NHS core standards for emergency preparedness, resilience and response guidance

1. Purpose

The purpose of the NHS core standards for EPRR is to:

  • enable health agencies across the country to share a common approach to EPRR
  • allow co-ordination of EPRR activities according to the organisation’s size and scope
  • provide a consistent and cohesive framework for EPRR activities
  • inform the organisation’s annual EPRR work programme.

2. Relevant legislation and guidance

The Civil Contingencies Act 2004, Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005, NHS Act 2006 and Health and Care Act 2022 underpin EPRR within health. All acts place EPRR duties on NHS England and the NHS in England.

Additionally, the NHS Standard Contract Service Conditions (SC30) require providers of NHS-funded services to comply with the NHS EPRR Framework and other NHS England guidance.

3. EPRR annual assurance process

The NHS England Board has a statutory requirement to formally assure its own and the NHS in England’s readiness to respond to emergencies. This is provided through the EPRR annual assurance process and assurance report. This report is submitted to the Department of Health and Social Care and the Secretary of State for Health and Social Care.

As the NHS core standards for EPRR provide a common reference point for all organisations, they are the basis of the EPRR annual assurance process.

Providers and commissioners of NHS-funded services complete an assurance self-assessment based on these core standards. This assurance process is led nationally and regionally by NHS England and locally by Integrated Care Boards (ICBs).

4. NHS core standards for EPRR

The NHS core standards for EPRR cover 10 domains:

  1. governance
  2. duty to risk assess
  3. duty to maintain plans
  4. command and control
  5. training and exercising
  6. response
  7. warning and informing
  8. co-operation
  9. business continuity
  10. chemical biological radiological nuclear (CBRN) and hazardous material (HAZMAT).

The applicability of each domain and core standard depends on the organisation’s function and statutory requirements. Where organisations provide services across multiple organisation types, all the standards in all the applicable organisation types will apply; for example, an NHS111 service provider that also provides urgent treatment services (community) is required to comply with all the standards applicable to NHS111 services and community service providers.

An 11th domain is only applicable to NHS ambulance trusts and covers the ‘interoperable capabilities’ they must have in place

4.1 Governance

An EPRR policy or statement of intent outlining the organisation’s commitment to deliver EPRR must be in place. This statement should be supported by an annual EPRR work programme to ensure all NHS core standards for EPRR are delivered.

Organisations must have an appointed accountable emergency officer (AEO) who is a board-level director and responsible for EPRR in their organisation. Following a national review of non-executive director (NED) champions, the requirement for a non-executive board member to support the AEO has been removed, recognising that the responsibility for EPRR sits with the whole board and all NEDs should assure themselves that requirements are being met.

The AEO must provide reports to the public board on EPRR activity no less frequently than annually and must publicly state its readiness and preparedness activities in annual reports within the organisation’s own regulatory reporting requirements.

Organisations that do not have a public board must instead publicly state their readiness and preparedness activities in annual reports within the organisation’s own regulatory reporting requirements.

4.2 Duty to risk assess

Organisations should have provision in place to regularly assess the risks to the population they serve. This process should consider the community and national risk registers.

A supporting risk management system must be in place to ensure a robust method of reporting, recording, monitoring, communicating and escalating EPRR risks internally and externally with partners.

4.3 Duty to maintain plans

Appropriate and up-to-date plans must set out how the organisation plans for, responds to and recovers from major incidents, critical incidents and business continuity incidents. These should be developed in collaboration with partners and service providers to ensure the whole patient pathway is considered.

4.4 Command and control

A robust and dedicated EPRR on-call mechanism should be in place to receive notifications relating to EPRR. This facility should be 24 hours a day, seven days a week, and provide the ability to respond or escalate notifications to executive level.

Personnel performing the on-call function should be appropriately trained in major incident, critical incident and business continuity response.

4.5 Training and exercising

EPRR training should be carried out in line with a training needs analysis to ensure staff are competent in their role(s).

Arrangements must be exercised through, as a minimum, a:

  • communications exercise every six months
  • tabletop exercise once a year
  • live exercise every three years
  • command post exercise every three years

4.6 Response

Staff trained in incident response should be available to respond to incidents from within an incident co-ordination centre (ICC). This includes having processes in place for receiving, completing, authorising and submitting situation reports (SitReps) and briefings. These arrangements should also include an alternative ICC, should the primary location be affected by the incident itself or be unavailable at the time of response.

4.7 Warning and informing

EPRR and communications planning activity should be co-ordinated to ensure communications align with organisational requirements during an incident. This includes ensuring access to trained communications support for senior leaders during an incident.

Communications plans should be tested alongside incident plans to support communication with partners and stakeholders, and warning and informing public and staff when responding to major incidents, critical incidents and business continuity incidents.

Organisations should also have appropriate media and social media strategies to enable communication with the public. This should include identification of, and access to, trained media spokespeople who can represent the organisation.

4.8 Co-operation

Arrangements should be in place to share appropriate information with stakeholders. This includes participation in local health resilience partnerships (LHRPs) and with local resilience forums (LRFs) and other multiagency planning forums to demonstrate engagement and co-operation with other responders.

4.9 Business continuity

Organisations must set out their intention and methods of undertaking business continuity in a policy and/or business continuity management system (BCMS).

The BCMS is part of the overall management system that establishes, implements, operates, monitors, reviews and improves business continuity.

The system allows organisations to identify prioritised/critical activities by undertaking a business impact analysis (BIA). In addition, it contributes to ensuring an organisation has business continuity plans in place to respond to business continuity incidents.

Each organisation should have in place a process to measure the effectiveness of the BCMS and take corrective action where necessary.

The BCMS should be in line with the International Standards for Organisations (ISO) 22301.

4.10 Chemical, biological, radiological, nuclear (CBRN) and hazardous materials (HAZMAT)

Acute, specialist, mental health and community healthcare providers are required to have planning arrangements in place for the management of CBRN incidents. NHS ambulance trusts also share this requirement and their specific responsibilities in relation to CBRN are set out in ‘interoperable capabilities’.

4.11 Interoperable capabilities

NHS ambulance trusts in England are required to maintain a set of specialist capabilities. These capabilities are nationally specified under the NHS England EPRR Framework.

These capabilities are interoperable between services. They must be maintained according to strict national standards to ensure they can be combined safely to provide an effective national response to certain types of incidents.

The interoperable capabilities include:

  • hazardous area response teams (HART)
  • special operations response teams (SORT)
  • mass casualty vehicles (MCV)
  • command and control
  • joint emergency services interoperability principles (JESIP).

5. Climate adaptation planning

Under the adaptation reporting powers of the Climate Change Act, the Greener NHS programme has been invited by the Department for Environment, Food and Rural Affairs to produce the health and care adaptation reports on behalf of the sector.

The third health and care adaptation report includes the recommendation for adaptation planning to be considered for inclusion in the latest revision of the EPRR core standards to increase systematic scrutiny.

This has been reflected across several existing relevant domains and standards including:

  • the consideration of reasonable worst-case scenario and extreme events for adverse weather as a core component of community risk registers
  • adverse weather arrangements should be reflective of climate change risk assessments and cognisant of extreme events
  • climate change adaption planning to be considered as a longer-term impact on an organisation as part of a business continuity policy statement.

As with all the core standards, it will be important for EPRR leads to engage with relevant local leads for the Greener NHS programme or climate adaptation planning, not only to seek local assurance of these relevant areas, but also to align longer-term planning arrangements.

6. Equality and health inequalities

In complying with the core standards for EPRR, organisations must ensure all EPRR arrangements and planning consider the needs of people with protected characteristics and vulnerable groups, particularly with regard to: access to information, services and premises; increased risk based on health factors; safeguarding implications; and the management of restoration of services.

Equality and health inequalities impact assessments (EHIAs) are tools that can be used to assess the impact of arrangements and plans on the communities and populations the organisation serves.

The use of EHIAs, and any subsequent recommendations made as a result of EHIAs, will assist organisations in developing EPRR plans and arrangements that improve the care and safety, health and wellbeing of all patients, staff, visitors and populations from protected characteristic groups. Their use contributes to the assurances that NHS organisations are meeting their legal duties around equalities and health inequalities under the Equality Act (2010), the NHS Act (2006) and the Health and Care Act (2022).

7. Reviews and updates

The NHS core standards for EPRR are subject to an annual review. This review includes minor amendments and updates according to recent learning and changes in legislation and/or guidance.

A full review of the core standards occurs every three years, involving consultation with a working group. This was last conducted in 2022. The working group for the 2022 review consisted of representatives from a variety of NHS organisations and independent providers of NHS services from across the country, including commissioners, acute, specialist, mental health, community, patient transport and NHS111 service providers. Any amendments/recommendations to future NHS core standards for EPRR can be directed to: england.eprr@nhs.net