Business continuity

Information last updated: 20 April 2023

NHS England business continuity management toolkit

This document highlights the need for Business Continuity Management (BCM) in NHS organisations so that they can maintain continuity of key services in the face of disruption from identified local risks. Under the Civil Contingencies Act 2004 and the Health and Care Act 2022, all NHS organisations have a duty to put in place continuity arrangements. The toolkit is driven by the Plan, Do, Check, Act (PDCA) cycle along with being updated in line with both ISO 22301 principles, as well as the Business Continuity Good Practice Guidelines 2018.

Below are sets of supporting documentation to be used as part of the NHS England business continuity management toolkit.

Part 1

Part 1 of the supporting documentation refers to the ‘Plan’ aspect of the PDCA cycle. Here is where an organisation establishes the Business Continuity Management System (BCMS) by developing a policy, as well as using documentation and templates. This section also allows organisations to embed Business Continuity into their culture.

Part 2

Part 2 of the cycle is attributed to ‘Do’ element of the PDCA cycle. This section defines business continuity requirements, determines how to address them and develop procedures to manage a disruptive incident. Once your BCMS is designed, it is necessary to implement it successfully. In order to do this, NHS organisations should understand their role and how to complete documentation that is required for the BCMS to be effective.

Part 3

Part 3 focusses on the ‘Check’ aspect of the PDCA cycle. This part of the cycle summarises the requirements necessary to measure business continuity management performance for an organisation. It also links to the BCMS compliance and seeks feedback from top management regarding expectations, gaps and inconsistencies.

Part 4

Part 4 of the PDCA cycle refers to ‘Act’. It identifies and acts on BCMS non-conformance through corrective action. The review of your system also allows the potential to make changes based on updated guidance and changes to the organisation.

Part 5

Case studies have been put together from various incident debriefs across NHS organisations. This is to provide examples of approaches to incident reports and allow identification of learning across organisations. There are a wide range of examples including WannaCry, utility disruption, power loss etc.