Credit: PublicDomainPictures/Pixabay

The Department for Environment, Food and Rural Affairs is to create a business-continuity and disaster-recovery playbook to help understand the potential impact and guide its response to a range of scenarios – including cyberattacks, strikes, and UK-wide power outages.

Newly published procurement information reveals that, on 2 May, Defra entered into a three-month engagement with consultancy KPMG, which will support the creation of “templates” to help guide the department’s response to disasters and the measurement of their impact.

The text of the contract reveals that the first of the deal’s three “deliverables” is to create four “business impact analysis” templates that allow Defra to consistently assess the operational effects of major incidents. These plans must be aligned to guidelines as set out by industry body the Business Continuity Institute.

Related content

• Government’s cyber plan delivers ‘a complete revolution in how we provide assurance’
• EXCL: Government red team security unit to test departmental defences with hostile reconnaissance
• CCS deploys phishing simulation to help find security weak spots

The first of the quartet of templates will address initial disaster response, followed by three documents to conduct analysis of: products and services; processes; and activity.

The second task for KPMG will be to create “reusable templates” setting out an “overarching plan” for recovery activities to be undertaken by the department in the event of a disaster. These plans should address measures to be taken at the level of individual Defra directorates – which includes operations focused on the environment, food and biosecurity, and science and analysis. These documents will be informed by existing plans and operations, but the consultancy will be asked to conduct “interviews with practitioners to determine gaps [and] issues with the current templates and processes”.

The final objective for KPMG will be to create seven templates, each of which will represent a “definition of [a] credible scenario that [is] tailored to the Defra context”. This will include outline descriptions – encompassing between three and five PowerPoint slides – of seven incidents the department believes could have a major impact on its operations.

The scenarios include: a cyberattack; a terrorist incident; an issue with the department’s supply chain; a nationwide power outage; a loss of key premises; a loss of key personnel; and nationwide industrial action.

Defra’s contract with the consultancy, which was awarded via the G-Cloud 13 framework, runs until 1 August and is valued at £40,000.