1. What the regulation says
Care and treatment must be provided in a safe way for service users. (Reg 12(1) (the headline duty))
assessing the risks to the health and safety of service users of receiving the care or treatment, (Reg 12(2)(a) (risk assessment))
doing all that is reasonably practicable to mitigate any such risks, (Reg 12(2)(b) (risk mitigation))
ensuring that the premises used by the service provider are safe to use for their intended purpose and are used in a safe way, (Reg 12(2)(d) (premises safety))
where equipment or medicines are supplied by the service provider, ensuring that there are sufficient quantities of these to ensure the safety of service users and to meet their needs, (Reg 12(2)(f) (sufficient equipment and medicines supply))
Regulation 17 adds the governance duties that this policy operationalises:
Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part. (Reg 17(1): the umbrella duty)
assess, monitor and improve the quality and safety of the services provided in the carrying on of the regulated activity (including the quality of the experience of service users in receiving those services) ... assess, monitor and mitigate the risks relating to the health, safety and welfare of service users and others who may be at risk which arise from the carrying on of the regulated activity. (Reg 17(2)(a) and (b): quality and risk)
The full text is at https://www.legislation.gov.uk/uksi/2014/2936/regulation/12 and https://www.legislation.gov.uk/uksi/2014/2936/regulation/17. Where this policy and the regulation diverge, the regulation wins.
2. Plain-English summary
Care and treatment must be provided in a safe way. The regulation lists the areas a provider must address, including risk assessment, risk mitigation, staff competence, safe premises, safe equipment, sufficient equipment and medicines, medicines safety, infection prevention and shared-care planning. Good governance under Reg 17 means running effective systems and processes to assess, monitor and mitigate risks to people's health, safety and welfare, and a tested, current business continuity plan is how a service shows it can keep people safe when normal systems fail.
3. Purpose
The purpose of this policy is to make sure that [Service Name] can continue to provide safe care and treatment during disruption, emergency or service failure.
Business continuity is part of safe care and good governance. The service must be able to identify essential functions, plan for disruption, respond quickly, communicate clearly and protect people from avoidable harm.
This policy supports Regulation 12 safe care and treatment, Regulation 17 good governance, Regulation 18 staffing, Regulation 15 premises and equipment, health and safety duties and CQC notification requirements.
4. Policy warning
A service disruption does not remove the provider's duty to keep people safe.
Where normal systems fail, the service must move quickly to safe contingency arrangements. Staff must know who is in charge, what to prioritise, who to contact and what must be recorded.
A continuity plan that is not tested, not known by staff, or not updated after changes may fail when needed.
5. Scope
This policy applies to disruption involving:
- staffing shortage
- severe weather
- infectious disease outbreak
- fire, flood or building failure
- power failure
- heating or water failure
- IT or telephone failure
- cyber incident
- medicine supply disruption
- equipment failure
- vehicle failure
- contractor failure
- transport disruption
- loss of records
- evacuation or relocation
- public health emergency
- death or sudden absence of a key person
- financial or provider failure affecting safe service delivery
6. Essential services
The Registered Manager must identify essential functions that must continue during disruption.
These may include:
- direct care and treatment
- medicines
- safeguarding
- emergency response
- access to care plans and risk assessments
- clinical records
- staffing and rota management
- communication with people using the service
- communication with families, advocates and professionals
- infection control
- equipment safety
- premises safety
- escalation to external bodies
- CQC statutory notifications
Essential functions must be prioritised in the continuity plan.
7. Responsibilities
The Registered Manager is responsible for maintaining the business continuity plan, training staff, leading the response and reviewing incidents.
The provider or Nominated Individual is responsible for ensuring that resources, insurance, systems and provider-level support are available.
Senior staff are responsible for following the plan, escalating concerns and recording actions.
All staff are responsible for knowing emergency procedures relevant to their role.
8. Business continuity plan
The service must maintain a written business continuity plan.
The plan must include:
- key risks
- essential functions
- emergency contacts
- leadership arrangements
- out-of-hours escalation
- staff contact process
- emergency staffing arrangements
- priority people or activities
- access to care records
- medicines continuity
- equipment continuity
- premises arrangements
- IT and telephone contingency
- evacuation or relocation arrangements where relevant
- communication plan
- external reporting requirements
- recovery process
- post-incident review
The plan must be accessible to senior staff during an emergency, including where IT systems are unavailable.
9. Leadership during disruption
The plan must identify who leads the response.
The lead person must:
- assess the situation
- decide immediate safety actions
- allocate roles
- communicate with staff
- prioritise essential care
- escalate to provider level where needed
- contact emergency services where required
- contact external agencies where required
- keep records of decisions and actions
- review when the service can return to normal
There must be a deputy where the Registered Manager is unavailable.
10. Staff shortage
The service must have a plan for unexpected staffing shortage.
The plan must include:
- minimum safe staffing levels
- priority tasks
- escalation route
- use of bank or agency staff
- manager redeployment where appropriate
- cancellation or postponement of non-essential activity
- communication with people using the service
- risk assessment where staffing is below planned level
- provider escalation
- CQC or commissioner notification where required
The service must not continue unsafe activity without risk assessment and escalation.
11. Loss of premises, utilities or environment
Where premises, utilities or environment are unsafe, the service must assess:
- immediate risk to people
- fire, flood, temperature or infection risk
- access and evacuation
- suitability of alternative areas
- equipment and medicine safety
- impact on treatment or care
- need for emergency services
- need to relocate or suspend service
- need to notify CQC, commissioner or other bodies
Decisions must be recorded.
12. IT, records and cyber disruption
The service must have contingency arrangements for loss of IT, telephone or record systems.
This must include:
- how staff access essential care information
- paper fallback arrangements
- secure storage of temporary records
- process for later uploading or reconciling records
- emergency contact lists
- reporting cyber incidents
- protecting personal data
- informing affected people where required
- notifying ICO where required
- notifying CQC where the disruption affects safe care
Staff must know how to work safely if electronic systems are unavailable.
13. Medicines and equipment continuity
The continuity plan must cover disruption affecting medicines, clinical supplies, equipment, vehicles or devices.
The service must consider:
- emergency medicine access
- controlled drugs where relevant
- oxygen or emergency medicines
- vaccine or cold-chain arrangements where relevant
- device failure
- maintenance contractor failure
- spare equipment
- alternative supplier routes
- safe suspension of activity if equipment is unavailable
- escalation to prescriber, pharmacy, manufacturer or emergency services
Unsafe workarounds must not be used.
14. Infection outbreak or public health emergency
The service must follow current public health guidance during infectious disease outbreaks or public health emergencies.
The response must consider:
- isolation or separation where relevant
- PPE
- staffing impact
- cleaning
- testing guidance where applicable
- communication with people using the service
- staff exclusion or return-to-work advice
- visiting or attendance arrangements where relevant
- notification to relevant authorities
- increased monitoring of vulnerable people
The service must record decisions and updates to the plan.
15. Communication
The plan must include communication arrangements for:
- staff
- people using the service
- families or representatives
- advocates
- emergency services
- commissioners
- local authority
- safeguarding
- CQC
- suppliers and contractors
- professional advisers
- insurers
Communication must be timely, factual and proportionate.
Where communication is disrupted, alternative methods must be used where possible.
16. Prioritisation
During disruption, the service must prioritise according to risk.
Priority should be given to:
- life-threatening or urgent care needs
- people at greatest risk of harm
- medicines and time-critical treatments
- safeguarding
- essential personal care
- infection control
- emergency communication
- continuity of records
- safe staffing
- service-user dignity and rights
Non-essential activity may be delayed where necessary, but the decision and rationale must be recorded.
17. External reporting
The Registered Manager must consider whether the disruption requires notification to:
- CQC
- commissioner or local authority
- safeguarding authority
- emergency services
- public health body
- Health and Safety Executive
- Information Commissioner's Office
- professional regulator
- insurer
The decision to notify or not notify must be recorded.
18. Recovery
The service must have a recovery process after disruption.
Recovery must include:
- confirming people are safe
- checking missed or delayed care
- reconciling temporary records
- checking medicines and equipment
- updating risk assessments
- informing relevant people
- completing incident records
- reviewing staff wellbeing
- identifying learning
- updating the business continuity plan
The service must not assume that recovery is complete because the immediate emergency has ended.
19. Testing the plan
The business continuity plan must be tested at least annually.
Testing may include:
- tabletop exercise
- call cascade test
- IT outage exercise
- evacuation drill where relevant
- severe-weather scenario
- staffing-shortage scenario
- cyber incident scenario
- loss of records exercise
The test must be recorded and any actions tracked.
20. Training and awareness
Staff must receive training appropriate to their role on:
- emergency procedures
- escalation route
- fire and evacuation
- business continuity arrangements
- record fallback process
- communication plan
- infection outbreak response
- staffing shortage response
- cyber or IT outage response
New staff must receive relevant continuity information during induction.
21. Records
The service must keep:
- business continuity plan
- emergency contact list
- risk assessments
- test records
- incident records
- communication records
- external notification records
- action plans
- post-incident review
- updated plan versions
Records must show what happened, what was decided, who was informed and what changed afterwards.
22. Post-incident review
After any significant disruption, the Registered Manager must complete a post-incident review.
The review must consider:
- what happened
- what worked
- what failed
- impact on people using the service
- missed or delayed care
- staff impact
- communication effectiveness
- records and evidence
- external reporting
- actions required
- whether the risk register needs updating
- whether the continuity plan needs updating
Findings must be reviewed through governance.
23. Related policies in this pack
This policy should be read with:
- Safe Care and Treatment Policy
- Good Governance Policy
- Risk Management and Risk Register Policy
- Incident Reporting, Investigation and Learning Policy
- Fire Safety Policy
- Infection Prevention and Control Policy
- Medicines Policy
- Staffing Policy
- Data Breach Policy
- Record Keeping Policy
- CQC Statutory Notifications Policy
- Health and Safety Policy
24. Review
This policy will be reviewed annually, or sooner following a serious incident, service disruption, business continuity test, CQC finding, change in service model, change in premises, major system change, or new legal or regulatory guidance.
25. Sources and further reading
This template is based on CQC's guidance for providers and managers, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and other topic-specific legislation and guidance listed below. It is a starting point for adaptation, not a substitute for legal, clinical, HR, safeguarding or specialist professional advice.
- CQC Regulation 12: Safe care and treatment
- CQC Regulation 17: Good governance
- CQC statutory notifications guidance
- UKHSA outbreak guidance
- HSE health and safety guidance
- Local emergency planning and commissioner guidance
- Civil Contingencies Act principles (where relevant)
- Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (https://www.legislation.gov.uk/uksi/2014/2936/regulation/12)
26. When to seek further advice
Seek specialist advice where the issue involves serious harm, safeguarding, deprivation of liberty, restraint, children, professional misconduct, controlled drugs, radiation, termination of pregnancy, infection outbreak, water safety, employment dismissal, DBS barring referral, or regulatory enforcement.
27. Document control
| Version | Date | Author | Changes |
|---|---|---|---|
| v1 | 2026-06-10 | Verivius (sample) | Initial sample template, conformed to the Verivius policy standard. |
This sample policy template was issued by Verivius. It is a template, not a substitute for legal advice or the tenant's own policy-development process. Where this template and live law or regulator guidance diverge, the live source wins.