Archived – Audit of the Business Continuity Planning Program

Project Number 6B207
Final Audit Report
December 17, 2010

Acronyms

BCP: Business Continuity Planning
DFO: Department of Fisheries and Oceans
IM&IT: Information Management and Information Technology
TBS: Treasury Board Secretariat

1.0    Executive Summary

1.1    Introduction

Business Continuity Planning

As per the Emergency Management Act and Treasury Board Secretariat (TBS) Policy on Government Security, “each federal department must have in place a comprehensive and effective Business Continuity Planning (BCP) program to ensure continuity of federal critical services and associated assets during an emergency or situation that may disrupt normal operations (e.g. flood, manifestation, pandemic, power outage)”.

The TBS Operational Security Standard – BCP Program (hereafter referred to as TBS BCP Standard) sets the requirements for the BCP program which is built on the following four key elements:

  • The establishment of BCP program governance
  • The conduct of a business impact analysis
  • The development of business continuity plans and arrangements
  • The maintenance of BCP program readiness

As per the TBS Operational Security Standard: Management of Information Technology Security, a critical service is defined as a “service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada”, where high degree of injury means “severe harm related to provision of sustenance (e.g. food, water, shelter, and energy), public order, emergency care and response, life sustaining environment, vital communications and transportation, fundamental economic services, continuity of government, territorial integrity and sovereignty”.

The Department of Fisheries and Oceans (DFO) has over 200 business continuity plans covering 90 critical services, which stakeholders refer to as “mission critical functions”, across all regions. At DFO, business continuity plans are site-based, so a plan often covers more than one critical service because a site delivers many different services. Conversely, the same critical service may be covered by many plans if it is delivered from several sites.

Control Framework

BCP is a fundamental cornerstone of the overall departmental Safety and Security programs (security, emergency preparedness, business continuity and occupational health and safety) managed by the Real Property, Safety and Security branch. In the recent past, changes in the Safety and Security regulatory framework have been significant, and implementing them has been a challenge with a direct impact on BCP activities.

In 2008, Real Property, Safety and Security management developed a Safety and Security risk profile which identified a high risk linked to its capacity, from both a financial and a human resources perspective. Mitigation strategies were identified; however, few were implemented and some still need to be addressed at the senior departmental level.

In 2005, Real Property, Safety and Security developed a Departmental Safety and Security Policy and Accountability Framework and the DFO Operational Standards for Business Continuity Planning (hereafter referred to as the DFO BCP Standard), which together provide a control framework and guidance to support the BCP program. Both documents are currently under revision. In addition, the directorate has developed a departmental business continuity plan template and a guide to preparing DFO business continuity plans as tools for site teams to prepare their plans. There is no departmental policy dedicated to the BCP program.

1.2    Objective and Scope

The objective of this audit is to provide assurance that the Department has established a BCP program that ensures the continued availability of its critical services and related assets.

Based on the audit team’s preliminary risk assessment, high risk areas were identified in the business impact analysis process and in the development and review of business continuity plans and arrangements. The audit focused on those two areas. Lower and moderate risks were identified within BCP program governance and program readiness; consequently, they were not addressed by this audit, in order to focus audit resources on key value-added items. The scope of the audit included a review of a random sample of 20 plans from all regions, selected from the national repository as of June 2010.

1.3    Statement of Assurance

In our opinion, the auditors have examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a high level of assurance on the reported opinion or conclusions.

1.4    Summary of Observations and Recommendations

Overall, while program management has made efforts to build a good foundation for the BCP program, the program still needs to be strengthened. Currently the program provides only some assurance that the organization will manage its critical services during major disruptions or emergencies. It cannot provide complete assurance because an adequate selection and prioritization of critical services, and an identification and assessment of recovery strategies, still need to be completed and properly reflected in the plans and arrangements, with full integration of Information Management & Information Technology (IM&IT) continuity planning. Streamlining the critical services is essential to achieve cost effectiveness and efficiency. This will require renewed commitment from senior management and their sectors.

A key challenge remains one of setting priorities within the department-wide Safety and Security function in a context of increasing pressures due to changes in the regulatory framework, limited resources and high turnover within the BCP program.

The following provides the audit team’s observations and recommendations based on the evidence collected and analysis performed. They are presented based on issues and linked to three key processes which are essential to the efficiency and effectiveness of the BCP program.

Business Impact Analysis (High Significance)

BCP program management established a prioritized list of critical services. However, the list includes non-critical services and dependencies listed as critical services. The exercise was not based on a sound business impact analysis process. Despite efforts made by BCP program management to update the list, it is still widely criticized by stakeholders, identifies too many critical services and is outdated. Shifting priorities and lack of engagement from some sectors were identified as the main factors behind this situation. There is no evidence of senior management approval of the original business impact analysis results or of its subsequent updates.

1. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that a business impact analysis process is conducted with the sectors concerned under the direction and coordination of the Departmental Security Officer. The Departmental Security Officer should coordinate the approval of the business impact analysis results by senior management.

Recovery Strategies (High Significance)

Although some business continuity plans mention recovery strategies such as alternate site arrangements, there is no evidence of formal identification and assessment of recovery options for each critical service. The recovery strategy process is not defined. Senior management decisions supporting final recovery strategies are not documented.

2. The Assistant Deputy Minister, Human Resources and Corporate Services should:

i) Define and implement a formal process to identify recovery options for each critical service and to select final recovery strategies with the engagement of sectors concerned under the direction and coordination of the Departmental Security Officer.

ii) Have the Departmental Security Officer coordinate approval of the recovery strategies by senior management to ensure their support and funding of selected strategies.

iii) Ensure that senior management decisions made on final recovery strategies are documented and reflected in the relevant business continuity plans.

Integration of Information Management & Information Technology Continuity Planning (Medium Significance)

The IM&IT continuity plan is partially completed and not fully integrated into the BCP program. Roles and responsibilities are not defined or communicated to the key players involved in the development, maintenance and testing of the IM&IT continuity plan; however, information technology management and staff are committed to continuing the work undertaken with key stakeholders.

3. The Assistant Deputy Minister, Human Resources and Corporate Services should define a strategy to strengthen the integration of IM&IT continuity planning into the departmental business continuity planning activities under the direction of the Departmental Security Officer and the Chief Information Officer.

Plans and Arrangements (Medium Significance)

The new template and guide introduced by program management to help site teams prepare their business continuity plans are missing key elements and are not used consistently across regions. As a result, the business continuity plans reviewed were also missing some key elements essential to the efficient recovery of critical services.

4. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that the tools for the plan development process are strengthened to address deficiencies and ensure that their use is reinforced.

The plan review and approval processes are defined in the DFO BCP Standard; however, responsibility for updating plans is not clearly assigned, and the review activities of Regional and National Coordinators are not clearly defined. Site Team Leaders are not always engaged in updating their plans semi-annually for larger sites and annually for smaller sites. Plans are not always reviewed by Regional and National Coordinators as prescribed by the DFO BCP Standard. An effective independent challenge of the sector business continuity plans is needed in order to improve them, and it should respond to rapidly changing risk. The weaknesses in regional and national oversight are partly due to a capacity issue and shifting priorities. The lack of oversight and monitoring prevents the escalation and resolution of issues at higher management levels when required. Approval control over the maintenance of plans is burdensome.

5. The Assistant Deputy Minister, Human Resources and Corporate Services should:

i) Ensure that maintenance of all plans is done, on an adequate basis to reflect changing risks and circumstances, by the sectors concerned under the direction and coordination of the Departmental Security Officer.

ii) Ensure that roles and responsibilities related to the plan maintenance process are clearly defined and communicated in order to reinforce accountabilities.

iii) Ensure that review and approval controls are reviewed to take into account the resource level, rapidly changing risks and circumstances, and the importance of changes justifying re-approvals. The review activities of Regional and National Coordinators should be clearly defined.

iv) Strengthen the monitoring and reporting function of the BCP activities to ensure that issues identified are addressed at the appropriate level including lack of plan approval and the absence of plans.

2.0     Introduction

2.1     Background

Business Continuity Planning

As per the Emergency Management Act and Treasury Board Secretariat (TBS) Policy on Government Security, “each federal department must have in place a comprehensive and effective Business Continuity Planning (BCP) program to ensure continuity of federal critical services and associated assets during an emergency or situation that may disrupt normal operations (e.g. flood, manifestation, pandemic, power outage)”.

The TBS Operational Security Standard – BCP Program (hereafter referred to as TBS BCP Standard) sets the requirements for the BCP program which is built on the following four key elements:

  • The establishment of BCP program governance;
  • The conduct of a business impact analysis;
  • The development of business continuity plans and arrangements; and
  • The maintenance of BCP program readiness.

As per the TBS Operational Security Standard: Management of Information Technology Security, a critical service is defined as a “service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada”, where high degree of injury means “severe harm related to provision of sustenance (e.g. food, water, shelter, and energy), public order, emergency care and response, life sustaining environment, vital communications and transportation, fundamental economic services, continuity of government, territorial integrity and sovereignty”.

The Department of Fisheries and Oceans (DFO) currently has over 200 business continuity plans covering 90 critical services, which stakeholders refer to as “mission critical functions”, across all regions. At DFO, business continuity plans are site-based, so a plan often covers more than one critical service because a site delivers many different services. Conversely, the same critical service may be covered by many business continuity plans if it is delivered from several sites.

Control Framework

BCP is a fundamental cornerstone of the overall departmental Safety and Security programs (security, emergency preparedness, business continuity and occupational health and safety) managed by the Real Property, Safety and Security branch, which falls under the accountability of the Assistant Deputy Minister of Human Resources and Corporate Services. The National and Regional BCP Coordinators play multiple roles in the Safety and Security programs and, as a result, only a portion of their time is dedicated to the BCP program. The multiple roles of the coordinators, combined with recent high staff turnover and the fact that only one FTE supports the National Coordinator, have led management to identify a significant risk of national headquarters staff being overworked; this risk is also reflected in the Safety and Security risk profile.

In the recent past, changes in the Safety and Security regulatory framework have been significant, including the Emergency Management Act, the Federal Emergency Response Plan, Canadian Standards Association standards, the National Critical Infrastructure Protection Strategy, the Policy on Government Security, the Occupational Health and Safety Hazard Prevention Program, and the requirements of the Management of Information Technology Security standard. Interpreting, adapting and developing policies and procedures for these changes has been a challenge, with a direct impact on BCP activities.

Since an assessment was conducted by TBS in 2008, BCP program management has made some progress in improving and strengthening the BCP program. This progress has been limited, partly because higher priority was given to other programs such as those related to security and emergency response. In 2008, Real Property, Safety and Security management developed a Safety and Security risk profile which identified a high risk linked to its capacity, from both a financial and a human resources perspective. Mitigation strategies were identified; however, few were implemented and some still need to be addressed at the senior departmental level.

In 2005, Real Property, Safety and Security developed a Departmental Safety and Security Policy and Accountability Framework and the DFO Operational Standards for Business Continuity Planning (hereafter referred to as the DFO BCP Standard), which together provide a control framework and guidance to support the BCP program. Both documents are currently under revision. In addition, the directorate has developed a departmental business continuity plan template and a guide to preparing DFO business continuity plans as tools for site teams to prepare their plans. There is no departmental policy dedicated to the BCP program.

2.2    Objective and Scope of the audit

The objective of this audit is to provide assurance that the Department has established a BCP program that ensures the continued availability of its critical services and related assets.

Based on the audit team’s preliminary risk assessment, high risk areas were identified in the business impact analysis process and in the development and review of business continuity plans and arrangements. The audit focused on those two areas. Lower and moderate risks were identified within BCP program governance and program readiness; consequently, they were not addressed by this audit, in order to focus audit resources on key value-added items. The scope of the audit included a review of a random sample of 20 plans from all regions, selected from the national repository as of June 2010.

2.3    Audit Criteria

The following audit criteria were identified following a preliminary assessment of the program-related risks completed during the audit planning phase.

  • Departmental Security Officer provides for effective development, administration and monitoring of appropriate business continuity processes.
  • Mission critical functions list is based on the business impact analysis results and approved by senior management.
  • Final recovery strategies are feasible, agreed upon by stakeholders, and approved. Recovery options have been identified and assessed against current recovery capability and final strategy selected and approved by senior management.
  • All sites delivering mission critical functions have business continuity plans and plans contain all required elements including integration of Information Management and Information Technology (IM&IT) continuity plans and arrangements.
  • The Department takes into account changes (e.g. changes in critical services, operations, dependencies, emergency contact) to keep its business continuity plans and arrangements up to date.

2.4    Methodology

The audit team carried out its mandate in accordance with Government of Canada internal audit standards, as set out in the TBS Policy on Internal Audit. The approach included the following activities:

  • Review of key TBS policies and standards and Public Safety Canada guidelines and tools related to BCP.
  • Review of departmental documentation (e.g. Security and Safety policy and accountability framework, BCP Standard, guides and business continuity plan template, BCP status report, incident reports etc.).
  • Interviews with key program management, staff and stakeholders at headquarters and in the regions.
  • Review of a random sample of 20 business continuity plans.

3.0    Observations and Recommendations

3.1   Statement of Assurance

In our opinion, the auditors have examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a high level of assurance on the reported opinion or conclusions.

3.2    Observations and Recommendations

Overall, while program management has made efforts to build a good foundation for the BCP program, the program still needs to be strengthened. Currently the program provides only some assurance that the organization will manage its critical services during major disruptions or emergencies. It cannot provide complete assurance because an adequate selection and prioritization of critical services, and an identification and assessment of recovery strategies, still need to be completed and properly reflected in the plans and arrangements, with full integration of IM&IT continuity planning. Streamlining the critical services is essential to achieve cost effectiveness and efficiency. This will require renewed commitment from senior management and their sectors.

A key challenge remains one of setting priorities within the department-wide Safety and Security function in a context of increasing pressures due to changes in the regulatory framework, limited resources and high turnover within the BCP program.

The following provides the audit team’s observations and recommendations based on the evidence collected and analysis performed. They are presented by issue and linked to three key processes which are essential to the efficiency and effectiveness of the BCP program.

In order to assist management in preparing its action plan, the audit recommendations have been labelled according to the following three categories to reflect their degree of importance:

  • High significance – major control weaknesses and/or unacceptably high level of risk;
  • Medium significance – control weakness affecting operational efficiency and/or credibility; and
  • Low significance – control or process weakness contributing to inefficiency.

3.2.1    Business Impact Analysis

Business impact analysis is an important component of a BCP program as it is designed to enable departments to identify and prioritize their critical services based on their criticality. As per TBS BCP Standard, the Department must conduct a business impact analysis to assess the impacts of disruptions and to prioritize its critical services and associated assets. Senior management approval of the results of the business impact analysis is also required before proceeding with the development of business continuity plans and arrangements.

In 1998, for reasons unrelated to BCP, DFO prioritized its critical functions and mapped them to the systems and assets sensitive to the Y2K problem. The results became the basis of the current mission critical functions list, which BCP stakeholders consider to be the list of critical services. This Y2K exercise was not originally meant to be a business impact analysis as understood by BCP practitioners. Analysis performed by the audit team also confirmed that the objectives, processes and results of this exercise do not fulfill the business impact analysis requirements defined by the TBS BCP Standard.

Since 2005, BCP program management has made three attempts to streamline the original mission critical functions list and its related mission critical function (MCF) description sheets. The results achieved were not deemed satisfactory by management. BCP program management explained that it encountered challenges related to the lack of resources at the national level due to changes in priorities, the lack of engagement from some stakeholders, and the difficulty sectors had in determining which services would cause a high degree of injury to Canadians and to the government if disrupted. Based on interviews, this is mainly due to differing interpretations of the TBS definition of “critical services” and to some sectors wanting their functions on the list irrespective of criticality. Overall, few documents supporting these revision attempts were provided. As a result, the audit team found no evidence of how the list of mission critical functions has evolved since the original exercise, nor of senior management approval of its different iterations.

The current mission critical functions list is still criticized by both National and Regional BCP Coordinators for being outdated, for not reflecting regional realities and for identifying too many services as critical, despite the fact that category C mission critical functions were recently eliminated as deemed non-critical. The audit team reviewed the content of the current mission critical functions list and found that it still includes non-critical services and dependencies listed as critical services.

There is a need to clarify and ensure a common understanding of what is considered a critical service for DFO, consistent with the definitions and spirit of the TBS BCP Standard. In 2009, Public Safety Canada issued new definitions which will help address this matter. Program management and some Regional BCP Coordinators acknowledged the need to conduct a new business impact analysis exercise aligned with the new DFO Program Activity Architecture; however, they are concerned about their capacity and the sectors’ engagement. It is suggested that program management consider Public Safety Canada’s best practices when conducting its business impact analysis.

Recommendation (High Significance):

1. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that a business impact analysis process is conducted with the sectors concerned under the direction and coordination of the Departmental Security Officer. The Departmental Security Officer should coordinate the approval of the business impact analysis results by senior management.

3.2.2    Recovery Strategies

The purpose of the recovery strategies process is to develop and assess recovery options for each critical service identified in the business impact analysis. Each option is assessed in terms of possible disruption, impact on the Department, benefits, risks, feasibility and cost, in order to select the most appropriate strategy. For example, recovery options may include the use of consultants, contracts with providers, use of a “hot site” or alternative BCP facility, mirrored sites, and reciprocal arrangements with internal and external suppliers and equipment vendors. Final recovery strategies are selected from the recovery options developed; they must address IM&IT continuity issues and require senior management approval for support and funding.

The audit team found no evidence of formal identification and assessment of recovery options for each critical service. It is important to note that the DFO BCP Standard does not refer to recovery options or final recovery strategies, and there is no formal process in place to identify and assess recovery options. Furthermore, the audit team found no evidence that senior management has been presented with recovery options or final recovery strategies; hence these may not be supported financially and operationally. As a result, final recovery strategies might not be identified or, when identified, might not be effective, efficient or even feasible, and resources (financial and human) may be wasted.

Assessment of recovery options is done on an ad hoc basis. Two regions raised concerns about the recovery activities related to Marine Communications and Traffic Services, as the cost of the options was prohibitive. One of these regions identified and costed a recovery option. The assessment and option were presented to sector management but no decision was made. Consequently, the business continuity plan for that site has not been put in place. Decisions must be documented to reinforce accountability and to identify the risks accepted or mitigated by management.

When asked about recovery strategies, BCP staff pointed to the initial steps section of the mission critical function description sheets. The purpose of this section is to identify 5 to 10 high-level steps for restoring the critical function. However, there is no evidence of how the initial steps were assessed in terms of possible disruption, impact on the Department, benefits, risks, feasibility and cost. Some stakeholders criticize these initial steps as weak final recovery strategies that are not aligned with the reality of sites. Based on the audit team’s analysis, these initial steps do not satisfy the purpose of a recovery strategy.
 
Recommendations (High Significance):

2. The Assistant Deputy Minister, Human Resources and Corporate Services should:

i) Define and implement a formal process to identify recovery options for each critical service and to select final recovery strategies with the engagement of sectors concerned under the direction and coordination of the Departmental Security Officer.

ii) Have the Departmental Security Officer coordinate approval of the recovery strategies by senior management to ensure their support and funding of selected strategies.

iii) Ensure that senior management decisions made on final recovery strategies are documented and reflected in the relevant business continuity plans.

3.2.3    Integration of Information Management and Information Technology (IM&IT) Continuity Planning

Many of the essential and critical business services identified in the business continuity plans are dependent on information technology systems and services for their normal, efficient and reliable delivery. These dependencies must be identified and plans for the recovery and continuity of information technology services must be developed, maintained and tested in conjunction with the related business services and operations.

Based on the TBS BCP Standard, departments must develop IM&IT continuity plans as part of their BCP and recovery activities, and must integrate IM&IT continuity planning into the BCP program. This integration is meant to allow departments to restore essential information technology capabilities within the time constraints and availability requirements specified in the departmental business continuity plans.

Progress has been made in the last two years in developing an IM&IT continuity plan supporting the BCP program. Collaboration between Information Management and Technology Services staff, BCP program management and sectors at the national level helped to map information technology applications and systems for category A critical services. Information Management and Technology Services is currently developing recovery options and associated costs for the information technology dependencies identified in the plan, which will address the gaps between the recovery time expected by the sectors and the capacity of the available infrastructure.

Currently, roles and responsibilities are not defined for the players involved in the development, maintenance and testing of the IM&IT continuity plan, though management is in the process of drafting a directive to address this issue.

The IM&IT continuity plan is partially completed, and information technology management and staff are committed to continuing the work with the engagement of sectors to ensure complete coverage of critical services and to address the feasibility of options in relation to the recovery times set by sectors.

Work remains to further the integration of IM&IT into the BCP program: the IM&IT continuity plan does not yet address category B critical services (currently under development); its dependencies are not yet integrated into the mission critical function description sheets or into the business continuity plans and template; and stakeholders are not aware of its content or of their roles. The DFO BCP Standard does not clearly define the integration of IM&IT continuity planning into BCP. Management also needs to resolve how the IM&IT continuity plan and its related procedures will link to the business continuity plans.

Recommendation (Medium Significance):

3. The Assistant Deputy Minister, Human Resources and Corporate Services should define a strategy to strengthen the integration of IM&IT continuity planning to the departmental business continuity planning activities under the direction of the Departmental Security Officer and the Chief Information Officer.

3.2.4    Plans and Arrangements

The processes for business continuity plan development, maintenance, review and approval are defined in the DFO BCP Standard; however, some of its controls need to be strengthened and better supported.

Plan Development

Business continuity plans should be based on the information from the business impact analysis and recovery strategy processes. Plans and arrangements should contain several elements described broadly by the TBS BCP Standard and further elaborated by Public Safety Canada’s Guide to the Assessment of BCP Programs and in the Supporting (Technical) Documentation for the BCP Standard. These elements were considered in the audit team’s plan review. It was beyond the scope of this audit to verify the accuracy of the data contained in the plans and of the information supporting it (e.g. contracts or agreements for alternate sites). As per the DFO BCP Standard, sites should use the DFO BCP template and its related guide to prepare their business continuity plans.

The DFO template is not used consistently across regions. Of the 20 plans reviewed, 10 were based on the old version of the Public Safety template, nine were based on the DFO template and one was not based on any template. Furthermore, the DFO template is missing key elements.

All reviewed plans contained team membership (names and positions) for the response and recovery teams; however, very few contained clear roles and responsibilities and contact information for their members. Most plans listed minimum service requirements, critical assets and critical infrastructure, as well as alternate arrangements such as BCP team meeting sites and sites for relocation.

Most plans were missing procedures for recovery that would detail the steps to recover critical services and procedures related to activation and relocation, alternate facility operations, and reconstitution (e.g. termination and return to normal operations). The audit team noticed that most plans are not aligned to the current mission critical functions list, are missing communications strategies and are not aligned with the IM&IT continuity plan.

All of the DFO business continuity plans reviewed remain incomplete, creating a risk that DFO’s response to a disruptive event will not ensure continuity of critical services in an organized, effective or efficient manner.

A “Key Activity Guide” was introduced by program management as a tool to complement the plans. It was inspired by another government department and, as explained by program management, remains very generic as it was never fully adapted to DFO’s context. It addresses some of the missing elements (e.g. procedures for activation and implementation of the business continuity plan and a communication process). According to program management, regions were invited in 2009 to update their plans based on the new DFO template and were informed that the “Key Activity Guide” should no longer be used. The DFO BCP Standard still contains a reference to it. However, some Regional BCP Coordinators and Site Team Leaders continue using it, as no other option has been presented to provide guidance on response and recovery matters.

Plans developed based on the current DFO template do not address all required elements, and the usage of the “Key Activity Guide” cannot fill the gaps. As a result, there is a risk that activation of plans will not be successful or done adequately and efficiently to assure continued availability of critical services in case of a disruption. This is due in part to a lack of awareness of the best practices advocated by Public Safety Canada and the requirements of the TBS BCP Standard.

Recommendation (Medium Significance):

4. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that the tools for the plan development process are strengthened to address deficiencies and ensure that their use is reinforced.

Plan Maintenance, Review and Approval

Plan maintenance activities are an important component of the BCP program. They enable departments to take into account organizational changes or changes to critical services. These changes could include changes in the departmental mandate, legislation or binding agreements, senior management, the threat environment, operations, critical services, internal or external dependencies, stakeholders, suppliers, or team arrangements. A key role of plan administrators is to ensure that changes have been reflected in plans and that the teams are kept apprised of changes.

The plan review and approval processes are defined in the DFO BCP Standard; however, responsibility for updating plans is not clearly assigned, and review activities by Regional and National Coordinators are not clearly defined. The controls over plan updates include multiple layers of review and approval: maintenance of the plan by the Site, then a review by the Regional BCP Coordinator, followed by review and technical approval by the National BCP Coordinator, before final approval by the Regional Director General or the Canadian Coast Guard Assistant Commissioner. Once approved, the plans should be stored in the national and regional plan repositories.

In practice, plans are not reviewed by Regional Coordinators as prescribed by the DFO BCP Standard. The plan review cycle varies greatly, with some Regional Coordinators having a three-year plan review cycle while others have not reviewed their plans since 2005. It was explained to the auditors that Site Team Leaders are not always engaged in updating their plans on an on-going basis due to a lack of accountability. The National BCP Coordinator does not always review and technically approve business continuity plans. Program management explained that technical approval was not well defined and that plans were reviewed on an ad-hoc basis and when capacity permits. The 2009 review cycle was not completed due to the involvement of BCP staff in special events such as the Olympics and the potential H1N1 pandemic. An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should also respond to rapidly changing risks.

The audit team noted that some plans have not been updated since 2005. It was also found that the national repository does not always contain the most recent version of plans.

As per the DFO BCP Standard, each land-based site should have a business continuity plan. As per the 2008 BCP Status Report, 90% of sites carrying critical services have plans, and only 45% of all plans were identified as being approved. Evidence of approval was provided for only 2 of the 20 plans requested. With plans not being approved, there is a risk of plans not being supported financially and operationally. Approval provides for commitment and accountability.

The annual approval process related to the maintenance of plans described in the DFO BCP Standard is not always followed. It is a burdensome process requiring Senior Management approval for all business continuity plans regardless of the importance of the changes, and furthermore it is not required by the TBS BCP Standard.

National BCP staff have developed monitoring tools such as the BCP Status Reports. The last report identified issues including the lack of plan approval or plan approval done at inappropriate levels, sites lacking plans, and a last review update dating from 2007 or earlier for most regions. The results of this monitoring are not followed up with corrective measures. Hence, there are weaknesses in the oversight activities and in the monitoring of plan approval at the national level. Lack of oversight and monitoring does not permit the escalation and resolution of issues at higher management levels when required.

Recommendation (Medium Significance):

5. The Assistant Deputy Minister, Human Resources and Corporate Services should:

i) Ensure that maintenance of all plans is done, on an adequate basis to reflect changing risks and circumstances, by the sectors concerned under the direction and coordination of the Departmental Security Officer.

ii) Ensure that roles and responsibilities related to plan maintenance process are clearly defined and communicated in order to reinforce accountabilities.

iii) Ensure that review and approval controls are reviewed to take into account the resource level, rapidly changing risks and circumstances, and the importance of changes justifying re-approvals. The review activities for Regional and National Coordinator should be clearly defined.

iv) Strengthen the monitoring and reporting function of the BCP activities and ensure that issues identified, including lack of plan approval and the absence of plans, are addressed at the appropriate level.


4.0     Management Action Plan

Each recommendation is listed below with its Management Action Plan, the Status Report Update (actions completed and actions outstanding) and the Target Date for each action.

1. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that a business impact analysis process is conducted with the sectors concerned under the direction and coordination of the Departmental Security Officer. The Departmental Security Officer should coordinate the approval of the business impact analysis results by senior management. (High Significance)

Management Action Plan:

  • Consideration will be given to re-organizing the Corporate Business Continuity and Emergency Services section in order to increase capacity in that area. Target Date: December 2010
  • A consultant will be hired by the Departmental Security Officer to assist in the conduct of the business impact analysis. Target Date: May 2011
  • The ADM, HRCS will send a memo to all Sector Assistant Deputy Ministers, Canadian Coast Guard and Regional Director Generals advising them that their collaboration will be required in the conduct of the business impact analysis, which will assess the impacts of disruptions on the department and identify and prioritize critical services and associated assets. Target Date: June 2011
  • Conduct of business impact analysis: the Departmental Security Officer will co-ordinate activities and will assist sectors to conduct a business impact analysis aligned with the new Program Activity Architecture, but responsibility and engagement for participating in the exercise remains with all sectors concerned. Target Date: start of business impact analysis in June 2011
  • The Departmental Security Officer will obtain support/vetting for the business impact analysis results through the Security and Emergency Management Advisory Committee (SEMAC). Target Date: October 2011
  • The ADM, HRCS will present the business impact analysis results to the Departmental Management Committee for approval. Target Date: December 2011
2. The Assistant Deputy Minister, Human Resources and Corporate Services should (High Significance):

i) Define and implement a formal process to identify recovery options for each critical service and to select final recovery strategies with the engagement of sectors concerned under the direction and coordination of the Departmental Security Officer.

Management Action Plan:

  • The Departmental Security Officer will define and document a formal recovery strategy process (which includes identification and assessment of IT dependencies).
  • The Departmental Security Officer will work in collaboration with IM&IT to help finalize the Directive on Development, Maintenance and Testing of IT Continuity Plans currently being developed, which will define clear roles and responsibilities for all stakeholders to ensure the identification and maintenance of recovery options (IT dependencies) for each critical service. The Directive will also ensure that IT continuity plans are prepared, reviewed and tested on a regular basis. Status Report Update: IT continuity planning process, Directive currently under development (draft stage); IM&IT has completed the identification of IT dependencies for all current category A critical services and is currently developing recovery options and associated costs for those to address gaps between expected recovery time and existing capacity. Target Date: April 2011
  • The Departmental Security Officer will co-ordinate activities related to the identification of recovery strategies, ensuring they are aligned with the critical services, but responsibility and engagement for the identification and assessment of options, including funding requirements and approval of these recovery strategies, remains with the sectors concerned. Target Date: begin October 2011, end February 2012

ii) Have the Departmental Security Officer coordinate approval of the recovery strategies by senior management to ensure their support and funding of selected strategies.

Management Action Plan:

  • The Departmental Security Officer will make a presentation to SEMAC for support/vetting of recovery strategies. The membership of this committee includes key sector representatives, Canadian Coast Guard, Chief Information Officer, Regions, Departmental Security Officer and Assistant Deputy Minister, Human Resources and Corporate Services. Target Date: March 2012
  • The ADM, HRCS will make a presentation to the Departmental Management Committee to seek approval of the recovery strategies. Target Date: March 2012

iii) Ensure that senior management decisions made on final recovery strategies are documented and reflected in their business continuity plans.

Management Action Plan:

  • The DSO will ensure the DFO Business Continuity Planning template is amended to include the final recovery strategies. Senior management approval and decisions will then be documented and available on site. Target Date: begin October 2011, end December 2011
  • The Departmental Security Officer will monitor this component on a regular basis in the first six months and then on an ad hoc basis. Target Date: September 2012
3. The Assistant Deputy Minister, Human Resources and Corporate Services should define a strategy to strengthen the integration of IM&IT continuity planning to the departmental business continuity planning activities under the direction of the Departmental Security Officer and the Chief Information Officer. (Medium Significance)

Management Action Plan:

  • The Departmental Security Officer and Chief Information Officer will work together to develop a strategy to strengthen the integration of IM&IT continuity planning into the business continuity planning activities. Status Report Update: the IM&IT continuity plan is a work in progress and its first version was recently approved by the Informatics Steering Committee and the Informatics Management Board and sent to regions. Target Date: June 2011
  • The Departmental Security Officer and Chief Information Officer will continue the work undertaken to finalize IM&IT continuity plans and the related IT Directive, ensure full communication to all key stakeholders, and integrate IT continuity plan essential components into business continuity plans. Target Date: December 2011

4. The Assistant Deputy Minister, Human Resources and Corporate Services should ensure that the tools for the plan development process are strengthened to address deficiencies and ensure that their use is reinforced. (Medium Significance)

Management Action Plan:

  • The Departmental Security Officer will set up a Business Continuity Working Group (with Terms of Reference). One of its objectives will be to review and update existing tools to ensure they are strengthened to include missing elements to comply with the TBS BCP Standard and Public Safety Canada’s best practices (Guide to the Assessment of BCP Programs and the Supporting (Technical) Documentation for the BCP Standard). Target Date: September 2011
  • Once the tools are updated and vetted by the Business Continuity Working Group (chaired by the Departmental Security Officer), they will be communicated to all key stakeholders to reinforce their use. Target Date: February 2012

5. The Assistant Deputy Minister, Human Resources and Corporate Services should (Medium Significance):

i) Ensure that maintenance of all plans is done, on an adequate basis to reflect changing risks and circumstances, by the sectors concerned under the direction and coordination of the Departmental Security Officer.

Management Action Plan:

  • The Departmental Security Officer will ensure a reporting template is developed which will include a risk assessment portion and be provided to SEMAC on an annual basis to address issues. This reporting will be done through the Regional Coordinators. A reporting schedule will be developed in consultation with IM/IT, Sectors and Regional Coordinators. Target Date: February 2012
  • To reinforce engagement from the sectors, the BCP Working Group will develop a new Business Continuity Planning Policy to highlight roles and responsibilities related to the maintenance of plans as well as the oversight and monitoring of the plans at all levels. Target Date: begin in September 2011
  • The BCP Policy will be presented to the Security and Emergency Management Advisory Committee by the Departmental Security Officer. Target Date: May 2012
  • The BCP Policy will be presented by the ADM, HRCS and will be approved by the Departmental Management Committee. Target Date: May 2012
  • A memo will be sent from the Assistant Deputy Minister, Human Resources and Corporate Services to reinforce participation in the recovery strategy process and in the maintenance of the plans. Target Date: October 2011

ii) Ensure that roles and responsibilities related to the plan maintenance process are clearly defined and communicated in order to reinforce accountabilities.

Management Action Plan:

  • The Business Continuity Working Group will update the DFO BCP Standard to clearly assign responsibility for updating the plans. Target Date: December 2011
  • The BCP Policy will clearly define and reinforce roles and responsibilities related to the program governance. These will be communicated to all stakeholders. Target Date: May 2012

iii) Ensure that review and approval controls are reviewed to take into account the resource level, rapidly changing risks and circumstances, and the importance of changes justifying re-approvals. The review activities for Regional and National Coordinators should be clearly defined.

Management Action Plan:

  • The Business Continuity Working Group will review its plan review cycle and approval controls (including roles and responsibilities) to reflect changes in risks and to take into account the resource level. The change will be formally communicated to all key stakeholders. Target Date: February 2012
  • The Business Continuity Working Group will update the DFO BCP Standard to define the review activities carried out by Regional and National Coordinators to ensure an effective independent challenge to sectors’ business continuity plans. Target Date: begin September 2011, end February 2012

iv) Strengthen the monitoring and reporting function of the BCP activities and ensure that issues identified, including lack of plan approval and the absence of plans, are addressed at the appropriate level.

Management Action Plan:

  • Discrepancies, lack of plans and lack of plan approval will be brought to the attention of the Regional Director Generals and Sector Assistant Deputy Ministers through SEMAC by the Departmental Security Officer. Target Date: February 2012
  • The Departmental Security Officer will ensure the challenge to sector BC plans is reinforced. The monitoring will be risk-based. In 2012, this will be done on a quarterly basis.

1 DFO has categorized its mission critical services in three categories based on restoration time: category A requires immediate restoration, category B requires restoration between 2 and 14 days, and category C requires restoration either after all category B functions have been restored or after 14 days, whichever is earlier. The list was recently adjusted to remove all category C services. The list now contains 90 critical services. The departmental intranet site has not been updated to reflect the change and still contains 106 critical services. Based on interviews, the change was communicated to stakeholders, but the last iterations were not presented to senior management for approval.