SL/BCP/001 Supported Living

Business Continuity Policy

Published: 21 December 2025
Updated: 21 December 2025

Policy Summary

The Business Continuity Policy is essential for ensuring the uninterrupted delivery of critical services in adult social care during emergencies or disruptions. This policy applies to all employees, agency staff, contractors, and volunteers involved in supported living services across England. It establishes a structured framework to effectively respond to various potential disruptions, including natural disasters, health crises, equipment failures, and cyber-attacks.

Policy Content

1. Scope

This Business Continuity Policy applies to all employees, agency staff, contractors, and volunteers working within ’s adult supported living services across England. It covers all aspects of service delivery, including the management and coordination of care, operational activities, IT systems, communications, staffing, and safety measures, ensuring that critical services are maintained in the event of an emergency, disaster, or disruption. The policy aims to provide a structured framework for responding to a range of potential disruptions, such as natural disasters, health crises (e.g., pandemics), equipment failures, cyber-attacks, or other unforeseen events that could impact the safe delivery of services. By setting out clear roles, responsibilities, and procedures, ensures that services remain person-centred, safe, and effective even in times of disruption. This policy is intended to support compliance with CQC Regulation 12 (Safe Care and Treatment) and other relevant regulations, ensuring that service users’ needs are met at all times.

2. Legal and Regulatory Framework

Term/Regulation Description/Definition
Care Quality Commission (Regulated Activities) Regulations 2014, Regulation 12: Safe Care and Treatment Regulation 12 requires to ensure the safety and welfare of service users by having effective systems and processes in place to assess, monitor, and mitigate risks. This includes planning for emergencies and implementing a business continuity plan to maintain safe care during disruptions.
Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17: Good Governance Regulation 17 mandates that providers have systems and processes in place to assess, monitor, and improve the quality and safety of services. This includes having robust business continuity planning to ensure ongoing service delivery and mitigate risks.
Civil Contingencies Act 2004 Requires all organisations providing essential services to develop and maintain business continuity plans to ensure the continued delivery of critical functions during emergencies. This includes identifying risks, preparing for disruptions, and ensuring a coordinated response.
Health and Safety at Work Act 1974 Places a duty on to protect the health and safety of staff, service users, and others who may be affected by its activities. This includes planning for emergencies and ensuring that business continuity plans are in place to manage risks to health and safety during disruptions.
Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) Governs the collection, use, and storage of personal data. Business continuity plans must include measures to protect sensitive data during emergencies and ensure compliance with data protection laws in the event of system failures or cyber incidents.
Public Health (Control of Disease) Act 1984 Provides a legal framework for responding to public health emergencies, including pandemics. Business continuity plans must include procedures for infection control, isolation, and communication with public health authorities during disease outbreaks.
Equality Act 2010 Requires to ensure that business continuity plans consider the diverse needs of service users, staff, and stakeholders, ensuring that no one is disadvantaged during an emergency or disruption.

3. Definitions of Key Terms

Term Definition
Business Continuity The ability of to maintain essential services and functions during and after a disruption or emergency situation. This includes preparing for, responding to, and recovering from a range of potential threats and disruptions.
Business Continuity Plan (BCP) A documented plan that outlines the procedures and resources required to maintain critical services during a disruption. The BCP includes strategies for managing risks, coordinating responses, and restoring normal operations.
Critical Functions The core services and activities that must be maintained during a disruption to ensure the safety, health, and well-being of service users. Examples include medication management, personal care, and safeguarding.
Emergency Response Team (ERT) A designated group of staff members responsible for coordinating the response to an emergency or disruption, implementing the business continuity plan, and ensuring effective communication with stakeholders.
Risk Assessment The process of identifying, evaluating, and prioritising potential risks that could impact service delivery. Risk assessments inform the development of business continuity strategies and control measures.
Incident Response The immediate actions taken to respond to a disruption or emergency. This includes activating the business continuity plan, communicating with stakeholders, and implementing control measures to minimise impact.
Recovery The process of restoring normal operations and services following a disruption. Recovery involves assessing the impact of the disruption, implementing remedial actions, and updating the business continuity plan as needed.
Resilience The ability of to adapt to and recover from disruptions, ensuring that essential services are maintained and that the organisation can continue to operate effectively.

4. Policy Statement

is committed to ensuring the safety, health, and well-being of its service users, staff, and stakeholders by maintaining high standards of care and service delivery, even in times of emergency or disruption. This Business Continuity Policy sets out ’s approach to planning, preparing, and responding to a range of potential disruptions, ensuring that essential services continue to be delivered in a safe, effective, and person-centred manner. The purpose of this policy is to establish a structured framework for business continuity planning, which includes risk assessment, emergency preparedness, response, and recovery. recognises that disruptions can occur in various forms, including natural disasters, health crises, equipment failures, cyber-attacks, and staffing shortages. By implementing a comprehensive business continuity plan (BCP), ensures that it is equipped to manage these challenges and maintain the highest standards of care. This policy is aligned with CQC Regulation 12 (Safe Care and Treatment) and other relevant regulations, ensuring that service users’ needs are met at all times, even during periods of disruption. The Business Continuity Policy supports ’s commitment to good governance, quality improvement, and risk management. It is the responsibility of all staff to be familiar with the contents of the BCP and to act in accordance with the procedures outlined within this policy.

5. Roles and Responsibilities

Role Responsibilities
Board of Directors Oversee the development and implementation of the Business Continuity Policy. Ensure that adequate resources are allocated for emergency planning, risk management, and staff training. Review compliance with the policy and evaluate its effectiveness annually.
Registered Manager Lead the implementation of the Business Continuity Policy within the service. Ensure that all staff are aware of their roles and responsibilities during a disruption. Conduct regular risk assessments and review the BCP to ensure it is up-to-date and relevant.
Emergency Response Team (ERT) Coordinate the response to an emergency or disruption. Implement the BCP, communicate with staff and stakeholders, and manage the allocation of resources during an incident. Conduct debriefings and post-incident reviews to identify lessons learned.
HR Manager Ensure that staff are adequately trained in emergency procedures and business continuity planning. Maintain up-to-date contact lists and support staff welfare during and after a disruption. Assist in reallocating staffing resources as needed.
IT Manager Ensure the resilience and security of IT systems, including data protection measures. Implement strategies for maintaining access to critical systems and information during a disruption. Lead on recovery efforts in the event of IT system failures or cyber-attacks.
Line Managers Support staff in understanding their roles and responsibilities during a disruption. Ensure that service users’ needs are prioritised and that essential services continue to be delivered. Report any issues or concerns to the Registered Manager or ERT.
All Staff Familiarise themselves with the Business Continuity Policy and the BCP. Follow instructions during a disruption and contribute to maintaining a safe environment for service users. Report any risks or concerns to their line manager or the Registered Manager.
Service Users and Families Participate in discussions about business continuity planning and provide feedback on the service’s response to disruptions. Report any concerns or incidents to staff. Follow guidance and instructions provided by during an emergency.

6. Procedures

The following procedures outline the specific steps that will take to prepare for, respond to, and recover from a wide range of disruptions that could affect the safety and continuity of services. These procedures are designed to ensure compliance with CQC regulations and align with best practices in business continuity planning and emergency management. By implementing these procedures, aims to minimise the impact of disruptions on service users, staff, and stakeholders, ensuring that critical services continue to be delivered safely and effectively.

1. Risk Assessment and Business Impact Analysis

Risk assessment and business impact analysis (BIA) are essential components of ’s approach to business continuity. These processes identify potential risks and assess the impact of disruptions on service delivery, enabling to develop targeted strategies to mitigate these risks.
  • Risk Assessment: The Registered Manager, in collaboration with the Emergency Response Team (ERT) and senior management, will conduct a comprehensive risk assessment at least annually, or whenever there are significant changes to the service. The risk assessment will identify potential hazards, such as:
    • Natural disasters (e.g., flooding, extreme weather conditions).
    • Health crises (e.g., outbreaks of infectious diseases).
    • Equipment or utility failures (e.g., power outages, water supply disruptions).
    • Cyber incidents (e.g., data breaches, IT system failures).
    • Staffing shortages (e.g., due to illness or industrial action).
For each risk identified, the likelihood and potential impact will be assessed, and appropriate control measures will be put in place to reduce the risk to an acceptable level.
  • Business Impact Analysis (BIA): The BIA will identify and prioritise the critical functions that must be maintained during a disruption to ensure the safety and well-being of service users. These functions include:
    • Personal care and support services.
    • Medication management.
    • Safeguarding and health and safety monitoring.
    • Communication with service users, families, and stakeholders.
The BIA will also identify the maximum tolerable period of disruption (MTPD) for each function, which is the maximum time that a critical function can be disrupted before it starts to cause significant harm or loss.

2. Developing and Maintaining the Business Continuity Plan (BCP)

The Business Continuity Plan (BCP) is a comprehensive document that outlines the strategies, resources, and procedures required to maintain critical services during a disruption. The BCP will be reviewed and updated at least annually or whenever there are significant changes to the service, staffing, or risk profile.
  • Plan Structure: The BCP will be divided into the following sections:
    • Contact Information: A list of key contacts, including senior management, emergency services, local authorities, suppliers, and utility providers.
    • Incident Response: Step-by-step procedures for responding to different types of disruptions (e.g., power outage, flooding, IT failure).
    • Resource Requirements: A detailed inventory of the resources required to maintain critical functions, including staffing, equipment, and supplies.
    • Recovery Strategies: Specific strategies for restoring disrupted services and returning to normal operations, including alternative care arrangements and relocation plans.
  • Plan Distribution: The BCP will be distributed to all members of the ERT, senior management, and key stakeholders. A copy will be stored securely off-site and accessible in electronic format to ensure availability during a disruption.
  • Plan Testing and Exercises: The BCP will be tested at least annually through tabletop exercises, simulation drills, and scenario-based testing. Testing will help identify any gaps in the plan and provide staff with an opportunity to practice their roles and responsibilities during an emergency.

3. Activation of the Business Continuity Plan

The BCP will be activated when a disruption occurs, and there is a risk that normal service delivery cannot be maintained. The decision to activate the BCP will be made by the Registered Manager or a designated member of the ERT, based on the severity and impact of the disruption.
  • Activation Criteria: The BCP will be activated if:
    • A critical function is disrupted for more than 30 minutes.
    • There is a significant risk to the safety and well-being of service users.
    • Normal operations cannot be maintained due to staff shortages, equipment failure, or environmental hazards.
  • Initial Response Actions: Upon activation of the BCP, the following initial response actions will be taken:
    • Notify Key Personnel: The ERT will be notified immediately, and key personnel will be mobilised to assess the situation and implement the BCP.
    • Assess the Situation: The ERT will conduct a rapid assessment to determine the nature and extent of the disruption, the impact on critical functions, and the immediate actions required.
    • Implement Contingency Plans: The ERT will implement contingency plans to maintain critical services, including reallocating staff, activating backup systems, and using alternative resources.

4. Emergency Response and Communication

Effective communication is critical during a disruption to ensure that staff, service users, families, and stakeholders are informed and reassured. will use a multi-channel communication strategy to keep everyone updated and provide clear instructions.
  • Communication Channels: The following communication channels will be used:
    • Internal Communications: Staff will be kept informed through emails, phone calls, SMS alerts, and face-to-face briefings.
    • External Communications: Service users, families, and external partners will be informed through phone calls, emails, and ’s website.
    • Emergency Hotline: An emergency hotline will be established to provide information and updates to service users, families, and the public.
  • Communication Protocols: All communications will follow a predefined protocol, ensuring that information is accurate, timely, and consistent. The ERT will designate a spokesperson to handle all external communications and media enquiries.

5. Recovery and Restoration of Services

The recovery phase focuses on restoring disrupted services and returning to normal operations as quickly as possible. The ERT will lead the recovery efforts, coordinating with staff, suppliers, and external agencies to minimise downtime and ensure a smooth transition back to normal operations.
  • Damage Assessment: A thorough assessment of the impact of the disruption will be conducted to determine the extent of damage and identify any areas that require immediate attention.
  • Service Restoration: The ERT will prioritise the restoration of critical functions, such as personal care and medication management, before gradually resuming less critical services.
  • Staff and Resource Allocation: Staff will be reallocated as needed to support recovery efforts, and additional resources will be deployed to address any shortages.
  • Post-Incident Review: Once normal operations have been restored, a post-incident review will be conducted to identify lessons learned, assess the effectiveness of the BCP, and update the plan as necessary.

7. Training and Development

Induction Training for New Staff

All new staff members, including permanent employees, agency staff, and volunteers, must complete mandatory induction training on business continuity planning and emergency preparedness within their first four weeks of employment. This training is designed to ensure that staff understand their roles and responsibilities during a disruption and are familiar with ’s Business Continuity Policy and procedures.
  • Core Training Topics: The induction training will cover:
    • An overview of ’s Business Continuity Policy and the legal framework.
    • Key risks and potential disruptions that could impact service delivery.
    • The structure and contents of the BCP, including incident response and recovery strategies.
    • Roles and responsibilities of staff during a disruption.
    • Communication protocols and emergency contact information.
  • Assessment and Certification: At the end of the induction training, staff must complete an assessment to demonstrate their understanding of the policy and procedures. Staff who do not pass the assessment will receive additional support and training until they achieve the required competency level.

Ongoing Training and Professional Development

To ensure that staff remain up-to-date with business continuity planning and are prepared to respond effectively to disruptions, will provide regular refresher training and professional development opportunities.
  • Annual Refresher Training: All staff must complete annual refresher training on business continuity planning and emergency response. This training will revisit core topics, address any changes to the BCP, and include scenario-based exercises to reinforce learning.
  • Role-Specific Training: Staff in specific roles, such as the ERT, line managers, and senior management, will receive additional training tailored to their responsibilities. This may include:
    • Advanced training on conducting risk assessments and business impact analyses.
    • Training on managing complex disruptions and implementing recovery strategies.
    • Workshops on communication and decision-making during emergencies.
  • Scenario-Based Training Exercises: Scenario-based training exercises, such as tabletop simulations and live drills, will be conducted at least annually to test the effectiveness of the BCP and provide staff with practical experience in managing disruptions.
  • Continuous Professional Development (CPD): Staff will be encouraged to participate in external training, workshops, and conferences on business continuity planning and emergency management. This will ensure that stays at the forefront of best practices and maintains a high standard of resilience.
  • Supervision and Reflective Practice: Business continuity planning and emergency preparedness will be regular topics in staff supervision sessions. Line managers will provide feedback, identify any training needs, and support staff in reflecting on their practice to improve their skills and confidence in managing disruptions.
By investing in comprehensive training and professional development, aims to create a knowledgeable, skilled, and confident workforce that is equipped to implement effective business continuity measures and protect the safety and well-being of service users during any disruption.

8. Monitoring and Review

Monitoring Compliance with the Business Continuity Policy

Monitoring compliance involves a systematic approach that includes routine checks, audits, scenario testing, and feedback mechanisms. By systematically evaluating compliance, can ensure that all elements of the Business Continuity Plan (BCP) are being correctly implemented and that any weaknesses are promptly addressed.
  • Routine Checks and Spot Audits: Routine checks and spot audits will be conducted by the Registered Manager and Emergency Response Team (ERT) to ensure that all critical elements of the BCP, such as emergency contact information, resource availability, and staff preparedness, are up-to-date and accessible.
    • Documentation Review: The Registered Manager will review all business continuity documentation, including risk assessments, impact analyses, and contingency plans, on a quarterly basis. This review will focus on ensuring that all information is accurate, current, and aligned with the latest regulatory requirements.
    • Staff Preparedness Checks: Line managers will conduct monthly spot checks to assess staff preparedness for emergencies. This may include asking staff to demonstrate their understanding of emergency roles and responsibilities, testing communication channels, and checking the availability of critical resources (e.g., PPE, backup equipment).
  • Quarterly Scenario-Based Testing: Scenario-based testing is a key component of business continuity monitoring. It involves simulating a range of potential disruptions to test the effectiveness of the BCP and the readiness of staff. The scenarios will vary in complexity and scope, covering situations such as power outages, IT system failures, severe weather events, and pandemics.
    • Testing Process: Scenario-based testing will be coordinated by the ERT, with participation from all relevant staff and external partners (e.g., local authorities, emergency services). The tests will follow a structured process, including:
      • Scenario Development: Develop realistic scenarios that reflect potential risks to service delivery.
      • Response Activation: Activate the relevant sections of the BCP, allocate roles, and implement response actions.
      • Real-Time Assessment: Monitor the response in real-time, documenting any issues or deviations from the plan.
      • Debriefing and Feedback: Conduct a debriefing session to gather feedback from participants, identify strengths and weaknesses, and develop action plans for improvement.
  • Monthly and Annual Compliance Audits: Formal audits of the Business Continuity Policy will be conducted monthly and annually by the Registered Manager, with support from the HR and Compliance teams. These audits will provide a comprehensive evaluation of the effectiveness of the policy and its implementation.
    • Audit Scope: The audits will cover all aspects of the BCP, including risk assessment, emergency response, communication protocols, resource management, and recovery strategies.
    • Reporting and Action Plans: After each audit, a detailed report will be produced, highlighting areas of compliance and non-compliance, as well as recommendations for improvement. An action plan will be developed to address any gaps, with clear timelines and assigned responsibilities.

Evaluating Policy Effectiveness

Evaluating the effectiveness of the Business Continuity Policy involves assessing whether the policy is achieving its intended outcomes, such as ensuring service continuity, minimising disruption, and protecting the safety and well-being of service users and staff. The evaluation process should include both quantitative and qualitative measures to provide a comprehensive understanding of the policy’s impact.
  • Incident Data Analysis: The ERT will review data from past incidents and disruptions to evaluate the effectiveness of the BCP. This analysis will focus on:
    • Response Times: Assess how quickly the BCP was activated and how effectively staff responded to the incident.
    • Service Impact: Determine the extent to which critical services were disrupted and the duration of any interruptions.
    • Recovery Outcomes: Evaluate the success of recovery strategies and the time taken to restore normal operations.
  • Stakeholder Feedback: Gathering feedback from staff, service users, and families is essential for evaluating the effectiveness of the policy and identifying areas for improvement.
    • Staff Surveys: Annual staff surveys will assess their understanding of the BCP, their confidence in implementing it, and their perceptions of the support provided by management during disruptions.
    • Service User and Family Consultations: Service users and their families will be invited to share their experiences and provide feedback on how managed any disruptions to their care.

Formal Policy Review and Updates

The Business Continuity Policy will be formally reviewed at least annually, or sooner if there are significant changes in legislation, CQC guidance, or organisational priorities. The review process will be led by the Registered Manager, in collaboration with the ERT, senior management, and other relevant stakeholders.
  • Review Process: The formal review process will include:
    • Analysis of Audit and Testing Findings: Reviewing findings from audits, scenario tests, and real incidents to identify gaps or areas for improvement.
    • Assessment of Legislative and Regulatory Changes: Ensuring that the policy remains compliant with current legislation, including the Civil Contingencies Act 2004, Health and Safety at Work Act 1974, and CQC regulations.
    • Stakeholder Consultation: Consulting with staff, service users, families, and external partners to gather input and identify any areas that need to be updated or clarified.
  • Documenting and Communicating Changes: Any changes to the policy will be documented in a formal policy update report, which will outline the rationale for the changes, the impact on staff and service users, and the plan for implementation. The updated policy will be shared with all staff, who must sign to confirm their understanding and compliance.
  • Training on Policy Changes: Additional training or workshops will be provided to ensure that all staff are fully aware of any changes to the policy and understand how to implement them in practice.

Continuous Improvement

The findings from audits, evaluations, and policy reviews will be used to drive continuous improvement in ’s business continuity planning and emergency preparedness. This may include updating the policy, refining procedures, or investing in additional training and resources to support staff in adhering to the policy.

9. Reporting Concerns

Types of Concerns to Report

Concerns that should be reported under this policy include, but are not limited to:
  • Non-Compliance with the Business Continuity Policy: Any instance where business continuity procedures are not followed, such as failure to update emergency contact information or conduct regular risk assessments.
  • Inadequate Resources or Preparation: Concerns about a lack of resources (e.g., insufficient PPE, outdated emergency supplies) or inadequate staff training that could compromise ’s ability to respond to a disruption.
  • Failure to Activate the BCP: Any failure to activate the BCP when a disruption occurs, leading to delays or unsafe practices.
  • Safety Concerns During an Emergency: Any practices that put staff or service users at risk during an emergency, such as inadequate communication or failure to follow evacuation procedures.
  • Staff Concerns About Preparedness: Concerns raised by staff about their ability to implement the BCP or the effectiveness of the plan.

Reporting Mechanisms

provides multiple channels for reporting concerns to ensure that all staff, service users, and families can raise issues in a way that is safe, confidential, and accessible.
  • Verbal Reporting to Line Managers: Staff and service users are encouraged to report concerns verbally to their line manager or the Registered Manager in the first instance. Managers receiving the report must document the concern and take appropriate action.
  • Written Reporting: Concerns can also be documented using ’s internal incident or concern reporting form, which should be submitted to the Registered Manager or HR Manager. Written reports should include:
    • A detailed description of the concern.
    • The date and time of the incident (if applicable).
    • The names of any individuals involved or witnesses.
    • Any supporting evidence (e.g., emails, photographs, documentation).
  • Anonymous Reporting: If individuals feel unable to report concerns through standard channels, they may use ’s anonymous reporting mechanism, such as an online reporting tool or a designated confidential suggestion box. Anonymous reports will be treated with the same seriousness as named reports, and a thorough investigation will be conducted based on the information provided.

Investigating Concerns

All concerns will be investigated promptly and fairly, in accordance with ’s grievance and whistleblowing procedures. The Registered Manager or an appointed investigator will lead the investigation, ensuring that the rights and confidentiality of all parties are respected.
  • Initial Risk Assessment: Upon receiving a report, the Registered Manager will conduct an initial risk assessment to determine the severity of the concern and the appropriate course of action. If the concern relates to an outbreak or serious infection risk, immediate measures will be taken to protect service users and staff.
  • Investigation Process: The investigation may involve reviewing documentation, interviewing staff and service users, and gathering additional evidence. The aim is to identify the root cause of the concern and develop a plan to resolve it.
  • Communicating the Outcome: The outcome of the investigation will be communicated to the individual who raised the concern, including a summary of the findings, the actions taken, and any recommendations for improvement. If the concern was raised anonymously, a summary of the outcome will be shared with all staff through internal communications.
By ensuring a comprehensive approach to reporting, investigating, and responding to concerns, aims to create a safe and supportive environment where business continuity risks are effectively managed, and improvements are continuously made.
Generating PDF...