Business Continuity Scrutiny
The Authority formed a Scrutiny Panel in July 2009 to review and scrutinise the Force's Business Continuity Management planning and processes. The Terms of Reference document and Final Reports are available at the bottom of this page.
The Audit, Risk and Governance Committee will monitor and evaluate the progress made against these recommendations on a quarterly basis.
What is Business Continuity?
The British Standard on Business Continuity Management (BCM), BS25999, defines BCM as “a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”
The Scrutiny Panel Objective
The Scrutiny Panel aimed to achieve the following:
- Understand the Business Continuity Management and Planning processes the Force has in place and identify where improvements can be made to increase the ability of the Force to maintain critical operational activities when these face disruption.
The Scope of the Scrutiny
In order to maximise the benefits from the scrutiny process, the Panel explored the following specific areas relating to Business Continuity:
- The Force’s current and in-development business continuity management processes including planning, governance, risk management, business/disaster recovery strategy and allocation of responsibilities.
- The Force’s arrangements for staff awareness and training.
- The Force’s arrangements for maintaining, reviewing and updating business continuity plans and their testing.
- Identify best practice (other Forces, NPIA, ACPO, British Standards Institute).
- Consider opportunities for collaboration, both regionally with other Police Forces and locally with LAA partners and the formalisation of these through agreed protocols.
- Consider the Business Continuity Planning requirements of the Authority given the Authority’s dependency on the Force for key services (e.g. ICT, telephony) and accommodation.
Findings and Recommendations
The Panel identified the following 26 recommendations.
Recommendation 1: It is recommended that the Force embeds a corporate, consistent and centrally led approach to BCM throughout the Force.
Recommendation 2: It is recommended that the Emergency Planning Officer be located in Strategic Development.
Recommendation 3: It is recommended that following formal approval of the new BC policy, the Force adopt a project management approach to managing the work necessary to deliver the project’s objectives.
Recommendation 4: It is recommended the Force forms a business continuity management board to oversee the implementation of BC arrangements within the Force.
Recommendation 5: It is recommended that the Force assures itself that the oversight, ownership and management of risks relating to BC which appear on the Force risk register are properly aligned with the role of the proposed Business Continuity Management Board to ensure clarity and eliminate duplication.
Recommendation 6: It is recommended the Force introduces force-wide business continuity plans that address generic loss likely to impact the organisation as a whole e.g. ICT, utilities, people and estate in addition to divisional/departmental BCPs.
Recommendation 7: It is recommended the Force
- a) maps and defines its critical functions,
- b) defines the desired and minimum acceptable levels of service for these functions,
- c) conducts business impact analyses to understand the risks to these functions, the likelihood of disruption occurring and the consequences, and
- d) prioritises the continuity and recovery of these functions.
This work should then inform both Force-wide and departmental/divisional BCPs. This approach should be clearly outlined in policy and co-ordinated and led by the BC Management Board.
Recommendation 8: It is recommended that the Business Continuity Management Board review and approve departmental/divisional BCPs to ensure consistency with the above methodology and that interdependencies between parts of the Force have been properly assessed and accounted for.
Recommendation 9: It is recommended that the ICT and FCCC disaster recovery projects be overseen by the Business Continuity Management Board, that a clear remit and timeline prioritise this work and that any mitigation requiring capital investment be appropriately prioritised within the Capital Programme. (para 3.36, pg 16)
Recommendation 10: It is recommended that the Force procurement process for business critical service contracts (such as ICT support) include an assessment of the contractors’ own business continuity arrangements to enable the Force to satisfy itself that contractors would be able to deliver in the event of their own operations being compromised.
Recommendation 11: It is recommended that the Force seek to formalise any agreements with other forces or agencies for the provision of mutual aid where this forms part of the Force’s business continuity planning. Formalising these agreements should be prioritised in line with the business impact analysis referred to elsewhere in this report, i.e. focussing on the areas of greatest risk and impact first. (para 3.38, pg 17)
Recommendation 12: It is recommended that the Force ensure any formal protocols/agreements for mutual aid be properly documented in the relevant business continuity plans.
Recommendation 13: It is recommended Force business continuity plans include recovery strategies for the first 90 days following an incident which aim to return functions to preferred service levels. This should be co-ordinated by the BC Management Board.
Recommendation 14: It is recommended that BCM responsibilities be reflected in relevant job descriptions of police officers and staff in management and leadership roles.
Recommendation 15: It is recommended that the Force develop and implement a Force-wide Business Continuity training and awareness raising strategy, overseen by the Business Continuity Management Board.
Recommendation 16: It is recommended that the Force develop co-ordinated testing and maintenance strategies for business continuity plans, monitored by the Business Continuity Management Board. Testing should comprise live and table-top testing proportionate to the criticality of the functions individual plans cater for.
Recommendation 17: It is recommended the Force gives due consideration to the long term personnel resources required to deliver the objectives it is setting itself for BCM and the appropriateness of current arrangements.
Recommendation 18: It is recommended the Force consider expediting the disaster recovery project for the FCCC and ICT provision and that resultant recommendations requiring capital outlay be accurately factored into the capital programme and prioritised appropriately following further consultation with the Authority.
Recommendation 19: It is recommended that the Force continues to attend the regional business continuity forum and that they give thought to wider opportunities for collaboration once BCM internally is more robust.
Recommendation 20: It is recommended that the Force considers whether its generic business continuity planning offers sufficient robustness to deal with large scale redeployment or abstractions to either major incidents within Lincolnshire or to other Forces.
Recommendation 21: It is recommended that the disaster recovery project for ICT and FCCC gives due consideration to the following:- ICT power supply back-up, detailed ICT disaster recovery plans, increased server resilience via dual-siting, options for increasing FCCC resilience, and that the Force provide the Authority with a detailed action plan and timeline for this work, providing recommendations to the Authority on any changes to the existing capital programme.
Recommendation 22: It is recommended that the Force agrees with the Authority appropriate prioritisation of its provision of key services (accommodation, utility supplies, telephony and ICT) to the Authority within its critical functions and BCPs.
Recommendation 23: It is recommended that the Audit, Risk and Governance Committee consider whether the lack of business continuity and disaster recovery plans should feature on the Authority’s risk registers.
Recommendation 24: It is recommended the Authority
- a) maps and defines its critical functions,
- b) defines the desired and minimum acceptable levels of service for these functions,
- c) conducts business impact analyses to understand the risks to these functions, the likelihood of disruption occurring and the consequences,
- d) prioritises the continuity and recovery of these functions,
- e) considers and agrees appropriate control measures, and
- f) implements a BCM policy and BCP, ensuring Officers and Members are appropriately trained, subject to an agreed timeline and resourcing.
Recommendation 25: It is recommended the Force provides the Audit, Risk and Governance Committee with on-going progress updates against the recommendations outlined in this report.
Recommendation 26: It is recommended this scrutiny panel conducts a formal review of the Force’s progress with the recommendations and the implementing of its BCM policy no later than November 2010.