- Amendment / Review History
- Introduction
- Scope
- Business continuity management objectives
- Business continuity management principles
- Business impact analysis
- Maximun acceptable outage
- Business continuity plans
- Contingences
- Responsibilities
- Response organisation
- Pick or type role name
- Business unit
- Testing and maintenance
- Training and awareness
- Document owner and approval
| Author: | Jono Erodotou |
| Responsibility: | All Staff |
| Effective Date: | 01 June 2024 |
| Review Date: | 30th May 2025 |
| Approved By: | |
| Version Number: | 01 |
Amendment / Review History #
| Date | Author | Comments |
|---|---|---|
Introduction #
The Leadership Team of K4 Medical Services recognises that the changing nature of the environment in which we operate means that our ability to continue operation uninterrupted may not be entirely within our control. Whilst we may not have experienced a significant interruptive incident in the past, we know from the experiences of others that K4 Medical Services also could be seriously affected by an unforeseen incident.
External issues that drive the need for business continuity include:
- Geo-political issues, E.g. regional or local political instability; severe weather events such as hurricanes, earthquakes, widespread flooding
- Broad market conditions. E.g. competitive landscape; emerging technologies; customer expectations; global shifts in economic power and finance
- Local economic aspirations. E.g. political imperative to boost economy, provide work, attract investment.
- Known threats due to the nature of K4 Medical Services’s products and services from extremists, activists, organised crime, mischief makers
Expectations of clients, interested parties with regard to response to disruption due to [severe weather events, disruption to utilities, transportation, strikes, pandemic illness, product recalls, significant security breaches, major public events]
Known threats due to activities of neighbouring organisations or communities Internal issues that drive the need for business continuity include
- E.g. avoidance of late deliveries and penalty clauses; maintaining reputation for reliable service through disruption; reliance upon critical materials and suppliers; reliance upon vulnerable single sources of critical materials, components or skills; reliance upon vulnerable logistics links (e.g. only one road link)
Our customers are entitled to expect that we do everything possible to ensure minimum disruption to our operations and the delivery of services upon which they rely. To this end, K4 Medical Services has a Business Continuity Management (BCM) programme with a set of interlocking plans and arrangements (the Business Continuity Management System, or BCMS) that will ensure K4 Medical Services has a tried, tested and best practice response to significant disruptions.
The company must be as resilient as possible, so that any incidents outside our control will have little or no effect on our operations and so that, when a major incident occurs, our ability to sustain operations and ultimately recover is founded on a planned and well-thought-out approach, utilising contingency resources that we maintain for such eventualities.
In the event of a major incident, priority will be placed upon the safety and welfare of our Employees and visitors, above the restoration of critical business activities. Whilst the two are not mutually exclusive, management focus and resources will be diverted, where necessary, from business activity recovery to ensuring safety and welfare.
Scope #
The scope of the BCMS is our risk management activities.
For each of the above statement of potential impact related to disruptive incident, e.g. if sole courier service supplier fails, we cannot make deliveries; f sole supplier of mineral X suffers disruption, product Y deliveries will stop when stocks exhausted.
This BCMS policy supports the K4 Medical Services mission by assuring that services are delivered with our best endeavours despite disruptive events, maintaining SLAs wherever possible.
K4 Medical Services risk management strategy is set out in board instruction and the business, legal and regulatory drivers with respect to continuity of operations are defined in board instruction. The BCMS is expected to support compliance with these requirements.
When events outside our control cause disruption, our customers do not expect excuses; they expect our normal high standards of customer care to be extended through disruption so that they suffer minimal inconvenience, hardship and distress. It must be clear to them that we were duly diligent in planning ahead for disruption and;
- Providing adequate emergency response;
- Temporary measures in place of lost products and services;
- Timely recovery.
- Major uncertainties that give rise to risk to K4 Medical Services are:
- External: high-level list from above.
- Internal: high-level list from above.
Risk criteria must prioritise life safety (of employees, visitors to K4 Medical Services’s premises, and of neighbouring communities) and focus upon the preservation of K4 Medical Services’s reputation for proactive, reliable delivery of key products and services. Impacts that could threaten K4 Medical Services’s reputation such that clients or regulators could significantly lose trust in us must be ideally eliminated, or at least mitigated to the extent that we can proudly say we did our best and demonstrate due diligence to regulators, courts and the families of bereaved persons. Severe impacts must be mitigated regardless of likelihood.
The purpose of the BCMS is to assure K4 Medical Services’s survival according to these risk criteria and to aid good governance by including the appropriate checks and balances (for example, but not limited to, exercises and audits) to make due diligence and effective planning for disruption transparent in any discovery process that might be instigated after a disruptive incident. In order to optimise the application of resources to the BCMS, the BCMS scope defines areas of K4 Medical Services that are subject to its measures and that benefit from its additional protection. These areas are set out in the following table.
Areas of K4 Medical Services falling within the scope of the BCMS
| Locations | Identify all geographic areas that are within scope, including internationally. |
| Business Units | All business units – If this policy applies to less than all business units, set this out here together with supporting justification. |
| Activities | All activities conducted by business units at locations within the scope. |
| Supply Chain | All level 1 suppliers involved in critical activities (if you have level 1 suppliers, you will need to create criteria for selecting them and a method of maintaining and managing a list. Documentation for this is outside the scope of this toolkit); all critical suppliers (it may be necessary to manage suppliers of critical components, services or consumables directly to avoid excessive or unrealistic reliance upon level 1 relationships.) Ref: Approved Suppliers List |
| Resources | Telecommunications & Information systems including all data in use. Office buildings & facilities Service facilities, plant & equipment. People. BC-Specific resources – Emergency communications systems, duplicate systems and premises, themselves may need BC planning and risk mitigation. |
| Stakeholders | Group board, including non-executives Shareholders Other stakeholders Customers – Not all customers will necessarily be in scope – you may want to divide them up into groups Staff and their families Suppliers |
| Incidents Scenarios | Key assessed risks on K4 Medical Services’s risk register include Any incident leading directly to the prolonged evacuation or unavailability of company facilities Prolonged failure of the company’s internal and/or customer-facing IT network Major product/service failure Absence due to illness, including pandemic influenza, of significant numbers of staff Political or other prevention of the delivery of services worldwide |
| Timeline Phases | The assessment of impact and planning of response and contingencies will be based upon elapsed time following the interruption of operational activities, constituting the ‘timeline’ to be used for Business Impact Assessment. The earliest point on the timeline is 4 hours – Make sure that this profile works for your overall impact assessment and reflect these timelines in your BIA tool The latest point in the timeline is 24 weeks – Make sure that this profile works for your overall impact assessment and reflect these timelines in your BIA tool The timeline features 3 phases: 1, Incident response – measured in hours 2, Operational continuity – measured in days or weeks 3, Full recovery – measured in weeks or months Incident Response and Business Continuity plans will cover the first two phases. Recovery plans will outline the last phase. |
The requirements of this policy relate only to the areas of K4 Medical Services listed in the table above as being within the scope of the BCMS.
Business continuity management objectives #
The BCM objectives are as follows:
- With life safety as first priority, to ensure the safety and welfare of K4 Medical Services’s Employees and directors and of any visitors who are in K4 Medical Services’s premises at the time of an incident
- To minimise the impact on K4 Medical Services of any interruption to normal activities, to a level which is below the impact tolerance level stated in this policy
- To contain any financial costs associated with interruptions or incidents to levels that will be covered by K4 Medical Services’s insurances
- To protect K4 Medical Services’s reputation as a reliable and resilient supplier of products and services, and to ensure that business following any interruption is not adversely affected by reduced levels of activity during an interruption
- To protect K4 Medical Services’s brand and image during and following any interruption, so that its ability to secure new business in the future is not prejudiced by the interruption or K4 Medical Services’s response to it.
Business continuity management principles #
The BCMS is based upon ISO22301:2012 Business Continuity Management System Requirements and includes the following components:
| BCM Component | Practical Requirement(s) |
| Business Impact Analysis | Assessment and analysis of TC’s operational activities and services, and their relative criticality. |
| Risk Assessment | Assessment and analysis of the risk of occurrence of disruptions to K4 Medical Services’s activities and controls applied to reduce the risk to an acceptable level. |
| Invocation Arrangements |
Documented, tried and tested procedures for invoking aspects of the BCMS arrangements to deal appropriately with incidents. |
| Disaster Recovery | Arrangements for the restoration of services or the provision of alternative enabling resources. |
| BC Planning | Documented plans at group, company, division and service levels – Customise this to reflect your organisational structure, drawn up in conformance with Strategy and BCM Planning, which set out key actions to be taken in response to a variety of scenarios and showing how activities will be restored. |
| Culture | An ongoing programme of training and awareness activities aimed at maximizing the awareness of BCM amongst all staff and stakeholders and securing collaborative ‘buy-in’ so as to ensure the continued and proactive operability and maintenance of the BCMS. |
| Testing | An ongoing programme of activities that test all aspects of the BCMS, thereby proving its adequacy and operability and providing assurance to the Leadership Team |
Business impact analysis #
The key objective of the BCMS is the limitation of impacts arising from a disruptive incident with an appropriate combination of proactive (avoidance) and reactive (response) measures. However, it is recognised that K4 Medical Services must be prepared to accept a certain level of impact in the event of an interruption, not least so as to limit the level of expenditure on risk controls and resilience measures to that which is appropriate for K4 Medical Services’s risk appetite.
The Leadership Team will, from time to time, publish criteria for the assessment of impact. These criteria will include, but will not be limited to, impacts whose nature is:
- Financial
- Reputational
- Affects customer service/satisfaction.
The table below defines the levels of impact that are used in making assessments.
| Level | Impact | |
| Very High | 5 | Impact that is likely to terminate K4 Medical Services’s existence |
| High | 4 | Impact that exceeds K4 Medical Services’s risk tolerance, but from which it would expect to eventually recover |
| Medium | 3 | Major loss of business value |
| Low | 2 | Significant loss of business value |
| Very Low | 1 | Minor loss of business value |
K4 Medical Services’s policy is that any risk with a Very High impact must be mitigated and that very low impact levels are automatically accepted. The approach to risk assessment as set out, focuses on the High, Medium and Low impact categories.
Maximun acceptable outage #
Generally, the impact experienced following a disruptive incident will continue to increase with time, until the service is resumed. The priority and resource resilience given to each activity is established on an objective basis, so the Maximum Acceptable Outage (MAO) is a function of the rate of increase of impact in relation to the Minimum Business Continuity Objective for the activity.
For each activity, the MAO is the point on the timeline at or before which the activity must be resumed, so that the resulting impact will be within the MBCO.
The Recovery Time Objective (RTO) for each activity may be a time period shorter than the MAO, and certainly not longer, allowing for the gradual recovery of activities and where the activity can, in any event, be recovered much more quickly. The Leadership Team may vary MBCO, MAO, and RTO at its discretion.
Business Impact Analysis will be carried out using a BIA Tool and the use of this tool will reflect these principles.
Business continuity plans #
In the event of the Business Continuity Plan (BCP) being activated, the Pick or type role name will use the BCP and its associated documents to guide their decisions on response and recovery actions. The structure of plans is as follows:
- Top level organizational plan
- Business unit (location) plans
- Service / activity level plans.
All plans set out their scope of applicability so that it is always clear which plans should be activated and the response and recovery activities that they cover.
Contingences #
The BCM system includes, and relies upon, a range of contingency resources that may be invoked as required depending upon the nature of any incident. The arrangements for each contingency resource include a specification for invocation and availability, embodied within the relevant plans and procedures.
Advance expenditure on contingency resources is based upon the criticality of the activity in question and upon its RTO, and is approved by the Leadership Team.
For information and any other rapidly changing resources, a Recovery Point Objective (RPO) will also be established, to ensure that the restored resource provides the appropriate level of operational capability.
Responsibilities #
The Ops Manager is accountable to the Leadership Team for the proper development, implementation and maintenance of the BCMS policy.
The Manager is responsible and accountable to the Ops Manager for executing the actions required of them by the Pick or type role name and Head of Risk.
Individuals that have specific responsibilities in terms of the BCMS are identified in the Roles & Responsibilities Register and the Head of HR is responsible for ensuring that the detailed BCMS requirements of individual roles are contained in their job descriptions.
Approvals of any and all material changes to the BCMS policy will be approved by the Board of Directors and approval for changes to procedures that implement the BCMS policy will be approved by the Manager to whom the person responsible for the procedure reports. Any procedural changes that may require changes to K4 Medical Services’s BCMS policy may only be made if the BCMS policy itself is changed in such a way as to allow this.
Response organisation #
The response to incidents will be managed as follows:
Pick or type role name #
The Pick or type role name is responsible for overall leadership and direction of response activities in more serious cases and will normally be mobilized in situations where there is a requirement for media handling or public relations, there are casualties, more than one site or business unit is directly affected by the incident.
Business unit #
Business unit teams are responsible for leadership of response and recovery activities and the recovery of activities within specified RTOs.
They are always mobilised when an incident directly affects their operational activities, and they may be mobilised in certain cases when inter-location or inter-unit collaboration or support is required.
Testing and maintenance #
The BCMS will, will be tested on a regular basis, including.
- Desktop rehearsal of business unit business plans at least every 12 months.
- An exercise at business unit level, including testing of in-house and outsourced disaster recovery arrangements at least every 18 months.
- A ‘group-level’ exercise involving some activation of all business unit plans and testing of in-house and outsourced contingency arrangements at least every 24 months.
A detailed testing plan will be subject to approval annually by the Leadership Team and will be maintained and implemented by the Ops Manager.
Training and awareness #
K4 Medical Services recognises that the BCMS will be most effective when all Employees and stakeholders have an appropriate level of awareness of resilience, contingencies and response plans.
The Head of HR is responsible for developing and implementing a BCMS awareness and education programme, and the completion of relevant training and the execution of actions required to maintain the BCMS will be treated as objectives within K4 Medical Services’s performance management system.
Document owner and approval #
The Ops Manager is the owner of this document and is responsible for ensuring that this policy is reviewed in line with the review requirements of the BCMS.
The current version of this document is available to all/specified members of staff on the corporate intranet and is published enter details.
This document is approved by the Ops Manager on the issue date shown and is issued on a version controlled basis under his/her signature.
