Document control:
Document control information
Policy Name: Emergency Preparedness, Resilience and Response (EPRR) and Business Continuity Management (BCM) Policy
Policy Number: C020
Version: 1.0
Status: Final – Approved
Author / lead: Head of Emergency Preparedness Resilience and Response
Responsible Executive Director: Accountable Emergency Officer
Responsible Committee: Audit, Risk and Compliance Committee
Date Approved by Responsible Committee: 24 March 2026 (MSEICB Audit Committee)
Date Ratified by the ICB Board/Effective Date: 1 April 2026
Next review date: April 2029
Target audience: All ICB Board members and staff (including temporary/bank/agency/work experience staff, students and volunteers)
Stakeholders engaged in development of policy (internal and external):
– Accountable Emergency Officer
– Emergency Preparedness Resilience Response and System Coordination Centre Teams
Impact assessments undertaken:
– Equality Impact Assessment (see Appendix A)
– Quality Impact Assessment
– Privacy Impact Assessment
Version history:
Version: 0.1
Date: February 2026
Author (Name and title): Associate Director EPRR
Summary of amendments made: First Draft for comments
Version: 0.2
Date: March 2026
Author (Name and title): Associate Director EPRR
Summary of amendments made: Minor amendments made following AEO review
Version: 1.0
Date: April 2026
Author (Name and title): Head of EPRR
Summary of amendments made: Final approved version
Introduction
The NHS needs to plan for, and respond to, a wide range of incidents and emergencies that could affect health or patient care. These could be anything from extreme weather conditions to an infectious disease or a major transport accident. This is underpinned by legislation and is referred to in the health services as Emergency Preparedness Resilience & Response (EPRR).
The Essex Integrated Care Board (the EICB), as a ‘Category 1 Responder’ under the Civil Contingencies Act (2004), must demonstrate it can deal with such incidents while maintaining services through its compliance with the NHS Core Standards for EPRR, and stand ready to coordinate the local NHS response. The ICB must also ensure the local NHS and commissioned providers are compliant with relevant guidance and standards.
This is a controlled document. Whilst this document may be printed (please consider if this is necessary), the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the website (or requested from the Governance Lead/Team) to ensure the most up-to-date version is used.
Purpose / Policy Statement
This policy sets out how the EICB prepares for, responds to and recovers from incidents and emergencies as a ‘Category 1 Responder’, while maintaining critical services.
The EICB accepts its statutory duties and it will:
- Assess the risk of emergencies occurring and use this to inform contingency planning
- Put in place emergency plans
- Put in place business continuity management arrangements
- Put in place arrangements to make information available to the public about civil protection matters and maintain arrangements to warn, inform and advise the public in the event of an emergency
- Share information with other local responders to enhance co-ordination
- Cooperate with other local responders to enhance co-ordination and efficiency
In addition to meeting legislative duties, the EICB is required to comply with guidance and frameworks including, but not limited to:
- NHS EPRR Framework
- NHS England Core Standards for EPRR
- NHS England Business Continuity Management Toolkit aligned to ISO 22301, as well as the Business Continuity Good Practice Guidelines
NHS EICB is committed to:
- ensuring strong EPRR Governance by appointing a board-level Accountable Emergency Officer (AEO) with the authority and resources to lead the EPRR portfolio, ensuring Board level oversight of preparedness activities. This overarching policy outlines how the organisation will meet its obligations;
- taking a risk-based approach to EPRR by routinely assessing risks, following internal and external risk management processes to record, monitor and communicate risks, to enable effective early identification and management of risk to support planning and preparedness;
- maintaining a resilient and dedicated 24/7 on-call mechanism with trained and competent staff;
- developing and maintaining a single Incident Response Plan detailing how it will carry out its obligations when responding to a wide range of incidents and emergencies including Business Continuity, Critical and Major Incidents;
- developing and maintaining a Business Continuity Management System (BCMS) which ensures it can continue to provide its core functions during a wide range of disruptions, incidents and emergencies, and recover in a timely manner, so far as is practicable;
- ensuring that adequate resources and funding are in place to meet its obligations, ensure that its staff are trained and exercised to respond accordingly and maintain systems that enable a robust response to Business Continuity, Critical and Major Incidents;
- ensuring that all staff with incident response responsibilities are trained and competent through a training needs analysis and structured training, testing and exercising programme in line with current guidance and standards. The organisation will maintain accurate records and support responders in their ongoing professional development;
- continuous improvement of its EPRR arrangements and BCMS. We maintain a clear and structured process for capturing learning from exercises and incidents, ensuring that lessons are implemented. The organisation also routinely evaluates the effectiveness of its EPRR arrangements and the BCMS and implements corrective actions;
- upholding our duty to warn and inform the public by maintaining incident communication arrangements which can be enacted rapidly to ensure clear, timely and effective messaging before, during and after an incident;
- recognising that EPRR requires cooperation and collaboration with partners from other NHS and non-NHS organisations; the sharing of experience, knowledge, skills and resources; and a commitment to work as part of a broader health and social care system via the Essex Local Health Resilience Partnership (LHRP) and with local multi agency partners via the Essex Resilience Forum (ERF); and
- promoting and protecting the health, safety and wellbeing of all patients, staff and visitors. The organisation also recognises the importance of addressing health inequalities so every individual regardless of background, circumstance or vulnerability can receive high-quality care and experience positive health outcomes.
Scope
This policy applies to all ICB Board members and staff (including temporary/bank/agency/work experience staff, students and volunteers).
Definitions
- Emergency – defined under the Civil Contingencies Act as: an event or situation which threatens serious damage to human welfare, the environment, or UK security.
- Major Incident – defined in the NHS EPRR Framework as: an event or situation with a range of serious consequences that require special arrangements by one or more emergency responder agency. In the NHS this will cover any occurrence that presents serious threat to the health of the community or causes such numbers or types of casualties, as to require special arrangements to be implemented.
- Critical Incident – defined in the NHS EPRR Framework as: any localised incident where the level of disruption results in an organisation temporarily or permanently losing its ability to deliver critical services; or where patients and staff may be at risk of harm. It could also be down to the environment potentially being unsafe, requiring special measures and support from other agencies, to restore normal operating functions. A Critical Incident is often an internal escalation response to increased system pressures.
- Business Continuity Incident – defined in the NHS EPRR Framework as: an event or occurrence that disrupts, or might disrupt, an organisation’s normal service delivery, to below acceptable predefined levels. This would require special arrangements to be put in place until services can return to an acceptable level.
- Emergency Preparedness – defined in the NHS EPRR Framework as: the extent to which emergency planning enables effective and efficient prevention, reduction, mitigation of and response to incidents and emergencies.
- Resilience – defined in the NHS EPRR Framework as: ability of the community, services, area or infrastructure to detect, prevent and, if necessary, withstand, handle and recover from incidents and emergencies.
- Response – defined in the NHS EPRR Framework as: decisions and actions taken in accordance with the strategic, tactical and operational objectives defined by emergency responders, including those associated with recovery.
- Business Continuity – defined in the NHS EPRR Framework as: the capability of an organisation to continue delivery of products or services, at acceptable predefined levels, following a disruptive incident.
- Business Continuity Management – defined in the NHS England BCM Toolkit as: a holistic management process that identifies potential threats to NHS organisations and the impact to business operations those threats, if realised, might cause.
- Business Continuity Management System (or Programme) – defined by ISO 22301 as: a framework for organisations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.
- Business Impact Analysis – defined by ISO 22301 as: the process of analysing the time-phased impact of disruptions on an organisation, identifying critical activities, and setting recovery objectives.
- Business Continuity Plan (BCP) – defined by ISO 22301 as: documented procedure guiding response, recovery, and resumption to a predefined operational level after a disruption, using BIA findings to ensure critical functions continue.
- Incident Response Plan (IRP) – defined as: documented arrangements that are in place to enable an effective and appropriate response in the event of an incident and emergency.
Roles and Responsibilities
Integrated Care Board (ICB)
As a ‘Category 1 Responder’, EICB is subject to the full set of civil protection duties under the Civil Contingencies Act (2004), illustrated in the diagram below:

EICB responsibilities outlined under the EPRR Framework 2022 require the organisation to:
- Appoint a Board level Chief Officer to act as the Accountable Emergency Officer (AEO).
- Co-Chair Essex LHRP via the AEO.
- Have suitable director level representation at the Essex Resilience Forum Programme Board.
- Establish a mechanism to provide NHS strategic and tactical leadership and support structures to effectively manage and coordinate the NHS response to, and recovery from, incidents and emergencies, 24/7. This will include representing the NHS at Strategic Coordinating Groups and Tactical Coordinating Groups.
- Support NHS England in discharging their EPRR functions and duties locally, including supporting system-level tactical coordination during incidents (level 2–4 incidents).
- Have escalation procedures in place to respond to disruption to delivery of patient services.
- Ensure that there is an effective process for the identification, recording, implementation and sharing of lessons identified through response to incidents and emergencies and participation in exercises and debrief events.
- Provide annual assurance against the NHS EPRR Core Standards, including by monitoring each commissioned provider’s compliance with their contractual obligations in respect of EPRR and with applicable Core Standards.
- Develop an annual EPRR workplan that identifies organisational priorities for emergency preparedness, driven by applicable risk assessments.
- Present a comprehensive EPRR report to the Board at least annually, including training and exercising, incidents experienced, lessons and learning, compliance with the core standards assurance process and statement of readiness.
- Develop and maintain arrangements for mutual aid.
- Ensure contracts with all commissioned providers (including independent and third sector) contain relevant EPRR elements, including business continuity.
ICB Board
As the accountable body to the public and to NHS England, the EICB Board provides strategic oversight and assurance that the EPRR and BCMS frameworks are effective and that the organisation is prepared to respond to, and recover from, incidents and emergencies. This includes ensuring that, during incidents and emergencies, the public continues to receive services of the highest quality it is reasonably practicable to deliver, and that critical functions are maintained.
The Board has overall accountability for ensuring that effective governance arrangements are in place for EPRR, including the BCMS. The Board is responsible for ensuring that the organisation maintains robust systems for the development, approval and scheduled review of all policies relating to its corporate and statutory duties.
The Board assures itself via the annual EPRR Core Standards Assurance process that the necessary resources, governance structures and EPRR and BCMS arrangements are in place and effective.
Audit, Risk and Compliance Committee
The Audit, Risk and Compliance Committee is responsible for scrutinising and ratifying all EPRR and BCMS policies and arrangements and providing assurance to the Board that the EICB is compliant with corporate and statutory requirements.
Corporate Oversight of Resilience and Emergency Preparedness (CORE) Group
The CORE Group provides corporate oversight and coordination of all corporate activity relating to EPRR and BCM. Chaired by the EPRR Lead and reporting to the Audit, Risk and Compliance Committee, the group ensures that the EICB meets its statutory duties by aligning workstreams, monitoring compliance, and supporting the development and review of EPRR and BCM arrangements across the organisation. The group brings together key corporate functions and directorate representatives to ensure the organisation maintains robust, resilient and well-governed arrangements for EPRR and BCM.
Chief Executive Officer (CEO)
The ICB CEO holds overall accountability for ensuring effective arrangements for EPRR and BCM are compliant with legislation, national guidance and NHSE requirements.
The responsibility for EPRR and BCM has been delegated to the EICB’s Executive Director for Corporate Services who fulfils the role of Accountable Emergency Officer.
Accountable Emergency Officer (AEO)
Under the NHS Act 2006, the ICB must appoint an individual to discharge its statutory responsibilities for EPRR and BCM. This role, designated as the AEO, is held by the Executive Director for Corporate Services.
The AEO is a board‑level director with executive authority for ensuring that the EICB meets all legal, regulatory and policy requirements for EPRR. They provide assurance to the EICB Board and NHS England that the organisation is appropriately prepared, resourced, and capable of responding to, and recovering from, incidents and emergencies.
The AEO is accountable for ensuring that robust governance structures are in place, that the EICB is meeting the NHSE EPRR Core Standards, and that arrangements are developed, maintained, exercised and continually improved.
The AEO also co‑chairs the Essex LHRP and represents the NHS at the ERF Executive Programme Board.
Executive Directors
Executive Directors are responsible for providing senior leadership and oversight of EPRR and BCM arrangements within their respective Directorate. This includes ensuring appropriate representation, engagement and coordination with corporate EPRR and BCM, wider NHS and multi-agency preparedness activities and response structures.
They must oversee the development, implementation and maintenance of EPRR and BCM activities across their areas of responsibility, ensuring that risks are identified, mitigated and escalated where required.
Executive Directors are responsible for reviewing and approving Business Impact Assessments (BIAs) and associated Business Continuity Plans (BCPs) within their Directorates, ensuring suitable arrangements are in place to respond effectively to disruptions and support organisational recovery.
EPRR Team
The EPRR Team provides the operational capacity, specialist expertise, coordination and delivery required to enable the ICB to meet its statutory duties and requirements under the NHS EPRR Framework.
The EPRR Team will:
- Deliver an annual EPRR work programme covering all aspects of the ICB’s EPRR and BCM activities;
- Coordinate the ICB’s EPRR and BCM arrangements including risk assessments, development and maintenance of plans and arrangements including on-call, training, testing and exercising;
- Provide subject matter expertise on EPRR and BCM, acting as a central point of contact for the ICB, local NHS Providers and local multi-agency partners;
- Support the AEO in fulfilling system leadership responsibilities by providing secretariat to the Essex LHRP and coordination of health participation across the ERF to ensure collaboration between health and care partners, and local multi-agency partners;
- Lead and coordinate the annual NHS EPRR Core Standards Assurance process for the ICB and ICS; and
- Promote continual improvement by capturing learning from incidents, exercises and inquiries, and embedding this into EPRR and BCM arrangements and work programmes to strengthen organisational resilience.
Line Managers
Managers play a critical role in implementing and embedding effective EPRR and BCM arrangements within their services. Managers are required to:
- Lead the development, maintenance and review of service level EPRR and BCM, ensuring arrangements are accurate and up-to-date;
- Support development, maintenance and review of corporate EPRR and BCM arrangements where relevant to the service;
- Identify, assess and escalate risks that may impact on service continuity or response, ensuring these are managed via the organisation’s risk management processes;
- Ensure that staff understand their roles and responsibilities during incidents and emergencies, know where to access plans and are familiar with response arrangements; and
- Ensure staff participate in training, exercises and debriefs, to enhance organisational resilience and contribute to organisational learning and support implementation of learning relevant to the service.
All Staff
All staff have a responsibility to support the organisation’s EPRR and BCM arrangements. Staff must familiarise themselves with relevant emergency and business continuity procedures, understand their roles during incidents, and act in accordance with instructions issued by managers or incident commanders. This will be incorporated into the induction process.
All staff are expected to:
- Participate in required briefings, training and exercises;
- Report incidents, risks or disruptions that may impact service delivery;
- Follow established procedures during incidents and emergencies; and
- Support the safe continuation of essential services and contribute to recovery efforts where required.
By fulfilling these responsibilities, all staff help ensure the organisation can respond effectively to emergencies and maintain the continuity of critical services.
Providers, Contractors and Suppliers
All contractors and suppliers working on behalf of the EICB must support, evidence and comply with the ICB’s EPRR and BCM requirements, in line with NHS England’s EPRR Framework and the NHS Core Standards for EPRR (including obligations set out in the NHS Standard Contract).
Contracted organisations are required to:
- Maintain proportionate Business Continuity arrangements that align with ISO 22301 principles using the NHS England BCM Toolkit (v2), including up-to-date BIA, risk assessment and service‑level BCPs for the services provided to the EICB.
- Demonstrate compliance on request, providing assurance evidence against relevant EPRR Core Standards and contractual conditions (e.g., NHS Standard Contract service condition on EPRR/BC), and participate in EICB‑led or system‑level assurance activity where required.
- Co‑operate with planning, training and exercising, taking part in appropriately scoped tests and exercises to validate interoperability, escalation, communications and recovery arrangements across the local health system.
- Notify the EICB promptly of incidents or emerging risks that may threaten service delivery or patient safety, activate agreed continuity plans, and provide timely situation updates until recovery is achieved.
- Ensure staff working on EICB contracts are trained and briefed on relevant emergency and continuity procedures, roles, call‑out processes and contact points, consistent with the training and exercising expectations in the BCM Toolkit.
- Embed supply‑chain resilience, ensuring critical sub‑contractors and upstream suppliers hold and maintain suitable continuity arrangements and can evidence them to the EICB if requested.
Non‑compliance with these requirements may be escalated through contract management processes and the EICB’s EPRR assurance arrangements to safeguard continuity of critical services for patients.
Policy Detail
Integrated Emergency Management (IEM) and EPRR Principles
The organisation takes a systematic approach to EPRR and BCM based on the Cabinet Office principles of IEM as illustrated below:

The EICB also adopts the following underpinning principles detailed in the NHSE EPRR Framework:
Preparedness and anticipation – the NHS needs to anticipate and manage the consequences of incidents and emergencies by identifying risks and understanding direct and indirect consequences, where possible. All individuals and organisations that might have to respond to incidents should be properly prepared. This includes having clarity of roles and responsibilities, specific and generic plans, and rehearsing arrangements periodically. All organisations should be able to demonstrate clear training and exercising schedules that deliver against this principle.
Continuity – the response to incidents should be grounded within organisations’ existing functions and their familiar ways of working. Actions will need to be faster, on a larger scale and in more testing circumstances during a response to an incident.
Subsidiarity – decisions should be taken at the lowest appropriate level, with coordination at the highest necessary level. Local responders should be the building blocks of response for an incident of any scale.
Communication – good two-way communication is critical to any effective response. Reliable information must be passed correctly and without delay between those who need to know, including the public.
Cooperation and integration – positive engagement based on mutual trust and understanding will facilitate information sharing. Effective coordination should be exercised between and within organisations and local, regional and national tiers of a response. This includes active mutual aid across organisations, within the UK and across international boundaries as appropriate.
Direction – clarity of purpose should be delivered through an awareness of the strategic aim and supporting objectives for the response. These should be agreed and understood by all involved in managing the response to an incident.
Risk Management
The EICB is committed to proactive and robust risk management as a core component of its EPRR arrangements. Effective risk management enables the organisation to anticipate, prepare for and mitigate the impacts of emerging risks, incidents and emergencies.
The EICB will:
- Identify, assess and monitor risks related to emergencies and business continuity using recognised methodologies and aligning with local, regional and national risk registers.
- Integrate EPRR risks into the organisation’s corporate risk management processes, ensuring ownership, escalation and governance in accordance with the EICB’s Risk Management Policy.
- Use risk assessments to inform planning, including the development of BIAs, incident response plans and decision‑making during incidents and emergencies.
- Regularly review EPRR and BCM risks to ensure timely identification of changes in likelihood or impact, including new and emerging risks.
- Work collaboratively with partners, including ERF and Essex LHRP, to share risk information and support a coordinated approach to mitigation and preparedness.
- Support the embedding of risk awareness across all staff groups, ensuring that risks are reported promptly and managed in line with organisational policies and statutory duties.
Through these commitments, the EICB ensures that risk management remains integral to its ability to maintain essential services and protect patients, staff and communities during periods of disruption.
Command and Control (including on-call)
The EICB maintains a resilient, clearly defined command, control and coordination structure aligned to the NHSE EPRR Framework. These arrangements ensure that the EICB can effectively lead, support and coordinate system‑wide incident response and recovery activities, fulfilling its statutory responsibilities under the Civil Contingencies Act 2004 and NHS legislation.
Consistent with NHS and JESIP doctrine, the EICB’s incident management system is structured across three command tiers—Strategic (Gold), Tactical (Silver) and Operational (Bronze)—and incorporates the NHS Incident Definitions and Incident Response Levels to ensure clarity of activation, escalation and coordination.
The ICB maintains 24/7 on call arrangements to ensure leadership and decision making capability is continuously available, in line with expectations for Category 1 responders.
The EICB will also maintain the capability to stand up an Incident Coordination Centre (ICC) and Incident Management Team (IMT) to support the effective management of incidents; these arrangements can be physical or virtual. The ICC provides a focal hub for the ICB and ensures the Strategic, Tactical and Operational tiers are supported, and that the ICB can fulfil its local NHS leadership role.
Operating seven days a week between 0800 and 1800hrs, the System Coordination Centre (SCC) provides the EICB’s central coordination function and provides real-time operational oversight of the ICS. If operational at the time of an incident, the SCC will initially lead on the co-ordination of the ICB and System’s response until formal response structures, resources and protocols are stood up.
These command and control arrangements underpin the EICB’s response to Business Continuity, Critical and Major Incidents.
Incident Response
The organisation is committed to maintaining robust, interoperable, and legally compliant arrangements for responding to incidents and emergencies in accordance with the NHS EPRR Framework. All incident response activity will be delivered in line with statutory duties and the NHS Core Standards for EPRR.
Our approach to incident response will align with nationally recognised doctrine, including the Joint Emergency Services Interoperability Principles (JESIP). The organisation will embed JESIP doctrine to ensure effective system and multi-agency cooperation during incidents and emergencies.
The organisation will maintain a single scalable Incident Response Plan (IRP), aligned to the NHS EPRR Framework’s expectations for command, control, decision‑making, and coordinated system response. The IRP will set out:
- Incident classification and triggers for activating local, regional or national response levels.
- Command and control structures, ensuring clear leadership, reporting lines and the ability to integrate with system and multi-agency partners during incidents and emergencies.
- Alerting and activation procedures, including structured initial reports.
- Response roles and responsibilities, referencing organisational, NHS and multi-agency requirements.
- Arrangements for information sharing and situational awareness, ensuring interoperability.
- Mutual aid processes, enabling coordinated support across health and partner organisations where demand exceeds capacity.
- Record keeping requirements, including decision logging, to meet legal, assurance and learning standards.
- Debriefing and organisational learning.
As a minimum, the IRP will provide a response framework and guidance that addresses the following:
- Business Continuity, Critical and Major Incidents
- Adverse Weather (including flooding)
- Chemical, Biological, Radiological, Nuclear (CBRN) and Hazardous Materials (HAZMAT)
- Countermeasures
- Mass Casualty
- Evacuation and Shelter
- Cyber Security Incident
- Infectious diseases and new and emerging pandemics
Through this commitment, the organisation ensures a consistent, interoperable and resilient incident response capability that protects life, mitigates harm, maintains essential services, and supports system-wide coordination during disruptive events.
Mutual Aid
The organisation is committed to maintaining a clear, coordinated and risk‑based approach to Mutual Aid as required under the NHSE EPRR Framework. Mutual aid enables NHS organisations to support one another during significant pressure or major incidents by sharing staff, equipment or other critical resources to protect patient safety and maintain essential services.
The organisation adopts the principles and processes set out in the NHSE East of England Mutual Aid Framework, ensuring that mutual aid is delivered consistently, safely and transparently across partners. This includes recognising that mutual aid may be necessary when local capacity is exceeded, where risks require rebalancing across organisations, or where major incidents trigger system‑level support. A patient‑centred, clinically risk‑based assessment will underpin all mutual aid decisions, balancing the resilience of both requesting and contributing organisations.
Mutual aid arrangements will follow established command and control structures, with early notification to the EICB and escalation to NHS England regional teams when required. All requests and decisions will be supported by formal documentation, risk assessments, and decision logs.
This commitment ensures that mutual aid is used effectively to maintain patient safety, support system resilience, and strengthen collaborative working across the health and care system.
Military Aid to the Civil Authorities (MACA)
The EICB is committed to ensuring that requests for Military Aid to the Civil Authorities (MACA) are made only in exceptional circumstances and strictly in accordance with Guidance for the NHS in England on Requesting Military Aid to the Civil Authorities. This national guidance outlines that MACA may be considered only when the NHS cannot meet critical capability or capacity requirements and when all reasonable alternatives—including mutual aid, commercial options and voluntary sector support—have been exhausted.
Where a need for MACA is identified by an NHS organisation within the EICB footprint, the EICB will ensure that the request is routed through the NHS England Regional EPRR Team, as required by the national process, and that the requesting organisation engages the Joint Regional Liaison Officer (JRLO) at the earliest opportunity for advice and guidance.
Through this commitment, the ICB ensures MACA requests are made appropriately, transparently, and in full alignment with national expectations, safeguarding the integrity of NHS response arrangements and maintaining public confidence.
Business Continuity Management System (BCMS)
The organisation is committed to establishing, implementing, and maintaining a robust BCMS to ensure the continuity of critical services during incidents and emergencies. In accordance with statutory duties under the Civil Contingencies Act 2004 and the Health and Care Act 2022, all NHS organisations are required to maintain effective continuity arrangements that protect essential functions and support safe, high‑quality patient care during periods of disruption.
We will develop and operate our BCMS in line with the NHS EPRR Framework, which identifies business continuity as a core component of organisational resilience, and in alignment with the NHS England BCM Toolkit, which sets out the standards, processes and templates necessary for effective continuity planning across the organisation.
Our approach will follow the Plan–Do–Check–Act (PDCA) cycle (see figure below) and principles aligned to ISO 22301, ensuring a structured, auditable and continually improving system of organisational resilience. This includes undertaking business impact analyses, developing service and function‑specific continuity plans, exercising and testing these arrangements, and ensuring corrective actions and organisational learning are embedded into continual improvement processes.

The organisation will ensure that all directorates and critical services maintain up‑to‑date BCPs that set out recovery priorities, tolerances, and response arrangements. These plans will align with incident response arrangements under the EPRR Framework and will include strategies to manage disruptions arising from loss of premises, people, technology, suppliers, or critical information.
We are committed to ensuring that all staff with BC responsibilities receive appropriate training and that business continuity arrangements are regularly exercised, monitored and reviewed. Lessons identified from exercises, real events and audits will be used to strengthen the organisation’s resilience and ensure continuous compliance with NHS standards.
Through this commitment, the organisation will maintain a resilient, compliant and proactive approach to business continuity that safeguards essential services and supports the wider health and care system during periods of disruption.
Recovery Management
The organisation is committed to ensuring that effective, timely, and coordinated recovery arrangements are embedded within its EPRR and BCM arrangements. Recovery begins during the response phase and continues until services, systems, and functions return to an agreed steady state. National EPRR doctrine emphasises that recovery must be planned for in advance, integrated with all‑hazards preparedness, and supported through structured leadership, governance, and collaboration.
We will ensure that recovery activity adheres to statutory duties under the Civil Contingencies Act and broader NHS EPRR requirements, including the restoration of services, support for affected staff and patients, and engagement with partners to deliver coordinated system-wide recovery. These duties form a core part of the NHS EPRR Framework, which requires organisations to maintain readiness to recover sustainably from disruptions to health services.
The organisation commits to establishing clear recovery leadership and governance arrangements, ensuring structured oversight, transparent reporting, and alignment with wider-NHS and ERF structures as required. National guidance highlights the importance of consistent oversight and coordination to support the safe restoration of services following emergencies.
We will conduct recovery activities that prioritise safe restoration of clinical and corporate functions, support workforce wellbeing, re-establish infrastructure and digital capabilities, and maintain clear communication with staff, partners, patients, and the public. Formal debriefing and organisational learning processes will be undertaken following every incident or activation to ensure improvements are identified, captured, and integrated into future preparedness and response arrangements, reinforcing long-term organisational resilience.
The organisation will formally conclude recovery once services have been restored to agreed levels, risks have been appropriately managed or transferred, and outstanding actions are allocated with clear ownership and timelines. This ensures transparency and alignment with national expectations for safe and effective recovery after major incidents.
Training and Exercising
The EICB is committed to ensuring that its EPRR arrangements are strengthened by a structured, risk‑based programme of training and exercising. As a Category 1 Responder, the ICB must ensure that staff are trained, competent and confident to discharge their roles during incidents and emergencies, and that incident response and business continuity arrangements are regularly tested and validated.
To meet these duties and ensure organisational resilience, the ICB will maintain a comprehensive EPRR Training and Exercising Programme that aligns with the NHS England EPRR Framework and with local multi-agency, regional and national requirements. This includes compliance with the mandated exercise frequency standards, at a minimum:
- Incident Coordination Centre (ICC) equipment test: The functionality of equipment and systems used in an ICC must be tested to ensure they remain fit for purpose. Minimum every three months.
- Communications (CommEx): Purpose is to test the organisation’s ability to contact key staff and other partners 24/7. Tests should be conducted both in-hours and out-of-hours, and should be unannounced. Minimum every six months.
- Table-top (TTX): Purpose is to bring together relevant staff and partners to discuss the response, or specific element of a response, to an incident in a safe learning environment. They can help to validate a new or revised plan, and support participants Minimum every 12 months.
- Command Post (CPX): Purpose is to test command and control, including the ICC. It provides a practical test of equipment, facilities and processes, and familiarity for those undertaking roles within the command structure. CPXs also provide an opportunity to test arrangements with local multi-agency partners. Minimum every three years.
- Live Play (LiveEx): Purpose is to provide a live test of arrangements, including the operational and practical elements of an incident response. This may be achieved through participation in exercises run by local multi-agency partners where relevant to health. Minimum every three years.
In addition to these core requirements, the EICB will participate in the NHSE EPRR Exercise Programme (2024–2030), which requires all NHS organisations to exercise against seven rotating annual themes—including mass casualties, HAZMAT/CBRN, business continuity, cyber incidents, infectious disease, extreme weather, and security/shelter/evacuation scenarios.
The EICB will work collaboratively with the NHS England Regional EPRR team, across the Essex LHRP, and with the ERF to ensure that exercises reflect system‑wide risks, interoperable response arrangements, and the principles of coordinated multi‑agency working.
To ensure that training and exercising is embedded across the organisation, the EICB will:
- Maintain an Annual Training and Exercising Programme, aligned to national and regional programmes, local risks and local multi‑agency requirements.
- Provide training for all staff with EPRR responsibilities, including the AEO, Strategic and Tactical Commanders (on-call), Decision Loggists, Managers and other supporting staff.
- Ensure competencies reflect national occupational standards, and that staff receive refresher training appropriate to their level of responsibility. Training will be informed by a training needs analysis (TNA) which takes into consideration the minimum national occupational standards for EPRR.
- Test key plans and capabilities, including the Incident Response Plan, Business Continuity Plans, command arrangements, communications systems, cyber resilience protocols and surge capacity arrangements.
- Participate fully in wider NHS and local multi‑agency exercises, ensuring interoperability and joint situational awareness.
- Promote continuing professional development (CPD) for all staff with an EPRR or business continuity role, supporting the development of specialist skills, leadership capability, professional accreditation where applicable, and fostering a culture of continuous improvement across the organisation’s resilience arrangements.
- Conduct structured debriefs after all exercises, activations and incidents, capturing lessons, identifying improvements and overseeing the implementation of recommendations.
- Maintain comprehensive records of all exercises, training activity, attendance and outcomes to support internal governance and the NHS England annual EPRR assurance process.
- Integrate learning from national inquiries, including the Manchester Arena Inquiry, Grenfell Tower Inquiry and the COVID‑19 Inquiry, ensuring the EICB’s preparedness and response arrangements reflect emerging national expectations and evolving best practice.
Through these commitments, the EICB ensures that its staff, systems and processes remain prepared for incidents and emergencies, that resilience is embedded across all functions, and that the organisation can demonstrate compliance with NHS Core Standards and its statutory obligations.
Partnership Working
The EICB is committed to working collaboratively with NHS organisations, local authorities, emergency services, voluntary and community partners, and wider Category 1 and Category 2 responders to ensure a coordinated and effective approach to EPRR. Collaborative working is essential to safeguarding patients, maintaining critical services and supporting system resilience during incidents, emergencies and periods of pressure.
The EICB will foster strong, proactive and transparent partnerships with the ERF, Essex LHRPs, ICS partners and NHS England, ensuring alignment of plans, expectations and incident response arrangements. This includes active participation in multi‑agency planning, risk assessment, training, exercising and assurance processes, and ensuring that shared risks, dependencies and capabilities are understood and jointly managed.
The EICB is committed to promoting interoperability across the system by adopting nationally recognised joint working principles, including shared situational awareness, jointly understanding risk, coordinated decision‑making and co‑location where appropriate. Through these partnerships, the EICB will support timely information‑sharing, consistent communication, coordinated escalation, and mutual support across the health and care system and with wider multi‑agency responders.
Through this commitment, the EICB ensures that collaborative and partnership working is embedded throughout its EPRR arrangements, enabling a whole‑system, integrated and resilient response to disruptions, incidents and emergencies.
Assurance
The EICB is committed to achieving, maintaining and demonstrating compliance with the NHSE EPRR Core Standards, which set out the minimum requirements for NHS organisations to prepare for, respond to and recover from incidents and emergencies. These standards form part of the statutory and contractual requirements for NHS‑funded organisations and are overseen nationally by NHS England.
The EICB will participate in the annual EPRR Core Standards Assurance process, ensuring that all required evidence, self‑assessments and improvement plans are reviewed, validated and submitted to NHSE in accordance with national and regional requirements. Oversight, monitoring and scrutiny of the organisation’s compliance will be undertaken through the EICB’s formal governance structures, with an annual assurance report escalated to and received by the EICB Board to ensure transparency and accountability. Quarterly EPRR Reports will be submitted to the Audit, Risk and Compliance Committee detailing performance against agreed EPRR and BCM KPIs, enabling oversight, scrutiny, and timely action where gaps in compliance or preparedness are identified.
As the system leader for EPRR, the EICB will also coordinate and oversee the ICS‑wide assurance process, ensuring that all NHS providers within the system fulfil their obligations and that core standards are assessed consistently, robustly and in line with NHS England expectations. This includes supporting organisations to evidence compliance, identifying system‑level risks and gaps, and ensuring the development and monitoring of improvement actions across the ICS.
Through this commitment, the EICB ensures a coherent, system‑wide approach to preparedness and continuous improvement in resilience, strengthening the capability of the ICS to manage incidents, emergencies and disruptive events effectively.
Information Sharing, Records Management & Information Governance
Recent public inquiries—including those into the Manchester Arena attack, the Grenfell Tower fire, and the COVID‑19 pandemic—have highlighted the critical importance of timely, accurate and lawful information sharing in protecting the public, supporting coordinated emergency response, and enabling transparent decision‑making. These inquiries have demonstrated that failures in communication, documentation, data handling and inter‑agency cooperation can significantly hinder response efforts, compromise public safety and erode trust. In this context, the ICB recognises that robust information governance, secure information sharing and effective records management are essential pillars of its EPRR responsibilities. As a Category 1 Responder, the EICB must therefore manage information to the highest standards, ensuring both operational effectiveness during incidents and accountability afterwards.
The ICB will:
- Operate in full compliance with the ICB’s corporate Information Governance Policy, Records Management Policy and related data protection procedures, ensuring that all EPRR information is collected, stored, used and shared appropriately and in accordance with UK GDPR and the Data Protection Act 2018.
- Use approved information‑sharing agreements (ISAs), including those developed collaboratively through the ERF and Essex LHRP, to govern the lawful, proportionate and secure sharing of information with partner agencies during preparedness, incident response and recovery.
- Share information lawfully and on a “need‑to‑know” basis, ensuring that any disclosure to NHS partners, emergency services, Local Authorities or other Category 1 and 2 responders is justified, proportionate and aligned with relevant ISAs and statutory duties.
- Ensure accurate and contemporaneous records are maintained during emergencies, exercises and business continuity incidents, including decision logs, situation reports and communications. The ICB will maintain a pool of trained decision loggists who will support the recording of decisions by incident commanders, based on guidance and best practice. All records will be retained, managed and disposed of in accordance with the ICB’s Records Management Policy and the NHS Records Management Code of Practice.
- Apply robust information‑security controls, including appropriate classification, secure storage, controlled access, and secure communication channels when handling operational, sensitive or personal information.
- Provide training and guidance to staff, ensuring those involved in EPRR duties—including commanders, decision loggists, and operational leads—understand their responsibilities regarding information governance, confidentiality and records management during incidents.
- Ensure accountability and transparency, enabling information‑related decisions made during emergencies to be audited, reviewed and used to inform organisational learning and improvement.
- Retain all EPRR-related records for extended periods where required for statutory or public inquiries, including those relating to major incidents. Records must not be destroyed if they fall within the scope of an ongoing or announced inquiry. The EICB adopts the following retentions detailed in the NHSE EPRR Framework:
| Category | Examples | Minimum retention period | Final action |
|---|---|---|---|
| Incidents (declared) | Decision logs, incident related documents including plans. Paper and electronic records. | 30 years | Review, archive or destroy under confidential conditions |
| Exercise | Post Exercise Reports. Electronic records. | 10 years | Review, archive or destroy under confidential conditions |
| On-call (routine – non-incidents) | Decision logs, handover records. Paper and electronic records. | 10 years | Review, archive or destroy under confidential conditions |
| EPRR and BCM | Incident Response Plans and supporting documents including on-call rota, core standards. Business Continuity Plans and supporting documents such as BIAs. LHRP and sub-group minutes, papers, action logs. Electronic records. | 30 years | Review, archive or destroy under confidential conditions |
Staff Health, Safety and Welfare
The EICB is committed to ensuring the health, safety and wellbeing of all staff as a fundamental component of its EPRR and BCM arrangements in line with Health and Safety Legislation and EICB Health and Safety Policy. Protecting and supporting the workforce is essential to maintaining safe, effective services and delivering an equitable response during incidents and emergencies.
The EICB will:
- Provide a safe working environment by ensuring that EPRR and BCM plans incorporate appropriate risk assessment, mitigation measures, and accessible guidance for staff during incidents and emergencies.
- Prioritise staff wellbeing before, during and after disruptive events, including access to welfare support, rest arrangements, psychological support pathways, and safe systems of work.
- Ensure inclusive and equitable arrangements, recognising that emergencies may disproportionately affect staff with specific needs, disabilities, long‑term conditions, caring responsibilities, or those from communities experiencing health inequalities.
- Embed fairness and equality into planning and response, ensuring that all staff have equitable access to information, training, protective measures, and support resources, and that decision‑making considers the impact on different staff groups.
- Promote a learning and supportive culture, encouraging staff to raise concerns, report risks, and contribute to continuous improvement of EPRR and BCM arrangements without fear of detriment.
- Strengthen workforce resilience, ensuring staff are adequately trained and competent for their roles during incidents, and that surge, rota and recovery arrangements safeguard staff wellbeing and prevent avoidable harm.
This commitment underpins the EICB’s statutory duties as a Category 1 responder and ensures that emergency and continuity arrangements protect both the workforce and the populations served.
Equalities and Health Inequalities
The EICB is committed to ensuring that its EPRR arrangements actively support the reduction of health inequalities and uphold the principles of equality, diversity and inclusion. The organisation recognises that incidents and emergencies can disproportionately impact individuals and communities based on factors such as age, disability, ethnicity, socioeconomic status, language, health status, and access to services.
In developing, implementing and reviewing EPRR and BCM arrangements, the EICB will:
- Assess and mitigate disproportionate impacts on protected groups and those experiencing health inequalities.
- Ensure equitable access to information, support and services, including accessible formats, translation, interpretation and reasonable adjustments.
- Embed inclusive decision‑making, ensuring that the needs of vulnerable groups and underserved communities are considered in planning assumptions, risk assessments, and during response and recovery.
- Monitor and review impacts to ensure that emergency and business continuity arrangements do not unfairly disadvantage any staff or population groups.
- Work with partners across the system to reduce inequalities before, during and after incidents and emergencies.
This approach ensures that EPRR and BCM arrangements not only meet statutory duties but also contribute to fair, inclusive and equitable responses for the people and communities of Essex.
Budget and Financial Commitment
The EICB is committed to ensuring that EPRR and BCM are appropriately resourced to meet all statutory and regulatory requirements. The organisation will allocate sufficient and sustainable funding to support the delivery of its EPRR and BCM functions, including for example the maintenance of on‑call arrangements, training and exercising, incident management capabilities and multi‑agency cooperation (via the ERF).
The EICB will ensure that budgetary provision for EPRR and BCM is reviewed annually as part of the corporate planning and governance cycle. Directorates must ensure that EPRR and BCM requirements are reflected within their own planning and resource allocation processes.
In the event of an incident or emergency, appropriate financial arrangements, with appropriate record keeping, will be activated by the EICB.
Monitoring Compliance
The Audit, Risk and Compliance Committee is responsible for monitoring the implementation of this policy and ensuring it is reviewed as required.
Implementation and Staff Training
The EPRR Team lead operationally on the implementation and monitoring of this policy, reporting compliance to the AEO and the Audit, Risk and Compliance Committee.
There is a requirement as part of local inductions to ensure that staff are made aware of the importance of policies and procedures and their adherence to them.
Compliance with specific training requirements detailed in this policy will be monitored by the Audit, Risk and Compliance Committee.
Arrangements for Review
This policy will be reviewed no less frequently than every three years. An earlier review will be carried out in the event of any relevant changes in legislation, national or local policy/guidance, organisational change or other circumstances which mean the policy needs to be reviewed. Policy reviews should seek input from relevant stakeholders, including Staff Side/Staff Engagement Group for HR policies, and other appropriate fora including the Executive Team.
If only minor changes are required, the sponsoring Committee has authority to make these changes without referral to the EICB Board. If more significant or substantial changes are required, the policy will be ratified by the relevant committee before final approval by the EICB Board.
Associated Policies, Guidance and Documents
For this policy the associated documentation is:
- Incident Response Plan
- Business Continuity Management System
- Essex ICB On-call Policy
- Essex ICB Risk Management Policy
- Essex ICB Information Governance Policy
- Essex ICB Health & Safety Policy
- Essex ICB Incident Reporting Policy
References
- NHS England EPRR Framework
- NHS England Core Standards for EPRR
- NHS England Business Continuity Management Toolkit aligned to ISO 22301
- Joint Doctrine: The Interoperability Framework (JESIP)
Equality Impact Assessment
The EIA has identified no equality issues with this policy.
The EIA has been included as Appendix A.
Appendix A – Equality Impact Assessment
Initial information
Name of policy and version number: Essex ICB EPRR and BCM Policy
Directorate/Service: Corporate Services
Assessor’s Name and Job Title: Associate Director EPRR
Date: 1 April 2026
Outcomes
Evidence
Analysis of impact on equality
The Public Sector Equality Duty requires us to eliminate discrimination, advance equality of opportunity and foster good relations with protected groups. Consider how this policy / service will achieve these aims.
N.B. In some cases it is legal to treat people differently (objective justification).
- Positive outcome – the policy/service eliminates discrimination, advances equality of opportunity and fosters good relations with protected groups
- Negative outcome – protected group(s) could be disadvantaged or discriminated against
- Neutral outcome – there is no effect currently on protected groups
Please tick to show if outcome is likely to be positive, negative or neutral. Consider direct and indirect discrimination, harassment and victimisation.
| Protected group | Positive outcome | Negative outcome | Neutral outcome | Reason(s) for outcome |
|---|---|---|---|---|
| Age | X | | | Policy applies equally; training and information accessible for all ages. |
| Disability (Physical and Mental/Learning) | X | | | Policy emphasises accessible communication, reasonable adjustments, staff wellbeing, and safe working practices during incidents. |
| Religion or belief | X | | | No impact on religious practices; incident arrangements include flexible rostering and individual needs. |
| Sex (Gender) | X | | | Policy supports fair deployment, training access, and welfare arrangements with no gender‑based differentiation. |
| Sexual Orientation | X | | | No element of the policy differentiates by sexual orientation. |
| Transgender / Gender Reassignment | X | | | Inclusive policy framework; ensures safe working environment and equitable access to support. |
| Race and ethnicity | X | | | Includes equitable communication and access to information; promotes reduction of health inequalities. |
| Pregnancy and maternity (including breastfeeding mothers) | X | | | Business continuity, flexible deployment and risk‑based planning support staff who are pregnant or breastfeeding. |
| Marriage or Civil Partnership | X | | | No impact on rights or responsibilities for married or civil‑partnered staff. |
Monitoring outcomes
Monitoring is an ongoing process to check outcomes. It is different from a formal review which takes place at pre-agreed intervals.
Review
Implementing the Policy/Service
Negative outcomes – action plan
If there are no negative outcomes, please remove this section.
An Equality Impact Assessment cannot be signed off until negative outcomes are addressed. What actions you have taken/plan to take to remove/reduce negative outcomes?
Action taken/to be taken: N/A
Date: N/A
Person Responsible: N/A
Signed off by: Associate Director EPRR
Date: 1 April 2026