D1002 Procedure - Operations Centre – Business continuity Management
Number: D1002 Date Published: 10 March 2020 Version 8 – March 2020
1.0 Summary of Changes
This procedure has been updated on its yearly review as follows:
Changes to the requirement for external suppliers and their own business continuity plans;
Changes to the frequency of reviews;
Changes to the identified critical activities for Essex Police, aligned with the College of Policing’s approved professional practice;
Clarification of roles and responsibilities for business continuity in Essex Police;
Changes to the risk assessment for the business continuity procedure;
Changes to the list of those involved in the consultation of the procedure;
Changes to the timescales for reviewing business impact assessments, the strategic plan due to the significant and regular changes taking place in policing;
New paragraphs added within section 8 regarding data security and retention and disposal of records;
Owner and author details updated.
2.0 What this Procedure is about
This procedure outlines the approach that Essex Police will take to business continuity management and is aimed at all members of Essex Police. The National Police Chiefs Council’s current guidance is that all police forces should align their business continuity management processes with ISO standard 22301.
Effective business continuity management is a holistic process that will recognise Essex Police’s priorities, as detailed in 3.1, and prepare solutions to address disruptive impacts to the activities that support those priorities. It will provide a framework for building resilience and ensure a capability for an effective response that safeguards the interests of our key stakeholders and the Force’s critical activities.
Business Continuity Planning is the planning and preparation necessary to identify the impact of potential disruptions, formulate and implement viable continuity strategies and develop business continuity plans to recover and restore critical activities within a pre-determined time.
Business continuity will be implemented and embedded throughout Essex Police and will include our relationship to external suppliers of goods and services. External suppliers, whose services impact or support our identified critical activities must provide evidence of their alignment to ISO 22301, or equivalent business continuity procedures to reassure continued supply.
The process of verifying this must be audited by the department approving that service or contract, generally this will be the Essex Police procurement services department. If the suppliers or contractors do not have sufficient business continuity processes in place to ensure continuation of those services a decision must be made, with accompanying rationale, as to whether that contract will continue or not.
The business continuity department will be available to provide support and advice in this matter.
Essex Police recognises the need to work in collaboration with other partnership agencies to develop our business continuity arrangements, in particular the National Police Business Continuity Forum, Essex Resilience Forum, South Eastern & Eastern Police Regions and other Police Forces to effectively discharge our duties as a ‘Category 1 Responder’ under the Civil Contingencies Act 2004.
Compliance with this procedure and any governing policy is mandatory
3.0 Detail the Procedure
Chief Officers recognise the need for increased resilience for police forces in order to be able to continue providing critical activities during a disruption that could impact on the force’s own business processes.
The Civil Contingencies Act 2004 creates a statutory duty requiring the development and maintenance of plans to enable us to:
Exercise our civil protection functions ‘in the event of an emergency as far as is reasonably practicable’ (for example following a terrorist incident or environmental disaster);
Plan for and respond to other incidents or disruptions that affect our ability to perform our day to day functions and maintain our vital services (‘critical activities’) at an appropriate level;
Plan for restoration to normality (or the new normal depending on the incident repercussions) once the business continuity incident has been resolved.
These may be caused through loss of utility services like power and water, denial of access to buildings through fire or flood, loss of staff due to strike or ‘flu pandemic or loss of IT or other vital equipment and services.
Business continuity will be implemented in accordance with the ISO 22301 and statutory guidance - Chapter 6 of Emergency Preparedness.
Business continuity management is a core management function and a key strand of corporate governance. It must be an integral part of the planning and management process undertaken within each area command and department in the force.
Business continuity management is most effective if awareness levels are high and if all staff understand what is expected of them. All managers are responsible for fostering a business continuity culture and must provide staff with the opportunity to acquaint themselves with the local business continuity arrangements.
Business continuity will be included as a standing agenda item in all quarterly health and safety meetings.
3.1 Critical Activities
The purpose of business continuity management is to protect the delivery of identified critical activities, and to enable those activities to be restored promptly should an incident or serious disruption occur.
The starting point for business continuity plans is that normal business cannot be achieved in extraordinary circumstances. It is therefore important that resources are deployed and reallocated to critical activities. Business continuity plans will list the minimum resources and staffing levels required to fulfil only those critical activities, not business as normal.
In the event of such an incident or disruption occurring, the force will endeavour to maintain the following critical activities:
To maintain effective communications with the public;
To answer all 999 calls;
To provide an appropriate response to immediate and priority incidents, in order to save life and secure public safety;
To maintain our ability to deal with: a. major, critical and emergency incidents; b. serious crime; c. firearms incidents; d. serious public order; e. fatal and serious road traffic collisions
To provide custody facilities, and associated criminal justice and administration functions;
To deal effectively with all matters which impact on: a. community cohesion; b. confidence in policing.
To provide effective command and control of incidents;
To actively support the health, safety and wellbeing of staff.
These will be subject to review annually, they are based on National Guidance contained within The College of Policing’s authorised professional practice (APP) for civil emergencies.
3.2 Business Continuity Governance
The Assistant Chief Constable with Operational Policing Command as part of their portfolio will be the strategic lead for business continuity in Essex Police.
The strategic lead will annually review, in consultation with the business continuity department, the Essex Police critical activities to ensure they remain relevant to Essex and in line with the APP for business continuity.
The business continuity team will attend, six monthly, the senior leadership team meeting to provide updates on the business continuity status across all areas of Essex Police.
Each local Chief Superintendent, or police staff employee equivalent, has ultimate responsibility for ensuring there is sound business continuity management in their command or departments.
They will ensure that suitable individuals are identified and allocated to the roles of business continuity plan owners and business continuity SPOCs/plan authors. This includes arranging any training those staff require to assist them in writing, updating and testing their business continuity plans:
Business Continuity Plan owner – as a minimum this will be a C/Insp, Police Staff Employee (PSE) equivalent, or departmental head. They will be responsible for ensuring the business continuity plan is reviewed annually (or when amended) and that local testing and understanding of the plan takes place;
Business SPOC/Plan Author – this will be a suitable member of staff, identified by the plan owner, who will carry out the annual business continuity plan review and testing. They will also be the main point of contact with the business continuity team;
Business Continuity Department - The Business Continuity department will provide advice, support and guidance in the creation of business continuity plans, and the business impact assessment. The department will quality assure changes and updates within the plans, and host them on the force Intranet site for 24/7 access. They will also ensure electronic back up versions are available on the Essex Police page of Resilience Direct. Guidance and support will be provided by the Business Continuity department, as required, to assist with testing the plans.
Training should be given to senior managers in the most effective methods to respond to a disruption interrupting the normal business of the force. The Business Continuity Management Computer Based Training (CBT) package has been developed to assist with this. Police officers of Inspector level and above, and police staff of PO2 grade and above, must complete this training package – this has been agreed as a Mandatory Package to all staff / officers at those specified grades.
3.3 Business Continuity Incident Classification
A disruption to business as normal will not necessarily be catastrophic, and therefore may not require a full business continuity plan invocation.
Accordingly the business continuity procedure will use a scalable approach based upon the impact of the business continuity incident or event, and its likely effect on the identified critical activities.
Essex Police will adopt a three tier process for assessment of the type of business continuity incident, incorporating its impact on Essex Police and therefore the response required.
Category A (Major/Critical Incident, force-wide disruption)
BC Plan Activation Procedure
A Category ‘A’ incident will be managed by a Strategic (Gold) Commander. This is when any incident, or pre-planned event, has significantly impacted on, or has the potential to significantly impact on the force as a whole and Essex Police’s ability to perform its critical activities.
In an incident that impacts on more than one local area and requires force-wide coordination (potentially with multi-agency involvement).
The strategic (Gold) Force level Business Continuity Plan, and any appropriate tactical or local (operational) plan should also be activated as part of the response.
Category B (Local or departmental disruption)
BC Plan Activation Procedure
A Category ‘B’ incident will be managed a Tactical (Silver) Commander, who in turn will advise the duty Strategic (Gold) Commander if they feel it is appropriate.
This is when any incident, or pre-planned event, has impacted or has the potential to impact Essex Police’s ability to deliver its critical functions at a local or departmental level but can also be managed locally.
Local level Business Continuity Management plans should be activated in discussion with the Strategic (Gold) Commander and managed by LRT.
Category C (any potential for disruption)
BC Plan Activation Procedure
A Category C incident will initially be managed by the individual identifying the issue.
This type of issue is one that it is believed could potentially impact on critical activities if it materialises or develops– the issue requires assessing and monitoring e.g. industrial action, severe weather, a major event, building work etc.
If the initial manager of the incident believes there is the potential for this to manifest into a category A or B type incident they must consider raising it the appropriate level of command.
3.4 Business Continuity Incident Command & Control for Category A Incidents
During the response to a business continuity incident the type and scale of the incident will dictate the roles required to manage that incident. In line with standard command protocols, Essex Police will adopt the Bronze, Silver, Gold command structure as detailed below:
Strategic (Gold Group) Chaired by Duty Gold Commander
Externally focused activities:
This is the organisation’s Gold Group that will provide strategic guidance and direction for those incidents impacting at a county wide level.
Emergency Management team (Tactical- Silver) Chaired by nominated silver commander
Internally focused management of the incident and recovery
The silver group will include area/department representatives for the areas affected/staff associations/media & PR/finance/HR/facilities management/IT;
In addition EMT membership will include those heads of department and areas (or deputy) who have the specialist knowledge required to recover the force from the incident.
Local Response Team (Operational – Bronze) Chaired by appointed departmental lead
Incidents impacting at the local level managed by the LRT
Operational responsibility for the business continuity operation;
Assess the impact of the incident or disruption on critical activities;
Establish an incident management control as single point of contact for the recovery of the critical activity/activities affected;
Report to the chair of the EMT or Gold Commander;
Ensure that a log is initiated, maintained and preserved to provide a clear audit trail;
Liaise with the media team concerning a publicity plan to warn and inform;
Arrange and conduct a debrief;
Update the BC plan if required;
Manage the recovery.
3.5 Business Continuity Plans
The Essex Police business continuity plans will be hosted on the business continuity intranet page, managed by the contingency planning and business continuity team at Boreham. Hard copies of the all the plans will kept by each department locally and be easily accessible to staff who must be made aware of its contents. Business continuity plans are collated into three areas, following the Gold, Silver & Bronze command structure.
The Gold plan is the strategic overview and guidance on how business continuity incidents will be led and directed. The Silver plan(s) will cover those Force wide areas of business as assessed as requiring a plan by the business continuity team, in consultation with Chief Officers. The Bronze plans will be local departmental plans.
To ensure corporate design compliance, and maintenance of consistent standards, business continuity plan owners and SPOCs will only use the BC plan template(s) as provided by the business continuity department.
3.6 Testing and Exercising of Plans
It is the joint responsibility of the plan owner and the business continuity department to ensure plans are tested and exercised regularly. An audit log of this testing and exercising will be maintained by the business continuity department, the data must be supplied by the plan owner or point of contact during the annual review.
The business continuity department will support plan owners and points of contact in this process. They will promote annual business continuity workshops to assist in the testing and exercising of the bronze and silver plans.
Gold (Strategic) Business Continuity Plan
Silver (Tactical) Business Continuity Plan
Loss of Staff Loss of Custody Fuel Shortage Flu Pandemic Loss of IT Loss of Estate Media
In order to reduce duplication departments can use any existing testing arrangements in place (such as annual ISO standard adherence) to qualify as having tested their local business continuity plans.
4.0 Equality Impact Assessment
EIA – January 2020
5.0 Risk Assessment
A failure to create effective business continuity plans, or keep them regularly reviewed and tested, would amount to non-compliance with the Civil Contingencies Act 2004. It will also lead to a significant increase in the risk of a failure to respond in a timely and coordinated manner, with the potential that individuals and the wider community may be exposed to increased levels of harm.
It would also cause confidence in the police, by the public and partner agencies, to fall significantly.
The following have been consulted during the formulation of this document:
Essex Diversity and Inclusion Manager
Health & Safety
Strategic Change Team
Strategic Force Crime & Incident Registrar
Learning & Development
Departmental BC SPOCs
7.0 Monitoring and Review
This procedure will be reviewed by or on behalf of the Operations Centre every 12 months to ensure that it remains consistent with current legislation and that it reflects best practice concerning the provision of Business Continuity Management. Version control of the document will be maintained by the review date on the cover of the plan.
The Business Continuity Management cycle will be reviewed, as a minimum, by the following timescales:
Business Impact Analysis – 36 months;
Operational Business Continuity plans – 12 months;
Tactical Business Continuity plans – 12 months;
Strategic Business Continuity plans – 12 months.
8.0 Governing Force policy. Related Force policies or related procedures
D 1000 Policy – Force Operations Centre
8.1 Data Security
Essex Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2 Retention & Disposal of Records
Essex Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
We will only hold data for as long as necessary for the purposes for which we collected. Victims/public should be reminded that Essex Police take the protection of personal data seriously as described in the privacy notice.
9.0 Other source documents, e.g., legislation, Authorised Professional Practice (APP), Force forms, partnership agreements, (if applicable)
Civil Contingencies Act 2004
Business Continuity website.
College of Policing Authorised Professional Practice – Civil Emergencies