As part of the NHS England Emergency Preparedness, Resilience and Response (EPRR) Framework, providers and commissioners of NHS-funded services must show they can effectively respond to major, critical and business continuity incidents while maintaining services to patients.
NHS England has an annual statutory requirement to formally assure its own and the NHS in England’s readiness to respond to emergencies. To do this, NHS England asks commissioners and providers of NHS-funded care to complete an EPRR annual assurance process. This process incorporates four stages:
- organisational self-assessment against NHS core standards for EPRR
- local EPRR assurance
- regional EPRR assurance
- national EPRR assurance.
Based on this process, national EPRR will submit an EPRR assurance report to the NHS England Board. The report is then shared with the Department of Health and Social Care (DHSC) and the Secretary of State for Health and Social Care.
The purpose of this document is to provide guidance to organisations completing the EPRR annual assurance process by:
- providing an overview of the NHS core standards for EPRR
- outlining roles and responsibilities of the organisations involved
- defining the participating organisations
- setting out the EPRR annual assurance process
2. Relevant legislation and guidance
The Civil Contingencies Act 2004, Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005, NHS Act 2006 and Health and Care Act 2022 underpin EPRR within health. All acts place EPRR duties on NHS England and the NHS in England.
Additionally, the NHS Standard Contract Service Conditions (SC30) requires providers of NHS-funded services to comply with the NHS EPRR Framework and other NHS England guidance.
3. NHS core standards for EPRR
The NHS core standards for EPRR are the minimum requirements commissioners and providers of NHS-funded services must meet.
These core standards are the basis of the EPRR annual assurance process. Commissioners and providers of NHS-funded services must assure themselves against the core standards.
The applicability of each core standard is dependent on the organisation’s function and statutory requirements. Each organisation type has a different number of core standards to assure itself against.
The NHS core standards for EPRR cover 10 core domains:
- duty to risk assess
- duty to maintain plans
- command and control
- training and exercising
- warning and informing
- business continuity
- hazardous material (HAZMAT) and chemical biological radiological nuclear (CBRN)
NHS ambulance trusts are required to assure themselves against an additional domain – ‘interoperable capabilities’ – which includes:
- hazardous area response teams (HART)
- special operations response teams (SORT)
- mass casualty vehicles (MCV)
- command and control
- implementation of the joint emergency services interoperability principles (JESIP).
3.1 Deep dive
Each year a deep dive review is conducted to gain additional assurance into a specific area. Previous years have covered the following topics:
- 2015/16 pandemic influenza
- 2016/17 business continuity
- 2017/18 governance
- 2018/19 command and control
- 2019/20 severe weather and climate adaptation
- 2020/21 n/a
- 2021/22 oxygen supply
- 2022/23 evacuation and shelter
In 2023/24 the topic is EPRR training.
The self-assessment against the deep dive standards does not contribute to the organisation’s overall EPRR assurance rating; these should be reported separately.
4. Roles and responsibilities
4.1 Participating organisations
The following organisations are required to undertake the EPRR assurance process:
- NHS acute providers
- integrated care boards (ICB)
- commissioning support units (CSUs)
- NHS community service providers
- NHS mental health providers
- NHS ambulance trusts
- NHS England national
- NHS England region
- other organisations delivering NHS-funded care
- patient transport services
- specialist providers of NHS-funded care
- primary care as directed by its ICB/NHS England regional EPRR.
Participating organisations are asked to rate their compliance via a self-assessment against the relevant individual core standards. These individual ratings are used to inform the organisation’s overall EPRR annual assurance rating.
Local organisations are required to submit their completed self-assessment to their ICB and take part in an agreed review process lead by the ICB to gain confidence with the assurance ratings.
Following the local health resilience partnership (LHRP) peer review process and agreement of the self-assessment with the ICB, the agreed organisational EPRR assurance rating should be reported to the organisation’s public board. Corrective action plans should be submitted to ICBs with a copy of the board report.
4.2 Integrated care boards
ICBs are responsible for monitoring each commissioned provider’s compliance with their contractual obligations in respect of EPRR and with applicable core standards, and will lead the local assurance process as NHS system leads.
ICBs are also responsible for submitting a consolidated assurance report detailing assurance ratings for organisations within the integrated care system (ICS).
4.3 Local health resilience partnerships
The LHRP will ensure there is a mechanism for the peer review of EPRR assurance against the core standards. As LHRP co-chairs, ICBs will work with LHRP partners to agree a process to provide an environment that promotes shared learning and good practice. The outcome of the annual assurance process will also inform the LHRP business plan. The LHRP also allows for a level of external scrutiny with the Local Authority Director of Public Health co-chairing alongside the ICB.
It is within the discretion of LHRPs to invite all appropriate organisations within their partnership to take part in the EPRR annual assurance process.
4.4 NHS England
Using the ICB assurance returns, the region will submit a regional EPRR assurance report to national EPRR.
Regional EPRRs are responsible for:
- ensuring ICBs are actively involved in this process
- establishing the timetable for the assurance in their region
- reviewing and considering ICB assurance returns
- facilitating a confirm and challenge process
- submitting the regional summary assurance return to national EPRR
- identifying both areas of good practice and those where improvement is needed across their geography.
National EPRR will submit a national EPRR annual assurance report to the NHS England Board.
National EPRR is responsible for:
- completing the national EPRR assessment
- reviewing and considering regional assurance returns
- facilitating a confirm and challenge process with regions
- participating in a national confirm and challenge by a nominated region.
5. Assurance process
5.1 Stage 1: self-assessment
5.1.1 NHS core standards for EPRR compliance
Participating organisations are asked to rate their compliance (see table below) via a self-assessment against the relevant individual core standards.
Compliance level: Fully compliant
Compliance definition: Fully compliant with the core standard.
Compliance level: Partially compliant
Compliance definition: Not compliant with the core standard. However, the organisation’s EPRR work programme demonstrates sufficient evidence of progress and an action plan is in place to achieve full compliance within the next 12 months.
Compliance level: Not compliant
Compliance definition: Not compliant with the core standard. The organisation’s EPRR work programme shows compliance will not be reached within the next 12 months.
5.1.2 Overall organisational assurance rating
An overall assurance rating will be assigned based on the percentage of NHS core standards for EPRR that the organisation has assessed itself as being ‘fully compliant’ with. The thresholds for each assurance rating are shown in the table below.
Annex 1 shows the number of core standards for each assurance rating by organisation type.
Overall EPRR assurance rating: Fully
Criteria: The organisation is fully compliant against 100% of the relevant NHS EPRR Core Standards
Overall EPRR assurance rating: Substantial
Criteria: The organisation is fully compliant against 89-99% of the relevant NHS EPRR Core Standards
Overall EPRR assurance rating: Partial
Criteria: The organisation is fully compliant against 77-88% of the relevant NHS EPRR Core Standards
Overall EPRR assurance rating: Non-compliant
Criteria: The organisation is fully compliant up to 76% of the relevant NHS EPRR Core Standards
NHS ambulance trusts should report two assurance ratings, demonstrating compliance with the:
- NHS core standards for EPRR
- interoperable capabilities.
The organisation’s EPRR self-assessment should be shared with the ICB and LHRP and should consist of the following signed off by the accountable emergency officer (AEO):
- self-assessment against individual core standards relevant to its organisation type
- action plans to ensure full compliance with all core standards
- overall assurance rating.
Organisations that operate across LHRP borders should present their complete EPRR self-assessment return to their lead commissioner and host LHRP as appropriate. This documentation should also be shared with other relevant LHRPs and stakeholders as necessary.
Following agreement of the self-assessment with the ICB, the organisation’s final overall assurance rating should be:
- formally reported to, and signed off by, the organisation’s board/governing body/senior management team
- presented at a public board meeting (where one exists)
- published in the organisation’s annual report within the organisation’s own regulatory reporting requirements
5.2 Stage 2: local assurance
As local NHS system leads, the ICBs are responsible for seeking assurance of their system’s constituent organisations’ compliance against the core standards and work with NHS England regional EPRR teams and local organisations to agree a process to gain confidence with organisational ratings.
The LHRP will host a peer review process to review and consider the partnership’s constituent organisations’ EPRR self-assessment return and provide an environment to promote the sharing of good practice. Records of the reviews undertaken should be kept, including any evidence provided.
Where an organisation considers itself less than fully compliant, ICBs are expected to investigate further, and support the development of any corrective actions.
Should an organisation report an overall EPRR self-assessment of ‘non-compliance’, arrangements should be made by the ICB to regularly monitor improvement plans and assist progress, no less than quarterly, to full compliance.
Whilst a provider may be commissioned to deliver services in multiple geographic areas, commissioners must seek their own local assurance of compliance against the relevant core standards for the contracted services from these providers.
ICBs should provide NHS England regional EPRR teams with an overview report outlining the level of preparedness, risks and areas of good practice of all organisations in their geography. Copies should also be shared with the relevant LHRPs.
5.3 Stage 3: NHS England regional assurance
NHS England regional EPRR should conduct a confirm and challenge meeting with all constituent ICBs. Regions should request evidence of the process used to support and/or challenge organisation(s). Records of the reviews undertaken should be kept, including any evidence requested.
Regional EPRR teams should brief their regional leadership team and submit the regional summary assurance return to the national EPRR team.
5.4 Stage 4: NHS England national EPRR assurance
The NHS England national EPRR team will hold review meetings with regional EPRR teams. The national EPRR team will nominate a region to undertake a review of its own assurance assessment.
A national assurance report will be prepared for the NHS England Board. This report will also be used to provide assurance to DHSC and the Secretary of State on the levels of preparedness across the health service in England.
6. NHS England EPRR annual assurance
The organisation’s national and regional EPRR teams are required to assess themselves against the core standards for EPRR that are applicable to them, and include the assurance rating they achieve within the regional or national confirm and challenge meetings. The organisation’s overall assurance rating will be included in the final board report.
Assurance of NHS England’s, and commissioning support units’, business continuity will be undertaken locally by the business continuity lead in conjunction with the NHS England business continuity team
The business continuity team should liaise directly with:
- NHS England national and regional EPRR teams
- commissioning support units (CSUs).
Annex 1: Assurance rating thresholds
|Fully compliant||Substantially compliant||Partially compliant||Non-compliant|
|100%||99-89%||88-77%||76% or less|
|Organisation type||Number of fully compliant core standards to achieve the percentage|
|Acute providers||62||61-55||54-48||47 -0|
|NHS ambulance service providers||Core Standards||58||57-51||50-44||43-0|
|Interoperable Capability Standards||136||135-121||120-104||103-0|
|Community service providers||58||57-51||50-44||43-0|
|Patient transport services||42||41-37||36-33||32-0|
|Mental health providers||58||57-51||50-44||43-0|
|NHS England region||47||46-42||41-36||35-0|
|NHS England national||45||44-40||39-34||33-0|
|Integrated care boards*||47||46-42||41-36||35-0|
|Commissioning support units||39||38-34||33-30||29-0|
|Primary care services – GP, pharmacy||44||43-39||38-34||33-0|
|Other NHS-funded organisations||48||47-43||42-37||36-0|