Guidance

Resilience in society: infrastructure, communities and businesses

How networks and individuals can support the country's emergency planning, response and recovery, and keep systems and services running.

Overview

Integrated emergency management (IEM) includes anticipation, assessment, prevention, preparation, response and recovery. Resilience is about all these aspects of emergency management, and this guide deals with the resilience of existing entities the UK such as buildings, systems and networks.

The government’s aim is to reduce the risk from emergencies so that people can go about their business freely and with confidence. Civil protection practitioners support the work which goes on across the UK to improve emergency preparedness. The wider UK society - public and private sector, communities and businesses - will find it useful to know how their work fits into a wider framework on resilience for their sector.

Infrastructure resilience

The Infrastructure Resilience programme, led by the Civil Contingencies Secretariat, was established in March 2011 to enable public and private sector organisations to build the resilience of their infrastructure, supply and distribution systems to disruption from all risks (hazards and threats) as set out in the National Risk Assessment.

The guide Keeping the country running: natural hazards and infrastructure provides advice on:

  • identifying and assessing risks from natural hazards
  • standards of resilience
  • business continuity and corporate governance
  • guidance for economic regulated sectors
  • information sharing
  • understanding interdependencies

‘Keeping the country running’ was drawn up in consultation with government departments and agencies, infrastructure owners and operators, trade and professional associations, and regulators. It provides a model of resilience that does not depend on additional regulation or standard-setting, but shares best practice and advice to enable owners and operators of the UK’s critical infrastructure to improve the security and resilience of their assets, with support from the regulators where relevant.

Sector resilience plans

Lead government departments sponsoring each infrastructure sector are required to produce sector resilience plans on an annual basis, alerting ministers to any perceived vulnerabilities and setting out an action plan to improve resilience where necessary.

Individual plans are classified, but each year the Cabinet Office summarises departments’ plans into 1 overall sector resilience plan for critical infrastructure.

  • in 2010, sector resilience plans focused on the resilience of the UK’s critical national infrastructure to flooding
  • in 2011, sector resilience plans extended the scope to allow assessment of other natural hazards and / or less critical assets
  • in 2012, sector resilience plans extended the scope to allow assessment of the sector’s most important infrastructure to all risks (hazards and threats)

Read the sector resilience plans.

Other infrastructure resilience publications available to download:

Community resilience

Community resilience is about communities using local resources and knowledge to help themselves during an emergency in a way that complements the local emergency services. Answers to the following 3 questions can help to assess how prepared your community is and what can you do:

  1. Are you aware of the risks you and your community might face, eg flooding?
  2. How can you help yourself and those around you during an emergency?
  3. What can you do to get involved in emergency planning in your community?

Your community will be better prepared to cope during and after an emergency when everyone works together using their local knowledge. Things like understanding what requirements groups most at need may have in an emergency can make a real difference. Identifying and planning for the risks you may encounter during a severe flood, heat-wave or snowfall could help in reducing the potential impact on you, your family and the wider community.

The Civil Contingencies Act requires the publication of all or part of a risk assessment for your local area (undertaken by local category 1 responders). This may be a useful point of reference for your own risk assessment.

Being prepared and able to respond to an emergency can often help people recover more quickly. This illustrates how successful community resilience can be and why many communities are already engaged in this planning.

Examples of resilience activities in communities

We are aware that lots of you are already taking steps to prepare your community to cope with an emergency. We would like to hear about these initiatives and share the examples with others. This will raise awareness and understanding amongst other communities, who may seek to adapt these to suit their own local need.

With this in mind, we have developed a case study library. This will enable you to highlight your own local resilience activities and find out what other communities are doing.

If you think that you could provide a relevant community resilience case study, please use the template below and email it to: community.resilience@cabinet-office.x.gsi.gov.uk.

Resources and further information

The community resilience programme was established in 2008 to explore ways to support communities in becoming resilient to the range of emergencies which they might face. Our work aims to:

  • support existing community initiatives
  • disseminate these successful activities in other areas
  • raise awareness and understanding of local emergency response capability

A collection of community resilience: resources and tools has been developed to encourage you to take steps to prepare for an emergency and to think about the risks you face. These include:

An awards helpsheet has also been developed if you wish to recognise a community member who has engaged with resilience and recovery work.

Contact us

Email: community.resilience@cabinet-office.x.gsi.gov.uk

Business Continuity

Background

Business continuity management (BCM) is a process that helps manage risks to the smooth running of an organisation or delivery of a service, ensuring continuity of critical functions in the event of a disruption, and effective recovery afterwards. The government aims to ensure all organisations have a clear understanding of BCM. This section outlines the importance of BCM, and discusses how best to achieve business continuity.

Good BCM helps organisations identify their key products and services and the threats to these. Planning and exercising minimises the impact of potential disruption. It also aids in the prompt resumption of service helping to protect market share, reputation and brand. In order to be successful, BCM must be regarded as an integral part of an organisation’s normal ongoing management processes. To achieve this top-level buy-in is vital as it disseminates the importance of BCM throughout the organisation. Engaging senior staff is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation.

Understanding the organisation

Before plans can be written you must understand the organisation’s BCM needs. There are several tools used to inform this process. It is important to first identify the main products and services that the organisation delivers. A Business Impact Analysis (BIA) identifies these critical activities and resources supporting the main products and services and helps identify the impact of a failure of these. Another useful tool is a risk assessment, which helps identify the potential threats to the organisation, and their likelihood. The Civil Contingencies Act requires the publication of all or part of a risk assessment for your local area (undertaken by local category 1 responders). This may be a useful point of reference for your own risk assessment.

Developing plans

Good BCM requires both incident management plans and business continuity plans, although these do not necessarily have to be separate documents. Incident management plans allow the organisation to manage the initial impact of an event, for example staff evacuation or media response. The business continuity plan allows the organisation to maintain or recover the delivery of the key products and services that the BIA identified.

Both generic and specific plans may be required. A generic plan is a core plan which enables an organisation to respond to a wide range of possible scenarios, setting out the common elements of the response to any disruption. These elements would include invocation procedures, command and control structures, access to financial resources etc. Within the framework of the generic plan, specific plans may be required in relation to specific risks, sites or services. Specific plans provide a detailed set of arrangements designed to go beyond the generic arrangements when these are unlikely to prove sufficient.

The Civil Contingencies Secretariat has developed a Business Continuity Management Toolkit (PDF, 569 KB, 19 pages) in partnership with stakeholders to help the commercial and voluntary sector implement BCM.

The Civil Contingencies Secretariat has also produced the national Business resilience planning assumptions to help businesses to plan their resilience building activities. This sets out the risks identified in the National Risk Register in terms of how they might affect a business. It allows organisations to check that their resilience planning is in line with the government’s assessment of the impact of a range of potential hazards.

Exercising plans

Plans cannot be considered reliable until they are exercised and have proved to be workable. Exercising should involve: validating plans; rehearsing key staff; and testing systems which are relied upon to deliver resilience (eg uninterrupted power supply). The frequency of exercises will depend on the organisation, but should take into account the rate of change (to the organisation or risk profile), and outcomes of previous exercises (if particular weaknesses have been identified and changes made).

Training and awareness

There is a need to train those responsible for implementing BCM, those responsible for acting in the event of disruption and those who will be impacted by the plans. This training and awareness can be delivered in many ways. Those involved in implementing BCM may require extensive training, whereas those with no direct responsibility may simply need to be made aware.

Reviewing and maintaining plans

Organisations should not only put plans in place, but should ensure they are reviewed regularly and kept up to date. Particular attention may need to be paid to: staff changes; changes in the organisation’s functions or services; changes to the organisational structure; details of suppliers or contractors; and changes in the organisations strategic objectives.

The business continuity management standard (BS25999)

BS25999 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organisation and to provide confidence in business-to-business and business-to-customer dealings.

The British Standard on BCM, BS25999, defines it as:

a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

It provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle, which is illustrated below.

Diagram showing the Business continuity management lifecycle

Diagram showing the Business continuity management lifecycle - understanding the organisation, determining BCM strategy, developing and implementing BCM response, and exercising, maintaining and reviewing.

The British Standard sets out 6 elements to the BCM process.

  1. BCM programme management - programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.
  2. Understanding the organisation - the activities associated with ‘Understanding the organisation’ provide information that enables prioritisation of an organisation’s products and services, identification of critical supporting activities and the resources that are required to deliver them.
  3. Determining business continuity strategies - this allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at the time of disruption.
  4. Developing and implementing a BCM response - this involves developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
  5. BCM exercising, maintaining and reviewing BCM arrangements - this leads to the organisation being able to demonstrate the extent to which its strategies and plans are complete, current and accurate and identify opportunities for improvement.
  6. Embedding BCM in the organisation’s culture - this enables BCM to become part of the organisation’s core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.

BS 25999 was published in 2 parts. BS 25999-1:2006, the code of practice for business continuity management was published in November 2006. This has been developed by practitioners throughout the global community, including the Civil Contingencies Secretariat. [Copies of this can be purchased from the BSI website.

BS 25999-2:2007 will specify the requirements for achieving certification which will help ensure that business continuity capability is appropriate to the size and complexity of an organisation. Publication of part 2 was in autumn 2007. Following this the UK Accreditation Service (UKAS) will work hard to ensure that there is an accreditation scheme available to those bodies offering third-party accreditation to Part 2. Usually the reason for obtaining an independent evaluation is to confirm that it meets specific requirements in order to reduce risks. Accreditation by UKAS means that certification bodies have been assessed against internationally recognised standards to demonstrate their competence, impartiality and performance capability.

BCM under the Civil Contingencies Act

The Civil Contingencies Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable.

The BCM duty in the Act relates to all the functions of a Category 1 responder, not just its civil protection functions. Hence the legislation requires Category 1 responders to maintain plans to deal with emergencies (see the Emergency planning section) and put in place arrangements to warn and inform the public in the event of an emergency (see the Warning and informing the public section). But it also requires them to make provision for ensuring that their ordinary functions can be continued to the extent required. The regulations also require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.

The risk assessment duty for Category 1 responders under the Act should inform the development of appropriate continuity strategies (see the Risk section for further detail on risk assessment).

The Act also requires local authorities to provide advice and assistance to businesses and voluntary organisations in relation to business continuity management. This duty is an integral part of the Act’s wider contribution to building the UK’s resilience to disruptive challenges. It should not be seen as a stand-alone duty, but rather in many ways is a logical extension of the work already undertaken to fulfil other duties under the act (eg working with commercial and voluntary organisations in the development and exercising of emergency plans).

Useful documents

You should refer to:

Training

The Emergency Planning College (EPC) is a training provider for emergency preparedness, attracting delegates with responsibility for preventing, planning for, responding to or recovering from a major incident. The EPC runs courses on the care of people as well as other aspects of civil protection.

Other documents

You may also wish to refer to:

Corporate resilience: SME resilience strategy

Led by the Civil Contingencies Secretariat, the Corporate Resilience Strategy aims to promote effective but inexpensive ways to enable SMEs to build resilience to all kinds of hazards and threats.

99.9% of the 4.8 million private sector enterprises are SMEs. Their resilience matters. Yet, as the 2011 Business Continuity Management Survey reported, small businesses are significantly less likely to have business continuity management in place than their larger counterparts.

The importance of SME resilience

The security and resilience of SMEs matters for 3 reasons:

  • because community resilience is enhanced when local businesses are able to keep running in emergencies: as the US 9/11 Commission found, during a time of disruption, or local area crisis, the ‘first’ first responders are, in most cases, the local businesses that are so relied upon within the community
  • SMEs are also important elements of the supply chain for large organisations, including critical infrastructure operators and government departments, which in turn provide services essential to society
  • SMEs may also be entrusted to undertake business critical activities, frequently having privileged access to large amounts of sensitive data on behalf of larger organisations

Obstacles to SME resilience

SMEs are unwilling or unable to conduct effective business continuity planning for these main reasons:

  • there is no compulsion or incentive for business continuity practice
  • the current British Standard in this area, which applies to smaller businesses, is impractical in many cases
  • at present, there is nothing in place to improve this position
  • information on the risks to business continuity has until recently been hard to come by
Published 20 February 2013
Last updated 10 December 2014 + show all updates
  1. Added link to Business resilience planning assumptions.

  2. First published.