Audit of business continuity planning, Environment and Climate Change Canada: Introduction and background

The Audit of business continuity planning (BCP) was conducted concurrently with the Office of the Comptroller General’s (OCG) Horizontal Audit of BCP, which involved selected large and small departments and agencies, including Environment and Climate Change Canada (ECCC). As recommended by the External Audit Advisory Committee (EAAC) and approved by the Deputy Minister (DM), the internal audit was included in the Audit and Evaluation Branch’s (AEB) 2015 Integrated Risk-Based Audit and Evaluation Plan.

BCP is a proactive security measure to help increase an organization’s resilience to disruptive events. Specifically, BCP refers to the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of services and assets when a disruption to normal business operations occurs, regardless of the disruption’s origin. On a broader scale, BCP complements emergency management because it supports preparedness, response and recovery activities.

The Emergency Management Act  (EMA) requires that all federal departments and agencies prepare plans to deal with emergencies. According to the EMA, the emergency management responsibilities of each deputy head consist of identifying the risks that lie within the purview of their department and:

• preparing emergency management plans (for example, strategic emergency management plan and building emergency evacuation plans) to address these risks
• maintaining, testing and implementing those plans
• conducting exercises and training in relation to those plans

The Treasury Board (TB) Policy on Government Security and its associated standard, the Operational Security Standard – Business Continuity Planning Program, further establish that departmental critical services and associated assets must remain available, to ensure the continued health, safety, security and economic well-being of Canadians and the effective functioning of government.

Under the EMA, departmental emergency management plans must be supported by “programs, arrangements or other measures to provide for the continuity of the operations.”^[1] Such support is achieved by establishing departmental BCP programs that comprise the following:

BCP program governance (for example, BCP policy, appointment of a Departmental Security Officer and a BCP coordinator)

• business impact analyses (for example, to assess the impacts of disruptions on the Department and to identify and prioritize critical services and associated assets)
• business continuity plans and arrangements
• maintenance of BCP program readiness (for example, review and revision of all plans and regular testing)

The Departmental Security Officer (DSO) is responsible for the departmental BCP program, including the monitoring and coordination of the development, implementation and review of the program.