Business Continuity Plan
Summary
The Patients Know Best (PKB) Business Continuity Policy ensures the continuity of critical operations during disruptions, aligning with its Disaster Recovery Plan. It prioritises safeguarding services, systems, and stakeholders, minimising downtime's impact on reputation and finances. Key principles include proactive risk assessment, regular testing, and ensuring operational resilience via multi-cloud environments. Responsibilities span leadership, HR, security, and technical teams, supported by up-to-date training and resources. Recovery objectives focus on mission-critical processes, prioritised through Business Impact Analysis (BIA). PKB maintains robust data recovery, enabling work-from-anywhere operations, with real-time updates on service status provided via a public platform.
Purpose
The Patients Know Best (PKB) Business Continuity Policy (BCP) is focused on maintaining the continuity of services, systems and processes, and on returning to a normal operating state as soon as possible, taking into account the impact of any delay on PKB's quality of service, reputation and finances, in conjunction with the Disaster Recovery Plan. The key principles of this BCP are as follows:
To take all reasonable steps to avoid any activity that might adversely impact service continuity.
To ensure continuity planning is an intrinsic component of PKB's functional methodology and operational approach.
To ensure employee, stakeholder, customer and provider information is current and sufficient.
To make advance arrangements for the recovery of service critical components.
To make advance arrangements to relocate or reorganise operations to allow critical processes to continue.
To provide resilience for information systems and data, or alternative ways of working in the event of their failure.
All systems and processes must be in line with PKB's Information Governance and Security Policy.
To protect employees, customers and third-parties where an event is likely to impact their safety.
To apply robustness and rigour to BCP testing and for this testing to have a regular and prioritised schedule of adherence.
To facilitate and keep up-to-date BCP training materials and regular BCP training sessions.
To ensure regularity and method in the sufficient updating of the BCP/DRP plans; be those organisational, procedural, provider-centric, systems or services.
PKB are willing to consider how best to work in conjunction with the Customers' Business Continuity Plan upon their request.
Policy Requirements
Patients Know Best policy requires that:
PKB's BCP and the objectives herein are understood by all stakeholders and employees.
A plan and process for business continuity, including the backup and recovery of systems and data, must be defined and documented.
Employee, provider and system plans are defined to underpin recovery steps in the event of an interruption in service, function and/or core activities.
The Business Continuity Plan shall be simulated and tested at least once a year. Metrics shall be measured and identified recovery enhancements shall be documented to improve the process.
Security controls and requirements must be maintained in two separate Cloud environments, Confluence and Drata.
Roles and Responsibilities
This Policy is maintained by the Patients Know Best Information Governance Teams and SIRO. All executive leadership shall be informed of any and all contingency events.
Response Teams and Responsibilities
The following teams have been developed and trained to respond to a contingency event affecting Patients Know Best infrastructure and systems.
HR is tasked with promoting the safety, well-being, care and support of all Patients Know Best personnel during a crisis, incident, emergency or other critical event, recognising the limitations of directly ensuring these for remote workers.
A cross-functional DR (Disaster Recovery) Team is defined with a designated IC (Incident Coordinator) to ensure recovery and security of critical systems and assets.
Each function within PKB, defined as critical to operational stability or service delivery within the BCP, must maintain a register of services, dependencies, suppliers and vendors to ensure the efficacy of the BCP related to their defined functional responsibilities.
All organisations within PKB with responsibility for a critical service must have a defined BCP coordinator responsible for updating registers as an ongoing organisational commitment.
DevOps is responsible for assuring all applications, web services, platforms, and their supporting infrastructure in the Cloud. The team is also responsible for testing re-deployments and assessing damage to the environment. The team leader is the Head of Engineering.
Security is responsible for assessing and responding to all cybersecurity related incidents according to Patients Know Best Incident Response policy and procedures. The security team shall assist the above teams in recovery as needed in non-cybersecurity events. The team leader is the Security Officer.
Members of the above teams must maintain local copies of the contact information of the Business Continuity Plan succession team. Additionally, the team leads must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.
Policy
Operational Resilience Strategy
Patients Know Best's strategies for operational resilience take a holistic approach to the company and its business process and are developed with consideration of acceptable limits regarding the company's risk appetite and tolerance. These strategies are developed through:
Risk assessment: to identify internal and external threats to the company's ability to conduct business particularly in the areas of technology, human resources, facilities, and third parties;
Vulnerability analysis: to identify weaknesses that could raise the level of operational disruption risk;
Business impact analysis:
to define mission critical business processes, along with the technology, people and facilities that enable them; and,
to assess the potential effects on the company if those processes cannot be performed.
APPENDIX A - Business Impact Analysis (BIA)
PKB has completed a BIA as part of its Business Continuity Plan. The BIA will determine the criticality of business activities to ensure operational resilience and business continuity during and after a disruption. The BIA will help identify and prioritise system components by correlating them to the business processes that the system supports. It will allow for the characterisation of the impact on the processes if the system becomes unavailable. The BIA has three steps:
Determine business processes and recovery criticality. Business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organisation can tolerate while still maintaining the mission.
Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.
Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and resources.
See Appendix A for the BIA breakdown.
Work Site Recovery
Patients Know Best's software development organisation has the ability to work from any location with Internet access and does not require an office-provided Internet connection.
Application Service Event Recovery
Patients Know Best maintains a status page to provide real-time updates and inform customers of the status of each service. The status page is updated with details about an event that may cause service interruption / downtime. Patients Know Best's status page:
Outage Impacts
Impact categories and values characterise levels of severity to the company that would result for that particular impact category, if the business process could not be performed. These impact categories and values are samples and should be revised to reflect what is appropriate for the organisation.
Outage Impact Category Key

| Category | Function type | Requirement |
|---|---|---|
| Cat 1 | Critical functions | Must be continued at normal or increased service levels. |
| Cat 2 | Essential functions | Must be continued if possible, even if it's in a reduced capacity. |
| Cat 3 | Necessary functions | Can be paused if necessary, but must be resumed within 30 days or sooner. |
| Cat 4 | Desirable functions | Can be paused and resumed when conditions allow. |

Estimated Downtime
Downtime factors resulting from a disruptive event will be estimated by working directly with business process owners, departmental staff, managers, and other stakeholders. The following downtime categories will be considered:
Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time managers are willing to accept for a business process outage or disruption and includes all impact considerations. Determining MTD is important because failing to do so could leave continuity planners with imprecise direction on:
Selection of an appropriate recovery method; and
The depth of detail which will be required when developing recovery procedures, including their scope and content.
Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.
Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which business process data must be recovered (given the most recent backup copy of the data) after an outage.
Revision History

| Version | Date | Description |
|---|---|---|
| 2.6 | Apr 20, 2026 | Public version created. |