Internet explorer is no longer supported

We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.

Part of Data Security Standard 7 - Continuity planning

  • Business continuity and disaster recovery - part 1 (7.1.2)

Previous Chapter

  • Know your services (7.1.1)

Current Chapter

Current chapter – Business continuity and disaster recovery - part 1 (7.1.2)

Next Chapter

  • Business continuity and disaster recovery - part 2 (7.1.2 - 7.1.4)

Definition and background

The terms business continuity and disaster recovery are often interchanged and sometimes viewed as the same thing. A business continuity plan (BCP) is concerned with how you keep the organisation going and could involve relocation and reshaping services.

Disaster recovery is effectively a plan of attack of how you fix the problem and return the organisation back to normality.

In the care system, organisation business continuity tends to focus on:

  • "Acts of God" – such as flooding or high winds
  • staffing – such as medical virus outbreak or industrial action
  • major incidents – such as a terrorist attack or major fire
  • site unavailability – such as a power outage or road issues
  • extreme demand – such as winter pressures or service closures elsewhere

The global WannaCry cyberattack in May 2017 has reaffirmed the potential for cyber incidents to impact directly on patient care and the need for our health and care system to act decisively to minimise the impact on essential frontline services.

Your Data: Better Security, Better Choice, Better Care, government response.

Whereas the IT tends to focus on disaster recovery, with a focus on:

  • identifying IT objectives and timescales
  • priority of recovery
  • the recovery team
  • actions for recovery

For smaller organisations, there tends to be one type of plan which would mitigate against their most common risks.

Last edited: 27 September 2022 11:31 am

  • Data Security Standard 7 - Continuity planning
  • Business continuity and disaster recovery - part 3 (7.2.1 - 7.2.2)
  • Business continuity and disaster recovery - part 4 (7.3.1 - 7.3.6)

Cookies on the NHSCFA website

We have put some small files called cookies on your device to make our site work. We would also like to use analytics cookies. These send information about how our site is used to a service called Google Analytics. We use this information to improve our site. Let us know if this is OK. We’ll use a cookie to save your choice. You can read more about our cookies before you choose .

Business Continutity Management

How we plan for resilience in our services., introduction, strategic objectives, monitoring compliance with the strategy.

This strategy sets out the approach to be taken within the NHS Counter Fraud Authority (NHSCFA) to provide a robust business continuity management framework that establishes a strategic and operational framework that:

  • proactively improves the NHSCFA’s resilience against the disruption of its ability to achieve its key objectives
  • provides a rehearsed method of restoring the NHSCFA’s ability to supply its key services to an agreed level, within an agreed time period following disruption
  • delivers a proven capability to manage business disruption and protect the NHSCFA’s reputation

There are two key components that underpin this strategy:

  • the NHSCFA’s Business Continuity Plan (BCP); and
  • NHS Digital’s Data Security and Protection Toolkit which sets out a baseline assessment standard for business continuity management.

The Head of Business Support has overall responsibility for overseeing the implementation of this strategy and the BCP. They will report to the Senior Management Team (SMT) to ensure that the BCP is embedded within the organisation.

This strategy should not be considered in isolation as continuity of business processes play a key part in governance, strategic risk, service planning and performance management. The strategy therefore links into all aspects of the organisation and its implementation can help to reduce the overall level of these risks.

Fundamental to the success of delivering the business continuity strategy will be raising awareness and developing a business continuity culture within the organisation. Awareness training will be provided to all staff utilising ‘information’ in their day-to-day work to successfully promote this culture.

Any associated resource implications that may be incurred as result of implementing the BCP, will be identified by the Head of Business Support, as the BCP Manager. A business case will then be developed and submitted to the Board for approval.

Adherence and performance information will be shared with the Information Governance Lead, with appropriate details submitted to NHS Digital as part of the Data Security and Protection Toolkit return, which is submitted on an annual basis.

NHSCFA’s organisational objectives are set out in its 2020 to 2023 organisational strategy. The organisation’s on-going strategic objectives for business continuity management are to:

  • Adopt a proactive approach to improve the resilience against disruption to achievement of the organisation’s vision, values and strategic objectives
  • Provide a framework to identify the core services of the organisation and to understand the critical functions, processes resources that support the resilience of the core functions
  • Deliver the DH Strategy strategic plan and lead the counter fraud activity in the NHS in England, through effective business continuity arrangements
  • Have a planned and effective governance structure in place to support and assure BCP arrangements
  • Have documented systems, technology and procedures in place to support BCP arrangements
  • Ensure that BCP arrangements are fit for purpose by ensuring there is a planned schedule of testing
  • Ensure its staff is made aware of the organisation’s BCP arrangements and their role within it, through a structured training and awareness programme; and
  • Have the above arrangements reviewed to ensure continued effectiveness, at an interval agreed after consultation with the Governance and Assurance team and/or other internal or external auditors, but not exceeding a three year period.

Compliance will be monitored as follows:

  • Business continuity planning will be included as part of the organisation’s internal audit programme
  • The results of exercises and tests will be formally documented and relevant action plans developed. Recommended actions will be tracked via the Board Assurance Framework and any un-actioned matters will be added to the Corporate Risk Register and those risks managed in accordance with the organisations Risk Management Policy .
  • Assurance on business continuity planning will be presented to the Board annually.

The implementation of the business continuity strategy will ensure that business continuity management is effectively managed within NHSCFA.

Each year the BCP will be reviewed by the Information Governance Lead and where required, an action plan developed against the Data Security and Protection Toolkit to identify key areas for continuous improvement.

We estimate that the NHS is vulnerable to £1.198 billion worth of fraud each year.

Report any suspicions or concerns about fraud against the NHS to the NHSCFA.

Help stop NHS Fraud. Start an online report >>

Share this page

Was this page helpful?

There is something wrong with this page

Help us improve cfa.nhs.uk

Thanks for the feedback.

Cookies on the NHS England website

We’ve put some small files called cookies on your device to make our site work.

We’d also like to use analytics cookies. These send information about how our site is used to a service called Google Analytics. We use this information to improve our site.

Let us know if this is OK. We’ll use a cookie to save your choice. You can  read more about our cookies before you choose.

Change my preferences I'm OK with analytics cookies

NHS England business continuity management toolkit

This document highlights the need for Business Continuity Management (BCM) in NHS organisations so that they can maintain continuity of key services in the face of disruption from identified local risks. Under the Civil Contingencies Act 2004 and the Health and Social Care Act 2012 (as amended), all NHS organisations have a duty to put in place continuity arrangements. The toolkit is driven by the Plan, Do, Check, Act (PDCA) cycle along with being updated in line with both ISO 22301 principles, as well as the Business Continuity Good Practice Guidelines 2018.

NHS England business continuity management toolkit

NHS England is not responsible for content on external websites.

Accessible version of version 2.

Published 20 April 2023.

NHS England business continuity management toolkit

PDF version of version  2.

Supporting documentation

NHS England business continuity management toolkit: part 1 – plan

NHS England business continuity management toolkit: part 1 – plan

Part 1 of the supporting documentation refers to the ‘Plan’ aspect of the Plan, Do, Check, Act (PDCA) cycle. Here is where an organisation establishes the Business Continuity Management System (BCMS) by developing a policy, as well as using documentation and templates.  This section also allows organisations to embed Business Continuity into their culture.

NHS England business continuity management toolkit: part 2 – do

NHS England business continuity management toolkit: part 2 – do

Part 2 of the cycle is attributed to ‘Do’ element of the PDCA cycle. This section defines business continuity requirements, determines how to address them and develop procedures to manage a disruptive incident. Once your BCMS is designed, it is necessary to implement it successfully. In order to do this, NHS organisations should understand their role and how to complete documentation that is required for the BCMS to be effective.

NHS England business continuity management toolkit: part 3 – check

NHS England business continuity management toolkit: part 3 – check

Part 3 focusses on the ‘Check’ aspect of the PDCA cycle. This part of the cycle summarises the requirements necessary to measure business continuity management performance for an organisation. It also links to the BCMS compliance and seeks feedback from top management regarding expectations, gaps and inconsistencies.

NHS England business continuity management toolkit: part 4 – act

NHS England business continuity management toolkit: part 4 – act

Part 4 of the  PDCA  cycle refers to ‘Act’. It identifies and acts on  BCMS  non-conformance through corrective action. The review of your system also allows the potential to make changes based on updated guidance and changes to the organisation.

IMAGES

  1. 40 Detailed Contingency Plan Examples (& Free Templates) ᐅ

    business contingency plan nhs

  2. Where Does a Business Continuity Plan Fit with Emergencies

    business contingency plan nhs

  3. What is a Business Contingency Plan

    business contingency plan nhs

  4. An Overview of Business Contingency Plans

    business contingency plan nhs

  5. Healthcare Business Continuity Plan Template

    business contingency plan nhs

  6. Free Contingency Plan Templates

    business contingency plan nhs

COMMENTS

  1. NHS England » Business continuity

    This document highlights the need for Business Continuity Management (BCM) in NHS organisations so that they can maintain continuity of key services in the face of disruption from identified local risks. Under the Civil Contingencies Act 2004 and the Health and Care Act 2022, all NHS organisations have a duty to put in place continuity ...

  2. PDF TRUST WIDE BUSINESS CONTINUITY AND CONTINGENCY PLANNING Policy

    The decision to implement the Business Continuity Plan is inextricably linked to the possibility that activation of the Trust's Major Incident Plan will be required, therefore the decision flow chart found in Appendix 1 will be followed in making any decision to implement all or part of the Trust Business Continuity Plan.

  3. PDF NHS England Business Continuity Management Toolkit

    1.2 NHS Business Continuity Requirements Some NHS organisations are identified under the Civil Contingencies Act (CCA) 2004 as 'category one' or 'category two' responders. Category 1 responders are those organisations at the core of an emergency response and are subject to the full set of civil protection duties.

  4. NHS England business continuity management toolkit

    NHS organisations and providers of NHS funded care must ensure that business continuity planning is a whole-system approach to the patient care pathway. Each organisation will play a part, but realistic resilience and continuity arrangements will only be achieved, if we consider and understand the patient's whole journey, and plan to maintain ...

  5. PDF Business Continuity Management Policy and Plan

    NHS Coventry and Warwickshire Clinical Commissioning Group, Business Continuity Management Policy and Plan, Governing Body 1st April 2021 V1.0 Review Date: April 2024 Page 6 of 26 includes leading on Business Continuity issues and reporting into the Clinical Quality and Governance Committee.

  6. PDF Corporate Business Continuity Plan Version: V7

    The standard for Business Continuity BS259999 has been superseded by ISO 22301. The standard outlines the requirements for business continuity management and is recognised by the Department of Health as best practice. All NHS Trusts are required to align their business continuity to these standards. This plan is working

  7. PDF Team Business Continuity Plan

    1.0 Function Analysis of your Team. It is important to identify and record the functions that your service provides and the support processes needed for these functions. This should be documented in the Function Analysis section of your Business Continuity Plan. Key functions may be determined by legislation, trust policy or team plans.

  8. PDF Business Continuity Management Policy

    2. Audience. 2.1 The policy applies to all company employees, contractors, consultants, agency staff and Board members when acting on behalf of the NHSBSA. 3. Scope. 3.1 All NHSBSA services are included in scope of the BCM programme but at varying levels of detail.

  9. Business continuity guidance

    1.3 Where healthcare organisations use the NHS e-Referral Service, access to this service should be specifically considered as part of existing contingency and continuity arrangements. 1.4 This guidance sets out areas that local commissioning organisations, providers and referrers should consider as part of a review of the content and ...

  10. Business continuity and disaster recovery

    Disaster recovery is effectively a plan of attack of how you fix the problem and return the organisation back to normality. In the care system, organisation business continuity tends to focus on: "Acts of God" - such as flooding or high winds. staffing - such as medical virus outbreak or industrial action. major incidents - such as a ...

  11. DOC BUSINESS CONTINUITY PLANNING TEMPLATE

    The healthcare business continuity plan will be shared with all staff to ensure there is a full understanding of expectations in a crisis 12 If you do have a crisis do you know the particular needs of your staff? ... Numbers Hayley Peek Practice Educator Work 020 8588 4342 Mobile 07762254322 e-mail [email protected] Alternate Deputy ...

  12. NHS case study: contingency plans COVID-19

    Quick Takes. In response to the rapid progression of SARS-CoV-2 transmission, contingency plans have been mobilized across healthcare systems; Initial key learnings from the NHS reveal that providing essential point of care services to help alleviate health system pressures relies on measures that include protecting staff, effective communication, and rapid expansion of testing accessibility

  13. PDF Business Continuity Contingency Plan

    Page 6 of 26 Risk Management - in some incidents this may be suspended Safeguarding Adults and Children Continuity of care for commissioned services Implementation of the Business Continuity Plan All of the above during certain incidents may be critical functions. Some of the above services would be critical to supporting the response in Pandemic Flu, an infectious diseases outbreak,

  14. Business Continutity Management

    the NHSCFA's Business Continuity Plan (BCP); and; NHS Digital's Data Security and Protection Toolkit which sets out a baseline assessment standard for business continuity management. The Head of Business Support has overall responsibility for overseeing the implementation of this strategy and the BCP.

  15. PDF Business Continuity Plan

    This risk assessment can be a standalone corporate risk register or sit as part of the plan. The business continuity plan should ensure this is sign posted to if it is a separate document. An example is also given below. For example: - at flood risk - having a small staff base, - being in an old building with less resilient infrastructure

  16. PDF NHS Sheffield CCG Business Continuity Policy and Business Continuity Plan

    NHS Sheffield CCG Business Continuity Policy and Business Continuity Plan IF YOU ARE RESPONDING TO A BUSINESS CONTINUITY INCIDENT, GO STRAIGHT TO PAGE 20 AND USE THE FLOWCHART ON PAGE 22 February 2022 Version: 2.3 Policy Number: CO001/04/2023 Date ratified: 23 February 2022 Name of originator/author: This policy is based on NHS Doncaster

  17. PDF business-continuity-plan-template-Jan-2020 NHS Borders

    Complete or update your Business Continuity Planning (BCP) using this template as a guide (Section 1 to 5) inserting and deleting information as appropriate. Keep one copy of the BCP in the pharmacy, one copy at the house of the Manager/Owner and one copy at the house of the designated deputy. Review the emergency scenarios and control measures ...

  18. Business Continuity Planning Guidance

    Business Continuity Plan (Template) Appendix C: 62 IM&T Systems Supporting Clinical Boards . Document Title: Business Con1nuity Planning Guidance 5 of ... Email: [email protected] or [email protected] . Document Title: Business Con1nuity Planning Guidance 6 of 72 Approval Date: 30th Jan 2018

  19. PDF Business Continuity Policy

    NY-117 - Business Continuity Policy - October 2020 Page 6 of 20 The plan holder (Accountable Emergency Officer) is responsible for coordinating any response under the plan. If the plan holder is unavailable, this duty will fall to the Head of Finance. 2.1 Objectives of the Business Continuity Plan

  20. PDF CCG Business Continuity Policy & Plan

    to document and implement Business Continuity Plans in order to minimise the impact of incidents when they do occur. Business continuity management is an essential tool in establishing our organisation's resilience. 1.7. This policy statement provides a framework for the CCG to follow in the event of a business continuity incident.

  21. NHS England business continuity management toolkit

    Under the Civil Contingencies Act 2004 and the Health and Social Care Act 2012 (as amended), all NHS organisations have a duty to put in place continuity arrangements. The toolkit is driven by the Plan, Do, Check, Act (PDCA) cycle along with being updated in line with both ISO 22301 principles, as well as the Business Continuity Good Practice ...

  22. PDF Policy

    • Follow the directions in the plan in the event of a Business Continuity Incident. • Provide feedback as required in the event of a post incident debrief. 4.6 All Staff • Know the location of the team business continuity plan and have some knowledge of its contents • Co-operate with the plan author in updating the plan.

  23. Crisis Business Continuity Policy

    Act (Maintain and improve) - Maintain and improve the Crisis and Business Continuity plan by taking corrective action, based on the results of the review and reappraising the scope of the plan and the policy objectives. 6.2 All staff involved in the planning a response to an emergency will receive appropriate training.

  24. Covid inquiry's biggest revelations of first Wales week

    The inquiry heard the Welsh government didn't expect to be in charge of Wales' pandemic restrictions until three days before were handed the reigns The UK Covid Inquiry has spent its first week in ...

  25. Patients have 15 to 1 chance of seeing a GP in NHS same-day access plan

    NHS launches same-day GP access plan - but you're still not likely to see a doctor Health officials claim new hub will boost access for 3 million people - but most work will be done by less ...