Background

373 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
373
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Background

  1. 1. Page 1 of 17
  2. 2. Wiltshire Fire & Rescue Service Business Continuity Policy If found please return to Corporate Risk Manager Wiltshire Fire & Rescue Service Headquarters, Manor House, Potterne, Devizes, Wiltshire, SN10 5PP Document Control Version Date Editor Comments 1.0 DRAFT for Comment, Circulated to Management Board and Local Resilience Forum Members 1.1 14-06-06 S Carpenter Endorsed by Management Board 1.2 14-07-06 S Carpenter Minor Amendments to text 1.3 03-04-07 D Nixon Minor Amendments to text Page 2 of 17
  3. 3. ........................................................................................................................................1 Wiltshire Fire & Rescue Service....................................................................................2 Business Continuity Policy............................................................................................2 Foreword from the Chief Fire Officer............................................................................4 Background....................................................................................................................5 Purpose.......................................................................................................................5 Scope..........................................................................................................................5 Assumptions...............................................................................................................6 Ownership..................................................................................................................6 Roles, accountabilities and responsibilities....................................................................7 Corporate Risk & Performance Manager ..................................................................8 Governance.....................................................................................................................9 Meetings.....................................................................................................................9 Sign Off......................................................................................................................9 Key Performance Indicators.......................................................................................9 Monitoring and Evaluation.........................................................................................9 Policy............................................................................................................................10 Aim...............................................................................................................................10 Overview of Activities.............................................................................................10 Business Impact Analysis (BIA)..............................................................................10 Risk Assessment.......................................................................................................11 Business Continuity Strategy...................................................................................11 Planning....................................................................................................................12 Training & Awareness.............................................................................................12 Establishing and sustaining the continuity culture...................................................13 Exercising / Rehearsals............................................................................................14 Maintenance.............................................................................................................14 Audit.........................................................................................................................15 Incident Management Framework...............................................................................15 Incident Management Structure...............................................................................15 RED- Emergency Management Team (EMT).........................................................15 ORANGE- Business Recovery Team (BRT)...........................................................15 BLUE –Event control team (ECT) ..........................................................................16 Implementation of the Business Continuity Plan.................................................16 Initial Activation..................................................................................................16 The evaluation stage.............................................................................................16 Full activation.......................................................................................................16 Page 3 of 17
  4. 4. Foreword from the Chief Fire Officer Thank you for taking the time to read this document. Most Fire & Rescue Services only deal with incidents that affect other organisations and/or individuals. This policy details how we will prepare for an event that may affect our organisation. We have an obligation both in law and in our tradition to protect the public in times of crisis. Should an incident disrupt our own operations we need to have first-rate arrangements in place to recover them. This document outlines how we will do this. A key component to our success in making appropriate preparations is to ensure our employees are familiar with the contents of this document. Please read it thoroughly, comment and contribute where you can and encourage all members of Wiltshire Fire & Rescue Service (Wiltshire FRS) to support this important initiative. I am asking you to make it your responsibility to familiarise yourself with this policy. Page 4 of 17
  5. 5. Background Purpose The purpose of this policy is to provide a clearly defined, documented mandatory course of action to be implemented by the Authority in respect of Business Continuity Management (BCM) and to ensure that the following objectives are achieved: • Ensure the ability to respond to events that threaten our services • Protect the organisation from a serious interruption • Recover the organisation in a planned and controlled manner should an unexpected interruption occur The Authority’s BCM activities will focus on the following critical functions that enable it to achieve its vision, strategic aims and comply with statutory requirements. • Responding to 999 emergencies • Delivering statutory fire safety • Supporting national resilience • All support functions that enable the above The BCM process adopted by the Authority is based on standards defined by the British Standards Institute1 and will ensure that the Authority: • Meets public expectations, and continues to provide a service in the event of a disruption or emergency • Meets its statutory requirements • Demonstrates good management practice Scope This policy, being directly linked to corporate governance and establishing good management practice, applies to all activities of the Authority. In particular, it is concerned with the mitigation and management of contingencies and preparation of plans, ensuring the welfare of staff and continuance of business. 1 PAS 56 Guide to Business Continuity Management Page 5 of 17
  6. 6. Assumptions Departments within Wiltshire FRS, and employees in key roles within them, will be responsible for the creation and maintenance of plans and arrangements outlined in this policy. The budget for Business Continuity will contain limited funds for specialist consultancy when required (e.g. annual crisis management testing and auditing of Business Impact Analysis (BIA) and Business Continuity plans). The Business Continuity programme will be allocated a budget sufficient to conduct and maintain the work detailed in this policy. This budget will be reviewed annually and will be subject to the sign off by the policy owner. Ownership The owner of this policy is the Deputy Chief Fire Officer (DCFO) of the Wiltshire FRS. Senior managers within Wiltshire FRS will implement this policy, and are also responsible for ensuring all personnel know of the existence and requirements of the policy. Policy Owner: Deputy Chief Fire Officer Contact Wiltshire Fire & Rescue Service, Details: Wiltshire Fire & Rescue Service Headquarters, Manor House, Potterne, Devizes, Wiltshire, SN 10 5PP Tel: 01380 731102 . Page 6 of 17
  7. 7. Roles, accountabilities and responsibilities Responsibl Role Accountable Consulted Informed e Chair CFA √ √ √ CFO √ √ √ DCFO √ √ √ ACO √ √ √ Head of Corporate √ √ √ Services Area Manager Technical √ √ √ Services Area Manager √ √ √ Risk Health and √ √ √ Safety Advisor Head of Human √ √ √ Resources Communications √ √ √ and IT Manager Wiltshire Fire & Rescue Service √ √ √ Accountant Corporate Risk & Performance √ √ √ Manager Suppliers of business √ √ services or products Local Resilience √ √ Forum (LRF) CFOA BCM √ √ Group Page 7 of 17
  8. 8. Corporate Risk & Performance Manager The Corporate Risk & Performance Manager will be responsible for co- ordinating all BCM activities of the Authority, with specific responsibility for: • Development of the corporate Business Continuity policy in liaison with the Wiltshire FRS Management Board • Development, review and monitoring of the Authority’s Business Continuity plan in liaison with the Wiltshire FRS Management Board • Conducting an annual review of risks threatening the Authority and identifying their impact on the business critical functions of the Authority • To promote and support the implementation of BCM across the Authority • To identify any dedicated inputs and resources required to support the work • To monitor and review the effectiveness of the Authority’s Business Continuity policy • To identify and communicate Business Continuity issues to all departments as necessary • To assist departments in undertaking BCM activity through training and/or direct support • Organising and/or reviewing Business Continuity exercises at Red, Orange and Blue level • Production of quarterly reports on progress and status to Wiltshire FRS Management Board and an annual summary for the Combined Fire Authority • Liaison with other Fire Services through the Chief Fire Officer’s Association (CFOA) Business Continuity group, and ALARM fire sub group Page 8 of 17
  9. 9. Governance Meetings Business Continuity will be addressed by the Authority’s Finance and Performance Management Board. This group will manage the progress of Business Continuity work and will address any issues that arise. The Corporate Risk & Performance Manager will be responsible for managing actions arising from Business Continuity agenda items. At other meetings in the organisation involving new processes or organisational changes, consideration will be given to Business Continuity to ensure plans are maintained and contingency provision is considered from the outset. Sign Off The Corporate Risk & Performance Manager and the identified plan owner will sign off Business Continuity plans. Key Performance Indicators Performance in business continuity will be measured by viewing outputs in the following areas: • Production of an annually reviewed Business Impact Analysis (BIA) • Production of an annual Risk Assessment (or earlier if new risks have been identified), to include documented evidence of sharing this information with the Local Resilience Forum and the Community Risk Register • Production of a statement (signed by the Chief Fire Officer and the Head of Corporate Services) of what is included and excluded from the Business Continuity strategies employed by the Wiltshire FRS • Annually reviewed Business Continuity plans • A documented record of all Business Continuity training • A post exercise report for each Business Continuity exercise carried out • Action plans to address any shortcomings identified by external audits The standard for these outputs are contained within this policy. Monitoring and Evaluation To encourage strong corporate governance, the Business Continuity process Page 9 of 17
  10. 10. will include the following monitoring activity: • Progress reports for each Authority Risk Management Group Meeting • Senior management review • Chief Fire Officer and Head of Corporate Services sign-off on the strategy statement and testing work Periodic external audit by suitably qualified professionals Policy Aim The aim of this policy is to outline the process by which Wiltshire FRS discharges its governance and other obligations under the Civil Contingencies Act 2004. Overview of Activities Business Continuity activity will centre on identifying and protecting Mission Critical Activities (MCA’s). A Mission Critical Activity is determined as a critical operation that enables the Wiltshire Fire & Rescue Service to protect the public, and are those related to: • Responding to 999 emergencies; • Delivering community fire safety; • Supporting national resilience; • All support functions that enable the above. Business Impact Analysis (BIA) A Business Impact Analysis (BIA) will be carried out and maintained annually. Where there is a significant change to the Wiltshire FRS or its operations, the BIA will be reviewed and amended at the time of the change. The BIA will be used to: • Identify, quantify and qualify the impacts on Wiltshire FRS of a loss of, interruption to or disruption of a Mission Critical Activity • Identify the acceptable standard and time (Recovery Time Objectives) to which the Mission Critical Activities need to be recovered • Identify the minimum level of resources needed to enable Wiltshire FRS to meet its Recovery Time Objectives Page 10 of 17
  11. 11. • Assist in defining the risk appetite of Wiltshire FRS. The BIA will, for each operation, identify and document the following: • Aims, objectives and service delivery • Mission Critical Activities • Impacts (on service delivery, reputation, financial etc) resulting from disruption, interruption, or loss of Mission Critical Activities over a period of time; • Critical records and data, storage, location and back up strategy • Authority contacts, key suppliers and relevant regulatory bodies Senior managers within Wiltshire FRS will sign off the following, each of the areas they are responsible for: • The identified Recovery Time Objectives • An outline plan of the recovery activities and resources needed to restore the Mission Critical Activities • The impacts associated with a loss or disruption to the Mission Critical Activity Risk Assessment The Risk Assessment will evaluate the exposures faced by Wiltshire FRS to specific threats such as, flooding, fire, sabotage, utility failure etc. Threats will be considered for both inside premises and in the surrounding environment. The Risk Assessment will be carried out annually or when a new threat has been identified (e.g. the nearby construction of a hazardous facility) and will require sign-off by the Chief Fire Officer. The Risk Assessment should document the mitigating steps that have been taken by Wiltshire FRS to address the identified threats. Missing or inadequate mitigating steps or precautionary measures will be documented and recommendations sought from the relevant professional area. Business Continuity Strategy The Business Continuity Strategy will determine and select means for enabling Wiltshire FRS to recover their Mission Critical Activities. Each strategy will: • Be justified against the potential impact of the loss of service • Involve measures to support Wiltshire FRS, the business process and the resources required to recover the activity; • Form the basis of the Business Continuity plans; Page 11 of 17
  12. 12. • Cover arrangements that may have been outsourced. A written statement will document each Business Continuity strategy. This statement, requiring sign-off by the Chief Fire Officer and the Head of Corporate Services, will detail what is included and excluded from the strategy. Planning The Corporate Risk & Performance Manager will be responsible for managing the Business Continuity plans. The Business Continuity function will manage two types of plans, the Departmental Recovery Plans and the Incident Management Plans. The Incident Management Plans coordinate the activities of the Departmental Recovery Plans. Plans will: • Be in place at all times • Have rigorous version and distribution controls • Have a Wiltshire FRS owner who will sign to confirm the plan is fit for purpose • Identify the Recovery Time Objectives and the tasks and resources required to achieve them • Protect Wiltshire FRS’ reputation and brand image • Demonstrate effective Business Continuity Management and Corporate Governance • Contain current and relevant contact information • Have controlled copies held and maintained offsite Additionally, they will be written: • Detailing who does what, when, where and how • Together with the business unit concerned • To address a ‘worst-case’ scenario, thereby being able to cater for less likely events • With the aim of keeping extraordinary expenditure to a minimum • With reference to functions rather than persons Training & Awareness All Wiltshire FRS personnel will familiarise themselves with this policy and its requirements. Training will be used to communicate Business Continuity strategies and planning to all personnel. Training will seek to increase awareness, skills and competence in Business Continuity. New personnel will Page 12 of 17
  13. 13. be provided with an overview of Business Continuity as part of their induction. A Training Needs Analysis (TNA) will be drawn up and maintained for all personnel in Wiltshire FRS by the Corporate Risk & Performance Manager (with assistance from the Training and Development Department). This TNA will identify what training and rehearsals are required for which personnel. All training will have a clear purpose and objectives, and will seek to make the best use of time available and minimize disruption to normal operational activity. See additional guidelines in the section entitled Test Programme Establishing and sustaining the continuity culture The following activities will be conducted to raise awareness of plans and arrangements and assist with the required culture change: • Let everyone have access to Business Continuity plans via Wiltshire FRS’ internal intranet and external website • Talk through plans with staff regularly so they know what can be expected should a disaster occur, and understand what they themselves need to do • Inform all staff of their BCM status • Update induction material to include details of departmental and Authority Business Continuity arrangements • Produce a small information card, for all staff to carry detailing basic emergency numbers and other relevant information • Publicise any exercises that we have and the learning outcomes • Take advantage of any BCM awareness initiatives, either locally or nationally, to help promote our own BCM arrangements. • Include the embedding of BCM as one of the terms of reference of the risk management group • Disseminate information via the intranet, newsletter’s, E-mails and bulletins to raise awareness Wiltshire FRS will also participate nationally and regionally in the Chief Fire Officers Association BCM Sub group, with particular emphasis on the sharing of best practice ideas and the co-ordination of planning arrangements Page 13 of 17
  14. 14. Exercising / Rehearsals The terms ‘exercising’ and ‘rehearsals’ will be used interchangeably as both are intended to measure and improve the Business Continuity performance of Wiltshire FRS. All Wiltshire FRS personnel will demonstrate positive professional commitment to testing work. Rehearsals will be seen as an opportunity for learning and development. They will be designed to promote continuous improvement. The terms ‘pass’ or ‘fail’ will not be used. Tests will utilise the strategies and planning that currently exists rather than create manufactured environments where a ‘positive’ outcome is almost guaranteed. Business Continuity testing will rehearse the ability of teams to recover mission critical activities within the Recovery Time Objectives defined in the Business Impact Analysis. Rehearsals will validate planning assumptions and as such will be carried out in a robust fashion. Wiltshire FRS will critically rehearse strategies, plans, teams and systems annually. If a major change is made to Wiltshire FRS’ structure, it will be reflected in the Business Continuity plans and tested within six months of the change being made. Maintenance Wiltshire FRS recognise that Business Impact Analysis, Risk Assessments, Strategies and written plans need to be maintained to reflect changes in personnel, systems, vendors and general business strategy. The Corporate Risk & Performance Manager will develop a maintenance schedule annually. This maintenance schedule will detail activities to maintain Business Impact Analysis, Risks Assessments, Strategies and written plans. The Corporate Risk & Performance Manager will provide reports on these activities for review at the Authority Risk Management Group meetings. The Maintenance schedule will also include: • Distribution of plans and Business Continuity documentation; • Costs incurred, budget remaining; • Work carried out; • Changes made to documents; • Risks and Issues; • A list of personnel with Business Continuity responsibilities Human Resources will notify the Corporate Risk & Performance Manager when a person decides to leave the company. The Corporate Risk & Performance Manager will then remove their contact information from documentation held within ten days of this notice. Plans must be reviewed in advance of and/or after: • Major re-structure of the organisation or department Page 14 of 17
  15. 15. • An incident • An exercise or drill The Corporate Risk Manager, under the direction of the Chief Fire Officer, is responsible for ensuring this is done. Audit Audits will be carried out against this policy and the standards detailed in Appendix B of PAS56 or current equivalent Incident Management Framework Incident Management Structure Wiltshire FRS will use an incident management structure based on three levels of response designed to avoid duplication of effort and provide a streamlined decision making process: In order to manage an event impacting the business; • Red - Emergency Management Team • Orange - Business Recovery Team • Blue - Event Control Team RED- Emergency Management Team (EMT) Will assess the impact on the Authority as a whole and provide support from Service Headquarters (SHQ) or the Training & Development Centre (TDC) in the event of a disaster at SHQ. The EMT: • Is the highest level of management in the recovery organisation • Is responsible for deciding: o Whether or not an incident situation exists o Whether or not to invoke the Business Continuity Plan; and the conduct of the recovery • Comprises all management board members • Will have a Leader and Deputy Leader ORANGE- Business Recovery Team (BRT) Will coordinate and manage the internal recovery effort. The Business Recovery Team will carry out the recovery of the critical functions. This team will operate out of SHQ or TDC in the event of a disaster at SHQ. The BRT will report to the EMT. It will consist of key people from the relevant areas and have assigned Leaders and Deputy Leaders. Leaders could be Page 15 of 17
  16. 16. members of the EMT, provided the two roles do not conflict BLUE –Event control team (ECT) The objectives of this team in order of importance are: • To protect lives, prevent injury, provide shelter; and evacuate premises, if necessary • To prevent the incident from escalating to a disastrous level • To contain any damage and reduce the impact • To make sure salvage and emergency repairs are started • The ECT should check that other emergency procedures have been followed if required Implementation of the Business Continuity Plan Implementation of the plan will be broken down into three phases: • Initial activation • The evaluation stage • Full activation Initial Activation Out of hours the Red team leader, who will be the duty Principal Manager, will activate the plan on receipt of information from the Orange team leader, who will be the duty Senior Manager. During normal office hours, normal emergency procedures will be followed and the department manager affected, acting as the Blue team leader will manage the immediate situation. He/she will then contact Wiltshire FRS Control and notify them of the event or disruption asking them to inform the duty Senior Manager. The evaluation stage If not already on site the Red team leader contacted will instruct the Orange team leader to detail the duty officer, or nearest available officer to the scene in order that an initial evaluation of the extent of damage can be made. The other members of the Red team will be placed on standby at this stage. Depending on the extent of damage the Red team leader will either take no further action or will initiate full activation. Full activation If the plan is fully activated the Red team leader will carry out the following actions: Page 16 of 17
  17. 17. • Instruct Wiltshire FRS Control to contact all Red team members and instruct them to rendezvous at SHQ or TDC • Instruct Wiltshire FRS Control to contact Orange team members and put them on standby • Open a log of events • Prepare a preliminary verbal report for principal management and the Authority Page 17 of 17

×