Catch22 reserves the right to amend this policy, following consultation, where appropriate.
Date of last review: April 2023
Date of next review: July 2024
This policy outlines the scope and approach to business continuity management (BCM) within Catch22. For the purpose of this policy, business continuity is defined as a framework for creating and improving resilience and which will enable Catch22 to continue to deliver an acceptable level of service of its critical activities in the event of any unexpected disruption.
As a social business and a supplier of services to local and national government, Catch22 is required to align with or meet the standards that these commissioning authorities work to including, but not limited to, the Security Policy Framework, (SPF) and ISO 22301. Under the Mandatory Requirement 70 of the SPF, Catch22 “must have robust, up to date, fit for purpose and flexible business continuity management arrangements that are regularly tested and reviewed and supported by competent staff that allow them to maintain, or as soon as possible resume provision of, key products and services in the event of disruption.”
ISO 22301 states that, “Top management shall establish and demonstrate commitment to a business continuity policy. The policy shall make reference to:
- the organisation’s business continuity objectives; and
- the scope of business continuity, including limitations and exclusions
The policy shall be:
- approved by top management;
- communicated to all persons working for and on behalf of the organisation; and
- reviewed at planned intervals and when significant changes occur.”
The aim of this policy is to ensure that the appropriate business continuity management system framework is in place within each department/service so that it can meet these requirements and, by doing so,
- reduce the risk of interruption or negative impact on delivery to key business services;
- minimise disruption and enable full restoration of services within locally agreed recovery time objectives;
- ensure that business continuity management principles are embedded in the daily operational activities and culture of the organisation.
This policy will apply to all aspects of Catch22, which, in addition to all corporate and office-based activities will include:
- staff based at home;
- staff based at remote or 3rd party locations;
- all external facilities, suppliers, contractors and third parties that the organisation/services rely upon for business services and products.
The Business Continuity Policy has been developed to comply with the requirements of the ISO 22301 Business Continuity standard and to meet established standards for corporate governance.
The organisation’s corporate services business groups, frontline services and any other offices will develop, implement and maintain their own risk based business continuity plans and will ensure that they identify:
- key internal staff, business critical activities, systems and services;
- key external contacts and emergency contact points;
- any internal or external service dependencies;
- the risks associated with those dependencies and how they can be addressed;
- recovery time objectives;
- potential fall-back options in the event of denial of access to buildings;
- out of hours contact arrangements.
All business continuity plans must be owned and signed off by a senior member of the relevant operational or corporate support management team (minimum Assistant Director/Head of Service/Vice Principal or above) who will be responsible for ensuring that:
- plans are maintained and provide an ongoing capability for responding to unexpected incidents;
- a programme is in place to ensure plans are regularly tested and reviewed (at least annually);
- the necessary in-house resource and expertise are provided to develop, implement and manage the plan, as well as post incident recovery;
- staff are made aware of the BCM process and that those with business continuity roles receive regular training;
- roles and responsibilities are clearly defined within the plan;
- plans contain a risk based business impact analysis that identifies all critical activities and time sensitive business objectives, key suppliers and interdependencies;
- that key suppliers or business partners which support a critical activity have effective BCM arrangements in place and can evidence this;
- a business continuity risk register is developed and maintained;
- a business continuity coordinator/practitioner is appointed to liaise with the Organisational Business Continuity Team Secretariat* during an emergency/post incident recovery when required to do so.
Arrangements will be developed to independently audit BCM governance processes at regular intervals (at least annually) to ensure that they conform to the core principles of ISO22301 and this policy.
*The Organisational Business Continuity Team Secretariat would be comprised of senior Directors plus co-opted individuals as required depending on the incident. It is envisaged that this group would only be convened in the event of a serious and significant threat or disaster.
This policy is designed to provide a clear commitment by Catch22 to business continuity management across the whole organisation. Effective business continuity will enable Catch22, its partners, suppliers and affiliates to:
- continue to provide critical services to service users, the public, business partners and other stakeholders during unexpected incidents;
- minimise disruption and enable full restoration of services in the event of an incident;
- comply with accepted standards of corporate governance;
- reduce the operational and financial impact of any period of disruption;
- ensure that all key personnel are identified and made aware of their responsibilities in regard to any recovery procedure;
- improve the resilience of the organisation’s infrastructure to reduce the likelihood of disruption; and,
- ensure that the business continuity management structure is embedded in the day-to-day operational activities and culture of the business.
Ensuring continuity – a summary of action
Catch22 recognises the increasing importance of IT systems to the successful delivery of our business; particularly a reliance on email communication and data management software.
To ensure the security and continuity of our IT systems Catch22 will require any third party IT supplier to provide us with a system resilience and disaster recovery plan that includes a full risk and impact assessment, details of any dependencies and fail over arrangements, target recovery times and out of hours arrangements.
As a minimum standard Catch22 will ensure the following measures are implemented and maintained:
Hybrid Cloud data solution
- Replication of data to an off-site co-location, facilitating the restoration of data if required.
- Backups made to tape and sent off-site at regular intervals. For long term storage.
- A hybrid Cloud solution that replicates both off-site data centres with instant failover.
- In the event of a physical disaster, servers can be brought up in a co-location data centre.
- High availability O365 systems which keep both the data and system replicated off-site, enabling continuous access to systems and data, even after a disaster.
- UPS and back-up generator to keep systems going in the event of a power failure for sensitive equipment.
- Core backbone internet for private cloud infrastructure.
- Wanstor as the managed service provider will be the main point of contact for recovery to be carried out.
Local site setups
- Azure domain-joined devices using MS OneDrive, TEAMS and SharePoint apps to store, backup and protect company data.
- Surge protectors — to minimise the effect of power surges on delicate electronic equipment.
- UPS to keep systems going in the event of a power failure for sensitive equipment.
- Fire prevention/mitigation systems such as alarms and fire extinguishers.
- Anti-virus software and other security measures.
- Access to 4G LTE modems or mobile tethering for failover in the event of internet-related outages.
In the event of core infrastructure communications failure, alternative (off band/out-of-band) communications will be utilised e.g. WhatsApp, mobile phone and face to face contact.
Disease epidemics / pandemics
Catch22 have recognised the possible impact of a disease / flu / infectious disease epidemic or pandemic as potentially drastically reducing a healthy work force and placing significant strain and change on working arrangements. In order to ensure that Catch22 can minimise the risk of infection to our work force, and reduce potential disruption to our services some basic criteria have been identified:
- Awareness of World Health Organisation and Government controls in the case of an epidemic or a pandemic – first and foremost to realise the importance of complying with these control measures to minimise the risk to the larger population and health of our own workforce. In the most extreme cases we recognise that we would unavoidably have to shut our premises / sites down if instructed and facilitate alternative working arrangements (e.g. working from home) as permitted or advised by Government or other lead agency.
- Education of the staff base – an agreed percentage of staff will be trained in first aid to ensure that they are aware of the basics involving the transfer of disease / infections.
- Local safeguards – all managers will ensure that wash areas are kept clean and available at all times and that any repairs or re-charging of soap or hand towel dispensers is carried out as a priority.
- Monitoring of direct and subcontract staff, volunteers and service users in the incident of a possible outbreak – if the Government raises the possibility of an epidemic or pandemic all managers will be instructed to monitor all those present for signs of infection and to send them home where there is a relevant case and notify the H&S team. In these circumstances managers will ensure that a report is sent immediately to the H&S team and that all due precautions are taken to avoid further infection/contamination. Any guidance from the World Health Organisation or the Chief Medical Officer of Great Britain will be disseminated widely using all communications systems available as required.
- Ability to work remotely / at home – where work does not have to be carried out in the office, staff can access documents / email from home based computers, meaning that even if a site cannot open, information exchange can continue, and core administrative activities can be undertaken remotely.
- Details of local and national key contacts and emergency contact points to be available and accessible for the management and monitoring of any actual or suspected infectious disease incident
Natural disasters / extreme weather / fire
Catch22 recognises that such events are likely to be localised, notwithstanding the effects of flooding which can cover wide geographical areas.
In such an event our priority will be to ensure the safety of our workforce and the general public (if affected) through co-ordination with the relevant emergency services. Once we are satisfied that all parties are safe and the disaster / event is over we will aim to assess the damage to our sites / business premises as soon as possible, and put together specific contingency plans to put our services back on track. Where the disaster has damaged a building, we will go through the proper channels with our insurers to identify costs and carry out remedial works.
Industrial action / mass resignations
Catch22 has assessed the risk of mass industrial action / staff walk out as extremely unlikely, especially for key management staff, given our staff turnover and ‘open’ communication culture which encourages early resolution of any dissatisfactions or staff problems.
We also recognise the importance of holding regular supervision and contribution reviews to sustain employee motivation.
We recognise that any action that affects all employees, such as pay cuts or redundancies, must be carried out with appropriate consultation and recognition of their rights and relevant legislation.
Catch22 recognises the risk that an economic downturn poses to the continued successful operation of our business. In the case of such a downturn a structured financial review will be implemented in all our operations and support functions to target cost efficiency savings, identify any potential need for redundancies, and to forecast future cash flow and its effect.
Continuous monitoring of the economic environment in which we operate and our own financial performance is embedded in regular reporting to senior management and the Trustee Board.
Frequency of testing
Catch22 recognises that it is important to test our continuity mechanisms so that we can be sure that they will operate effectively in ‘real’ circumstances.
We implement disaster recovery testing on our IT systems once a year.
We maintain up to date Fire Marshall & First Aid training and records for all of our services and office locations in line with the minimum necessary requirements.
- Annual and special leave policy
- Controlling and safeguarding assets in services policy
- Data management & protection policy
- Employee well-being policy
- Fire safety policy
- First aid policy
- Flexible working policy
- Gas safety policy
- H&S management arrangements
- Home working policy
- Incident and near-miss reporting policy
- Infection prevention and control policy
- Lone working policy
- Personal protective equipment (PPE) policy
- Personal safety and service user risk management policy
- Property management policy
- Risk assessment & management policy
- Organisational risk policy
- Severe weather policy
- Travel and subsistence expenses policy
- Water safety policy
- Workplace environment policy