Guidance

Emergency preparedness, resilience and response concept of operations

Updated 15 January 2025

Introduction

UK Health Security Agency (UKHSA) prevents, prepares for and responds to:

• infectious diseases
• environmental, radiological and chemical hazards

We work to keep all our communities safe, save lives and protect livelihoods.

Purpose of the concept of operations

The emergency preparedness, resilience and response (EPRR) concept of operations (CONOP) sets out UKHSA’s approach to systematically preparing for, responding to and recovering from health security incidents. These include:

• infectious diseases
• pandemics
• chemical, biological, radiological and nuclear (CBRN) events
• extreme adverse weather events
• business continuity challenges
• cyber security events

The CONOP applies across the whole of UKHSA.

It sets out the principles underpinning incident preparedness, response and recovery. It also describes roles and responsibilities within UKHSA to achieve this systematic approach. The CONOP provides the strategic ‘why and what’ of prevention, preparedness, response and recovery. The details of the operational ‘how’ are provided in the:

• UKHSA Preparedness Plan
• UKHSA Incident Response Plan
• supporting plans and threat specific plans as illustrated in Figure 1 below

Figure 1. UKHSA’s systematic approach to preparedness and response

Figure 1 shows a pyramid-shaped model. It has UKHSA’s goals at the apex. The next tier down sets out the 3 core EPRR documents (the UKHSA EPRR Concept of Operations, UKHSA Preparedness Plan, and UKHSA Incident Response Plan) and how these describe:

• our (the UKHSA’s) response to our EPRR statutory duties
• how we prepare our people, plans and infrastructure to be ready to respond
• how our all-hazards response arrangements will function during an incident response

The tier below this sets out the ‘supporting plans’ which include the:

• Training and exercises plan
• Continuous improvement plan
• EPRR assurance assessment
• Business continuity framework
• Response centre interoperability plan

The final tier sets out the ‘threat-specific plans’ including the:

• National power outage plan
• Cyber attack plan
• Chemical, biological, radiological, and nuclear (CBRN) plan
• High consequence infectious disease plan
• Pandemic plan

It notes that additional threat-specific plans may be appropriate as described in the Preparedness plan.

The CONOP covers UKHSA’s responsibilities:

• under the Civil Contingencies Act 2004 (CCA 2004)
• as an executive agency of the Department of Health and Social Care (DHSC)
• with respect to its relationship with the devolved administrations (DAs)

Throughout this document the term ‘threat’ is used to describe all health security hazards and threats, either naturally occurring or malicious.

Our EPRR responsibilities

Under the CCA 2004

The CCA 2004 delivers a single framework for civil protection in the UK. UKHSA is designated a Category 1 responder under CCA 2004 and has the following duties:

• risk assessment
• business continuity management
• emergency planning
• maintaining public awareness and arrangements to warn, inform and advise the public
• cooperation
• information sharing

As an executive agency

We are an executive agency of the DHSC and provide the UK with the ability to prepare for, prevent and respond to a range of threats. We work closely with lead agencies and other government departments in the UK.

As set out in our annual strategic remit and priorities letter, EPRR is one of our core capabilities. The 2023 to 2024 letter states that we are required to:

• take lead responsibility for infectious and endemic diseases in incident planning and response – this includes leading the response across government and the health and care system
• prepare, plan and respond robustly and rapidly to the public health impacts of all non-infectious disease incidents including any chemical, biological, radiological, or nuclear (CBRN) events
• provide expert scientific advice to ensure the impact on public health and public health delivery of environmental incidents and emergencies, including flooding, meteorological hazards and terrorism is considered as part of the response
• provide expert advice on, and as appropriate undertake, public health activities at the borders including seaports, airports and rail crossings to aid the local detection and management of outbreaks and help prevent wider community transmission
• establish a routine UKHSA emergency response exercise programme to test our preparedness on the key public health threats and hazards, that are identified in the National Security Risk Assessment (NSRA) and through UKHSA’s All Hazards Intelligence horizon scanning programme

To devolved administrations

UKHSA is responsible within England for devolved health security matters and across the UK on reserved health security matters^{[footnote 1]}. The relationship between the 4 countries for health security is governed by the UK Health Security Regulations (EU Exit) 2021, which is applied through the UK Common Framework for Public Health Protection and Health Security.

The Common Framework is an agreement between all 4 UK governments and public health agencies to enact the legal obligations under the regulations in order to strengthen UK’s health security, including mutual aid arrangements for response. It is implemented through the UK Health Protection Committee, which is a statutory Committee established by the regulations.

Additional statutory and legal responsibilities

These include:

• Public Health (Control of Infectious Diseases) Act 1984 (as amended), which provides that government may, by regulations, make provision for the purpose of preventing, protecting against, controlling or providing a public health response to spread of infection or contamination
• Public Sector Equality Duty, which means that public bodies have to consider all individuals when carrying out their work, and requires giving due regard to the need to eliminate discrimination, advance equality of opportunity, and foster good relations between different people when carrying out their activities
• International Health Regulations (IHR) 2005 which is an international instrument that is legally binding on all World Health Organization Member States – the purpose and scope of the IHR 2005 is to prevent, protect against, control, and provide a public health response to the international spread of disease

UKHSA approach to preparedness and response

Integrated emergency management

UKHSA takes a systematic approach to preparedness, response and recovery based on the Cabinet Office principles of integrated emergency management (IEM). These are aligned to the requirements of the CCA 2004. The IEM model has been modified following learning from the COVID-19 pandemic to include validation and assurance (Figure 2 below).

Figure 2. UKHSA’s integrated emergency management (IEM) model

Figure 2 represents UKHSA’s ‘Integrated Emergency Management’ model, the centre of which lists the criteria against which each phase of the model is aligned. These include:

• generic legislation, leadership and governance
• generic structures
• generic doctrine and guidance
• generic plans and procedures
• professional standards
• generic training and exercising

The outer circumference of the diagram sets out the integrated emergency model cycle with colour-coded stages divided into preparedness and response. In order, the preparedness stages include:

• learn and improve
• anticipate
• assess
• prevent
• prepare
• validate and assure

The response stages include respond and recover, the cyclical nature of the approach returning back to the first stage listed, learn and improve.

EPRR principles

The 7 principles underpinning UKHSA’s EPRR arrangements are as follows:

Direction

Clarity of purpose comes from a strategic aim and supporting objectives that are agreed, understood and implemented by all involved. Protecting the public’s health is the principle strategic outcome of health security incidents. This clarity enables the prioritisation and focus of our preparedness, response and recovery effort.

Co-operation

To achieve appropriate health security outcomes, we must prepare and respond cooperatively across all its functions, groups and with external partners.

Health equity

We prioritise people and places most at risk from health security incidents, to reduce avoidable harm and improve health security outcomes for all.

Precautionary

UKHSA has a ‘no regrets’ approach to decision making based on risk assessment.

Subsidiarity

Decisions are taken at the lowest level closest to where they have impact, with coordination at the highest necessary level.

Proportionality

Oversight, influence and demands on teams are proportionate to risk.

Continuous Improvement

We consistently improve our ability to prepare for, respond to and recover from health security threats by appropriately applying learning identified from incident response, simulation exercises, research and evaluation.

Preparedness

The UKHSA preparedness plan sets out how the agency prepares its people, its plans and its infrastructure to be ready to respond to all threats and hazards. This includes the requirement for everyone in the agency to have a role that supports incident response, compliance with its Category 1 responder duties and how UKHSA supports the DHSC and NHS England with their own EPRR responsibilities.

The plan describes our systematic approach to preparedness and includes an annual 4-stage preparedness cycle which begins with identifying prioritised threats and ends with an assessment of readiness against those threats. This process informs resource allocation, including the business planning cycle, as well as the our annual EPRR training and exercise programme.

Figure 3. UKHSA annual preparedness cycle

Figure 3 shows a circle with 4 components. Component 1 is risk identification, which takes place in March. It includes text saying that there is “an agreed list of prioritised top threats informed by NSRA, UKHSA’s Health Security Risk Assessment, continuous improvement lessons and other sources”.

The next component (clockwise) is an initial readiness assessment. This takes place in March and April. It includes an “initial assessment of capacity and capability” against the threats identified in component 1 in the circle.

Component 3 is “decide and implement”. This takes place from April to January. It involves “strategic and tactical changes determined in response to the assessment”.

Component 4, the final component in the circle, is a “final readiness assessment”. It happens in February. It concerns an “evaluation of progress and preparation for the next cycle.

Response

Responding to health security incidents is UKHSA’s day to day business activity. The agency has a risk based, all threats approach to escalation. This ranges from a “business as usual” routine response – up to a severe response for a pandemic. To achieve this, the Agency responds collectively by co-operating between appropriate functions, groups and with external partners to activate its Incident Response Plan (IRP), which is supported by threat specific plans.

The national IRP is UKHSA’s over-arching, agency-wide response plan. It outlines the arrangements for the our response to all hazards and threats. These include:

• infectious diseases

• pandemics

• CBRN events

• extreme adverse weather events

• business continuity challenges

• cyber security incidents

The IRP applies across the whole of the agency and is supported by a number of threat-specific plans that provide additional detail.

To implement our EPRR principles of Precautionary and Proportionality, the IRP includes the dynamic risks assessment (DRA) process that informs the appropriate UKHSA response level, as illustrated in Figure 4 below.

Figure 4. UKHSA incident response levels

Figure 4 shows the the 4 levels of incident response severity. The levels increase in severity from top to bottom. They are recreated, and slightly abridged, in table 1.

Severity	Description	Who can approve
Severe	Exceeds the threshold for an enhanced incident. The majority of UKHSA is reprioritised for the incident response	Chief Executive (CEX)
Enhanced	The scale of the incident response requires a more significant mobilisation of resources and a greater strategic response. It is supported by a strategic response group with oversight from a strategic response director	CEX
Standard	Require co-ordination and/or resources over those provided by normal operational capacity and capability. They are managed by an incident management team (IMT) and lead by an incident director (ID)	Chief Medical Advisor (CMA)
Routine	Manageable within normal operational capacity and capability	DRA chair

Recovery

The Cabinet Office defines recovery as “the process of rebuilding, restoring and rehabilitating the community following an emergency”. They emphasise that recovery planning must start during the initial response. Within UKHSA, recovery planning is therefore incorporated within the IRP arrangements.

Our internal post-response recovery arrangements also emphasise the importance of staff well-being and the need for ‘staff decompression.’

Co-operation

To achieve its mission, UKHSA must respond collectively across groups, functions and with multiple external stakeholders.

We have well-established relationships with multiple preparedness and response structures at multiple geographies. These include Local Resilience Fora (LRFs), Local Health Resilience Partnerships (LHRPs) and NHS Integrated Care Partnerships (ICPs).

At a national level, we contribute to the shared understanding of risk by co-ordinating advice to:

• Cabinet Office
• DHSC
• other government departments
• NHS England
• Animal and Plant Health Agency^{[footnote 2]}
• Food Standards Agency^{[footnote 3]}
• National Security Risk Assessment

UKHSA works with the 4 UK countries, the World Health Organization, other national public health institutes and global public health organisations.

UKHSA works collaboratively with external partners in areas such as:

• preparing, developing, and maintaining generic and specific national and regional response plans
• sharing intelligence to support decision-making in preparing for and responding to incidents and emergencies
• leading the response to public health incidents at the local, regional and national levels in partnership with Directors of Public Health and other government departments and agencies
• the mobilisation of Science and Technical Advice Cells (STACs) to support local Strategic Coordination Groups (SCGs) and contributions to SAGE^{[footnote 4]} and other national expert committees

Business continuity

To achieve its mission, UKHSA needs robust and resilient systems. Director generals and/or directors are responsible for ensuring business continuity for the infrastructure, services, and functions they oversee. UKHSA’s Business Continuity Management Framework outlines how groups and directorates should complete business impact assessments to protect critical systems and supporting functions. The framework also describes the agency-wide business continuity assurance arrangements.

UKHSA’s response to a business continuity incident is assessed and managed in accordance with the Incident Response Plan and in threat specific plans such as a national power outage and cyber attack.

EPRR accountabilities and responsibilities

UKHSA strategic priority (SP)	ExCo lead
SP1. Be ready to respond to all hazards to health	DG Health Protection Operations
SP2. Improve health outcomes through vaccines	DG Science and Research and Chief Scientific Officer
SP3. Reduce the impact of infectious diseases and antimicrobial resistance	Chief Medical Adviser
SP4. Protect health from threats in the environment	DG Science and Research and Chief Scientific Officer
SP5. Improve action on public health through data and insight	DG Data, Analytics and Surveillance
SP6. Develop UKHSA as a high performing Agency	DG Strategy, Policy, and Programmes

UKHSA’s Strategic Plan 2023 to 2026 has 6 strategic priorities, each with a designated lead at Executive Committee (ExCo) who is responsible for strategic oversight, monitoring progress and for providing appropriate challenge across the UKHSA.

UKHSA’s specified EPRR capabilities as described in its 2023 to 2024 strategic remit and priorities letter include:

Specified EPRR Responsibility	ExCo Lead
Pandemic Preparedness	DG Strategy, Policy, and Programmes
Data flows and novel methods for insight	DG Data, Analytics and Surveillance
Infectious and Endemic Diseases	Chief Medical Adviser
CBRN threats	DG Science and Research and Chief Scientific Officer
Environmental Hazards	DG Science and Research and Chief Scientific Officer
Borders and Ports of Entry	DG Health Protection Operations
Preparedness	DG Health Protection Operations

The ExCo-level EPRR accountabilities and responsibilities framework is in Annexe A. Within this framework, ‘accountability’ refers to the resource owner and ‘responsibility’ refers to the UKHSA Executive Committee’s strategic lead.

1. Devolved matters are those areas of government where decision-making has been delegated by Parliament to the devolved institutions such as the Scottish Parliament, the Assemblies of Wales, Northern Ireland and London or to local authorities. Reserved matters are decisions that are still taken by the UK Parliament at Westminster even though they have effect in Scotland, Wales, Northern Ireland or the regions of England. Devolved and reserved matters ↩

2. APHA is an executive agency of Department for Environment, Food and Rural Affairs ↩

3. FSA is a non-ministerial department ↩

4. Scientific Advisory Group for Emergencies provides scientific and technical advice to support government decision makers during emergencies. ↩