
Annual Assurance Report for Business Continuity

Meeting: 16/03/2023 - Corporate Affairs and Audit Committee (Item 66)

66 Annual Assurance Report for Business Continuity

Minutes:

A report of the Director of Legal and Governance Services (Monitoring Officer) was presented to outline the Council’s approach to business continuity management, to summarise activity in the past year and planned activity for 2023, and to provide the Committee with assurance that the Council had robust arrangements in place, as required by the Civil Contingencies Act 2004.

The Council’s Corporate Business Continuity Plan defined critical functions as those which, if interrupted, could result in:

  • risk of serious injury;
  • risk of death;
  • massive financial losses; or
  • significant damage to the Council’s reputation.

The Council would consider activating its business continuity plans if there was a business interruption event that:

  • was likely to last for more than half a working day;
  • affected a vulnerable group of service users;
  • impacted on the delivery of key critical activities;
  • restricted access to one of the key council buildings;
  • could generate significant damage to the Council’s reputation; or
  • was highly likely to escalate into one of the above categories.

The Council had the following plans in place to respond to the variety of events that could occur:

  • the Corporate Business Continuity plan;
  • supporting Departmental Business Continuity plans;
  • Relocation Plan;
  • ICT Disaster Recovery Plan;
  • Fuel Plan;
  • Pandemic Plan.

The Council did not publish its business continuity plans, as they outlined sensitive information around its critical functions and their recovery that could be misused, and contained personal information relating to employees who had agreed to share personal contact details to enable the Council to get in touch with them quickly in the event of an incident. Paragraphs 8 to 14 of the submitted report outlined the content of the Council’s plans in broad terms.

The Council aimed to test its plans at least once every 12 months, or produce a lessons learned report if a live incident had occurred during the past year. Due to the ongoing nature of the pandemic, no test was undertaken in 2022; however, during 2023 a live test of business continuity was planned to ensure that senior managers understood their roles and responsibilities during an incident and to test the robustness of plans.

During the 2022 annual review of plans, there was an increased focus on the impact that loss of power could have on critical activities, to ensure services planned effectively for this event.

The actions delivered in 2022 to ensure good governance in relation to business continuity were detailed in paragraphs 20 to 23 of the submitted report. During 2023/2024 further work would be undertaken to build on progress made, as part of the Council’s commitment to continual improvement in business continuity planning, as follows:

Training

  • Officers planned to undertake a cyber-attack/power cut exercise on a key system as the next ICT Disaster Recovery Plan exercise to test its effectiveness.
  • Increase the number of trained loggists to support Business Continuity responses in an invocation.
  • Refresh training to implement an eLearning package range in relation to Business Continuity capturing basic awareness raising and advanced practice.
  • Produce and deliver ...