Audit of Business Continuity Planning
August 2017
PDF Version (161 Kb, 24 Pages)
Table of contents
Acronyms
BCM |
Business Continuity Management |
---|---|
BCP |
Business Continuity Planning |
BIA |
Business Impact Analysis |
CFRDO |
Chief Finances, Results and Delivery Officer |
CIO |
Chief Information Officer |
DGIOC |
Directors General Implementation and Operations Committee |
DRP |
Disaster Recovery Planning |
HR |
Human Resources |
INAC |
Indigenous and Northern Affairs Canada |
IT |
Information Technology |
OSS-BCPP |
Operational Security Standard for Business Continuity Planning Program |
PGS |
Policy on Government Security |
SSC |
Shared Services Canada |
TBS |
Treasury Board Secretariat |
TRA |
Threat and Risk Assessment |
Executive Summary
Background
The Audit and Assurance Services Branch of Indigenous and Northern Affairs Canada ("INAC" or "the Department") identified the Audit of Business Continuity Planning in the Department's 2016-2017 to 2018-2019 Risk-Based Audit Plan mid-year update, which was approved by the Deputy Minister on September 13, 2016. The audit was identified as a high priority due to the significance of recent departmental events requiring the use of a business continuity plan. The audit was initiated in December 2016, and audit fieldwork concluded in April 2017. This report details the results of the audit.
Audit Objective and Scope
The objective of the audit was to assess the adequacy, efficiency and effectiveness of the design of the management control framework established for developing, maintaining and operationalizing the Department's Business Continuity Planning (BCP) Program.
The audit scope focused on assessing the governance framework,Footnote 1 the development of business continuity plans, the readiness and awareness of INAC's BCP Program, and the management controls in place to ensure that INAC has the capacity to deliver the BCP Program in compliance with applicable legislation and policies.
Audit work considered the incident management and internal emergency management processes that overlap and/or integrate with the BCP Program. Audit work also considered arrangements with external service providers, including other government departments, in support of the Department's overall BCP strategy. The scope was limited to those processes, agreements and controls that intersect or overlap with the BCP Program and excluded examining the internal emergency management and incident management programs in their entirety. The scope also excluded the Emergency Management Assistance Program, which is specific to emergency incidents occurring on First Nation Reserves.
Statement of Conformance
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
Conclusion
The Department has established a management control framework for developing, maintaining, and operationalizing its Business Continuity Plan. Also, the BCP Program is currently under review to strengthen readiness and awareness due to challenges experienced during recent incidents, including INAC office occupations.
Recognizing that changes are currently underway, opportunities to improve key elements of the BCP management control framework were identified, including strengthening the: governance structure and monitoring of the BCP Program; process for developing business continuity plans; and, communication and training provided to staff involved in BCP activities.
Recommendations
Based on observations made during the audit, the audit team recommends that the Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization :
- Strengthen the BCP governance framework by:
- Reviewing and assessing the roles and responsibilities needed to implement the BCP Program requirements;
- Reviewing, updating and communicating BCP governance, policies and procedures;
- Reviewing and reinforcing how support is delivered to regional/sectoral BCP Coordinators to promote effective development of business continuity plans; and
- Strengthening the monitoring and reporting of the effectiveness of BCP, and formalizing a results-based reporting framework to promote accountability.
- Strengthen the practices for developing business continuity plans by:
- Reviewing, refining, clarifying and communicating BCP guidance material, including department-defined critical services and critical support services, to staff involved in BCP activities
- Reviewing and reinforcing how priorities within and across sectoral/regional business continuity plans are identified and aligned; and
- Conducting an assessment to determine whether the BCP Refinement Strategy promotes the effective development and integration of BIAs and business continuity plans, with appropriate consideration to stakeholder interdependencies.
- Strengthen the BCP Program readiness and awareness by:
- Formalizing a training and awareness program for regional/sectoral BCP Coordinators to carry out BCP-related responsibilities; and
- Conducting an assessment to determine whether the BCP Program Refinement Strategy effectively promotes BCP Program awareness and readiness, including ensuring that business continuity plans are maintained, accessible and tested on a regular basis.
Management Response
Management agrees with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.
1. Background
The Audit and Assurance Services Branch of Indigenous and Northern Affairs Canada ("INAC" or "the Department") identified the Audit of Business Continuity Planning in the Department's 2016-2017 to 2018-2019 Risk-Based Audit Plan mid-year update, which was approved by the Deputy Minister on September 13, 2016. The audit was identified as a high priority due to the significance of recent departmental events requiring the use of a business continuity plan. The audit was initiated in December 2016, and audit fieldwork concluded in April 2017. This report details the results of the audit.
1.1 Context
Business continuity planning (BCP) is a "proactive planning process that ensures critical services are delivered during a disruption.Footnote 2 A critical service is one whose compromise would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada.Footnote 3
A business continuity plan includes the plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets. The plan also identifies necessary resources to support BCP, including personnel, information, equipment, financial obligations, legal counsel, infrastructure protection and accommodations.Footnote 4
Business continuity plans are not meant to cover all organizational services or activities, but rather the organization's critical services as well as any services that directly or indirectly support critical services, referred to as "critical support services".
Business impact analyses (BIAs) must be performed to assess the impacts of disruptions on the organization and to identify and prioritize critical services and associated support services and assets. The business continuity plans should be established based on the results of the BIAs. The performance of BIAs and development of business continuity plans should be consistent across the organization and the results of these activities should be documented, comprehensive and approved.Footnote 5
As part of the Government of Canada's baseline security requirements described in the Treasury Board Policy on Government Security (PGS) and the associated Operational Security Standard - Business Continuity Planning Program (OSS-BCPP), departments must establish a BCP Program to provide for the continued availability of services and associated assets that are:Footnote 6
- Deemed critical to the health, safety, security, or economic well-being of Canadians;
- Deemed critical to the effective functioning of government; or
- Warranted by a threat and risk assessment (TRA).
The OSS-BCPP states that a BCP Program is composed of four elements:Footnote 7
- The establishment of BCP Program governance;
- The conduct of a BIA;
- The development of business continuity plans and arrangements; and
- The maintenance of BCP Program readiness.
BCP complements incident management, which is the discipline of protecting personnel and containing/neutralizing threats and hazards, as well as internal emergency management, which is the discipline of preventing and mitigating emergencies with an emphasis on emergency prevention, mitigation, preparedness, response and recovery.Footnote 8 BCP ensures critical services can continue to be delivered throughout a disruption, while emergency management seeks to minimize damage and bring the incident under control in a timely manner.Footnote 9
1.2 BCP at INAC
At INAC, BCP is recognized and administered as a formal program within the Information Management Branch of the Chief Finances, Results and Delivery Officer (CFRDO) Sector. INAC outlines the roles and responsibilities for implementing the BCP Program through its Policy on Business Continuity Management (BCM). The Policy on BCM adopts the Treasury Board OSS-BCPP.
Per the OSS-BCPP, the Departmental Security Officer (DSO) is to direct and coordinate the security program, which includes BCP. At INAC, the DSO, within the Human Resources and Workplace Services Branch, is responsible for establishing and directing the departmental security program that ensures coordination and implementation of all BCP Program requirements, issues and functions. The Chief Information Officer (CIO), within the CFRDO Sector, is responsible for directing and managing the BCP Program and monitoring compliance to the Policy on BCM. Also consistent with the OSS-BCPP, INAC has appointed a full-time Departmental BCP Coordinator who is responsible for the Departmental BCP Program and ongoing liaison with the DSO. Reporting to the CIO, the Departmental BCP Coordinator is responsible for the development and maintenance of the overall BCP Program.
The BCP Program is coordinated at the national level, and applies to all regions and sectors of INAC. The development of region- and sector-specific business continuity plans is the responsibility of regional/sectoral heads (i.e. Regional Directors General and Assistant Deputy Ministers). Specifically, regional/sectoral heads are accountable to the Deputy Minister for the effectiveness and maintenance of BCP for their respective organizations. They are responsible for ensuring departmental expert review and compliance with the BCP Program requirements. Each region and sector has a BCP Coordinator to support the implementation, maintenance, and testing of the BCP Program. Regional/sectoral BCP coordinators perform these activities on a part-time basis and have other full-time duties, which typically fall within the region/sector's corporate services. Most regional/sectoral BCP Coordinators also act as the security officer for their region/sector.
1.3 BCP changes underway at INAC
At the time of this audit, INAC already had multiple internal initiatives underway to strengthen its BCP Program. As an example, a ‘Lessons Learned' report was recently developed further to 2016 Occupy INACFootnote 10 incidents. The report identified challenges experienced invoking business continuity plans and made recommendations to prevent and mitigate protest-related impacts on INAC business operations. The report recommended that regions revisit and revise their business continuity plans to ensure relevancy in terms of social protest scenarios as well as to ensure they account for scenarios with longer-term business disruptions.
More broadly, a BCP Refinement Strategy initiative is currently under development to strengthen the delivery of the BCP Program. As an example, the BCP Program is revisiting the way in which BIAs are performed across the Department to ensure alignment to critical services. The timing of the audit was advantageous to informing some of these initiatives. As such, the audit findings and recommendations within this report may inform actions that management is taking to strengthen the BCP Program.2. Audit Objective and Scope
2.1 Audit Objective
The objective of the audit was to assess the adequacy, efficiency and effectiveness of the design of the management control framework established for developing, maintaining and operationalizing the Department's Business Continuity Plan.
2.2 Audit Scope
The audit examined the adequacy, efficiency and effectiveness of the design of INAC's BCP Program and associated management controls intended to provide assurance that the Department:
- Complies with applicable Government of Canada policies, procedures, directives and standards, including the Treasury Board PGS and OSS-BCPP; and
- Has the appropriate processes and controls in place to support continued operations should events occur that require the business continuity plan to be used.
The audit scope included an assessment of the following areas of highest priority, which were determined based on a risk assessment performed during the audit's planning phase:
- Governance framework, including the roles and responsibilities in place to support the BCP Program from a national, sectoral and regional perspective;
- Development of business continuity plans, including the management controls in place to ensure that business continuity plans, BIAs and related planning activities are documented, comprehensive, and approved;
- BCP Program readiness and awareness, including the management controls in place to ensure that business continuity plans are well-communicated and routinely reviewed/tested and updated; and
- Management controls in place to ensure that INAC has the capacity to deliver the BCP Program in compliance with applicable legislation and policies.
Audit work considered the incident management and internal emergency management processes that overlap and/or integrate with the BCP Program, in light of the areas listed above. Audit work also considered arrangements with external service providers, including other government departments, in support of the Department's overall BCP strategy. However, the scope was limited to those processes, agreements and controls that intersect or overlap with the BCP Program, and excluded examining the internal emergency management and incident management programs in their entirety.
The scope also excluded the Emergency Management Assistance Program, which is specific to emergency incidents occurring on First Nation reserves. Lastly, the scope was limited to the design of the BCP Program and management controls, and excluded procedures to test the effectiveness of the business continuity plans.
3. Audit Approach and Methodology
The Audit of BCP was planned and conducted in accordance with the requirements of the Treasury Board Policy on Internal Audit and followed the Institute of Internal Auditors' International Professional Practices Framework.
The audit was performed from December 2016 to May 2017 and consisted of three phases: planning, conduct and reporting. Based on information gathered during the planning phase, a risk assessment was completed to determine the most significant risks to the BCP Program. Audit criteria were developed to cover areas of highest priority and served as the basis for developing the detailed audit program for the conduct phase of the audit. Refer to Appendix A for the audit criteria developed for this audit, which were informed by relevant policies, standards, and guidance listed in Appendix B.
The conduct phase included the completion of audit procedures at headquarters as well as in two regions (Nunavut and Ontario). Audit procedures were also conducted through teleconferencing with three additional regions (Alberta, Manitoba and Yukon). During the conduct phase performed between February 2017 and April 2017, the audit team examined sufficient, reliable and relevant evidence to provide a reasonable level of assurance in support of the audit conclusion. The principle audit techniques used were:
- Interviews with key individuals involved in BCP;
- Documentation review; and
- Risk analysis.
4. Conclusion
The Department has established a management control framework for developing, maintaining, and operationalizing its Business Continuity Plan. Also, the BCP Program is currently under review to strengthen readiness and awareness due to challenges experienced during recent incidents, including INAC office occupations.
Recognizing that changes are currently underway, opportunities to improve key elements of the BCP management control framework were identified, including strengthening: the governance structure and monitoring of the BCP Program; the process for developing business continuity plans; and, the communication and training provided to staff involved in BCP activities.
5. Findings and Recommendations
Based on a combination of evidence gathered through interviews, examination of documentation and risk analysis, each audit criterion was assessed and observations were made. Where a significant difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop relevant recommendations for improvement.
Observations and recommendations below focus on BCP Program governance and delivery, development of business continuity plans, and BCP Program readiness and awareness.
5.1 BCP Program governance and delivery
The establishment of a governance framework is essential to the effective delivery of a BCP Program. Within the governance framework, it is pertinent that roles, responsibilities, and accountabilities are clearly defined, documented and well understood.Footnote 11
The BCP Program governance framework is defined by the INAC Policy on BCM. The Policy is aligned to the requirements of the Treasury Board Policy on Government Security and the OSS-BCPP, and defines the expected results of the BCP Program. The Policy also defines the roles, responsibilities and accountabilities for implementing the BCP Program's requirements. In addition to the Policy, a roles and responsibilities reference guide exists for senior management, with key decision points for invoking a business continuity plan in the event of an incident/emergency.
While a governance framework exists, the following opportunities exist to strengthen BCP Program governance in support of the achievement of the Policy's expected results.
Roles and responsibilities
Although roles and responsibilities are defined in documentation, there is a need to strengthen these implementation roles and responsibilities in practice. The following were examples identified:
- Formal acceptance of risk. The approval process for the development and maintenance of business continuity plans and BIAs is an important aspect of the BCP Program. There exists a documented endorsement process for business continuity plans and BIAs, which identifies region/sector heads as responsible for approving updated business continuity plans and BIAs, and for completing a risk acceptance form in cases where the BIA or plan is not updated. However, there are multiple instances where BIAs have not been updated, yet acceptance of risk was not formally documented.
- Central challenge function. The Departmental BCP Coordinator is responsible for ensuring the completion of BIAs and the development of business continuity plans. To support the execution of this responsibility, the endorsement process includes a challenge function whereby the Departmental BCP Coordinator is responsible to review and provide feedback on regional/sectoral business continuity plans as part of the annual maintenance. A centralized challenge function is important for identifying inconsistencies across regional/sectoral business continuity plans, and for ensuring that business continuity plans and BIAs are aligned to departmental critical services and critical support services.Footnote 12 However, this challenge function has not been implemented and the Departmental BCP Coordinator's review is limited to identifying completeness, as opposed to ensuring alignment to the BCP Program requirements.
- BCP Working Group. To support implementation of the BCP Program, the Policy on BCM states that a permanent BCP Working Group will be established and chaired by the Departmental BCP Coordinator with representatives from each region and sector. A departmental working group provides a forum for the sharing of knowledge and practices, and helps promote awareness of the BCP Program requirements throughout the Department.Footnote 13 The roles and responsibilities of the BCP Working group members are defined in the Policy; however, these roles are not always carried out as required (i.e. attendance to meetings, testing of BCP, report on action items, briefing to new employees).
BCP Program support to regions and sectors
Business continuity plans are developed by INAC's regions and sectors, and should be consistent and aligned to departmental guidance, templates and accepted practices for effective BCP. Because of the decentralized planning, proactive support and expertise from headquarters is needed to promote consistency, efficiency and effectiveness.
Some regional/sectoral business continuity plans have been updated by individuals unaware of the Policy on BCM and guidance available. Also, regional/sectoral business continuity plans and BIAs have not always been completed. One region was not aware that BIAs were to be performed or reviewed. Regions/sectors would have benefited from proactive support from headquarters in the development of their business continuity plans.
Per the INAC Policy on BCM, the BCP Program includes providing support to regions/sectors, such as communicating guidance material and providing training for the development, maintenance, and testing of BIAs and business continuity plans. Implementation of these functions has been limited.
Monitoring, oversight and reporting
Monitoring and reporting are essential to determining whether a BCP Program is functioning as expected and achieving its objectives. Monitoring and reporting on results can strengthen the accountability of those involved in implementing BCP and can foster an environment of continuous improvement.Footnote 14
Monitoring and oversight processes for the implementation of INAC's BCP Program are defined but not consistently applied. For example, the Information and Technology Stewardship Group is described as one of the committees involved in department-wide monitoring and reporting; however, this is not the case in practice. Similarly, while the DSO is responsible for establishing and directing a security program that ensures coordination and implementation of BCP, no monitoring or oversight responsibilities are defined for the DSO in the Policy on BCM, nor in the INAC Security Policy.
While the consequences of non-compliance with the BCP Program requirements are described within the Policy, there is no formalized results reporting framework to promote compliance and performance. While certain monitoring activities are in place, there are limitations with the existing tools and data available on compliance and performance; and a need for more formalized review and response to non-compliance.
Recommendation:
1. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the BCP governance framework by:
- Reviewing and assessing the roles and responsibilities needed to implement the BCP Program requirements;
- Reviewing, updating and communicating BCP governance, policies and procedures;
- Reviewing and reinforcing how support is delivered to regional/sectoral BCP Coordinators to promote effective development of business continuity plans; and
- Strengthening the monitoring and reporting of the effectiveness of BCP, and formalizing a results-based reporting framework to promote accountability.
5.2 Development of business continuity plans
Based on the results of the BIA, business continuity plans must include sufficient detail to execute required actions during a business disruption.Footnote 15 Departmental guidance and templates are in place to support the development of INAC's business continuity plans. For example, there are documented procedures and templates (last updated in 2011-12) to support regions and sectors in performing BIAs and developing business continuity plans. These documents are maintained by the Departmental BCP Coordinator.
While processes and documented guidance are in place to develop BIAs and business continuity plans, the following opportunities for improvement were noted.
Practice consistency
Guidance material was not always known by key individuals involved in BCP, including regional/sectoral BCP Coordinators. Furthermore, inconsistent use of departmental templates was observed. One region had engaged an external consultant to develop and prepare their own templates to support their process.
Although regional/sectoral business continuity plans generally considered the key elements required by the OSS-BCPP, there were instances where the existing departmental guidance on developing the plans was not well known or understood.
The inconsistent use of departmental guidance material has been proactively identified by INAC management and is being considered as part of the BCP Refinement Strategy.
Accounting for stakeholder interdependencies
There exist instances where stakeholder interdependencies were not clearly defined or accounted for in BIAs and business continuity plans. As an example, one INAC regional office provides IT support to other government departments in the region. However, this key service is not being accounted for in the region's business continuity plan or in its BIA. Without clearly identifying interdependencies in BIAs and business continuity plans, service level agreements with other government departments/service providers may go unfulfilled if recovery strategies do not incorporate service level time requirements.
During Occupy INAC, regions impacted had difficulty procuring necessary services, which had to be done through headquarters in coordination with Public Services and Procurement Canada (PSPC). The time needed to procure through PSPC resulted in the region's inability to effectively procure critical support services during the business disruption.
INAC relies on Shared Services Canada (SSC) for technology infrastructure, such as servers. However, if government-wide services were to be disrupted, it is unclear what priority INAC critical services would have for recovery. While government-wide service prioritization is beyond the scope of INAC's BCP Program, identifying the dependencies and associated risks can be important to informing plans and stakeholder agreements.
Without clearly identifying these stakeholder interdependencies, the readiness of future BIAs and business continuity plans may be impacted.
Departmental alignment and integration
An essential component of BCP is the prioritization of services, which depends on alignment across the business functions involved.Footnote 16 To support alignment of the business continuity plans across regions and sectors, INAC has a list of three critical services and nine critical support services for the Department.
There are instances where regional/sectoral BIAs were not aligned to INAC's critical services/support services. In addition, there is insufficient prioritization in the recovery activities defined across sectors and regions. Specifically, several business continuity plans were not coordinated across regions/sectors in which similar programs/services exist, and staff involved in BCP activities did not have a good understanding of how services were prioritized across the Department. For example, remote network access was observed to be inconsistently prioritized across regions, with one region requiring remote access within 24 hours for a particular program that had not been identified in other regional plans.
Each region's/sector's business continuity plan consolidates more detailed business continuity plans that are developed by each business unit within the region/sector. Each plan is approved at the regional/sector head level and submitted to the BCP Program. However, centralized processes are not in place to identify inconsistencies and validate alignment across regions/sectors. Rather, the centralized review is limited to confirming whether the region/sector has completed its business continuity plan. Without a challenge function and a formalized validation of alignment across these plans, the Department may be unable to respond effectively to a disruption impacting multiple regions/sectors.
In summary, evidence that a departmentally-integrated plan exists based on prioritized services was not observed. INAC management is reviewing and considering its current model for performing BIAs as part of its BCP Program Refinement Strategy.
Recommendation:
2. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the practices for developing business continuity plans by:
- Reviewing, refining, clarifying and communicating BCP guidance material, including department-defined critical services and critical support services, to staff involved in BCP activities;
- Reviewing and reinforcing how priorities within and across sectoral/regional business continuity plans are identified and aligned; and
- Conducting an assessment to determine whether the BCP Refinement Strategy promotes the effective development and integration of BIAs and business continuity plans, with appropriate consideration to stakeholder interdependencies.
5.3 BCP Program readiness and awareness
BCP readiness and awareness are essential to enabling business continuity during an incident and/or business disruption that requires the business continuity plans to be invoked.Footnote 17 While activities are in place to support BCP Program readiness and awareness, the following opportunities for improvement were noted.
Annual maintenance
After business continuity plans are developed, approved and implemented, it is important that a permanent maintenance cycle be established. A maintenance cycle should provide for ongoing review of all plans to account for changesFootnote 18 to the Department and its operating environment.Footnote 19
At INAC, processes are in place to trigger the annual update of business continuity plans as are ad-hoc/event-driven triggers for updates, such as the response to the 2016 "Occupy INAC" events.
While there are processes in place to trigger the review of business continuity plans, the maintenance processes carried out by regions/sectors are mainly focused on updating contact information rather than on identifying relevant environmental changes and assessing the appropriateness of existing recovery strategies/arrangements in light of such changes. For example, multiple regions had not conducted a BIA in several years despite significant changes in organizational/operational context. Some regional BIAs were last completed prior to the formation of SSC and the Canadian Northern Economic Development Agency despite the interdependencies the Department has with these organizations.
While updating the contact lists and call trees are important, the maintenance processes should be extended to ensure business continuity plans remain relevant and appropriate.
Training and awareness
Effective awareness and training activities help employees in the execution of their BCP Program responsibilities. BCP Coordinators responsible for maintaining their region's/sector's business continuity plans were not always equipped with the necessary knowledge and awareness to carry out their BCP-related responsibilities. Some regional recovery team members were not aware of their BCP-related responsibilities, and this is particularly prominent with employees new to their role. Headquarters-driven training material exists for BCP; however, a formal training program is not in place.
Without sufficient training, there is a risk that key staff may not fully understand their role and responsibilities when the plan is invoked, and BCP coordinators or their delegates may not have adequate knowledge or skills to effectively develop or refresh BIAs and business continuity plans on an annual basis. INAC management is considering implementing awareness/training issues through the BCP Program Refinement Strategy.
Accessibility of business continuity plans
An essential factor to BCP Program readiness is the accessibility of business continuity plans in the event of a disruption. Plans should be stored in areas that are accessible and easy to retrieve by individuals with responsibilities defined by the plan.Footnote 20
At INAC, business continuity plans are stored and maintained in electronic format in the Department's electronic record keeping system and also in hard copy format. However, business continuity plans are not always available to staff during a business disruption. For example, hard copy business continuity plans are typically locked in Protected A or B cabinets within INAC premises and thus unavailable to staff during a disruption to building and network access.
BCP testing
Business continuity plans should be regularly tested to validate if the Department is well positioned to respond to a wide range of incident types, and to identify areas for improvement. As per the Department's Policy on BCM, all regions and sectors are required to test their business continuity plans on an annual basis. Documented procedures are in place to support the annual review/testing of business continuity plans; however, evidence of testing being carried out was not observed. Per information collected by the BCP Program in October 2016, only 36% of sectors had tested their plans in the previous 12 months, and no regions had tested their plans. Without regular testing and validation of plans, it is difficult to determine whether plans are adequate and complete, and whether staff are prepared in the event of a disruption.
The BCP Program Refinement Strategy is expected to include actions to strengthen awareness and readiness, including the performance of regular testing.
Recommendation:
3. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the BCP Program readiness and awareness by:
- Formalizing a training and awareness program for regional/sectoral BCP Coordinators to carry out BCP-related responsibilities; and,
- Conducting an assessment to determine whether the BCP Program Refinement Strategy effectively promotes BCP Program awareness and readiness, including ensuring that business continuity plans are maintained, accessible and tested on a regular basis.
6. Management Action Plan
Recommendations | Management Response / Actions |
Responsible Manager (Title) |
Planned Implementation Date |
---|---|---|---|
1. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the BCP governance framework by: | The Manager of Business Continuity Management (BCM), in collaboration with the Departmental Security Officer (DSO) and in consultation with RO and NAO, will implement the following measures: | Chief Finances, Results and Delivery Officer and Director General, Human Resources and Workplace Services | |
a) Reviewing and assessing the roles and responsibilities needed to implement the BCP Program requirements; | 1. Begin consultations with the DSO office and other key stakeholders to develop a Crisis Management Training package for Departmental Crisis Management Teams, commensurate with the BCM Refinement Strategy approved on December 12, 2016. |
Manager of Business Continuity Management Departmental Security Officer |
Q1 2017-2018 |
2. Begin consultation with the DSO's office and other stakeholders to develop a BCM Training and Awareness framework, including clarification on roles and responsibilities. | Manager of Business Continuity Management Departmental Security Officer |
Q1 2017-2018 |
|
b) Reviewing, updating and communicating BCP governance, policies and procedures; | 1. Begin consultations with key stakeholders to refresh current INAC BCM policy framework | Manager of Business Continuity Management | Q2 2017-2018 |
2. Finalize and publish BCM policy framework for circulation and comments | Manager of Business Continuity Management | Q3 2017-2018 | |
3. Complete the formatting of the centralized repository (for BIA and BCP) | Manager of Business Continuity Management |
Q1 2017-2018 |
|
4. Update Senior Management on the above action items | Chief Finances, Results and Delivery Officer | Q3 2017-2018 | |
c) Reviewing and reinforcing how support is delivered to regional/sectoral BCP Coordinators to promote effective development of business continuity plans; | 1. Begin developing training/awareness tools and products, including the BCM Training Framework | Manager of Business Continuity Management | Q2 2017-2018 |
2. Complete the operational review of the Business Continuity Management Program, including a review of the programs current state, program gaps, current industry trends, environmental scan and a resource requirement analysis. | Manager of Business Continuity Management |
Q1 2017-2018 |
|
d) Strengthening the monitoring and reporting of the effectiveness of BCP, and formalizing a results-based reporting framework to promote accountability. | 1. Review and finalize a reporting template and formalize a results-based framework to promote accountability | Managerof Business Continuity Management | Q3 2017-2018 |
2. Update endorsement process for criticality levels to reflect the new BIA process and changes in the BCM Maintenance Cycle | Manager of Business Continuity Management | Q2 2017-2018 |
|
3. Update Senior Management on the above action items | Chief Finances, Results and Delivery Officer | Q3 2017-2018 | |
2. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the practices for developing business continuity plans by: | The Manager of Business Continuity Management, in collaboration with the DSO and in consultation with RO and NAO, will implement the following measures: | Chief Finances, Results and Delivery Officer and Director General, Human Resources and Workplace Services | |
a) Reviewing, refining, clarifying and communicating BCP guidance material, including department-defined critical services and critical support services, to staff involved in BCP activities; | 1. Develop a training and awareness framework to support staff involved in BCP activities, along with a communication strategy to promote the BCM policy and training/awareness framework. This work will be done in consultation with the DSO's office to ensure integration with Incident Management and Response Planning and an overarching Security Training and Awareness framework (DSO deliverable) | Manager of Business Continuity Management Departmental Security Officer |
Q2 2017-2018 |
b) Reviewing and reinforcing how priorities within and across sectoral/regional business continuity plans are identified and aligned; | 1. Review current BCP template with consultation from BCP Coordinators to better determine common recovery priorities within and across sectoral/regional business continuity plans and to better align common recovery priorities for the department | Manager of Business Continuity Management | Q3 2017-2018 |
2. Develop a BCP recovery option/strategy analysis template for the identification and analysis of BCP recovery options for sectoral/regional business continuity plans to better align criticality levels in HQ and regional offices | Manager of Business Continuity Management | Q3 2017-2018 |
|
c) Conducting an assessment to determine whether the BCP Refinement Strategy promotes the effective development and integration of Business Impact Analysis (BIAs) and business continuity plans, with appropriate consideration to stakeholder interdependencies. | 1. Conduct an operational review of the BCM program to assess in part, whether the BCM refinement strategy promotes the effective development and integration of BIAs and BCPs with appropriate consideration to stakeholder interdependencies | Manager of Business Continuity Management | Q3 2017-2018 |
3. The Chief Finances, Results and Delivery Officer in collaboration with the Director General of Human Resources and Workplace Services and in consultation with the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of Northern Affairs Organization, should strengthen the BCP Program readiness and awareness by: | The Manager of Business Continuity Management, in collaboration with the DSO and in consultation with RO and NAO, will implement the following measures: | Chief Finances, Results and Delivery Officer and Director General, Human Resources and Workplace Services | |
a) Formalizing a training and awareness program for regional/sectoral BCP Coordinators to carry out BCP-related responsibilities; and, | 1. For actions pertaining to the development of a BCM Training and Awareness Framework and the operational review, please refer to the action items in the Recommendation #1 section | Manager of Business Continuity Management | Q4 2017-2018 |
b) Conducting an assessment to determine whether the BCP Program Refinement Strategy effectively promotes BCP Program awareness and readiness, ensuring that business continuity plans are maintained, accessible and tested on a regular basis | 1. Conduct an operational review of the BCM program to assess, in part, whether the BCM refinement strategy promotes BCP Program awareness and readiness, including ensuring that business continuity plans are maintained, accessible and tested on a regular basis. | Manager of Business Continuity Management | Q4 2017-2018 |
2. Update Senior Management on the above action items and BCM Program Status | Chief Finances, Results and Delivery Officer | Q4 2017-2018 |
Appendix A: Audit Criteria
To acquire an appropriate level of assurance to meet the audit objective, the following audit criteria were developed.
Audit Criteria and Control Objectives
1. Governance framework
1.1 A departmental BCP Program is in place with appropriate and clearly defined objectives, roles, responsibilities, and accountabilities
1.2 Important aspects of other continuity programs, including Information Technology (IT) security, incident management, and internal emergency management are effectively integrated into the BCP Program
2. Development of business continuity plans
2.1 There are appropriate and adequate management controls in place to support the development of business continuity plans
3. BCP Program readiness and awareness
3.1 There are appropriate and adequate management controls in place to support maintenance of business continuity plans
3.2 There are appropriate and adequate management controls in place to support the readiness of business continuity plans
3.3 There are appropriate and adequate management controls to promote awareness of business continuity plans
4. BCP Program resources
4.1 There are appropriate and adequate management controls in place to maintain the capacity necessary to deliver the BCP Program in compliance with applicable legislation and policies
Appendix B: Relevant Policies, Directives, and Guidance
The following authoritative sources were examined and used as a basis for this audit:
- Treasury Board Policy on Government Security
- Treasury Board Operational Security Standard – Business Continuity Planning Program
- Treasury Board Management Accountability Framework
- Public Safety An Emergency Management Framework for Canada
- Canadian Standards Association Emergency and continuity management program
- ISO 22301 Societal security — Business continuity management systems — Requirements
- INAC Business Continuity Management Policy