Archived - Audit of Business Continuity Planning - Follow-up Report Status Update as of December 31, 2012

Archived information

This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

PDF Version (53 KB, 11 Pages)

Action Plan Implementation Status Update Report to the Audit Committee - As of December 31, 2012

Chief Financial Officer

Audit of Business Continuity Planning
Approval Date: 20/06/2011

Project Recommendations	Action Plan	Expected Completion Date	Program Response
1. Develop a multi-year plan that addresses gaps in the BCP Program and present it to an executive committee for review and approval. The planning process should include a reassessment of the program objectives, establishment of measurable goals and targets, development of fully costed strategies to implement the program, and a reassessment of BCP Program governance.	The Director, ITSD – in collaboration with the DSO – will: Conduct an organizational assessment to determine the best-fit placement of the function, and options for management consideration regarding changes to program governance for improving the effectiveness of the program. Assessment will include capacity options given current state (eg. BCP Coordinator position is currently vacant), and the training requirements associated to BCM-related responsibilities. Develop a 3 year tactical plan which prioritizes and addresses the identified gaps within the Business Continuity Management (BCM) file commensurate with the risk each gap presents, and present the plan to the Departmental Operations Committee (DOC) for approval. This plan will include: Establishment of measureable goals/targets Development of fully costed strategies and options for DOC consideration (human resources, systems, etc)		PROGRAM RESPONSE: Status: Underway Update/Rationale: As of 31/03/2012: An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies that the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 / deployment). A 3 year tactical plan has been begun, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13. Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan.
	Actions Draft of organizational assessment for circulation and comments	End Q2, 2011-12	PROGRAM RESPONSE: Status: Underway Update/Rationale: As of 31/03/2012: An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies that the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 / deployment).
	Draft of tactical plan for circulation and comments	Mid Q3, 2011-12	PROGRAM RESPONSE: Status: Underway Update/Rationale: As of 31/03/2012: A 3 year tactical plan has been begun, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13.
	Presentation of organizational assessment and tactical plan including viable options to DOC	End Q3, 2011-12	PROGRAM RESPONSE: Status: Underway Update/Rationale: As of 31/03/2012: Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan. AES: Closed.
2. Revise the AANDC BCM Policy to ensure that roles and responsibilities for directing and reporting on the BCP Program are clear.	The Director, ITSD – in collaboration with the DSO – will: Consult with key stakeholders, including but not limited to: the three (3) Critical Service program areas, a sample of Critical Support Service program areas and Regions, Communications, and Public Safety Canada to refresh roles and responsibilities pertaining to BCM. Update the BCM Policy to reflect: updated roles and responsibilities, mandatory seniority level of BCM representation in Regions and Sectors, and input from organizational assessment (Item #1 above), including the more explicit definition of the BCP Coordinator’s challenge function identified within Item #3.		Status: Request to Close Update/Rationale: As of 31/12/2012: Draft revision completed. AANDC BCM directive will now point to the TBS BCP Standard with annexes of departmental specific requirements. BCP communications plan completed and signed off by the Deputy Minister.
	Actions Begin consultations with key stakeholders	Mid Q2, 2011-12	Status: Request to Close (Completed) Update/Rationale: As of 31/12/2012: Consultation with key stakeholders occurred but consultation will continue with Public Safety as the BCM policy instrument is still not ready to be published.
	Updated BCM policy presented to DOC for approval	Mid Q4, 2011-12	Status: Underway Update/Rationale: As of 31/12/2012: To be scheduled for upcoming DOC. AES: Closed.
3. Ensure that the Departmental BCP Coordinator plays a more active role in advising and challenging managers of critical services and critical support services throughout the process of developing, testing and updating BIAs and BCPs.	Director, ITSD – in collaboration with the DSO – will: Working with Communications, develop a communication plan to ensure that the authority of the new BCP Coordinator is readily shared with all stakeholders in the department. Emphasis will be placed on the advisory services provided by the BCP Coordinator. Implement operationalized processes based on new BCM policy similar to IT Security Certification and Accreditation process (CIO, DSO, and DG of responsible program area will need to formally sign off on yearly BIA/BCP updates) for existing Critical Services and Critical Support Services. This process will include a provision by which the CIO and DSO will not endorse the signoff of BIA/BCP without appropriate endorsement by BCP Coordinator. Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1.		Status: Request to close (completed) Update/Rationale: As of 30/09/2012: A Communications Plan has been updated by the Communications Branch in consultation with the Information Management Branch. The plan should be ready for approval in Q3.
	Actions Communication Plan developed	End Q3, 2011-12	Actions 1) PROGRAM RESPONSE: Status: Request to close (completed) Update/Rationale: As of 09/11/2012: A Communications Plan has been updated by the Communications Branch in consultation with the Information Management Branch. The plan should be ready for approval in Q3. 2) PROGRAM RESPONSE: Status: Request to Close (completed) Update/Rationale: As of 09/11/2012: New endorsement process has been developed for updating and recording progress of BIA/BCP updates on an annual basis, with initial focus on Level 1 and Level 2 services. This process has been initially shared with the Regional/Sector BCP Coordinators and has been approved by the OC (March 2012). Consultation with the DSO was done to ensure alignment, and to help inform the Departmental Security Plan update process in future years. The process will be updated as necessary for the next cycle, as lessons learned are recorded and addressed. AES: Implemented. Closed.
	Updated BIA/BCP sign off process designed and developed, presented in conjunction with BCM refreshed policy to DOC.	Mid Q4, 2011-12
4. Develop a formal training and awareness program for BCP Coordinators and managers of critical services (and critical support services). The level of formal training should consider the extent to which the Departmental BCP Coordinator also provides advice and hands-on support throughout the process of developing and testing BIAs and BCPs.	Director, ITSD – in collaboration with the DSO – will: Consult with Public Safety to determine if new training and awareness products are available for use by client departments. Review existing BCM-related material available to the department (such as the Institute for Continuity Management or the Canada School of Public Service) and establish baseline mandatory and/or recommended training for BCM-related roles, in consideration of DOC guidance provided regarding Item #1. Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1. Note: AANDC's BCP Awareness/Training approach was approved by Public Safety during H1N1 – ie. providing templates and being available for consultation on an "as needed basis". However, we do agree with the audit results that a more comprehensive approach, particularly for Critical Services and Critical Support Services would continue to mature the BCM function and increase the effectiveness of BCP-efforts.		Status: Request to close (completed) Update/Rationale: As of 30/09/2012: PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material.
	Actions Consultation with Public Safety	End Q1, 2011-12	Actions 1) PROGRAM RESPONSE: Status: Request to Close (completed) Update/Rationale: As of 09/11/2012: Please see previous rationale; no material exists for adoption by Public Safety Canada. 2) PROGRAM RESPONSE: Status: Request to Close (completed) Update/Rationale: As of 09/11/2012: PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material. 3) PROGRAM RESPONSE: Status: Request to Close (completed) Update/Rationale: As of 09/11/2012: PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material. AES: Substantially implemented. Closed.
	Formalize training material for managers of Critical Services and Critical Support Services	Beginning Q4, 2011-12
	Integrate training coverage as part of reporting process implemented for Item #5.	Beginning Q4, 2011-12
5. Improve monitoring and reporting of the effectiveness of the BCP Program in regions and sectors to support continuous improvement and oversight (e.g., semi-annual reporting to an executive committee on the state of the BCP Program, including significant program gaps, resolution rates for issues identified through BCP testing and disruptions, completion rates for various levels of BCP testing, completion rates for BCP training, etc.).	Director, ITSD – in collaboration with the DSO – will: Build upon the policy update (Item #2) and operationalized process development (Item #3) to ensure that biannual updates are provided across Regions and Sectors which are signed off at a sufficiently senior level (DG or above), including training coverage. Develop a "scorecard" for Critical Services and Critical Support Services (NCR and Regionally) and provide to responsible DGs on a biannual basis, which considers: Existing BCM gaps – BIA/BCP completion rates and completeness of plans Status of testing (exercises) Post mortems (both testing and post-events)		Status: Request to Close (Completed) Update/Rationale: As of 31/12/2012: Draft policy instrument update has strengthened language around roles and responsibilities for RDGs & ADMs and sector/regional BCP coordinators. Call letter sent to RDGs and ADMs from the office of the CFO in Q1 to request the review of all BIAs and BCPs. Updates with sectors and regions currently underway. The development of the Critical Service Scorecard is completed. Once critical services coordinators have completed yearly reviews and updates, score carding will be applied.
	Actions Pilot Critical Service is identified, with review in Q1 2012	Mid Q4 , 2011-12	Status: Underway Update/Rationale: As of 31/12/2012: Once critical services coordinators have completed yearly reviews, score carding will be applied.
	Rollout to remaining Critical Services and Critical Support Services throughout 2012	FY 2012	Status: Underway Update/Rationale: As of 31/12/2012: Once critical services coordinators have completed yearly reviews, score carding will be applied.
	Aggregation of scorecards presented to DOC biannually, beginning in early 2012.	FY 2012	Status: Underway Update/Rationale: As of 31/12/2012: Once critical services coordinators have completed yearly reviews, score carding will be applied. AES: Closed

Did you find what you were looking for?

What was wrong?

I can't find the information

The information is hard to understand

There was an error or something didn't work

Other reason

Please provide more details

You will not receive a reply. Don't include personal information (telephone, email, SIN, financial, medical, or work details).
Maximum 300 characters

Date modified:: 2013-09-16