Minutes:
A report of the Director of Legal and Governance Services was presented, the purpose of which was to outline the Council’s approach to Business Continuity management, summarise activity in the past year, and set out planned activity for 2024, in order to provide the Committee with assurance that the Council had robust arrangements in place, as required by the Civil Contingencies Act 2004.
Business Continuity planning was separate to emergency planning, which set out how the Council responded to emergency incidents that impacted on residents and businesses, though there would be occasions when the two disciplines interrelated.
The Council’s Corporate Business Continuity Plan defined critical functions as those which, if interrupted, could result in:
• Risk of serious injury
• Risk of death
• Massive financial losses; or
• Significant damage to the Council’s reputation.
The following plans were in place to respond to a variety of events that could occur:
• The Corporate Business Continuity plan.
• Supporting Departmental Business Continuity plans.
• Relocation Plan.
• ICT Disaster Recovery Plan.
• Fuel Plan.
• Pandemic Plan.
The Council did not publish its business continuity plans as they outlined sensitive information around its critical functions and their recovery that could be misused, and contained personal information relating to employees who had agreed to share personal contact details to enable the Council to get in touch with them quickly in the event of an incident. The content of the Council’s plans was outlined in broad terms only in the submitted report.
The Council aimed to test its plans at least once every 12 months, or to produce a lessons learned report if a live incident had occurred during the past year. Testing of the plans was completed in January 2024. This was a live test of business continuity involving senior managers, based around a marauding attack and vehicle-borne improvised explosive device on critical infrastructure. This ensured that senior management understood their roles and responsibilities during an incident and tested the robustness of plans.
In a normal planning cycle, Business Continuity plans were updated every six months, and reviewed on an annual basis (May and November), with the scale of the review dependent on the level of organisational change that had occurred in the intervening period. In some years this meant that only minor updates were required. In other years, fundamental reviews would be required to reflect changes to the Council’s structure or other significant developments, for example where services had been outsourced or brought back in house.
During the 2023 annual review of plans, there was an increased focus on the impact that loss of ICT could have on critical activities, to ensure services planned effectively for this event.
Activity in 2023/2024 included generator failover tests at both the Council’s data centres and an emergency response exercise. All Corporate Business Continuity Plans were updated in November 2023 and an update and full review of Directorate Business Continuity plans had been completed. A corporate Business Continuity room had been established in Fountain Court. A Business Continuity and Emergency Planning mapping portal had been built in the Council’s mapping software, including flood plains, gritting routes and schools. An eLearning portal had been developed in relation to Business Continuity, capturing basic awareness raising and advancing best practice, and all senior management had received face-to-face training.
During 2024/2025, further work would be undertaken to build on progress made in 2023/2024 as part of the Council’s commitment to continual improvement in business continuity planning. This would include:
• Officers planned to undertake a cyber-attack exercise on a key system as the next ICT Disaster Recovery Plan exercise to test its effectiveness.
• Increase the number of trained loggists to support Business Continuity responses in an invocation.
• Refresh eLearning package range in relation to Business Continuity, capturing new amendments and best practice from the North East Local Resilience Forum and ISO 22301.
• Produce and deliver loggist training to all nominated loggists within the Business Continuity Teams.
• Further training for Senior Leadership relating to decision making and Business Continuity impacts.
• Undertake the annual full review and update of all business continuity plans to ensure they remain fit for purpose.
• Review and implement the Business Continuity Policy and Management System.
• Battle boxes to be updated by business-critical services to enable service delivery to be maintained in the event of a cyber-attack or power cut.
• Revision of plans to reflect occupation of the new main offices this year.
• Communications Plan for Business Continuity to be enhanced to cover communications in the absence of ICT systems.
A query was raised in relation to communication with Elected Members on their role if there was an incident. It was confirmed that part of the recent test had included communication with Elected Members. It was suggested that it would be helpful for Members to receive some training on this area.
AGREED as follows that:
1. the arrangements in place to manage business continuity within the Council, progress within the last year, and plans to further strengthen those arrangements were noted.
2. a workshop for Members on what their role would be in a live business continuity incident would be provided.