Probation Circular

BUSINESS CONTINUITY PLAN
PURPOSE
To request Probation Areas to provide an update on the state of readiness in the event of any emergency. REFERENCE NO: 46/2005 ISSUE DATE: 23 June 2005 IMPLEMENTATION DATE: Immediate EXPIRY DATE: June 2010 TO: Chairs of Probation Boards Chief Officers of Probation Secretaries of Probation Boards CC: Board Treasurers Regional Managers AUTHORISED BY: Roger McGarva, Head of Regions and Performance Management ATTACHED: 1. Appendix A – Guidance note on BCP and feedback form 2. Appendix B – General issues to consider when formulating BCP 3. Appendix C – BCP advice for businesses with over 250 employees 4. Appendix D – Example of a BCP Document from West Yorkshire PB

ACTION
Chief Officers to complete attached feedback to confirm the state of readiness in the event of emergency. Completed feedback to be returned by 29 July 2005.

SUMMARY
The Business Continuity and Contingency Management is an ongoing process which must provide confidence that your organisation could continue to deliver its business objectives in all unexpected circumstances. A Business Continuity Plan (BCP) is about understanding your business and establishing what is vital/critical for its survival. Your BCP must focus on your key objectives. A Probation Area has many dependencies, both internally and externally that support its process and functions such as providers, customers, other stakeholders, IT systems, Estates. All these must be identified in the plan. All these stakeholders provide services that have clearly been defined in their contracts or through legislation. The plan should identify the contacts for all parties who you will want to respond and help you deal with the situation. The attached information is designed to: • Prompt you to review your existing plans by flagging up areas you need to consider. • Allow you to assess and feedback to NPD your state of readiness in an emergency. • Provide an example of a good BCP document which your Area might wish to adopt if you have not written one.

RELEVANT PREVIOUS PROBATION CIRCULARS
N/A

CONTACT FOR ENQUIRIES
Ayodele Kayode (Corporate Risk Manager) Room 333, Horseferry House 020 7217 8395 Ayodele.Kayode@homeoffice.gsi.gov.uk

National Probation Directorate
Horseferry House, Dean Ryle Street, London, SW1P 2AW

Formulating your Business Continuity Plan
1. The issue of Estate: Many issues have been raised on this particular subject matter. It is important to point out that the responsibility for making adequate alternative arrangements in the event of any emergency situation or on issues of Health and Safety is that of the Probation Areas. After ensuring the Safety of all your personnel and visitors inform the help desk of your Facilities Management Contractor. Where a closure of a significant portion of a building is involved also inform the NOMS Property Regional Property manager or Regional Facilities Manager. NOMS Property are responsible for the reinstatement of any works and will provide short leasehold facilities in the case of a protracted closure. 2. The issue of IT: The loss of the Probation Area Data Centre even in the short term can have a significant impact on the Probation Area’s ability to carry out critical business affairs, where as the long term loss of a small office may be a minor inconvenience. Currently the responsibility for maintenance of the BCP in terms of Information Systems rests with the Probation Area. To assist in defining the IT service requirements in support of the Probation Service’s Business Continuity Plans, it is necessary to identify:

A. The events that will invoke the BCP and the potential impacts upon the Probation Area business B. The likely duration of the event and its aftermath. Is the duration likely to be hours, days, weeks or months? C. The priority for re-establishing critical IT services. Which are the most critical services required by the
affected offices? What automated functions can be performed manually and over what duration? With this information to hand the Centre (NPD) will be better able to assess the provision of support requirements during adverse events. 3. Support Arrangements: Consider having arrangements with neighbouring Probation Areas, NPD or other Home Office Organisations in your Area in advance on various issues, so that support can be provided in the event of any emergency.

PC46/2005 – Business Continuity Plan

2

APPENDIX A
The information below is designed to:1. Give the Business Continuity Planning Team (BCPT) some key information about your Area/ Unit including good practice. 2. Prompt you to review existing plans by flagging up areas you need to consider. 3. Allow you to assess and feedback to your Boards and NPD, your state of readiness in an emergency.

Pages 1 and 2 details the prompts for your consideration. Only Pages 3, 4 and 5, are to be returned to the NPD by 29 July 2005 Appendix B on pages 6, 7 and 8 describe other issues of interest on drafting Business Continuity Plan. The completion of this short exercise should not be time consuming, although, depending on your state of readiness, further future work may be required.

1. Prompts – areas you need to review, consider further and action as needed.
(The overall planning assumption is a non- specific disruption lasting beyond a few days/one week. Your consideration is to plan to minimise this and keep your business going. The prompts below need to be considered alongside your responses on Page 3 and 4, particularly the appropriate action for each key activity within your unit).
CONSIDER THE FOLLOWING KEY ISSUES:1.1 The organisations, both internal and external, which depend upon your services. (Examples: Courts, NPD, Offender Management, voluntary organisations, local authorities)

1.2 1.3 1.4

The organisations, internal and external, you depend on. (Examples: NPD, Courts, RDS, Treasury, banks) The information and systems, you rely on to deliver the activities listed on Page 3. The individuals or groups of staff with specialist skills that you are dependent upon and cannot be readily replaced Whether your plans include contingency for the loss of your normal accommodation Whether your plan includes contingency for the loss of staff. Whether your plan includes contingency for the loss of your normal IT. Whether your plan has considered electronic communication, in its widest sense, where physical 1

1.5 1.6 1.7 1.8

BCP - 2005 – Business Continuity Arrangement

accommodation is not available to you. 1.9 How long you can operate with a contingency plan covering the points in 1.1- 1.7, and whether you could indefinitely operate with this plan or at what point you would need full restoration of normal resources. How you would continue to communicate if your normal means of communication was interrupted How you would contact staff in the event that they are not able to work from their normal location? (including arrangements for short term –up to one week- transport problems etc).

1.10 1.11

1.12

Where will your staff work if your accommodation is not available? business partner's accommodation).

(e.g. home, remote access laptop,

PLEASE COMPLETE BELOW INFORMATION AND RETURN BY 29 JULY 2005 TO: Ayodele A Kayode – Corporate Risk Manager National Probation Directorate Room 333, Horseferry House Dean Ryle Street London SW1P 2AW Tel - 020 7217 8395 E-mail address - ayodele.kayode@homeoffice.gsi.gov.uk

BCP - 2005 – Business Continuity Arrangement

2

PLEASE RETURN BELOW INFORMATION TO NPD
Probation Area: No of staff: No of locations/buildings occupied:
Name of officer completing business continuity update, contact number

2. – Status information
2.1 List the key activities of your Area/Unit (both internal and external).
Activity Number 1. 2. 3. 4. 5. 6.

DESCRIPTION

YES 2.2 Have you a remote location to store copies of critical documents, stationery/forms etc either in hard print copy, floppy disk or CD-ROM? Have you prepared a contact list forr?

NO

2.3

2.4

External Have you identified essential equipment or supplies and made plans for procurement/access if you are relocated or use alternative working arrangements to continue business?

• • •

Staff Internal/NPD

2.5 2.6 2.7 2.8 2.9

Could your Areas operate if key officers have IT at home? Does your staff know about how you will continue business after a disaster? Do you have arrangements in place to provide an accurate and comprehensive list of staff accounted for, and those missing, in the event of a disaster? Do your staff have a copy of the plan Do key members of your management team have a copy of the plan and contact details kept at home? 3

BCP - 2005 – Business Continuity Arrangement

YES 2.10 Have you tested or exercised your plan? When? How frequently do you check the details of your plan?

NO

2.11

2.12

When was the plan last reviewed?

State of readiness assessment and details of good practice
Having considered the prompts and the status information on above pages, please assess your current state of readiness to respond to an emergency. Please tick in the final column of the table below your assessment against current readiness.

Rating 1 2 3 4

DESCRIPTION OF READINESS
Well-developed plans with little or no further work required. Sound overall plans but some detailed arrangements to be developed Outline plans only and details to be developed. Arrangements not adequate/lack of plans –work required.

Current readiness (please tick )

Please provide below any examples of good practice, which might be of interest to others.

BCP - 2005 – Business Continuity Arrangement

4

Question to test the criticality of IT and Accommodation
Given you had to invoke your BC plan now in the following circumstances:• • • Your usual workplace in is not available for some time. IT infrastructure is out of action for seven days, including remotely . (This is a planning assumption to help you think about your critical applications. Using what you currently have available from outside your normal workplace, including any pre-planned relocation sites, working from home arrangements, - after seven days- , standalone laptops, home PCs etc. How long could you deploy your alternate BC arrangements and maintain an acceptable minimum level of business delivery?

Less than 2 days

For at least 2 days For at least one week For at least 2 weeks For at least 4 weeks For at least 2months For at least 3 months For at least 6 months Longer than 6 months

If you have indicated that alternative arrangements could be deployed for a week at most, i.e. you need full restoration of business by the second week or earlier, please list the critical IT applications needed.

BCP - 2005 – Business Continuity Arrangement

5

APPENDIX B: GENERAL ISSUES TO CONSIDER WHEN FORMULATING BC PLAN
General issues to consider
Introduction/ Overview Objectives Provide an outline of your business and the key priorities (not more than one side of A4.………………………. List your objectives:1. 2. 3. 4. ……………………….. ……….. ……… ……. Consider the different areas of your business and their locations and whether they need separate BC plans Consider/decide your objectives in the event of a major incident. For example: • to protect staff and prevent further casualties • to ensure key business areas are given priority for recovery, (consider any known ongoing priorities which require additional consideration/attention and reflect this throughout this plan) to set in train business recovery effort as soon as possible, to ensure statutory duties continue to be met,

• • • Planning Assumptions List your planning assumptions:1. .. 2. .. 3. .. Explain in what circumstances you will invoke the plan and how.

to keep others, external and internal informed about the situation Do NOT assume accommodation, IT or all your staff will be available. For example where it seems that your normal office accommodation/IT is not accessible/out of action for more than 24 hours. Decide who has the authority to activate the plan. Normally Head Of Unit or deputies. Consider who would lead your crisis management/business recovery team, what responsibilities the team will have, and who would be in the immediate team. Make sure you also have their emergency phone numbers

Invocation/ Activation

Leadership/Roles/ Responsibilities

List those who are authorised to activate;• • List positions and names of crisis management team :Leader, Deputies etc

Relocation options

List relocation arrangements- with addresses/maps as needed

Consider your range of options, alternative accommodation, 6

BCP - 2005 – Business Continuity Arrangement

twinning with others, working from home etc. Confirm outline arrangements with those involved. DO NOT assume that accommodation or IT will be available. Muster Point Record Muster Point location address and any named contact at that address Consider in the possible event of an incident precluding you from meeting at your normal place of work, a muster point, known to all, where you can meet to discuss/decide next steps prior to any activation of your plans. Consider what activities will need to be covered in this way if those currently with the formal authority or powers are not available. This may need some work in getting prior agreement if the authority is based in statute, and cannot be left until a disaster occurs. Some staff so identified might well need some briefing or training if they are going to be able to perform in this fashion. Warrants and other specific forms might also need to be provided. Are any stamps, seals or other items needed? Consider what IT you need and could use from your relocation sites. This could include use of official laptops and home computers. Make arrangements to provide and fund any essential IT needed. Liaise with Probation ICT as needed. Do NOT assume that accommodation or IT will be available.

Authorities

Identify who will have authority to approve procurement, expenditure, payments, issue licences or warrants.

Essential IT needs

List details of arrangements:-

List who should have access to RAS and detail any swap over arrangements of RAS laptops. Arrange training for any additional users via IMTU.

Consider whether any existing IT, RAS and standalone laptops should be re-distributed within the unit to support crisis management /business recovery.

Essential Data needs

List what it is and where you can get it from if normal access is not possible:

Consider arrangements to back up important data, and store off site/at home/elsewhere, including frequency of doing this. Make 7

BCP - 2005 – Business Continuity Arrangement

List details of arrangements, where stored, by whom and frequency of updating: Essential business needs and key documentation Key skills Communication/ Review arrangements List arrangements, what you need and where it will be kept. Identify essential documentation that you will need access to and where you will keep it. Detail any procurement contacts and arrangements. Set out how you would arrange succession or augmentation. Record details of how you will inform your team initially and maintain their awareness, including arrangements to induct new people. List names of people holding copies of plan and where plans kept. List review arrangements, frequency and who will take responsibility to instigate review/update plan if circumstances require change to plan.

arrangements to put this in place. This needs to be thought out in consultation with staff. You will need to consider whether to use hard copy, disks or both. Similarly back-up contact lists need to be held in a safe remote location. Consider other non-IT equipment/stationery/stores. Consider what is needed and whether to procure/store in advance or have procurement arrangements planned to allow urgent activation as needed. Consider key skills and/or experience that you require if staff are unavailable and how to acquire in an emergency. Consider how you will ensure that everyone will know their role in the plan, including what they will do in an emergency, whom they will contact, who will contact them. Consider how you will inform new people joining your unit. Keep plans up to date and review regularly. Consider on a need to know basis who should hold copies of the plan (these should be kept off site/at home). Ensure that everyone has a chance to read the plan and understand where they fit in.

Testing arrangements

List details of your testing programme, date held, those involved and lessons learned

Consider how to test your plan. Draw up a testing programme involving elements of the plan (for example test contact phone numbers and check that both key staff and others know the part they play) Consider a desk top exercise to provide you with assurance that the plan is understood and can be successfully invoked when needed.

Key Contacts

List key contacts, to include office, home, mobile phone numbers, pagers and home E-mail addresses. You may wish to produce one list incorporating the additional details from the senior management list. (Note- That this should only be seen and information retained on a need to know basis for key players. Information is only to be used in a major incident and should be classified as "Restricted".)

Draw up a list of key contacts to support your plan.

BCP - 2005 – Business Continuity Arrangement

8

PC46/2005 – Business Continuity Plan – Appendix C Business Continuity Planning Advice for Businesses with over 250 employees
Where to begin? You can compose an effectual business continuity plan in a relatively short period and for little expenditure. This is a five-step guide to help businesses commence business continuity planning. The steps are: 1. Analyse your business 2. Assess the risks 3. Develop your strategy 4. Develop your plan 5. Rehearse your plan

STEP 1 - Analyse Your Business
This step, also known as business impact analysis, determines which areas of the Probation Area’s activities are crucial to running the business. Business impact analysis enables an organisation to focus its risk assessment on the mission critical activities of the organisation rather than conducting a traditional all risks analysis. The key to analysing a business is understanding its: A. Mission critical activities B. Internal factors C. Singular problems to unique activities D. External influences

A. Mission Critical Activities To assess mission critical activities consider which operations are crucial to the running of your business. 1

Grade the following essentials to the running of your business on a scale of I to 5: What is essential to the running of the Probation Area’s Business? • Employees? • Products? • Services you provide • Major Client(s)? • Main Suppliers? • Specialist Equipments? • Unique Premises? • Time Sensitive processes? • Partners/Stakeholders? Grades on a scale 1 to 5

B. Internal factors Consider the factors which influence the impact of an incident on your business. Try to establish where your business is at it’s most vulnerable if an incident occurs. Consider the following: • • • Staff Systems & processes Stakeholders • • • Customers Partnerships Timescales • • Suppliers Buildings

Sample list of questions for you to consider: Some questions to consider with regards to your staff Grade departmental importance — which department is most/least vital? When is the departmental function most essential? Which people are most essential and when? Consider different timescales of a few hours, 24 hours, 5 days etc. Do you have contact details at another location for all your staff and key employees? Are the up-to-date? Do you have a plan of who needs to do what in case of an incident? Do you have a crisis team? Have you nominated deputies for the members of the crisis team in case they are not available? 2 Answer

What if scenarios:
Grade on a scale of 1 to 5 What if scenarios: Define: Suggest preventive action

If you could not deliver a programme to your stakeholder? If your staff could not get to work? If your partners or stakeholders could not get access to your premises? If your IT system was damaged? If your specialist equipment was damaged? If your telecoms were down? If a key partner fell ill? If you could not get access to your building? If you could not operate from your location? If you or any key worker became ill over a long period of time? If you are unable to pay your suppliers? Think of reputation, not only the short term Worst case scenarios What is the worst-case scenario for Define: your organisation? How long before your service would be severely affected: hours days months Would it survive the disruption? Do you have insurance against this eventuality? Do you have copies of insurance papers off-site? Suggest preventative action:

3

What is the worst-case scenario for Define: your organisation? How much can you afford to lose if unable to run your service for days weeks months What do you need to do to stay operational? Do all heads of departments agree that this is the worst-case scenario? C. Singular problems to unique activities

Suggest preventative action:

An activity may be unique to your business or have a unique aspect due to its complexity. You may have to take some time to consider probable resolutions and any implications. D. External influences What external factors are likely to affect your business during a crisis? Aspect affecting you Local community Your competitors Government Transport War in a different country The way it’s affecting you: Mixed opinion about your services Preventative Action Community project/local help

Do they have a BCP? How did the Research deal with things? New legislation Need to comply? Cancelled public transport Have a list of employees with their own transport. Organise shuttle bus; organise accommodation etc. Reduced customer confidence Have money in reserve for special affecting imports/exports advertising campaign etc.

4

Step 2 - Assess the Risks
Before proceeding to this stage, ensure a senior member of staff/board member agrees with the business impact analysis. This stage should involve a senior member of staff and co-coordinators. Risk assessment identifies: A. Internal and external threats, liabilities and exposure, including risk concentrations that could cause the disruption, interruption or loss to an organisation’s mission critical activities.
Grade 1 - 5 Most/least prepared What if Questions: Grade 1 - 5 least/most likely

Does your plan work if the power fails? Does it work when there is a fire? Does it work if you cannot gain access to the premises? What if your customers/ suppliers cannot contact you? What if your suppliers cannot get to you due to floods/ cordons? What if your suppliers cannot get to you due to their problem — do you have alternative suppliers as a back up? What if your customers cannot pay you? What if your employees cannot get to work for a few days in a row? Does your plan cover criminal damage? Are you insured? B. The likelihood of an incident occurring: is there a concentration of risk for a particular area/task?
Examples of risk concentration scenarios: Yes/No If yes, preventative action; Extra Security Extra safety devices/alarms/ security

Do you have a lot of expensive equipment in one room? Do you have a lot of crucial machinery in one area of the building?

C How vulnerable an organisation is to the various types of incident - Examples of possibilities to think about in terms of how different elements of your business will be affected in case an incident occurs:
How will your service users be affected?

If there are delays in delivering the services? If you cannot contact them? Will they switch over to our competitors? If it’s an organisational-related incident, will this damage your reputation? Do you have a planned PR response? 5

Have you reassured them that you have a business continuity plan in place? Is your PR department aware of its content? How will other stakeholders be affected? Staff - have you assured them that you have a business continuity plan in place and that their jobs will be secure in case of an incident? Are your staffs aware of the role they have to Ia in case of an incident? Suppliers - have you assured them that you have a business continuity plan in place and that you will be able to pay them on time in case an incident occurs? Shareholders? Local community? Business neighbours? If you share your premises with other companies in the building Have you thought about working with your neighbours to create a joint business continuity plan? What’s the nature of their business? What will happen if you are denied access to the building due to another corn an ‘s accident? Can you do anything to mitigate the risk from another’s business? Does our landlord have a BCP? Is your landlord complying with their responsibilities under law? How will your financial systems be affected? Do you have financial company details off-site? Back ups of recent transactions? Do you have an extra copy of your chequebook? Will you be able to pay your staff!/suppliers? Other issues to consider Will you be able to get hold of your vital papers — do you have copy details of your insurance cover off-site? Do you keep staff trees/ lists off- site?

D. A basis to establish a risk appetite and risk management control programme and action plan. Establish how long your business can bear functioning at reduced capacity and what level that is. What needs to be done to make sure it can function at minimum capacity? 6

Define your risk strategy. Remember that you can’t prepare yourself against all types of incidents, however much you spend, but here is a selection of approaches you could take: • Accept the risks — change nothing, e.g. close the office down for while and have a disaster recovery plan in place to sweep up the damage and get your service fully operational after some time has passed after an incident. Accept the risks, but make a mutual arrangement with another Probation Area to ensure that you have help after an incident. It is common that for business continuity purposes they become a ‘buddy’. Attempt to reduce the risks, e.g. by for instance changing or ending ‘risky’ processes or by taking out insurance. Although do note that insurance provides financial recompense and support in the event of loss, but does not provide protection for brand and reputation. Attempt to reduce the risks and make arrangements for help after an incident Reduce all risks to the point where you should not need outside help, e.g. through implementing broad continuity management principles in case of an incident.

• •

E. Worst event scenarios - What is the worst that could happen? What are the worst likely things for your organisation and how likely are they to happen? If you are prepared for the worst, then you can deal with incidents of lesser scale. This will also help you put in perspective how to insure your business, how to develop your contingency plans and how to put preventative measures in place.
Consider:

Answer:

What is the likelihood of this happening? Does our plan cope with it? What can you do to prevent it? How much can you afford to lose if unable to run our service for Days Weeks Months F. What functions and people are essential, and when. Consider which departments, divisions and members of staff are essential to running the service. Experienced and multi - skilled members of staff can be a vital resource, are you aware of everyone’s skills, experience and knowledge? What functions need to be covered during an emergency and thereafter? Are there any time sensitive operations or specialist procedures that need to be performed? Ensure that you consult with department heads and at ‘ground level’ to get a comprehensive analysis. 7

Step 3 - Develop Your Strategy
From the beginning of creating the business continuity plan, aim to embed a business continuity management culture throughout the organisation to ensure that business continuity management becomes an integral part of organisation’s strategic day-to-day business as usual operational management. Achieve this by winning over middle management and building awareness that BCM is a company-wide specialisation, not just an IT function. As a guide each business continuity plan should aim to contain the following: a) Statement of clear purpose of the plan • • The plan should outline the direction to take in the event of an incident. It should include a clear statement on how risk averse you are and you may want to include a statement on what your definition of a disaster is, for example: “any unwanted significant incident which threatens personnel, buildings, or the operational structure of an organisation which requires special measures to be taken to restore things back to normal”, definition taken from part 2, ‘How Resilient is Your Business to Disaster ~ Home Office publication, 1997.

To instill confidence amongst employees, it is vital that the plan is viable and will have the involvement and support of senior management. b) The structure of the crisis team(s) • • • • It must be clear when emergency plans are to be implemented and who has the authority to implement them. The plan should include all persons responsible for initiating the plan’s implementation, both junior and senior. It must be clear who is responsible for what in the plan’s execution and who has the key roles. It must also be clear to whom everyone answers.

The team could be divided as follows: Gold, Silver and Bronze personnel, and might include the likes of a chairperson, security, HR, media relations, transport, and finance and facilities If you have nominated a team to create, co-ordinate and deliver the plan, it might be helpful to divide the personnel involved in the plan into three different categories: • Gold — the thinkers responsible for the strategy, such as the CEO. • Silver — the planners and co-ordinators who will deal with the tactical aspects of the plan. These will include a senior management team of experts within your business. They are involved in your BCM approach and specific planning and responsible for co-ordinating and directing the resources of the business to ensure that the plans are properly implemented. Silver people will link with Gold and keep them updated on the developing situation. Bronze — the doers who will be responsible for recovering/restarting crucial business functions. They are responsible for ensuring that their specific business continuity plans 8

are implemented. They take direction from the Silver people and keep them updated. • You may decide that you will need a set of plans for each of the Gold, Silver and Bronze teams, or a set of different plans for different Bronze teams, such as a separate IT department plan, which will, for instance, include more technical jargon and specific data.

In your contingency planning, make sure that all levels of staff involved in business recovery understand the nature of threats and the importance of planning. Allocate a list of suitable locations where your Business Continuity team should meet, if an incident occurs. This should consist of a room on-site, a place in a public building, e.g. a local pub, someone’s house or a meeting room at your alternative fall-back site. If an incident occurs, meet with everyone from the Business Continuity team as soon as you can, probably after the first planned emergency procedures have been implemented, and then continue meeting every 24 or 48 hours. c) Business Recovery Develop practices and procedures needed to mitigate risk and reputation if service operations have been affected. It includes the priority tasks that must be addressed if the service has to relocate and needs to communicate with clients and other service providers during the period of disruption. It is essential that such lists are updated regularly, at least quarterly, and preferably monthly, and they must recognise the likely availability of staff ‘out of hours’ and weekends and during holiday periods. The members of the ‘crisis team’ should be supplied with a simple check list of the actions they must take during and after an incident. Using brightly coloured cards or paper is a cheap and way of ensuring that people know they are using the most up-to-date version. The lists should be accessible and available at all times and in several locations, electronically and in hard copy. d) Work area recovery This could be the key aspect of your plan. If you intend to work from another site, there are several options to consider: • You might decide some staff can work from home temporarily • • You might have made arrangements with another Probation Area to use their facilities. Choose a ‘cold site’ agreement, usually provided by a business continuity supplier. This involves erecting a temporary building. You will usually be able to move in after about 12 days. Or a ‘hot site’, also usually provided by a specialist continuity company, makes desks available within about 4 hours. This option is easy to rehearse, but relatively expensive.

9

e) Technology recovery Most businesses nowadays have complex IT, telecommunications and utilities’ structures in place. Information Technology: It is imperative to keep inventory lists of software and hardware materials, as well as your suppliers so that you can replace equipment immediately if needed. Customise inventory lists according to your needs. It is worth checking in advance if your insurance covers the replacement of damaged items immediately, or whether you need the insurance company’s consent. Telecommunications: You may have the capability to access your telephone system remotely, from another site. Make sure all relevant programming is undertaken as soon as possible. Make a list of all the access numbers and keep them safely with all your important documents on and off-site. Utilities: In case of a utilities failure, make sure you have a list of all of your utilities’ providers, their contact details and your account numbers. Make sure you have an ‘old style’ telephone handset which you can plug directly into a telephone socket. This has its own power source via the line and will not be affected by a power cut. f) Public Relations The PR process can make or break your reputation. PR will influence how the public, existing and potential customers, partners, suppliers and all other stakeholders will react to the incident. • Nominate a PA spokesperson, and ensure that all staff knows who it is. For resilience, make sure more than one staff member is nominated and that they have some training in media handling. Make certain the story is the same from all sources: if the emergency services are involved, co-ordinate your information with them. Possibly hire a PR consultant. Consider the production of an emergency newsletter to staff. If it is a seriously disruptive incident and you cannot keep all your staff on site during recovery, it is essential to keep them well informed about progress. Have a pre-prepared list of facts on the organisation’s functions, safety record, etc. Place advertisements in local or national papers as needed.

• • •

• •

10

g) Staff Focus Consult your staff when drawing up the plan. This will ensure that they feel part of the plan and will therefore be more willing to participate fully when something does happen. Be sensitive how you communicate your plan: the phrasing ‘essential staff or ‘vital departments’ suggests that some of your staff aren’t as important as others. Obviously, they all are, but some priority needs must be met. Make sure that you have plans in place to take care of your employees once an incident does occur. Make the following contingencies:

• •

Petty cash for travel home in case of evacuation Counseling

h) A description of the premises This is important for evacuation purposes. Clearly mark where the emergency exits are. Also, include lists of the contents of your premises for insurance purposes. Damage Minimisation Remember that there is a common law duty to minimise loss and this requirement is often invoked under a contract of insurance. It therefore follows that expense controls should not be abandoned in the anxiety to make the business operational again.

11

Step 4 - Develop and keep developing your plan
In the process of developing your plan, make sure you have consulted all the decision makers in the business and involved your staff. Also, make sure you use non-technical language when writing up the plan, making it accessible to all your employees. Has your business continuity plan incorporated all the necessary components? Check our business continuity plan against the following : Tick off Does your organisation have a clearly defined, up-to-date business continuity plan for its weak links, mission critical activities and their dependencies? Does your plan reflect the most up-to-date business impact analysis and risk analysis? Does your plan clearly define the role of the accountable business owner of the plan? (This could be the MD, CEO or business owner...) Has your plan been approved and signed off? Is it clear who is responsible for the pIan’s maintenance? Is the plan regularly reviewed in terms of its mission critical activities b the agreed person, such as the legal rep? Does the plan establish a clearly predefined response if an incident occurs until the point of full operation? Does the plan clearly define how to recover critical activities within the specified time frame? Does your plan clearly define personnel roles, their accountability, responsibility and authority? Have you established an appropriate time frame for review of the plan? Does the plan provide and define clear aims and objectives? Are there clear instructions on how to use our plan? Does the plan contain a diagram of the business continuity management structure? Does the plan clearly state the appropriate responses according to the emergency? Do you have clear details regarding purchasing, expenditure, and authority? Do you have a list of contents? Distribution list? Glossary of terms?

12

Developing your plan: You may wish to divide your plan into tasks to do immediately following an incident and those thereafter to avoid confusion. To develop the plan you should have input from a cross section of your organisation ensuring that you include all grades within the hierarchy. This is vital to ensure a practical and workable plan. Large organisation’s often consult with outside organisation’s that may be able to provide assistance when drawing up the plan: • Find out from your local authority emergency planning officer what they would do in response to a major incident or terrorist attack. • • • Keep in touch with neighbouring businesses. How can you help each other? Find out what information will utility companies need in case of an incident. What information will your insurer need from you? Please make sure that you create inventory lists according to your needs. It is worth checking in advance if your insurance cover will allow replacing damaged items immediately, or whether you need the insurance company’s consent. Think of who else will be affected by your decisions: your customers, partners, stakeholders and suppliers? Involve them if you can in the planning process. How will they want the information communicated if an incident occurs?

Liaison with the emergency services and other organisation’s • Talk to the local liaison officer of the respective emergency services to find out what their procedures are and what they will need from you if an incident occurs. Emergency services are often willing to visit companies and perform seminars on such subjects as evacuation procedures or safety to your employees. The Fire Protection Association has published a useful guide: “Safety at Scenes of Fire and Related Incidents” which also covers problems of chemicals, biological hazards and building safety.

Additional Analysis Tools

For those seeking more analysis tools, the following are examples of methods, tools and techniques that you can use to help you develop your business continuity plan (as
listed in “Business Continuity Management -. Good Practice Guide “, p54, © The Business Continuity Institute 2002) • • • • • • • • •

A Strategy Planning Process Model SWOT Analysis (Strengths/Weaknesses/Opportunities/Threats) Porter’s Value Chain Analysis PEST Analysis (Political! Environmental! Social! Technical) Scenario planning Cost Benefit Analysis Business Impact and Risk Assessment Quartile Matrix Financial Management Benchmarking (metrics and process)

13

Current State Assessment ‘Gap’ Analysis o Questionnaires o Scorecards o Interviews (structured and unstructured)

External Advice For the more complex business, it is worthwhile consulting an expert for advice. There are companies who specialise in providing this type of service, ranging from providing advice to devising the whole plan from start to finish. Technology Resources There are companies providing information back-up services. You can arrange them to collect data! Copies of information every day, week or month. Alternatively, you can store back ups at another site, at your buddy’s site or at home. Some organisation’s will want to give instructions over a central audio system to all employees, it is useful to have recorded messages for all types of incidents, including testing of fire alarm, but also instructions of what to do in case of an external incident. It is also worthwhile having pre-prepared messages for relatives and next of kin, what to say to them over the phone, in person or in writing. This will be useful if some staff could not be found or taken to hospital for treatment etc.

14

Step 5 - Test your Business Continuity Plan and Train your Staff
Once the plan has been developed, it has to be subjected to rigorous testing. Testing should be carried out in an environment to reproduce authentic conditions. Although it might not be practicable to change premises for a few days, it might be a good idea to test operating at other premises with the key staff for a few hours. You may believe this is costly or unproductive but it is a practical investment for your company’s survival: should an incident happen for real you will be better able to cope with it. It is important to instill a culture of business continuity management awareness from the very beginning throughout the company. A truly effective BCP must reflect ‘business as usual’ management process and be driven from the top of the organisation. It should be clearly set out in the organisation vision statement that is fully endorsed and actively promoted by the Board or the Executive Committee. It is vital to test the plan with all the appointed business continuity team persons to make sure each is fully aware of their own responsibilities. They should be given a copy to read through and to understand their own particular responsibilities. By training your team in the details of the plan they will be much more efficient at implementing it should the need arise, and they may well have useful feedback to give about their own area of company expertise. It is also important to revise your plan regularly, to reflect staff turnover and updates in technology, for example. Assign the duty of updating the plan to a member of staff and make sure it is regarded as an important regular activity. There are numerous ways in which you could test your plan. Here are a few simple examples: • Paper-based exercises: Read through the plan, questioning each action Test the plan using what if scenarios. (New pieces of information can be added as the scenario unfolds, in the same way that more details would become clear in a real incident.

• Telephone Cascading:
This involves testing your Staff Communication Tree: initiate the process of phoning or texting people at the top of the tree. Measure the time it takes for the last people to receive the message. This also allows you to test the whole communication structure (are there any people on the list who have left your organisation?). • Full rehearsal: If it’s carried out in similar conditions to a real incident, it will show you how the different elements of the plan fit together. This may be expensive, especially if it involves changing sites, but planning will reduce costs and the efforts might pay off in the future. How often should the plan be tested? Your plan will need a full rehearsal at least once a year and will also need to be maintained and updated regularly by an appointed person(s). 15

West Yorkshire Probation Board Business Continuity Plan

Head Office Version 1.0

Head Office Business Continuity Plan Summary A major incident that affects the running of WYPB Head Office (HO) may hinder the services provided to field offices, thereby undermining the effectiveness of probation services throughout the area. This will in turn, affect WYPB ability to meet the NPS aims detailed in the WYPB Area Plan. This Business Continuity Plan identifies the essential services provided by Head Office; and in the event of a serious incident it details plans on how to maintain these services. The plan is broken-down into two parts: Part 1 – HO Business Impact Analysis. Part 2 – HO Disaster Recovery Plan. Part 1 determines the key services WYPB provide to its customers, and the Head Office facilities these key services are dependent upon. These in turn determine the essential business assets at the Head Office and the likely incidents that threaten these assets. From this analysis a Business Continuity Strategy is developed. Part 2 is a plan that directs and assists staff to restoring the essential support facilities, identified in Part 1, following a serious incident at the HO. It also initiates the process for returning to normal business. In the event of a serious incident at Head Office, follow the directions at Part 2 – HO Disaster Recovery Plan.

Note – This document contains Personal Sensitive Information and must be treated as Private and Confidential. Keep in a locked office or filing cabinet or on your person at all time. Do not leave in public place or in a vehicle.

Contents

Page No

Part 1 – HO Business Impact Analysis.
Introduction Categorisation of Key Business Services and HO Support Facilities HO Key Business Assets Threats to Key Business Assets Business Continuity Strategy Appendix A – Category Tables Appendix B – Risk Assessment Tables 1 1 3 3 5 7 11

Part 2 – HO Disaster Recovery Plan
Introduction Responsibilities Initial Response to a Serious Incident Business Continuity Management Team (BCMT) BCMT Objectives Appendix C – BCMT Contact Details Appendix D – BCMT Role and Responsibilities Appendix E – Re-Location Appendix F – NPD and Prime Contractor Contact Details Appendix G – Restoring the STEPS LAN Appendix H – Restoring Tele-Communications Appendix I – Restoring Mail Service Appendix J – Staffing and Office Facilities Appendix K – Restoring Payroll and Finance Systems Appendix L – Mitie Disaster Recovery Model Appendix M – Public Relations Guidelines Appendix N – HO General Information Appendix O – HO Floor Plans Annex A – Telephone Number and Address Directory 13 13 13 14 15 17 20 22 23 24 25 26 27 28 30 31 33 37 38

WYPB Head Office Continuity Plan – Part 1 Head Office Business Impact Analysis 1.0 Introduction This document considers the impact on WYPB business in the event of a major incident at the Head Office (HO). It determines the key services WYPB provide to its customers, and the Head Office facilities that the key services are dependent upon. This in turn determines the essential business assets at the Head Office and the likely incidents that threaten these assets. This analysis is required to develop the Business Continuity Strategy and a Disaster Recovery Plan. 2.0 Categorisation of Key Business Services and HO Support Facilities A survey of senior operational and administrative staff identified eighteen Key Business Services (KBS) and their related HO Support Facilities. The survey also determined the effect the loss of HO facilities would have on each KBS over three set time periods; 48 hours, five working days and ten working days. For example the running of Accredited Programmes would not be adversely affected if HO support was lost for 48 hours, but it would be if the support was lost for five working days. This formed the basis for categorising each KBS. The categorisation was also influenced by the contribution the KBS makes to WYPB achieving the NPS aim of Protecting the Public. For example ensuring accommodation of High Risk Offenders is a more immediate concern than the collation of Accredited Programmes data. The categories are: a. Category A – Key Business Services that require HO Support Facilities to be reinstated in 48 hours. b. Category B – Key Business Services that require HO Support Facilities to be reinstated in five working days. c. Category C – Key Business Services that require HO Support Facilities to be reinstated in ten working days. The category tables populated with related KBS and HO Support Facilities are at Appendix A. 2.1 Essential Head Office Support Facilities The tables at Appendix A clearly show the HO Support Facilities are essential to ensure that Districts can effectively deliver the Key Business Services. Should a serious incident result in the closure of HO, the following Support Facilities must be re-established in 48 hours:

1

a. IT Network Applications i. ii. iii. iv. v. vi. vii. Windows 2000 – Local Area Network Lotus Notes (e-mail) CRAMS Word (Contact Logs, Case Folders Templates) Excel (MAPPA database) e-OASys IAPS

b. Telephone, fax, mail/post. c. Elements of Policy and Practice Unit to assist in the management of High Risk Offenders. d. Accommodation Services. e. Elements of the Secretary’s Section to provide legal support. Should a serious incident result in the closure of HO, the following Support Facilities must be reinstated in five working days: a. Hardware and software to run Resource Link back-up tapes and pay staff via BACS. (Process payroll and expenses) b. Hardware, software and stationary to print pay slips. c. Elements of Policy and Practice Unit to provide assistance in the running of Accredited Programmes and DTTO Programmes. Should a serious incident result in the closure of HO, the following Support Facilities must be reinstated in ten working days: a. IT Network Applications i. Series X (APM Database, PSR Monitoring Database). ii. Excel (Basic Skills Database, NSMART Database). iii. Hardware and software to run MIS (finance) back-up tapes. b. Elements of Information Services to carry out collation and processing of the following: i. ii. iii. iv. v. Accredited programmes. DTTO programmes. Basic Skills commencement and award data. PSR recommendations on minority ethnic offenders. NSMART.

e. Elements of Policy and Practice Support to assist in the running of Basic Skills. f. Elements of the SOS Unit to run Contracts and Partnerships.

2

3.0 Head Office Key Business Assets The identification of essential HO Support Facilities enables the key HO Business Assets to be determined. These are: 3.1 Primary Assets: a. b. c. d. e. The STEPS Network. The HO Building. Land line telephone communications and related equipment. Mail. Primary Staff – Elements of Chief Offices Section, IT, Policy and Practice Unit, Accommodation Services and the Secretary’s Section.

3.2 Secondary Assets: a. Payroll IT hardware and software. b. Finance IT hardware and software. c. Secondary Staff – Elements of the Finance Section, Information Services, Human Resources and the Chief Officers section. 4.0 Threats to Key Business Assets The following discusses the potential threats to each HO Key Business Asset and the likelihood of an incident. 4.1 The STEPS Network A comprehensive study of the potential threats and risks to WYPB’s Local Area Network (STEPS) has been carried out as part of the National Probation Service network accreditation program (Accreditation Document Set Parts 2 – Risk Management Document (Ref.: Generic Probation Service ADS Part 2 v0.4) dated 16 January 2004. The following is an extract from the document’s summary: The threat and vulnerability assessment considered many potential problem areas, each of which may affect different parts of the system. Threat categories can be grouped into the following areas: Logical infiltration (data compromised when stored or processed on the system); Communications infiltration (data compromised when in transit on the network); Failures of equipment; Errors by people; Physical threats.

3

“The greatest risks to the West Yorkshire Probation Area and its information systems identified in the review are listed below: Embedding of malicious software; Introduction of damaging and disruptive software; System and Network Software failure; Operations Error; (Operator errors? Or define) Hardware and software maintenance errors; Theft. The first two threats led to high measures of risk because experience has shown that incidents of malicious software being sent by e-mails or introduced by floppy disks are amongst the most common security incidents, and so the level of these threats has been judged to be high. The threat of theft has led to a high risk particular with respect to portable computers being stolen. Such devices are judged to be ‘attractive’ items and there have been several cases where this type of equipment has been stolen in the past. As stated above, overall the measures of risk determined in the risk assessment are range from a medium to a high level. These types of levels indicate the need for strong and well-enforced protective measures, which have been regularly tested and can be demonstrated to withstand determined attacks.” 4.2 Risk Assessment Table The risk to the remaining HO Key Business Assets is assessed in the Risk Assessment Table at Appendix B. In assessing the risk business from a specific incident, three elements are measured; impact on business, likelihood of occurrence, and business vulnerability. An impact analysis has already being carried out to identify WYPB key services. The table in Appendix B measures the Likelihood of a specific threat and the Vulnerability of WYPB business assets. Likelihood is assessed on the following scale:
a. Very Low (considered to be unlikely to ever occur) – score 1; b. Low (considered to be likely to occur only in unusual circumstances) – score 2; c. Medium (considered to be likely to occur occasionally) – score 3; d. High (considered to be likely to occur regularly) – score 4; e. Very High (considered to be likely to occur very frequently) – score 5.

4

Impact is assessed on the following scale:
f. Very Low (considered to be unlikely to ever occur) – score 1; g. Low (if the threat did occur, it is felt unlikely that it damage / disrupt the system) – score 2; h. Medium (if the threat did occur, it is felt could damage / disrupt the system) – score 3; i. j. High (if the threat did occur, it is felt would definitely damage / disrupt the system) – score 4; Very High (considered to be likely to occur very frequently) – score 5.

The measure of risk is determined by adding the two scores of likelihood and impact. A very low risk score is 2 and a very high risk score is 10. The table in Appendix B shows the greatest risks to all assets, with the exception of Mail, comes from the loss of electrical power and the threat of fire. Additionally, Payroll and Finance data are at a medium to high risk from malicious or accidental corruption by internal or external staff. 5.0 Business Continuity Strategy In the event of a major incident seriously affecting WYPB’s ability to operate, the Boards overruling mission is to continue to meet the aims of the National Probation Service, as detailed in WYPB Area Plan. The strategy to meet these aims is as follows. 5.1 Objectives In the event of an incident at the Head Office, WYPB objectives will be: a. To re-establish the Primary HO Key Business Assets, listed at paragraph 3.1, within 48 hours. b. To re-establish the Secondary HO Key Business Assets, listed at paragraph 3.2, within five to ten working days. c. Within ten working days to have initiated the planning process to reestablish normal business. 5.2 Business Continuity Management Team The objectives will be achieved through establishing a Business Continuity Management Team (BCMT) consisting of senior managers. The BCMT’s role is to manage the Disaster Recovery Plan; it must assess the situation and determine the best course of action to meet the objectives. It must also initiate the process to return to normal business.

5

5.3 Disaster Recovery Plan The Disaster Recovery Plan will provide: a. b. c. d. e. f. Instructions on when the Plan should be initiated. Roles and responsibilities of the BCMT members. Detailed objectives and the time in which they have to be achieved. Guidance and relevant information on how to achieve the objectives. Personnel contact details (including next of kin). Contact details of prime contractors, statutory organisations, and partners.

Whilst the Recovery Plan will provide guidance on how to respond to incidents, it can not predict all eventualities. It is the responsibility of the BCMT to assess the situation and determine the best course of action to meet the objectives and, there by, allowing WYPB to fulfil its mission. 5.4 Review Date The HO Business Impact Analysis and assessment of threats to key business assets should be reviewed on a 6 monthly basis – next review Sept 05. Should the review show a change in the analysis or assessments then alterations to the Disaster Recovery Plan should be considered.

6

Appendix A

Key Business Services

Category A Key Business Services HO Support Facilities to be re-established in 48 hours

Management (assessment and supervision) of High Risk offenders.

Accommodation of High Risk offenders.

Enforcement of Orders and Post Release licenses.

Supervision of Orders.

IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (e-mail), Excel (MAPPA database), e-OASys. Telephone, fax, mail. Department – Policy and Practice Support (Public Protection) IT Network Applications – Word (Contact Logs, Case Folders, and Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail. Departments – Policy and Practice Support & SOS (Accommodation). IT Network Applications – Word (Contact Logs, Case Folders, and Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail. Department – Secretary’s Section (Legal assistance). IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (e-mail), e-OASys. Telephone, fax, mail. IT Network Applications – Word (Contact Logs, Case Folders, and Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail.

Preparation of reports for courts.

7

Category B Key Business Services HO Support Facilities to be re-established in 5 working days

Key Business Services

Pay roll and HR services.

The running of Accredited Programmes.

The running of DTTO Programmes.

Maintaining contact with victims.

IT Network Applications – Word, Lotus Notes (e-mail). Specific IT Applications – Resource Link, BACS link plus server. Payroll pay slips plus printer. Telephone, fax, mail. Department – Finance Section (Payroll/Expenses) IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (IAPS,e-mail). Telephone, fax, mail. Department – Policy and Practice Support (Accredited Programmes). IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail. Department – Policy & Practice (DTTO). IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail.

8

Category C Key Business Services HO Support Facilities to be re-established in 10 working days Collation of Accredited Programmes. IT Network Applications – Word, CRAMS, Lotus Notes (IAPS,email), Series X (APM Database). Telephone, fax, mail. Department – Information Services (Database Admin and Information Management). Collation of DTTO Programmes. IT Network Applications – Word, CRAMS, Lotus Notes (e-mail), Series X (APM Database). Telephone, fax, mail. Department – Information Services (Research). Running of Basic Skills. IT Network Applications – Word (Contact Logs, Case Folders, Templates), CRAMS, Lotus Notes (e-mail). Telephone, fax, mail. Department – Policy and Practice Support (Basic Skills). Collation of Basic Skills commencement and award data. IT Network Applications – Word, Lotus Notes (e-mail), Excel (BS Database). Telephone, fax, mail. Department – Information Services (Information Management). IT Network Applications – Word, Lotus Notes (e-mail), Series X (PSR Monitoring Database). Telephone, fax, mail. Department – Information Services (Information Management).

Key Business Services

Collation of recommendations in PSRs written on minority ethnic offenders.

9

Collation of contact with victim’s data.

IT Network Applications – Word, Lotus Notes (e-mail). Telephone, fax, mail.

Finance Ledger.

NSMART

IT Network Applications – Word, Lotus Notes (e-mail). Specific IT Applications – MIS plus server. Telephone, fax, mail. Department – Finance Section. IT Network Applications – Word, Lotus Notes (e-mail), Excel (NSMART Database). Telephone, fax, mail. Department – Information Services (Information Management). IT Network Applications – Word, Lotus Notes (e-mail). Telephone, fax, mail. Department – SOS Unit (Contracts and Partnerships).

Contract Management

10

Appendix B Risk Assessment Table
Threats to Key Office Assets The Head Office Building Electrical Power failure Fire Water damage Terrorist Server Room Electrical Power failure Fire Water Damage Malicious or accidental corruption by internal staff Malicious or accidental corruption by external staff High Low Medium Low Medium High High High High High 8 6 7 6 7 High Medium Low Very Low High High Low High 8 7 4 5 Likelihood Impact Measure of Risk (2-low, 8-high)

Land Line Telephone Communications and Related Equipment Area wide failure Local failure Electrical Power failure Terrorist Mail Mail staff strike Incident at local sorting office Incident with delivery van Medium Low Low Medium Medium Medium 6 5 5 Low Medium High Low High Medium High High 6 6 8 6

Payroll and Finance IT Hardware and Software Hardware failure Software failure Malicious or accidental corruption by internal staff Malicious or accidental corruption by external staff Introduction of virus or other malicious software Low Low Medium Medium Medium Low High High 5 4 7 7

Low

Low

4

11

Threats to Key Office Assets Staff Large section of the staff from one section leaving Large section of the staff being affected by illness eg SARS Strike by staff Severe weather stopping staff getting to work. Fuel shortage stopping staff getting to work.

Likelihood

Vulnerability

Measure of Risk (2-low, 8-high)

Low Low

Medium Medium

5 5

Medium Medium Low

Medium Medium Medium

6 6 5

12

WYPB Head Office Continuity Plan – Part 2 Disaster Recovery Plan 1.0 Introduction WYPB Head Office (HO) provides support facilities to the District Offices that ensure services are effectively delivered to probation customers. In the event of a serious incident that affects the physical location, assets, data and staff at the HO it will be necessary to restore the essential support facilities, as soon, as is practicably possible. The purpose of this plan is to direct and assist staff in restoring the essential support facilities and to start the process of returning to normal business. 2.0 Responsibilities It is the responsibility of Chief Officer to ensure that: a. b. c. d. The HO Continuity Plan (Part 1 - Impact Analysis and Part 2 - Disaster Recovery Plan) is reviewed and tested annually. Each member of the Business Continuity Management Team (BCMT) has a copy of the Plan. Every Duty Chief Officer has a copy of the plan. Any 24 hour site (i.e. Hostel) has a copy of the plan.

Human Resources are responsible for updating the file containing staff names, contact details and next of kin details on a weekly basis and password protecting it. IT to put it onto a USB dongle and take to the Wakefield branch of Lloyds bank and stored with the STEPs back-up tapes in a safe deposit box. The USB dongle brought back from the bank will be formatted and stored in the IT safe. 3.0 Initial Response to a Serious Incident Should a serious incident occur at the HO out of normal working hours, the contact address for the Police is ……………... If the incident results in any the outcomes listed below, the Hostel Duty Manager must contact the Duty Assistant Chief Officer and inform them of the situation, and who in turn must contact one of the following senior managers: Chief Officer, Deputy Chief Officer, Secretary to the Board, Director of human Resources or Director of Finance. The responsibility for activating the Disaster Recovery Plan (Part 2) is then passed to him/her. Should an incident occur during working hours which results in any of the following, it is the responsibility of the Chief Officer or Deputy Chief Officer to activate the Disaster Recovery Plan (Part 2). If neither are available, any Senior Manager at HO can activate the plan. Activating the Disaster Recovery Plan (Part 2) should be considered if a serious incident results in any of the following:

13

a. b. c. d. e. f.

WYPB Head Office is damaged. This could be the result of a fire, severe weather or terrorist attack. WYPB Head Office is inaccessible. This could be the result of a bomb scare, chemical spillage or crime scene. Electricity supply has failed and is unlikely to be restored in the next 24 hours. Telecommunications have failed and are unlikely to be restored in the next 24 hours. A large element of the staff will not be able to attend work. This could be result of illness e.g. SARS, severe weather or terrorist attack. The STEPS Local Area Network fails and is unlikely to be restored in the next 24 hours.

On activating the Disaster Recovery Plan the first task is to inform members of the Business Continuity Management Team (BCMT). This is the responsibility of the officer who activates the plan, (contact telephone numbers can be found at Appendix C). 4.0 Business Continuity Management Team (BCMT) The BCMT is made up of staff with the knowledge and authority to implement the Recovery Plan, but is small enough to be conducive to quick and timely decisions. The BCMT should be established immediately after the incident. Should the incident happen outside normal working hours, team members should meet at the earliest opportunity, if necessary before the start of normal work hours. The BCMT’s role is to manage the Disaster Recovery Plan; it must assess the situation and determine the best course of action to meet the objectives. It must also initiate the process to return to normal business. The roles and responsibilities of each member of BCMT are at Appendix D. 4.1 BCMT Members a. b. c. d. e. f. g. h. CO – Chairperson Director of Offender Management – BCMT Co-Coordinator Director of Human Resources Director of Finance Public Relations Officer Policy and Practice Unit ACO Secretary to WYPB Senior Information Services Manager

To assist the BCMT on specific issues, the following should be available to attend meetings: a. IT Project Mangers b. Health and Safety Officer c. Personnel Manager d. Administration Manager e. Deputy Director of Finance f. Senior Admin Officer (Payments) g. Accommodation Services ACO h. Contracts and Partnerships Manager 14

5.0 BCMT Objectives Not all the objectives will be relevant to every incident. The BCMT must determine the objectives that need to be achieved. 5.1 Immediate Objectives The Immediate Objectives must be achieved within 24 hours of the incident occurring. a. b. c. The BCMT’s location, see Appendix E. Informing District Officers, Hostels, NPD, Steria, Mitie, Prisons and Partners about the incident, see Appendix F and Annex A Safe Working Conditions – The Health and Safety Officer should conduct a survey of work areas affected by the incident to assess staff working conditions. A verbal report, with recommendations, should be given to the BCMT, followed by a written report. Appendix D. Secure Information and Valued Assets – The Senior Information Services manager should conduct a survey of areas affected by the incident to assess any security threats to information and valued assets. A verbal report, with recommendations, should be given to the BCMT, followed by a written report. Appendix D. The Public Relations Officer to prepare a Press Release if necessary. Director of HR and Personnel Manager to inform the families of staff affected by the incident, and arrange counselling for staff that may require it. Appendix D.

d.

e. f.

5.2 Primary Objectives The Primary Objective is to re-establish the Primary Assets (see paragraph 3.1 HO Business Impact Analysis) within 48 hours. The Primary Assets (minus the HO Building, see paragraph 5.1a) are: a. b. c. d. The STEPS LAN Network, see Appendix G. Land line telephone communications and related equipment, see Appendix H. Mail, see Appendix I. Establishing Primary Staff with office facilities, see Appendix J.

5.3 Secondary Objectives The Secondary Objective is to re-establish Secondary Assets (see paragraph 3.1 HO Business Impact Analysis) within five to ten working days. The Secondary Assets and target times are: a. b. c. Payroll IT hardware and software in five working days, see Appendix K Finance IT hardware and software in ten working days, see Appendix K. Establishing Secondary Staff with office facilities, Appendix J. 15

5.4 Return to Normal Business The final objective for the BCMT is to establish a management team with the role to plan for the return to normal business. Some of the issues that may be addressed in the plan are: a. b. c. Permanent building and office facilities. Permanent IT facilities. Restoration of non-operational support services e.g. monitoring, training.

16

Appendix C
…………. Contact Details for Chief Officers/Senior Managers CHIEF OFFICERS TEAM

17

18

SENIOR MANAGERS

FOR INFORMATION

19

Appendix D Business Continuity Management Team (BCMT) Role and Responsibilities Chairperson – CO (Deputise – Director of Interventions) Activate Disaster Recovery Plan and assemble the BCMT. Chair the BCMT. To control, direct and manage the Disaster Recovery Plan. Assessment of the impact on the business. Implementation of part or the entire plan immediately following an incident. Key decision-maker at site level. Liase with the NPD. BCMT Co-Coordinator – Director of Offender Management (Deputise - at the Chair’s discretion) or Deputy Chief Officer Deputise for the Chairperson as necessary. Co-ordinate movement to BCMT location. Ensuring BCMT minutes are accurate and up to date Central contact point for BCMT for all calls and enquiries. Liase with emergency services. Provide updates to probation, CS and court offices. Report to and advise the BCMT Chair. Delegate the following: Health and Safety Report of incident site – H&S Officer, see paragraph 5.1c Informing probation offices, hostels, prisons, and partners of the incident and keep updated – HO Administration Manager, see Appendix F. Incident site liaison with emergency services – ACO Restore tele-communication – HO Administration Manager, see Appendix H. Restore mail service – HO Administration Manager, see Appendix I. Senior Information Services Manager Re-establishing and maintaining the STEPS LAN, see Appendix G. Co-ordination of IT, research and security staff, and delegate as necessary, see Appendix J Inform IT Prime Contractor, Steria of incident and liase. Report to and advise the BCMT Chair. Delegate the following: o Security Report on incident site – see paragraph 5.1 d To review the HO Business Impact Analysis and assessment of threats to key business assets annually, and make any necessary changes resulting from the review. Annually test the BCP to ensure its effectiveness and to make any necessary changes resulting from the tests.

20

Director of Human Resources (Deputise – Personnel Manager) Safety and well-being of staff. Responsibility to update on a weekly basis all staff details, including next of kin and to liase with IT to make sure the information exists on a USB Dongle held in the bank for security reasons. Employment of temporary staff. Enforcement of disciplinary procedures. Contact with staff and the family of staff, see paragraph 5.1f. Co-ordination of HR staff and delegate as necessary, see Appendix J. Resolve local staff issues. Counselling of staff, see paragraph 5.1f. Report to and advise the BCMT Chair. Director of Finance (Deputise – Deputy Director of Finance) Re-establishing and maintaining staff pay and financial processors, see Appendix K. Co-ordination of Finance staff and delegate as necessary. Assessment of damage to the building and services. Inform NPD FM/BM Contract Managers and Mitie of the incident and liase. Report to and advise the BCMT Chair. Emergency purchasing facilities. Public Relations Officer (Deputise – Assistant PR Officer) To prepare and release an initial press report, see Appendix M. To liase with the press, see Appendix M. Report to and advise the BCMT Chair. Secretary to WYPB (Deputise – Area Manager, Contacts and Enforcement) Co-ordination of Secretary’s Section staff and delegate as necessary, see Appendix J. Report to and advise the BCMT Chair.

21

Appendix E Re-Location Responsibility of the Director of Offender Management or Deputy Chief Officer 1. The BCMT should be located in an office with internal and external telecommunication facilities, secretarial facilities and an area where staff can congregate whilst awaiting instructions. Several meeting and conference rooms at Head Office meet these requirements. However, if no facilities at Head Office can be used due to the incident, the BCMT should be established at the Other Site or Other Site Three rooms are available for use at Other Site. Conference room. Used by the BCMT. Anti-room. Used by staff waiting for instructions from the BCMT. Quiet room. Used by IT staff and administration staff. 2. 3. If Other Site can not be used because it is also affected by the incident, e.g. electrical power failure throughout Area, then Other Site should be used. In a sealed enveloped and stored in the Lloyds safe deposit box is a USB dongle containing a list of all staff with home addresses, telephone numbers and next of kin details. A copy of the file is held in the HR Department at HO. Any additional equipment required by the IT staff, e.g. desktops, monitors, and by administration staff can be supplied by HO or Other Site.

4.

22

Appendix F NPD and Prime Contractors Contact Details When contacting the organisations for the first time after the incident, report the following: o o o o o What has happened What facilities are affected What is being done New WYPB contact details i.e. address, telephone numbers, fax, etc Regular updates will follow.

NPD, Mitie and Steria NPD ………… Contract Manager ………… Tel: ………… ……. FM/BM Contract Manager ……. Tel: ………… Mitie (See Mitie Disaster Recovery Model at Appendix L) HelpDesk Tel: 01257 236576 (24 hours) Contracts Manager ……….. Tel: 07979 702162 Steria Steria Help Desk Tel: 01142 885300 (0800 – 1800) District Manager ……….. Tel: ……… Mobile: ………. Contact details for District Offices, Hostels, Prisons, Partnerships and Emergency Services can be found in the Directory at Annex A.

23

Appendix G Restoring the STEPS LAN. Responsibility of Senior Information Services Manager. 1. Three sets of back-up tapes are maintained: a. b. 2. 3. Daily back-up tapes are made each evening and stored in a fire proof safe located in the server room. The weekly and monthly back-up tapes are stored off site at the Wakefield Westgate branch of Lloyds Bank.

If the incident resulted in loss of software applications and data, the last known good back-up tape should be used to restore the network. Should the server farm, located at Head Office, be rendered inoperable due to the incident, the LAN should be restored through the installation of the back-up tapes into the Model Office / TRTF Rig located at Steria, Hemel Hempstead. An IT staff member should take the previous day’s back-up tapes (if available) and the previous week’s tapes to the Hemel Hempstead offices and install on the back-up hardware with the aid of Steria staff. Steria should be informed immediately allowing them to prepare the ‘Test Rig’. Work is in progress by NPD to make sure this is a viable option, which would require the WAN link into Steria’s offices upgrading from the current 2Mb link. Also the test rig would need upgrading to be able to cater for all areas including the extra large ones such as West Yorkshire. The Escala CRAMS server is backed-up as per the other servers. However, due to the re-introduction of using CRAMS instead of the WORD contact sheet there is a need to make sure the server can be replaced / relocated within 48 hours. Steria are currently contracted to replace / repair the server on a high priority call. There is a project ongoing to see if we could co-locate with South Yorkshire as they also have a primary link of 34Mb. This would allow both areas to have a means of cover.

24

Appendix H Restoring Tele-Communications Responsibility of the Director of Offender Management or Deputy Chief Officer and Head Office Administration Manager The service provider for landline telephone telecommunications at Head Office and Other Site is ……….. Contact details are:

Help Desk telephone number: …………………… If it is necessary to have telephone calls redirected, new lines established or to initiate the repair to existing lines, contact the HelpDesk at the above number. It should be possible to have redirected from ……… to Other Site within a few hours. WYPB contract number with Telephone Provider is: ………………………..

25

Appendix I Restoring Mail Service Responsibility of the Director of Offender Management or Deputy Chief Officer and Head Office Administration Manager The service provider for mail delivery is the Royal Mail. If it is necessary to have mail addressed to the Head Office redirected or held at the Wakefield Delivery Office, this can be arranged through the Royal Mail Customer Service, but will take two or more days to establish. Royal Mail Customer Service telephone number: 08457 740740 Until then the mail will continue to be delivered to the Head Office address. If it is not possible for the mail to be delivered it will automatically be held at the Wakefield Delivery Office for up to two days. During this period, and before the arrangements made through Customer Service take effect, arrangements can be made to collect the mail from the delivery office by contacting the Delivery Office direct.

Telephone: ………………………

26

Appendix J. Staffing and Office Facilities 1.0 Minimum HO Facilities required 48 hours after the Incident. 1.1 Primary Staff consisting of elements from: o Chief Officers Section. Members of JSU can be re-established at work as needs arise and facilities become available. o IT o Secretary’s Section (to provide legal support) o Policy and Practice Unit (to provide support in the management of High Risk Offenders) o Accommodation Services 1.2 Equipment will be requisitioned as needed 1.3 Staffing of the limited facilities is at the discretion of the BCMT members responsible for above departments. 2.0 Minimum HO Facilities and Staffing Five Days after the Incident. 2.1 Secondary Staff consisting of elements from: o Finance Section (Payroll) o Policy and Practice Support (Accredited Programmes and DTTO Programmes) o Human Resources. 2.2 Staffing of the limited facilities is at the discretion of the BCMT members responsible for above departments. 3.0 Minimum HO Facilities and Staffing Ten Days after the Incident. 3.1 Secondary Staff consisting of elements from: o o o o Information Services Policy and Practice Support (Basic Skills) Secretary’s Section (Contracts & Partnership) Finance Section

3.2 Information Services to assist in the collation and processing of: o o o o o Accredited programmes. DTTO programmes. Basic Skills commencement and award data. PSR recommendations on minority ethnic offenders. NSMART.

27

Appendix K Restoring Payroll Systems To be achieved in five working days Responsibility of Director of Finance and Senior Information Services Manager The BCMT have five options for replacing the payroll with a temporary system: 1. Have the bank repeat the previous month’s payroll via the BACS system. 2. Issue hand written cheques to each employee using bank records from previous payments. 3. Northgate re-build the Resource Link server. This will take approximately seven days. 4. IT staff re-build the Resource Link computer. 5. Delay paying the staff. Which option is the best solution will be determined by a number of factors, such as how close to ‘pay day’ the incident occurs, what IT staff are available and what funds are available. The specification of the Resource Link server is: WIN 2000 Compaq Proliant Server ( 2 x processors ) 3 x Hard drive c: - 8.5Gb d: - 8.5Gb e: - 35Gb 1.5 Gb RAM 4mm DAT Tape Drive Modem BACS link A dot-matrix printer, Printronix P5205, would also be required to print off the staff pay slips. The printer can be bought locally. All the drives are backed up daily and weekly. The weekly backup tapes are stored off site at the Wakefield Westgate branch of Lloyds Bank. The system could be reloaded to a new server directly from the backups with minimal intervention from (service provider), although there would be some re-configuration needed by (service provider). The only software we would need to load directly from CD would be Oracle. We have a copy of Oracle supplied by (service provider). Blank pay slips can be acquired from the suppliers at short notice. They hold sufficient stocks to meet our needs. The supplier’s details are: Econo-Mail LTD Tel: 01902 396600 Fax: 01902 396601

28

Restoring Finance Systems To be achieved in ten working days Responsibility of Director of Finance and Senior Information Services Manager Data is backed-up and held offsite as per Payroll backups. The options for restoring the finance ledger with a temporary system are: 1. A manual system which pays creditors by cheque. 2. Northgate builds a server to run the MIS software and back-up tapes on. 3. The IT department build a server. The MIS finance package needs a similar server to Resource Link payroll system. Unfortunately, MIS back-up tapes cannot be run on the same server as Resource Link because the MIS settings will over-write the previous settings making Resource Link inoperable. Therefore, a second Windows 2000 Server may be required. The hardware for the finance server is currently under review as the current operating system, Windows NT 4.0, is obsolete and not supported anymore. The options are: 1. buy the server outright 2. rent the server. MIS have also given some documentation for the disaster recovery aspect of this server: Option 1 – Full Server Replacement and Restart Service In the event of a disaster MIS would deliver a replacement server to any location within the UK and take responsibility for reloading all backup tapes and configuring users/printers. The Systems Engineer would remain onsite until the system is fully functional and working releasing the Customers IT Staff to concentrate on other critical issues in what would be an undoubtedly stressful time. MIS have a unique policy of maintaining a set of operating system disks configured specifically for each customer which allows us to have the replacement server operational within a few hours of arriving onsite. Option 2 – Restart Service on Customers Hardware This is similar to Option 1 with the exception that the Customer is responsible for providing all the hardware and operating system disks/media etc. MIS Systems Engineers would rebuild the Universe RDBMS, reload our Applications and configure any users/printers remaining onsite until the server was fully functional. With both options we provide a test day in which we attend a mutually agreed location to undertake a ‘dummy’ reload of the system (MIS provide hardware with option 1). This is recommended to prove confidence for both organisations in the recovery procedures and practices.

29

Appendix L

Business Continuity Planning

Disaster Recovery Model

Area Business Continuity Plan

Area to Contact MITIE Helpdesk 01257236576

MITIE Senior Management Team Informed. Co-ordinator appointed

MITIE Helpdesk to Initiate Disaster Recovery plan

NPD DFM informed

MITIE Mobilize Service Provision a. Mechanical & Electrical b. Cleaning c. Security d. Fire Alarms e. Subcontractors

Colliers CRE Mobilize Service Provision a. Temporary Accommodation b. Accommodation c. Landlords Responsibility

30

Appendix M Public Relations Guidelines The following is an extract from WYPB’s ‘A Rough Guide to Public Relations’. CRISIS PR: 1 Anticipate Notify your line manager and the PR Section of any anticipated crisis. The ostrich position does not work. You cannot manage a crisis on your own. 2 Manage Ensure press enquiries are channelled to PR Section. Agree one principal spokesperson, media trained, ideally the CO or most senior Chief Officer available. 3 Assess Deploy responsible member of staff to take press messages and promise to call back. Take time out to assess situation and plan approach. Meet with designated Chief Officer (see above). Establish what has happened. Identify who can fill in the background to crisis. Consider what press might say/ask. Inform others: Committee/Board, staff, Home Office, NPD . Deploy member of staff to supply beverages/sandwiches/phone messages/typing and faxing assistance. Agree press statement, to include: Reassurance/sympathy Action being taken Context

4

Respond
Return all press calls. "No comment" will not do. Use agreed spokesperson/statement only. If interest justifies it, consider press conference to provide all interviews etc, at once.

31

5

Keep In Touch
Log all press calls/responses. Monitor press/crisis developments. Issue further statements if necessary. Cross check other planned PR.

6

Review and Evaluate
Debrief and feedback session with all staff involved. Consider issuing closing, positive press statement. Monitor media coverage.

32

Appendix N

WYPB Head Office, Wakefield General Information Address: Cliff Hill House Sandy Walk Wakefield

Postcode: Telephone Number: Fax Number: Grid Reference: Directions to Site: Type of Accommodation: Number of Staff based on site: Location of Site Plans: Office Manager: Official Key Holders: Utility Contact Numbers: Mitie HelpDesk (24 hours): 01257 236576 Electricity Water: Gas (Transco) 0800 111 999 Mitie HelpDesk (24 hours) Tel: 01257 236576 Tel: Appendix O

33

…. Head Office …… Disaster Recovery Plan – Access to Probation Properties Information Sheet Properties Common Name E.g. HQ etc Office Manager Responsible for Building 1.1.1

Property Address:

Door location for initial entry & final exit:

Key Holders

Light Switch location(s) [To access alarm panel only]: 1.1.2

34

Burglar Alarm Key / control panel location: 1.1.3

Burglar Alarm Disable code and procedure: 1.1.4 1.1.5 1.1.6 1.1.7

Burglar Alarm Set code and procedure:

Entry and Exit walk times for Burglar Alarm

Alarm Monitor Station Tel No. & security code:

Fire Alarm Disable/Silence procedure:

File server room location: 1.1.8

35

Utilities main switch locations

GAS cut off Valve:

ELECTRICITY Main isolator:

ELECTRICITY Secondary isolator:

WATER stop valve:

36

APPENDIX O Head Office Floor Plans

37

Annex A Telephone Number and Address Directory Part 1 Emergency Services
Only in an emergency use 999 where there is danger to life or a crime in progress. West Yorkshire Police For non-emergency calls or to report a crime dial 0845 6060606. If you do not require Police attendance, but you need Police help and advice, call the local HelpDesk (available 24 hours). For …….. dial For …….. Casualty

Fire Brigade

Wakefield Metropolitan District Council

Floodline Advice and information dial 0845 9881188 Yorkshire Water

Gas If you smell gas telephone Transco on 0800 111999 Electricity

38

Part 2 WYPB

Offices

Hostels

39

Part 3

Partnership Addresses

40

West Yorkshire Probation Board Business Continuity Plan

(OFFICE NAME) Version 1.0

Name of Office Continuity Plan – Part 1 Name of Office Business Impact Analysis 1.0 Introduction This document considers the impact on probation services provided by Name of Office in the event of a major incident. It prioritises the key functions and services the Name of Office provides to its customers and the facilities these services are dependant on. This analysis is required to develop the Business Continuity Strategy and a Disaster Recovery Plan. 2.0 Key Business Functions and Assets The Key Business Functions of Name of Office are: Full range of Offender Management Intervention Services for Name of District; Receptionist, admin officer, Office Manager, one duty officer for each team, CP Team, Court Team, CRO Team, Resettlement Team 2.1 Key Business Assets Name of Office ability to provide these functions would be seriously affected if a major incident damaged some or all of the following assets: a. The Probation Centre Name of Office building. b. Land line telephone communications and related equipment. c. Staff – Operational and Administration. Name of Office ability to operate would also be effected, but to a less degree, if an incident damaged some or all of the following assets: a. The STEPS Network. b. Mail. 3.0 Threats to Key Business Assets 3.1 Risk Assessment Table The risk to the Key Business Assets is assessed in the Risk Assessment Table at Annex A. In assessing the risk to business from a specific incident, three elements are measured; impact on business, likelihood of occurrence, and business vulnerability. An impact analysis has already being carried out to identify the Key Business Functions. The table at Annex A measures the Likelihood of an incident and each asset’s Vulnerability. Likelihood is assessed on the following scale: a. b. c. d. Very Low (considered to be unlikely to ever occur) – score 1; Low (considered to be likely to occur only in unusual circumstances) – score 2; Medium (considered to be likely to occur occasionally) – score 3; High (considered to be likely to occur regularly) – score 4;

e. Very High (considered to be likely to occur very frequently) – score 5. Vulnerability is assessed on the following scale: a. Low (if the threat did occur, it is felt unlikely that it damage / disrupt the system) – score 1. b. Medium (if the threat did occur, it is felt could it damage / disrupt the system) – score 2; c. High (if the threat did occur, it is felt would definitely damage / disrupt the system) – score 3. The measure of risk is determined by adding the two scores of likelihood and vulnerability. A very low risk score is 2 and a very high risk score is 8. 3.2 The STEPS Network A comprehensive study of the potential threats and risks to Name of Office Local Area Network (STEPS) has been carried out as part of the National Probation Service network accreditation program (Accreditation Document Set Parts 2 – Risk Management Document (Ref.: Generic Probation Service ADS Part 2 v0.4) dated 16 January 2004. 4.0 Business Continuity Strategy The primary objective in the Probation Service, and other Criminal Justice Organisations, is the protection of the public. In the event of a major incident seriously affecting the ability of Name of Office to operate, Name of Office can best achieve this objective by the immediate relocation of its residence which replicates the Name of Office enhanced level of residential supervision. 4.1 Objectives In the event of an incident at Name of Office the objectives will be: A Enforcement B Public Protection C Protect Staff and Visitors

4.2 Senior Management Implementation Team (SMIT) The objectives will be achieved through establishing a Senior Management Implementation Team (SMIT) consisting of senior managers from Name of Office. The SMIT role is to manage the Disaster Recovery Plan; it must assess the situation and determine the best course of action to meet the objectives. It must also initiate the process to return to normal business.

4.3 Disaster Recovery Plan The Disaster Recovery Plan will provide:

a. b. c. d.

Instructions on when the Plan should be initiated. Roles and responsibilities of the SMIT members. Detailed objectives and the time in which they have to be achieved. Guidance and relevant information on how to achieve the objectives.

Whilst the Recovery Plan will provide guidance on how to respond to incidents, it can not predict all eventualities. It is the responsibility of the SMIT to assess the situation and determine the best course of action to meet the aims. 4.4 Review Date It is the responsibility of the ACO to review the Business Impact Analysis and assessment of threats to key business assets no later than September 2005. Should the review show a change in the analysis or assessments then alterations to the Disaster Recovery Plan should be considered.

Name of Office Continuity Plan – Part 2 Disaster Recovery Plan 1.0 Introduction In the event of a serious incident affecting the physical location, assets, data and staff at Name of Office, the capability to deliver key services must be maintained. The purpose of this plan is to direct and assist staff in achieving this and to start the process of returning to normal business. 2.0 Responsibilities It is the responsibility of the Office Manager to ensure that: a. b. c. Name of Office Continuity Plan (Part 1 - Impact Analysis and Part 2 - Disaster Recovery Plan) is reviewed and tested annually in conjunction with Business Continuity Group @ Head Office. Each member of the Senior Management Implementation Team (SMIT) has a copy of the Plan. CP Weekend Duty Officer Folder/Instructions

3.0 Initial Response to a Serious Incident Activating the Disaster Recovery Plan (Part 2) should be considered if a serious incident results in any of the following: a. b. Name of Office is damaged. This could be the result of a fire, severe weather or terrorist attack. Name of Office is inaccessible. This could be the result of a bomb scare, chemical spillage or crime scene.

The person responsible for activating the plan is the Name of Office SMIT member at the time of the incident. If the incident occurs out of normal working hours, the person aware must inform Duty ACO If the incident occurs during working hours, the person aware must inform their ACO, if they are not available, another ACO at Head Office. On activating the Disaster Recovery Plan the immediate concern is the delivery of Key Services: OM, DAM, ACO Public Protection Programmes ECP

4.0 Senior Management Implementation Team (SMIT) The SMIT is made up of staff with the knowledge and authority to implement the Recovery Plan, but is small enough to be conducive to quick and timely decisions. The SMIT should be established immediately after the incident. Should the incident happen outside normal working hours, team members should meet at the earliest opportunity, if necessary before the start of normal work hours. The SMIT role is to manage the Disaster Recovery Plan; it must assess the situation and determine the best course of action to meet the objectives. It must also initiate the process to return to normal business. The roles and responsibilities of each member of BCMT are at Appendix D. 4.1 SMIT Members – Suggestions for the team if not large disaster eg power cut. a. Office Manager – Chairperson b. DAM - SMIT Co- ordinator c. ACO or Head Office staff as required To assist the SMIT on specific issues, the following Head Office staff should be available to attend meetings: a. b. c. d. e. f. g. h. Deputy Chief Officer Public Relations Officer (see Appendix H). Health and Safety Officer Senior Information Services Manager Personnel Manager Deputy Director of Finance Accommodation Services ACO Contracts and Partnerships Manager

5.0 SMIT Objectives Within 24 hours of the incident occurring the SMIT must inform: a. b. c. All relevant HO Departments, Prime Contractors, Hostels, Prisons, Police, Courts and Partners in the district about the incident, see Appendix F and Annex A. Director of HR and Personnel Manager to inform the families of staff affected by the incident, and arrange counselling for staff that may require it. Deputy Chief Officer to inform the families of residents affected by the incident.

5.1 Return to Normal Business The final objective for the SMIT is to establish a management team with the role to plan for the return to normal business.

Appendix A Temporary Relocation Site A relocation site must be chosen which, for 24 hours, can provide: Telephones plus basic office services In this appendix include the sites address, telephone numbers and directions if necessary. Also liase with staff at the site to ensure they agree with the selection. Suggestions are: Need to contact local council Check if possible to rent short term

Appendix B Transport Arrangements Local Taxi firms ……………..

Appendix C SMITContact Details Determine who will be members of the SMIT and list their names, home address, and home and mobile telephone numbers. Office Manager

DAM

ACO

Appendix D Senior Management Implementation Team (SMIT) Roles and Responsibilities Chairperson - Name of Office Manager Chair the SMIT. To control, direct and manage the Disaster Recovery Plan. Assessment of the impact on the business. Implementation of part or the entire plan immediately following an incident. Key decision-maker at site level. Safety and well-being of staff and residence. Annually test the BCP to ensure its effectiveness and to make any necessary changes resulting from the tests. To review the Business Impact Analysis and assessment of threats to key business assets annually, and make any necessary changes resulting from the review. SMIT Co-Coordinator – Name of Office Deputy Manager Deputise for the Chairperson as necessary. Co-ordinate movement to SMIT location. Ensuring SMIT minutes are accurate and up to date Central contact point for SMIT for all calls and enquiries. Liase with emergency services. Report to and advise the SMIT Chair. Delegate the following: o Health and Safety Report of incident site – H&S Officer. o Security Report of incident site – Senior Information Services Manager. Restore mail service – HO Administration Manager, see Appendix G.

Appendix E Residence Semi-Permanent Relocation Accommodation Responsibility of ACO 1. Keystaff should be located in an office with internal and external telecommunication facilities, an area where staff can congregate whilst awaiting instructions. Meeting and conference rooms at Other Offices meet these requirements. In a sealed enveloped and stored in the Lloyds safe deposit box is a USB dongle containing a list of all staff with home addresses, telephone numbers and next of kin details. A copy of the file is held in the HR Department at HO.

2.

Appendix F Prime Contractors and HO Contact Details When contacting the organisations for the first time after the incident, report the following: o o o o o What has happened What facilities are affected What is being done New WYPB contact details i.e. address, telephone numbers, fax, etc Regular updates will follow.

HO Treasurer’s Section

NPD

Mitie (See Mitie Disaster Recovery Model at Appendix J) Help Desk Tel: 01257 236576 (24 hours)

Contact details for District Offices, Hostels, Prisons, Partnerships and Emergency Services can be found in the Directory at Annex A.

Appendix G Restoring Mail Service All problems with telephone communication should be put through the Finance Section at HO on 01924 885316. The service provider for mail delivery is the Royal Mail. If it is necessary to have mail addressed to Name of Office redirected or held at the local Delivery Office, this can be arranged through the Royal Mail Customer Service, but will take two or more days to establish. Royal Mail Customer Service telephone number: 08457 740740 Until then the mail will continue to be delivered to the Name of Office address. If it is not possible for the mail to be delivered it will automatically be held at the local Delivery Office for up to two days. During this period, and before the arrangements made through Customer Service take effect, arrangements can be made to collect the mail from the delivery office by contacting the Delivery Office direct.

Appendix H Public Relations Guidelines Creating awareness among offenders and victims of changes in reporting arrangements and addresses will be essential. The following is an extract the WYPB Rough Guide to Public Relations’.

CRISIS PR:
1 Anticipate
Notify your line manager and the PR Section of any anticipated crisis. The ostrich position does not work. You cannot manage a crisis on your own.

2

Manage
Ensure press enquiries are channelled to PR Section. Agree one principal spokesperson, media trained, ideally the CO or most senior Chief Officer available.

3

Assess
Deploy responsible member of staff to take press messages and promise to call back. Take time out to assess situation and plan approach. Meet with designated Chief Officer (see above). Establish what has happened. Identify who can fill in the background to crisis. Consider what press might say/ask. Inform others: Committee/Board, staff, Home Office, NPD . Deploy member of staff to supply coffee/sandwiches/phone messages/typing and faxing assistance. Agree press statement, to include: Reassurance/sympathy Action being taken Context

4

Respond
Return all press calls. "No comment" will not do. Use agreed spokesperson/statement only. If interest justifies it, consider press conference to provide all interviews etc, at once.

5

Keep In Touch
Log all press calls/responses. Monitor press/crisis developments. Issue further statements if necessary. Cross check other planned PR.

6

Review and Evaluate
Debrief and feedback session with all staff involved. Consider issuing closing, positive press statement. Monitor media coverage.

Appendix I Site plans To be added later.

Appendix J

Building Information Address:

Postcode: Telephone Number: Fax Number: Type of Accommodation: Number of Staff based on site: Location of Site Plans: Office Manager: Official Key Holders: Utility Contact Numbers: Mitie HelpDesk (24 hours): 01257 236576 Electricity Water: Gas (Transco) 0800 111 999 Mitie HelpDesk Tel: 01257 236576 (24 hours)

District Office Name Disaster Recovery Plan – Access to Probation Properties Information Sheet Properties Common Name E.g. HQ etc Office Manager Responsible for Building

Property Address:

Door location for initial entry & final exit:

Key Holders

Light Switch location(s) [To access alarm panel only]: Burglar Alarm Key / control panel location:

Burglar Alarm Disable code and procedure:

Burglar Alarm Set code and procedure:

Entry and Exit walk times for Burglar Alarm

Alarm Monitor Station Tel No. & security code:

Fire Alarm Disable/Silence procedure:

18

Utilities main switch locations

GAS cut off Valve:

ELECTRICITY Main isolator:

ELECTRICITY Secondary isolator:

WATER stop valve:

19

Annex A

Threats to Key Office Assets The Office Building Electrical Power failure Fire Water damage Terrorist

Likelihood

Vulnerability

Measure of Risk (2-low, 8-high)

2 2 4 1

3 2 2 3

5 4 6 4

Land Line Telephone Communications and Related Equipment Area wide failure Local failure Electrical Power failure Terrorist Mail Mail staff strike Incident at local sorting office Incident with delivery van Staff Large section of the staff from one section leaving Large section of the staff being affected by illness eg SARS Strike by staff Severe weather stopping staff getting to work. Fuel shortage stopping staff getting to work. 1 2 1 1 3 3 3 3 2 1 1 1 4 4 3 2 3 2 1 2 2 3 3 4 5 5 4

2 4 2

1 1 1

3 5 3

20

Annex B Telephone Number and Address Directory Part 1 Emergency Services
Only in an emergency use 999 where there is danger to life or a crime in progress. …………….. Police For non-emergency calls or to report a crime dial 0845 6060606. If you do not require Police attendance, but you need Police help and advice, call the local HelpDesk (available 24 hours). For (office name) dial: This will put you through to ………… local police station. Casualty

Fire Brigade

Council Offices

Floodline Advice and information dial 0845 9881188 Yorkshire Water

Gas If you smell gas telephone Transco on 0800 111999

Electricity

21

Part 2 WYPB

Offices

Hostels

Part 3

Partnership Addresses

22

West Yorkshire Probation Board Business Continuity Plan

(OFFICE NAME) Version 1.0

Hostel Name Continuity Plan Disaster Recovery Plan 1.0 Introduction In the event of a serious incident affecting the physical location, assets, data and staff at Hostel Name, the capability to manage residents must be maintained. The purpose of this plan is to direct and assist staff in achieving this and to start the process of returning to normal business. 2.0 Responsibilities

It is the responsibility of Hostel Name SPO/Manager to ensure that: a. b. c. 3.0 The Hostel Name Continuity Plan (Part 1 Impact Analysis and Part 2- Disaster Recovery Plan) is reviewed and tested annually. Each member of the Senior Management Implementation Team (SMIT) has a copy of the Plan. The Hostel Name Deputy Manager has a copy of the Plan

Initial Response to a Serious Incident

Activating the Disaster Recovery Plan (Part 2) should be considered if a serious incident results in any of the following: a. b. Hostel Name is damaged. This could be the result of a fire, severe weather, public protest or terrorist attack. Hostel Name is inaccessible. This could be the result of a bomb scare, chemical spillage, crime scene, public protest.

The person responsible for activating the plan is the Hostel Name Duty Manager at the time of the incident. If the incident occurs out of normal working hours, the Duty Manager must inform Other Hostel. It is the responsibility of the Other Hostel Duty Manager to inform the Duty ACO, the Hostel Manager and the Prisons and Hostels ACO. If the incident is at Other Hostel, the Duty Manager should contact duty ACO for similar assistance. If the incident occurs during working hours, the Duty Manager must inform the Prisons and Hostel ACO or, if they are not available, another ACO at Head Office. On activating the Disaster Recovery Plan the immediate concern is the relocation of residence. Duty Manager must: Ensure all the residents are present or their location is known eg. Hospital, police cells. Inform the Resident Relocation Site of the Incident and the imminent arrival of the residents. See Appendix A. Arrange transport for the resident to the Relocation Site. See Appendix B. On arrival at the Relocation Site ensure all the residents are present or their location is known.

Once the above has been achieved and all the residents are accounted for, the Duty Manager must contact any members of the Senior Management Implementation Team (SMIT) who are not already aware of the incident. See Appendix C. 4.0 Senior Management Implementation Team (SMIT)

The SMIT is made up of staff with the knowledge and authority to implement the Recovery Plan, but is small enough to be conducive to quick and timely decisions. The SMIT should be established immediately after the incident. Should the incident happen outside normal working hours, team members should meet at the earliest opportunity, if necessary before the start of normal work hours. The SMIT role is to manage the Disaster Recovery Plan; it must assess the situation and determine the best course of action to meet the objectives. It must also initiate the process to return to normal business. The roles and responsibilities of each member of SMIT are at Appendix D. 4.1 SMIT Members – a. b. c. d. Hostel Name Manager- Chairperson Deputy Manager – SMIT Co-ordinator Prisons and Hostels ACO Other Hostel Name or Head Office staff as required

To assist the SMIT on specific issues, the following members of the Business Continuity Managers Team (BCMT) should be available to attend meetings: a. b. c. d. e. f. g. h. 5.0 Deputy Chief Officer Public Relations Officer (see Appendix H). Health and Safety Officer Senior Information Services Manager Personnel Manager Deputy Director of Finance Accommodation Services ACO Contracts and Partnerships Manager

SMIT Objectives

Within 24 hours of the incident occurring the SMIT must: a. b. Be located at Residents Temporary Relocation Site. Arrange relocating the residents to semi-permanent accommodation, which provide supervision and a supportive environment relative to the threat each resident presents to the public. Priority must be given to residence considered a High Risk to the public, probation staff and /or themselves. Options for semi-permanent accommodation are at Appendix E. Informing all relevant HO Departments, Prime Contractors, Hostels, Prisons, Police, Courts and Partners in the district about the incident, see Appendix F and Annex A. Director of HR and Personnel Manager to inform the families of staff affected by the incident, and arrange counselling for staff that may require it. Deputy Chief Officer to inform the families of residents affected by the incident.

c. d. e.

5.1

Return to Normal Business

The final objective for the SMIT is to establish a management team with the role to plan for the return to normal business.

Appendix A Residents Temporary Relocation Site A relocation site must be chosen which, for 24 hours, can provide: enhanced supervision moderate comfort (sleeping facilities are not required) food and refreshment 24 hour staff In this appendix include the sites address, telephone numbers and directions if necessary. Also liase with staff at the site to ensure they agree with the selection. Name, Address and Telephone number of re-location site

Appendix B Transport Arrangements Local Taxi firms

Appendix C SMIT Contact Details Determine who will be members of the BCMT and list their names, home address, and home and mobile telephone numbers.

Appendix D Senior Management Implementation Team (SMIT) Roles and Responsibilities Chairperson – Hostel Name Manager Chair the BCMT. To control, direct and manage the Disaster Recovery Plan. Assessment of the impact on the business. Implementation of part or the entire plan immediately following an incident. Key decision-maker at site level. Safety and well-being of staff and residence. Annually test the BCP to ensure its effectiveness and to make any necessary changes resulting from the tests. To review the Business Impact Analysis and assessment of threats to key business assets annually, and make any necessary changes resulting from the review. SMIT Co-Coordinator – Hostel Name Deputy Manager Deputise for the Chairperson as necessary. Co-ordinate movement to SMIT location. Ensuring SMIT minutes are accurate and up to date Central contact point for SMIT for all calls and enquiries. Liase with emergency services. Report to and advise the SMIT Chair. Delegate the following: o Health and Safety Report of incident site – H&S Officer. o Security Report of incident site – Senior Information Services Manager. Restore mail service – HO Administration Manager, see Appendix G.

Prisons and Hostels ACO Co-ordination with IT, HR and other HO Departments. Inform estates Prime Contractor, Mitie, of incident and liase. Inform district offices, Hostels, Prisons, Police and partners of the incident and keep updated, see Appendix F and Annex A. Employment of temporary staff. Report to and advise the BCMT Chair.

Appendix E Residence Semi-Permanent Relocation Accommodation Within 24 hours of the incident occurring, the BCMT must have relocated the …….. residents to appropriate semi-permanent accommodation. This accommodation must be suitable for the Risk the resident represents to the public, staff and/or themselves. Priority on relocation must be given to those considered High Risk. Options for relocation include: Other Hostels in (Area) Hostels outside (Area) Prison Bail addresses

Appendix F Prime Contractors and HO Contact Details When contacting the organisations for the first time after the incident, report the following: o o o o o What has happened What facilities are affected What is being done New (Area) contact details i.e. address, telephone numbers, fax, etc Regular updates will follow.

HO Treasurer’s Section

NPD

Board hostels – Mitie (See Mitie Disaster Recovery Model at Appendix J) Help Desk Tel: 01257 236576 (24 hours) Contracts Manager

Contact details for District Offices, Hostels, Prisons, Partnerships and Emergency Services can be found in the Directory at Annex A.

Appendix G Restoring Mail Service All problems with telephone communication should be put through to the Finance Section at HO The service provider for mail delivery is the Royal Mail. If it is necessary to have mail addressed to the Hostel Name address redirected or held at the local Delivery Office, this can be arranged through the Royal MAIL Customer Service, but will take two days or more to establish. Royal Mail Customer Service telephone number: 08457 740740 Until then the mail will continue to be delivered to the Hostel Name address. If it is not possible for the mail to be delivered it will automatically be held at the local Delivery Office for up to two days. During this period, and before the arrangements made through the Customer Service take effect, arrangements can be made to collect the mail from the delivery office by contacting the Delivery Office direct.

Appendix H Public Relations Guidelines 1. Creating awareness among offenders and victims of changes in reporting arrangements and addresses will be essential. The following is an extract from WYPB Rough Guide to Public Relations’. CRISIS PR:
1 Anticipate

2.
2.1

Notify your line manager and the PR Section of any anticipated crisis. The ostrich position does not work. You cannot manage a crisis on your own.
2.2 2 Manage

Ensure press enquiries are channelled to PR Section. Agree one principal spokesperson, media trained, ideally the CO or most senior Chief Officer available.
2.3 3 Assess

Deploy responsible member of staff to take press messages and promise to call back. Take time out to assess situation and plan approach. Meet with designated Chief Officer (see above). Establish what has happened. Identify who can fill in the background to crisis. Consider what press might say/ask. Inform others: Committee/Board, staff, Home Office, NPD . Deploy member of staff to supply coffee/sandwiches/phone messages/typing and faxing assistance. Agree press statement, to include: Reassurance/sympathy Action being taken Context

2.4

4

Respond

Return all press calls. "No comment" will not do. Use agreed spokesperson/statement only. If interest justifies it, consider press conference to provide all interviews etc, at once.

2.5

5

Keep In Touch

Log all press calls/responses. Monitor press/crisis developments. Issue further statements if necessary. Cross check other planned PR.
2.6 6 Review and Evaluate

Debrief and feedback session with all staff involved. Consider issuing closing, positive press statement. Monitor media coverage.

Appendix I Site plans

Appendix J

Building Information Address: Postcode: Telephone Number: Fax Number: Type of Accommodation: Number of Staff based on site: Location of Site Plans: Office Manager: Official Key Holders Utility Contact Numbers:

Electricity Water:

Gas (Transco) 0800 111 999

2.7

Approved Premises Name:

Disaster Recovery Plan – Access to Probation Properties Information Sheet Properties Common Name E.g. HQ etc Office Manager Responsible for Building

Property Address: Elm Bank Hostel Bradford Rd Cleckheaton BD19 3LW Door location for initial entry & final exit:

Key Holders

Light Switch location(s)access alarm panel only]:

Burglar Alarm Key / control panel location:

Burglar Alarm Disable code and procedure:

Burglar Alarm Set code and procedure:

Entry and Exit walk times for Burglar Alarm

Alarm Monitor Station Tel No. &

security code:

Fire Alarm Disable/Silence procedure:

2.7.1 Utilities main switch locations

2.7.2 GAS cut off Valve:

2.7.3 ELECTRICITY Main isolator:

2.7.4 ELECTRICITY Secondary isolator:

2.7.5 WATER stop valve:

Annex A Telephone Number and Address Directory Part 1 Emergency Services
Only in an emergency use 999 where there is danger to life or a crime in progress. …………….. Police For non-emergency calls or to report a crime dial 0845 6060606. If you do not require Police attendance, but you need Police help and advice, call the local HelpDesk (available 24 hours). For (Hostel name) dial: Casualty

Fire Brigade

Local council office

Floodline Advice and information dial 0845 9881188 Water

Gas If you smell gas telephone Transco on 0800 111999 Electricity

Part 2 ……… Offices

Hostels

Part 3

Partnership Addresses