Contents
1. Purpose
2. Business Continuity Management Overview
3. Business Continuity Management System (BCMS) Lifecycle
4. Scope of the Business Continuity Management System
5. Understanding of the Organisation and its Context
6. Legal and Regulatory Requirements
7. Understanding the Needs and Expectations of Interested Parties
8. Leadership and Commitment
9. Control of Documented Information
10. Resources
11. Competence
12. Business Impact Analysis
13. Establishing Resource Requirements
14. Protection and Mitigation
15. Fall-back Site
16. Service Level Agreement / Mutual Aid
17. Risk Assessment
18. Business Continuity Strategy
19. Incident Response Structure
20. Business Continuity Plans
21. Exercising and Testing
22. Evaluation of Business Continuity Procedures
23. Internal Audit
24. Continual Improvement
25. Management Commitment
26. BCM Roles and Responsibilities
Appendices
1. Purpose
1.1 This Standard Operating Procedure (SOP) supports the Police Service of
Scotland, hereafter referred to as Police Scotland, Policy for Business
Continuity Management.
1.2 The Civil Contingencies Act 2004 places a statutory duty on the police, as a
Category 1 responder, to have a Business Continuity Management System
(BCMS) in place to ensure continued delivery of essential services.
1.3 Police Scotland shall align its BCMS arrangements with the International
Standards BSI ISO 22301. The Standard sets out the process and principles
of BCM and enables the Organisation to measure its Business Continuity
Management (BCM) capability in a consistent and recognised manner.
1.4 This SOP provides practical guidance on the methodology for developing and
implementing BCM within Police Scotland and aims to provide an overview on
BCM from initial development to the on-going maintenance of our Business
Continuity capability.
1.5 BCM supports emergency planning and is underpinned by the Service’s Risk
Management Procedures, providing the overall framework within which the
Service can comply with the Civil Contingencies Act 2004.
2.2 However, BCM has evolved and now includes the concepts of risk
management and corporate governance. Consequently, it now takes a
proactive approach, seeking to identify those potential impacts that could
adversely affect the service delivery capability of Police Scotland before they
occur.
2.3 The Business Continuity Plan (BCP) identifies the essential resources needed
to ensure that critical functions can continue in the event of a disruption.
2.4 Resource, time and capability constraints will mean that Police Scotland has
to focus its business continuity activity on those processes most important to
the objectives of the organisation. Prioritisation is a key element of business
continuity and this may mean the disruption of some business processes for
defined periods, until resources are available to restore them.
2.5 All levels of management within the Service need to appreciate that they have
a responsibility in maintaining service delivery and therefore need to consider
how they would manage disruptions to their functions.
2.7 Any functions that support the Strategic Processes must be maintained and
are known as Critical Functions.
3.2 Police Scotland will establish, implement, maintain and continually improve a
BCMS, including the processes needed and their interactions, in accordance
with the requirements of the International Standard BS ISO 22301.
3.5 Figure 1 below illustrates how a BCMS takes inputs (interested parties and
requirements for continuity management) and, through the necessary actions
and processes, produces continuity outcomes (i.e. managed business
continuity) that meet those requirements.
Identify products and services and all related activities within the scope of
the BCMS; and
Take into account interested parties’ needs and interests, such as the
supply chain, public and/or community input and needs, expectations and
interests (as appropriate).
5.1 Police Scotland will determine external and internal factors that are relevant to
its purpose and that affect its ability to achieve the intended outcome(s) of its
BCMS.
5.2 These factors shall be taken into account when establishing, implementing
and maintaining the BCMS. Police Scotland will identify and document the
following:
Processes, functions, services, products, partnerships, supply chains,
relationships with interested parties, and the potential impact related to a
disruptive incident;
Links between the BCMS and Police Scotland priorities and objectives
and other policies, including its overall risk management strategy; and
Risk appetite.
6.2 Police Scotland will ensure that these applicable legal, regulatory and other
requirements are taken into account in establishing, implementing and
maintaining its BCMS.
6.3 Police Scotland shall document this information and keep it up-to-date. New
or variations to legal, regulatory and other requirements shall be
communicated to affected employees and other interested parties.
10. Resources
10.1 Police Scotland will determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of
the BCMS.
11. Competence
11.1 Police Scotland will:
Ensure that those involved in the overview, co-ordination and
management of the BCMS are competent on the basis of appropriate
education, training, and experience;
Where applicable, take actions to acquire the necessary competence, and
evaluate the effectiveness of the actions taken; and
Retain appropriate documented information as evidence of competence.
11.2 Training will be made available to all individuals who have a responsibility
within the BCMS and will be tailored to their particular needs or involvement in
the system.
12.3 The process to prioritise functions must also identify the impact of the loss of,
or a reduction in the ability to deliver, that function, and the impact over time in
the business cycle of a particular function.
12.4 Two particular timescales must be considered. They are the Maximum
Tolerable Period of Disruption (MTPD) and the Recovery Time Objective
(RTO). In Business Continuity terms the MTPD is defined as the “time it would
take for adverse impacts, which might arise as a result of not providing a
product/service or performing an activity, to become unacceptable”.
12.6 When considering this, it is clear that the aim must be to recover the function
prior to reaching the MTPD.
12.7 An RTO must therefore be set for each function, which will always be less than
the MTPD. In Business Continuity terms the RTO is defined as “the period of
time following an incident within which product or service must be resumed, or
activity must be resumed, or resources must be recovered”.
12.8 The RTO must be set at a realistic timescale so that there can be a staged
recovery and thereafter resumption to normal service. Recovery times should
be selected from the Recovery Time Objective Table which can be found in
the Business Continuity Plan Template. The Business Continuity Plan
template can be obtained from the Business Continuity Officer(s) at Risk and
Business Assurance.
Note: Battle Boxes / Grab Bags must be secured within Police Premises.
16.2 The Business Impact Analysis template will be used to complete and record
the above described process. The Business Impact Analysis template can be
obtained from the Business Continuity Officer(s) at Risk and Business
Assurance.
Fallback arrangements.
20.3 The degree of detail required to be contained within a Plan for a function shall
be commensurate with the critical nature of that function.
20.4 Plans shall also consider arrangements needed to ensure smooth transition
from Business Continuity mode to the resumption of “normal business”.
20.5 Once approved the Plan must be signed off by the Plan Holder and copies
circulated as necessary. A copy of the plan must be submitted to the
Business Continuity Management Officer(s). Further copies will be distributed
as necessary and detailed on the Distribution Record of the plan. A hard copy
plan will be kept at the fall-back site.
20.6 The Business Continuity Plan template will be used to complete and record
this process. All BCM templates can be obtained from the Business Continuity
Officer(s).
21.2 A programme of exercising of plans shall be implemented and will ensure that
all plans are subject to an exercise at least once every year. In addition to this
further exercises may be arranged. The level and number of exercises shall
be commensurate with the level of risk associated with a Business Area or the
critical nature of the functions of that Business Area.
22.3 As part of the BCM process it is essential that consideration be given to the
impact on the relevant 9 protected characteristics (disability, race, age,
gender, gender reassignment, maternity / paternity, marriage / civil
partnership, sexual orientation) during the emergency, continuity and recovery
phases for each BIA created for a Critical Function.
22.4 If this is sufficiently recorded in an auditable format i.e. within the BIA / BCP,
then there will be no need to complete an EIA as this would be evidence of
streamlining equality considerations in the process. Please refer to the
Equality Impact Assessment SOP for further guidance on this subject.
22.5 The responsibility for this will lie with the Business Continuity Management
Team and will be co-ordinated by the Business Continuity Management
Officer(s).
22.7 When a disruptive incident occurs which requires the invocation of business
continuity procedures, there must be a post-incident review by the Business
Areas affected. The results must be explored to determine whether any
amendments to procedures are required and to assist in the sharing of good
practice where it is identified.
22.9 The following three criteria should be applied in considering whether or not an
incident should be reported:
Time – how long the incident lasts for or how long the outage is for;
22.10 Using the table below, the following formula should be used:
Time + Effect + Scale = Score
22.11 These factors should be graded and scored, and incidents or occurrences that
attract a score of ‘5’ or more must be reported.
| Score | Time (Outage) | Effect | Scale |
|---|---|---|---|
| 3 | 4 hrs + | Total failure | High - Force wide or more than one Command Area |
| 2 | 1-4 hrs | Substantial or significant failure | Med - Division / Department or one Command Area |
| 1 | 0-1 hrs | No or limited failure | Low - local effect only |
22.12 Examples
22.12.1 The following table shows some examples of incidents/disruptions. These are
shown for guidance purposes using the criteria listed above, however, it
should be noted that any incident/disruption regardless of its Score should be
reported if it is believed to be in the best interest of Police Scotland.
Furthermore, if an incident/disruption falls below the “score” criteria but is
reoccurring consistently or regularly it should be reported.
| Incident | Time | Effect | Scale | Total | Report |
|---|---|---|---|---|---|
| Loss of Crime Recording system for 6 hrs at a Public Service Centre | 3 | 2 | 3 | 8 | Yes |
| Total loss of power at Divisional Office for 45 mins | 1 | 1 | 2 | 4 | No |
| High sickness level of staff (30%) involving more than one Command Area | 3 | 2 | 3 | 8 | Yes |
| Loss of email system at an HQ Department for 50 minutes | 1 | 1 | 2 | 4 | No |
22.13 The Governance Report (018-003) will be used to complete and record the
process of post-incident review. Once complete, the Governance Report
should be submitted to the Business Continuity Management Officer(s).
Appendix ‘A’
Appendix ‘B’
Appendix ‘C’
Appendix ‘D’