Audit of Business Continuity Management

Alternate formats

Audit of Business Continuity Management [PDF - 509 KB]


List of abbreviations

  • ADM: Assistant Deputy Minister
  • BCM: Business Continuity Management
  • BCP: Business Continuity Plan
  • BIA: Business Impact Analysis
  • EM: Emergency Management
  • EMC: Enterprise Management Committee
  • EMAS: Emergency Management Application System
  • EMBC: Emergency Management and Business Continuity
  • ESDC: Employment and Social Development Canada
  • ISB: Integrity Services Branch
  • PMB: Portfolio Management Board
  • TB: Treasury Board

1. Background and context

The Treasury Board’s (TB) Policy on Government Security mandates that departments create a Business Continuity Management (BCM) Program. Employment and Social Development Canada (ESDC) maintains an inventory of 23 critical services. This includes programs such as Employment Insurance and the Canada Pension Plan. The Department classifies a program or service as critical if it must recover and achieve minimum service levels within a 72-hour timeframe.

ESDC is currently undergoing a BCM Program refresh, led by the Emergency Management and Business Continuity (EMBC) Division within the Integrity Services Branch (ISB). The refresh includes a new BCM approach that aligns with the methodology recommended in Public Safety Canada’s 2023 BCM Program Guide. In addition, EMBC anticipates launching an integrated business continuity and emergency management software solution, the Emergency Management Application System (EMAS), in July 2024. This software will replace the existing Excel-based templates.

1.1 Audit objective

The objective of this audit was to determine whether the Department had established an effective BCM Program to ensure continued availability of its critical services and related assets.

1.2 Scope

The scope of this audit included an assessment of the mandatory elements of a BCM Program as outlined in Appendix D of the TB Directive on Security Management and covered the period of the Department’s most recent BCM cycle.

1.3 Methodology

The audit used the following methodologies:

  • Documentation review and analysis
  • Interviews with management and staff
  • Business Continuity Plan (BCP) Coordinator survey
  • Review of a sample of BCM plans and arrangements

2. Audit findings

2.1 EMBC has established BCM guidance documents and tools that comply with TB Policy requirements

The Treasury Board Directive on Security Management outlines mandatory procedures for BCM. The audit found that the Department’s Operational Directive, supporting guidance, and templates are aligned with prescribed requirements. For example, the Directive clearly defines roles and responsibilities in the BCM process:

  • EMBC is the program lead, responsible for functional guidance and direction as well as oversight and reporting of results
  • Branch and regional coordinators are assigned critical roles in executing the BCM cycle from start to finish, including in the preparation, coordination, and testing of plans
  • Assistant Deputy Ministers (ADM) of branches and regions have overall responsibility for BCM development and approval in support of ESDC’s critical services

2.2 Branches and regions responsible for critical services lack expertise and senior management support

EMBC has a qualified and experienced team with responsibilities for both BCM and Emergency Management (EM). However, in recent years EMBC has prioritized EM and BCM program modernization over the delivery of the BCM Program itself. Between 2020 and 2023, the National Emergency Operations Centre and Departmental Crisis Management Teams experienced an unprecedented rise in activity. Due to events such as COVID-19 and climate-related disruptions, EMBC’s focus during this time was on EM. Additionally, implementation of EMAS began in June 2023. Consequently, EMBC has not met some BCM requirements, including the provision of a specialized BCM training program to branches and regions. To address this shortcoming, EMBC provided coaching and support to stakeholders throughout the last BCM cycle.

In general, branches accountable for critical services did not have proficient teams and structures to support BCM Program requirements. BCM structures varied, but most BCM coordinators lacked both expertise and awareness of their responsibilities. Additionally, senior management demonstrated a stronger awareness of and emphasis on EM, often overlooking BCM requirements such as BCP testing.

Strong, well-supported teams among the owners of critical services improve program outcomes: in branches and regions where teams had BCM expertise and support from senior management, the quality of the documents and activities supporting BCM was more likely to meet expectations.

2.2.1. Recommendation

The ADM of Integrity Services Branch (ISB) should develop and implement a plan to train BCM stakeholders to perform BCM requirements in alignment with departmental guidance.

2.2.2. Management response

Agree.

ISB will develop and implement a plan to train Business Continuity Management (BCM) stakeholders to perform BCM requirements in alignment with departmental guidance. Public Safety has in the recent past made training and awareness material available for Departments to use. Public Safety in collaboration with the Canada School of Public Service is developing a series of courses on BCM that will be made available for all government employees. When available, EMBC will include these in the training plan for BCM stakeholders.

2.3 ESDC's BCM Program is not operating as intended

ESDC conducted its most recent BCM cycle between April 2021 and January 2023. During this cycle, EMBC oversaw the development of Business Impact Analyses (BIAs) and BCPs for the Department's 23 critical services, while providing support and guidance to branches and regions. EMBC conducted some reviews of process completion, monitored timelines for the completion of BIAs and BCPs, and regularly engaged with stakeholders. However, no formal quality review or challenge function was in place to confirm the quality, completeness, and regular maintenance of BCM documents and activities.

According to ESDC's Operational Directive, branch-level BCPs should be rolled up horizontally into Program Level BCPs. This roll-up was not in place for ESDC's critical services, and EMBC indicated its intention to relaunch the process in the next BCM cycle. EMBC is currently implementing EMAS, a tool capable of enhancing collaboration and monitoring. Strengthening oversight and reporting on completeness and quality will be crucial to realizing the benefits of EMAS in support of Program Level BCPs.

Testing and exercising of BCPs is a crucial part of a mature BCM Program. While the audit team sought evidence that ESDC's critical services had been tested by their owners in the last 2 years, insufficient documentation was available. Over half of the respondents to the audit team's survey of BCP coordinators indicated that they had never participated in a BCP test or exercise. Since testing results were neither monitored nor reported to ESDC's Executive Governance Committees, the audit team relied on the 2022 to 2023 Management Accountability Framework, which reported that only 30% of the BCPs for ESDC's critical services had been tested by their owners in the last 2 years. The EMBC team has worked to mitigate this deficiency by ramping up departmental awareness and corporate exercises over the past year.

In addition, Playbooks were implemented to enhance the Department's readiness to respond to specific events affecting the Department and Canadians, such as public service strikes and wildfires. While not a requirement under the current Directive, Playbooks represent a proactive approach to risk mitigation and complement the mandatory BCPs for critical services. They were first introduced in the fall of 2022 in preparation for the 2023 Public Service Alliance of Canada strike, and all-hazard playbooks were implemented department-wide in the 2023 to 2024 fiscal year.

ESDC's challenges in meeting prescribed requirements for BCM impacted the quality and reliability of BCPs. Without adequate validation, testing, and maintenance of plans, ESDC faces an elevated continuity risk for its critical services.

2.3.1. Recommendation

The ADM of ISB should have EMBC coordinate annual assessments by the owners of critical services of the quality and completeness of BCM documents and activities supporting ESDC's critical services, and develop a mechanism to collect, analyze and report the results.

2.3.2. Management response

Agree.

Following completion of the next BIA/BCP exercise refresh, EMBC will assist and coordinate with ESDC's critical services owners, who will conduct an annual assessment of the completeness and quality of continuity plans, measures, arrangements, and results supporting ESDC's critical services. As per Public Safety, a BCM program requires an ongoing commitment from senior leadership, who ensure that BCM practices are implemented and are appropriately funded (for example, determining potential mitigation strategy funding to reduce vulnerabilities and to support recovery strategies). Public Safety recommends a Departmental BCM cycle based on a 3-year cycle, starting with a complete refresh of BIA and BCP in year 1, then an annual review in years 2 and 3.

The new Emergency Management Application System includes a mechanism to efficiently collect, analyse and report the results.

In addition, ISB will lead the Department in the development of a "whole of department" playbook (horizontal BCP approach) which outlines response measures, triggers, mitigations, and decision-making processes for service delivery crises in ESDC and Service Canada related to cyclical events.

Furthermore, ISB will lead the Department through "whole of department" BCP exercises that support and help build business continuity for key areas and scenarios, targeting continued delivery of services to Canadians.

2.4 EMBC is not effectively using its established governance committee structure for decision making and oversight

ESDC's BCM governance structure is outlined in the Department's Operational Directive and Strategic Emergency Management Plan. The Portfolio Management Board (PMB) is the Department's primary decision-making body, supported by the Enterprise Management Committee (EMC), which has oversight and decision-making authority for BCM. The audit found that the Departmental Crisis Coordinator (the ADM of ISB) does not consistently engage EMC for decision making or oversight. For instance, the ADM of ISB did not present the Department's critical services list to EMC for approval after the 2021 BIA exercise, nor provide EMC with periodic updates on the status of the Department's compliance with BCM requirements for ESDC's critical services. Nonetheless, the critical services list was approved by the Deputy Minister in February 2022.

Better use of governance committees for BCM oversight would improve accountability, quality, and completeness.

2.4.1. Recommendation

The ADM of ISB should formalize a plan and approach to periodically leverage EMC and PMB to:

  • Table and seek approval of critical services and corresponding plans
  • Report on the completeness and quality of continuity plans, measures, arrangements, and results supporting ESDC's critical services

2.4.2. Management response

Agree.

Note: EMC and PMB do not have to approve corresponding plans; this is the responsibility of the respective Branch/Regional ADM.

As per the new Public Safety guidance on identifying and categorizing critical services, the first step in the new BCM cycle will be to complete a BIA survey assessing the criticality of each service. ISB will table and seek approval from Enterprise Management Committee of the critical services list.

Following completion of the next BCM exercise refresh, which includes Branch/Regional BIAs and BCPs, ISB EMBC will report to EMC on the status of the completeness and quality of continuity plans, measures, arrangements, and results supporting ESDC's critical services.

3. Conclusion

EMBC has established guidance, tools, and a governance structure to support an effective BCM Program. However, BCM program outcomes are not currently meeting requirements for BCP testing, maintenance, and training.

Improving the quality of BCM plans and arrangements requires greater expertise and support from the branches and regions responsible for critical services. Additionally, enhanced oversight and monitoring by senior management committees is an important accountability mechanism for BCM.

4. Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Business Continuity Management. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria: Business Continuity Management Framework

It was expected that the Department has:

  • established an adequate governance committee structure to coordinate BCM activities and to oversee and report on performance
    • Rating: Sufficiently controlled; low-risk exposure
  • defined, documented and communicated roles, responsibilities, and authorities related to the BCM Program to articulate clear accountabilities (including those at the National Headquarters and Regional level)
    • Rating: Controlled, but should be strengthened; medium-risk exposure
  • established, documented, and maintained BCM Program operational procedures and practices, aligned with Public Safety and TB legislative and policy requirements and guidance
    • Rating: Sufficiently controlled; low-risk exposure
  • established performance reporting mechanisms for the timely identification and reporting of BCM Program risks, issues, and emerging threats in the departmental operating environment
    • Rating: Missing key controls; high-risk exposure

Audit criteria: Business Continuity Management Practices

It was expected that:

  • requirements for the BCM Program are communicated to stakeholders and there are adequate levels of training and awareness activities including specialized training for individuals directly involved in the coordination of BCM
    • Rating: Missing key controls; high-risk exposure
  • BCM structures and processes in branches and regions have been established with adequate resources and support from senior management to enable BCM program objectives to be met
    • Rating: Missing key controls; high-risk exposure
  • the Department has utilized the established BCM governance structure and process to identify programs and services that are critical to the health, safety, security or economic well-being of Canadians and the effective functioning of government, and that priority is assigned based on minimum service levels, recovery time objectives, periods of criticality, interdependencies, and impacts
    • Rating: Controlled, but should be strengthened; medium-risk exposure
  • branch/regional BCPs have been developed and rolled-up to create Horizontal BCPs for the defined critical programs and services, based on BIAs, that are consistent with operational procedures, guidance and methodology
    • Rating: Missing key controls; high-risk exposure
  • BCPs are regularly reviewed and updated to address changes in the threat environment that adequately consider BIA results as well as lessons learned from recent disruptive events
    • Rating: Missing key controls; high-risk exposure
  • regular testing of BCM Program readiness is conducted to confirm its feasibility and effectiveness in supporting an acceptable state of preparedness and the continued availability of mission-critical programs, services and associated assets
    • Rating: Missing key controls; high-risk exposure
