Audit of business continuity planning, Environment and Climate Change Canada: Conclusion

Every department is at risk from potential disasters, including natural disasters, sabotage, power and utility disruptions and cyber-attacks. Critical services or products are those that must be delivered to ensure survival, avoid causing injury and meet legal or other obligations of an organization.

Strongly integrated BCP governance and processes are key to enhancing the resilience of government operations. More specifically, in the event of disruptions to normal government business operations, these elements will help enable service delivery to Canadians with minimal downtime.

Key elements of departmental BCP governance framework, such as governance committees, formal policy and key BCP roles and responsibilities, are in place. However, monitoring and reporting have been limited to Executive Management Committee presentations of an annual BCP status report, a high-level overview of what works well and areas requiring improvement. Furthermore, testing of the plans was limited to table top exercises instead of full-scale tests. A formal monitoring and reporting framework (including testing) to periodically assess the effectiveness and compliance of the BCP program would enable ECCC to proactively identify and address any existing gaps and enhance the Department’s resilience to events that disrupt normal business operations.

While the departmental policy and plan provide for training and awareness activities, the audit found that ECCC activities in this area are currently limited to providing some useful tools on BCP and recovery activities.

ECCC has conducted business impact assessments (BIA) and has business continuity plans in place for critical services sampled. Two of the three critical services reviewed had a service level agreement in place to describe service levels for the restoration of critical services. For the most part, the BIAs and the plans were developed in conformity with government’s BCP requirements.

Improvements in the following areas are required for ECCC to be in a better position to ensure the continuity of its operations in the event of a disruption:

The areas of improvement that have been noted will collectively strengthen the management control framework supporting BCP.

Page details

Date modified: