Introduction
This guidance updates and supersedes the NHS England Business Continuity Management Toolkit published in 2016.
This guidance was developed by a Task and Finish Group convened by NHS England, comprising representatives from a variety of healthcare service providers and commissioners across the country.
Under the Civil Contingencies Act 2004 and the Health and Care Act 2022, all NHS organisations have a duty to put in place continuity arrangements. The NHS Core Standards for Emergency Preparedness, Resilience and Response (EPRR), last revised in 2022, set out these requirements for all NHS organisations and providers of NHS funded care. This means that services should be maintained to set standards during any disruption, or recovered to these standards as soon as possible.
This work is referred to in the health service as ‘emergency preparedness, resilience and response’. A Business Continuity Management (BCM) system provides a holistic management process that identifies potential threats to NHS organisations and the impact those threats, if realised, might have on business operations.
The holistic process of business continuity management is an essential tool in establishing an organisation’s resilience. This toolkit contains a portfolio of supporting materials which aim to assist NHS organisations and providers of NHS funded care in meeting their business continuity management obligations.
1.1 Purpose
The ISO 22301 standard is designed to help NHS organisations, and providers of NHS funded care, to prepare for, respond to and recover from unexpected and disruptive incidents. It also provides a structure for NHS organisations to align with and, as a result, highlights key areas that must be adopted as part of the Plan, Do, Check, Act (PDCA) cycle.
NHS England recognises that many organisations have well-structured and credible business continuity plans. There is no national mandate for these organisations to utilise this toolkit to deliver a resilient and robust business continuity programme. However, to maintain consistency across the NHS, organisations should work to the ISO 22301 principles and adopt the PDCA methodology, as this facilitates incorporation of best practice. The toolkit is an off-the-shelf portfolio of supporting materials to be used at the discretion of each NHS organisation.
Through the use of this toolkit, NHS organisations are able to provide factual evidence of robust planning and preparation. This could be either as part of an NHS organisation’s internal audit assurance function, or where evidence of robust BCM processes is required as part of EPRR assurance or other commissioning activities at NHS England regional or local level (ICBs).
Having robust business continuity plans gives NHS England confidence, at all structural levels, that the NHS in England, along with NHS provided services (including Community Interest Companies, private providers, primary care providers etc.), is resilient. The establishment and maintenance of systems that prepare for eventualities such as denial of access, lack of people, lack of infrastructure, loss of electricity, fuel disruption and other incidents ensures that high quality care continues to be provided by NHS organisations or providers of NHS funded care.
1.2 NHS business continuity requirements
Some NHS organisations are identified under the Civil Contingencies Act (CCA) 2004 as ‘category one’ or ‘category two’ responders. Category 1 responders are those organisations at the core of an emergency response and are subject to the full set of civil protection duties. These organisations therefore have a legal duty to develop robust business continuity management arrangements, which will help them to maintain their services if there is a major emergency or disruption. This could include, for example, an infectious disease outbreak, severe weather, fuel shortages, industrial action, loss of accommodation, loss of critical information, loss of information and communication technology (ICT) or supply chain failure.
Not all providers of NHS funded care are covered by the requirements of the CCA. However, the EPRR Framework and the NHS EPRR Core Standards, both last revised in 2022, require all NHS providers and commissioners to have suitable business continuity arrangements in place. This responsibility extends to services provided through partnerships or other forms of contractual arrangement.
The Accountable Emergency Officer (AEO) in each NHS organisation is responsible for making sure these standards are met.
NHS organisations and providers of NHS funded care must ensure that business continuity planning is a whole-system approach to the patient care pathway. Each organisation will play a part, but realistic resilience and continuity arrangements will only be achieved if we consider and understand the patient’s whole journey and plan to maintain an appropriate service level across the pathway.
NHS organisations and providers of NHS funded care will therefore need to recognise how their services depend on each other, and to align their plans with all partner organisations.
As with all plans, business continuity arrangements need to be reviewed and updated regularly, annually as a minimum, and immediately post incident. Learning from exercises and incidents should be incorporated into plans.
The business continuity management system must be regularly reviewed by the senior management of the organisation for its effectiveness, and action taken to address any shortcomings or changes in requirements.
1.3 Complex business continuity incidents
Complex business continuity incidents are those where multiple risks are realised at once, such as during a pandemic or a large provider failure. Several of these disruptions occurring simultaneously will adversely impact upon the measures that the organisation may have considered robust enough to manage a disruption in one of these areas on its own.
Plans therefore must be written to take into account compound failures. In a pandemic, for example, loss of staff (staff having ill health or staff having dependents with ill health), loss of location access (travel disruption or the closing of an office due to the spread of disease) and loss of supplier may all occur together and multiple times.
1.4 Primary care
NHS England recommends that all Primary Care Services have plans in place for continued operation of their services during a disruption. For example, Trust plans should feed into Primary Care plans to take account of pathology laboratory or network failures and to establish joint agreements on returning patient results.
It is recommended that any template used is agreed with the commissioning body, to ensure it meets the relevant needs of local commissioners. Practice managers are encouraged to work collaboratively in the development of arrangements, as any disruption is likely to have knock-on impacts on other Primary and Secondary Care services locally.
1.5 Summary of changes
- Business Continuity Management Framework (Service Resilience) stood down as this is no longer in existence.
- Best practice has been taken from the BC Good Practice Guidelines 2018, replacing the previous guidance.
Business continuity management toolkit updates
- Transferred the Business Continuity Management Toolkit and supporting documentation to the new NHS England document templates.
- Elaborates on the Plan, Do, Check, Act (PDCA) cycle, with a new schematic called PDCA for ISO 22301.
- Further bolstered paragraphs for each heading under the PDCA cycle e.g. Business Continuity Policy, Business Impact Analysis, BC Programme etc.
- Added new paragraphs into the PDCA cycle to provide additional guidance for each element of the cycle.
- Added a Supplier Service Questionnaire Template provided by North East Ambulance Service (NEAS).
- Provided five new business continuity case studies that have been added to the existing case studies (Part 5).
- Updated standards and references such as:
  - ISO 22301:2019 – Business Continuity Management System – Requirements
  - ISO 22313:2020 Societal Security – Business Continuity Management Systems – Guidance
  - The Publicly Available Specifications (PAS) 2015
  - BCI Good Practice Guidelines (2018)
  - Civil Contingencies Act 2004
  - Health and Social Care Act 2022
  - The NHS Act 2006
- Liaised with the Equalities and Health Inequalities team within NHS England to ensure protected characteristics were considered when updating documentation.
Part 1 Documentation
- Transferred all documentation on to NHS England
- Elaborated on points mentioned within the Business Continuity Management
- Additional Business Impact Analysis Template (Excel version) added to cater to the wider NHS.
- Updated historic guidance with up to date best practice and in line with ISO
- Added a communications section within the Business Continuity Plan
Part 2 Documentation
- Transferred all documentation onto NHS England templates.
- Updated schematics to reflect the current NHS landscape, e.g. replacing Clinical Commissioning Groups with Integrated Care Boards, and reflecting the abolition of PHE and its replacement by UKHSA.
- Also updated the gradual and sudden mitigated business continuity incident schematics to ensure they are in line with ISO 22301.
- More recent business continuity incidents were added to the slide pack, as it had not been updated for a period of time.
- Notes/comments were added to both the workshop delegate handbook as well as the facilitator notes.
Part 3 Documentation
- Transferred all documentation onto NHS England templates.
- Amended grammatical errors across the exercising slide decks.
- Updated the Internal Audit Checklist to bring in line with the Business Continuity Good Practice Guidelines 2018.
Part 4 Documentation
- Transferred all documentation onto NHS England templates
- After Action Review Template (completed version) added to the suite of documentation.
- Background information in relation to Business Continuity Management Reviews, why they are required and what they comprise has been added.
Part 5 Documentation
- Transferred all documentation onto NHS England templates
- Five new business continuity case studies have been added. The incidents are reflective of recent business continuity events.
- Previous case studies have also been kept in as the learning from each one is still relevant.
2. Using this toolkit
This toolkit has been designed to support the development of business continuity arrangements. In addition, this toolkit is designed to support implementation of a business continuity management system, exercising of plans, auditing, as well as spearheading improvements to the BCMS of NHS organisations and NHS funded care.
This BCM toolkit is derived from the Plan, Do, Check, Act (PDCA) cycle. All NHS organisations, including providers of NHS funded care, are advised to refer to this cycle to drive improvements in planning and raise the standard of business continuity preparedness. To maximise the benefits of a successful BCMS, NHS organisations should continually refer to the PDCA cycle.
Organisations should select the appropriate section of the toolkit; this depends on where each organisation is in terms of its business continuity arrangements.
Within each area there is guidance and supporting material to help in the development of plans and processes, through to exercising, without predetermining a course of action for your organisation.
Plan
- Establish the business continuity programme/strategy/system
- Develop a business continuity policy
- Create a business impact assessment
- Develop policy and procedures
- Establish a documentation system
- Plan
Do
- Undertake Business Impact Analysis (BIA)
- Implementation of plans
- Develop a communications plan
- Create an exercise programme
Check
- Schedule management reviews
- Undertake internal audits
- Exercise
Act
- Debrief
- Implement corrective actions
- Continuous improvement measures
3. Standards and reference materials
The main guidance for business continuity management, which also applies to this toolkit, is contained in:
- ISO 22301:2019 – Business Continuity Management Systems – Requirements
- ISO 22313:2020 Societal Security – Business Continuity Management Systems – Guidance
Additionally, ISO 22313 provides good practice, guidelines and recommendations based on the requirements of ISO 22301.
The Publicly Available Specification (PAS) 2015 provides a resilience framework for NHS organisations and all providers of NHS funded care. PAS 2015 brings together the different strands of resilience planning within the NHS to create a framework that supports organisations’ efforts to become more resilient. It does this by:
- Helping to drive compliance with the relevant legislation, particularly the Civil Contingencies Act 2004.
- Adopting a unified and cohesive approach to resilience and business continuity which builds on BS 25999, the British Standard for business continuity.
- Developing resilient relationships with commissioners and providers of health services, which can be benchmarked against other similar sized organisations.
- Outlining the criticality of patient pathways and critical interdependencies by providing robust health services in all circumstances.
- Developing a sound understanding of partnership working within the resilience agenda.
- Helping to protect the reputation of the NHS and related services, and to maintain public confidence.
Other useful guidance or standards include:
- ISO 27000 (27001, 27002, 27003, 27004, 27005, 27006) series – Standards relating to information security management systems.
- ISO 31000:2018 series – Guidelines on managing risk faced by organisations. The standards provide a common approach to managing any type of risk and are not industry or sector specific.
- ISO 22301:2019 – This standard specifies the requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond, and recover from disruptions when they arise.
- PD 25888:2011 – Guidance on how best to develop and implement an organisation’s recovery in response to a disruptive incident.
- PD 25111:2010 – Guidelines on the planning and development of human resource strategies and policies after an incident to ensure business continuity.
- PAS 2015:2010 – Provides techniques for improving and maintaining resilience in NHS funded organisations.
- NHS England Emergency Preparedness, Resilience and Response Framework – This is a strategic national framework containing principles for health emergency preparedness, resilience and response for the NHS in England at all levels, including NHS provider organisations, providers of NHS-funded care, Integrated Care Boards (ICBs), GPs and other primary and community care organisations.
- BCI Good Practice Guidelines 2018 – The global guide to good practice in business continuity.
- BS 65000: 2014 – This standard describes the nature of resilience and ways to build and enhance organisational resilience.
- Data Security and Protection Toolkit – NHS Digital.
4.1 Part one – plan
Business Continuity is defined as the capability of an organisation to continue delivery of products or services, at acceptable predefined levels, following a disruptive incident (ISO).
4.2 Business continuity policy
The policy ‘provides the intentions and direction of an organisation, as formally expressed by its top management’ (ISO 22301). The business continuity policy sets the boundaries and requirements for the business continuity programme; it also states the reasons why it is being implemented. The policy also defines the guiding principles which the organisation follows and measures its performance against.
Establishing the business continuity policy is critical when developing a business continuity system. The policy should:
- Provide direction and intention by senior management.
- Provide strategic direction from which the business continuity programme is delivered.
- Define the way in which business continuity will be approached by NHS organisations.
- Identify any standards or guidelines used as a benchmark for the business continuity programme (see section 3).
- Include Purpose, Scope and Governance.
- Be used to communicate your key objectives and key deliverables.
- Be communicated and made available to all parties.
4.3 Business continuity programme/system
The first step in the process of developing a business continuity system is getting your system or programme designed and established, ensuring it has the key elements to allow the gathering of information needed to make choices on how to protect services.
The business continuity programme is an ongoing process which adapts in response to the changing nature of an organisation’s internal and external operating environment. The business continuity system is put into place to implement the business continuity policy once the scope, governance, roles and responsibilities have been agreed. A vital part of the programme is the ability to manage documentation to aid the implementation, where appropriate.
It is important to understand the context of business continuity within the organisation when designing your system, and to work alongside Health and Safety, Risk Management and Information Governance, amongst others, to ensure that your business continuity processes align and to prevent complications as you implement and embed your business continuity system.
A BCMS should include the key performance indicators (KPIs) to be used to measure the success of the system. This could include the percentage of plans in place and exercised or staff that are aware of their own role with regards to business continuity. These KPIs can be used within the review of the system and management report.
The documentation within the business continuity process has three purposes:
- Manage the BC programme effectively
- Define the effective management of the
- Enable a prompt response to an incident
4.4 Risk assessment
The type and nature of the service provided is widely variable within NHS organisations, so any risk assessment of possible events is organisationally subjective. However, there are critical dependencies between NHS organisations and these need to be identified and considered as part of the overall business continuity lifecycle, throughout every health economy for patient pathways.
A business continuity event can be anything that has the potential to disrupt normal service delivery but essentially, all such events will cause either a loss of a resource (e.g. buildings, people, equipment, etc.), an increase in demand (e.g. road traffic collision, health scare) or possibly both simultaneously (e.g. pandemics). The cause of the problem is usually immaterial. It doesn’t matter whether a building is inaccessible because it has burned down or is completely flooded; it doesn’t matter whether a staff shortage is due to snow or industrial action – in either case the organisation has to respond to a loss of resource.
For some services, completion of the template will produce a functional business continuity plan. For other services, completion of the template will provide a “gap analysis” of issues that need to be further addressed. Remedial actions can then be prioritised, either organisationally as a whole or at Division/Directorate level as appropriate.
Risks should be linked to those being highlighted on the organisational risk register; however, they may be recorded on this as a single risk or multiple individual risks in order to develop strategies to manage these. This may include links to the corporate business objectives and other specific strategic aims of the organisation.
It is imperative to understand the functions and service interdependencies of the organisation, both internal and external when designing your business continuity system. Therefore, working with key teams such as EPRR, Human Resources, ICT, Health & Safety, Risk Management, and Information Governance, amongst others, is critical to ensure your systems align and prevent complications as they are implemented and embedded. It is also crucial to identify and clarify the scope of the BCMS, as this allows the organisation to identify what the BCMS will factor in and what it will not.
Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) are used to identify gaps between the service that current arrangements can deliver and what is required, thereby informing an organisation’s risk register of further risk. NHS organisations should plan to address risk, but also record on the risk register any residual risk identified via the RTO/RPO process.
The following page contains an example of one organisation’s approach to identifying the different risks its services face.
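To make the RTO/RPO gap step concrete, the following is an added illustrative example, not part of the toolkit and not an NHS England template. It compares each service's required RTO and RPO (as they would come out of a business impact analysis) with the recovery time and data loss that the current arrangements can actually achieve, and turns any shortfall into a residual risk entry of the kind that belongs on the risk register. The service names and figures are constructed for the example only.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ServiceRecovery:
    """One service's recovery requirements versus what current arrangements achieve.

    required_rto / required_rpo would come from the business impact analysis;
    achievable_rto / achievable_rpo would come from testing the actual recovery
    arrangements (backups, fallback sites, manual workarounds). All values here
    are hypothetical.
    """
    name: str
    required_rto: timedelta    # longest tolerable outage
    required_rpo: timedelta    # longest tolerable window of lost data
    achievable_rto: timedelta  # outage length current arrangements can deliver
    achievable_rpo: timedelta  # data-loss window current arrangements can deliver


def recovery_gaps(service: ServiceRecovery) -> dict:
    """Return the shortfall between required and achievable objectives.

    A positive gap means current arrangements cannot meet the objective, and
    the difference is residual risk that should be recorded on the risk register.
    A service that beats its objective has a gap of zero, not a negative one.
    """
    rto_gap = service.achievable_rto - service.required_rto
    rpo_gap = service.achievable_rpo - service.required_rpo
    return {
        "rto_gap": max(rto_gap, timedelta(0)),
        "rpo_gap": max(rpo_gap, timedelta(0)),
    }


def residual_risk_entries(services: list) -> list:
    """Build one risk-register entry per unmet objective across all services."""
    entries = []
    for svc in services:
        gaps = recovery_gaps(svc)
        for kind in ("rto", "rpo"):
            gap = gaps[f"{kind}_gap"]
            if gap > timedelta(0):
                entries.append({
                    "service": svc.name,
                    "objective": kind.upper(),
                    "required": getattr(svc, f"required_{kind}"),
                    "achievable": getattr(svc, f"achievable_{kind}"),
                    "shortfall": gap,
                })
    return entries


def format_register(entries: list) -> list:
    """Render entries as one line each, suitable for pasting into a register."""
    return [
        f"{e['service']}: {e['objective']} required {e['required']}, "
        f"achievable {e['achievable']}, shortfall {e['shortfall']}"
        for e in entries
    ]


# Constructed sample data: hypothetical services and figures, not from any real BIA.
SAMPLE_SERVICES = [
    ServiceRecovery(
        "Pathology results reporting",
        required_rto=timedelta(hours=4), required_rpo=timedelta(hours=1),
        achievable_rto=timedelta(hours=12), achievable_rpo=timedelta(hours=24),
    ),
    ServiceRecovery(
        "Outpatient appointment booking",
        required_rto=timedelta(days=1), required_rpo=timedelta(hours=4),
        achievable_rto=timedelta(hours=8), achievable_rpo=timedelta(hours=1),
    ),
]


if __name__ == "__main__":
    for line in format_register(residual_risk_entries(SAMPLE_SERVICES)):
        print(line)
```

Run as written, the script reports two residual risks for the pathology service (an 8 hour RTO shortfall and a 23 hour RPO shortfall) and none for appointment booking, whose arrangements already exceed its objectives. The point of keeping the gap at zero rather than negative is that over-delivery is not a risk to register; only the shortfalls feed the register.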
Publication approval reference: PR1254