Guidance

Preparedness plan

Updated 10 January 2025

Building a resilient and responsive organisation ready to respond to health security threats

Purpose of the UKHSA preparedness plan

This preparedness plan describes the UK Health Security Agency’s (UKHSA’s) systematic approach to preparing its people, its plans and its infrastructure to be ready to respond to all threats and hazards. These arrangements apply across all groups, directorates and divisions and includes the requirement for everyone in the agency to have a role that supports incident response, UKHSA’s compliance with its Category 1 responder duties and how the agency supports the Department of Health and Social Care (DHSC) and NHS England with their own emergency preparedness, resilience and response (EPRR) responsibilities.

To assess the agency’s readiness to respond to specific health security threats and hazards, the plan describes the annual 4 stage preparedness cycle. This begins with identifying prioritised threats, provides an assessment of readiness against those threats and then informs resource allocation, including the:

• business planning cycle
• UKHSA’s annual EPRR training and exercise programme
• internal and external regional and national capacity building work that increases resilience and preparedness of organisations across the country

Examples of our internal and external regional and national capacity building work includes:

• the Adverse Weather and Health Plan capacity building events
• Summer Preparedness and Cold Weather Preparedness webinars

Building a shared understanding of preparedness

To achieve its mission, UKHSA must prepare for incidents through effective planning that will help to prevent, control and mitigate the health security impact. The agency must prepare for day to day routine health security incidents and the potentially more complex standard, enhanced and severe nationally coordinated response arrangements as described in the UKHSA’s incident response plan.

UKHSA’s Integrated Emergency Management model and EPRR Principles provide the strategic framework for the agency’s preparedness. This framework is described in the EPRR concept of operations (CONOP) and for ease of reference is included in Annexe H.

Part 1: Preparing UKHSA’s people, plans and infrastructure

People

This section outlines the approach for three groups of people, with the detail provided in the appropriate supporting people policies and EPRR training plans.

All UKHSA staff

As part of their induction to UKHSA, all new joiners will have to complete training that will introduce the principles of EPRR and how EPRR is implemented within the agency.

To enable UKHSA to scale-up its incident response, all staff are required to have a response role, for which they are trained. These roles cover all aspects of the response including scientific, clinical, operations, data, policy, communications, business support and the arrangements are described in people group’s workforce surge plans.   To support their EPRR awareness and development, all UKHSA staff have access to the agency’s EPRR e-learning platform that is managed by HP Ops/Dir EPRR. All groups and directorates are to nominate a representative to join the EPPR Network in order to promote the continuous improvement and shared learning of EPRR across the agency

Specified incident response roles

UKHSA has a number of specific incident response roles that are undertaken by a cadre of appropriately trained individuals. These range from the chairing the Science and Technical Advice Cell (STAC) to supporting a local Strategic Coordination Group (SCG), leading an Outbreak Control Team, being the Incident Director (ID) to lead an Incident Management Team, undertaking the role of the Strategic Response Director (SRD), attending COBR, providing contributions to SAGE^{[footnote 1]}, or emergency preparedness managers providing EPRR tactical advice to senior decision makers. The list of the UKHSA’s key incident response roles is at Annexe I.

In the main, these roles are temporary for the duration of the incident response (including recovery) and are in addition to the incumbent’s appointment. Each role requires a specific set of competencies, skills and experiences that might require additional EPRR training and all roles require the opportunity for continuous professional development. These requirements and the associated training pathway are described in Annexe I.

The Incident Director or the Strategic Response Director must have the right technical skills in order to provide effective leadership to deliver the agreed health security objectives; the EPRR principle of ‘direction’ is described in Annexe H. Dir EPRR therefore manages a cadre of trained IDs and SRDs to ensure that the agency can effectively respond to the broad range of threats and hazards.

EPRR appointments

Across the agency there are a number of appointments that deliver the EPRR function within groups and directorates, including specialist EPRR personnel (emergency preparedness managers) at various civil service grades and staff members with EPRR responsibilities included in their job description. Whilst the accountability of these appointments remains within groups and directorates, Dir EPRR acts as the ‘professional head’ for the network of EPRR appointments.  

This is to promote matrix working of the EPRR function horizontally across the agency to ensure that EPRR quality, standards and improvement are maintained and the sharing of good practice.

EPRR plans

Introduction

Category 1 responders are required to have a range of emergency response and business continuity plans and within UKHSA these various plans describe the agency’s systematic approach to preparedness and response.

The development, implementation and continuous improvement of the agency’s suite of EPRR plans follows the Cabinet Office Emergency Planning Cycle, which is illustrated in Figure 2 below. The main components are:

• plans are risk based
• staff should be trained on the ‘new’ plan before it is validated through exercises or incident response
• plans must be kept up to date, and be routinely re-assessed for their continuous improvement

Figure 1. Cabinet Office emergency planning cycle

Figure 1 shows 2 cycles. The first circle is has the title ‘consult’. It has 4 steps:

1. Take direction from risk assessment

2. Set objectives

3. Determine actions and responsibilities

4. Agree and finalise

The second cycle has the title ‘embed’. It also 4 steps:

1. Issue and disseminate

2. Train key staff

3. Validate in exercises, and in response

4. Maintain review and consider revision

The consult cycle is below the embed cycle. However, consult has steps 1 to 4 and embed has steps 5 to 8.

The governance of all EPRR plans is provided by the EPRR Delivery Group (EPRR DG), chaired by Dir EPRR that reports into the EPRR Oversight Group (EPRR OG), which is chaired by the Chief Medical Advisor (CMA).

Incident response plan

The incident response plan (IRP) is UKHSA’s all hazards and threats approach to managing public health emergencies. It describes:

• activities within each of the incident response phases of

  • situational awareness
  • alerting
  • risk assessment
  • response
  • recovery
• UKHSA’s incident response levels and parameters for escalation and de-escalation
• roles and responsibilities for UKHSA’s incident response ‘command, control and coordination’ structures
• people management protocols during incident response, including their health, safety and wellbeing
• recovery, incident debriefs and continuous improvement

Supporting plans

To ensure a systematic and whole-Agency approach to preparedness and response, these functions are supported by a number of supporting plans to provide operational level detail. The majority of these plans are owned by Dir EPRR and their governance arrangements are provided by the EPRR DG and EPRR OG. Other plan owners are specified.

UKHSA EPRR training and exercise plan

UKHSA’s remit includes the provision of an EPRR training and exercising programme to support emergency preparedness, resilience and response capability in UKHSA, DHSC and NHS England that will facilitate both system wide and individual organisation assessment. This programme is governed by the DHSC Health Delivery Group (DHSC HDG).

The annual EPRR training and exercise plan will provide a detailed Year 1 delivery plan and the outline rolling programme for Years 2 and 3. UKHSA’s training and exercise requirements will be agreed by the EPRR DG and EPPR OG before being submitted to the DHSC HDG.

EPRR continuous improvement plan

UKHSA consistently improves its ability to prepare for, respond to and recover from health security threats by appropriately applying learning identified from incident response, simulation exercises, research and evaluation; EPRR principle of continuous improvement is at Annexe H.

The EPRR continuous improvement plan will describe the process and arrangements how ‘lessons identified’ (including appropriate external lessons and good practice) for preparedness and response become ‘lessons learned’. The plan will also describe the whole-agency continuous improvement arrangements.

The governance of preparedness and response lessons is provided by the EPRR DG and EPRR OG and is implemented by the EPRR Quality, Standards and Improvement (EPRR QSI) team that is part of the Emergency Preparedness Division within HP Ops/Dir EPRR.

An annual report on the learning and subsequent continuous improvement of preparedness and incident response will be provided to the UKHSA Advisory Board.

EPRR assurance assessment

The annual UKHSA EPRR Assurance Assessment will provide assurance to UKHSA’s Executive Committee and to DHSC on the effective and efficient delivery of EPRR activities across the Agency and compliance with its EPRR statutory duties (CCA 04 and more), policies, standards and regulations.

The identified Units of Assessment across the agency will complete a self-assessment against the given EPRR core standards and assurance criteria.

Governance is provided by the EPRR DG and EPRR OG and the assessment will inform the Annual Preparedness Cycle.

Business continuity management framework

As a Category 1 responder, UKHSA is required to have business continuity management (BCM) arrangements and the Cabinet Office definition is that BCM is a process that manages risks to the running of an organisation or delivery of a service, ensuring continuity of critical functions in the event of a disruption, and effective recovery afterwards.

Within the agency, director generals or directors remain accountable for the business continuity arrangements for the infrastructure, services or functions that they are required to deliver.

UKHSA’s Business Continuity Management Framework describes the process of Business Impact Analysis (BIA) to identify activities and resources that are critical to achieving the Agency’s mission, an impact assessment of their failure or disruption and how they might best be protected. A business continuity plan will then be developed for each appropriate service and/or function that is compliant with UKHSA’s Business Management Framework.

UKHSA’s response to a business continuity incident is assessed and managed in accordance with the incident response plan and in threat specific plans such as a national power outage and cyber attack.

Response centres interoperability plan

Across UKHSA there are a number of response centres that enable the agency to achieve its mission. These centres include:

• the National Response Centre
• the network of 9 Regional Response Centres
• National Operations
• UKHSA Press Office
• points of contact for Chemicals, Radiation and Extreme [natural] Events
• ICT
• Cyber
• Port Health
• Field Services
• Rapid Investigation Team

The agency also has an extensive network of on-call arrangements.

The Response Centres Interoperability Plan will provide a coherent and consistent framework for the operation of a response centre and describe the arrangements to ensure shared situational awareness, the shared understanding of joint risks and unified command, control and co-ordination.

Threat specific plans

The UKHSA’s approach to its preparedness, response and recovery to all threats and hazards is ‘generic where possible and specific when necessary’, which is applicable to a business as usual Routine response, up to a severe response for pandemic and others. These generic arrangements are described in UKHSA’s Incident Response Plan (IRP).

The nature of some threats, however, means that the escalatory arrangements described in the IRP may not be appropriate and therefore additional specific detail is required. A threat specific plan may be appropriate for a pre-determined response to a known incident (such as a national power outage), or there is the potential for a significant health security impact (such as pandemic, a high consequence infectious disease case, a civil nuclear accident, control of major accident hazards (COMAH) incident, a radiation release from an overseas nuclear site or others), or there is a potential significant disruption to UKHSA’s business critical services or functions (such as a cyber attack).

Each threat specific plan has a ‘threat owner’ and describes the necessary preparedness and response arrangements to mitigate the potential health security impact. Each plan is authorised by the EPRR OG to ensure that any major divergence from the incident response plan is agreed in advance. The list of extant threat specific plans is included in UKHSA Incident Response Plan.

Infrastructure

UKHSA’s regional and national footprint includes 30 sites across England that are connected by a network of information and communication technologies. In some locations (such as Porton, Colindale and Chilton) the agency acts as the ‘landlord’ and in other sites (such as its regional office locations, laboratories within the NHS estate and other places) it acts as a ‘tenant’.

The Business Continuity Management Framework outlined above describes how the agency’s infrastructure is resilient to business continuity incidents and key assurance processes, such as the NHS Data Protection Security self-tool kit to assess compliance against the data security and information governance requirements mandated by DHSC. The readiness of UKHSA’s infrastructure is assessed in the Annual Preparedness Cycle described in Part 2 below, during incident response, through simulation exercises and through the lessons identified continuous improvement process.

Part 2: Annual preparedness cycle

Introduction

Each year, UKHSA conducts a preparedness cycle to analyse the threats of highest concern informed by the national risk register, health security threat assessments and early warning from UKHSA’s surveillance systems. The preparedness cycle prioritises health threats with high likelihood and impact, ensuring they are addressed within the Agency’s broader responsibilities and provides UKHSA with the assurance that we are both ready to respond and continue to comply to our regulatory and statutory duties.

Each threat is then assessed to help understand the required capabilities and capacities needed to respond to a reasonable worst-case scenario and within the context of UKHAS’s planned health security activities. Any miss-match between what we currently have and what we need will drive our readiness activities over the next 12 months and will help to inform business planning and spending review considerations.

All divisions, teams and other groups across the agency contribute to preparedness cycle process and this holistic approach ensures that every part of the organisation validates that our preparedness efforts meet the necessary standards. Although the focus is on specific threats, the resulting activities are designed to enhance UKHSA’s overall preparedness and resilience, with recommendations that are, as far as possible, threat agnostic.  

This plan will outline the 4 stages of the Annual Preparedness Cycle, as illustrated in Figure 2 below

Figure 2. UKHSA annual preparedness cycle

Figure 2 shows a circle with 4 components. Component 1 is risk identification, which takes place in March. It includes text saying that there is “an agreed list of prioritised top threats informed by NSRA, UKHSA’s Health Security Risk Assessment, continuous improvement lessons and other sources”.

The next component (clockwise) is an initial readiness assessment. This takes place in March and April. It includes an “initial assessment of capacity and capability” against the threats identified in component 1 in the circle.

Component 3 is “decide and implement”. This takes place from April to January. It involves “strategic and tactical changes determined in response to the assessment”.

Component 4, the final component in the circle, is a “final readiness assessment”. It happens in February. It concerns an “evaluation of progress and preparation for the next cycle.

Stage 1: Risk identification

To ensure that potentially high likelihood (within the next 2 years) and high impact health threats are prioritised, in Stage 1 the UKHSA’s Health Security Risk Assessment is compared with other appropriate risk assessments, such as the National Security Risk Assessment. Other factors for each threat are also considered, which include:

• health equity

• any outstanding lessons identified

• the EPRR annual assurance assessment

• business continuity assessments

• UKHSA’s Strategic Risk Register

Stage 2: Initial readiness assessment

To ensure a consistent and coherent approach that can be applied to all threats and hazards, a Readiness Assessment Methodology has been developed. This includes both quantitative and qualitative assessment of UKHSA’s capability and capacity to respond to the specific threat and is completed as a whole-Agency assessment; the option to include key external partners should be considered.

Stage 3: Decide and implement

The information from Stages 1 and 2 is assessed by the EPRR OG against 2 possible outcomes;  

Outcome 1: Achievable with current resources

These are tasks that can be achieved within the current FY or within given budget allocations.

Examples include:

• amendment to current response plans

• refinement of existing EPRR training

• a simulation exercise to validate response arrangements

• minor adjustments to preparedness and response capacities

The planning assumption is that the majority of tasks would be achievable within the financial year (FY).

Outcome 2: Strategic reshaping 

These are tasks that require material changes to the resource allocation through the agency’s corporate business planning cycle. Examples include the provision of additional capabilities or significant expansion of existing capacity, significant changes to policy and development of new policies, significant re-organisation and other. The planning assumption is that these tasks will require sustained resourcing throughout the ‘prepare, respond, build’ project or programme cycle.

Stage 4: Final readiness assessment

The final stage is to ensure that the actions agreed to address the identified gaps have either been completed or are on-track as planned.

---

1.   Scientific Advisory Group for Emergencies provides scientific and technical advice to support government decision makers during emergencies. ↩