Skip to main content

Section 2 - Mandatory Requirements and Recommended Good Practice

Section 2 - Mandatory Requirements and Recommended Good Practice

Introduction and purpose

This section sets out:

  • the mandatory requirements, as described in the Act and the Regulations (see below), for Category 1 and Category 2 responders
  • a range of issues and recommended good practices that responders, and occasionally others, should consider as they work to fulfil their duties and wider resilience objectives
  • some suggested indicators of good practice, supporting assessment of performance and effective, ongoing realisation of regulatory obligations.

 

This guidance is aimed first and foremost at those bodies that have duties under civil contingencies legislation. Whilst the guidance aims to cover the full range of duties and associated good practices, it should not be considered exhaustive or as a substitute for each organisation having a thorough understanding of legislation in relationship to its role and obligations, both on an individual and collective basis.

 

The Civil Contingencies Act 2004

The Civil Contingencies Act 2004 (“the Act”6), seeks to minimise disruption in the event of an emergency and to ensure that the UK is better prepared to deal with a range of emergencies. The Act applies to the whole of the UK, reflects the various devolution settlements and is separated into two substantive parts:

  • Part 1: focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders
  • Part 2: focuses on emergency powers, establishing a framework for the use of special legislative measures that may be required to deal with exceptionally serious emergencies.

 


6http://www.opsi.gov.uk/acts/acts2004/pdf/ukpga_20040036_en.pdf


 

The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005

In Scotland, the Civil Contingencies Act 2004 (Contingency Planning)(Scotland) Regulations 2005 (“the Regulations”7) as amended in the Civil Contingencies Act 2004 (Contingency Planning)(Scotland) Amendment Regulations 2013 and the Civil Contingencies Act 2004 (Amendment of List of Responders) (Scotland) Order 2021, set out further detail on the application of the Act in Scotland, with particular regard to the duties and roles of responders.

Whilst responsibility for most resilience and civil contingencies matters is devolved, some key issues, such as national security, counter-terrorism and energy policy, are reserved to the UK. In 2006 the UK and Scottish governments agreed a concordat to ensure effective cooperation on civil contingencies issues and consistent application of the Act across the UK. Whilst this is not a legally binding document, there is a strong expectation that both governments will continue to observe its terms.

 


7http://www.opsi.gov.uk/legislation/scotland/ssi2005/ssi_20050494_en.pdf


 

Definition of emergency

The Act’s concern is how to deal with the consequences of emergencies, which it defines as events or situations that threaten serious damage to:

  • human welfare. For example, loss of life, injury, illness or homelessness; disruption to food, money or energy supplies; disruption to communication systems, transport systems or health services
  • the environment. For example, contamination of land, water or air with biological, chemical or radioactive matter or the destruction of animal or plant life
  • the security of the UK. For example acts of war or terrorism.

 

There is no further definition of serious damage in the Act, however, Category 1 responders shall apply their duties if an emergency would be likely seriously to obstruct a responder in the performance of its functions, or it is likely that the responder would consider it necessary or desirable to take action to prevent the emergency, to reduce, control or mitigate its effects or otherwise in connection with it, and the responder would be unable to take that action without changing the deployment of resources or acquiring additional resources. See Section 2 (1) (2) of the Act.

An emergency inside or outwith the UK is covered by the Act and the Regulations, provided it has consequences in the UK.

 

Responders

The Act imposes specific duties on two categories of responders:

  • Category 1 responders are defined as the police, ambulance, fire and rescue services, local authorities, NHS Health Boards, the Scottish Environment Protection Agency, the Maritime and Coastguard Agency and Integration Joint Boards. Whilst the majority of Category 1 responders operate exclusively within Scotland, some have a broader range. For example the responsibilities of the Maritime & Coastguard Agency extend to the entire UK.
  • Category 2 responders are defined as gas and electricity companies, rail and air transport operators, harbour authorities, telecommunications providers, Scottish Water, the Health and Safety Executive and NHS National Services Scotland.

 

The Act refers to the roles and duties of Category 1 responders as “functions” (Section 2(1) (c) & (d). Functions are described as “any power or duty whether conferred by virtue of an enactment or otherwise” (Section 18(1)). This includes statutory duties and discretionary powers, as well as common law powers that relate to the business of the responder.

Whilst the Act places specific duties on these two categories of responders, it states also that other organisations, such as the voluntary and private sectors, can have an important role to play in consolidating our overall resilience and contributing to effective preparation for, response to and recovery from an emergency incident.

Whilst responsibility rests first and foremost with the responders that have statutory duties under the Act, there may be instances where the scale or nature of the event means that the Scottish Government (or, possibly, the UK government) is best placed to coordinate the emergency. Examples of this may include incidents that affect a wide geographical area, possibly escalating to national and/or transnational8 scale or that put very intense pressures on local responders.

 

The seven duties of the Civil Contingencies Act

There are seven main duties under Part 1 of the Act, aimed at ensuring effective arrangements are in place for planning for emergencies, responding to emergencies and the continued delivery of services.

The following tables set out:

  • mandatory requirements under the Act and the Regulations
  • issues to consider and recommended good practice
  • suggested indicators of effectiveness.

 


8 Transnational: meaning other UK and/or international nations.


 

The tables cover the Act’s seven duties:

  1. Duty to assess risk
  2. Duty to maintain emergency plans
  3. Duty to maintain business continuity plans
  4. Duty to promote business continuity
  5. Duty to communicate with the public
  6. Duty to share information
  7. Duty to co-operate.

 

Other Legislation

Other legislation exists which shares the characteristics and practices of civil contingencies legislation, notably:

  • Control of Major Accident Hazards Regulations 2015 (COMAH)
  • Pipelines Safety Regulations 1996 (PSR)
  • Radiation (Emergency Preparedness and Public Information) Regulations 2001 (REPPIR).

 

Duties imposed by the Act or the Regulations need not be performed in relation to an emergency within the meaning of the above legislation (Regulation 9). However, whilst there are specific legislative demands posed by COMAH, PSR and REPPIR, there is much within civil contingencies activity which will be relevant to this other legislation.

Preparation, response and recovery processes developed by responders in the context of the Act and the Regulations will, in large part, be applicable to the demands of COMAH, PSR and REPPIR and the potential hazards associated with this legislation. There is no requirement to duplicate planning and preparation required by both sets of legislation.

 

i) DUTY TO ASSESS RISK

Mandatory requirements: Category 1 Responders must:

1. From time to time assess the risk of an emergency occurring - Section 2(1)(a)9- but need only perform this duty in relation to an emergency which affects or may affect the area in which the organisation exercises its functions - Regulation 10 10.

2. From time to time assess the risk of an emergency making it necessary or expedient for the organisation to perform any of its functions - Section 2(1)(b).

3. Consider whether a risk assessment is necessary in relation to an emergency or type of emergency. A risk assessment is necessary if:

  • the emergency would be likely to seriously obstruct the performance of your functions - Section 2(2)(a)
  • the organisation considers it necessary or desirable to take action to prevent the emergency, to reduce, control or mitigate its effects or take other action in connection with the emergency
  • the organisation would be unable to act without changing the deployment of resources or acquiring additional resources - Section 2(2)(b).

4. Take into account any guidance and adopt any assessment issued by Scottish Ministers in relation to:

  • the likelihood of a particular emergency or emergency of a particular kind occurring
  • the extent to which such an emergency would or might cause damage to human welfare or the environment in Scotland or the security of the UK - Regulation 11.

5. Co-operate with other Category 1 responders operating in your Regional Resilience Partnership (RRP) area to maintain a Community Risk Register (CRR) - Regulation 12 (1). This involves:

  • from time-to-time sharing your individual risk assessments, where possible, with the other Category 1 responders in your RRP area - Regulation 12(2);
  • having regard to the CRR when producing your own risk assessments - Regulation12(4).

6. Arrange for the publication of any risk assessments made where publication is necessary or desirable to:

  • prevent an emergency
  • reduce, control or mitigate the effects of an emergency
  • enable another action to be taken in connection with an emergency - Section 2(1)(f).

 


9 References to “Sections” relate to the Civil Contingencies Act 2004

10 References to “Regulations” relate to the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations


 

Issues to consider and recommended good practice (duty to assess risk):

7. Adopting a systematic risk assessment process for threats and hazards11 in the local area. This process should cover:

  • the context within which risks exists. This includes:
    • area-specific health, social, economic, and environmental factors
    • the wider risk context, drawing on government guidance (Scottish and UK, as appropriate)
  • the likelihood of occurrence
  • possible impacts
  • capabilities that exist to prepare for, respond to and recover from emergencies caused by the identified threats and hazards
  • the identification of potential capability and capacity gaps
  • the sharing of information amongst all relevant bodies.

The risk assessment process should be monitored and reviewed on a regular basis and in accordance with guidance below.

For further information see Guidance for Scotland’s Regional Resilience Partnerships(RRPs) on Risk and Preparedness Assessments (RPAs)

8. Reviewing the Risk and Preparedness Assessments and the public-facing Community Risk Register (CRR) and individual risk assessments as often as is necessary to ensure that you are in a reasonable position to maintain and update your emergency and business continuity plans and comply with your CCA duties.

9. Setting up a regional multi-agency group to co-operate in the risk assessment process for the area and to develop and maintain the Risk and Preparedness Assessment and the public facing Community Risk Register (CRR).

10. Being aware of potential security considerations around some risk related matters - notably but not exclusively relating to threats - and ensure information is handled appropriately.

11. Within the constraints of information security, consulting widely (internally and externally) during the risk assessment process.

12. Consultation could include (but is not restricted to):

  • key officers responsible for delivering your organisation’s functions in an emergency
  • Category 1 and 2 responders
  • Scientific/subject matter experts – both from national agencies and academia
  • the voluntary sector or parts of the wider community
  • Scottish Government policy officials.

13. Taking account of “out of area” hazards (including across RRP boundaries, national or transnational 12) which could affect your organisation and its locality.

14. Sharing the area’s RPA with neighbouring Category 1 responders in contiguous resilience/RRP areas and publishing your CRR.

15. Considering sharing your RPA, or sections of it, with other non-neighbouring resilience areas.

16. Ensuring that the Scottish Government is kept properly apprised of risk assessment in your area and by your organisation and are sent a completed Regional RPA annually.

 


11 ‘Threats’ relate to malicious risks; ‘hazards’ relate to natural or non-malicious risks.

12 Transnational: meaning other UK and/or international nations.


 

Indicators of good practice (duty to assess risk):

17. Collectively, being able to demonstrate that responders in the area work together effectively, maximising the use of relevant expertise and avoiding duplication of effort.

18. Being able to provide documentary evidence of a regular process for monitoring, reviewing and updating risk assessments. This should include:

  • audit trails recording any updates made
  • version control
  • a list of contributors
  • reference and list sources used (including government guidance).

19. Being able to demonstrate that your risk assessment – as an organisation and collectively within the area – is based on a rigorous analysis of threats and hazards within the organisational and local context.

20. Being able to show how your risk assessment – as an organisation and collectively within the area – aligns with national risk assessments (Scottish and UK, as appropriate) and more generally with relevant government guidance.

 

ii) DUTY TO MAINTAIN EMERGENCY PLANS

Mandatory requirements: Category 1 Responders must:

1. Maintain plans for the purpose of ensuring that, if an emergency occurs or is likely to occur, the organisation is able to continue to perform its functions so far as is necessary or desirable for the purpose of:

  • preventing the emergency
  • reducing, controlling or mitigating its effects
  • taking other action to be taken in connection with it - Section 2(1)(d).

2. Maintain plans which relate to more than one emergency or particular kind of emergency and may maintain plans relating to a particular emergency or kind of emergency – Regulation 15.

3. Consider whether it would be appropriate to plan by way of a multi-agency plan – Regulation 16.

4. In planning for emergencies, have regard to the activities of the relevant voluntary organisations – Regulation 17(1).

5. Include a procedure for determining whether emergency or business continuity plans require to be implemented, and must identify the person or persons responsible for taking that decision – Regulation 18.

6. Include arrangements for the carrying out of exercises to ensure the plan is effective – Regulation 19(a).

7. Provide training to an appropriate number of staff considered necessary to carry out plans effectively – Regulation 19(b).

8. Consider whether plans should be modified in the light of guidance and/or assessment made by Scottish Ministers under Regulation 11 – Regulation 20.

9. Have regard to the importance of not alarming the public unnecessarily when undertaking its duty to publish plans – Regulation 21.

 

Issues to consider and recommended good practice (duty to maintain emergency plans):

10. Ensuring that plans:

  • are concise and easy to use. (Plans will need to be read and understood in challenging situations. They should introduce the reader to the topic in logical steps)
  • use consistent unambiguous terminology – avoid jargon, especially any which is unique to an organisation
  • include references to other sources of information and supporting documentation
  • allocate ownership for key tasks
  • contain realistic planning assumptions
  • have a review process and version control.

11. Including information on:

  • Why the plan is needed – plan description, its purpose and, where appropriate, some reference to the risk assessment on which the plan is based
  • How the plan works – the main elements of the plan in hierarchy of importance, how activities will be coordinated, main facilities, equipment, locations and communications, how additional resources may be obtained if required
  • Who has responsibility in the plan (by title) – the main emergency teams (from both within and outside the organisation), their roles and responsibilities
  • When the plan will be activated – procedures for alerting, placing on standby and activating teams and a procedure for determining when an emergency has occurred
  • What will be done and by whom – specific actions to be taken and how these contribute to the overall response, check-lists or aide memoirs
  • include a communications strategy - i.e. a communication plan, including contact details and how to communicate with stakeholders
  • How to support staff – training, exercising, briefings
  • A measure or standard against which performance can be assessed
  • Crisis management from response through to recovery.

12. Whether to produce generic plans which relate to more than one emergency, specific plans which relate to a particular emergency or type of emergency or a mixture of both.

13. Considering the extent to which particular types of emergencies will place demands on your resources and capacity.

14. Giving vulnerable people (people who are less able to help themselves in the circumstances of an emergency) special consideration when producing plans. Preparing Scotland: Scottish Guidance on Preparing for Emergencies: Care for people affected by emergencies provides further guidance.

15. Giving those affected by emergencies, including survivors and families and friends of those directly affected by emergencies, special consideration when producing plans.

16. Developing the plan with the full engagement and cooperation of the main parties who have a role in the plan and securing their agreement to its content.

17. Treating emergency planning as a systematic and continuous process, and having a procedure for updating and maintaining plans to ensure that they reflect:

  • any changes in risk assessments (see the section on risk assessment)
  • lessons identified - and learned - from exercises and emergencies
  • restructuring and changes in organisations, their procedures and technical systems identified in the plan
  • changes in key personnel.

18. Considering how to publish your plans – see the section on communicating with the public.

19. Considering whether it is appropriate to produce, maintain and update an emergency plan in relation to a particular emergency or type of emergency in collaboration with other Category 1 responders, i.e. a multi-agency plan – Regulation 22. It is essential that any such plans contain arrangements for co-operation and coordination at management level.

 

Indicators of good practice (duty to maintain emergency plans):

20. Being able to demonstrate that plans are regularly and systematically updated, based on sound assumptions. This can be achieved by filing associated documentation

including:

  • a record of key decisions made and agreed
  • in some circumstances, a record of options considered but rejected, and why
  • a record of changes and modifications
  • a programme and schedule for future updates.

21. Asking your peers to review and comment on your plans.

22. Using identified good practice examples to develop emergency plans.

23. Adopting flexible plans which allow for the unexpected and can be scaled up or down to cope with varying scales of emergency.

24. Being able to demonstrate that lessons identified from exercises and emergencies have been taken forward13.

25. Being able to demonstrate that the people responsible for carrying out the roles in the plan are aware of those roles.

26. Developing and documenting a training and briefing programme for staff and key stakeholders (including elected members and responders from the private and voluntary sectors, if applicable).

27. Referring to the National Occupation Standards for Civil Contingencies (www.skillsforjustice.com ) and the Emergency Planning Society when identifying training needs. Further information is also available from the Scottish Resilience Development Service (ScoRDS: www.scords.gov.uk)

 


13 The Scottish Government has developed a coordinated lessons process to establish a record of lessons identified, promulgate those lessons across the resilience community and oversee and support the learning and application of those lessons.


 

iii) DUTY TO MAINTAIN BUSINESS CONTINUITY (BC) PLANS

Mandatory requirements: Category 1 Responders must:

1. Maintain plans for the purpose of ensuring, so far as is reasonably practicable, that if an emergency occurs the person or body is able to continue to perform his/her or its functions – Section 2(1)(c).

2. Consider whether a risk assessment makes it necessary or expedient for the person or body to add to or modify a business continuity plan – Section 2(1)(e).

3. Have regard to the relevant risk assessments when carrying out duties to maintain business continuity – Regulation 13.

4. Maintain plans which relate to more than one emergency, or particular kind of emergency, and may maintain plans relating to a particular emergency or kind of emergency – Regulation 15.

5. Include a procedure for determining whether emergency or business continuity plans require to be implemented, and identify the person or persons responsible for taking that decision – Regulation 18.

6. Have regard to the activities of the relevant voluntary sector when planning for emergencies – Regulation 17.

7. Test the effectiveness of plans and include arrangements for carrying out exercises – Regulation 19(a).

8. Provide training to an appropriate number of staff considered necessary to carry out plans effectively – Regulation 19(b).

9. Consider whether plans should be modified in the light of guidance and/or assessment issued by Scottish Ministers under Regulation 11 – Regulation 20.

 

Issues to consider and recommended good practice (duty to maintain business continuity plans):

10. Ensuring that the structures that support Business Continuity Management include and engage with other Category 1 responders, other partner agencies and external suppliers. This may in part be facilitated by the collective support of the RRP.

11. Having provision for the carrying out of regular exercises specifically designed to validate and test BCM arrangements to ensure effectiveness.

12. Giving consideration to the type of plans you produce, e.g. generic plans, which relate to more than one type of emergency, or specific plans which relate to a particular emergency type, or a mixture of both (Regulation 15). The nature of the plans should be based on the risk assessments you have carried out and the critical functions of the organisation (Regulation 13).

13. Having in place a documented BCM strategy and operational business continuity plans that set out how your organisation will reduce risks to its key functions and to continue to perform these at the time of an emergency or in the face of disruption.

14. Having procedures in place to determine whether an event has occurred which is likely to seriously obstruct your organisation in performing its day-to-day functions, including who should make this determination and what actions will follow from this.

15. Being able to demonstrate that a systematic approach is being taken to developing and maintaining business continuity management in your organisation.

16. Having an identified BCM coordinator with the necessary skill set and experience to champion BCM and work with managers to deliver your organisation’s BCM strategy and related plans.

17. Being able to demonstrate in that any internal risks (as opposed to the risk due to an external emergency) are addressed in your BCM arrangements

18. Being able to demonstrate that process for monitoring, reviewing and updating Business Continuity Plans, involves the necessary range of stakeholders and remains directly relevant to the delivery of a practical BC capability.

19. Being able to demonstrate that recovery time objectives (RTOs) and acceptable level of service have been agreed for critical functions.

20. Being able to demonstrate that all dependencies which underpin critical functions have been identified.

21. Being able to demonstrate that all risks to critical functions have been identified, assessed and mitigated.

22. Being able to demonstrate that the organisation’s supply networks and external subcontractors have been considered as a source of risk and that mitigation of any such risks is in place.

23. Being able to demonstrate that, in the event of their loss, realistic plans are in place to recover critical functions within their RTOs.

24. Being able to demonstrate that staff, and both external and internal stakeholders, are aware of the BCM strategy and that it is fully embedded in the organisational culture. A comprehensive programme of awareness raising, education and skill specific training is recommended.

25. Being able to demonstrate that sufficient staff with the correct skill mix have been trained and are available to ensure BCPs are effective – Regulation 19(b). Training should include the contents of the plan, roles and responsibilities and the skills and knowledge required.

 

Indicators of good practice: (duty to maintain BC plans):

26. An agreed and documented corporate Business Continuity policy is in place and is:

  • led at strategic level
  • part of mainstreamed management processes
  • part of the corporate governance structures
  • appropriately resourced.

27. Business Continuity Plans are updated and maintained, through a documented process, both at regular intervals and in response to :

  • updates to your risk assessments (see the risk assessment section above)
  • lessons identified from incidents, training or exercising.
  • organisational and structural changes
  • changes in your organisation’s objectives, functions and processes
  • changes in supplier and contractual arrangements
  • significant changes to staff, equipment or premises.

28. Emergencies and impacts in your risk assessments are addressed in your BCM arrangements especially critical functions and resource requirements for:

  • emergency response and
  • continuation of critical day-to-day functions at the time of an emergency.

29. Critical functions of your organisation have been identified. Functions might be critical because they:

  • are an essential part of the response to external emergencies
  • help to prevent emergencies and/or reduce and mitigate the risk of them occurring
  • impact immediately on human welfare or the environment
  • have immediate and significant security, legal or financial implications
  • have significant implications for your organisation’s reputation.

30. Your organisation’s BCM arrangements are consistent with recognised standards. Consider benchmarking your BCM arrangements against such standards or gaining accreditation to the standard.

 

iv) DUTY TO PROMOTE BUSINESS RESILIENCE

Mandatory requirements - Local Authorities, as defined at Schedule 1 Part 2 (13), must:

1. Provide advice and assistance to the public in connection with the making of arrangements for the continuance of commercial activities by the public, in the event of an emergency – Section 4 (1).

2. Provide advice and assistance for the continuance of the activities of bodies (other than public or local authorities) whose activities are not carried out for profit, in the event of an emergency – Section 4 (1).

3. Advise and assist the business community at large, insofar as these are businesses which carry out commercial activity in the area in which the functions of the relevant responder are exercisable – Regulation 33 (2) and 33 (3)(a).

4. Consider whether to provide advice to individual business as well as to the business community as a whole – Regulation 33(3)(b).

5. Advise and assist appropriate voluntary sector organisations, which operate in the area in which the responder functions, on making arrangements for the continuance of their activities in the event of an emergency – Regulation 34 .

6. Consider whether to provide advice to the voluntary community at large or provide advice to individual organisations separately – Regulation 34(3).

7. Consider whether to provide advice and assistance to voluntary organisations or to businesses in connection with identifying an appropriate “business continuity consultant” – Regulation 33(3) (c) and Regulation 34 (3) (c).

8. Consider whether it is necessary to charge for any business continuity advice that you provide on request under section 4(1) of the CCA. The charge must not exceed the direct costs of providing the advice or assistance and a reasonable share of any costs indirectly related to the provision of the advice or assistance – Regulation 38.

9. Cooperate with other Local Authorities in your resilience area (i.e. RRP area) in carrying out the duty. Other responders in the area must cooperate with local authorities in carrying out the duty – Regulation 35.

10. Consider whether the advice or assistance given by other responders to businesses or the voluntary sector in the area would be duplicated by the local authority carrying out this duty – Regulation 37.

 

Issues to consider and recommended good practice (duty to promote business continuity):

11. Considering who within your organisation is responsible for BC promotion. A collaborative effort between staff involved in emergency planning and staff involved in economic development or voluntary sector support functions may be required.

12. Ensuring that your own business continuity advice (both to businesses and voluntary organisations) dovetails with that being undertaken by other local responders.

13. Providing advice and assistance which will allow organisations (business and voluntary) to make judgements on:

  • the risks associated with emergencies
  • their ability to positively affect their position in the event of an emergency.

Information likely to help the organisation make these judgements includes information on:

  • the kind of disruptions which might occur as a result of the occurrence of emergencies
  • the likely implications of arrangements in place to deal with these emergencies (including risk assessment, planning, recovery) for their organisation
  • the steps they can take to prepare for or mitigate the effects of an emergency (e.g. implement BCM)
  • sources of warnings, information and advice in the event of an emergency.

14. Considering whether generic or specific BC advice is most appropriate.

15. When a targeted approach is adopted, considering whether the materials used are appropriate to the needs of the businesses targeted. For small and medium scale businesses (SMEs) research has shown that terminology is often confusing and they benefit most from common sense, tailored and practical solutions preferably face to face and a joined up approach where the same or similar advice is coming from different sources. A number of practical suggestions can be found at: Ready Scotland - Ready Business.

16. In co-operating with other local authorities ensuring that:

  • the message given out is consistent
  • the means of delivery are co-ordinated where appropriate
  • external partners are not unduly burdened
  • lessons are identified and learned and best practice is shared.

 

17. Avoiding definitive recommendations when referring organisations to a third party for advice or assistance. Instead Local Authorities should (a) direct firms/bodies to organisations who could provide assistance and (b) suggest criteria for selecting a service provider. This might include professional qualifications, membership of professional organisations, and experience in relevant aspects of BCM, track record and adequate professional indemnity insurance. The Business Continuity Institute (BCI) http://www.thebci.org provides a certification scheme for business continuity professionals. It publishes a list of consultants it deems to be qualified and competent. The Continuity Forum http://www.continuityforum.org provides a similar service.

18. Considering the merit of adopting formal cooperation, including via the RRP, to ensure coordinated BCM advice and assistance activity and the buy-in of all Local Authorities in your area. Cooperation may take the form of:

  • regular discussion at working-level liaison groups
  • establishing a RRP subgroup
  • discussions at RRP meetings.

19. Considering the merits of engaging with other partners as well as Local Authorities in the process of providing BC advice and assistance. Some or all of this might be done via the RRP. Other partners could include:

  • representative groups
  • individual businesses
  • Business Continuity Institute
  • commercial BCM providers
  • agenda groups
  • professional bodies
  • public sector partners.

For example, the Federation of Small Businesses host annual workshops and other events as well as having case study banks available. Other resources and advice are available from the BCI (http://www.thebci.org) and the Continuity Forum (http://www.continuityforum.org).

20. Considering which voluntary sector organisations are appropriate recipients of advice and assistance. To decide this you must consider:

  • whether the organisation carries out functions in the area in which you operate as a responder
  • whether their activities would contribute to the prevention of an emergency; the reduction, control or mitigation of its effects; otherwise taking action in relation to the emergency; or social welfare
  • the number of staff employed by the organisation
  • the turnover of the organisation
  • the nature of the organisation – in particular whether advice and assistance is likely to improve the organisations ability to continue its activities in the event of an emergency.

21. Considering the impact of charging on the take-up of your advice and assistance.

Indicators of good practice (duty to promote BC):

22. Having a clear policy for dealing with requests for detailed BC advice.

23. Making best use of staff with existing experience and responsibilities in liaising with local businesses and voluntary organisations.

24. Having a BC network or forums and regular meetings and engagement with key stakeholders.

25. Identifying any lessons by consulting a full range of stakeholders and taking these forward, reviewing and updating BC promotion arrangements if appropriate.

26. Making best use of relevant promotional materials, such as those provided at national Scottish or UK level, for example Ready Scotland - Ready Business and Preparing Scotland: Guidance on Business Continuity Management: It's Your Business.

27. Being able to demonstrate that you consulted businesses and voluntary organisations to assess BC understanding and uptake and thus the level of advice required.

28. Being able to demonstrate that you have assessed the profile and role of commercial and voluntary organisations in your area of responsibility and have targeted BC promotion work appropriately.

29. Being able to demonstrate that you have targeted your BC promotion to the specific needs of the organisations being advised.

 

(v) DUTY TO COMMUNICATE WITH THE PUBLIC

Mandatory requirements - Category 1 Responders must:

1. Arrange for the publication of all or part of the assessments made and plans maintained, if publication is necessary or desirable for the purpose of: preventing an emergency; reducing, controlling or mitigating its effects; or enabling other action to be taken in connection with an emergency – Section 2(1)(f).

2. Maintain arrangements to warn the public, and to provide information and advice to the public, if an emergency is likely to occur or has occurred – Section 2(1)(g).

3. In maintaining plans under Section 2(1)(d), (the duty to maintain plans to ensure a body is able to maintain its functions), have regard for the duty to warn and inform the public if an emergency is likely to or has occurred – Regulation 14.

4. When maintaining arrangements to warn and inform the public, have regard to plans made under the Section 2(1)(d) duty - Regulation 22.

5. Ensure that in publishing plans and assessments you do not alarm the public unnecessarily - Regulation 21.

6. Ensure that in maintaining arrangements to warn and inform you do not alarm the public unnecessarily – Regulation 24.

7. In performing the duty under Section 2(1)(g), note that you may make arrangements which relate to specific and/or generic types of emergency – Regulation 23.

8. When making arrangements made to warn and inform the public you must:

  • carry out exercises to ensure the arrangements are effective – Regulation 25(a)
  • train an appropriate number of your staff, and other persons considered necessary, to ensure the arrangements can be carried out effectively – Regulation 25(b).

9. If more than one Category 1 responder has a function in response to an emergency, those responders must co-operate with each other for the purpose of identifying which has lead responsibility for warning and informing the public – Regulation 26.

10. Have regard to the warning and informing arrangements maintained by:

  • other Category 1 responders
  • Category 2 responders
  • The Met Office
  • Scottish Ministers
  • The Secretary of State
  • Food Standards Agency

but need not maintain arrangements which would unnecessarily duplicate these other organisations’ arrangements – Regulation 29.

11. Except where required to do so under the Regulations, not publish or disclose any sensitive information, unless adequate permission has been granted to do so – Regulation 45.

Regulation 39 defines sensitive information as information that:

  • would, or would be likely to if disclosed to the public, adversely affect national security (evidence supplied by intelligence services may fall into this category). A certificate signed by a member of the Scottish Government is conclusive evidence of this fact (Regulation 40)
  • would, or would be likely to if disclosed to the public, adversely affect public safety
  • would, or would be likely to if disclosed to the public, prejudice the commercial interests of any person
  • is personal data within the meaning of the Data Protection Act 1998, and disclosure of it to the public would contravene that Act.

Adequate permission for the publication of sensitive information means (Regulation 45):

  • For information relating to national security or public safety – consent from the originator of the information or (if different) a member of the Scottish Government.
  • For information relating to business or affairs of a person or organisation where disclosure would harm the legitimate commercial interests of that person or organisation – consent from the person or organisation to whom the information relates.
  • For personal data – consent from the person to whom the information relates.

Consent for sensitive information to be published may include conditions which must be adhered to – Regulation 45(4)(c).

Plans and assessments that contain some sensitive information should still be published as long as the sensitive sections are removed or appropriate consent (see above) is acquired.

 

Issues to consider and recommended good practice (duty to communicate with the public):

12. Having regard for guidance in Warning and Informing Scotland: Communicating with the Public

13. Liaising and sharing relevant information with the Scottish Government. The Scottish Government has a key role explaining overall national resilience efforts and, during emergencies, informing and reassuring the public.

14. Considering who is the target audience for each published communication and what particular sections of the public need to know. This should include considering the needs of:

  • survivors – those in the immediate vicinity and directly affected, possibly as wounded casualties; focus on what they need to do or know immediately. Procedures should include some form of audit trail for tracking who has and has not been contacted.
  • those who might be affected by the emergency – those nearby who may need to take action to avoid further harm. Possible victims will need to know why the advice is being given. The media may be used to reinforce these safety messages.
  • local people – those in the area who may be disrupted by the consequences of the emergency and clean-up process; utilising the local media to provide general information about the emergency, information on how the public can help and advice on disruption to the area.
  • relatives and friends – those who are not directly affected but know or are related to those who might be and are therefore emotionally connected to the event.
  • the general public – those who are not affected but are concerned or alarmed about the wider implications will also require reassurance.

15. Considering whether risk assessments and plans contain sensitive information which prevents publication. However, the mere fact that risk assessments and plans contain some sensitive information should not be used as an excuse to avoid disclosure of all of the assessment or plans. Those aspects of the assessment or plans which do not contain sensitive information should still be published.

16. Identifying groups requiring special consideration and considering how best to meet their specific needs. These “harder-to-reach” groups might include children, people with disabilities, older people, non-English speakers, those living in isolated communities, homeless people and Gypsies/Travellers. Establishing a list of target audiences will help to identify these groups.

17. Warning the public by using all appropriate means to alert members of the community whose immediate safety is at risk (at the time of emergency or when one is likely).

18. Informing and advising the public by providing relevant timely information about the nature of the unfolding event (immediate and long term post-event) and about:

  • any immediate actions to be taken by responders to minimise risk to human health, animal welfare, the environment or property
  • actions the public can take
  • how further information can be obtained
  • the end of an emergency and the return to normal arrangements.

19. Identifying what information would normally be made public in your organisation’s Freedom of Information Publication Scheme. For more information see: www.itspublicknowledge.info/ScottishPublicAuthorities.

20. Considering what methods of communication should be used and who will deliver it. Although downloadable material is effective in terms of cost and delivery, not all members of the public have access to computers and alternative arrangements should be considered in addition to e-publication.

21. Including a public communications dimension in local exercises.

22. Being familiar with the media organisations in your resilience area and develop good working relations with them.

23. Considering the undernoted as essential elements of communications planning:

  • liaising with other Category 1 and 2 responders and organisations not captured by the Act and media/public liaison teams
  • identifying potential sites in the area where the communications team might be based
  • providing media training for potential spokespeople
  • providing suitable communications equipment for press office staff to work away from their main office base
  • in actual or potential transnational incidents, providing for liaison with cross border communication offices and for calling upon mutual aid
  • establishing a media liaison point at or near the scene of an emergency and a media liaison centre close to the strategic coordinating group/overall commander
  • establish a plan regarding VIP and ministerial visits to the scene of an emergency.

24. Being aware of the wider information environment, particularly social networking, and have the means to monitor social networks and to utilise those networks to disseminate public information.

25. Considering how you might handle a large volume of public enquiries during an emergency, and what arrangements might be needed to filter these.

26. Considering how to make best use of existing resources, such as helplines, in the event of an emergency, and have established protocols in place outlining the arrangements. Ensure that helpline staff are appropriately trained.

27. Being aware of and use, where appropriate, guidance and information issued by government, other responders and relevant groups. The undernoted are examples and are not an exhaustive list.

For general preparedness: ReadyScotland

For winter preparedness: Ready Scotland Ready for Winter

For business continuity: Ready Scotland Ready Business

For weather advice: http://www.metoffice.gov.uk/weather/uk/advice/

For weather warnings: http://www.metoffice.gov.uk/weather/ukforecastwarnings

For flood warnings and flood advice: http://www.sepa.org.uk/flooding.aspx and https://scottishfloodforum.org/news/latest-news/

For public transport advice: http://www.travelinescotland.com

For roads advice: http://trafficscotland.org/

For foreign travel advice: http://www.fco.gov.uk/en/

For first aid training and advice: http://www.firstaid.org.uk/ and http://www.redcross.org.uk/What-we-do/First-aid

For advice to disaster survivors and the bereaved: http://www.disasteraction.org.uk/

For consistent use of resilience terminology: Cabinet Office UK Resilience Lexicon

 

Indicators of good Practice (duty to communicate with the public:

28. Being able to show that you have considered which audience you are targeting or addressing by way of any published information.

29. Communicating with the public to encourage and empower the community to harness local resources and expertise. This will help the community to help itself in the event of an emergency in a way which complements the activities of responders. This is especially important among vulnerable groups.

30. Using identified good practice examples and research into the effectiveness of information campaigns run by other organisations (including those overseas) to develop warning and informing activities.

31. Using the lessons process, identifying and learning lessons from previous information campaigns to inform the development of future campaigns.

32. Setting up protocols with the media for warning and informing the public.

33. Having an agreed media strategy which identifies and trains key staff in dealing with the media.

34. Having a multi-agency warning and informing system which links to information sources, stores information and generates messages. To be effective this system should be:

  • secure and foolproof – with limits on who can access, update and send information in order to avoid false messages being sent
  • expandable – so that it is able to adapt and expand as required
  • reliable – 24 hour back-up so that messages can be sent and information uploaded when required. The system should also be regularly tested and properly supported by the technical provider
  • capable of coping with different types of data and information– including pre- written generic messages, media sources and numeric data in a number of different formats
  • linked to a variety of communication channels
  • auditable
  • quick and simple to operate and update.

35. Being able to demonstrate that publication of plans and assessments is part of a joined-up communications strategy and part of your work to warn and inform the community and to encourage community resilience.

 

vi) DUTY TO SHARE INFORMATION

Mandatory requirements – Category 1 and Category 2 Responders must:

1. Comply with a request for information from another responder in respect of a duty or other function relating to an emergency – Regulation 43(1) & 41.

(There are limitations to this duty, set out in the Regulations and highlighted at No 3).

2. Comply with a request for information within a reasonable timescale, at a reasonable place and to the address specified by the requesting responder – Regulation 44.

3. Not comply with a request for information if the receiving responder is satisfied that the request for information relates to sensitive information, i.e.:

  • information the disclosure of which to the public would, or would be likely to, adversely affect national security or public safety – Regulation 39(1)(a) & (b)
  • information, disclosure of which to the public would, or would be likely to, prejudice the commercial interests of the person to whom that information relates – Regulation 39(1)(c)
  • information which is personal data, within the meaning of the Data Protection Act 1998 and would contravene any of the data protection principles or would be likely to cause damage or distress – Regulation 39(1)(d)
  • disclosure to the requesting responder would, or would be likely to, adversely affect national security or the confidentiality of the information – Regulation 43(2)(a) & (b).

4. Give reasons for not complying with a request for information, as above and, if necessary, obtain consent for disclosure from a body which deals with security matters – Regulation 43(4).

5. When making a request for information from another responder, the requesting responder must be satisfied that:

  • it reasonably requires the information in connection with the performance of a duty under Section 2(1)(a) to (d) or section 4(1), or in connection with the performance of another function which relates to an emergency
  • it (the requesting responder) does not hold the information already
  • the information cannot be reasonably accessed by other means (e.g. informal means or by means established under other legislation) – Regulation 41(2) & (3).

6. When making a request for information from another responder, the requesting responder must send a legible written request, which may be electronic, for the information required. The written request must state the name of your organisation, an address for correspondence, describe the information requested, explain why it is required and be capable of being used for subsequent reference – Regulation 42.

7. Only use sensitive information for the purpose of performing the function for which the information was requested – Regulation 46(1).

8. If a responder wishes to use sensitive information for any other purpose from that relating to the original request then consent must be obtained from the relevant person or organisation. This person/organisation is:

  • in the case of information as specified in Regulation 39(1)(a) or (b) – the originator or a member of the Scottish Government
  • in the case of information as specified in Regulation 39(1)(c) or (d) – the person to whom the information relates – Regulation 46(2)

In this regulation, “use” does not include publication or disclosure.

9. Have arrangements in place for ensuring the confidentiality of sensitive information. This includes ensuring that:

  • sensitive information is clearly identified as such
  • only persons involved in the performance of a duty or function relating to an emergency, and who need to have access to the information, are able to have access to it
  • sensitive information is stored in a secure manner
  • sensitive information is transferred (including by electronic transfer) in a secure manner – Regulation 47.

 

Issues to consider and recommended best practice (duty to share information):

10. Working closely with Scottish Government colleagues, sharing information in support of the national resilience effort.

11. Considering whether the information you want to request is available by other means (e.g. through other legislative arrangements, through normal business arrangements or on the internet).

12. Data protection does not prohibit the collection and sharing of personal data.

13. Considering as a starting point the risks and potential harm that may arise if they do not share information.

14. Balancing the potential damage to the individual against the public interest in sharing information.

15. In emergencies, the public interest consideration will generally be more significant than during day to day business.

16. Always checking whether the objective can still be achieved by passing less personal data.

17. Category 1 and 2 responders should be robust in asserting their power to share personal data lawfully in emergency planning, response and recovery situation.

18. The consent of the data subject is not always a necessary pre-condition to lawful data- sharing.

19. Seeking advice when in doubt, though prepare on the basis that decisions may be necessary without formal advice during an emergency.

20. When communicating with the public or sharing information with other organisations, it is important that terminology is clear and consistent. The Cabinet Office’s Resilience Lexicon, to which the Scottish Government has contributed, is a helpful reference tool: http://www.cabinetoffice.gov.uk/sites/default/files/resources/cp-lexicon2.0.1-18012011.xls.

 

Indicators of good practice:

21. Where possible, channelling formal information requests through as small as possible a number of known routes, to avoid confusion and duplication.

22. Having a systematic process for tracking information flows and logging information requests and being able to deal with multiple requests for information as part of your normal business processes.

23. Collectively developing an information sharing protocol within your RRP.

 

vii) DUTY TO CO-OPERATE

Mandatory requirements – Category 1 Responders must:

1. Co-operate with each other in connection with the performance of their duties under Section 2(1). This refers to all such responders which exercise functions in an RRP area - Regulation 3(1).

2. Co-operate via a single group, the Regional Resilience Partnership (RRP) – Regulation 3(2)(b) and may co-operate with one or more other category 1 responder(s) – Regulation 3(2)(a).

3. Make arrangements to meet at least once every 6 months and must, as far as is reasonably practicable, attend or be effectively represented at such meetings – Regulation 3(4).

4. Inform relevant Category 2 responders of the location, time and agenda of RRP meetings – Regulation 3(7)(a).

5. Make arrangements for Category 2 responders to attend when they wish to do so – Regulation 3(7)(b).

6. Consider whether it is appropriate to invite all or selected Category 2 responders to each meeting – Regulation 3(7)(c).

 

Category 1 Responders may:

7. Make arrangements to jointly perform a duty under Section 2(1) with another responder – Regulation 5(a)

8. Make arrangements with another responder to perform such a duty on its behalf – Regulation 5(b).

9. Co-operate with other Category 1 responders who share particular duties under Section 2(1)(a)-(f) and identify a Category 1 responder with lead responsibility for performing a duty – Regulation 6.

 

If a lead Category 1 responder is identified, the following applies:

Lead Category 1 Responders must:

10. In relation to that particular duty:

  • take the lead responsibility for its performance
  • ensure non-lead Category 1 responders are consulted and informed
  • co-operate with non-lead Category 1 responders and ensure, so far as is reasonably practicable, that they approve of how that duty is being performed – Regulation 7.

 

Non-lead Category 1 Responders must:

11. In relation to that particular duty:

  • co-operate with the lead responder
  • provide any non-sensitive information to the lead responder which will assist that responder
  • assist in any exercises/training the lead responder wishes to carry out in connection with that duty
  • note that it need not unnecessarily duplicate work undertaken by the lead responder– Regulation 8.

 

Mandatory requirements – Category 2 Responders must:

12. Cooperate with Category 1 responders in the same RRP area to help them perform their duties under the CCA – Regulation 3(5).

13. So far as is reasonably practicable, attend or be represented effectively at RRP meetings if asked to do so by the other RRP members – Regulation 3(6)(a).

14. Where not specifically asked, still consider whether it is appropriate to attend or be represented at such meetings – Regulation 3(6)(b).

 

Issues to consider and recommended best practice (duty to co-operate):

15. Ensuring effective representation for responder organisations. To be effectively represented:

  • representatives must be of the most senior status, those people on whom ultimate responsibility for meeting an organisation’s responsibilities falls
  • if representing more than one Category 1 responder, representatives should fully represent all relevant responders for whom they have responsibility
  • all responders should have authorised this representative
  • representatives should be able to explain current structures, policies, priorities and events in the relevant area and be willing to take forward the issues of and provide feedback to those whom they represent.

16. Collectively agreeing to set up sub-groups or working groups which operate at the tactical level and which report to the RRP. Possible useful sub-groups include:

  • a general working group
  • risk assessment groups
  • telecoms sub-groups
  • capabilities groups
  • area groups
  • responder groups by sector
  • specialist groups
  • existing standing groups; and/or
  • project groups

Sub-groups should only be established with the approval of strategic members. They should have a clear purpose and numbers of such groups should be kept to a reasonable level.

17. In organising RRP meetings, members should have regard for those members who are likely to participate in more than one RRP.

18. Collectively agreeing a RRP chair. The chair should be able to:

  • undertake the role on a permanent basis
  • speak with authority about the RRP area
  • be able to commit sufficient time to prepare fully for RRP meetings
  • act as a lead contact for information cascaded from the regional and national levels.

19. Collectively agreeing to have an RRP secretariat which is responsible for:

  • fixing meeting dates
  • agreeing agendas
  • organising the production and circulation of any papers
  • briefing the chair
  • taking minutes
  • following up matters arising and action points
  • ensuring RRP sub-group meetings are effectively organised and recorded and do not clash with other subgroup meetings or the RRP meeting
  • ensuring relevant matters from these subgroups are raised in the RRP meeting.

The secretariat should be able to:

  • take on the job on a permanent basis
  • be of a level of seniority to support the chair
  • have a back-up administration team
  • be competent to organise or support officers from other organisations.

20. Considering whether co-operation with other responders in any particular case is best achieved directly with fellow Category 1 and Category 2 responders in your local resilience area or under the framework of the RRP.

21. Considering whether to set up protocols with other responders (both within and outside your RRP area as appropriate) to support plans and to ensure a more reliable delivery of needed resources in the context of an emergency.

22. Forms of direct and bilateral cooperation between two or more Category 1 and Category 2 responders may include:

  • risk assessment
  • development of a plan for one responder
  • development and agreement of a multi-agency plan
  • exercising a single responder/a multi-agency plan and sharing lessons learned
  • warning and informing arrangements, including publicity in relation to plans.

23. Considering whether to make an arrangement with another responder for them to perform a duty (on your behalf or vice versa) or for one responder to take the lead on performing the duty.

 

Indicators of good practice (duty to co-operate):

24. Engaging with responders, other organisations involved in civil protection (e.g. voluntary organisations and the military) as part of normal business practice.

25. Using the RRP to consider policy initiatives set at the regional, Scottish or UK levels.

26. Making proper use of the lessons process. Identifying and learning lessons from your own experience and from innovative thinking within your own organisation and using the RRP to share them with colleagues.

27. Identifying lessons learned from collaboration with other responders and drawing these to the attention of the RRP.

28. Having a list of contacts among both Category 1 and 2 responders within the RRP area.

29. Organising stakeholder satisfaction surveys to measure how well you are working with them.

30. Engaging with responders, other organisations involved in civil protection (e.g. voluntary organisations and the military) and RRPs as part of normal business practice.

31. Engaging with responders and other organisations involved in civil protection outwith the RRP area.

32. Through direct and bilateral collaboration, requesting that other Category 1 and 2 responders take part in your exercises.

 

Other Legislation – Existing Emergency Planning Duties

Category 1 Responders need not:

Perform a duty under Section 2(1) of the Act in relation to any emergency which is:

  • A major accident, within the meaning of regulation 2(1) of the Control of Major Accident Hazards Regulations 2015
  • A major accident within the meaning of regulation 2 of the Pipelines Safety Regulations 1996
  • A radiation emergency within the meaning of regulation 2 of the Radiation (Emergency Preparedness and Public Information) Regulations 2001 – Reg 9.

 

Issues to consider and recommended best practice

Ensuring that a ‘silo-based’ (i.e. narrow, insular and/or compartmentalised) approach is avoided and that risks under COMAH, PSR and REPPIR are managed in a manner complementary to the Civil Contingencies Act and the Regulations.

Stay Informed

Ready Scotland regularly publishes alerts on both Twitter and Facebook. Follow and like our pages to keep up to date wherever you are.