Professional Documents
Culture Documents
SMS-GS-RM2 Business Continuity & Crisis Management- July 2014 - V1.0 – Serco Public
Document Details Contents
Document Details Serco Public 1 Objectives ........................................................................................... 1
2 Policy Standards .................................................................................. 1
Reference Version
SMS GS-RM2: 1 2.1 Policy .......................................................................................... 1
Business Continuity & Crisis Management 2.2 Crisis management planning ......................................................... 1
Approval Date Date for next review
2.3 Business continuity planning ......................................................... 2
July 2014 July 2016
2.4 Document management ............................................................... 2
Applicability
Serco Group covering all business regions, operating companies and business 2.5 Training, awareness and competence ............................................ 2
units throughout the world1 2.6 Exercising and testing .................................................................. 2
Authority 2.7 Embedding a business continuity culture ....................................... 3
Chief Executive, Serco Group plc
3 Responsibilities & Accountabilities ......................................................... 3
Accountable Policy Owner (Group) 4 Processes and Controls ........................................................................ 5
Director Risk and Acquisitions
4.1 Governance processes and controls ............................................... 5
Additional Information
Supporting standards, standard operating procedures and guidance relating to 4.2 Key processes and controls ......................................................... 10
this Group Standard are available on ‘Our World’ under Serco Management 5 Supporting documentation and guidance ............................................ 13
System
Governance 6 Definitions......................................................................................... 13
Our policies and standards, together with any regional or market requirements 7 Further information and support ......................................................... 14
and enhancements to them, are authorised through a robust governance
process. The SMS Quality Manual describes this process and is available on Our
World under Serco Management System.
Consequence Management
As a Group Standard the requirements detailed in this document are mandated
and must be adhered to. Non-compliance will have consequences which may
include disciplinary action. The Consequence Management Group Standard
(Ref: SMS-GS-G1) details how instances of non-compliance will be dealt with.
1
As used herein, Serco Group and its affiliates, subsidiaries and operating companies are referred
to as ‘Serco’, the ‘Company’ or ‘company’, or ‘we’, ‘us’ or ‘our’.
SMS-GS-RM2 Business Continuity & Crisis Management- July 2014 - V1.0 – Serco Public
1 Objectives 2 Policy Standards
Business Continuity Management is a strategic, integrated, business 2.1 Policy
discipline encompassing the tactical capability of the organisation to
plan for and respond to unplanned disruptions, in order to continue S1. Business Continuity and Crisis Management policy, standards and
operating at an acceptable pre-defined level. management systems (including procedures and work instructions) will
be defined, documented, implemented and maintained
Crisis Management is the response to, and management of, an S2. Systems and procedures will be appropriate and proportionate to the
intense, unexpected and unstable state that disrupts normal nature of the organisation’s Business Continuity and Crisis Management
operations and has highly undesirable outcomes which require risks
extraordinary measures to restore order and normality.
S3. Systems and procedures will be regularly reviewed (at least annually) to
Our Business Continuity and Crisis Management objectives are to: ensure they reflect contractual requirements and:
understand the business continuity risk profile of our contracts, a. laws, regulations, approvals, licences and other legal requirements
services and operations b. international, national and regional standards
establish recovery priorities c. industry best practice
document Crisis Management, Business Continuity and Incident d. government framework requirements
Management actions required e. expectations of auditors, customers and interested parties
comply with applicable external requirements, meeting and
exceeding the expectations of our regulators and customers 2.2 Crisis management planning2
build a culture that actively encourages business continuity S4. Comprehensive Crisis Management Plans, including a suitable alert
awareness, builds resilience from the outset and ensures we co- process, will be developed for Serco Group, its Divisions, Business Units
operate with our partners with whom we share responsibilities, and Contracts. These will describe actions to be taken to address
premises or activities unplanned disruptive events
S5. Controls will be applied to manage the development and implementation
of Crisis Management Plans
S6. Plc Board, Executive Committee, Divisional Executive Management
Team members, Business Unit Managing Directors and Contract
Managers will be trained in the use and implementation of Crisis
Management Plans
S7. Crisis Management incidents will be classified, reported, recorded on
ASSURE and investigated in accordance with incident reporting
procedures3
2
See Crisis Management Manual Ref: CMM and Crisis Communications Manual Ref: CCM
1 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
2.3 Business continuity planning4 S16. Business Continuity Incident Management Plans will be established to
control invocation of the Business Continuity Plans
S8. Business Continuity Plans are required at Group, Divisional, Business
Unit and Contract level, which include specific actions required when S17. Business Continuity incidents will be classified, reported, recorded on
responding to a business continuity incident ASSURE and investigated in accordance with incident reporting
procedures7
S9. Contracts and sites under Serco control will develop Business Continuity
Plans that describe actions to be taken to ensure operations and service
delivery can continue during unplanned disruptive events including the
2.4 Document management
loss or unavailability of: S18. All plans and supporting documents created within Serco as part of the
a. physical Business Continuity, Crisis Management, or Disaster Recovery process
b. employee and/or will be held within a secure environment and classified as Serco in
c. information assets Confidence
S10. Where there is a significant IT dependency, Disaster Recovery Plans S19. Requests for copies or access to Business Continuity, Crisis
might also be required5 Management, or Disaster Recovery Plans and supporting documents are
S11. A Business Impact Analysis will be completed to determine the level of not permitted unless authorised by the Group or Division Business
support required to manage business continuity risks and the areas to Continuity and Crisis Management Lead or their nominated deputy
be included within a Business Continuity Plan
S12. For sites not under Serco control, the site management team will ensure
2.5 Training, awareness and competence
that Serco business continuity arrangements are aligned with those of S20. Training needs of employees who have an active role in the
the controlling customer development and implementation of Business Continuity and Crisis
S13. Where Serco outsources to third parties, a review of their Business Management Plans will be identified, with appropriate training delivered
Continuity provisions will take place at least annually
S14. Divisional Executive Management Teams will ensure that Business
2.6 Exercising and testing
Continuity Plans are in place across the Division and reviewed at least S21. At least annually, exercises will be applied to Crisis Management Plans,
annually to ensure existing processes and controls are being Business Continuity Plans and Incident Management Plans; with any
consistently applied corrective or preventative actions implemented as a result
S15. Business Continuity risks will be reviewed in line with Serco Risk S22. Learning from the testing of Crisis Management, Business Continuity
Management requirements in order to ensure risk-based Business and Incident Management Plans will be shared across the organisation
Continuity Plans are developed and maintained6 and with other interested parties
3
See Incident Reporting and Management GSOP Ref: SMS GSOP O1-2
4
See Business Continuity Management Manual Ref: BCM and Business Continuity Self-Assessment
Template Ref: BCSA
5
See Information Technology Group Standard Ref: SMS GS-IT1
6 7
See Risk Management Group Standard Ref: SMS-GS-RM1 See Incident Reporting and Management GSOP Ref: SMS GSOP O1-2
2 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
2.7 Embedding a business continuity culture b. ensuring procedures and key controls, remain fit for purpose, reflect
legislative and regulatory requirements and effectively manage
S23. Management will understand their role in influencing the Business Business Continuity and Crisis Management risks
Continuity culture within their area of responsibility and seek to c. developing, testing and exercising Business Continuity, Crisis
continually improve its performance Management and Incident Management Plans, where appropriate,
for the Division
d. providing oversight and reporting Divisional Business Continuity and
3 Responsibilities & Accountabilities Crisis Management performance and appropriateness of plans
e. providing competent Business Continuity and Crisis Management
S24. The following responsibilities will apply to the delivery of the defined advice and support in the development, testing and exercising of
standards. If these are not completed effectively, the person Business Continuity and Crisis Management Plans
responsible will be accountable for any consequences8. f. influencing the Business Continuity culture by demonstrating the
Group value of Business Continuity and Crisis Management planning
S25. The Group CEO will appoint a Group Business Continuity and Crisis Business Unit
Management lead responsible for:
a. developing and maintaining Group Business Continuity and Crisis S27. The Business Unit Managing Director is responsible for:
Management policy a. complying with Business Continuity and Crisis Management policy,
b. ensuring standards and associated procedures and key controls standards, procedures and key controls
remain fit for purpose, reflect legislative and regulatory b. developing, testing and exercising Business Continuity, Crisis
Management and Incident Management Plans, where appropriate,
requirements and effectively manage Business Continuity and Crisis
Management risks for the Business Unit
c. providing oversight and reporting Business Continuity and Crisis c. ensuring appropriate Business Continuity and Crisis Management
resources are appointed to support the Business Unit, manage
Management performance
d. developing, testing and exercising Business Continuity, Crisis Business Continuity and Crisis Management risks and provide
Management and Incident Management Plans, where appropriate, competent Business Continuity and Crisis Management advice
for Group d. influencing the Business Continuity culture by demonstrating the
e. influencing the Business Continuity culture by demonstrating the value of Business Continuity planning
value of Business Continuity and Crisis Management planning Contract/Function
Division
S28. The Contract Manager (or Corporate Function Head) is responsible for:
S26. The Divisional CEO will appoint a Divisional Business Continuity and a. complying with Business Continuity and Crisis Management policy,
Crisis Management Lead responsible for: standards, procedures and key controls
a. implementing Business Continuity and Crisis Management policy, b. ensuring Business Continuity and Crisis Management responsibilities
standards, procedures and key controls across the Division; which are clearly defined
may include the development of country/region/Divisional c. developing, exercising and testing Business Continuity, Crisis
procedures and management systems Management and Incident Management Plans, as required
8
See Consequence Management Group Standard Ref:SMS-GS-G1
3 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
d. ensuring local controls are implemented for providing assurance
that Business Continuity and Crisis Management risks are being
effectively managed
e. influencing the Business Continuity culture by demonstrating the
value of Business Continuity planning
4 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
4 Processes and Controls
4.1 Governance processes and controls
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
outcomes and/or the delivery of policy outcomes. These are mandated and are operating effectively
the minimum that should be implemented regardless of any local
difference
function (S27)
Division (S25)
All Employees
Business Unit
Group (S24)
Contract /
(S26)
Ref Description
Ref Description
P1 Business Continuity and Crisis Management C1 A Group Business Continuity and Crisis
responsibilities are defined and understood Management Lead is appointed by the Group
CEO with responsibility for:
Developing and maintaining Group business
continuity and crisis management policy
Ensuring standards and associated
procedures and key controls remain fit for
purpose, reflect legislative and regulatory
requirements and effectively manage
business continuity and crisis management
risks
Providing oversight and reporting business
continuity and crisis management
performance
developing, testing and exercising Business
Continuity and Crisis Management Plans,
where appropriate, for Group
Influencing the Business Continuity culture
by demonstrating the value of Business
Continuity and Crisis Management planning
5 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
outcomes and/or the delivery of policy outcomes. These are mandated and are operating effectively
the minimum that should be implemented regardless of any local
difference
function (S27)
Division (S25)
All Employees
Business Unit
Group (S24)
Contract /
(S26)
Ref Description
Ref Description
6 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
outcomes and/or the delivery of policy outcomes. These are mandated and are operating effectively
the minimum that should be implemented regardless of any local
difference
function (S27)
Division (S25)
All Employees
Business Unit
Group (S24)
Contract /
(S26)
Ref Description
Ref Description
7 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
outcomes and/or the delivery of policy outcomes. These are mandated and are operating effectively
the minimum that should be implemented regardless of any local
difference
function (S27)
Division (S25)
All Employees
Business Unit
Group (S24)
Contract /
(S26)
Ref Description
Ref Description
P2 Establish Business Continuity and Crisis C5 Policy, standards and Group procedures are
Management policy defined and published
8 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
outcomes and/or the delivery of policy outcomes. These are mandated and are operating effectively
the minimum that should be implemented regardless of any local
difference
function (S27)
Division (S25)
All Employees
Business Unit
Group (S24)
Contract /
(S26)
Ref Description
Ref Description
P3 Establish Business Continuity systems and C7 Appropriate Business Continuity and Crisis
processes Management systems and supporting
procedures and work instructions are
proportionate to Business Continuity and Crisis
Management risks, defined, published and
communicated
9 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
4.2 Key processes and controls
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy outcomes The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
and/or the delivery of policy outcomes. These are mandated and operating effectively
are the minimum that should be implemented regardless of any
Contract / function
local difference
Division (S25)
All Employees
Business Unit
Group (S24)
Ref Description
(S26)
(S27)
Ref Description
10 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy outcomes The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
and/or the delivery of policy outcomes. These are mandated and operating effectively
are the minimum that should be implemented regardless of any
Contract / function
local difference
Division (S25)
All Employees
Business Unit
Group (S24)
Ref Description
(S26)
(S27)
Ref Description
11 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
Process Controls Responsibility
A set of related activities that must be carried out to achieve policy outcomes The action we put in place to mitigate a risk(s) within a key process for ensuring controls are in place and
and/or the delivery of policy outcomes. These are mandated and operating effectively
are the minimum that should be implemented regardless of any
Contract / function
local difference
Division (S25)
All Employees
Business Unit
Group (S24)
Ref Description
(S26)
(S27)
Ref Description
P8 Training, Awareness and Competence C23 Employees who have an active role in the
development and implementation of Business
Continuity and Crisis Management Plans have
received appropriate training
12 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public
5 Supporting documentation and
guidance 6 Definitions
The following should be read in conjunction with this Standard: Term Definition
Accountability Being accountable means being not only
Ref Document responsible for something but also answerable for
your actions.
SMS-GS-G1 Consequence Management Group Standard
Responsibility A responsible person is the individual who
SMS-GS- RM1 Risk Management Group Standard
completes the task required. Responsibility can be
SMS-GS-IT Information Technology Group Standard shared and delegated.
SMS GSOP O1-2 Incident Reporting & Management GSOP
All responsible persons will also be accountable
ISO/IEC 22301 Business Continuity Management
for completing tasks effectively. Non-compliance
CMM Crisis Management Manual will have consequences which may include
disciplinary action as defined within the
CCM Crisis Communication Manual
Consequence Management Group Standard.
BCM Business Continuity Manual
Group Serco Group plc is the administrative centre of the
BCSA Business Continuity Self-Assessment Template organisation, responsible for setting corporate
strategy, defining governance requirements and
supporting the business in its day to day
operations
Division The Group will define a set of business divisions
which will be responsible for business delivery
within a defined set of markets or geographies.
Business Unit A Business Unit is a cluster of contracts which
provide a similar service e.g. Health, Defence,
Transport etc.
Where appropriate, a separate legal entity wholly
owned or where Serco has a controlling share
may also be referred to as a Business Unit, where
appropriate.
This may also refer to Counties/Territories
SMS-GS-RM2 Business Continuity & Crisis Management- July 2014 - V1.0 – Serco Public
Term Definition 7 Further information and support
Contract A Contract provides specified requirements to a
customer (either directly with Serco or to a If you require any further information or support regarding this Group
consortium/Joint Venture in which Serco is a Standard, or if you have any suggestions for improvement, please contact
party) the Accountable Policy Owner (Group) or email sms@serco.com
A Contract will also refer to a corporate/functional
area.
Corporate/functional areas are functions which
support the business and they include finance,
HR, procurement etc.
Crisis A crisis is an event that impacts on Serco’s ability
to achieve its corporate objectives
Business Continuity A business continuity incident or event impacts on
incident the operation or service delivery of a Business
Unit or Contract
Business Continuity A plan which details how a Business Unit or
Plan Contract will continue to operate in the event of an
unplanned disruption
Business Impact A process of analysing activities and the effect
Analysis (BIA) that a business disruption might have upon them
14 – SMS-GS-RM2 Business Continuity & Crisis Management – July 2014 – V1.0 – Serco Public