Business Continuity (Policy & Procedure) NOT PROTECTIVELY MARKED

Publication Scheme Y/N: Can be published on Force Website
Department of Origin: Force Operations
Policy Holder: Ch Supt Head of Force Ops
Author: Business Continuity Coordinator – Force Ops
Related Information:
• Authorised Professional Practice: Decision Making
• Civil Contingencies Act 2004
• British Standard Business Continuity Management System – Requirements ISO 22301: 2012
• Business Continuity Institute Good Practice Guidelines
Date first approved at BMG: 21/11/2007
This Version: V 3.0 – Created 06/06/2013
Date of Next Review: 06/06/2016
June 2013
Business Continuity
NOT PROTECTIVELY MARKED
Force Ops Dept
___________________________________________________________________________________
Policy
Statement
The ability of all organisations, large or small, to survive disruptions to everyday business
practice is essential in the 21st Century. It guards the public’s expectation of an acceptable
standard of service and quality of life.
For most organisations Business Continuity Planning just makes good business sense but for
the police service it is an obligation imposed by the Civil Contingencies Act 2004.
Merseyside Police has based its Business Continuity Management on the Guidelines issued
by HM Government Emergency Preparedness Manual, the Business Continuity Institute and
the British Standard Business Continuity Management System – Requirements ISO
22301:2012.
Through Business Continuity Planning, Merseyside Police is not only able to respond
effectively to emergencies but is also in a position to continue normal policing functions to
agreed minimum service levels.
Aim
This policy aims to ensure a formal, coordinated and consistent approach is adopted
regarding all Business Continuity Management activities throughout the Force. The policy is
underpinned by procedures that aim to detail responsibilities, processes and structures for
delivering effective Business Continuity Management.
Objectives
The primary objective of the policy is to manage business disruptions in a way that reduces
their impact on the organisation to an agreed acceptable level.
Associated objectives are to:
• Improve our force wide Business Continuity Management Programme
• Improve the Force’s Business Continuity Planning Processes
• Improve our Business Continuity test, maintenance, audit and review processes
• Improve Business Continuity Management awareness within the organisation
___________________________________________________________________________________
Status: V3.0
Last Update: 06/06/2013
NOT PROTECTIVELY MARKED
Application & Scope
All police officers and police staff, including the extended police family and those working
voluntarily or under contract to Merseyside Police must be aware of, and are required to
comply with, all relevant policy and associated procedures.
This policy particularly applies to:
• All officers and staff nominated as Business Continuity Champions
• All officers and staff attending Business Continuity meetings
Outcome Evaluation
Outcomes will reflect specific objectives and be measured against these objectives at least
annually. Individual measures are set out in a separate Deployment Plan managed by the
Business Continuity Manager.
In broad terms, measurement will be done through observation and analysis of tests and
exercises at Strategic, Tactical and Operational levels throughout the force. Review of the
success of Business Continuity Management will be conducted via the Force Business
Continuity Management Board.
Overall, adherence to this policy should:
• Strengthen the Force’s ability to deal with internal/external disruptions to our key
services and critical functions
• Protect the image and reputation of the Force
• Strengthen the Force’s Business Continuity Management Processes
• Improve Business Continuity awareness within the organisation.
Procedure
Version History
06/06/2013: V 3.0 – Amended to reflect requirements of ISO 22301
Contents
Introduction
Business Continuity or Major Incident
Support & Training
BCM Process
BCM Infrastructure
Analysis
Design
Implementation
Embedding Business Continuity
Validation
Policy & Programme Management
Appendix A - Force Roles & Responsibilities
Appendix B - Invocation & Escalation
Appendix C - Risk Notification Procedure
Appendix D - Process Aide Memoir
1. Introduction
1.1 The Civil Contingencies Act 2004 places a statutory duty on the police to have
Business Continuity Management (BCM) in place to ensure continued service
delivery of essential services. BCM is also a regulatory requirement for compliance
with the ACPO Community Security Policy and an integral part of the Force’s risk
management framework.
1.2 Merseyside Police has aligned its BCM arrangements with the British Standard ISO
22301. This sets out the process and principles of BCM and enables the Force to
measure its BCM capability in a consistent and recognised manner.
1.3 This document, which should be read in conjunction with the BCM Policy, provides
high-level guidance on the methodology for developing and implementing BCM within
Merseyside Police. For detailed practical application reference should be made to the
BCM Guidance Manual.
2. Business Continuity or Major Incident
2.1 All business activity is subject to disruptions, such as technology failure, flooding,
utility disruption and terrorism. BCM provides the capability to adequately react to
operational disruptions, while protecting the welfare and safety of staff.
2.2 However, it is important not to confuse BCM with the Force’s operational response to
major incidents. BCM focuses on internal issues to maintain the Force’s
organisational capabilities, whereas the Force’s response to major incidents focuses
on external events.
3. Support & Training
3.1 Individuals who have responsibility for BCM will receive training and support from the
force Business Continuity Coordinator. This training will ensure that individuals have
the experience to deliver an effective BCM Plan. They will receive support and
guidance throughout the year, particularly when a Plan is to be reviewed annually.
4. BCM Process
4.1 BCM is proactive and concentrates on everything needed to continue the critical
business processes in the event of an interruption. It focuses on the effects and not
the cause of the disruption.
4.2 The relevant stages are:
4.2.1 Analysis – The Force will identify all key business processes and activities, including
interdependencies and other influences that might impact on them. These will be
assessed and prioritised to enable the focusing of resources to ensure that the most
critical are restored promptly in the event of disruption.
4.2.2 Design – Having established its priorities the Force will identify and choose options
for continuing the Force’s critical processes and activities after an incident, to an
agreed minimum level.
4.2.3 Implementation – Business Continuity Plans will provide an effective, predefined and
documented framework and process to respond to disruptive incidents affecting the
Force’s critical processes and activities.
4.2.4 Validation – No matter how well designed and thought out a BCM plan is, it must be
exercised to ensure its effectiveness. Maintenance and auditing are essential to
ensure compliance with the standards adopted by the Force. The Force will
continually review its arrangements and test the plans on an annual basis.
4.2.5 Embedding BC – BCM will become an integral part of the Force’s strategic and
day-to-day management activity by the introduction of awareness and training. This will be
a continuous process.
4.2.6 Policy & Programme Management – The Force’s BCM Programme will provide a
clearly defined and documented process for the co-ordination and governance of all
BCM activity.
5. BCM Infrastructure
5.1 An essential element of developing a successful BCM is the proactive support of
Senior Management. By demonstrating commitment and playing an active role in the
BCM process they can ensure its successful implementation.
5.2 Before undertaking the various stages of the BCM process, BCU Commanders and
Heads of Departments will need to establish a supporting infrastructure.
5.3 Consideration must be given to the necessity of maintaining business as usual, whilst
dealing with a disruption requiring business continuity management and the potential
for a major incident response should the disruption escalate or a separate event
occur.
5.4 Therefore the BCM infrastructure should mirror existing arrangements, as far as
possible, without assigning individuals more than one role. This should be integrated
into the existing risk management and planning framework.
5.5 The Force BCM Roles & Responsibilities are listed in Appendix A. However, two
critical roles in the BCU or departmental BCM infrastructure are detailed below.
5.6 Business Continuity Management Team (BCMT) Leader
5.6.1 The BCMT should reflect all the processes and activities undertaken by the BCU or
department.
5.6.2 In the event of the Plan being invoked the BCMT leader will co-ordinate the
responses and provide general support and instruction to those involved in the
response. The Leader of the BCMT will provide a link to the BCU Commander or
Head of Department.
5.6.3 Whilst the Force is not prescriptive in who should conduct which role in the BCMT,
the Team Leader should have appropriate seniority and authority to be accountable
for BCM implementation.
5.7 Business Continuity Champion
5.7.1 The Business Continuity Champion has responsibility for the ongoing administration
and maintenance of the BCM arrangements, including exercising, auditing and
amending the plan, at a BCU or departmental level. The BCC is also the single point
of contact with the force Business Continuity Coordinator.
6. Analysis
6.1 Identifying Critical Business Processes
6.1.1 The key to understanding the organisation is to identify the key business processes.
This must be completed annually or on any occasion there is a significant change to
business processes.
6.1.2 The objective of this stage is to identify and rank in priority order the critical processes
and activities.
6.1.3 Using the Business Plan and Strategic Assessment, BCUs and Departments should
identify their core operational objectives and how they align with the Force’s strategic
objectives. Those critical processes and activities, which are crucial to achieving the
objectives, should be identified and given the highest priority.
6.2 Risk Assessment & Business Impact Analysis (BIA)
6.2.1 Based on risk assessment the BIA determines, in specific timeframes, the impact on
the Force’s service delivery if critical processes were disrupted. It also details the
minimum resource requirements to recover the critical processes within the
timeframes. A Business Impact Analysis must be completed for each process
identified.
6.3 Maximum Tolerable Period of Disruption (MTPD)
6.3.1 The BIA should identify the MTPD. Each critical process requires examination to
establish when (hours, days or weeks) an interruption to the process would
become critical to its service delivery. The critical processes should then be ranked
according to MTPD, with the shortest MTPD being given the highest priority for
recovery.
6.4 Prioritisation
6.4.1 By combining the Risk Assessment priorities with the MTPD a prioritised matrix for
recovery is established. This forms the basis of the business continuity plan (BCP).
6.5 Interdependency Requirements
6.5.1 Some processes might be dependent on activities elsewhere in the Force or on
external dependencies such as suppliers, contractors, regulators and agency
partners. It is essential that these interdependencies are included in the BIA.
6.6 Single Point of Failure
6.6.1 Consider whether any single point of failure exists. Examples include any piece of
equipment, communication link, key document or even a person, which if lost or
absent, would halt a critical process. If identified, an alternative or back up for this
single point of failure should be introduced.
6.7 Backlogs
6.7.1 During the planning stage consideration ought to be given to the impact of clearing
any backlog, which develops during the disruption.
6.8 Vital Equipment & Backup Procedures
6.8.1 The BIA should record details of vital equipment, records and systems essential to
the critical process, together with any back up procedures or other special
arrangements.
6.9 Senior Management Sign Off
6.9.1 The BIA identifying the critical processes and the recovery prioritisation list must be
submitted to senior management for approval and ‘sign off’.
7. Design
7.1 The BCM options to be considered are those alternative methods and workarounds
that enable the minimum level of service delivery. An example would be reverting to
manual when IT is disrupted or moving to an alternative site. Alternative options might
be required for the following resources:
• People;
• Workspace;
• Information & Communications Technology;
• Equipment / Resources;
• Critical Information / Documentation;
• Resources supplied by third parties / internal contracts.
7.2 It is crucial that the selected BCM options:
• Ensure employee safety;
• Protect the viability of the organisation;
• Reduce or mitigate exposures, confusion or chaos;
• Position the organisation to respond to a disruption.
7.3 The options should be realistic. Consideration must be given to the challenges that
staff will face during a disruptive event. The aim is to provide the minimum level of
performance necessary, in the event of a significant disruption.
7.4 Options are required for three phases:
Planning Phase: Emergency Response (Immediate)
  Primary Goal: Protect life and property
  Trigger: Initial disruption
  Time Frame: 0-24 hours
Planning Phase: Continuity Response (Interim Processing)
  Primary Goal: Resume critical processes and activities & suspend non critical functions
  Trigger: Maximum Tolerable Period of Disruption exceeded
  Time Frame: 24 hours – 1 week (or until critical processes restored)
Planning Phase: Recovery Procedure (Restoration)
  Primary Goal: The staged return to pre-disruption levels of operation or improved capability
  Trigger: End of emergency, runs in parallel with the continuity response
  Time Frame: Beyond 1 week (or until processes restored)
7.5 If reciprocal arrangements have been made regarding relocation to a back up site
these should be clearly documented and signed off by both parties. The agreement
should specify the terms of access, accommodation, transfer procedures, equipment,
timescales, cost reimbursement and any constraints or special conditions, as well as
any other mutual arrangement.
8. Implementation
8.1 Business Continuity Plans
8.1.1 Merseyside Police has a hierarchy of plans with different command and control levels
and owners.
Plan and C&C Level: Tier 3, Strategic; Tier 2, Tactical; Tier 1, Operational
Control Document: Force Business Continuity Plan Corporate Framework; Business Continuity Plans for BCUs, Departments, Geographical Sites; Specific work area recovery plan
Purpose: Provides overarching structured approach to BCM; Pre-determined responses to restore service capability, according to force priorities; Station/Work Units Local recovery arrangements
Owner: ACC Operations; Business Continuity Management Team (BCMT); BCU Commander or Head of Dept’s; Local OIC/Manager
8.1.2 A BCP template has been developed for use throughout the Force. The completed
plan should be flexible enough to enable responses to a wide variety of potential
generic disruptions.
8.1.3 The BCP should always be based on the worst-case scenario, i.e. a major disruption
will happen at the worst time on the worst day possible.
8.1.4 The development of the plan does not signify the end of the BCM process. The
process is dynamic. Nor does the plan provide BCM competence or capability, but
rather it provides the approach to an effective capability to respond/recover.
8.1.5 Business Continuity Coordinators are responsible for version control of the completed
BCP and providing a copy to the Business Continuity Department, annually or after
every amendment. The template can be obtained from the Business Continuity
Department.
8.2 Off-Site Storage & Battlebox
8.2.1 Copies of the BCP and essential equipment required for its implementation should be
stored off site.
8.2.2 Consideration should be given to establishing a ‘battlebox’ containing all information
and portable equipment required in the early stages of a disruptive incident, which
could be accessed in the event of an incident or easily transported to another site, if
circumstances dictate. Content might include BCP, documentation for manual
processing, IT back up and recovery arrangements, staff lists, relocation maps etc.
8.3 BCPs Invocation & Escalation Procedure
8.3.1 The detection of an event that could result in a critical disruption of service provision
is the responsibility of whoever first discovers or receives information about an
emergency situation.
8.3.2 Upon discovery the Business Continuity Champion should be informed. If necessary
the departmental duty manager or BCU duty officer should also be notified. If out of
hours, the Force Duty Officer must be informed.
8.3.3 A tiered approach to escalation is in place and the apparent scale of the incident will
determine the notification procedure required. For example, a disruption may begin at
a station but escalate to having implications for the Force. In every case the BC
Champion will conduct an initial assessment and notify the BCMT Leader. If
necessary the BCMT Leader will authorise the call out of the remaining team
members.
8.3.4 Appendix B sets out the notification, invocation and escalation procedures for a
disruption that may escalate from a station to having force implications.
8.3.5 In the event of a disruption or a near miss the BCC has a responsibility for completing
the governance report as detailed in Appendix ‘C’.
9. Embedding Business Continuity
9.1 BCU Commanders and Heads of Departments should seek to develop a BCM culture
in their BCU or Department by:
• Giving proactive support to the BCM process;
• Encouraging training and awareness in BCM;
• Ensuring ownership of BCM;
• Demonstrating a commitment to the annual programme of audit,
maintenance and review of the BCM plans;
• Communicating the importance of BCM to all staff and their roles and
responsibility.
10. Validation
10.1 Exercise Programme
10.1.1 Exercising allows the evaluation of the plan, identifying any gaps or weaknesses. It
provides an opportunity for key personnel to rehearse and gain familiarity with the
Business Continuity processes.
10.1.2 The Exercise Programme should be a progression of exercise types, each one
building on the lessons of the previous exercise, finally culminating in a full test of the
BCP annually. The component parts of the plan should be exercised more frequently.
The BC Champion is responsible for organising the component tests.
10.1.3 The force Business Continuity Coordinator will manage the Force BCM Exercise
Programme. Support and guidance in preparing for the annual BCP test will also be
provided.
10.2 Maintenance & Review
10.2.1 The Force exists in a dynamic environment. It is subject to changes in people,
processes, supplies, risk and environment. To remain current, BCM arrangements
must be reviewed and updated, as well as being subject to audit and inspection.
10.2.2 BCU Commanders and Heads of Departments are responsible for the maintenance of
their BCP and should ensure that:
• BCM is a standing item on the agenda for Senior Management Team Meetings;
• BCM is included in the BCU or Department’s formal induction process;
• BCM should be aligned to the Risk Management arrangements;
• The BCMT meets to review the BCU/Department BCM arrangements at least once
every 12 months;
• The Business Continuity Champion regularly reviews the currency of the BCP and
revises it as necessary;
• The components of the BCP are tested regularly and the full plan annually;
• BCU/Departmental BCM is subject to local audit by the BC Champion;
• Governance Reports are forwarded to the Force BC Coordinator.
11. Policy & Programme Management
11.1 A fundamental element of the BCM Programme is the need to continually monitor,
evaluate and assure its performance. BCUs and Departments should ensure their
plans meet the required standard by regularly measuring them against the Force’s
policy and guidance.
11.2 The force will ensure that its BCM arrangements are aligned with BCM British
Standard ISO 22301.
11.3 The Assistant Chief Constable (Operations) is responsible for Executive oversight of
the BCM programme.
11.4 Appendix D summarises the entire process and is a useful aide memoir.
APPENDIX A
FORCE ROLES & RESPONSIBILITIES
Chief Constable
a) Ensure that BCM is effectively implemented in line with agreed policy and strategy;
b) Monitor and review effectiveness of the Force’s BCM;
c) Ensure the continued and consistent use of the Force's BCM policy and on a
corporate basis;
d) Promote the overall commitment of the Force to BCM.
Assistant Chief Constable (Operations)
Responsible for Executive oversight of the BCM programme.
BCU Commander & Head of Department
a) Implement the requirements of BCM on a local basis;
b) Ensure the production of Business Continuity Plans on a BCU or departmental basis;
c) Maintain and review BCM arrangements to ensure they remain current;
d) Promote BCM awareness at a local level;
e) To monitor any trends and patterns occurring under the seven strands of diversity.
Force Business Continuity Manager
a) Support staff on aspects of BCM policy;
b) Monitor and report the results of BCM activity to the Force Executive;
c) Promote BCM best practice across the Force;
d) To monitor any trends and patterns occurring under the seven strands of diversity.
BCU / Department Business Continuity Champions
a) Promote procedures and practices that comply with the BCM Standard Operating
Procedures
b) Provide advice on business continuity situations through a process of risk
assessments, impact analysis and resource implications, producing
recommendations to senior management when required
c) Facilitate exercises throughout the year to test component parts of the BCP
d) Liaise with the Force BC Coordinator
e) Review, maintain & update each section within the BCP
f) Carry out any other task necessary for the efficient functioning of Business Continuity
Plans
Force Business Continuity Coordinator
a) Support staff on aspects of BCM;
b) Monitor and report the results of BCM activity to the Force BC Manager;
c) Provide staff with advice and training in BCM;
d) Develop and coordinate the Force’s BCM exercise programme;
e) Promote BCM best practice across the Force;
f) To monitor any trends and patterns occurring under the seven strands of diversity.
Independent Assurance
Internal Audit
a) Carry out an independent examination of the BCM arrangements and processes, with
the objective of providing assurance to the Force Executive.
b) The nature and extent of audit coverage will be determined via the Internal Audit
planning process.
Information Security Officer
Ensure that the BCM policy and related activity, including amendments, meets the
compliance requirements of BS 7799 & ISO 1799:2000(E).
Individual Officers and Support Staff
a) Awareness of the BCM policy and procedure, including the implications for their
activities;
b) Undertake BCM processes as required by Force policy;
c) Ensure that BCM arrangements are kept current and effective, reflecting changes in
working practices or processes.
APPENDIX B
ALERT, INVOCATION & ESCALATION DIAGRAM
[Flowchart not reproduced in this transcription; only its labels survive and are listed below.]
Levels: Unit / Section / Work Area; BCU / Department; Force
Start: Incident
Decision points (answered Y or N):
• Does it affect only the Unit?
• Can it be resolved locally with existing control measures
• Disruption believed could go beyond MTPD
• Does it impact at BCU / Dept Level
• Affects BCU / Dept only?
• Can it be contained within BCU / Dept?
• Affects Force only?
Actions:
• DO NOT invoke BCP; DO submit Governance report to Force BC Coordinator
• Notify BC Champion & Invoke BCP
• Notify BCU / Dept Head
• Notify Force BC Coordinator; Force BCC will inform Head of BC & ACC Ops Support
• BC Strategic Command Team formed if required
• Notify CC
• Follow BCP & resolve
• Service resumed; BC Procedure ends; Submit Governance Report
APPENDIX C
RISK NOTIFICATION PROCEDURE
Background
Part of the responsibility of the Force BC Coordinator is to assess the business continuity
risks faced by the Force. In order to do this the BC Coordinator needs to know of any events
occurring throughout the Force, which may indicate a risk that requires to be monitored.
This document identifies the factors that should be considered when assessing if an incident
should be reported to the Force BC Coordinator.
Notification Process
The decision to notify should be based on three factors:
• Time – how long the incident lasts for or how long the outage is for;
• Effect – the effect the incident has on service, process or system;
• Scale – does the incident impact upon the Force, BCU/Department or work area.
To calculate the score the following applies:
Time + Effect + Scale
These factors should be graded and scored, and incidents or occurrences that attract a score
on or above the designated benchmark, must be notified to the Force BC Coordinator using
the attached reporting form (BCM Incident Record/Governance Report).
Score 3: Time (outage): 4 hours +; Effect: Total system failure; Scale: High - Force wide or above
Score 2: Time (outage): 1-4 hours; Effect: Substantial or significant failure; Scale: Medium - Confined to a BCU or department
Score 1: Time (outage): 0-1 hour; Effect: No or limited failure; Scale: Low - Local effect only
Should the incident or occurrence concerned attract a combined added score of ‘5’ or more,
it will be required to be notified to the Force BC Coordinator.
Incidents such as, but not limited to, the following should be reported to the Force BC
Coordinator:
• Power outage
• IT outage
• System failure
An incident that impacts on your ability to deliver a key service should be reported.
The following shows some examples of incidents laid out in a table format. These are shown
for guidance purposes using the criteria listed above.
Incident: Loss of email system within force
  Time: 3; Effect: 3; Scale: 3; Total: 9; Report: Yes
Incident: Total loss of power to Lea Green for 45 mins
  Time: 1; Effect: 3; Scale: 1; Total: 5; Report: Yes
Incident: High sickness level of staff e.g. 30% involving more than one BCU.
  Time: 3; Effect: 2; Scale: 3; Total: 8; Report: Yes
Incident: Loss of Niche system at BCU for 30 mins
  Time: 1; Effect: 1; Scale: 1; Total: 3; Report: No
Incident Reporting Responsibilities
Any incidents meeting the above criteria should be reported to the BC Coordinator as soon as
is reasonably practical following the event.
BCU Reporting
• Head of BCU
• Duty Officer
• Business Continuity Champion
• Ensure a Copy is forwarded to BCU Admin Manager
Departmental Reporting
• Head of Department
• Business Continuity Champion
There is a possibility that this could result in duplicate reporting following the initial
implementation of this procedure. This process will be reviewed after six months to ensure
that it is effective and efficient.
BCM INCIDENT RECORD/GOVERNANCE REPORT
Time & Date of Incident
Location
Discovered By
Contact No.
OIC of Incident
Contact No.
State whether: Near Miss, Local Resolution or BC Plan Invoked
Type of Incident (tick appropriate box)
Total Loss of Building
Significant / Partial Damage to Building
Significant / Partial failure of IT / Comms
Loss of / damage to Information / Data
Loss of / damage to Primary Utilities
Loss of Staff
Loss of Suppliers
Other (specify)
Summary of Circumstances
Initial Actions
Lessons Learned
Report sent to BC Coordinator by:
Date:
Appendix D
BCM PROCESS AIDE MEMOIR
This diagram outlines in more detail how to conduct the various stages of the BCM process. It
also highlights the key questions that should be asked.
[Diagram not reproduced in this transcription; its stage boxes and key questions are listed below.]
Start Up:
• Senior management support
• Establish a BCM team
• Identify Business Continuity Champion
Monitor & Review
Risk Assessment:
• Determine critical processes of BCU/Department
• Identify what assets are essential to deliver these processes
Conduct Business Impact Analysis
• Determine Business Processes
• Determine Critical Functions
• Determine MTPD
• Prioritise Critical Functions
Response Options
• For emergency phase
• For continuity phase, and
• For recovery phase
Develop Business Continuity Plan
• Complete the template with a set of easy to follow, easy to understand steps
Exercise & Maintain Plans
• Provide a regular training schedule that tests understanding & use of the
plans. Update accordingly.
Governance Reporting
• Notify BC Coordinator of all reportable incidents
Key questions:
• What is important to the business of my BCU/Department?
• What else could affect those critical processes?
• What or who else does the critical process depend on i.e. the interdependencies?
• What are the minimum critical business resources?
• What threatens the BCU/Department’s ability to operate?
• When would a disruption critically impact on the BCU/Department’s ability to operate?
• Are there any single points of failure?
• What alternative workarounds are there?
• What strategies or workarounds could deal with each phase, e.g. manual rather than IT?
• What other information should be in the plan?
• What can others learn from your experience?