    Hampshire County Council

    Business Continuity

    Business Continuity Management Policy

Author: M Donlon

Version Number: 2.2

Date of creation: 01/03/07

Date of Update: 16/04/07

Document Identity

Document Name: HCC BCM Policy

Description: BCM Policy

Date document created: 01/03/07

Date of last update: 15/05/07

Format: MSWord

Location of master copy: HCC I drive

Review date: Ongoing

Author: Mark Donlon

Owner: Mark Donlon

    Version Control

    BUSINESS CONTINUITY MANAGEMENT POLICY

    CONTENTS PAGE

    Chief Executive's Statement of Intent

    1.0 Introduction

    2.0 Scope

    3.0 Policy Statement

    4.0 Implementation Policy

    5.0 Roles and Responsibilities

    6.0 Strategy for Recovery

    7.0 Communication and Awareness Policy

    8.0 Training, Testing and Maintenance Policy

    9.0 Review Process

    10.0 Audit and Governance

    Annex A: BCM Framework for Hampshire County Council

    CHIEF EXECUTIVE'S STATEMENT OF INTENT

    Business Continuity Management (BCM) helps manage the risks to the smooth running of an organisation or delivery of a service both in the private and public sector, by ensuring that the business and the services it delivers can continue in the event of a disruption. The source of the disruption may be internal such as loss of key staff or a technological systems failure, or it might be an external influence such as a weather-related or utility-related incident or even the business failure of one of our key suppliers. BCM provides a framework for improving our resilience to interruption so that key business systems and processes can be recovered while at the same time ensuring we can provide business critical functions and vital services.

    The Civil Contingencies Act 2004 requires Hampshire County Council to ensure that it has prepared, so far as is reasonably practicable, to continue to provide critical activities and an emergency response during any emergency or disruptive event.

    In addition to the Civil Contingencies Act, the British Standard BS 25999-1:2006 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings. Hampshire County Council will use this standard as a basis for developing its Business Continuity arrangements.

    Therefore each of our services will need to:

      · Identify their vulnerabilities and where they are exposed

      · Reduce their exposure

      · Be prepared by having alternative arrangements in place

    This Business Continuity Management Policy provides the framework for Business Continuity Plans to be developed, implemented, tested and reviewed and was approved by Hampshire County Council Risk Management Board on February 28th March 2007.

    Whilst we believe all our work is essential to our corporate objectives, if a disruptive event does affect Hampshire County Council then we will need to be able to prioritise the order in which we recover our services and utilise our resources in order to continue to deliver those critical activities.

    Chief Executive

    1.0 INTRODUCTION

    1.1 The Civil Contingencies Act 2004 requires Hampshire County Council to ensure that it has prepared, so far as is reasonably practicable, to continue to provide critical activities and an emergency response during any emergency or disruptive event.

    1.2 Hampshire County Council's Business Continuity Policy shall be implemented in all service areas and locations where Hampshire County Council (HCC) has an office or employees.

    1.3 The aim of the policy is to describe how Hampshire County Council intends to mitigate the effect of any incident that causes a severe disruption to the working environment of a department, service or functional area.

    1.4 Assumptions used to support Hampshire County Council's planning process include the following elements.

      · Emergencies or threatened emergencies can adversely impact the service's ability to continue to support critical activities and provide support to the operations of clients and external agencies.

      · When a BCP event is declared, the service will implement a predetermined plan using trained and equipped personnel.

      · Service and non-service personnel and resources located outside the area affected by the emergency or threat will be available as necessary to continue critical activities.

      · Normally available staff members may be rendered unavailable by a disaster or its aftermath, or may be otherwise unable to participate in the recovery.

      · Procedures are sufficiently detailed so someone other than the person primarily responsible for the work can follow them.

      · A disaster may require service users, clients and local agencies to function with limited automated support and some degradation of service, until full recovery is made.

    2.0 SCOPE

    Hampshire County Council (HCC) undertakes activities and services that must be performed, or rapidly and efficiently resumed, in an emergency. While the impact of an emergency cannot be predicted, planning for operations under such conditions can mitigate the impact of the emergency on our people, our office locations and our objectives. To that end, Hampshire County Council is undertaking a continuous programme of work to prepare a Business Continuity Plan (BCP).

    Business Continuity Planning is a good business practice and forms part of the fundamental objectives of this organisation as part of its corporate governance regime. The changing threat environment and recent emergencies have created awareness of the need for BCP capabilities that enable services to continue their critical activities across a broad spectrum of emergencies.

    Hampshire County Council's Business Continuity Plans aim to:

    · Prioritise people's safety

    · Maintain essential services

    · Protect buildings and their contents

    3.0 POLICY STATEMENT

    Each Hampshire County Council Service will develop, implement and maintain Business Continuity Plans to ensure that the following are achieved:

    3.1 Development of procedures and information, maintained in readiness for use in an incident to enable Hampshire County Council to continue to deliver its critical activities at an acceptable predefined level. A critical activity is defined as that which has to be performed in order to deliver the key products and services for HCC in order to meet its most important and time sensitive objectives. Service areas will prioritise and group their critical activities against the following criteria:

      · Priority 1 - Disruption to these activities might have an impact on our ability to deliver an emergency response on behalf of the county council or may result in serious damage to human welfare

      · Priority 2 - Disruption to these activities might have an impact resulting in impact or breakdown of local community services, damage to the environment, loss of income to the council or loss of reputation for the council

      · Priority 3 - Activities that do not fall into either of the first two categories

    3.2 Recovery Time Objectives for critical activities are assessed according to the criteria described in the risk impact matrix below. The maximum combined score is 15 and the impact tolerance threshold for HCC has been agreed as a combined score of 9.

| Impact | Score | Impact type: Financial | Impact type: Reputation | Impact type: Service |
|---|---|---|---|---|
| N/A | 0 | £0 | No loss of reputation | No loss of service |
| Trivial | 1 | <£100k | Minimal neutral media coverage | Little (or no) impact on service delivery |
| Minor | 2 | £100k - £1m | Adverse local media coverage, having limited impact on public opinion | Minimal service disruption having limited adverse impact on service delivery |
| Moderate | 3 | £1 - 5m | Adverse local media coverage, having significant impact on public opinion | Moderate service disruption having adverse impact on service delivery |
| Major | 4 | £5 - 10m | Adverse nationwide media coverage, having major impact on public opinion | Major service disruption having serious impact on service users |
| Catastrophic | 5 | >£10m | Loss of credibility as a competent service provider | Major service disruption having serious impact on the public |

    3.3 Development, maintenance and testing of suitable business recovery plans for all subsidiary business units and locations

    3.4 Regular review of the continuity requirements and plans to ensure that they reflect the needs of the business

    3.5 The production of a plan must take account of any plans in other offices within Hampshire County Council, which interact with that office, or of plans, or locations within other Hampshire County Council associated companies operating locally.

    3.6 Each service should assure itself that its key suppliers or partners have effective BCM arrangements in place

    3.7 Each Hampshire County Council Service must review and test their business continuity plan(s) at least annually or at more regular intervals dependent on the level of risk or if there has been significant change in the infrastructure of a service.

    3.8 The Chief Executive is, overall, responsible for ensuring that the management of business continuity is incorporated in Hampshire County Council's processes and structure. Chief Officers are responsible for ensuring that all services under their control comply with this policy.

    4.0 IMPLEMENTATION FRAMEWORK

    The delivery of business continuity management in the departments will be based on a principle of central support for a local delivery. Because of the scale of the BCM project, each department will be responsible for producing its own plans, with the Business Continuity Officer providing support, guidance and advice as appropriate. Each department will have a nominated business continuity champion. That person will sit on the Corporate Risk and Business Continuity Steering Group. They will identify service heads within their departments who will undertake a business impact analysis and prepare a service recovery plan. Alternatively, the service head may choose to nominate another officer to carry out that task on their behalf.

    5.0 ROLES AND RESPONSIBILITIES

    5.1 Corporate Management Team (CMT) will:

      · Act to ensure/monitor the overall strategic direction of Business Continuity Management across the council

      · Ensure that the Business Continuity Management Policy, Strategy and development plan is enforced and resourced appropriately for the benefit of all parts of the council

      · In the event of a serious or widespread disruption to the activities of the council it may be necessary to invoke the Senior Emergency Management Team. In this case the CMT will need to lead the SEMT coordination

    5.2 Chief Officers

      · Actively sponsor and sign off the implementation of business continuity and resilience provision in their department

      · Allocate business continuity objectives to senior service managers in the department

      · Nominate one senior manager with specific responsibility for business continuity in their department

      · Allocate sufficient resources to the nominated BCM coordinators for development, training, rehearsals and maintenance of business continuity plans.

      · Ensure that departmental business continuity arrangements are regularly reviewed at DMT level within the department.

      · Provide or delegate the point of escalation for cross department business continuity issues

      · Report on department continuity performance as required

    5.3 Corporate Risk and Business Continuity Steering Group (CRBCSG) will:

      · Undertake leadership and sponsorship of the Business Continuity Management framework under the direction of the Chief Executive.

      · Act as a point of strategic leadership and support to the Emergency Planning Unit

      · Either make decisions regarding assessments and recommendations provided by the Emergency Planning Unit or refer upwards to the Risk Management Board for decision

    5.4 Business Continuity Officer (BCO)

    The Emergency Planning Unit has the lead responsibility for the provision of assistance and advice regarding business continuity throughout the council. The Business Continuity Officer will:

      · Work in partnership with service and corporate representatives on Business Continuity Management issues

      · Support those services in exercising Business Continuity Plans at both corporate and service levels

      · Assess and deliver Business Continuity training in support of corporate and/or service level plans

      · Give guidance and advice in the development of corporate business continuity plans

      · Develop Business Continuity Management documents or templates for use by council services

      · Maintain the availability of Business Continuity Management expertise, guidance and assistance to corporate and service level planning initiatives within the overall Business Continuity Management Strategy

      · Manage, monitor and report on the progress of the Business Continuity Management Strategy and Delivery Plan

      · Promote Business Continuity awareness, advice and assistance to the commercial and voluntary sector within the County

      · Ensure that where appropriate, sections of Business Continuity Plans are published and accessible to the public

      · Support county services in undertaking risk and business impact analysis

      · Monitor, review and maintain Business Continuity Plans

    5.5 Department BCM Coordinators

    Each department is responsible for producing its own business continuity plans at a recovery level. The coordinator will therefore:

      · Manage and co-ordinate the business continuity activities of the department to comply with the corporate business continuity policy.

      · Ensure that written business continuity recovery plans are produced and kept current

      · Ensure that the completed plans are periodically tested.

      · Convene any sub groups and support teams that will be required to develop and deliver the objectives and priorities.

    5.6 Head of Service

    The Head of Service is responsible for:

      · Undertaking a Business Impact Analysis for their area of responsibility

      · Preparing a Service Recovery Plan

      · Ensuring that arrangements are made to test, maintain and review service recovery plans that are their responsibility

    6.0 STRATEGY FOR RECOVERY

    The BCP is applicable to all Hampshire County Council services, departments, business units, contractors and personnel. The BCP can be activated during duty and non-duty hours, both with and without warning.

    The BCP covers all locations, systems and buildings operated or maintained by Hampshire County Council. The BCP supports the performance of critical activities from alternate locations (due to the primary location becoming unusable, for long or short periods of time) and also provides for continuity of management and decision-making, in the event that senior management or technical personnel are unavailable.

    The BCP will be distributed to senior managers within Hampshire County Council. Training will be provided to personnel with identified responsibilities. There are three levels of written business continuity plans:

      · Corporate Summary (Gold),

      · Corporate Incident Management Plan / Department Emergency Management Plan (Silver)

      · Departmental Emergency Plan (Bronze Recovery Plan)

    7.0 COMMUNICATION AND AWARENESS

    7.1 The Business Continuity Management Policy, a Guide to Business Continuity Management and other supporting information will be placed on the Council's Intranet site (Hantsnet) and will be promoted by department management teams.

    7.2 The Business Continuity Officer will provide management, practitioner and validation training in order to familiarise managers with the concept of business continuity management and its processes.

    7.3 Promoting business continuity awareness throughout the organisation will primarily be achieved through an e-learning package on Hantsnet, together with articles in staff magazines.

    8.0 TRAINING, TESTING AND MAINTENANCE

    8.1 Training

    It will be obligatory for employees to take part in regular training. Organising such training or tests is the responsibility of Chief Officers, although the Business Continuity Officer will assist in preparing and facilitating such training. The training will take place at a time when its effect on our customers is minimal.

    8.2 Rehearsals

    To make the plans effective, regular testing is required. The results of the tests will be reported to the Corporate Risk and Business Continuity Steering Group. In case of unsatisfactory results, the reasons are determined and alterations may be made to the relevant Business Continuity Plan.

    8.3 Maintenance

    To keep the plans up-to-date and current, alterations may be necessary when procedural changes to service operations occur or when new threats arise; therefore the maintenance of the plans is an ongoing process.

    9.0 REVIEW PROCESS

    9.1 The key Business Continuity Plans will be completed as soon as possible and reviewed annually to ensure that information on service functions, contacts and telephone information is kept up to date. In addition, a programme of testing and exercising will be developed.

    9.2 Any lessons learned from training, exercising or indeed invocation will be incorporated into the rolling annual review process.

    10.0 AUDIT AND GOVERNANCE

    BCM arrangements form part of Hampshire County Council's overall internal control environment, which is subject to annual review by the Audit and Governance Committee.

    The diagram below sets out the framework within which business continuity plans will be developed and monitored within the county council:

BCM PROCESS

Initiation:

· Project proposal

· Policy

· Strategy

· Risk Register

· Steering Group (TOR)

· CRG

Delivery:

Website

· Process/ guide

· BIA

· Risk Assessment

· Template plans

Culture and training

· Management

· Awareness

· Practitioner BIA/RA

· Validation

Rehearsals

· Gold, Silver and Bronze level rehearsal programme

Maintenance and Audit

· BCM Structure

· Plans

· Document control

RESPONSE STRUCTURE, SUPPORTING PLANS, RESPONSIBILITY AND TRAINING REQUIRED

Gold (Strategic)

Supporting plans: Corporate Summary (SEMT)

Responsibility: Chief Executive and Management team. Implementation through Chief Officers

Training required:

· Management briefing

· Gold Rehearsal Validation

· Management briefing

· Induction awareness training

· Practitioner training

Silver (Tactical)

Supporting plans: Incident Management Plan (TMG) and Eight Department Plans (DEMT)

Supported by:

· Internal Comms plan

· HR plan

· Finance plan

· IT plan

Area plans

Responsibility: Nominated second tier managers and their deputy are responsible for ensuring that business continuity is delivered/coordinated in their department. In addition it is proposed that they will sit on the IMT. They are the primary contact for BCM issues

Training required:

· Management briefing

· Practitioner training

· Silver Rehearsal Validation

Bronze (Operational)

Supporting plans: Individual Service Recovery Plans (DMT)

Responsibility: Team managers or leaders

Training required:

· Practitioner training

· Bronze Rehearsal Validation

    Annex A. BCM framework for Hampshire County Council