03 April 2014 17 April 2014 02 April 2018

Transcription

03 April 2014 17 April 2014 02 April 2018
NOMS BUSINESS CONTINUITY MANAGEMENT MANUAL
This instruction applies to:-
Reference:-
NOMS Agency HQ
All prisons
AI 11/2014
PSI 13/2014
Issue Date
Effective Date
Implementation Date
Expiry Date
03 April 2014
17 April 2014
02 April 2018
Issued on the authority of
For action by
NOMS Agency Board
All staff responsible for the development and publication of
policy and instructions
NOMS HQ
Public Sector Prisons
Contracted Prisons*
Governors
Heads of Groups
*If this box is marked, then in this document the term Governor also
applies to Directors of Contracted Prisons
Instruction type
For information
Provide a summary of the policy
aim and the reason for its
development/revision
Contact
Service Improvement
All NOMS Agency staff
To bring NOMS in line with the current ISO 22301 (formerly
British Standard BS25999)
Email: NOMS Business continuity and resilience
Phone: 0300 047 4082 / 07973 457213 / 0300 047 6905
Quantum Intranet Site
PSO 1400 Incident Management Manual
PSI 09/2014 Incident Management Manual
MoJ Business Continuity and Incident Management Plans
PSI 20/2009 Flu pandemic
Clive House Business Continuity Plan
NOMS Agency Business Continuity Risk Register
Replaces the following documents which are hereby cancelled: Replaces PSO 1401
Audit/monitoring: To be monitored by Governors, Directors of Contracted Out prisons, Deputy
Directors of Custody and Heads of Directorates using Local Assurance Frameworks (LAF). The
PSI and LAF will be subject to independent review by Internal Audit and Assurance.
Associated documents
PAGE 1
CONTENTS
Section
Subject
Applies to
1
1.1
1.4
1.5
1.6
1.7
Executive summary
Background
Desired outcome
Application
Mandatory actions
Resource impact
All staff
2
2.1
2.6
An overview of Business Continuity Management
Business Continuity Management
Clarification of what is meant by a Disruptive Event
All staff involved in BCM
3
3.1
3.7
All staff involved in BCM
3.10
3.11
Annex A
Responsibility for Business Continuity Management
Overview
Responsibilities for NOMS Business Continuity and
Resilience Team
Responsibilities for Establishment Business
Continuity/Resilience Lead
Responsibilities for DDCs’ Business Continuity and
Resilience Leads
Responsibilities for other NOMS sites and business units
Responsibility for HQ
Simple Business Impact Assessment (BIA) template
Annex B
Prison Establishments Business Impact Assessment
Annex C
C.1
C.2
C.3
C.4
Guidance on Developing a Business Continuity Plan
Business Impact Assessment
Business Continuity Plan
Features of Business Continuity Planning
Local Resilience Forums
Annex D
D.1
D.2
Guidance on Testing
Reviewing and testing
Debrief report
All staff involved in BCM
Annex E
E.1
E.2
E.3
E.4
E.5
E.6
E.7
All staff
E.8
E.9
E.10
National Operations Coordination Centres
Introduction
Coordination Committee
Role of NOCC
Liaison
Operational Arrangements
Convening a Coordination Committee
Actions for DDCs (which includes DDC High Security
Estate) Governing Governors, Heads of Groups and
Directors and Controllers of Contracted-out Prisons
Staffing of NOCC
Communication with NOCC
Contact Details
Annex F
Glossary
All staff
3.8
3.9
PSI 13/2014-AI 11/2014
All staff involved in BCM
Prison Establishment staff
involved in BCM
All staff involved in BCM
issue date 03/04/2014
PAGE 2
1.
Executive Summary
Background
1.1
This PSI 13/2014 – AI 11/2014 replaces PSO 1401 (issued February 2006) and sets out the
arrangements necessary to ensure Business Continuity Management (BCM) is performed in
accordance with the current British Standard, BS25999 and ISO 22301. All parts of NOMS
are required to maintain Business Continuity Plans (BCPs) to ensure critical business
activities and sites remain operational while a prompt and efficient recovery of “business as
usual” activities takes place in the event of an incident or other disruption affecting its
premises or resources (including both staff and information). Some elements of BCM are
already covered by PSI 09/2014-AI 06/2014 (Incident Management Manual) and at
establishment level; governors must ensure the remaining BCM elements covered in this PSI
are factored into their overall Business Continuity Plans.
1.2
It should be noted that this PSI refers to the management of staff, building premises, data
and IT infrastructure, utilities and third-party suppliers after a disruptive event, and is
intended to link risk assessments, resilience planning, incident management (PSI 09/2014
Incident Management Manual) and overall contingency arrangements to return to “business
as usual” in a planned, controlled and effective manner.
Desired outcomes
1.4
That all staff understand and comply with the BCM processes set out here and ensure that:

Business Impact Assessments (BIAs) are completed at all levels of the organisation,
including prison establishments (mandatory tool attached at Annex B), DDC offices
(which throughout includes the DDC High Security Estate), other NOMS sites and
business units (optional tool at Annex A), and HQ (BCM co-ordinated by MOJ,
using Business Area Continuity plans, [BACPs]).

The BIA tool attached at Annex B is designed for prison establishments, and must
be used and submitted to the Business Continuity & Resilience team using the
BC&R functional mailbox: NOMS Business continuity and resilience
Potential local and national threats/risks to the critical operations are identified and
proactively monitored, and where necessary a strategy should be developed for
dealing with these eventualities should they materialise.


Business Continuity Plans (BCPs) commensurate with the level of threat/risk are
developed and implemented in establishments, DDC offices, HQ, and other NOMS
sites and business units.

There is increased awareness of what is meant by BCM and how BIAs and BCPs
should be formulated.
Application
1.5
All senior managers and appointed Business Continuity and Resilience Leads need to read,
and where necessary implement, all sections of this policy.
Mandatory actions
1.6
All mandatory actions are shown in italics.
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 3

All staff involved with Business Continuity Management must be familiar with this
PSI and understand the mandatory nature of the instructions. Chief Executives,
Assistant Directors, Heads of Groups and Governors must ensure that all staff are
made aware of this instruction.

All staff must be given the opportunity to contribute towards the BIA (Business
Impact Assessment) process and be aware of the BCP covering their area.

For BCPs to remain effective they must be regularly reviewed and tested. Those
with responsibility for maintaining BCPs at NOMS sites and business units must
review and test their plans; as a minimum one risk/scenario every six months
ensuring that they meet the requirements of ISO 22301. Further guidance on testing
can be found in Annex D.
Resource impact
1.7
There are costs in maintaining readiness across establishments, DDC offices, HQ, and
other NOMS sites and business units. Time will have to be devoted to maintaining and
amending plans and contract arrangements, and to deliver occasional desktop and live
tests. It is assumed that most prison service establishments and DDCs offices are carrying
out much of this work already as part of local contingency planning (PSO 1400 refers). HQ
is already resourced for this work.
Contacts
Please refer to front cover.
(signed)
Digby Griffith
Director of National Operational Services, NOMS
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 4
2.
An overview of Business Continuity Management
Business Continuity Management
2.1
BCM is a continuous process of risk assessment and management with the purpose of
ensuring that NOMS can continue to operate if risks materialise. These risks could be from
the external environment (over which we have no control, such as power failure, pandemic
flu or extreme weather) or from within the NOMS organisation, such as deliberate or
accidental damage to systems. Business continuity is not just concerned with disaster
recovery; it addresses anything that could impose a denial of service or facility (i.e. affect
the continuity of service), such as staff shortages.
2.2
BCM centres on a BCP, which must be endorsed by senior management, maintained and
subjected to rigorous testing.
2.3
BCM is about Policy and Programme Management of:




Identifying Critical Activities; Understanding the business of NOMS and
establishing what is vital for its continued operation.
Increasing Resilience; Determining how best to decrease the likelihood of a
disruptive event materialising and impacting critical activities
Robust Planning to minimise the impact of an incident/disruptive event by
developing and implementing a local, regional and/or HQ response to ensure
critical activities and sites and services remain operational
Proactively Monitoring arrangements by exercising, maintaining and reviewing
arrangements
2.4
NOMS has many internal and external dependencies (these include providers, customers,
other major stakeholders, IT systems and business processes). These dependencies must
be identified at an early stage in the BCM process to ensure the effectiveness of the
finalised BCPs.
2.5
To achieve the required standard, this must be embedded in the organisation’s culture.
Clarification of what is meant by a Disruptive Event
2.6
A disruptive event could be:

2.7
A threat to staff, safety, buildings or the organisational structure of NOMS that
requires a level of intervention to be taken to restore normal operations.
There are a number of different circumstances that may initiate a disruptive event, however
the impact on the business is likely to be one of, or a combination of the following issues,
which will vary in their degree of severity. Examples of the most likely impacts are:

Loss of, or loss of access to buildings
o
environmental threats: flooding, storm or other severe weather conditions;
o
acts of offender/civil disruption or terrorism either aimed directly at sites or in
the immediate vicinity or surrounding area;
o
fire or contagion affecting the site or nearby buildings

Staff shortages
o
industrial action by staff
o
severe transport disruption
o
serious outbreak of flu or food poisoning
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 5
o
inability of staff to attend workplace due to environmental factors
(flood/severe weather etc)

Loss of utilities
o
electrical, heating, cooling, gas for cooking, water supply, lighting and IT
systems etc;

Loss of data/ IT systems
o
failure of IT systems/applications
o
damage to, or unavailability of paper records

Disruptive events affecting third party suppliers, or
o
financial or contractual difficulties/collapse (including catering)
o
any of the above impacts affecting their premises
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 6
3.
Responsibility for Business Continuity Management
3.1
Although all staff must be given the opportunity to contribute to the BIA process, certain
groups of staff have specific responsibilities for the formulation and maintenance of plans.
3.2
The staff and the activities they are responsible for are detailed below. Each responsibility
must be recorded in the nominated lead’s SPDR or equivalent. It is recommended that the
Lead for DDC’s offices and Prison establishments is conversant with the local contingency
arrangements, Incident Management procedures and is able to represent the
establishment/DDC at Local Resilience Forums. It is envisaged that these duties are
performed by a member of the SMT or equivalent (current recommendation from Job
Evaluation and Support team is minimum Band 7 – final recommended grade to be
confirmed).
3.3
Individual sites/business units must ensure a nominated person is given the responsibility
of Business Continuity and Resilience Lead (BCRL), who must develop and proactively
maintain a BCP and ensure that effective links are made with Local Resilience Forums
(LRFs) and the NOMS Business Continuity and Resilience team (BC&R). Further guidance
on developing a BCP is contained in Annex C
3.4
Staff who are based in shared accommodation, either with other Government departments
and/or private organisations, must ensure that their requirements are included in the BCPs
for their building. This must also include the arrangements for dealing with
emergencies/incidents in the building, for example, fire evacuations.
3.5
National Business Continuity events that are likely to affect large parts of NOMS’ core
business (e.g. Industrial Relations disputes, widespread environmental issues etc) are
covered by the arrangements set out in Annex E (NOCC).
3.6
Any member of staff who has responsibility for introducing a new team or system (manual
or IT based) or procedure, must consider the business continuity arrangements that need to
be put in place and consult with their local Business Continuity and Resilience Lead if any
of the tasks are assessed to be critical.
3.7
Responsibilities for NOMS Business Continuity and Resilience Team









3.8
To act as a focal point at HQ for all BC matters
To maintain the Initial Response Team arrangements for Clive House
To act as a central resource for co-ordinating, mentoring and sharing of good
practice to support NOMS sites and business units in achieving ISO 22301
To act as central liaison for MOJ Business Continuity Planning on behalf of NOMS
To maintain the NOMS Agency level Business Continuity Risk Register
To maintain a NOMS agency-wide register of BCRLs
To disseminate relevant Business Continuity information via the network of BCRLs
To collate the product of the BIA tool attached at Annex B
To collate data in the event of a widespread disruption
Responsibilities for Prison establishment Business Continuity and Resilience Lead






To carry out a BIA for their establishment using the tool attached at Annex B, and
review at least annually
Produce, maintain and test local BCP
Provide their contact details to the NOMS Business Continuity and Resilience Team
Feed individual prison BIAs/BCPs into DDC Continuity Plans
Act as liaison with Local Resilience Forum
Ensure lessons learned from establishment level tests and invoked plans are
shared with NOMS Business Continuity and Resilience Team
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 7

3.9
Responsibilities for DDCs’ (including DDC High Security Estate) Business Continuity
and Resilience Lead






3.10
DDC level Business Continuity and Resilience Lead to produce DDC level BIA/BCP,
and review annually.
Hold copies of individual establishment’s BIA/BCPs
Provide their contact details to the NOMS Business Continuity and Resilience Team
Ensure lessons learned from any regional tests and invoked plans are shared with
NOMS Business Continuity and Resilience Team
Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues
affecting the DDC’s area of responsibility.
The assurance responsibilities for Contracted Out prisons in terms of the Business
Continuity PSI will be carried out by the Custodial Services Directors of each
contracted provider.
Responsibilities for any other NOMS sites and business units (e.g. Newbold Revel,
JSAC Training Centres in Wakefield and Birmingham, etc)







3.11
Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues that
may affect their establishment
To carry out a BIA for their site (optional tool at Annex A), and review on an annual
basis
Produce, maintain and test local BCP
Provide their contact details to the NOMS Business Continuity and Resilience Team
Feed individual BIAs/BCPs into relevant regional or national plans
Act as liaison with Local Resilience Forums
Ensure lessons learned from site level tests and invoked plans are shared with
NOMS Business Continuity and Resilience Team
Notify the NOMS BC&R team (via functional mailbox) of any BC-related issues that
may affect their site
Responsibility for HQ

NOMS HQ BCP’s are managed by the MOJ. A copy of the Clive House BCP is
available on request (note “Protect” marking).
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 8
Annex A – Simple Business Impact Assessment (BIA) template
The table below could be used to identify critical activities which will impact the establishment’s
business. Each critical activity should have its own separate table.
Critical activity
Staff/role required
Impact of loss 1-2 days (H/M/L)
Impact of loss 3+ days (H/M/L)
Resources required (eg. IT,
desk accommodation etc)
Dependencies
Contact details (24/7) - internal
Contact details (24/7) - external
Contact
details
(24/7)
stakeholders
Contact details (24/7) - staff
–
Any existing BC arrangements
in place
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 9
Annex B – Prison Establishments Business Impact Assessment
Prison
tablishment BIA tool
(NEW VERSION)
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 10
Annex C – Guidance on developing a Business Continuity Plan
Developing a Business Continuity Plan
C.1
Business Impact Assessment (BIA)
NOMS sites and business units need to complete a BIA which identify critical activities,
assess them against the business continuity risks, establish where necessary a strategy,
leading to the development of a detailed BCP.
C1.1
BIAs should focus on critical operations that will need to be continued in the event of
business disruption. Plans may be invoked once it is known that the disruption will last for
a pre-determined period of time. Consideration should also be given to the fact that a site
may be reliant upon IT & telephony systems housed at another location, for example at a
data centre, which if lost, will have a knock on effect. A simple BIA template is attached at
Annex A which may be of assistance to non-prison sites.
C1.2
The BIA tool attached at Annex B is designed for prison establishments, and must be used
and submitted to the BC&R team using the BC&R functional mailbox: NOMS Business
continuity and resilience
C.2
Business Continuity Plan
The aim of BCP is to ensure the organisation has in place documented plans that detail
how the organisation will manage a disruptive event, maintain its critical activities to a
predetermined level and recover its activities to business as usual.
C2.1
Each plan shall:




C2.2
have a defined purpose and scope
be accessible to and understood by those who use them
be owned by the Director, DDC or Prison Governor who is responsible for their
review, update and approval
be aligned with NOMS Agency Level Risks contained on the NOMS Business
Continuity Risk Register which can be obtained from: NOMS Business continuity
and resilience; and must also incorporate other relevant locally identified risks.
Plans shall collectively contain:
Key information and resourcing requirements
 Key tasks and reference information
 Defined roles and responsibilities and contact details for people and teams
having authority during and following an incident
 A method for recording key information about the incident, actions taken and
decisions made
 Details of actions and tasks that need to be performed
 Details of the resources required for business continuity and business recovery
at different points in time
 Prioritised objectives in terms of the critical activities to be recovered, the
timescales in which they are to be recovered and the recovery levels needed for
each critical activity
Implementation and communications
 Identified lines of communications
 Meeting locations with alternatives, and up to date contact and mobilisation
details for any relevant agencies, organisations and resources that might be
required to support the response
 A reference to the essential contact details for all key stakeholders
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 11



Details for managing an incident including; (a) provision of managing issues
during an incident; and (b) processes to enable continuity and recovery of
critical activities.
Details on how and under what circumstances the organisation will
communicate with; a) employees and their relatives; b) key stakeholders; and c)
emergency contacts.
Details on the organisation’s media response following an incident, including; (a)
the incident communication strategy; (b) preferred interface with the media; (c)
guideline or template for drafting a statement to the media; and (d) appropriate
spokespeople.
Escalation and execution of plan
 Guidelines and criteria regarding which individuals have the authority to invoke
each plan and under what circumstances
 A method by which each plan is invoked.
Recovery and stand down
 An outline plan of how a full recovery will be initiated. (This may be difficult to
describe in detail as it will vary hugely depending on the disruptive event).
 A process for standing down once the incident is over.
Lessons learned
 Arrangements for hot (immediate) and cold (after time for reflection) debrief
sessions.
Maintaining and exercising
 A documented process describing timescales for maintaining and formally
exercising the plan.
C2.3
Although the likelihood of a disruptive event occurring is low, they do happen and it is
necessary to be prepared and have plans in place to restart critical operations with the
minimum of delay. All staff should know whether they are a key member of staff and what
may be expected of them both during and immediately after a disruptive event.
C.3
Features of Business Continuity Management
C3.1
Risk reduction: The management of risks to prevent a disaster
Once BIAs have been used to identify critical activities, work can progress to assess the
likelihood/probability and level of impact from a range of relevant threats/risks to vital
operations. This is achieved by identifying and assessing the impacts of risks to NOMS at
both an organisational level, for example, a widespread industrial dispute affecting the
whole Service and at a Business Group/Unit/Local level, for example, localised high levels
of staff sickness affecting the ability to carry out normal business.
Once the impacts are understood, the probability of both local and national risks impacting
each critical service will need to be identified and monitored.
C3.2
The risks themselves and the probability/impact levels will fluctuate over time dependant on
a number of variables e.g. time of year (when assessing the probability of severe snow) or
when a threat of a fuel strike increases (when assessing likelihood of staff availability)
therefore it is important to monitor risks regularly to ensure mitigation plans are prioritised,
proportionate and up to date.
C3.3
Planning: Robust Business Continuity Planning
A BCP plan is used for the fast, efficient resumption of essential business operations by
directing the recovery actions of specified recovery teams. You will need to consider the
following:
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 12





Building/office accommodation – alternative relocation site;
Information technology – IT and telephony;
Human and other resources – ensuring that staff are aware of the alternative
arrangements, have the resources they need and can be productively
employed;
Utilities; and
Recovery of the whole business
C3.4
It should be noted that one of the common causes of business continuity events are caused
by environmental threats, e.g. flooding, severe weather etc.
C3.5
Proactive reviewing of risks and mitigation plans will reduce the impact of any disruptive
event and increase the service/business group/unit’s resilience.
C3.6
Plans will include developing and implementing a local, regional and/or HQ response to
ensure critical activities and sites remain operational during a disruptive event. For
example, if a flood alert is triggered, this may involve invoking local business continuity
plans to deploy sandbags, request additional food/medicine/fuel supplies and refreshing
staff levels/regimes (if access is likely to become an issue). Regional plans may include
deploying additional resources to assist; while HQ plans may include reducing inter-prison
transfers.
C3.7
Incident/Crisis Management (PSO 1400)
If a significant incident occurs, support arrangements (PSO 1400 refers) are designed to
prevent incidents from developing into disasters and to lessen the impact.
C3.8
Proactive Monitoring
All BCM activities (prison, other NOMS sites and business units, HQ) need to be
proportionately and proactively monitored by exercising/testing, maintaining and reviewing
arrangements on a regular basis (see Annex D).
C.4
Local Resilience Forums
Your Local Resilience Forum (LRF) makes arrangements for the deployment between its
members of mutual aid and resources such as fresh water in times of civil emergencies.

They comprise of local community public-sector services and can assist
Prisons and other NOMS sites and business units as part of their
planning. They attempt to ensure available resources (for example,
supplies of coaches for evacuation) in any given region are deployed in
priority order and as such Prisons and other NOMS sites and business
units are encouraged to make contact with their LRF to ensure their
requirements have been taken into account should such an incident
occur.

All sites are also encouraged to consider the effects of their plans on
other parts of NOMS and the wider CJS (eg Courts, NPS etc).

The hyperlink below will direct the user to the Cabinet Office website
page which lists the details of each LRF for each region of the UK and
provides a name, contact telephone number and website link for further
information. A guidance document from the Cabinet Office is also
attached which sets out the role and areas of responsibilities of LRFs.
http://www.cabinetoffice.gov.uk/content/local-resilience-forums
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 13
Annex D – Guidance on Testing
Reviewing and Testing of Plans
D.1
Reviewing and Testing
D1.1
For BCPs to remain effective they must be regularly reviewed and tested.
D1.2
One risk/scenario and associated plans must be tested every 6 months by means of
desktop exercises to ensure they are coherent, logical and practical. It is recommended
that prison establishments link the testing of business continuity plans to their
contingency/incident scenario tests (PSO 1400 refers) to minimise disruption and make
best use of resources.
D1.3
To support testing, you should have prepared a suitably detailed, representative incident
scenario which will include aspects such as date, time, current workload, accounting period
end etc.
D1.4
A full test needs to replicate as far as possible the way in which all stand-by arrangements
would be invoked during the recovery of a critical business process/es and the involvement
of external parties. This tests completeness of the plans and confirms:

time objectives; for example to recover the key business processes within a
certain time period;

staff preparedness and awareness;

staff duplication and potential over-commitment of key resources, during
invocation of the BCP; and

the responsiveness, effectiveness and awareness of external parties.
D1.5
It should be noted that even the most comprehensive test does not cover everything. For
example, where a disruptive event may result in an injury of a colleague/s, the reaction of
staff to a crisis cannot be tested and the plans need to make allowance for this.
D.2
Debrief Report
D2.1
There should be minuted debrief sessions held immediately after the test has concluded,
which will then form the basis of a debrief report. The report will provide a general minute
of the discussions and include: performance against test objectives, agreed corrective
action, who will take the action and within what timescales. Best practice would be for a
follow-up, lessons learned meeting to be held within a week to consider issues once
participants have had time to reflect.
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 14
Annex E – RESPONDING TO BUSINESS CONTINUITY EVENTS ON A NATIONAL
SCALE (NATIONAL OPERATIONS COORDINATION CENTRES)
E1
Introduction - This section applies to all establishments and other NOMS sites and
business units. The Prison Service needs to have effective systems in place to deal with
Business Continuity events on a national scale. These could be events that affect the
country as a whole, for example, severe weather conditions, or events that are specific to
the Service, for example, industrial disputes. In both cases these events will, to a greater
or lesser degree, affect the Service’s ability to carry out normal operations. These systems
will:

ensure the Service’s operational capabilities remain intact;

allow the potential impact of any nationwide Business Continuity event to be
adequately assessed and responded to; and

enable the Service to participate fully in any government-wide response.
National Operations Coordination Centre (NOCC) is situated in Gold Command 7th Floor,
Clive House. The suite acts as the focal point for the receipt, analysis and dissemination of
information relating to any Business Continuity event. Information will be received into the
suite primarily by the internal email system. However contact can also be made by
telephone or fax (see E10 for contact details).
E1.1
Arrangements for handling national Business Continuity events fall outside the scope of
normal incident control procedures.
E2
Coordination Committee - Dependant upon the nature of the Business Continuity event a
Coordination Committee (CC) may or may not be set up. The role of the CC is to consider
the impact assessment information being received into the centre and to decide upon the
most appropriate strategy for responding, for example, if it clear that a situation is
escalating to the point where there is a risk to the safe running of prisons then the CC
would take the necessary steps to mitigate the risk, for example, invoking mutual aid
arrangements.
E2.1
Where prior warning has been received about an event and there is sufficient time to put in
place contingency measures, thus reducing the impact on normal operations, there would
normally be no need for a CC. In such circumstances the NOU and the NOMS BC&R team
in conjunction with the lead business area, would monitor and report on the event. By
contrast, a CC would oversee no-notice, longer term or high impact events, such as a fuel
crisis or wide scale industrial unrest.
E3
Role of NOCC – Whatever the nature of a specific event, NOCC has five main aims:
I.
to obtain relevant information from across the Service, as well as from contractors
and suppliers, about projected and actual problems caused by the Business
Continuity event;
II.
to collate and analyse the data received to obtain an overview of the Service-wide
position and to identify specific problems that require immediate action;
III.
to brief and present situation reports to senior staff, Ministers and, where
appropriate, other Government departments, for example, the Cabinet Office,
Department of the Environment, Food and Rural Affairs (Defra), Metropolitan Police
and other police forces;
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 15
IV.
to commission and coordinate action to deal with problems caused by the Business
Continuity event, for example, reallocation of resources between establishments;
and
V.
to maintain accurate records of all relevant communications to and from the field.
E4
Liaison - NOCC will handle initial liaison with contacts outside the Service. In cases where
central coordination between government departments is required, the Cabinet Office
usually takes the lead – managing the process from its Cabinet Office Briefing Room
(COBR). Officials from the main government departments, including the Home Office,
attend COBR meetings. In turn, staff in MOJ will coordinate the activities of the Department
as a whole, including its executive agencies, through its arrangements at 102 Petty France.
E4.1
COBR and MOJ’s respective reporting requirements will usually dictate the frequency of
situation reports sought by NOCC from the field.
E4.2
NOCC, either through the CC or NEMC will seek to ensure that the Service’s concerns are
given due consideration and that its interests are safeguarded.
E5
Operational Arrangements - NOU must maintain NOCC in a state of operational
readiness. The NOU must carry out regular checks of the IT and telephony systems (these
are detailed in local NOU work instructions) and organise for an annual live test of the
arrangements.
E5.1
If there is sufficient time to prepare for a Business Continuity event i.e. notice is given of
future events, then the NOU will work with key stakeholders to produce an impact
assessment form. This form will then be sent out to the target audience, normally
Governors and Heads of Group, ahead of time, for completion and return to NOCC at the
time of the event.
E5.2
In the event of a no notice Business Continuity event, contact will initially be made with
either the NOU Duty Officer or the Duty Director who will then make contact with Gold
Command/NOMS BC&R team. Any decision to open NOCC will, ordinarily, be taken by the
Head of Operations, in consultation with the Duty Director and/or other members of NEMC.
E5.3
NOU and NOMS BC&R team, in consultation with the Duty Director, will consider
establishing a CC.
E6
Convening a CC - The membership of any CC will reflect the specific Business Continuity
event facing the service. In general however it will comprise:
I.
Head of Public Sector Prisons;
II.
Head of Operational Services;
III.
Head of Security;
IV.
Member(s) of NOMS BC&R team
V.
Legal Advisors representative;
VI.
Humans Resources representative;
VII.
Commissioning and Commercial representative;
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 16
VIII.
Prisoner Escort and Custody services (PECS) representative;
IX.
PS Press Office representative; and
X.
Other representatives depending on the nature of the event
E7
Actions for DDCs, Governing Governors, Heads of Group and Directors and
Controllers of contracted-out establishments – all will be placed on notice and informed
as to what information (usually in the form of an impact assessment) will be required from
them. This information must be sent into the NOCC suite, usually as an e-mail attachment,
in the correct format and by the time requested.
E7.1
DDCs, Governing Governors, Heads of Group and Directors and Controllers of contractedout establishments must establish contingency plans to deal with NOCC’s requirements.
Most importantly this will include nominating an individual/s with responsibility for a)
collating any information required by NOCC and b) acting as a liaison point for the duration
of the event. NOU will be responsible for reporting on the performance of establishments to
DDCs and the Deputy Director for Contracted-out Prisons i.e. whether or not they provided
the required information and on time.
E8
Staffing of NOCC
E8.1
NOCC at Clive House - NOU will organise the staffing of the suite. They will maintain a call
out list of trained personnel that can staff the suite 24/7. Other HQ Groups with vested
interests in a specific Business Continuity event will also be expected to provide staff, for
example, Human Resources have provided staff to monitor the impact of industrial
disputes.
E9
Communication with NOCC - The normal means of communicating with NOCC will be by
internal e-mail. If however, as result of a breakdown in the IT system e-mail communication
cannot be made, then contact would be made by fax, phone or to a standalone Internet
address.
E10
Contact Details - The main contact details referred to in this chapter are:
NOCC A
internal email
Nocc, 1
Nocc, 2
Nocc, 3
Nocc, 4
Initial Telephone Contact Number
0207 147 4021
Advice Line
0207 147 4024
PSI 13/2014-AI 11/2014
issue date 03/04/2014
PAGE 17
ANNEX F – Glossary
BA – Business Area
BCM – Business Continuity Management
BC&R – Business Continuity and Resilience
BCP – Business Continuity Plan
BCRL – Business Continuity and Resilience Lead
BACP – Business Area Continuity Plan
BACT – Business Area Continuity Team
BCT – Business Continuity Team
BIA – Business Impact Analysis (a systematic way of accessing the needs of an organisation prior
to an incident)
CA – Critical Activities (as defined in your BIA)
COBR – Cabinet Office Briefing Room
CRC – Community Rehabilitation Company
CSBCB – Corporate Security and Business Continuity Branch
DDC – Deputy Directors of Custody
EM – Electronic Monitoring
FICO – Fire and Incident Control Officer
IRT – Incident/Initial Response Team
LRF – Local Resilience Forum
NEMC – NOMS Executive Management Committee
NOCC – National Operations Coordination Centre
NOU – National Operations Unit
NPS – National Probation Service
PECS – Prisoner Escort and Custody Services
PSI 13/2014-AI 11/2014
issue date 03/04/2014