Information last updated: 20 April 2023
NHS England business continuity management toolkit
This document highlights the need for Business Continuity Management (BCM) in NHS organisations so that they can maintain continuity of key services in the face of disruption from identified local risks. Under the Civil Contingencies Act 2004 and the Health and Care Act 2022, all NHS organisations have a duty to put in place continuity arrangements. The toolkit is driven by the Plan, Do, Check, Act (PDCA) cycle along with being updated in line with both ISO 22301 principles, as well as the Business Continuity Good Practice Guidelines 2018.
Below are sets of supporting documentation to be used as part of the NHS England business continuity management toolkit.
Part 1 of the supporting documentation refers to the ‘Plan’ aspect of the PDCA cycle. Here is where an organisation establishes the Business Continuity Management System (BCMS) by developing a policy, as well as using documentation and templates. This section also allows organisations to embed Business Continuity into their culture.
- Resource A – Business continuity management system
- Resource B – Business impact analysis templates (basic, directorate and interruption)
- Resource B – NHS business impact analysis template
- Resource C – business continuity plan checklist
- Resource D – site business continuity plan template
Part 2 of the cycle is attributed to ‘Do’ element of the PDCA cycle. This section defines business continuity requirements, determines how to address them and develop procedures to manage a disruptive incident. Once your BCMS is designed, it is necessary to implement it successfully. In order to do this, NHS organisations should understand their role and how to complete documentation that is required for the BCMS to be effective.
- Resource A – business continuity management NHS workshop slides
- Resource B – business continuity workshop delegate book
- Resource C – business continuity facilitators guide
Part 3 focusses on the ‘Check’ aspect of the PDCA cycle. This part of the cycle summarises the requirements necessary to measure business continuity management performance for an organisation. It also links to the BCMS compliance and seeks feedback from top management regarding expectations, gaps and inconsistencies.
- Resource A – business continuity exercise staffing reduced availability
- Resource B – business continuity exercise services and suppliers
- Resource C – business continuity exercise – premises unavailable
- Resource D – business continuity exercise – information (unobtainable) and information systems (unavailable)
- Resource E – internal audit checklist
Part 4 of the PDCA cycle refers to ‘Act’. It identifies and acts on BCMS non-conformance through corrective action. The review of your system also allows the potential to make changes based on updated guidance and changes to the organisation.
- Resource A – business continuity debrief template
- Resource B – business continuity action plan template
- Resource C – business continuity management review and potential evidence
Case studies have been put together from various incident debriefs across NHS organisations. This is to provide examples of approaches to incident reports and allow identification of learning across organisations. There are a wide range of examples including WannaCry, utility disruption, power loss etc.