Agenda Item 14 - NHS Shetland · Key Performance Indicators (KPIs) and outline plans for exercising...

Meeting: Shetland NHS Board

Date: 4th December 2018

Report Title: Resilience and Business Continuity

Reference Number: Board Paper 2018/19/49 Board Paper 2018/19/50

Author / Job Title: Dr Susan Laidlaw, Consultant in Public Health Medicine

(Executive Lead - Susan Webb, DPH for NHS Grampian and NHS Shetland)

Decisions / Action required:

The Board is asked to:

(i) receive and approve the NHS Shetland Resilience and Business ContinuityStrategy 2018-2021 (Board Paper 2018/19/50)

(ii) receive the NHS Shetland Resilience and Business Continuity Annual Reportfor 2017-18 (Board Paper 2018/19/51)

(iii) continue to support resilience and business continuity work within NHSShetland

High Level Summary:

This is the third version of the Resilience and Business Continuity Strategy, which was originally written in 2011. It has been extensively revised to reflect changes in local arrangements for resilience and business continuity planning; national work (specifically the NHS Scotland Standards for Organisational Resilience); recommendations from an internal audit of business continuity management; and new and emerging threats.

The Strategy outlines roles and responsibilities in relation to resilience and business continuity; national guidance and the local implementation of that guidance. It includes Key Performance Indicators (KPIs) and outline plans for exercising and training over the next three years.

The Resilience and Business Continuity Annual Report for 2017-18 is also attached. This outlines work undertaken during last year, including response to incidents and the exercising and training programme. Future Annual Reports will report more specifically on progress against this Strategy, including reporting on the KPIs.

Corporate Priorities and Strategic Aims:

Effective resilience /emergency planning and business continuity planning are essential to the running of any organisation, and are a specific responsibility of NHS Boards as Category 1 responders.

Agenda Item

14

The NHS Scotland Standards for Organisational Resilience set out the requirements the Board is expected to meet in order to ensure resilience and the ability to respond to emergencies; whether external such as a major incident with mass casualties, or internal such as a fire or flood within NHS premises.

Key Issues:

1. This area of work has increased hugely over the past two years, particularly

regarding security and the threat of terrorist activity; cyber-security; the ability to respond to major emergencies with mass casualties and other threats including severe weather and climate change.

2. There is a need to ensure we have a proportionate response to threats and identified risks, but this still requires investment in training of staff and exercising of plans.

3. A number of gaps in planning and training of staff have been identified, but workload and limited resources have to be prioritised to ensure the most significant risks and threats are appropriately addressed.

Implications :

Service Users, Patients and Communities:

Deficiencies in resilience and business continuity planning could affect any / all service users, patients and staff, and the wider community.

Human Resources and Organisational Development:

There are significant training needs, but these need to be prioritised and training opportunities targeted to the right people and teams.

Equality, Diversity and Human Rights:

No specific implications

Partnership Working Partnership working is essential for responding to major emergencies; and also for training and exercising. There are good partnership arrangements in place.

Legal:

The Civil Contingencies Act (2004) and the Civil Contingencies Act 2004 (Contingency Planning)(Scotland) Regulations 2005 require NHS Boards designated as Category 1 and Category 2 responders to demonstrate that they can respond to a range of incidents while maintaining business-as-usual services to patients. NHS Shetland is a Category 1 responder.

Finance:

There are financial implications for implementing this strategy: particularly for training costs (which can be expensive) and releasing staff for training and exercising. However there could also be financial implications if resilience and business continuity planning is not sufficiently addressed.

Assets and Property:

There is some equipment and assets essential for responding to certain emergencies (for example the decontamination tent and suits; telecommunications equipment) which must be maintained and replaced as required. As above, there may be implications for assets and property if resilience and business continuity planning is not sufficiently addressed.

Environmental:

There are environmental risks – primarily severe weather and climate change – that could impact on the organisation. Also the consequences of major incidents could have an environmental impact which we should aim to minimise wherever possible (eg fires, CBRN incidents)

Risk Management:

There will be significant risks to the organisation if emergency planning and business continuity planning is not robust.

Policy and Delegated Authority:

Previously considered by:

Resilience and Business Continuity Working Group Executive Management Team

5/7/2018 22/11/2018

“Exempt / private” item

N/A

NHS Shetland

Strategy for Resilience and Business Continuity

Resilience, is the ability of an organisation to anticipate, prepare for, respond and adapt to

incremental change and sudden disruptions in order to survive and prosper.

Date: November 2018

Version number: 3.3

Review Date: November 2021

Author: Dr Susan Laidlaw, Consultant in Public Health Medicine

Executive Director: Susan Webb, Director of Public Health

If you would like this document in an alternative language or format, please contact Corporate Services on 01595 743069.

Board Paper 2018/19/49

Strategy for Resilience and Business Continuity 2018-21

2

Document Development

Proposed groups to present document to:

Resilience and Business Continuity Working Group

Executive Management Team

Shetland NHS Board

Date Version Group Reason Outcome

05.10.11 Draft 1 SMT For consultation and agreement

Agreed with amendments

10.11.11 Draft 2 Shetland NHS Board For approval Approved

25.09.14 Version 2.0

SMT For consultation and agreement

Agreed with amendments

07.10.14 2.0 final Board For approval Approved

05.07.18 3.0 draft R & BC Working Group For consultation Amendments made

22.11.18 3.2 draft EMT For consultation and agreement

Agreed, minor clarifications

04.12.18 3.3 final draft

Board For approval


3

Changes Made to Document

DATE CHANGES MADE TO DOCUMENT

19.10.11 Amendments made to add links to Winter Planning, KPIs and Rapid Impact Assessment checklist agreed.

13.08.14 Updated version adding recent national guidance; updating organisational groups and titles (Risk Management Group), updated Appendix A of core / non-core services.

25.09.14 Key Performance Indicators redrafted by SMT. Some changes to Clinical and non-clinical services listed – day surgery unit added, and SAS separated out as external service.

05.07.18

Version 3.0

Significant review and update to include;

Changes in roles and responsibilities

Organisational Resilience standards

Business Continuity Planning

Incident management

06.07.18

Version 3.1

Updated appendix 1 of core / non core services. Updated roles and responsibilities

Concept of a critical / strategic incident and the management response

21.11.18

Version 3.2

Removal of reference to BS 25999 Business Continuity Management (BCM) standard as no longer exists. Further revision to include C3 arrangements. KPIs revised

Aim to shift to overarching BCPs and smaller departmental BCPs included.

Addition of Appendix 3 – membership of R&BCWG

22.11.18

Version 3.3

Minor typos and clarifications

Addition of national and regional arrangements under roles and responsibilities


4

1 CONTENTS

1 CONTENTS…………………………………………………………………………….......4

2 ACROYNMS ............................................................................................................. 5

3 PURPOSE ................................................................................................................ 6

4 SUMMARY OF NATIONAL POLICY ........................................................................ 7

5 RISKS ....................................................................................................................... 8

6 ROLES AND RESPONSIBILITIES ........................................................................... 9

7 PLANNING FOR EMERGENCIES ......................................................................... 13

8 RESPONDING TO INCIDENTS AND EMERGENCIES ......................................... 17

9 BUSINESS CONTINUITY MANAGEMENT (BCM) PROCESS .............................. 25

10 COMMUNICATION ............................................................................................. 31

11 ORGANISATIONAL CHART ON REPORTING ARRANGEMENTS ................... 32

12 KEY PERFORMANCE INDICATORS ................................................................. 33

APPENDICES:

APPENDIX 1 CATEGORISATION OF SERVICES FOR BUSINESS CONTINUITY PLANNING

APPENDIX 2 BUSINESS CONTINUITY TRAINING AND EXERCISING PROGRAMME

2018 – 2021

APPENDIX 3 MEMBERSHIP OF RESILIENCE AND BUSINESS CONTINUITY WORKING GROUP

APPENDIX 4 RAPID IMPACT ASSESSMENT CHECKLIST


5

2 ACROYNMS

BCM Business Continuity Management

BCP Business Continuity Plan

CBRN Chemical, biological, radiological, nuclear

CCA Civil Contingencies Authority

CPHM Consultant in Public Health Medicine

DPH Director of Public Health

EMT Executive Management Team

HoDs Heads of Department

HoP&M Head of Planning and Modernisation

H&SCP Health and Social Care Partnership

LRP Local Resilience Partnership

MAIRP Multi-Agency Initial Response Plan

MTPAS Mobile Telecommunications Privileged Access Scheme

R&BCWG Resilience & Business Continuity Working Group

RTO Recovery Time Objectives

RRP Regional Resilience Partnership

SEPF Shetland Emergency Planning Forum

SEPFE Shetland Emergency Planning Forum Executive

SCORDS Scottish Resilience and Development Service

SGCD Scottish Government Communications Directorate

SGoRR Scottish Government Resilience Room

SIC Shetland Islands Council

STAC Scientific and Technical Advisory Cell


6

3 PURPOSE

Resilience and preparedness are outcomes that are achieved over time by adopting a range of best practices to deliver business improvement by building capability across all aspects of the organisation, and making the most of opportunities to learn from experience. Resilience requires recognition and mitigation of risks; the implementation of means to bounce back from disruptive events; and active processes to adapt to change in the short and long term.

This strategy is written to ensure that a robust system is in place within NHS Shetland to identify risks, plan, exercise, and review our response against a range of disruptive challenges.

Business Continuity Management (BCM) is an essential component of resilience and preparedness and a requirement of the Civil Contingencies Authority (CCA). The implementation of effective Business Continuity Plans (BCPs) in a crisis situation is seen as an invaluable step in making sure critical services are maintained for as long as possible, or if lost, can be recovered as quickly as possible.

This Strategy aims to:

Improve business continuity planning and management within NHS Shetland.

Through the adoption of resilience principles, ensure the continuous operational delivery of critical healthcare services when faced with a range of disruptive challenges e.g. staff shortages, denial of access, failures in technology, loss of utility services and failure of key suppliers.

Help drive NHS Shetland’s compliance with the CCA.

Maintain a resilient local healthcare system.

This means that local services will be supported to continue to perform their functions and provide patient care and services in the event of an emergency so far as reasonably practicable: to remain open for business during major incidents and respond to disruptive challenges with confidence.

This is the third version of this strategy, the first version was produced in 2011 and the second in 2014.


7

4 SUMMARY OF NATIONAL POLICY

4.1 Civil Contingencies Act The Civil Contingencies Act (2004) and the Civil Contingencies Act 2004 (Contingency Planning)(Scotland) Regulations 2005 require NHS Boards designated as Category 1 and Category 2 responders to demonstrate that they can respond to a range of incidents while maintaining business-as-usual services to patients. NHS Shetland is a Category 1 responder.

These incidents may vary in scale and complexity, and range from dealing with severe weather, infectious diseases outbreaks (so-called ‘slow burners) and / or major no-notice incidents (so-called ‘big bangs’) such as terrorist attacks or transport accidents. The NHS must plan for, and be prepared to respond and adapt to the short and long-term consequences of these various disruptive challenges.

The Acts place a clear obligation on Category 1 organisations within NHS Scotland, such as NHS Shetland, to respond to disruptive challenges. In addition, all Category 1 and Category 2 organisations within NHS Scotland together with those providers who supply a critical service to NHS Scotland (e.g. GP Practices, Dental Practices, Pharmacies, Care Homes etc.) need to be sufficiently resilient to respond to any threat.

4.2 NHS Scotland National Guidance

NHS Scotland produced national guidance which has informed the production of this strategy: Business Continuity: A Framework for NHS Scotland. Strategic Guidance for NHS Organisations in Scotland. 2009, and Preparing For Emergencies: Guidance for Health Boards in Scotland in 2013.

4.3 NHS Scotland Standards for Organisational Resilience

Preparing for Emergencies set out what NHS Boards should do to comply with duties under the Civil Contingencies Act (2004) and other key legislation, thereby enhancing their resilience. The standards and performance criteria in this document are set in the context of that guidance; they take account of experience gained since that time, recent developments and new information in the professional discipline, and new imperatives on the NHS and delivery partners in Scotland, notably Health and Social Care Partnerships (H&SCP).

The first version of the standards was published in 2016: a set of 42 standards covering every aspect of resilience functions including dealing with terrorism threats, cyber-security, Prevent, critical assets, pandemic flu, BCPs, leadership and governance. These were revised in May 2018 and a second edition published. This included 41 standards, across nine priority areas:

Legal and Regulatory

Strategy and Culture

Identifying and Mitigating Risk

Preparedness


8

Digital Health

Human Capital

Climate Change

Supply Chain

Public Relations and Communication

NHS Boards were required to submit self assessments against these standards using benchmarking criteria to show at what stage the Board was at for meeting each standard : ie planning, implementing, monitoring or reviewing. The self assessment for NHS Shetland showed that we were largely at the implementation stage for most standards, with some at the planning stage and some at the monitoring stage. The gaps in our self assessment have informed the development of an overarching action plan.

5 RISKS

Effective BCM is not only about minimising the likelihood of an event occurring but also about having the ability to recover and restart if the worst happens. The consequences of not having effective BCPs in place could have serious implications, including:

Failure to deliver critical services.

Loss of life or injury.

Lengthy restoration times.

Loss of public confidence.

Impact on staff.

Exposure to potential legal action.

In Shetland, this is captured in risks recorded in the Board’s corporate risk register and risk management system, and more specific resilience risks are recorded in individual departmental risk registers. Risks are updated regularly, and risks relating to business continuity are expected to be refined and updated in the light of incidents and exercising.

Responsibility for monitoring and updating risks lies with the risk owner and is defined within the risk register: in the case of departmental risks this will be the Head of Department, in the case of corporate risks this will be the Executive Director with relevant responsibility. Updating this strategy and related risks is the responsibility of the Consultant in Public Health Medicine (Resilience Lead) – see section on Roles and Responsibilities.

Risks relating to multi-agency preparedness in Shetland are documented in Shetland’s Community Risk Register.


9

6 ROLES AND RESPONSIBILITIES

6.1 National and Regional arrangements

The Scottish Government's Resilience Division supports organisations that work together to build Scotland’s resilience to emergencies. The Scottish Resilience Partnership (SRP) acts as a strategic policy forum for resilience issues, providing collective assurance to Ministers that statutory responders and key resilience partners are aware of significant resilience gaps and priorities, and are addressing these in line with appropriate and available resources. It also provides advice to the resilience community on how best to ensure that Scotland is prepared to respond effectively to major emergencies.

The Scottish Government Health Resilience Unit has a specific role to support NHS organisations in Scotland. The NHSScotland Resilience Forum has a role as a health sector professional network for NHS Boards resilience leads supporting sharing best practice, providing education opportunities and raising awareness of common issues.

In 2013 three Regional Resilience Partnerships (RRPs) were created in Scotland following the formation of the Police Service of Scotland (PSoS) and the Scottish Fire and Rescue Service (SFRS) as single national agencies. The aim of the RRPs was to underpin our local and regional preparedness, and to link into the national structures on resilience. NHS Shetland’s Chief Executive attends the RRP. Each RRP is comprised of Local Resilience Partnerships (LRP) which are aligned with Police, Fire and Rescue and Local Authority boundaries. Shetland is part of the Highlands and Islands LRP, which comes together with Grampian and Tayside to form the North of Scotland Regional Resilience Partnership (NSRRP).

6.2 Community Planning Arrangements

The Shetland Partnership Board consists of representatives of the five agencies with a statutory responsibility to facilitate community planning, namely:

NHS Shetland

Shetland Islands Council (SIC)

Police Scotland

The Scottish Fire and Rescue Service and

Highland and Islands Enterprise

This provides the over-arching framework for relevant partnerships to operate.

The SIC Community Safety and Resilience Board has a specific remit for ensuring that “Shetland stays a safe place to live and we have strong, resilient and supportive communities.” It has representation from NHS Shetland, Shetland Islands Council, Police Scotland, the Scottish Fire and Rescue Service, the Coastguard and Scottish Ambulance Service.

The Shetland Emergency Planning Forum (SEPF). In Shetland, representatives from Category 1and 2 responders, local businesses and other organisations meet together


10

as a formal inter-agency group, the Shetland Emergency Planning Forum. The Forum takes collaborative responsibility for local action and the preparing and testing of local plans. This group is responsible for the local Multi-Agency Initial Response Plan (MAIRP). The Shetland Emergency Planning Forum’s mission statement is to provide the communities of the Shetland Islands with fully integrated, cohesive, efficient, and quality civil contingencies planning, management and response services. The Forum meets biannually to update stakeholders in local emergency planning activity. The Forum has an Executive group (SEPFE) which focuses on multi-agency issues related to resilience , emergency planning and civil contingencies within Shetland.

6.3 Shetland NHS Board

Shetland NHS Board is accountable to Scottish Government and the public for the effective functioning of the NHS within its area. Specifically, the Board has a statutory duty as a Category 1 Responder under Section 2 (1)(c) of the CCA to maintain plans for the purpose of ensuring, so far as reasonably practicable, that if an emergency occurs, it is able to continue to provide critical services. The Board must also ensure that all contracted service providers are capable of providing critical services at an appropriate level.

6.4 NHS Shetland Staff

The broad roles for individual members of staff are set out below.

The Chief Executive has overall accountability and responsibility for the successful implementation and maintenance of Business Continuity Management for the organisation.

The Director of Public Health has overall responsibility for the implementation and maintenance of emergency planning and resilience strategy and arrangements.

Each Director has responsibility for the successful implementation and maintenance of business continuity management arrangements for the services within their area of responsibility.

Head of Departments / Senior Charge Nurses / Local Managers are responsible for the development and maintenance of effective Business Continuity arrangements, through Business Continuity Plans, for their area of responsibility and implementing those plans should an emergency or service disruption occur.

The Consultant in Public Health Medicine is responsible for the development and maintenance of the Resilience and Business Continuity Strategy and has lead responsibility locally for emergency planning and resilience.

The Head of Planning and Modernisation is responsible for ensuring that the Board has effective business continuity planning arrangements and for providing advice and support to managers.

Each individual employee is responsible for ensuring that s/he is familiar with the Business Continuity Plan for the service they work in and her/his role within it.


11

This is shown diagrammatically below.

Specific responsibilities of key staff are described below.

6.5 Executive Directors

The Chief Executive has the responsibility for ensuring that NHS Shetland has a BCM process in place that will address the requirements for ensuring business continuity as required by the CCA. This includes ensuring that arrangements made within the NHS Shetland boundaries are adequate and appropriate to local circumstances. The Chief Executive also has responsibility for ensuring appropriate mutual aid agreements with external partners are in place in the event of a major emergency.

The Director of Public Health is accountable as Lead Executive Director for resilience, emergency planning and civil contingencies within NHS Shetland.

Members of the Executive Management Team are responsible for the implementation and maintenance of BCM within the services in their areas of responsibility.

A Resilience and Business Continuity Working Group has been set up to co-ordinate and oversee resilience and business continuity planning and management work in NHS Shetland, this group reports to EMT.

6.6 Head of Planning and Modernisation

The HoP&M role includes:

Oversight of the BCP process within the Board through the Resilience and Business Continuity Working Group.

Activity

Resilience and Business

Continuity Strategy

Emergency Planning and

Resilience arrangements

Business Continuity Planning

Governance

Board

Executive Management

Team

Heads of Departments / Senior Charge

Nurses

Responsibility

Director of Public Health

Consultant in Public Health

Medicine

Head of Planning and Modernisation

Performance

Annual Report

Six monthly Progress Reports

Quarterly Performance Reports and

Updates


12

Reporting to the Executive Management Team through regular Resilience and Business continuity reports.

Organising a rolling programme of tabletop BCP exercises, including debriefs and reporting.

Ensuring appropriate training on BCP is available to Heads of Department.

Liaising with Executive Directors and senior managers to ensure Heads of Department are fulfilling their responsibilities.

Monitoring of indicators.

6.7 Consultant in Public Health Medicine

The CPHM’s role includes responsibility for:

The Resilience & Business Continuity Annual Report.

Regular (six monthly and as required) reporting to EMT.

Chairing the Resilience and Business Continuity Working Group.

Board wide Emergency Procedures and Plans.

Representing NHS Shetland on the Shetland Emergency Planning Forum.

Planning training and exercises, including debriefs and reporting.

Overseeing compliance with the Organisational Resilience Standards.

6.8 Resilience Advisor

The Resilience Advisor is employed by Shetland Islands Council and provides a service to NHS Shetland through a service level agreement. The advisor has responsibility for:

Providing resilience, emergency planning and business continuity planning advice to the Board.

Representing NHS Shetland at the NHSScotland Resilience Forum meetings.

Planning multi-agency exercises and training, and ensuring appropriate opportunities for NHS Shetland staff.

Supporting the CPHM in their role as Resilience Lead.

6.9 Heads of Department

Heads of Department / Senior Charge Nurses are responsible for oversight and implementation of BCM within their departments / wards.

This includes:

Initial business impact analysis where appropriate.

Reviewing critical services and identifying resources which need to be available to maintain critical services for the first hour, 24 hours, 3 days and for 7 days.


13

Ensuring that all staff are appropriately trained in BCM and practice.

Participating as appropriate in exercising.

Reviewing and updating BCPs on an annual basis, and providing updated copies to the Public Health Department Secretary.

Reviewing and updating BCPs following any relevant incident or exercise and providing updated copies to the Public Health Department secretary.

6.10 Public Health Secretary

The public health secretary has responsibility for :

Maintaining a register of all BCPs within NHS Shetland both electronically and in hard copy (held at GBH Reception)

Producing a regular report of which BCPs are overdue and those due for review

Liaising with the HoP&M where departments do not have up to date BCPs

Administering the R&BCWG.

6.11 Individual employees

Each individual employee is responsible for ensuring that they are familiar with their departmental BCP and their role within it; and their role within the Major Emergency Procedure if applicable.

6.12 External providers All organisations that provide services to NHS Shetland for patient care should also have adequate arrangements in place appropriate to the size and type of the organisation, and should be able to demonstrate this. The responsibility for assurance lies with the NHS Shetland manager responsible for commissioning or contracting for that service, who should ensure that contracting processes with providers and suppliers that require BCM processes, are explicitly described and covered by contracts.

7 PLANNING FOR EMERGENCIES

Organisational resilience requires these five key interlinked components ( leadership, culture, people, systems, settings) to be working well together to create a flexible, integrated, and knowledge-based organisation that can thrive within an environment of constant change and threats.

Leadership: Strong and effective executive leadership that sets priorities, aligns resources and makes the necessary commitment to establishing resilience as a goal throughout the organisation. Leaders and managers strive to achieve a balance between risk taking and risk containment so that innovation can continue, but does so in the context of prudent risk minimisation.

Culture: An organisation’s resilience is influenced by its culture. A resilient culture is built on principles of empowerment, purpose, trust and accountability.


14

People: A workforce that is properly engaged, motivated, equipped and led will be able to deal with almost any disruption. A key component of this is a system that supports staff to work across boundaries.

Systems: A robust IT infrastructure and systems that connect and inform the organisation.

Settings: An adequate level of workplace flexibility and agility within the organisation that mitigates the risk of catastrophic or disruptive incidents impacting various parts of the organisation

Even in the most resilience organisation, major incidents are inevitable and each one will present unique challenges. It is important for NHS Shetland to adopt an all-risks approach to planning for and responding to major incidents, to identify the skills and expertise available and how they will be deployed in various circumstances or scenarios, and to have arrangements in place to manage the uncertainty and unpredictability of events.

The planning process is key to preparing for emergencies. Under the Civil Contingencies Act 2004, Health Boards are obliged to have arrangements in place to plan, exercise and review their capability and responses against a range of disruptive challenges, crises, disasters or emergencies. These obligations involve three key functions as part of the planning process:

assessing risk;

ensuring that (scalable) plans are in place to reduce or mitigate the effects of the emergency situation if/when it occurs; and

identifying other actions to be taken in relation to the emergency.

7.1 Assessing Risk Risk assessment (of hazards, threats and vulnerabilities) is the first stage in organisational resilience and business continuity planning. The Health Board should ensure internal corporate risk management processes include risk to continuation of services that single and multi-agency plans are evidence-based and proportionate. This includes maintenance of an internal organisational Risk Register and participation in the development of multi-agency Local and Community Risk Registers.

7.2 Maintaining emergency/major incident plans NHS Shetland should produce and maintain major incident/emergency plans for a range of potential scenarios. These include the Major Emergency Procedure, the Public Health Outbreak and Incident Plan; the Pandemic Flu Plan and the Graduated Security Plan (GraSP)

In addition, the Board must engage with partners locally in Shetland, in the Highlands and Islands Local Resilience Partnership (LRP) and the Regional Resilience Partnership (RRP), to ensure that the role of NHS Shetland is appropriately reflected in multi-agency plans for various major incidents/emergencies.


15

7.3 Maintaining business continuity plans Business Continuity Management (BCM) is an essential activity in establishing an organisation's resilience by enabling it to anticipate, prepare for, respond to and recover from disruptions and to have a clear understanding of dependencies with other organisations.

7.4 Communicating with the public NHS Shetland should have a communication plan that incorporates:

At the planning stage - informing the public of the likely risks and threats being prepared for and, in general terms, of their potential responses if they occur; and

At the response stage - warning, informing and advising the public using different types of messages and a variety of methods appropriate to the needs of the audience.

7.5 Sharing information

Information-sharing is an integral part of civil protection and interagency cooperation. Health Boards must share information with other categorised responder organisations and their major incident plans should be available in the public domain, accepting that sensitive or confidential information cannot always be shared with partner agencies and/or the public.

Careful consideration must be given to the type of information that is required to plan for a major incident and what information can be shared in the context of the CCA and relevant legislation including the Freedom of Information Act and also General Data Protection Regulation (GDPR).

NHS Shetland must ensure that there are free-flowing, informal channels of communication and information-sharing with other agencies involved in civil contingencies work. It is important that the Caldicott Guardian advises on disclosure of information and are available to support and guide staff.

7.6 Co-operating Health Boards designated as category 1 responders must co-operate with other responders. The principal mechanisms for multi-agency cooperation at local level are the Regional Resilience Partnerships (RRP) and Local Resilience Partnerships (LRP). For Shetland this means the North of Scotland RRP, Highlands and Islands LRP and the Shetland Emergency Planning Forum.

7.7 Legal frameworks, public inquiries and civil action. NHS legal obligations and duty of care for patients does not change during major incidents or emergencies that are likely to generate high profile media attention or scrutiny. In such situations it is likely that legal investigations and challenge such as criminal investigations, fatal accident and/or public inquiries or civil action may follow. These may occur a long time after the incident.

When planning for major incidents it is essential that Health Boards have arrangements in place to record the decisions made and actions taken and store all the records and


16

documentation safely for future reference should they be required for evidential or audit purposes.

7.8 The planning process involves:

Developing appropriate and suitably resourced 'command, control and coordination' (C3) arrangements.

Engaging with key internal and external stakeholders and partner agencies, particularly category 1 and 2 responders and voluntary sector agencies that have an emergency response to develop the major emergency procedure (MEP).

Establishing a programme of training, exercising and testing to ensure effective implementation of the plans.

Ensuring incident-recording arrangements are in place along with a system for identifying and sharing learning from incidents.

Establishing a system for reviewing and updating the plans.


17

8 RESPONDING TO INCIDENTS AND EMERGENCIES

Incidents and emergencies can range from an isolated issue affecting one department or service to a major situation affecting the entire Health Board and partners. Incidents do not necessarily involve casualties, but can be disruption to infrastructure such as a building or IT services which in turn can impact on patients and staff. A major incident response may also be required to manage external threats such as the national threat level being raised to critical or a declaration of pandemic flu.

In general, major incidents, such as transport accidents, are local, time-limited and effectively dealt with by emergency services and acute services. However, in a small Board such as Shetland, resources can be easily overwhelmed by an incident that would be considered routine work in a large Board. Sometimes incidents or threats may extend beyond individual health board areas and may require a higher level of

coordination, initially by the LRP or RRP as well as by the Scottish Government

Resilience Room (SGoRR).

8.1 Command, control and co-ordination (C3)

In order to respond to major incidents, internally or externally, NHS Shetland needs a structure which provides clear leadership, accountable decision-making and arrangements for communicating up-to-date information. ‘C3’ is a structured approach to incident management under pressure.

C3 arrangements (the C3 Plan) should:

include a suitable functional space(s) for making decisions, collecting and sharing information quickly.

be able to be activated with the necessary personnel, standard operating procedures and equipment without undue delay.

have clearly defined roles and (decision-making) responsibilities for Executive-level Directors and other staff delegated to assume control of an internal incident or an external one as part of multiagency strategic command group.

have clearly defined processes for maintaining appropriate, contemporaneous records and documenting the incident.

include an adequate pool of staff should be trained as loggists to support the management of an incident or response. It is essential that incident logs produced reflect best practice standards and that loggists understand the evidential value and rationale of a robust audit trail.

include an appropriate level of training for staff in line with the competencies for the various roles they are expected to fulfil.

8.2 The major incident plan

Major incident plans are the culmination of risk assessment. They reflect that the organisation has an understanding of the challenges that could arise from various types


18

of major incidents or emergencies and is prepared for them. The plan provides the basis for ensuring an effective and efficient response.

A major incident plan should:

be fit for purpose and appropriate to the geographical area it covers.

have appropriate governance arrangements, and set out responsibilities for carrying out the plan.

be based on the principles of integrated emergency management and associated activities (i.e. assessment, prevention, preparation, response and recovery) and encompass all the phases of major incident.

be consistent with multi-agency working, especially with partners represented within the same Regional Resilience Partnership (RRP) and link to any multi-agency response that the Health Board has a role in, such as public communications and the Scientific and Technical Advisory Cell (STAC).

reflect the requirements of the Civil Contingencies Act 2004, the 2005 regulations and other relevant guidance documents and have the capability to deal with all the specific incident scenarios and issues identified in this guidance such as CBRN, mass casualties, communicable diseases, burns injuries and meeting the needs of children, young people and vulnerable people.

identify where and how specialist advice may be obtained or accessed, especially out-of-hours.

describe local command, control and coordination (C3) arrangements identify lead officer posts (at strategic and operational levels) and outline their roles and responsibilities.

identify mutual aid arrangements with neighbouring Health Boards and other key agencies and how/when they should be triggered.

identify reporting procedures and links with RRPs, Scottish Government Health and Social Care Directorates (SGHSCD) NHSScotland Resilience as necessary, and how and when they are to be triggered.

identify the potential source(s) of financial resources that may be needed to respond to various incidents.

identify resources to be allocated or accessed to deal with various types of incidents in line with defined planning assumptions.

identify the staff requirements and mobilisation arrangements to respond to various incidents and how the impact on normal services will be addressed.

be regularly reviewed (in the light of exercising, training, lessons learned from incident debriefs and policy changes), and endorsed by the Health Board.

be exercised in full at least every three years.

be tested through a table-top exercise every year


19

be communicated/cascaded within the organisation and to partners every six months.

NHS Shetland has a Major Emergency Procedure (MEP) which details the Board’s response to a major incident. However further work is needed to ensure that the management (C3) response to an incident is clearly described; and also that there is sufficient detail written into the individual role descriptors and standard operating procedures to ensure staff can fulfil their responsibilities during the incident response.

8.3 Communications systems

Effective and resilient telecommunications systems are essential in enabling responders to communicate with key personnel internally and externally during a major incident. Therefore, Health Boards should ensure that:

appropriate telecommunications systems (which may include Airwave or MTPAS) are available and accessible to the staff who may need them, with accompanying protocols for their use.

all staff who may be called on to fulfil a C3 function are competent to use the telecommunications systems in emergency situations.

communications testing exercises take place regularly.

It should be noted that NHS Shetland has not used Airwave or MTPAS in the past but needs to review communication systems going forward.

8.4 Mutual aid agreements

Mutual aid agreements are an important aspect of emergency preparedness. They ensure that an NHS body will have access to appropriate supplementary and/or specialist resources and support from other health organisations in the event of a major incident. It is the responsibility of the Chief Executive to ensure that the organisation has a mutual aid agreement with other Health Boards, category 2 responders and other relevant organisations not covered by the CCA in the RRP area and beyond if necessary.

As well as the multi-agency arrangements through the Shetland Emergency Planning Forum, NHS Shetland has specific surge capacity arrangements in place across the north of Scotland for Public Health functions via the North of Scotland Public Health Network, and arrangements between the north of Scotland NHS Boards for clinical and support services. These are designed to ensure co-operation and collaboration between Shetland and the other northern NHS Boards in emergency situations where local demands outstrip local capacity, and are formalised through a Mutual Aid Agreement.

A mutual aid agreement should clearly outline what aid might be required, what can be offered, who the partners are, and governance arrangements. It should be reviewed and revised at least annually. Mutual aid requests for support should be formally triggered by the Chief Executive or named Deputy to maintain normal service provision. This should take place only after the Health Board has invoked its surge capacity plans and


20

the incident management (C3) team concludes that the capacity and capability thresholds for operating safely have been reached.

If the incident is likely to be of a longer duration or deemed to require coordination or mutual aid on a larger scale, the Scottish Government Resilience Room will be activated to fulfil a national, strategic coordination function and to ensure that government assistance is provided if required.

In the event of mutual aid resulting in the clinical care of patients being transferred to another Health Board, there must be a clear agreement on clinical accountability and arrangements for follow-up care to ensure that movement across Health Board boundaries are taken in the best clinical interests of the patient and to ensure close, coordinated clinical supervision. However, transfer of patients to another Health Board for treatment is routine for NHS Shetland.

8.5 Reporting major incidents All relevant staff must be aware of the Scottish Government NHSScotland Resilience reporting arrangements using the agreed NHS Situation Report (SitRep) pro-forma. These arrangements must be used when a major incident:

occurs within a Health Board;

has been declared by an RRP partner that requires the deployment of healthcare resources; and

creates significant service pressures for the Health Board and is likely to impact on business as usual.

The reporting frequency will be agreed by the Health Board representative and the Scottish Government depending on the nature of the incident and the assessment of its impact on the Health Board.

8.6 Training and exercising plans

Training and exercising programmes are important in ensuring that incident response plans are up-to-date and will be effective when implemented. They also provide the Health Board with assurance of its capability for various types of major incidents. It is recommended that scenario-specific exercises are undertaken to test particular aspects of the organisation's capabilities. Wherever possible, Health Boards should collaborate with each other to organise and participate in joint exercises, involving multiagency partners where practicable. The lessons-identified and lessons-learned from these exercises should be disseminated across the service via appropriate networks.

Training, testing and exercising should take place in the context of a training needs analysis and a progressive, targeted and graduated training programme that reflects the roles and responsibilities of staff in particular operational settings. Senior managers should ensure that appropriate staff are released to participate in relevant training programmes. The Health Board should ensure that arrangements and resources, including financial commitments, are in place to enable adequate training, exercising and testing of the Board's emergency preparedness.


21

Health Board members should be advised at least annually of the Board's state of preparedness.

The following should be in place and monitored:

an annual training and exercising plan, the implementation of which is monitored and recorded (see Appendix 2 )

a process and system for recording and reporting the outcome of exercises and for ensuring that lessons-identified and lessons-learned are incorporated into revisions of the appropriate plans and protocols; and

training/skills records to help inform capability analysis that are kept up-to-date.

8.7 Communication

During an emergency, the Health Board must cooperate with other agencies to develop a communications strategy and issue information that is clear, timely, relevant and accurate. The public expect to be informed quickly and efficiently and, in an incident that has potential health consequences, they will look to the NHS to communicate with them both directly using websites and social media, as well as the mainstream news media.

Liaising with the media during an emergency is a resource-intensive operation. It requires those involved to have the necessary skills and training to cope with a surge of repeated requests for information, especially in the early stages of a major incident. Effective handling of the media will affect how the emergency and the response to it are reported and that, in turn, can enhance the effectiveness of that response, both immediately and in the longer term.

8.7.1 The Board should:

identify a lead Communications Officer to both manage communication from the Board and also participate in any multi-agency strategic communications group formed to deal with the incident.

have a communication plan that is integral to the major incident plan

ensure that staff who will be involved in media liaison have been appropriately trained and prepared.

have suitably equipped space for use as a Media Centre in the event of an emergency;

have itsown website and identified staff with access to update the website 24 hours a day.

have in place social media platforms, such as Facebook and Twitter

ensure that communications team staff have 24-hour access to the social media outlets and be trained in how to use them to disseminate 'real time' information to the public.


22

Consideration should be given to :

communications departments having the ability to make their websites a low graphic text-only version in the event of an emergency

having a mobile-friendly version of the website so that potentially large numbers of people can visit the site using mobile devices

8.7.2 The communications plan should:

outline the roles and responsibilities of the organisation and staff at various levels, the resources to be made available to them and the use of websites and social media;

indicate the procedures to be followed by the on-call manager in the event of a media enquiry or a statement by a member of the public on social media alerting the Health Board to a possible incident;

indicate how and when NHS 24 emergency helplines and its social media outlets will be used to keep the public informed;

indicate actions to be taken at various phases during and after an emergency has occurred; and

be exercised: the communications arrangements should be tested in as practical a way as possible. All training and exercising should take account of lessons identified from previous emergencies and exercises.

clearly set out the procedure to be followed in the event of a major incident being caused, or suspected to be caused by an act of terrorism, the potential consequences of security being imposed on casualties and the hospitals treating them. the procedures and standards to be followed at first and subsequent media briefings; and

identify the point at which assistance will be required from communications staff from other Health Boards in the event of a major incident/emergency and liaise with the Scottish Government Communications Directorate (SGCD).

be assessed against Equalities and Human Rights Act duties.

It is important that, as far as possible, a communications procedure/protocol is agreed with multi-agency partners in advance. This will help ensure that essential healthcare personnel are not prohibited from entering hospital grounds or reporting for duty; media briefings on site that are coordinated by the police are cleared by the Health Board's senior Communications Officer; and that a clear and timely message is communicated to staff who normally work at the hospitals;

Patient confidentiality and staff's right to privacy must be maintained during an emergency situation. No information about particular patients being treated should be released without first checking with the police and the consultant responsible for their care. Interviews or photographs must not be permitted without the consent of the patient concerned.


23

8.7.3 Internal communications

Internal communications also vitally important during a major incident. Any major incident will have an impact on the local community in which staff live, particularly in a small area such as Shetland, and they will have an obvious need to be informed. While staff will get updates from the external communications channels outlined above it is good practice to disseminate regular updates, including key messages and reassurance, to staff through agreed internal communications channels in line with internal communications protocols.

8.7.4 VIPs

VIPs or other dignitaries will often visit the site of a major incident and hospitals involved in the response to it; they may also be admitted to NHS facilities as patients. The SGCD in consultation with other press offices as appropriate will be responsible for providing advice on media coverage on such occasions. Health Boards should have a VIP protocol for such occasions that has been agreed with the police. In Shetland, this s part of the MEP.

8.7.5 Recovery

It is likely that a major incident could run on for some weeks or months. While local authorities lead during the recovery phase, it may be necessary for health information to be provided by Health Boards in an ongoing, consistent manner during this period as part of a process of public reassurance. This may have resource implications for the organisation. NHS 24 may have a key role in assisting the Health Board on such occasions by acting as a point of contact for disseminating information or providing helpline support.

8.8 Proportionate Response to incidents

Incidents can be categorised as:

a service disruption.

a critical or strategic incident

a major incident or emergency;

The incident response will depend on the actual and likely severity of the disruption / incident. The table below describes the response scenarios and the plans that would be invoked.

Category of Incident Scope Plans Implemented

Service Disruption Single Service or department within NHS Shetland

BCP

Critical / Strategic Incident

More than one service or department within NHS Shetland

BCPs

C3 Plan


24

Critical external threat (not currently impacting on service delivery)

C3 Plan

Major Incident / Emergency

Overwhelms NHS Shetland services may require an inter – agency response

BCPs and C3 Plan

NHS Shetland Major Emergency Procedure

Major Incident requiring an interagency response

BCPs and C3 Plan

NHS Shetland Major Emergency Procedure

Shetland Major Incident Plan

8.8.1 Management of a critical incident or major emergency.

Depending on circumstances, not all levels of response may be required. A localised service disruption may be contained with an operational response or may escalate to requiring a tactical or strategic response. An external threat (eg national threat level raised to critical) may require a strategic response only.

Incident Management Team / Business Continuity Team (C3 Team)

Strategic

Reports to Government

Hospital Management Team / Business Recovery Team

Tactical

Reports to Strategic level

Individual services response teams

Operational

Reports to tactical level

Formed when a serious incident has occurred or is threatened Long term vision and planning. Key communication role. Follows C3 plan. Primarily

senior managers / on-call managers.

Co-ordination of incident response and recovery. Follows MEP and / or organisational BCPs.

Includes managers and team leaders for affected services and other staff as appropriate/necessary. For major emergency with mass casualties would include Hospital Medical Controller and be based

in the Hospital Control Room

Physical recovery at site. Follows departmental BCPs. Compromises of service team(s) affected

by the incident or dealing with the incident ie individual departments and teams

communication

communication


25

9 BUSINESS CONTINUITY MANAGEMENT (BCM) PROCESS

9.1 Response Guidance

BCM in Shetland builds on informal arrangements already in place and used historically, including the usual ‘workarounds’ that enable critical services to be delivered at a time of disruption. This strategy introduces more formal processes that enable faster and more effective responses to maintain and / or recover critical services. It is designed to be used to respond to system wide disruptions below the level of major emergencies, and to inform the internal response to major emergencies.

For further detail on the rationale for this framework see the national guidance document: www.sehd.scot.nhs.uk/emergencyplanning/BusinessContinuity.htm

Successful BCM happens within the environment in which the organisation operates, and in collaboration with other responders. This strategy is written to link into the Shetland Emergency Planning Forum multi-agency response on resilience and emergency planning and should be read alongside other emergency plans. (refer to the Shetland Islands Council web-site Resilience page www.shetland.gov.uk/about_emergency_planning/.)

9.2 Stage 1 – Programme Management

The BCM programme is reported through Executive Management Team which provides the assurance that Shetland’s BCM arrangements are robust . Risks relating to BCM are reported and responses assured through the Board’s Risk Management Group (RMG).

BCM arrangements and plans will be reviewed and updated whenever there is a significant change in the organisation’s operating environment, personnel, processes or technology, and when an exercise or incident highlights deficiencies, and as a minimum on an annual basis. Lessons identified from exercises or incidents carried out by other organisations will also be incorporated.

The aim is for BCM to become part of the NHS Shetland organisational culture, where staff at all levels are encouraged to participate in the identification of alternate methods of working if normality is disrupted. Where appropriate, these ideas should be incorporated into business continuity plans.

9.2.1 Training

Training will be made available as set out in the Training and Exercising Programme (Summarised in Appendix 2) which will be produced annually. Training will include evaluation of its effectiveness in terms of impact on staff.

Individual staff may have business continuity training identified with their line manager as part of their PDP.

http://www.sehd.scot.nhs.uk/emergencyplanning/BusinessContinuity.htm

http://www.shetland.gov.uk/about_emergency_planning/


26

9.2.2 Documentation

All BCPs will be document controlled in line with the Board’s Framework for Document Development. BCPs will be written to the standardised format provided in the national guidance and made available from the Department of Public Health.

This strategy will be made available on the Board’s intranet. Individual BCPs will be held in departments, with one master set on paper held at switchboard and one set held electronically and on paper in the Department of Public Health for access in an emergency.

Responsibility for maintaining the master sets lies with the Department of Public Health secretary. All HoDs will provide updated copies of their BCPs to the Public Health secretary in a timely manner as and when they are revised.

9.3 Stage 2 – Understanding the Organisation

The services are categorised as:

Core Clinical

Core Support and

Non Core Services

It is recognised that all services are important to maintaining a safe and effective healthcare system. However, in times of emergency or significant disruption, it is important to focus attention on the core clinical and support services. These definitions are determined by how critical that service is to safety critical functions, as described below.

Category Definition

Core Clinical Where service failure or service disruption would have a direct and high risk of death, serious injury or harm so Business Continuity Planning is essential to save lives and avoid injury or harm.

Core Support Where service failure or service disruption would have an indirect and high risk of death, serious injury or harm so Business Continuity Planning is essential to contribute to saving lives and avoiding injury or harm.

Non Core Where service failure or service disruption would have no, or an insignificant impact, on the continuity of core clinical and core support services

Appendix 1 sets out the Board’s critical clinical and non-clinical services for the purposes of business continuity.


27

9.3.1 Business Impact Assessments

Business Impact Assessments (BIA) are an important tool in Business Continuity Planning. A BIA is used to ensure that each department’s key services, along with their supporting activities and resources, are identified and documented.

The Business Impact Assessment process includes:

Identification of each department’s key services/processes and the activities on which these depend including supporting resources;

Mapping the workflow of the identified key services/processes ensuring these consider supporting resources; and

Assess the impact on the organisation in the event of department’s key services/process being disrupted.

They are required to set out considerations for improving their resilience under the headings of:

people,

premises,

processes,

providers and

profile.


28

The template is shown in the table below.

People Premises Processes Providers Profile

Key Staff

What staff do you need to carry out your key functions

Buildings

What locations do your department’s key functions operate from?

IT

What IT is essential to carry out your key functions?

Reciprocal Arrangements

Do you have any reciprocal agreements with other organisations?

Reputation

Who are your key stakeholders?

Skills / Expertise / Training

What skills / level of expertise is required to undertake key functions?

Facilities

What facilities are essential to carry out your key functions?

Documentation

What documentation / records are essential to carry out your key functions, and how are these stored?

Contractors / External Providers

Do you tender critical services out to another organisation, to whom and for what?

Legal Considerations

What are your legal, statutory and regulatory requirements?

Minimum Staffing Levels:

What is the minimum staffing level with which you could provide some sort of service?

Equipment / Resources

What equipment / resources are required to carry out your key functions?

Systems and Communications

What systems and means of communication are required to carry out your key functions?

Suppliers

Who are your priority suppliers and whom do you depend on to undertake your key functions?

Vulnerable Groups

Which vulnerable groups might be affected by failing to carry out key functions?

Core Clinical and Core Support services are required to determine their key functions, to identify critical services within their areas of responsibility, and to reflect these in a Business Impact Analysis (BIA) where appropriate using the format provided.

A Business Impact Assessment will not be required for Non-Core Services.

The BIA should include the means to maintain critical services within the critical time-frames of one hour, 24 hours, 3 days and one week; and recovery time objectives (RTO) as the target time set for the resumption of a service; dependencies or links to


29

other crucial services or functions specifically IT and Estates / Facilities; and any resources required for successful resilience and recovery.

Risk assessment of individual BCPs will be recorded in the departmental risk register. Risk assessment of the Board’s overall BCM response will be undertaken via the Executive Management Team and recorded in the Board’s Corporate Risk Register, along with any mitigating actions or management responses.

9.4 Stage 3 – Determining BCM Strategies and response

This strategy is designed to show how operational continuity is to be achieved across NHS Shetland as a whole.

9.4.1 Incident Response Structure:

The structure supports all levels of activities that take place during a disruptive event and is described above in section 8.8.1.

BCPs describe the impacts of and responses to the key continuity threats of:

denial of access to premises.

loss of facility

shortage of staff

failure of technology

failure of key supplier or partner

failure of utility services.

Specific threats including severe weather and industrial action will be taken into account as appropriate, and Business Continuity Plans will relate to wider organisational responses such as Winter Planning Arrangements and specific outbreak plans.

Recovery of services and essential activities will be considered in relation to:

the maximum tolerable period of disruption for each service;

the cost of implementing the strategy;

the consequence of inaction;

the key resources required, e.g. people, premises, technology, information, and supplies.

Key stakeholders will be informed of disruption to relevant services and likely timescales for restoration – see communications strategy in section 5 below.

Plans will include the steps necessary to catch up on backlog work that was set aside during periods of disruption.

9.5 Stage 4 – Developing and Implementing a BCM Response

The outputs from Stages 1 to 3 of the strategy will help to formulate appropriate BCPs.

BCPs should provide answers to the following basic questions:


30

What needs to be done?

When?

Where are the alternative resources located?

Who is involved?

How is continuity to be achieved?

Historically in NHS Shetland, each department has produced its own BCP, and included the response of related services / functions such as Estates / Facilities and IT. However producing the individual BCPs in isolation has meant that they have not always been compatible with the core support service’s own BCPs, or with other departmental BCPs.

The aim therefore is to shift to having comprehensive overarching BCPs for the hospital and other sites which would cover situations where more than one department is affected eg loss of utilities, IT failure, loss of premises. Individual departments would then have shorter BCPs to reflect departmental risks such as staff sickness, specific equipment or IT system failure and very localised estates issues.

9.5.1 Implementation

Awareness raising, training, distribution, and documentation are covered above.

The roles of key local external stakeholders are described in the Shetland Multi-agency Initial Response Plan and for key suppliers in the relevant departmental BCPs.

9.6 Stage 5 – Exercise, Maintenance and Review

9.6.1 Exercises

As a Category 1 responder NHS Shetland is required to regularly exercise its plans. A regular programme of exercising is in place for NHS Shetland, and is outlined in Appendix 2. This will be updated annually and tailored to meet the needs identified through BCP development and review, and training.

In terms of business continuity planning, there will be a rolling programme of testing of BCPs, with those for core services being tested every year, and those for non-core services being tested every three years. Testing may be through a tabletop exercise or activation of the BCP.

Plans are exercised to ensure that errors and omissions within the plan are identified before the plan is used in reality. If errors or omissions are found while exercising plans, timed actions will be created to rectify these problems. Exercising also helps to build confidence in team members by clarifying roles and responsibilities, supplying practical training and awareness and providing individuals with valuable experience of responding to an incident.

Exercising will:

Test the systems.

Test robustness.


31

Exercise the plans.

Rehearse the people.

Exercises will have defined aims and objectives that may include:

Check everyone understands their role and where their role fits into the overall plan.

Check the procedures for invoking plans and callout communications work effectively.

Ensure that the accommodation, equipment, systems and services provided are appropriate and operational.

Test that the critical services can be recovered within the RTO and to levels required.

Exercises will not put the organisation at risk by causing disruptions. They will be practical and cost effective, appropriate to the organisation and designed to build confidence in the plan.

A record of each exercise will be kept, which will include a log of all actions and outcomes. This will be constructed at a hot debrief carried out with the participants so they can express their own views on what went well or otherwise. Independent observers will be used in all exercises and will be tasked with maintaining a ‘diary of events’ throughout the exercise, to contribute to the lessons learnt and the action plan. This will be reviewed at a ‘cold debrief’’ at which time responsibility for actions will be agreed to be included in the exercise report.

A post exercise report will be completed for each exercise which should include actions agreed and recommendations on changes to plans. These will be reported to and signed off by the Board’s Executive Management Team, who will monitor progress against the actions.

9.6.2 Review

NHS Shetland will review its BCM process regularly to ensure continued suitability, adequacy, and effectiveness. This will be done via review of this strategy in line with the Board’s procedures, and updating of the training and exercising programmes. Independent scrutiny and audit (either internal or external) of BCM competence and capability will complement this internal review and self-assessment.

10 COMMUNICATION

Awareness raising of this strategy will be via adoption at the Board, inclusion in Team Brief and posting on the Board’s intranet, to make all staff aware of how they contribute to the business continuity programme, and of their roles and responsibilities.

Individual departmental BCPs will be held in the relevant departments and made available to staff via the Public Health Department or hospital switchboard in an emergency as necessary.


32

It is the responsibility of HoDs to make sure that communication within departments happens appropriately during an incident. This should include key stakeholders to be informed of disruption to relevant services and likely timescales for restoration.

Communication above individual departmental level will be done in line with the Board’s Communications Strategy, through the Chief Executive’s Office or the Senior Manager on call out of hours.

11 ORGANISATIONAL CHART ON REPORTING ARRANGEMENTS

Approves Strategy

Receives Annual Report

BCP Director Responsibility, De-briefs & reporting BCP Operational responsibility

BOARD

EMT DPH

HoDs

Executive Lead Officer & Support


33

12 KEY PERFORMANCE INDICATORS

The following key performance indicators will be monitored through the Resilience and Busness Continuity Working Group and reported to the Executive Management Team on a regular basis, and to the Board via the Emergency Planning Annual Report.

Indicators Targets

12.1 Frequency of review and circulation of Major Emergency Procedure

review the MEP every three years

circulate the MEP every six months

12.2 Frequency of testing of the Major Emergency Procedure

test in full every three years (either through exercise or activation)

test through a table top exercise every year

12.3 Learning from testing of the MEP Evidence of exercise de-brief, action

planning and completion of actions within timescales with feedback to Executive Management Team

12.4 Business Continuity Plans in place for all services as outlined in this strategy

Target 100% compliance

12.5 Frequency of reviews of BCPs Review each BCP every year – target

100% compliance

12.6 Frequency of testing of BCPs (including disaster recovery element)

Target 100% compliance

core services on a yearly cycle

non-core services on a three yearly cycle

12.7 Core activity (including clinical activity) maintained in the event of an emergency or disruption with list of ‘service disruption’ maintained on an exception basis.

Record list of all service disruptions in the event of an incident (of whatever size) eg operations cancelled. Target is to minimise.


34

APPENDIX 1: CATEGORISATION OF SERVICES FOR BUSINESS CONTINUITY PLANNING

Service Area (BCP) Core Clinical Core Support Non-Core

1 Accident and Emergency √

2 Acute medical admissions/Ward 3

√

3 Acute surgical admissions/Ward 1

√

4 Theatres √

5 Laboratory services √

6 Radiology/Medical Imaging √

7 Pharmacy √

8 Central Decontamination Unit

√

9 Maternity services √

(Hospital)

√

(Community)

10 Renal dialysis/ Haemodialysis

√

11 Public Health √

(Public Health)

√

(Health Improvement)

12 Physiotherapy √

13 Occupational Therapy √

14 Community Nursing Services

√

15 Generic Action Plan for Cold Water Stoppage

√

16 Mental Health √

(Mental Health Act)

√

17

18 Levenwick Health Centre √

19 Lerwick Health Centre √

20 Bixter Health Centre √


35

21 Unst Health Centre √

22 Whalsay Health Centre √

23 Brae Health Centre √

24 Yell Health Centre √

25 Walls Health Centre √

26 Hillswick Health Centre √

27 Scalloway Health Centre √

28 Generic Action Plan for Hot Water & Heating Shutdown

√

29 Generic Action Plan for Hospital Staff Shortage & IT outage

√

30 IT / Computing √

(System Integrity)

√

(Operational and Projects)

31 Estates √

32 Facilities √

33 Supplies √

34 Reception / Medical Records

√

35 Catering √

36 Cleaning √

37 Laundry √

38 Personnel √

39 Occupational Health √

40 Board HQ √

41 Medical Physics √

42 Finance including Payroll √

43 Supplies (included in finance)

44 Patient Travel √

45 Staff Development √

46 Orthotics √


36

47 Audiology √

48 Dental √

(Emergency)

√

(Community)

49 Speech & Language Therapy

√

50 Outpatients √

51 Physiological Measurements

√

52 Childrens Services (Paeds Clinic)

√

53 Podiatry √

54 Clinical Governance √

55 Day surgery unit √


37

APPENDIX 2

BUSINESS CONTINUITY TRAINING AND EXERCISING PROGRAMME 2018 – 2021

EXERCISE DATE DEBRIEF / ACTION PLAN

2018

Multi-agency Tabletop Exercise - Lerwick UpHelly AA

12/1/2018 Completed -no specific actions for NHS Shetland

Business Continuity Exercise 1 (Pecking Order) - IT Business Continuity Tabletop Exercise

14/2/2018 Completed – BCPs updated

Business Continuity Exercise 2 - GBH Flood

25/6/2018 In progress

2019

Scatsta airport live exercise TBA

Cruise Ship Exercise (Highlands and Islands)

27/3/2019

Business Continuity Exercise 3 – loss of diagnostic services

April /May 2019

Business Continuity Exercise 4 - to test 3C plan

Autumn 2019

Public Health Incident Exercise TBA

2020

Business Continuity Exercise 5 Spring 2020

Security Incident Tabletop Exercise 2020

Business Continuity Exercise 6 Autumn 2020

2021

Live test of MEP 2021

Business Continuity Exercise 7 2021


38

Training Opportunities available and proposed 2018-2021

Management Bundle: Purpose of Business Continuity (Internal)

1-2-1 Support in developing Business Impact Assessments and Business Continuity Plans (Internal)

Prevent / WRAP training (Internal)

CBRN decontamination training for operators and officers (managing the team / incident). (External training provider)

MIMMS training for Medical Incident Officers (External training provider)

Medical records & reception staff – training in logging / recording and use of casualty identification and tracking documentation. (External training provider)

MAPA training for frontline staff (eg receptionists, lone workers) - in line with GraSP and security procedures (Internal)

Senior manager training including incident response (External training provider)


39

APPENDIX 3

MEMBERSHIP OF RESILIENCE AND BUSINESS CONTINUITY WORKING GROUP

Dr Susan Laidlaw CPHM and Resilience Lead (Chair)

Hazel Sutherland Head of Planning & Modernisation

Lawson Bisset Head of Estates

Craig Chapman Head of IM&T and eHealth

Ingrid Gall Resilience Advisor (SIC / NHS Shetland)

Steven Lamming Maintenance Supervisor

Elaine Maguire Community Nursing Team Leader (North)

Alison Mustard Chief Nurse (Acute and Specialist Services)

Janine Rochester Patient Flow Manager

Robert Wardrop Chief Biomedical Scientist

Edna Mary Watson Chief Nurse (Community)

Lisa Watt Primary Care Manager

Kim Govier Administration


40

APPENDIX 4. RAPID IMPACT ASSESSMENT CHECKLIST

Rapid Impact Checklist NHS Shetland

An Equality and Diversity Impact Assessment Tool:

Which groups of the population do you think will be affected by this proposal? Other groups:

- Minority ethnic people (incl. Gypsy/travellers, refugees & asylum seekers) - Women and men - People with mental health problems - People in religious/faith groups - Older people, children and young people - People of low income - Homeless people - Disabled people - People involved in criminal justice system - Lesbian, gay, bisexual and transgender people

Staff will be affected, and potentially all patient groups.

N.B The word proposal is used below as shorthand for any policy, procedure, strategy or proposal that might be assessed

What positive and negative impacts do you think there may be?

There should be positive impacts in terms of better preparedness and reduction in risks and loss of service.

No negative impacts have been identified.

Which groups will be affected by these impacts?

All groups, none disproportionately.

What impact will the proposal have on lifestyles?

For example, will the changes affect:

Diet, nutrition, exercise and physical activity

Substance use: tobacco, alcohol and drugs?

Risk taking behaviour?

Education and learning or skills?

None

Will the proposal have any impact on the social environment?

Things that might be affected include:

Social status

Employment (paid or unpaid)

Social/Family support

Stress

Income

No


41

Will the proposal have any impact on the following?

Discrimination?

Equality of opportunity?

Relations between groups?

No

Will the proposal have any impact on the following?

Discrimination?

Equality of opportunity?

Relations between groups?

No

Will the proposal have an impact on the physical environment? For example, will there be impacts on:

Living / working conditions?

Pollution or climate change?

Accidental injuries or public safety?

Transmission of infectious disease?

May have positive impact on managing disruptions to working conditions adversely affected by business continuity threats.

Will the proposal affect access to and experience of services? For example,

Health care

Transport

Social services

Housing services

Education

Should have positive impacts in terms of preparedness for and avoidance of disruption of services, and on managing disruptions to services adversely affected by business continuity threats.


42

13 Rapid Impact Checklist: Summary Sheet

Reviewed November 2018

Positive Impacts (Note the groups affected)

There should be positive impacts for staff and all patient groups in terms of better preparedness and reduction in risks and loss of service.

Positive impacts in terms of preparedness for and avoidance of disruption of service.

Positive impact on preventing and managing disruptions to working conditions and to service delivery adversely affected by business continuity threats.

Negative Impacts (Note the groups affected)

No negative impacts have been identified

Additional Information and Evidence Required

None

Recommendations

No specific EQIA recommendations

From the outcome of the RIC, have negative impacts been identified for race or other equality groups? Has a full EQIA process been recommended? If not, why not?

No negative impacts have been identified for any equality group. For this reason, a full EQIA process has not been recommended.

Resilience and Business Continuity Annual Report 2017-18

NHS Shetland

Resilience and Business Continuity

Annual Report 2017-18

Prepared November 2018

Author: Dr Susan Laidlaw, Consultant in Public Health Medicine

Executive Director: Susan Webb, Director of Public Health

If you would like this document in an alternative language or format, please contact Corporate Services on 01595 743069

Board Paper 2018/19/50


2

1 Contents

1 Contents ................................................................................................................ 2

2 Acronyms ............................................................................................................... 3

3 Introduction ............................................................................................................ 4

4 National, regional and local Inter-agency arrangements ........................................ 5

5 Local Planning ....................................................................................................... 6

6 Incidents ................................................................................................................ 8

7 Other issues to report ............................................................................................ 8

8 Exercises ............................................................................................................... 9

9 Training ................................................................................................................ 12

10 Risk Management ............................................................................................. 13

11 Audit and self-assessment ................................................................................ 13


3

2 Acronyms

BCM Business Continuity Management

BCP Business Continuity Plan

CBRN Chemical, biological, radiological, nuclear

CCA Civil Contingencies Authority

COMAH Control of Major Accident Hazards

CPD Continuing Professional Development

CPHM Consultant in Public Health Medicine

DPH Director of Public Health

EMT Executive Management Team

H&I Highlands and Islands

HoDs Heads of Department

HoP&M Head of Planning and Modernisation

H&SCP Health and Social Care Partnership

HPS Health Protection Scotland

LRP Local Resilience Partnership

MAIRP Multi-Agency Initial Response Plan

MTPAS Mobile Telecommunications Privileged Access Scheme

NCP National Contingency Plan

NSRRP North of Scotland Regional Resilience Partnership

R&BCWG Resilience & Business Continuity Working Group

RTO Recovery Time Objectives

RRP Regional Resilience Partnership

STAC Scientific and Technical Advisory Cell

SEPF Shetland Emergency Planning Forum

SFRS Scottish Fire and Rescue Service

SGCD Scottish Government Communications Directorate

SGoRR Scottish Government Resilience Room

SCORDS Scottish Resilience and Development Service

SRP Scottish Resilience Partnership


4

3 Introduction

This Resilience and Business Continuity Annual Report for NHS Shetland reports on resilience, business continuity, emergency planning and civil contingency planning activity for the year April 2017 – March 2018.

The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 create responsibilities on a number of organisations in the event of an ‘emergency’. Under the 2004 Act an ‘emergency’ is defined as an event or situation which threatens serious damage to human welfare in a place in the United Kingdom, the environment of a place in the UK, or war or terrorism which threatens serious damage to the security of the UK.

An event or situation threatens damage to human welfare if it involves, causes or may cause:

loss of human life

human illness or injury

homelessness

damage to property

disruption of a supply of money, food, water, energy or fuel

disruption of a system of communication

disruption of facilities for transport, or

disruption of services relating to health.

An event or situation threatens damage to the environment if it involves, causes or may cause:

contamination of land, water or air with biological, chemical or radioactivematter, or

disruption or destruction of plant life or animal life.

Each statutory emergency service and other agencies have a responsibility to serve and protect the public. In practice, in Shetland, the local emergency plans prepare us for situations which call on responses beyond the usual capacity of our organisations. These cover the range of threats outlined in the Civil Contingencies legislation, including those posed by our remote and rural situation, and the island and maritime context (the DPH and CPHM roles include responsibility for Port Health). The Public Health response is also governed by the Public Health etc. (Scotland) Act 2008.

NHS Shetland is a Category One responder (organisations that provide vital services in an emergency), along with local authorities, police, fire service, ambulance, coastguard, environment protection and weather services.

This Annual Report describes the activities undertaken in the last year to support and deliver the functions of resilience and business continuity planning for NHS Shetland. Resilience and business continuity planning work has expanded considerably in the past two years. This has largely been driven by the publication of the NHS Scotland Organisational Resilience standards, which reflect increasing risks from terrorist


5

activities, cyber security threats and climate change in particular. The work programme has also been driven by an internal audit of business continuity planning and the outcomes of exercises and incidents.

4 National, regional and local Inter-agency arrangements

4.1 National arrangements

The Scottish Government's Resilience Division supports organisations that work together to build Scotland’s resilience to emergencies. The Scottish Resilience Partnership (SRP) acts as a strategic policy forum for resilience issues, providing collective assurance to Ministers that statutory responders and key resilience partners are aware of significant resilience gaps and priorities, and are addressing these in line with appropriate and available resources. It also provides advice to the resilience community on how best to ensure that Scotland is prepared to respond effectively to major emergencies.

The Scottish Government Health Resilience Unit has a specific role to support NHS organisations in Scotland. The NHSScotland Resilience Forum has a role as a health sector professional network for NHS Boards resilience leads supporting sharing best practice, providing education opportunities and raising awareness of common issues. The Resilience Advisor attends the Resilience Forum on behalf of NHS Shetland.

4.2 Regional arrangements

In 2013 three Regional Resilience Partnerships (RRPs) were created in Scotland following the formation of Police Service and the Scottish Fire and Rescue Service (SFRS) as single national agencies. The aim of the RRPs was to underpin our local and regional preparedness, and to link into the national structures on resilience. NHS Shetland’s Chief Executive attends the RRP. Each RRP is comprised of Local Resilience Partnerships (LRP) which are aligned with Police, Fire and Rescue and Local Authority boundaries. Shetland is part of the Highlands and Islands LRP, which comes together with Grampian and Tayside to form the North of Scotland Regional Resilience Partnership (NSRRP).

4.3 Local inter-agency arrangements

4.3.1 Shetland Emergency Planning Forum (SEPF)

In Shetland, the emergency services and other stakeholders come as a formal inter-agency group, the Shetland Emergency Planning Forum that takes collaborative responsibility for local action and the preparing and testing of local plans. This group is responsible for the local Multi-Agency Initial Response Plan (MAIRP). The Shetland Emergency Planning Forum’s mission statement is to provide the communities of the Shetland Islands with fully integrated, cohesive, efficient, and quality civil contingencies planning, management and response services.

The Forum meets biannually to update stakeholders in local emergency planning activity. Meetings in April and October2017 covered:

Severe Weather preparedness, including a presentation from the Met Office on the National Severe Weather Warning Service (NSWWS) and how it relates to Shetland


6

Increasing of national security threat level from Severe to Critical in the wake of terrorist events on the mainland

Communications: 4G coverage and telecommunications

Scottish and Southern Electricity Networks Resilience Communities Fund. Three local projects were awarded funding (Fetlar Community Association – to allow the community hall to act as a support centre in emergency situations; Uyeasound Public Hall – to upgrade facilities to create an emergency hub; and British Red Cross – to purchase and modify a van for patient transport.)

Planned training and exercising

Feedback from local and national exercises and events

National and regional briefings

4.3.2 Shetland Emergency Planning Forum Executive (SEPFE)

The Shetland Emergency Planning Forum Executive met throughout the year, both for planned meetings and in response to issues and incidents. This group includes representatives from the local Cat 1 responders. In 2017-18 the Executive dealt with a range of topics including:

Planning for severe weather

Plans for relocation of the Emergency Helicopter Landing Site;

Response to terrorism events in UK

Problems with communication cascades

Care for People Plan

The training and exercising programme for the year, and planning / supporting its delivery;

Planning for and de-briefing from events and incidents throughout the year.

Regular updating on the work of the North of Scotland Regional Resilience Partnership.

Updating the Community Risk Register

4.3.3 Community Safety and Resilience Board

The local Community Safety & Resilience Board met quarterly during 2017-18 with representation of all Category 1 Responders. Its business fulfils the Local Authority requirement to oversee local Police and Fire plans, and in addition it oversees Community Safety and Resilience issues for Shetland. The Resilience Advisor provided a report for each meeting of the Board, covering the main local issues as noted above.

5 Local Planning

Emergency planning for health services is part of the core public health responsibilities carried out by the NHS Shetland Public Health Directorate. However, since the Director of Public Health for Shetland retired in 2016, there have been some changes


7

to the roles and responsibilities, with a number of individuals now holding specific lead roles . Executive responsibility sits with the Director of Public Health for NHS Grampian and Shetland, and the work is now led locally by the Consultant in Public Health Medicine with the Head of Planning and Modernisation having a specific responsibility for business continuity planning within NHS Shetland. The Public Health Specialist Nurse is the Prevent* lead for the Board; the Head of Estates has responsibility for security and the Head of IM&T and e-Health has responsibility for cyber-security within NHS Shetland. There is support from, the Shetland Islands Council (SIC) Resilience Advisor who provides a service to h NHS Shetland through a Service Level Agreement.

The CPHM chairs a Resilience and Business Continuity Working Group (R&BCWG) which includes key individuals and representatives from services across NHS Shetland. However, it is the responsibility of all staff and managers within the service to be prepared for emergencies, and therefore to plan, train and exercise their preparedness appropriately.

The R&BCWG reports via the CPHM to the Board’s Executive Management Team chaired by the Chief Executive, responsible ultimately to the Board.

5.1 Planning guidance

Local planning is based on national guidance:

Business Continuity: A Framework for NHS Scotland. Strategic Guidance for NHS Organisations in Scotland. 2009

Preparing For Emergencies: Guidance for Health Boards in Scotland. 2013.

Other relevant national guidance is detailed in the Shetland Joint Health Protection Plan (currently under review) and includes:

Management of Public Health Incidents Guidance on the Roles and Responsibilities of NHS led Incident Management Teams October 2011.

Playing Our Part – Implementing the Prevent Strategy: Guidance for Health Boards.

NHS Scotland Standards for Organisational Resilience

Preparing for Emergencies set out what NHS Boards should do to comply with duties under the Civil Contingencies Act (2004) and other key legislation, thereby enhancing their resilience. The Organisational Resilience Standards are set in the context of that guidance; taking into account recent developments, new information in the professional discipline, and new imperatives on the NHS and delivery partners in Scotland, notably Health and Social Care Partnerships (H&SCP). The first version of the standards was published in 2016: a set of 42 standards covering every aspect of resilience functions including dealing with terrorism threats, cyber-security, Prevent , critical assets, pandemic flu, BCPs, leadership and governance. These were revised in May 2018 and a second edition published.

* Prevent is part of the UK counter-terrorism strategy (known as Contest)

http://www.scotland.gov.uk/Publications/2011/11/09091844

http://www.scotland.gov.uk/Publications/2011/11/09091844


8

5.2 Mutual Aid

As well as the multi-agency arrangements through the Shetland Emergency Planning Forum, NHS Shetland has specific surge capacity arrangements in place across the north of Scotland for Public Health functions via the North of Scotland Public Health Network, and arrangements between the north of Scotland NHS Boards for clinical and support services. These are designed to ensure co-operation and collaboration between Shetland and the other northern NHS Boards in emergency situations where local demands outstrip local capacity, and are formalised through a Mutual Aid Agreement.

6 Incidents

There were no major emergencies during 2017-18 that required a full activation of the NHS Shetland Major Emergency Plan. However there were some other incidents and issues to be managed during the year.

6.1 Terrorism Threat level raised to Critical (May 2017)

During the evening of 23rd May the UK security threat level was raised to critical following a terrorism incident in Manchester. An urgent Executive Management Team (EMT) meeting was held the following day, and a number of actions were taking as per national guidance including issuing information to staff, checking the hospital control room, reporting to Scottish Government. However it was evident that the Board did not have a appropriate plan in place for dealing with this type of issue / incident at a strategic level and this is therefore being included in the review of the Major Emergency Procedure. Nationally further guidance was issued on actions to be taken as the threat level changes in the form of a Graduated Security Plan (GraSP).

6.2 Full emergency at Scatsta Airport (July 2017).

The Gilbert Bain hospital was notified of a potential emergency, and although stage 1 alert was not declared (and it was stood down after 20mins), there was some notification of key staff in preparation.

Alert levels and call out in MEP to be reviewed.

Process to be put on place to ensure all incidents and potential incidents are notified to Resilience Lead.

6.3 Major Emergency: RTA with four casualties (August 2017)

This occurred in Brae in the early hours of the morning, with four casualties being brought to GBH: three were subsequently required transfer south. A major emergency was declared for the hospital, however the hospital control room was not required to be set up, and this was not a called as a major incident by the Police. The debrief identified a small number of issues to feed into the review of the MEP.

7 Other issues to report

7.1 Organisational Standards for Resilience

The self assessment for the 2016 standards was submitted in 2017. There was some generic feedback from the Government and a requirement to submit some further


9

evidence. A number of actions were identified through the self assessment which are being taken forward primarily through the R&BCWG and a newly formed Security Group. (The Standards were revised in 2018 with a requirement to submit a further self assessment in August 2018).

7.2 Business Continuity internal audit

An internal audit of business continuity planning and management was carried out in 2017, as follow up to a previous audit in 2014. There is an action plan which is being worked through. (Most of the actions had already been identified as requirements from the Resilience Standards). We now have in place a more robust system for monitoring the annual updating of BCPs and have commenced a rolling programme of exercises to test BCPs.

7.3 Powered Respiratory Protective Suits (PRPS)

These suits are for use by staff undertaking decontamination of casualties in the event of a chemical, biological, radiological or nuclear contamination and have been supplied to Boards by the Scottish Government. In 2017, all the suits in Scotland were due to be replaced as they were reaching their expiry date. However, there was a delay in the manufacture of the new suits which resulted in a number of Boards (including NHS Shetland) organising for a small number of suits to be recertified as they reached the expiry date in September (which had already been extended by three months).

However, it then became apparent that this could only provide ‘on the day’ assurance of the suits’ functionality. This left ourselves, and a number of other Boards with a significant risk of having PRPS which would not adequately protect the staff wearing them should they be required, and indeed could be dangerous to the staff wearing them if not functioning properly. The Scottish Government then procured a small stock of reconditioned suits with an expiry date of March 2018 which were distributed across Scotland, with four coming to Shetland. We did have a period of a few days at the end of September with no certified PRPS. Eventually during March and April 2018, the new suits with a ten year lifespan became available and were distributed across Scotland with NHS Shetland receiving our full stock of 12.

7.4 Cyber attack (May 2017)

In May 2017 a large number of organisations across the world, including the NHS, were subject to international ransomware cyber attack. This resulted in significant disruption to services. In Scotland, all NHS Boards were affected apart from NHS Orkney and NHS Shetland. In response to this attack and continuing threats, there is continuing work to protect our systems locally.

8 Exercises

NHS Shetland staff have been involved in a number of exercises on a local, regional and national level designed to test emergency plans and business continuity plans.

8.1 Sumburgh Airport Exercise ‘Tirrick 2’ (September 2017)

The exercise aimed to test the multi-agency response following an aircraft accident at sea 1km from Sumburgh Airport: specifically transportation, triage and management of


10

casualties through the airport’s Casualty Reception Centre (CRC) and then onto the Gilbert Bain Hospital. A large number of NHS staff took part and there were many actions which are being picked up primarily through the review of the Major Emergency Procedure. These include reviewing all the role descriptors; the location of the emergency control room, reviewing all patient and logging paperwork and producing detailed action cards and checklists for staff, along with training.

8.2 Exercise ‘Border Reiver’ (October 2017) This was a UK tier one live exercise with participation up to and including UK and Scottish Government Ministerial level. The scenario was a multi-site attack with mass casualties in Lothian and elsewhere involving response from emergency services, Scottish Territorial and Special Health Boards and some local authorities. Live play extended over three consecutive days at different UK locations, but most Territorial Boards (including NHS Shetland) were only involved on day one. A Strategic Health Group was called to coordinate cross-board incident responses at a strategic level involving NHS Board Chief Executives from across Scotland (by teleconference). Boards were also required to consider their ability to take casualties as part of a national response. Members of the Executive Management Team played into the meetings of the SHG, with the CPHM and Resilience Advisor observing. There were a number of actions identified nationally as a result of the exercise. Locally we were able to provide an accurate assessment of our capacity to take patients, but questioned whether this would be at all realistic. We also identified an option to potentially send staff to the mainland, only if we were well staffed at the time of an incident.

8.3 Highland and Islands Pandemic Flu Table Top Exercise ‘Odette’ (November 2017)

The aim of this exercise was to exercise the Highlands & Islands Local Resilience Partnership response to an outbreak of Pandemic Influenza affecting the UK. It was held by v/c in four locations. In Shetland there were 22 attendees, including the CPHM and Resilience Advisor. A number of key strategic actions were identified from this exercise:

Managing excess deaths

Managing potential fuel shortages and critical dependencies including power, heating and transport

Staffing issues

De-regulation (relating to staff deployment and waiting times)

Maintaining supply chains – including oxygen, medication and consumables.

Local actions will be taken forward through review of the Pandemic Flu Plan, some actions such as de-regulation need to be addressed nationally.

8.4 Shetland Multi-agency Tabletop Exercise to Test Plans and Risk Assessments for Lerwick Up Helly Aa. (January 2018)

This was a table top exercise with 31 multi-agency participants; attended by a Public Health representative and the Resilience Advisor. The participation and engagement throughout the exercise was excellent with very positive feedback from attendees as to the value of running the exercise. It created a new level of shared understanding of what is in place and available for this event. It was noted that First Aid trained


11

Marshalls should be spread through the procession; and Scottish Fire and Rescue Service offered to help train Marshalls in First Aid before 2019 Up Helly Aa. There were no specific learning actions for NHS Shetland

8.5 NHS Shetland IT Business Continuity Tabletop Exercise ‘Pecking Order’ (February 2018)

This was the first in a rolling programme of exercises being planned to test business continuity within NHS Shetland. The scenario was power loss at the weekend and re-establishment of IT systems. This exercise sought to test how robust the proposed arrangements are, and the inter-dependences involved. Learning points from the exercise included:

Review of departmental business continuity plans to include:

Manual workflow and record keeping

Availability of staff

Communications

Alternative work locations

Length of time a team can ‘survive’ without IT (Recovery Time Objective – RTO)

8.6 National Health Protection Exercise ‘Iris’ ( March 2018)

This table top exercise was to test the readiness of Scotland’s NHS Boards’ structures, facilities and systems to respond to a suspected outbreak of MERS-CoV. Although primarily a health protection scenario, this exercise was run by the Scottish Government rather than Health Protection Scotland. It covered initial management, contact tracing, transfer arrangements and availability of and familiarity with infection control and clinical guidelines. The Infection Control Manager attended on behalf of NHS Shetland.

8.7 Partner exercises

A number of exercises were also undertaken by the local Emergency Planning partnership which did not have direct NHS involvement, but which tested aspects of partner agencies emergency preparedness. These included:

SVT / SIC Pollution Exercise (September 2018)– to test the new Incident Management processes that EnQuest will use after the transition of Terminal Operatorship

Exercise Carrot at Shetland Gas Plant (September 2018) -This was an exercise to test the communications detailed in the Shoreline Protection Plan and the interaction between relevant authorities.

Exercise Hi-Jack – HIAL, Sumburgh Airport (January 2018)

Exercise Eridanus, CoMAH (Enquest) Sullom Voe Terminal (March 2018) - Planned as part of the annual training and exercise programme for Sullom Voe Terminal .


12

In addition the Resilience Advisor attended the following exercises and events outwith Shetland:

Exercise Opus Resilience (July 2017) – this was a multi-agency tabletop exercise, delivered by the UK National Disaster Victim Identification Unit (UKDVI) on behalf of the National Police Chiefs Council - Civil Contingencies business area.

Workshop - Shoreline Response in Scotland (November 2017)–– Industry Shoreline (Oil Spill) Response in Scotland

Exercise Axile Robor – Mass Fatalities Workshop (March 2018)

9 Training

Relevant training is delivered locally both within NHS Shetland and in conjunction with partner agencies. Training in 2017-18 included:

9.1 SCORDS Crisis Management 2 – Decision Making Under Pressure (April 2017).

Multi-agency training attended by members of the Public Health Team and managers on the Senior Manager on call rota.

9.2 SCORDS Crisis Management 3 – Leading & Communicating (April 2017).

Multi-agency training attended by members of the Public Health Team and managers on the Senior Manager on call rota.

9.3 Project Griffin / Security Awareness. (April 2017 and September 2017).

Multi-agency training attended by the CPHM in April and the Prevent Lead in September.

9.4 Move to Critical Workshop (June 2017)

Police Scotland delivered this workshop in Shetland following two episodes where the UK threat level had moved to critical. The SIC and NHS Shetland had developed draft Graduated Security Plans which were reviewed at the workshop. There were 44 attendees from the SIC, NHS Shetland and other local organisations. The feedback was that this was a worthwhile event giving overview of current threat level to the UK and what we are required to do when the threat level changes.

9.5 NHSScotland Prevent Learning Event (October 2017)

The Prevent Lead attended this event.

9.6 Surviving a Public Enquiry (November 2017)

The CPHM / Resilience Lead attended this training in Aberdeen along with public health colleagues from Grampian. The training was very interactive including understanding what a Public Enquiry involves, how to prepare for it and playing the role of a professional witness being cross examined by a (real) barrister. It was an excellent learning experience and it is recommended that the Board considers this training for senior managers who may find themselves in the midst of a Public Enquiry.


13

9.7 Other training

Specific training issues for individuals and departments have been identified from local exercising of plans and are being taken forward through the Resilience and Business Continuity Work Plan.

A local programme of training for managers (Managers Bundles) has been developed and this includes a session on business continuity planning.

10 Risk Management

Local risks are assessed and along with remedial actions, used to inform emergency planning via Shetland’s Community Risk Register in line with the responsibilities outlined in the Civil Contingencies Act 2004 for category 1 and 2 responders. The Community Risk Register is updated annually or whenever an incident occurs, to ensure the risks contained therein are correctly assessed. This correlates with the risks identified within Shetland NHS Board’s Corporate Risk Register (which has been regularly updated through 2017-18 with respect to emergency planning risks), and the process for risk management within the Board. The Public Health Department Risk Register continues to be updated with more detailed risks (and their management) recorded in relation to the public health team’s role in emergency planning and resilience.

11 Audit and self-assessment

Following previous audits of preparedness undertaken by the Board’s public health team and resulting actions, a follow up review of the Board’s resilience and business continuity planning was carried out by the Board’s Internal Audit Team in August 2017. This reviewed the Board’s Business Continuity Planning arrangements in the context of preparedness and resilience, and made a number of recommendations for improvement against which actions are being progressed on staff awareness and understanding, the detail and completeness of business continuity plans in place, testing of plans and updating in the light of learning from incidents, and the connectedness and impact of recovery across functions.

Agenda Item 14 - NHS Shetland · Key Performance Indicators (KPIs) and outline plans for exercising...

Documents

Transcript of Agenda Item 14 - NHS Shetland · Key Performance Indicators (KPIs) and outline plans for exercising...