Agenda item

Annual Assurance Report for Business Continuity

Minutes:

A report of the Director of Legal and Governance Services (Monitoring Officer) was presented to outline the Council’s approach to business continuity management, summarise activity in the past year and planned activity for 2023, to provide the Committee with assurance that the Council had robust arrangements in place, as required by the Civil Contingencies Act 2004.

 

The Council’s Corporate Business Continuity Plan defined critical functions as those which, if interrupted, could result in:

  • risk of serious injury;
  • risk of death;
  • massive financial losses; or
  • significant damage to the Council’s reputation.

 

The Council would consider activating its business continuity plans if there was a business interruption event that:

 

  • was likely to last for more than half a working day;
  • affected a vulnerable group of service users;
  • impacted on the delivery of key critical activities;
  • restricted access to one of the key council buildings;
  • could generate significant damage to the Council’s reputation; or
  • was highly likely to escalate into one of the above categories.

 

The Council had the following plans in place to respond to the variety of events that could occur:

 

  • the Corporate Business Continuity plan;
  • supporting Departmental Business Continuity plans;
  • Relocation Plan;
  • ICT Disaster Recovery Plan;
  • Fuel Plan;
  • Pandemic Plan.

 

The Council did not publish its business continuity plans because they contained sensitive information about its critical functions and their recovery that could be misused, as well as personal information relating to employees who had agreed to share personal contact details so that the Council could contact them quickly in the event of an incident. Paragraphs 8 to 14 of the submitted report outlined the content of the Council’s plans in broad terms.

 

The Council aimed to test its plans at least once every 12 months, or to produce a lessons learned report if a live incident had occurred during the past year. Due to the ongoing nature of the pandemic, no test was undertaken in 2022; however, a live test of business continuity was planned during 2023 to ensure that senior managers understood their roles and responsibilities during an incident and to test the robustness of plans.

 

During the 2022 annual review of plans, there was an increased focus on the impact that a loss of power could have on critical activities, to ensure that services planned effectively for this event.

 

The actions delivered in 2022 to ensure good governance in relation to business continuity were detailed in paragraphs 20 to 23 of the submitted report. During 2023/2024, further work would be undertaken to build on the progress made, as part of the Council’s commitment to continual improvement in business continuity planning, as follows:

 

Training

  • Officers planned to undertake a cyber-attack/power cut exercise on a key system as the next ICT Disaster Recovery Plan exercise to test its effectiveness.
  • Increase the number of trained loggists to support Business Continuity responses in an invocation.
  • Refresh training to implement an eLearning package range in relation to Business Continuity capturing basic awareness raising and advanced practice.
  • Produce and deliver loggist training to all nominated loggists within the Business Continuity Teams.

 

Documentation

  • Undertake the annual full review and update of all business continuity plans to ensure they remained fit for purpose.
  • Battleboxes to be updated by business-critical services to enable service delivery to be maintained in the event of a cyber-attack or power cut.
  • Revision of plans to reflect occupation of the new main offices this year.
  • Establish a corporate Business Continuity room in Fountain Court and refresh plans for the relocation site to ensure both are fully equipped to respond to a business interruption.

 

Communication

  • Communications Plan for Business Continuity to be enhanced to cover communications in the absence of ICT systems.

 

It was clarified that Middlesbrough Council considered disruption events that had taken place in other authorities as part of its planning and testing.  The locations of Middlesbrough Council’s two data centres were confirmed.

 

AGREED that the arrangements in place to manage business continuity within the Council, progress within the last year, and plans to further strengthen those arrangements were noted.

 
