Business Continuity Plan – Safeguard Integrated Risk
Management System
Version Control
Review Date
29/11/11
12/12/11
23/01/13
Changes
Policy Review and changes
Agreed by CITS IG Security Manager
Review
Author
Dave Watson
Andrew Mann
Dave Watson
Business Continuity Plan – Safeguard Integrated Risk Management System
1.
Purpose of the Plan
1.1
The objective of this document is to detail the plans to be implemented in the event that the
Safeguard Integrated Risk Management System, for whatever reason, becomes inoperable.
Cornwall Partnership NHS Foundation Trust aims to manage any system failure so that minimal
disruption occurs to the delivery of patient care.
1.2
The document will list responsibilities, key actions and the methodology identified for managing
any downtime incidents.
1.3
The Trust is responsible for the retrospective data entry whilst the system was inoperable. Most
importantly a method of communicating to all concerned the current status of the problem has
been identified.
1.4
The responsible Information Asset Owner is the Trust Information Governance Lead.
2.
Scope of the Plan
2.1
The system provider is Ulysses. The system does not replace any existing computerised system
but allows the user to electronically manage incidents, inquest outcomes, customer service
enquiries, access to health record enquiries and litigation inquiries as is relevant to their role /
authorised access rights.
3.
Risk Assessment
3.1
This risk assessment is based on the system being unavailable for between 0 – 48 hours, if the
system is unavailable for longer period then the consequence score will increase.
Domains
Consequence
Score
Likelihood Score
Risk Score
Risk Grade
Impact on the safety of
patients, staff, or public
1
(physical/psychological
harm)
3
3
Low Risk
Quality/Complaints/Audit
2
3
6
Moderate Risk
Statutory
Duty/inspections
2
3
6
Moderate Risk
4.
Business Continuity Plan Dependencies
4.1
Team Managers are responsible for ensuring that the paper forms are available.
4.2
Key staff to be aware of the contact details for Ulysses, and how / who to contact in the event of
a system failure.
Page 2
4.3
Key personnel (e.g. Team Leaders) will be kept informed of the current state of the System and
the expected timescale of when the system will be available.
4.4
The server is protected by security to prevent unauthorised access (physical and electronic) and
also against environmental threats such as power loss, over heating or water damage and
controls to prevent accidental damage.
5.
Business Continuity Process
5.1
Unplanned Downtime
Time Scale
Action
By Whom
Immediate
Report unavailability of system to Service Lead and
Information Asset Owner, the Trust IM&T Team and the
CITS Service Desk by ringing 01208 834600.
CITS to check local infrastructure problems. If there are
network or hardware issues, then CITS to advise length
of downtime.
Staff member to contact IAO / IAA by contacting the
Governance Dept on 01208 834600.
If there are no network or hardware issues, Information
Asset Owner / Information Asset Administrator to
contact Ulysses on 02392 440540
Service Manager or Team Leader to consider the
authorisation of the use of paper forms for upload when
system back on line.
CITS and / or Ulysses to advise on potential downtime.
Service loss to be reported as an incident.
CFT Staff
0-2 hours
2 – 24 hours
24 – 72
hours
72 hours +
Service
Restored
CITS
CFT Staff
Information Asset Owner /
Risk Management
Coordinator
Service Lead / Team Leader
CITS / Ulysses
Information Asset Owner /
Risk Management
Coordinator
Service Manager or Team Leader to consider the Service Lead / Team Leader
authorisation of the use of paper forms for upload when
system back on line.
CITS / Ulysses to provide continual updates on service CITS / Ulysses
restoration time frames.
IAO / IAA to consider raising this as a Serious Incident Service Lead / Team Leader
(SI) for Executive Awareness and Input.
Request daily restoration reports from suppliers.
Information Asset Owner /
Risk Management
Coordinator
Completion of online Incident Report.
Information Asset Owner /
Risk Management
Coordinator
Manual re key of incidents, enquiries and inquiries Admin Staff
created.
Root cause analysis and any recommendations to Information Asset Owner /
reduce/remove the risk of re-occurrence fed back into Risk Management
Risk Assessment and controls.
Coordinator
Page 3
5.2 Out of Hours
The web incident reporting part of the system is the only part of the system used during out of hours.
There is not a specific out of hours service support service. Any outages will be managed during the
working week.
5.3
Planned Downtime
Any planned downtime will be managed locally by the Information Asset Owner and/ or Risk
Management Coordinator.
6.
Key Contact Numbers
Key Contact
Contact Number
CITS Service Desk
Ulysses
Trust Switchboard
Governance Dept - Information Asset Owner/ Risk Management
Coordinator
01209 881717
02392 440540
01208 251300
01208 834600
Page 4
Downtime Incident Recording Forms



These forms do not replace reporting an incident but provide a solution by which important
information can be captured to enable the reporting of an incident once the system is available.
All forms must be entered into Safeguard once it becomes available.
Once re-entered in Safeguard, this form must be either be securely shredded or disposed of
via the confidential waste service.
Incident details
Date and time:
Location of
incident:
Subject Details:
Incident detail:
Injuries/ restraints/
theft/ breach etc:
TMAV Incident:
Seclusion
Incident:
Mental Health Act
Incident:
Safeguarding
Incident:
Medication
Incident:
Security Incident:
Medical Devices
Incident:
Witness Details:
Police Details:
Page 5