Audit of business continuity planning, Environment and Climate Change Canada: Conclusion
Every department is at risk from potential disasters, including natural disasters, sabotage, power and utility disruptions and cyber-attacks. Critical services or products are those that must be delivered to ensure survival, avoid causing injury and meet legal or other obligations of an organization.
Strongly integrated BCP governance and processes are key to enhancing the resilience of government operations. More specifically, in the event of disruptions to normal government business operations, these elements will help enable service delivery to Canadians with minimal downtime.
Key elements of the departmental BCP governance framework, such as governance committees, formal policy and key BCP roles and responsibilities, are in place. However, monitoring and reporting have been limited to Executive Management Committee presentations of an annual BCP status report, a high-level overview of what works well and areas requiring improvement. Furthermore, testing of the plans was limited to tabletop exercises instead of full-scale tests. A formal monitoring and reporting framework (including testing) to periodically assess the effectiveness and compliance of the BCP program would enable ECCC to proactively identify and address any existing gaps and enhance the Department’s resilience to events that disrupt normal business operations.
While the departmental policy and plan provide for training and awareness activities, the audit found that ECCC activities in this area are currently limited to providing some useful tools on BCP and recovery activities.
ECCC has conducted business impact assessments (BIAs) and has business continuity plans in place for the critical services sampled. Two of the three critical services reviewed had a service level agreement in place to describe service levels for the restoration of critical services. For the most part, the BIAs and the plans were developed in conformity with the government’s BCP requirements.
Improvements in the following areas are required for ECCC to be in a better position to ensure the continuity of its operations in the event of a disruption:
- more effectively communicate BCP roles and responsibilities to decision makers by providing an updated BCP program policy that is aligned to the government’s security policy framework
- contribute to enhancing the overall effectiveness of the BCP program by ensuring that BCP roles, responsibilities and reporting relationships are clearly defined and formally communicated to all staff involved in the departmental BCP process
- proactively identify and address any gaps that have an impact on departmental effectiveness and compliance with the government’s overall BCP requirements by establishing a formal BCP monitoring and reporting framework (including testing the BCP program)
- ensure that business continuity plans are in place and have been developed in accordance with baseline requirements, including a clear external stakeholder relationship for IT service delivery and, in particular, the establishment of service level agreements describing service levels for the restoration of critical services
- develop and implement a departmental BCP program awareness, training and testing plan
The areas of improvement that have been noted will collectively strengthen the management control framework supporting BCP.