Audit of business continuity planning, Environment and Climate Change Canada: Executive summary
The Audit of business continuity planning (BCP) was conducted concurrently with the Office of the Comptroller General’s (OCG) Horizontal Audit of BCP, which involved selected large and small departments and agencies, including Environment and Climate Change Canada (ECCC).
The objective of the internal audit was to determine whether ECCC had in place a departmental governance framework and processes for BCP.
Why is business continuity planning important
Every department is at risk from potential disasters, including natural disasters, sabotage, power and utility disruptions and cyber-attacks. Critical services or products are those that must be delivered to ensure survival, to avoid causing injury and to meet legal or other obligations of an organization.
Strongly integrated BCP governance and processes are key to enhancing the resilience of government operations. Specifically, in the event of disruptions to normal government business operations, these elements will help enable service delivery to Canadians, with minimal downtime.
What we found
Key elements of departmental BCP governance framework, such as governance committees, formal policy and key BCP roles and responsibilities, were in place. However, monitoring and reporting have been limited to Executive Management Committee (EMC) presentations of an annual BCP status report, a high-level overview of what works well and areas requiring improvement. Furthermore, testing of the plans was limited to table-top exercises instead of full-scale tests. A formal monitoring and reporting frameworks (including testing) to periodically assess the effectiveness and compliance of the BCP program would enable ECCC to proactively identify and address any existing gaps and enhance the Department’s resilience to events that disrupt normal business operations.
While the departmental policy and plan provide for training and awareness activities, the audit found that ECCC activities in this area are currently limited to providing some useful tools on BCP and recovery activities.
ECCC has conducted business impact assessments (BIA) and has business continuity plans in place for the critical services sampled. Two of the three critical services reviewed had a service level agreement in place to describe service levels for the restoration of critical services. For the most part, the BIAs and the plans were developed in conformity with government’s BCP requirements.
Improvements in the following areas are required for ECCC to be in a better position to ensure the continuity of its operations in the event of a disruption:
- more effectively communicate BCP roles and responsibilities to decision makers by providing an updated BCP program policy that is aligned to the government’s security policy framework
- contribute to enhancing the overall effectiveness of the BCP program by ensuring that BCP roles, responsibilities and reporting relationships are clearly defined and formally communicated to all staff involved in the departmental BCP process
- proactively identify and address any gaps that have an impact on departmental effectiveness and compliance with the government’s overall BCP requirements by establishing a formal BCP monitoring and reporting framework (including testing the BCP program)
- ensure that business continuity plans are in place and have been developed in accordance with baseline requirements, including a clear external stakeholder relationship for information technology (IT) service delivery and in particular, the establishment of service level agreements describing service levels for the restoration of critical services
- develop and implement a departmental BCP program awareness, training and testing plan
Management agrees with the recommendations and has provided an action plan that will strengthen the management control framework supporting the BCP.
- Date modified: