Chapter 6 Business Continuity Management - GOV.UK


Chapter 6 Business Continuity Management
Revision to Emergency Preparedness
Civil Contingencies Act Enhancement Programme
March 2012
V3: Last updated 09/12/2010
Last updated: March 2012
PAGE 1

Emergency Preparedness Business Continuity Management

Chapter 6 (Business Continuity Management) of Emergency Preparedness, Revised Version

Summary

- The Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions (paragraphs 6.1 - 6.13).

- Category 1 responders must have regard to assessments of both internal and external risks when developing and reviewing business continuity plans (BCPs) (paragraphs 6.14 - 6.16).

- Business continuity plans may take the form of generic plans - which set out the core of a Category 1 responder’s response to any BCM event - or specific plans dealing with particular risks, sites or services (paragraphs 6.17 - 6.19).

- There must be a clear procedure for invoking the business continuity plan (paragraph 6.20).

- BCPs must include arrangements for exercises for the purpose of ensuring the plan is effective, and arrangements for the provision of training to those involved in implementing the plan. Plans must be reviewed and kept up to date (paragraphs 6.21 - 6.28).

- Category 1 responders are required to publish aspects of their BCPs insofar as making this information available is necessary or desirable for the purposes of dealing with emergencies (paragraphs 6.29 - 6.31).

- The British Standard for Business Continuity (BS25999) is widely acknowledged as industry best practice. It provides a generic framework that is applicable across the public, private and voluntary sectors (paragraphs 6.43 - 6.107).

WHAT THE ACT AND THE REGULATIONS REQUIRE

Scope of the duty

6.1. The Act requires Category 1 responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency, so far as is reasonably practicable.[1]

6.2. The duty to maintain plans relates to all the functions of a Category 1 responder, not just its civil protection functions. For Category 1 responders to help others in the event of an emergency, they first need to be able to keep their own crisis response capabilities going. However, Category 1 responders also need to be able to continue to deliver critical aspects of their day-to-day functions (e.g. law enforcement, looking after vulnerable people, attending minor fires) in the event of an emergency, if the impact on the community is to be kept to a minimum.

[1] s.2(1)(c)

6.3. It may, therefore, be helpful to think of the business continuity management (BCM) duty in the Act as being separated into two strands. In practice, the Act requires Category 1 responders to maintain plans to ensure that they can:

- continue to exercise their civil protection functions: The legislation requires Category 1 responders to maintain plans to deal with emergencies (see Chapter 5) and put in place arrangements to warn and inform the public in the event of an emergency (see Chapter 7). The BCM duty requires Category 1 responders to maintain plans to ensure that they can deliver these capabilities when they are required.

- continue to perform their ordinary functions: Category 1 responders perform a range of functions that are important to the human welfare and security of the community and its environment (e.g. provision of health care, detection of crime, fighting fires). This is particularly true in an emergency situation, where operational demands often increase and the operating environment can become more challenging. The legislation requires Category 1 responders to make provision for ensuring that their ordinary functions can be continued to the extent required.

6.4. Organisations should not only look at the resilience of internal structures and processes, but also those of organisations they rely on, or deliver services through.

6.5. The Act requires Category 1 responders to put in place plans to ensure that they can continue their functions in the event of an emergency.[2] This requires them to ensure that those organisations delivering services on their behalf (e.g. contracted-out services) or capabilities which underpin service provision (e.g. information technology and telecommunications providers) can deliver to the extent required in the event of an emergency. This is because services remain part of an organisation’s functions even if they do not directly provide them.

Limits of the duty

Definition of emergency

6.6. BCM is a flexible framework designed to help organisations to continue operating in the face of a wide range of different types of disruptions right the way along the spectrum of severity. BCM does not however embrace all dimensions of an organisation’s resilience, and one important distinction is between BCM and crisis management. The Publicly Available Specification on Crisis Management (PAS200) identifies crisis management as wider ranging and inherently strategic in nature. BCM in turn is a more operationally focused activity to ensure that service disruptions are managed, potentially cascading impacts are mitigated and services are maintained. For further details and for guidance on developing a crisis management capability see ment---new-guidance-for-crisis/ (including link to the BSI website).

6.7. The BCM duty, however, is determined by the definition of emergency in the Act. The Act therefore imposes a duty on Category 1 responders to put in place plans to ensure that they can continue to exercise their functions in the event of a much narrower range of disruptive challenges.[3]

6.8. The duty applies only to those events or situations defined as an emergency in section 1 of the Act - events or situations that threaten serious damage to the human welfare, environment or security of a place in the United Kingdom. This should be read in conjunction with section 2(2) of the Act, which provides that an event or situation is only an emergency when it overwhelms existing response arrangements, and cannot be dealt with within existing resources or procedures (see Chapter 1 for an in-depth description of the definition of “emergency” underpinning Part 1 of the Act).

[2] s.2(1)(c)
[3] s.2(1)(c) and s.2(2)

6.9. While the duty focuses on the most challenging situations, it is likely that plans put in place to fulfil their duty under the Act will help Category 1 responders to prepare for a much wider range of day-to-day (i.e. non-emergency) interruptions. By putting in place plans to keep themselves going in the event of an emergency, Category 1 responders will build resilience to a wider range of less serious events.

Practicability

6.10. Ideally, Category 1 responders would be able to continue all of their functions at ordinary service levels in the event of an emergency. In practice, this may not prove possible, and therefore the duty is qualified.

6.11. The Act requires Category 1 responders to put in place arrangements to ensure that they continue to exercise their functions in the event of an emergency so far as is reasonably practicable.[4]

6.12. The qualification “so far as is reasonably practicable” has three elements to it:

- Criticality: Category 1 responders should focus on ensuring that they can deliver critical functions. Which of its functions are critical is a matter that can be determined only by the organisation itself, and may depend on the nature of the emergency in question. Category 1 responders should not lose sight of the common supporting infrastructure underpinning these functions. The following guiding principles should be used when deciding whether or not a service or activity is critical. It is not intended to be a definitive list, but rather a series of useful indicators:

  - Emergency management/civil protection: Functions that underpin the Category 1 responder’s capability to respond to the emergency itself, and take effective action to reduce, control or mitigate the effects of the emergency.
  - Impact on human welfare, the environment and security: The significance of services to the effective functioning of the community in the event of an emergency, or an adverse effect on the environment.
  - Legal implications: Statutory requirements on Category 1 responders and the threat of litigation if a service is not delivered, or is delivered inadequately.
  - Financial implications: Loss of revenue and payment of compensation.
  - Reputation: Functions that impact on the credibility and public perception of a Category 1 responder.

- Service levels: The Act does not require Category 1 responders to continue to deliver their functions at ordinary levels in the event of an emergency. Some critical functions may need to be scaled up, while others (which are non-critical) may need to be scaled down or suspended. Acceptable levels of service in the event of an emergency are a matter for the Category 1 responder itself to determine in the light of its capabilities, constraints and the needs of the community.

- Balance of investments: No organisation will be in a position to commit unlimited resources to BCM. It is the role of the Category 1 responder itself to decide the level of protection sought.

[4] s.2(1)(c)

6.13. Category 1 responders must therefore put in place a process for effectively managing the prioritisation of services - and getting high-level endorsement for these decisions - prior to an emergency occurring. The business impact analysis (BIA) process described later in this chapter gives a methodology for undertaking this work.

Risk assessment

6.14. It is important that Category 1 responders identify the significant risks threatening the performance of critical functions in the event of an emergency or disruption, as this will enable them to focus resources in the right areas, and develop appropriate continuity strategies.[5]

6.15. In this context, there are two strands to risk assessment, relating to external threats (i.e. risk of an emergency occurring) and internal risks (i.e. business risks) that could cause loss or disruption of critical services required to control, reduce or mitigate the effects of an emergency or disruption.

6.16. The Act requires Category 1 responders to identify and assess significant risks of an emergency occurring in their area - in accordance with their particular functions - as a basis for performing their other civil protection duties (see Chapter 4).[6] The Regulations require Category 1 responders to have regard to assessments of risk maintained pursuant to the Act when developing BCPs.[7] The Act requires Category 1 responders to consider whether a risk assessment makes it necessary or desirable to review a BCP.[8] It is good practice, in any instance, to review BCPs in conjunction with risk registers and vice versa.

[5] regulation 21
[6] s.2(1)(a)
[7] regulation 19
[8] s.2(1)(e)

Generic and specific plans

6.17. As with emergency plans, the Regulations provide that Category 1 responders may use generic plans, specific plans, or a combination of the two in business continuity planning. A generic plan is a core plan which enables a Category 1 responder to respond to a wide range of possible impacts, setting out the common elements of the response to these (e.g. invocation procedure, command and control, access to financial resources).

6.18. Specific plans may be required in relation to specific risks, sites or services. Specific plans provide a detailed set of arrangements designed to go beyond the generic arrangements when these are unlikely to prove sufficient.

6.19. Specific plans will usually operate within the framework established by the generic plan. It is a matter for Category 1 responders themselves to decide - in the light of assessments of risk - what, if any, specific plans are required.

Plan invocation

6.20. The Regulations specifically require Category 1 responders to establish a procedure for determining when an emergency has occurred which affects its ability to continue to perform its functions.[9] In other words, there must be a clear procedure for invoking the plan. Where continuity of critical functions is threatened in the event of an emergency, there should be a clearly laid out escalation procedure. This should be identified, agreed and documented within the plan. The Regulations specifically require this procedure to:

- identify the person who should determine whether such an emergency has occurred;
- specify the procedure that person should adopt in taking that decision;
- specify the persons who should be consulted before such a decision is taken; and
- specify the persons who should be informed once a decision has been taken.

Exercising BCPs

6.21. Exercises provide demonstrable evidence of a business continuity and incident management competence and capability. A BCP cannot be considered reliable until it is exercised and has proved to be workable. As part of the BC process there is a continual need to prove plans and strategies by testing. No matter how well designed and thought-out a BCM strategy or BCP appears to be, a series of robust and realistic exercises will identify areas that require amendment.

6.22. The Regulations require Category 1 responders to put in place arrangements for exercising BCPs in order to ensure that they are effective.[10] These arrangements should encompass the three principal purposes of exercising:

- validating plans - to verify that the plan works;
- rehearsing key staff - to familiarise key staff with what is expected of them in a crisis and preparing them for crisis conditions; and
- testing systems - to ensure that systems relied upon to deliver resilience (e.g. uninterrupted power supply) function correctly and offer the degree of protection expected.

[9] regulation 24
[10] regulation 25(a)

6.23. As a simple rule, if it has not been tested it does not work. Exercising must be maintained to hold credibility and encourage ownership across the organisation. Tests should build on the organisation’s past experience. The exercising programme should be flexible, and the focus and frequency of exercises should be responsive to:

- the rate of change - where the pace of change (e.g. to the organisation or risk profile) is particularly rapid, exercises may need to be more frequent; and
- outcomes of previous exercises - the identification of particular weaknesses and subsequent changes to plans may necessitate further exercising.

Training key staff

6.24. It is important to ensure that relevant people across the Category 1 responder - and in other organisations where appropriate - are confident and competent concerning the plan. It is particularly important that staff receive appropriate training prior to exercising. This will ensure that they are adequately prepared for what can be a challenging experience.

6.25. The Regulations require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.[11] This should be reflected in plans. This should cover:

- the contents of the plan - how is the plan invoked? What are the key decision-making processes? Who else needs to be involved?
- their role in implementing the plan - what is expected of them? How do they fit into the wider picture?
- key skills and knowledge required in crisis response.

Reviewing and maintaining BCPs

6.26. The Act specifically requires Category 1 responders to maintain business continuity plans to ensure that they can continue to deliver key services in the event of an emergency.[12] This means that Category 1 responders must not only put plans in place, but ensure that they are reviewed and kept up to date.

6.27. Category 1 responders exist in a dynamic environment - organisations themselves and the environment they operate in are subject to change. BCPs need to be reviewed and updated to ensure that they remain valid. The following aspects of plans should be reviewed:

- personnel - staff turnover means that contact details will need constant updating;
- the responsibilities of the Category 1 responder - where a Category 1 responder takes on new functions or delivers new services, this should be reflected;
- organisational structures - where responders have experienced restructuring this may need to be reflected in plans;
- suppliers or contractors - ensuring that the details of suppliers and contractors are kept up to date;
- risk assessments - the Act requires Category 1 responders to review plans in the light of changes to risk assessments;[13] and
- business objectives/processes.

[11] regulation 25(b)
[12] s.2(1)(c)
[13] s.2(1)(e)

6.28. The frequency of plan review will depend on the rate of change within the organisation and the environment it operates within. Plan maintenance should take place on an ongoing basis, but all business continuity plans should be comprehensively reviewed at appropriate intervals.

Publication of BCPs

6.29. Communication with customers or service users - who may need information about service continuity in the event of an emergency - is important to community resilience. Emergencies cause serious disruption to people’s lives and increase reliance on public sector bodies - provision of information about what they can and cannot expect from Category 1 responders in the event of an emergency may help to minimise this disruption.

6.30. The Act requires the publication of aspects of BCM plans in so far as this is necessary or desirable for the purposes of preventing, controlling or mitigating the effects of an emergency or otherwise responding to the emergency.[14]

6.31. Category 1 responders need only publish information where there is a positive benefit in doing so. For example, a Category 1 responder need not publish internal management information which would be of little relevance or interest to the public. Furthermore, the Regulations prohibit the publication of sensitive information (e.g. commercially confidential information, personal data) where consent has not been received from the originator of the information, or where the public interest in disclosure fails to outweigh the interests of the organisation or individual concerned.

[14] s.2(1)(f)

Box 6.0: Further advice and information

Also included in this chapter is further advice about BCM and information that is not supported directly by the Act, but responders may find it useful in fulfilling their duties under the Act. These sections of text are distinguished by inclusion in a text box like this one.

How the Act and Regulations apply in Scotland, Wales and Northern Ireland

6.32. The Act and the Regulations apply in Scotland to bodies outside devolved competence in the same way as they apply in England.

6.33. The Regulations made by the Scottish Ministers make provision as to how Category 1 responders in Scotland that fall within devolved competence should exercise their duty under the Act to maintain business continuity plans.

Wales

6.34. The Act and the Regulations apply in Wales in the same way as they apply in England.

Northern Ireland

6.35. The Act and the Regulations apply to Category 1 responders exercising functions in Northern Ireland in the same way as they apply in England, but see information in Chapter 12 in relation to the Police Service of Northern Ireland.

HOW THE REQUIREMENTS OF THE ACT AND THE REGULATIONS MAY BE CARRIED OUT

6.36. This section provides practical guidance on taking forward a BCM programme within a Category 1 responder organisation. It describes the discipline of BCM and outlines a methodology for implementing it. Category 1 responders must have regard to this material and may find it useful in fulfilling their duties under the Act. While the Government considers this to be a sound approach, Category 1 responders may use other models to deliver statutory requirements where there are compelling reasons for doing so.

6.37. The Government is keen to give Category 1 responders the flexibility to make the best use of the resources and expertise available to them. The Regulations permit Category 1 responders to enter into collaborative arrangements in order to fulfil the BCM duty.[15] Category 1 responders may:

- deliver the duty separately;
- deliver the duty jointly (e.g. by forming a joint BCM unit or resource);
- agree that one Category 1 responder will facilitate the delivery of a BCM programme on behalf of a number of other Category 1 responders; or
- enter into collaborative arrangements in which one or more Category 1 responders give assistance to others in fulfilling their BCM duties (e.g. managing the overarching programme, developing framework plans).

[15] regulations 8 and 9

6.38. However, BCM must be owned and driven within the organisation itself - and engage the expertise and resources of its staff - in order to be effective. While collaborative arrangements can be used to make use of BCM expertise or resources in other Category 1 responders, responsibility for the robustness of BCM arrangements must remain within the organisation.

What is business continuity and business continuity management?

6.39. Business continuity[16] is the strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

6.40. Business continuity management provides the strategic framework for improving an organisation’s resilience to interruption. Its purpose is to facilitate the recovery of key business systems and processes within agreed time frames, while maintaining the delivery of the Category 1 responder’s identified critical functions. It assists organisations to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect.

6.41. BCM is a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It also provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and core business activities. Business continuity management involves managing the recovery or continuation of activities in the event of a disruption, and management of the overall programme through training, exercises and reviews, to ensure business continuity plans stay current and up-to-date.

[16] BS25999 definition of business continuity

6.42. BCM is valid across the public, private and voluntary sectors. It is about maintaining the essential business deliverables of an organisation in an emergency. The primary ‘business’ of private sector organisations is the generation of profit, a process that BCM seeks to protect. Category 1 responders provide services to the public, and it is equally important that these are protected and resilient.

BCM methodology

6.43. The British Standard for business continuity (BS25999) works on a six-stage process widely acknowledged as best practice. This model provides a generic framework that is applicable across the public, private and voluntary sectors. This standard, or its equivalent in the water industry, the Security and Emergency Measures Direction (SEMD), provides a good basis for BCM.

6.44. Figure 6.1 illustrates this approach. The rest of the chapter describes this process, and supports Category 1 responders in using this framework to fulfil their duties under the Act.

Figure 6.1: The business continuity management lifecycle. [Figure not reproduced in this transcription; source label: BS 25999-1:2006 British Standard, business continuity management, Part 1: Code of Practice.][17]

[17] Permission to reproduce extracts from BS25999 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: 44 (0)20 8996 9001, Email: cservices@bsigroup.com.

6.45. As Figure 6.1 shows, the six stages of the process are:

- Stage 1: BCM programme management: Programme management is at the heart of the process. It requires the participation of senior management and establishes the organisation’s approach to business continuity.
- Stage 2: Understanding the organisation: This element assists in the understanding of the organisation through the identification of its key products and services and the critical activities and resources that support them. This element ensures that the BCM programme is aligned to the organisation’s objectives, obligations and statutory duties.
- Stage 3: Determining business continuity strategy: This element allows the organisation to select its strategies in order to meet its objectives.
- Stage 4: Developing and implementing a BCM response: This stage looks at the need for Category 1 responders to develop and implement plans and arrangements to ensure continuity of critical activities, and the management of an incident.
- Stage 5: Exercising, maintaining and reviewing BCM arrangements: An organisation’s arrangements cannot be considered reliable until exercised. This element ensures that an organisation’s BCM arrangements are validated by exercise and review and that they are kept up-to-date.
- Stage 6: Embedding BCM in the organisation’s culture: Business continuity must become part of the way an organisation is managed to be effective. This stage provides the overarching element that ensures that opportunities are used at the various stages of the BCM process.

Delivering BCM arrangements

Stage 1: BCM programme management

6.46. In order to be successful, BCM must be regarded as an integral part of a Category 1 responder’s normal management processes.

6.47. Achieving top-level buy-in is vital to developing robust BCM arrangements. Engaging senior officers is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation. However, the commitment of the top level is particularly important in relation to BCM because:

- it requires the leverage they exert across the organisation in order to be effective;
- it requires decisions about attitudes to risk and service prioritisation that can only be taken at the top level; and
- the top team is responsible for ensuring that effective governance arrangements are in place.

Leadership

6.48. Experience has shown that there is merit in giving a member of the executive management board overall responsibility for the BCM process by being appointed as the champion within the organisation. This will ensure that the profile of BCM issues is increased and decisions are made at the appropriate level.

6.49. BCM is an ongoing process and it is important to gain the support and endorsement of the board at the end of each stage of the cycle. Critically, it should be the responsibility of senior management to provide the assurance that BCM arrangements are robust and meet the requirements of the Act.

BCM co-ordinator

6.50. Governance is about accountability, responsibility and control. A person with the appropriate seniority and authority should be identified as accountable for BCM policy, implementation and operation.

6.51. Implementation planning should include arranging appropriate training for staff and exercising the capability; this stage is best carried out using a project management method to ensure that the implementation is effectively managed.

6.52. Ongoing management of your BCM arrangements will contribute to business continuity becoming embedded within the organisation. Regular review, exercise and updating of plans will ensure this happens. A review of arrangements must take place after change in the organisation, such as to operating procedures, environment, personnel or technology, and after an incident or exercise. If the change is significant to the organisation then a review of the Business Impact Analysis is also advised.

Stage 2: Understanding the organisation

6.53. An accurate assessment of the Category 1 responder’s organisation and its business is critical, as it will provide the basis upon which all subsequent BCM policies and processes are based.

6.54. An understanding of the organisation comes from:

- the organisation’s objectives, obligations, statutory duties and operating environment;
- the activities, assets and resources that support the delivery of key products and services;
- assessing the impact and consequences of failure of these activities; and
- identifying and evaluating the threats that could disrupt these.

6.55. Category 1 responders should carry out a business impact analysis that assesses over time the impact
