04 Business Continuity and Emergency Planning
- The purpose of emergency planning is to ensure the effective management of response to emergencies.
- Emergency planning is at the heart of the civil protection duty on Category 1 responders at the local level.
- Emergency plans must be developed in accordance with a risk assessment and the responder's functions.
- Generic plans are required. Specific plans are permitted, but not required.
- Category 1 responders must consider the benefits of developing multi-agency plans.
- Category 2 responders, others involved with the Strategic Co-ordinating Group and voluntary organisations should be included at all stages of planning arrangements.
- Training and exercising is a formal requirement of emergency plans.
Planning for response to emergencies
4.1 The purpose of emergency planning is to prepare for the effective management of response to emergencies. Preparation for emergency response lies at the heart of the Civil Contingencies Act 2004 provisions and the Regulations.
4.2 The objectives of emergency response are:
- to preserve life, property and the environment
- to reduce to a minimum the harmful effects of the emergency
- to bring about a swift return to normal life
- to maintain normal services at an appropriate level.
To meet these objectives the Act places a duty to plan for emergencies on Category 1 responders. 1
4.3 The basis for planning and response will be Integrated Emergency Management ( IEM). Under the principles of IEM preparation and response to emergency should concentrate on the effects of the emergency rather than its cause and, wherever possible, should be planned and undertaken as an extension of normal day to day functions of local responders. An underlying aim of the process will be to develop flexible arrangements which will enable agencies to deal with any crisis whether foreseen or unforeseen.
4.4 Emergency plans do not necessarily need to be single documents that describe, in detail, response to particular emergencies. They can also be based on discrete arrangements that fit within an agreed co-ordinating management structure. However, they must be auditable and demonstrate the ability of the Category 1 responder to perform its duties under the Act. 2
The duties to plan for emergencies
4.5 The Act lays two duties on Category 1 responders related to planning for emergencies:
- Category 1 responders must maintain plans for the purpose of ensuring that, so far as is reasonably practicable, if an emergency occurs it is able to continue to perform its functions 3; and
- Category 1 responders must maintain plans for the purpose of ensuring that if an emergency occurs or is likely to occur, it is able to perform its functions, as necessary or desirable, 4 for the purpose of:
- Preventing the emergency;
- Reducing, controlling or mitigating its effects; or
- Taking other action in connection with it.
4.6 A duty to maintain arrangements to warn and provide information for the public is dealt with under Chapter 5 of this guidance.
4.7 Each Category 1 responder's plans should be integrated with their organisation's internal management arrangements and should be aligned with the management framework for response established by each Strategic Co-ordinating Group.
4.8 For a plan to be valid, it must be accepted as the stated policy of the organisation or organisations, for which it has been produced. For this to happen, the key decision makers in an organisation should have an awareness of the plan and acknowledge ownership.
4.9 The duty to maintain plans for response to emergencies is determined by the definition of emergency in the Act and the risk assessment carried out under Part 3 of the regulations. 5 The duty applies only to those events or situations that threaten serious damage to human welfare, the environment or national security that cannot be dealt with by normal operating procedures and resources.
4.10 The duty to plan and co-operate rests with Category 1 and 2 responders but all organisations with a potential part to play should be involved in planning, whenever possible. It would be ineffective if organisations such as the Armed Forces, Scottish Executive, voluntary organisations and local businesses were not involved in local emergency planning where it affected their business.
4.11 The duties to plan for response to emergencies require the maintenance of plans, where necessary, to address the risks assessed under the Regulations and the responder's functions.
4.12 Each Category 1 responder must have regard to any relevant risk assessment it has carried out. This will include Community Risk Registers produced in other Police areas. 6
4.13 In preparing its plans a Category 1 responder should consider the capabilities required to deal with the risks. As part of the risk management process lack of capability may require risk treatment. However, under the terms of the Act, the sole risk treatment activity which must be taken is to maintain plans where these are necessary or desirable. 7
Planning to continue to perform functions (Business Continuity Management)
4.14 The Act requires Category 1 responders to maintain plans (business continuity plans) to ensure that they can continue to perform their functions in the event of an emergency to ensure that:
- Category 1 responders can mobilise the functions they need to perform to deal with the emergency;
- the impact of the emergency on the responder's day-to-day activity is kept to a minimum; and
- vital services for the community can be maintained at an appropriate level.
4.15 This duty relates to all the functions of a Category 1 responder, not just its civil protection functions. Category 1 responders need to maintain their own crisis response capabilities in order to help others in the event of an emergency. However, Category 1 responders also need to be able to continue to deliver critical aspects of their day-to-day functions (e.g. law enforcement, looking after vulnerable people, attending minor fires) in the event of an emergency, if the impact on the community is to be kept to a minimum.
4.16 This duty applies to each Category 1 responder. The ability to perform functions and support emergency response should be owned corporately and plans should be supported by senior managers.
4.17 Business Continuity Management ( BCM) is a flexible management framework designed to help organisations to continue operating in the face of a wide range of different types of disruptions. It can assist in dealing with a range of disruptions from "normal" internal business crises to the major emergencies caused by external events.
4.18 However, the BCM duty is determined by the definition of emergency in the Act and requires planning for a much narrower range of disruptive challenges. While the legal definition of the duty focuses on the most challenging situations, it is likely that the arrangements made will enhance responders' resilience to a much wider range of day-to-day interruptions.
4.19 The BCM duty is qualified. It requires Category 1 responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency "so far as is reasonably practicable". There are three aspects to this qualification:
Criticality - Category 1 responders should focus on ensuring that they can deliver critical functions. Which of its functions are critical is a matter that can be determined only by the organisation itself and may depend on the nature of the emergency in question. The following guiding principles may assist when deciding whether or not a service or activity is critical. It is not intended to be a definitive list, but rather a series of useful indicators:
- Emergency management/civil protection - Functions that underpin the Category 1 responder's capability to respond to the emergency itself and take effective action to reduce, control or mitigate the effects of the emergency.
- Impact on human welfare, the environment and security - The significance of services, for the community, in an emergency.
- Legal implications - Statutory requirements on Category 1 responders and the threat of litigation if a service is not delivered, or is delivered inadequately.
- Financial implications - Loss of revenue and payment of compensation.
- Reputation - Functions that impact on the credibility and public perception of a Category 1 responder.
Service levels - The Act does not require Category 1 responders to continue to deliver their functions at ordinary levels in the event of an emergency. Some critical functions may need to be scaled up, while others (which are non-critical) may need to be scaled down or suspended. Acceptable levels of service in the event of an emergency are a matter for the Category 1 responder itself to determine in the light of its capabilities, constraints and the needs of the community. Arrangements made under the duty provide an opportunity to address these matters and provide the community with prior information regarding the service they can expect at a time of crisis.
Balance of investments - No organisation will be in a position to commit unlimited resources to BCM. It is the role of the Category 1 responder itself to decide the level of protection sought in the light of resource availability and risk appetite.
4.20 Category 1 responders must therefore put in place a process for effectively managing the prioritisation of services - and achieving high-level endorsement for it - prior to an emergency occurring.
4.21 In preparing its plans to continue to perform its functions the Category 1 responder must have regard to the arrangements made to perform them in response to an emergency and to the framework for response established by the Strategic Co-ordinating Group in its Police area.
Planning to respond to emergency
4.22 Category 1 responders must maintain plans for the purpose of ensuring that if an emergency occurs or is likely to occur, it is able to perform its functions, as necessary or desirable, for the purpose of:
- preventing the emergency
- reducing, controlling or mitigating its effects, or
- taking other action in connection with it. 8
4.23 The first element of the duty deals with the short time before an emergency occurs, when it might be avoided by prompt or decisive action. Plans should ensure that if an emergency is likely to occur the Category 1 responder can perform its functions to prevent the emergency.
4.24 Prevention, in this context, means carrying out functions in such a way as to prevent an emergency which is about to occur or reduce its impact. Emergencies should be "nipped in the bud" in the way that fire fighters stop a fire from spreading, highways authorities close a road or a bridge in the face of imminent collapse, the emergency services mobilise on New Year's Eve in readiness to deal with incidents and health services take action to immunise against the spread of disease.
4.25 The Act does not impose a duty on a Category 1 responder to prevent all emergencies nor does it require it to undertake remedial works which might prevent a possible emergency at some future date. Such actions may be desirable and they may be a logical outcome of the risk assessment process at the risk treatment stage but they are not required by the Act.
4.26 The second element deals with mitigating, controlling or reducing the effects of an emergency. Prompt remedial action will reduce the impact of an emergency. Effective management of response will mitigate its effects and support quality decision making regarding the controlling of its effects.
4.27 Plans must therefore enable rapid mobilisation and management of resources. They must be flexible and adaptable to the circumstances of an emergency. They should enhance the functional response to an emergency from the earliest stages of its development to the long term rehabilitation and recovery of the affected communities.
4.28 Plans must also address the third element of the duty, enabling responders to take other action in connection with an emergency. The effects of emergencies are not all predictable. The immediate effects are obvious and will be identified through the risk assessment process. However, secondary and longer term effects are largely determined by the circumstances of an emergency and matters such as the timing, location, season and the community affected. These things may require a responder to take action by performing its functions in innovative and unforeseen ways.
4.29 Some subordinate arrangements and procedures that support emergency plans might not be captured by the earlier requirements. By including a third duty to maintain plans for taking other action in connection with an emergency the Act ensures that there can be no doubt that these types of secondary arrangements and supportive procedure are required by statute.
4.30 Subordinate arrangements required in support of plans are necessary to ensure effective and sustained response. They may include, for example, emergency control centres, internal communications, contractual arrangements with third parties, information management systems, media relationships or stress management for staff.
Duty to have regard to plans to warn, inform and provide advice for the public
4.31 A Category 1 responder must have regard to its plans to warn, inform and provide advice for the public in carrying out its duties to maintain emergency plans. 9 Both sets of plans should be fully integrated into the responder's arrangements.
4.32 Under the Act plan maintenance procedures must ensure that plans for business continuity and response to emergencies are kept up to date.
4.33 Plans must be reviewed and amended, as necessary, in the light of changes in the environment in which the plan is set. For example, these may include new risks, 10 roles and responsibilities, lessons learned from emergencies or exercises, changes in the organisation, personnel, legislation or regulation.
4.34 Any modification of plans and arrangements must be supported by complementary procedures to ensure that documentation is current, personnel are made aware of changes and, when necessary, that exercises and training are carried out. 11
Generic and specific plans
4.35 The risk assessment process will identify many hazards and threats. It would not be sensible to require Category 1 responders to prepare a specific plan for each possible event. Therefore, regulations distinguish between a generic plan which relates to any emergency and plans which relate to a particular emergency or a particular kind of emergency.
4.36 Generic plans enable a responder to perform its functions in relation to a wide range of possible emergencies. Each Scottish Category 1 responder must maintain generic plans for business continuity and response to emergencies. 12
4.37 The Strategic Co-ordinating Group will produce an integrated emergency response framework for any emergency that may affect its Police area. This will formalise the strategic, tactical and operational arrangements currently in place. The generic arrangements of Category 1 responders must have regard to the framework and should support the combined response it establishes.
4.38 A specific plan is one that relates to a particular emergency, or a particular kind of emergency. Specific plans are detailed arrangements designed to address any special needs of particular emergencies. The special needs may relate to a variety of matters including processes and procedures, management arrangements, public safety, specialist plant and equipment or establishing specialist teams. It is expected that specific plans will build upon but not duplicate generic plans. The Category 1 responder must decide whether the risk assessment makes a specific plan necessary or desirable. 13
Multi-agency emergency plans
4.39 A multi-agency plan may be maintained by more than one Category 1 responder acting jointly. Multi-agency plans are developed when partners agree that a successful combined response would be aided by joint arrangements.
4.40 Category 1 responders must, together, consider whether it would be appropriate to maintain multi-agency plans in performing functions or duties in relation to an emergency or a particular kind of emergency, 14 including those emergencies in which a Category 2 responder may have a lead role by virtue of its functions and regulatory regime.
4.41 As noted above, Strategic Co-ordinating Groups will establish a framework for combined response that should be supported by the generic arrangements of Category 1 responders. Category 1 responders must consider whether it would be beneficial to build that local framework into a generic multi-agency plan for its Police area, or for discrete parts of a large area. Such plans would describe the management structures and co-ordination of a combined response and supporting arrangements such as establishment of strategic or tactical centres. The arrangements would build on the functional response of Category 1 and 2 responders and form the basis of multi-agency response for any event including those for which specific plans are required.
4.42 Consideration must also be given to preparing multi-agency specific plans for a particular emergency or type of emergency.
4.43 Category 1 responders may perform their duty to maintain an emergency plan by way of a multi-agency specific plan.
The emergency planning role of Category 2 responders
4.44 Category 2 responders, such as utilities and transport companies, are governed by their own legislation and regulations in regard to emergency planning.
4.45 However, the requirements of the Act are that they should co-operate with Category 1 responders in the performance of the Category 1 responders' duties and provide information for them in connection with those duties. In consequence, Category 2 responders may be expected to assist the Category 1 responders in all aspects of plan preparation and maintenance. Category 2 responders can be invited to play a part in multi-agency plans and to take part in multi-agency exercises. Requests should seek to minimise the burdens on Category 2 responders who, in turn, should consider them carefully and in a positive manner.
4.46 In performing its duties to plan for emergencies each Category 1 responder must have regard to the activities of voluntary organisations that are relevant in response to an emergency. 15 Relevant activities are those employed in preventing, reducing, controlling or mitigating the effects or taking other action in connection with an emergency, regardless of any other activity of the voluntary organisation.
4.47 It is expected that the voluntary sector will be involved in all aspects of emergency planning insofar as they wish to be involved. Category 1 responders should seek to integrate the activities of voluntary organisations at all stages of preparation, to ensure a co-ordinated approach and response to emergencies. There is no duty on the voluntary sector to assess risk, co-operate, share information or maintain plans.
Procedure for determining when an emergency has occurred
4.48 Any plan maintained by a Category 1 responder, under the Act, must include a procedure for determining when an emergency has occurred that makes it necessary or desirable for it to perform its functions. 16 The responder's senior management should be involved in the procedure.
4.49 The procedure must: 17
- identify the person who should formally determine whether an emergency has occurred or describe how that person will be identified. This is likely to be a Chief Officer of the emergency services or Chief Executive of the non-emergency services,
- specify the procedure which that person should adopt in taking that decision. This will usually involve consultation with specialist personnel experienced in emergency management and/or responsible for the functions affected by the emergency,
- specify the persons who should be consulted about the decision. The procedure should ensure that the person identified is able to contact named individuals or their deputies at any time,
- specify the persons who should be informed about the decision. This procedure relates to key personnel and not to every individual or organisation with a part to play. Effective use of cascade systems should enhance the effectiveness of informing individuals and organisations.
4.50 In the case of generic plans the procedure should be sufficiently flexible and adaptable to meet the needs of a range of emergencies by consideration of their consequences. The procedures may be built upon the current major incident procedures established by key responders for a range of disruptive events.
Training and exercising
4.51 Every business continuity or emergency plan must include provision for carrying out exercises and for the training of staff and other persons considered necessary for their implementation. 18 Plans and arrangements must, therefore, contain a policy statement and schedule regarding the nature of the training and exercising, the timing of events and the people for whom they are intended.
4.52 Training should ensure that relevant people are prepared to respond to emergency. People should be aware of the plan's objectives, their roles and the part they play in the plan. Training should raise awareness about emergency response and promote confidence in the plans and the ability of individuals to carry them out successfully. Generally, plans should aim to place individuals in positions where they perform their normal functions. Additional training may be required to equip people to perform their functions under special arrangements if required by the plan.
4.53 Training should extend beyond those employed by the Category 1 responder and include opportunities for others, such as contractors and the staff of voluntary organisations who would be involved in support of the plan to participate.
4.54 People taking part in exercises should be trained beforehand, so that they know what is expected of them and they are able to contribute effectively.
4.55 Exercises should ensure that the emergency plans are current, valid and effective. The nature and timing of exercises should form a programme that will ensure that plans are current and fit for their purpose at all times.
4.56 Every plan must be exercised regularly. Exercises to test discrete parts of plans will meet requirements but the effectiveness of all parts must be demonstrated. It will not be necessary to duplicate exercising of elements of a generic plan if they contribute to specific plans. However, it will be expected that Category 1 responders will be able to demonstrate that the integration of generic and specific plans has been exercised and is effective. Exercises must include procedures for evaluation, identifying lessons, establishing improvement programmes (if necessary), monitoring progress on actions taken and reporting results to senior management.
4.57 If plans have been implemented in response to an emergency and if there has been a formal debriefing, report and, if necessary, an action programme to take forward lessons learned, such implementation will be considered as complying with the duty to exercise for those plans.
4.58 The outcomes of all joint exercises should be reported to the Strategic Co-ordinating Group.
4.59 The requirements of the Act in regard to exercising and training apply to Category 1 responders, but Category 2 organisations are obliged to co-operate with them in the delivery of their civil protection duties. In seeking co-operation from Category 2 bodies in their exercise programmes, Category 1 responders should ensure that their requests are reasonable and do not overburden them.
4.60 In the event that a lead responder's arrangements require exercising or training to comply with a duty, Category 1 responders must assist. 19
4.61 Category 1 responders must consider whether a new risk assessment issued by Scottish Ministers makes it necessary or expedient to add to or modify their business continuity or emergency response plans, in addition to the general requirement to maintain plans. 20
Existing emergency planning duties
4.62 Three pieces of legislation which pre-date the Act were introduced separately under legislation operated by the Health and Safety Executive. Regulations made by HSE relate to major accident hazards at industrial establishments (Control of Major Accident Hazards), to fuel pipelines (Pipeline Safety) and to radiation hazards (Radiation (Emergency Preparedness and Public Information)).
4.63 The HSE regulations, listed above, have established multi-agency emergency planning regimes in co-operation with operators, which are specific, well-defined and more prescriptive than the emergency planning requirements contained in the Act. To avoid duplication the Regulations under the Act do not require Category 1 responders to perform a duty in relation to any emergency which is within the meaning of major accidents and radiation emergencies under HSE's regulations. 21