptive event spans a number of services then the Tactical Management Group will manage and coordinate the recovery of Hampshire County Council's services at a tactical level by:

        · developing objectives and priorities relevant to a specific incident,

        · coordinating effort and

        · maintaining an overview of resources.

        If the event affects one department only then the event may be managed by the Department Emergency Management Team (DEMT).

    11.4 Department Management Teams (DMT)

        At an operational level, the objectives of the Department Recovery Team will be to:

        · Re-establish the critical activities within the timescales identified during the Business Impact Analysis

        · Provide a level of service such that customers of this function would be otherwise unaware of the disruptive incident

    12.0 COMMUNICATION AND AWARENESS

    12.1 This Business Continuity Management Strategy, the Policy Statement, a Guide to Business Continuity Management and other supporting information will be placed on the Council's Intranet site (Hantsnet) and will be promoted by department management teams.

    12.2 The Business Continuity Officer will provide management, practitioner and validation training in order to familiarise managers with the concept of business continuity management and its processes.

    13.0 TRAINING, TESTING AND MAINTENANCE

    13.1 Training

        It will be obligatory for employees to take part in regular training (e.g. fire drill, evacuation training, plan rehearsals etc.). Organizing such training or tests is the responsibility of Chief Officers, although the Business Continuity Officer will assist in preparing and facilitating such training. The training should take place at a time when its effect on clients and customers is minimal.

    13.2 Rehearsals

        To make the plans effective, regular testing is required. Two types of tests are distinguished: technical and user tests. The technical tests are related to the alarm systems, the computer network, the fire extinguishers, etc. The execution of tests is the responsibility of the applicable department (i.e. Building Management, IT). The user test means that the employees' ability to participate in the actions is regularly tested. The results of the tests are reported to the Corporate Risk and Business Continuity Steering Group. In case of unsatisfactory results, the reasons are determined and alterations may be made to the relevant Business Continuity Plan.

    13.3 Maintenance

        To keep the plans up-to-date and current, alterations may be necessary when procedural changes to service operations occur or when new threats arise; therefore the maintenance of the plans is an ongoing process.

    14.0 REVIEW PROCESS

    14.1 The key Business Continuity Plans will be completed as soon as possible and reviewed annually to ensure that information on service functions, contacts and telephone information is kept up to date. In addition, a programme of testing and exercising will be developed.

    14.2 Any lessons learned from training, exercising or indeed invocation will be incorporated into the rolling annual review process.

    15.0 RISKS TO THE BCM PROGRAMME

        Delivering and achieving a set of fit-for-purpose Business Continuity Plans represents a significant challenge for the County Council. There are two main risks:

    15.1 The first risk is lack of department cooperation to support the introduction of a business continuity regime. Staff and lack of appropriate IT software may have an impact on the timescales in which the programme can be delivered; however, this will only slow, not stop, the process.

    15.2 The second risk is incomplete or out-of-date risk and business impact analysis information. Business Continuity is an ongoing process, which requires services to review frequently the potential impact of an event on service provision. Managers will need to review their plans and business impact analysis at least annually and identify any changes necessary.

    ANNEX A

    SUMMARY OF HAMPSHIRE COUNTY COUNCIL

    BUSINESS CONTINUITY POLICY & OBJECTIVES

    1. Introduction

    1.1 The Civil Contingencies Act 2004 requires Hampshire County Council to ensure that it has prepared, so far as is reasonably practicable, to continue to provide critical activities and an emergency response during any emergency or disruptive event.

    1.2 The following is a description of the Business Continuity Policy and Objectives for Hampshire County Council. This Policy shall be implemented in all service areas and locations where Hampshire County Council (HCC) has an office or employees.

    1.3 The aim of the policy is to mitigate the effect of any incident that causes a severe disruption to the working environment of a business or organisational unit.

    2. Policy Statement

    2.1 Each Hampshire County Council Service will develop, implement and maintain Business Continuity Plans to ensure that the following are achieved:

      · Development of procedures and information, maintained in readiness for use in an incident to enable Hampshire County Council to continue to deliver its critical activities at an acceptable pre-defined level. A critical activity is defined as that which has to be performed in order to deliver the key products and services for HCC in order to meet its most important and time-sensitive objectives. Service areas should consider whether they undertake activities against the following criteria, in which case, for the purposes of Business Continuity Planning only, they may be considered a priority service:

      Priority 1

      Disruption to these activities would have an impact on our ability to deliver where appropriate an emergency response on behalf of the County Council or may result in serious damage to human welfare

      Priority 2

      Disruption of these activities would have an impact resulting in:

        · Impact or breakdown of local community services

        · Damage to the environment

        · Council loses income

        · Council suffers a loss of reputation

      Priority 3

      Activities that do not fall into either of the first two categories

    Recovery Time Objectives for critical activities are assessed according to the criteria described in the table below. The maximum combined score is 15 and the impact tolerance threshold for HCC has been agreed as a combined score of 9.

    Impact scores by impact type (Financial, Reputation, Service):

      N/A (score 0)
        Financial: £0
        Reputation: No loss of reputation
        Service: No loss of service

      Trivial (score 1)
        Financial: <£100k
        Reputation: Minimal neutral media coverage
        Service: Little (or no) impact on service delivery

      Minor (score 2)
        Financial: £100k - £1m
        Reputation: Adverse local media coverage, having limited impact on public opinion
        Service: Minimal service disruption having limited adverse impact on service delivery

      Moderate (score 3)
        Financial: £1 - 5m
        Reputation: Adverse local media coverage, having significant impact on public opinion
        Service: Moderate service disruption having adverse impact on service delivery

      Major (score 4)
        Financial: £5 - 10m
        Reputation: Adverse nationwide media coverage, having major impact on public opinion
        Service: Major service disruption having serious impact on service users

      Catastrophic (score 5)
        Financial: >£10m
        Reputation: Loss of credibility as a competent service provider
        Service: Major service disruption having serious impact on the public

      · Development, maintenance and testing of suitable business recovery plans for all subsidiary business units and locations

      · Regular review of the continuity requirements and plans to ensure that they reflect the needs of the business

    2.2 Each service should assure itself that its key suppliers or partners have effective BCM arrangements in place

    2.3 Each Hampshire County Council Service must review and test their business continuity plan(s) at least annually or at more regular intervals dependent on the level of risk.

    2.4 The Chief Executive is, overall, responsible for ensuring that the management of business continuity is incorporated in Hampshire County Council's processes and structure. Directors are responsible for ensuring that all business units under their control comply with this policy.

    3. Objectives

    3.1 Business Continuity Plans must, as a minimum, contain the following:

      · Purpose and scope

      · Roles and responsibilities

      · Plan invocation

      · Document owner and maintainer

      · Key stakeholder contact details

      · Action plan or task lists

      · Resource requirements

    3.2 Business Continuity Plans must address the following situations:

      · Level 1 Incident

        Nil or minor disruption to Hampshire County Council service output. An incident that generally requires a local service response

      · Level 2 Incident

            Significant disruption to Hampshire County Council services requiring local response but may require a cross department response

      · Level 3 Incident

        Major disruption to services. An incident that requires a wider response than possible from local plans and resources

    3.3 The production of the plan must take account of any plans in other offices within Hampshire County Council, which interact with that office, or of plans, or locations within other Hampshire County Council associated companies operating locally.

    4. Ensuring Business Continuity

    4.1 The provision of business continuity facilities in a given location to meet the above requirements and scope will be based on:

      · Critical and outstanding business being transferred to another Hampshire County Council location in the region (subject to meeting regulations applicable to the category of incident which has occurred) or

      · Wherever possible, and allowed by regulations, staff carrying out critical business activities or maintaining client contact from home or a location to be obtained after the incident (e.g. hotel or conference locations) or

      · The possibility of critical business being transferred to a Hampshire District or Borough location or

      · Provision of specific recovery locations locally to Hampshire County Council. Wherever possible these should be outside of the immediate area of the location for which the plan has been produced.

    4.2 Where specific recovery locations are to be provided, comparative costings should be obtained and compared to potential risk of business loss as the basis for a decision on acceptability. Where costs cannot be absorbed by Services, the proposals should be passed to the Corporate Risk Group.

    5. Audit and Governance

    5.1 BCM arrangements form part of Hampshire County Council's overall internal control environment, which are subject to annual review by the Audit and Governance Committee.

    Annex B. BCM Framework for Hampshire County Council

    Columns: BCM PROCESS / RESPONSE STRUCTURE / SUPPORTING PLANS / RESPONSIBILITY / TRAINING REQUIRED

    BCM process, Initiation:

      Project proposal
      Policy
      Strategy
      Risk Register
      Steering Group (TOR)
      CRG

    Response structure, Gold (Strategic):

      Supporting plans: Corporate Summary (SEMT)

      Responsibility: Chief Executive and Management team. Implementation through Chief Officers

      Training required:
        · Management briefing
        · Gold Rehearsal Validation
        · Management briefing
        · Induction awareness training
        · Practitioner training

    BCM process, Delivery:

      Website
        · Process/ guide
        · BIA
        · Risk Assessment
        · Template plans

      Culture and training
        · Management
        · Awareness
        · Practitioner BIA/RA
        · Validation

      Rehearsals
        Gold, Silver and Bronze level rehearsal programme

    BCM process, Maintenance and Audit:

      BCM Structure
      Plans
      Document control

    Response structure, Silver (Tactical):

      Supporting plans: Incident Management Plan (TMG) and Eight Department Plans (DEMT)

      Supported by:
        · Internal Comms plan
        · HR plan
        · Finance plan
        · IT plan
        Area plans

      Responsibility: Nominated second tier managers and their deputy are responsible for ensuring that business continuity is delivered/coordinated in their department. In addition it is proposed that they will sit on the IMT. They are the primary contact for BCM issues

      Training required:
        · Management briefing
        · Practitioner training
        · Silver Rehearsal Validation

    Response structure, Bronze (Operational):

      Supporting plans: Individual Service Recovery Plans (DMT)

      Responsibility: Team managers or leaders

      Training required:
        · Practitioner training
        · Bronze Rehearsal Validation