How networks and individuals can support the country's emergency planning, response and recovery, and keep systems and services running.
Integrated emergency management (IEM) includes anticipation, assessment, prevention, preparation, response and recovery. Resilience is about all these aspects of emergency management, and this guide deals with the resilience of existing entities the UK such as buildings, systems and networks.
The government’s aim is to reduce the risk from emergencies so that people can go about their business freely and with confidence. Civil protection practitioners support the work which goes on across the UK to improve emergency preparedness. The wider UK society - public and private sector, communities and businesses - will find it useful to know how their work fits into a wider framework on resilience for their sector.
The Infrastructure Resilience programme, led by the Civil Contingencies Secretariat, was established in March 2011 to enable public and private sector organisations to build the resilience of their infrastructure, supply and distribution systems to disruption from all risks (hazards and threats) as set out in the National Risk Assessment.
The guide Keeping the country running: natural hazards and infrastructure provides advice on:
- identifying and assessing risks from natural hazards
- standards of resilience
- business continuity and corporate governance
- guidance for economic regulated sectors
- information sharing
- understanding interdependencies
The ‘Keeping the country running’ guide was drawn up in consultation with government departments and agencies, infrastructure owners and operators, trade and professional associations, and regulators. It provides a model of resilience that does not depend on additional regulation or standard-setting, but shares best practice and advice to enable owners and operators of the UK’s critical infrastructure to improve the security and resilience of their assets, with support from the regulators where relevant.
Sector resilience plans
Lead government departments sponsoring each infrastructure sector are required to produce sector resilience plans on an annual basis, alerting ministers to any perceived vulnerabilities and setting out an action plan to improve resilience where necessary.
Individual plans are classified, but each year the Cabinet Office summarises departments’ plans into 1 overall sector resilience plan for critical infrastructure.
- In 2010, sector resilience plans focused on the resilience of the UK’s critical national infrastructure to flooding.
- In 2011, sector resilience plans extended the scope to allow assessment of other natural hazards and / or less critical assets.
- In 2012, sector resilience plans extended the scope to allow assessment of the sector’s most important infrastructure to all risks (hazards and threats)
Read the sector resilience plans.
Other infrastructure resilience publications available to download:
- Strategic framework and policy statement and summary of consultation responses
- Interim guidance for the economic regulated sectors
Community Resilience is about communities using local resources and knowledge to help themselves during an emergency in a way that complements the local emergency services. Answers to the following 3 questions can help to assess how prepared your community is and what can you do:
- Are you aware of the risks you and your community might face? For example, flooding.
- How can you help yourself and those around you during an emergency?
- What can you do to get involved in emergency planning in your community?
Your community will be better prepared to cope during and after an emergency when everyone works together using their local knowledge. Things like understanding what requirements most-at-need groups may have in an emergency can make a real difference. Identifying and planning for the risks you may encounter during a severe flood, heat-wave or snowfall could help in reducing the potential impact on you, your family and the wider community.
The Civil Contingencies Act requires the publication of all or part of a risk assessment for your local area (undertaken by local category 1 responders). This may be a useful point of reference for your own risk assessment.
Being prepared and able to respond to an emergency can often help people recover more quickly. This illustrates how successful community resilience can be and why many communities are already engaged in this planning.
Examples of resilience activities in communities
We are aware that lots of you are already taking steps to prepare your community to cope with an emergency. We would like to hear about these initiatives and share the examples with others. This will raise awareness and understanding amongst other communities, who may seek to adapt these to suit their own local need.
With this in mind, we have developed a case study library. This will enable you to highlight your own local resilience activities and find out what other communities are doing.
If you think that you could provide a relevant community resilience case study, please use the template below and email it to: firstname.lastname@example.org.
Resources and further information
The community resilience programme was established in 2008 to explore ways to support communities in becoming resilient to the range of emergencies which they might face. Our work aims to:
- support existing community initiatives
- disseminate these successful activities in other areas
- raise awareness and understanding of local emergency response capability
A collection of community resilience: resources and tools has been developed to encourage you to take steps to prepare for an emergency and to think about the risks you face. These include:
- Strategic national framework on community resilience
- Preparing for emergencies: guide for communities
- Community emergency plan toolkit
- Community emergency plan template
An awards helpsheet has also been developed if you wish to recognise a community member who has engaged with resilience and recovery work.
Business continuity management (BCM) is a process that helps manage risks to the smooth running of an organisation or delivery of a service, ensuring continuity of critical functions in the event of a disruption, and effective recovery afterwards. The government aims to ensure all organisations have a clear understanding of BCM. This section outlines the importance of BCM, and discusses how best to achieve business continuity.
Good BCM helps organisations identify their key products and services and the threats to these. Planning and exercising minimises the impact of potential disruption. It also aids in the prompt resumption of service helping to protect market share, reputation and brand. In order to be successful, BCM must be regarded as an integral part of an organisation’s normal ongoing management processes. To achieve this top-level buy-in is vital as it disseminates the importance of BCM throughout the organisation. Engaging senior staff is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation.
Understanding the organisation
Before plans can be written you must understand the organisation’s BCM needs. There are several tools used to inform this process. It is important to first identify the main products and services that the organisation delivers. A Business Impact Analysis (BIA) identifies these critical activities and resources supporting the main products and services and helps identify the impact of a failure of these. Another useful tool is a risk assessment, which helps identify the potential threats to the organisation, and their likelihood. The Civil Contingencies Act requires the publication of all or part of a risk assessment for your local area (undertaken by local category 1 responders). This may be a useful point of reference for your own risk assessment.
Good BCM requires both incident management plans and business continuity plans, although these do not necessarily have to be separate documents. Incident management plans allow the organisation to manage the initial impact of an event, for example staff evacuation or media response. The business continuity plan allows the organisation to maintain or recover the delivery of the key products and services that the BIA identified.
Both generic and specific plans may be required. A generic plan is a core plan which enables an organisation to respond to a wide range of possible scenarios, setting out the common elements of the response to any disruption. These elements would include invocation procedures, command and control structures, access to financial resources etc. Within the framework of the generic plan, specific plans may be required in relation to specific risks, sites or services. Specific plans provide a detailed set of arrangements designed to go beyond the generic arrangements when these are unlikely to prove sufficient.
The Civil Contingencies Secretariat has developed ain partnership with stakeholders to help the commercial and voluntary sector implement BCM.
Plans cannot be considered reliable until they are exercised and have proved to be workable. Exercising should involve: validating plans; rehearsing key staff; and testing systems which are relied upon to deliver resilience (eg uninterrupted power supply). The frequency of exercises will depend on the organisation, but should take into account the rate of change (to the organisation or risk profile), and outcomes of previous exercises (if particular weaknesses have been identified and changes made).
Training and awareness
There is a need to train those responsible for implementing BCM, those responsible for acting in the event of disruption and those who will be impacted by the plans. This training and awareness can be delivered in many ways. Those involved in implementing BCM may require extensive training, whereas those with no direct responsibility may simply need to be made aware.
Reviewing and maintaining plans
Organisations should not only put plans in place, but should ensure they are reviewed regularly and kept up to date. Particular attention may need to be paid to: staff changes; changes in the organisation’s functions or services; changes to the organisational structure; details of suppliers or contractors; and changes in the organisations strategic objectives.
The business continuity management standard (BS25999)
BS25999 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organisation and to provide confidence in business-to-business and business-to-customer dealings.
The British Standard on BCM, BS25999, defines it as ‘a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.’
It provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle, which is illustrated below.
The British Standard sets out 6 elements to the BCM process.
- BCM programme management - programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.
- Understanding the organisation - the activities associated with ‘Understanding the organisation’ provide information that enables prioritisation of an organisation’s products and services, identification of critical supporting activities and the resources that are required to deliver them.
- Determining business continuity strategies - this allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at the time of disruption.
- Developing and implementing a BCM response - this involves developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
- BCM exercising, maintaining and reviewing BCM arrangements - this leads to the organisation being able to demonstrate the extent to which its strategies and plans are complete, current and accurate and identify opportunities for improvement.
- Embedding BCM in the organisation’s culture - this enables BCM to become part of the organisation’s core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.
BS 25999 was published in 2 parts. BS 25999-1:2006, the code of practice for business continuity management was published in November 2006. This has been developed by practitioners throughout the global community, including the Civil Contingencies Secretariat. Copies of this can be purchased from the BSI website.
BS 25999-2:2007 will specify the requirements for achieving certification which will help ensure that business continuity capability is appropriate to the size and complexity of an organisation. Publication of part 2 was in autumn 2007. Following this the UK Accreditation Service (UKAS) will work hard to ensure that there is an accreditation scheme available to those bodies offering third-party accreditation to Part 2. Usually the reason for obtaining an independent evaluation is to confirm that it meets specific requirements in order to reduce risks. Accreditation by UKAS means that certification bodies have been assessed against internationally recognised standards to demonstrate their competence, impartiality and performance capability.
BCM under the Civil Contingencies Act
The Civil Contingencies Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable.
The BCM duty in the Act relates to all the functions of a Category 1 responder, not just its civil protection functions. Hence the legislation requires Category 1 responders to maintain plans to deal with emergencies (see the Emergency planning section) and put in place arrangements to warn and inform the public in the event of an emergency (see the Warning and informing the public section). But it also requires them to make provision for ensuring that their ordinary functions can be continued to the extent required. The regulations also require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.
The risk assessment duty for Category 1 responders under the Act should inform the development of appropriate continuity strategies (see the Risk section for further detail on risk assessment).
The Act also requires local authorities to provide advice and assistance to businesses and voluntary organisations in relation to business continuity management. This duty is an integral part of the Act’s wider contribution to building the UK’s resilience to disruptive challenges. It should not be seen as a stand-alone duty, but rather in many ways is a logical extension of the work already undertaken to fulfil other duties under the act (eg working with commercial and voluntary organisations in the development and exercising of emergency plans).
You should refer to:
- copies of BS25999 - this can be purchased from the BSI website
- Pandemic flu checklist for businesses - to assist businesses and other organisations in developing and reviewing plans for a flu pandemic, the government has published a checklist identifying important and specific activities which organisations can do to prepare.
- Cabinet Office guidance - contingency planning for a possible influenza pandemic - provides guidance for all organisations.
- Business continuity management for fuel shortages - to assist businesses and other organisations in developing and reviewing plans for a disruption to fuel supplies the government has published guidance and checklist of preparations and activities
- Chartered Management Institute Business Continuity Management Survey
- CPNI: Good Practice Guide to Telecommunications Resilience - it is vital that an organisation understands which of its telecommunications systems are critical to the business, and how to provide the appropriate level of resilience for these systems. This guide is for those people who have to commission, specify, audit or procure resilient services. It has a series of recommendations aimed at helping an organisation understand why resilience is an issue, what resilience is needed and how it can be delivered.
- Emergency Preparedness * Chapter 6: Business continuity management * Chapter 8: Advice and assistance to business and voluntary organisations
- The Business Continuity Institute
- London Prepared - includes sections with advice to businesses, including on business continuity and risk management
- British Standards Institute website
- The Continuity Forum - established to support and develop a range of resources for continuity professionals within the business community.
- Continuity Central - business continuity information resource website.
- MI5 Security Advice
The Emergency Planning College (EPC) is a training provider for emergency preparedness, attracting delegates with responsibility for preventing, planning for, responding to or recovering from a major incident. The EPC runs courses on the care of people as well as other aspects of civil protection.
You may also wish to refer to:
- OGC successful delivery toolkit - describes proven good practice for procurement, programmes, projects, risk and service management
- Secure in the knowledge: building a secure business - London First and ACPO booklet
- Expecting the unexpected: business continuity in an uncertain world - joint publication from the National Counter Terrorism Security Office, London First and the Business Continuity Institute
- How resilient is your business to disaster? Other Links
- British Bankers’ Association - contains section on business continuity planning
- OfGem website - contains details of domestic and business gas and electricity suppliers
- Northern Ireland Electricity plc
- Electricity Supply Board Ireland
- Water UK - details of water companies
- BT Civil Resilience
- Local Government Association (LGA) website - the LGA promotes the interests of English and Welsh local authorities
Corporate Resilience: SME Resilience Strategy
Led by the Civil Contingencies Secretariat, the Corporate Resilience Strategy aims to promote effective but inexpensive ways to enable SMEs to build resilience to all kinds of hazards and threats.
99.9% of the 4.8 million private sector enterprises are SMEs. Their resilience matters. Yet, as the 2011 Business Continuity Management Survey reported, small businesses are significantly less likely to have business continuity management in place than their larger counterparts.
The importance of SME resilience
The security and resilience of SMEs matters for 3 reasons:
- because community resilience is enhanced when local businesses are able to keep running in emergencies: as the US 9/11 Commission found, during a time of disruption, or local area crisis, the ‘first’ first responders are, in most cases, the local businesses that are so relied upon within the community
- SMEs are also important elements of the supply chain for large organisations, including critical infrastructure operators and government departments, which in turn provide services essential to society
- SMEs may also be entrusted to undertake business critical activities, frequently having privileged access to large amounts of sensitive data on behalf of larger organisations
Obstacles to SME resilience
SMEs are unwilling or unable to conduct effective business continuity planning for these main reasons:
- there is no compulsion or incentive for business continuity practice;
- the current British Standard in this area, which applies smaller businesses, is in a lot of cases not practical
- at present, there is nothing in place to improve this position
- information on the risks to business continuity has until recently been hard to come by