FCAC's Business Continuity Plan FY2024/25
A strategic enabler for business continuity
1. Foundation
1.1 Purpose
This document is for the attention of Business Continuity Plan (BCP) stakeholders and for the information of all FCAC staff. It facilitates the rapid recovery of essential activities in the event of disruptions.
1.2 Recovery Plans
The branches' recovery plans are the foundation of the Agency's overall BCP. They enable effective coordination of activities with the Chief Security Officer during the management of emergency situations. Guidance and context are provided under Annexes A and B for the development of recovery plans.
- SEB Recovery Guide
- RPE Branch Recovery Guide
- PAB Recovery Guide
- HR Branch Recovery Guide
- Corp Services Recovery Guide
The integration of the Recovery Plan for the Toronto office, the Secretariat and Legal is scheduled for development in 2024/25.
1.3 Recovery Team Responsibilities
Recovery team members are identified in the recovery plans. They have specific responsibilities and report to their branch head (or the Recovery Team Lead). The Recovery Team Members must:
- be familiar with the contents of this plan and their recovery plan
- follow the direction of their Branch Head or recovery team lead.
- provide feedback to their Branch Head on recovery activities.
- participate in business continuity training and exercising, as appropriate.
1.4 Branch Head or recovery team lead
The Branch Head can designate a recovery team lead for the coordination of BCP activities. The Branch Head or recovery team lead is responsible to:
- approve the branch recovery plan
- communicate their recovery plan to the recovery team
- test their recovery plans
1.5 Recovery Team Lead Contingency Plan for Communication Failure
Should the following scenarios transpire:
- no internet, mobile networks working
- no internet, mobile networks down, landlines (i.e., hardwired phones) working
- no internet, mobile networks down, landlines down
Herein are the contingency procedures for the Recovery Team Leads.
2. Context
2.1 Scope
This plan applies to the FCAC office in Ottawa. The following complement the BCP and can be activated as needed:
- Cyber Security Event Management Plan
- IT service response and recovery documentation for IT personnel only.
2.2 Planning assumptions
- Activation of the BCP doesn't instantly resolve pending issues, and building access might not be possible for 48 hours or more.
- Our technology supports remote work, and communication remains possible through various means.
- Certain recovery plan elements start within four hours of disruption, with essential personnel, backups, and recovery teams stepping in if some staff are unavailable.
- All branches collaborate with the FCAC Incident Manager to minimize event impact, and external stakeholders are ready to assist during recovery.
- Off-site backup storage is secure and accessible, ensuring data protection and continuity.
2.3 Training and Awareness
Training and awareness sessions have been conducted sporadically, often coinciding with national awareness weeks. In 2024-25, FCAC will establish a structured training and awareness program to enhance resilience and preparedness.
3. Roles & Responsibilities
BCP implementation takes place through the Commissioner, the Chief Security Officer as the Incident Manager, the Branch Heads (or designated Recovery Team Leads) and Recovery Team Members. Together, they are the Incident Management Team:
Figure 1. Incident Management Team

Text version: Figure 1
Incident Management Team
- Commissioner
- Chief Security Officer
- Branch Head (or designated Recovery Team Lead)
- Recovery Team Members
- Branch Head (or designated Recovery Team Lead)
- Recovery Team Members
- Branch Head (or designated Recovery Team Lead)
- Recovery Team Members
- Branch Head (or designated Recovery Team Lead)
- Recovery Team Members
- Branch Head (or designated Recovery Team Lead)
- Recovery Team Members
3.1 Commissioner
The Commissioner is accountable to (Footnote 1):
- Review any residual business continuity management related risk that exceeds established authorities for security risk management decisions.
- Investigate and act when significant issues regarding policy compliance arise and ensure that appropriate remedial action is taken to address these issues.
The Commissioner will:
- Declare the activation and deactivation of the BCP.
- Provide strategic direction to the CSO and management team.
- Authorize emergency funding.
- Approve crisis communication messaging.
3.2 Chief Security Officer (CSO) (Footnote 2)
The CSO ensures that FCAC conducts regular testing (i.e., minimum of every two years) of the BCP to ensure an acceptable state of preparedness. The last test was completed in October 2022 and the next one is planned for fall 2024. The CSO acts as Incident Manager and leads the recovery effort. They have authority to:
- Direct personnel to conduct or obtain a damage assessment.
- Direct FCAC Branch Heads to consider their recovery strategies.
- Implement/Invoke business continuity procedures.
3.3 Branch Heads
Branch Heads are accountable for:
- The annual review and update of their BCP documentation, including the Business Impact Analysis (BIA) and branch recovery plans (these were completed in May 2024). The review must be completed no later than the end of Q1 or immediately after a significant change in FCAC business operations.
- The semi-annual update of key contact information, saved in GC Docs.
During a recovery effort, the Branch Head/Recovery Team Lead is responsible for:
- Ensuring the safety and security of themselves and their branch members.
- Coordinating instructions to recovery team members and other branch staff.
- Evaluating the impact on key activities within the branch and setting priorities.
- Communicating needs and priorities to the CSO or their designate.
- Directing and coordinating recovery efforts within their branch.
- Providing updated FCAC Recovery Status Reports to the CSO as needed.
3.4 Communication Flow
When the BCP is activated (illustrated under Annex A), use any means of communication EXCEPT SOCIAL MEDIA. Communication follows the hierarchy; see the Key Contacts and Useful Numbers.
3.5 Crisis communications
Public Affairs provides communication support as follows:
- Internal communication: for BCP and emergency situations;
- Coordination with FISC partners in case of crisis occurring at a federally regulated entity or with financial market infrastructure.
The Public Affairs Branch Crisis Communications Team does not need to be co-located with the Commissioner, but there must be a means of communicating between them.
4. Critical Services Overview
4.1 BCP across three phases.
Phase 1 - Immediate Event or Incident Response - all about immediate responses for safety. Plans such as emergency evacuations and health and safety protocols unfold under the CSO's guidance.
Phase 2 - Business Continuity Implementation - once the BCP is activated, the aim is to restore crucial activities to normal levels within a set timeframe after an incident.
Phase 3 – Demobilization - wraps things up, focusing on returning to normal operations and locations. This marks the end of the response cycle, with a focus on learning from the experience.
4.2 Critical services
The table below outlines key BCP activities across the agency.
MAD: Within 4 Hours
- Who:
- Incident Management team
- Activities:
- Damage assessment and situation reporting.
- Crisis communication (internal and external stakeholders).
- Initiation of incident response, recovery, and restoration activities.
- Who:
- CSO
- Activities:
- Provision of physical security for FCAC staff, physical assets, and facilities i.e. ensuring safety for locations and people
- Who:
- IM/IT (within the first 24 hours)
- Activities:
- IT begins recovering within 24 hours. The earliest MAD is likely three days but can extend up to 29 days.
- Key IT services that need to be restored include the following infrastructure support:
- Security devices (firewalls etc.)
- Internal networks
- Communications links to the outside world and alternate data centre
- Servers (including databases)
- Personal computing devices
MAD: Within 72 Hours
- Who:
- Finance and Procurement
- Activities:
- Ensuring that there are sufficient funds to sustain operations and cover at a minimum payroll and recovery efforts
- Process staff emergency pay requests
- Emergency procurement
- Who:
- Human Resources
- Activities:
- Support to FCAC staff
- Provide emergency payroll services for all classes of employees.
- Ramp up recruitment should emergency workforce for recovery be required.
- Provide services or advice with respect to labour relations
- Who:
- CIC
- Activities:
- If directed, operating Consumer Information Centre as a means of communicating with the public and FRFEs
- Who:
- Enforcement
- Activities:
- Pending notice of violation (only when within 30 days of being issued and directed by Commissioner to do so)
- Who:
- Education
- Activities:
- When directed by the Commissioner, consumer alerts may need to be issued if a significant event coincides with a business interruption
Note: Aggregate of Critical Personnel - BCP - Recover Plans.docx
Annex A – Internal and External Dependencies
Critical Service
- Commissioner/Management Team
- Set the Agency’s priorities and strategies and provide leadership and direction.
- Liaise and share information, as appropriate, with FISC partners, the FRFEs and other government departments, stakeholders and consumers as required.
- Report to the Minister of Finance regularly about FCAC’s activities and findings
Internal Support
- IT
- Public Affairs
- Admin
- Legal
External Dependencies
- FISC partners
- OGD as required
Critical Service
- Supervision and Enforcement Branch
- Ensure that key information on supervisory and compliance matters is coordinated and communicated internally to other areas of FCAC to support their work (i.e., the CIC)
- Monitor and investigate compliance issues of individual financial entities at an industry-wide level.
- Monitor the industry’s adherence to its voluntary codes of conduct and public commitments.
- Undertake annual compliance examinations.
- Undertake on-site examination of FRFEs to address key compliance issues as required.
- Assist financial entities in their efforts to correct contraventions
Internal Support
- IT
- CIC
- Public Affairs
External Dependencies
- Department of Finance
- Department of Justice
- OSFI
- Regulated entities
- Consumers, merchants
Critical Service
- Research, Policy, and Education Branch
- Establish, enhance, promote, and support online tools and resources to assist consumers in making sound financial decisions and communicate information internally to other areas of FCAC to support their work (i.e., the CIC and the financial literacy team)
Internal Support
- IT
- CIC
- Public Affairs
- RPE
External Dependencies
- Interdepartmental Committee on Financial Literacy
- Regional FinLit networks
Annex B – Developing Branch Recovery Plans: Common Strategies
1. Loss of workspace. The places where FCAC business processes happen are not accessible, either for a long time or temporarily.
Recovery Strategies
- Have staff work from home using telework tools, except for certain security and shipping tasks that need to be done in person.
- If possible, use Government of Canada coworking spaces for work or meetings.
2. Loss of personnel. The permanent or temporary unavailability of personnel.
Recovery Strategies
- Have backup staff take over for unavailable staff.
- Move staff from less urgent roles to more urgent ones within FCAC for a while.
- Use written procedures to help capable but unfamiliar people do the job or hire new staff for vacant positions.
3. Loss of IT Infrastructure, IT applications or databases. The failure of the IT infrastructure (whole or in part).
Recovery Strategies
- Activate IT service response and recovery plan which is planned to be developed as part of the IT roadmap in 2024-25.
- Use manual procedures to do tasks without IT support, making sure that work can be reconciled once IT systems are back online.
4. Physical record destruction. The main concern is potential damage to physical records, such as from fire, or water damage caused by fire.
Recovery Strategies
- Get and use duplicate copies of important or urgent documents that were stored off-site before.
5. Loss of Equipment or Supplies. Running out of or not being able to replace equipment or supplies needed for FCAC activities.
Recovery Strategies
- Use agreements with suppliers to ensure they deliver services to FCAC on time.
- Look for other suppliers who can provide similar supplies or equipment to FCAC.
- Use mutual aid agreements to borrow specialized equipment from partner organizations during disruptions.
Annex C – Activation of the BCP
Depending on the scope and severity of an event, activating the BCP may require a formal decision. The purpose of the preliminary assessment is to quickly determine if activating the BCP Recovery Team is warranted.
Figure 2. Business Continuity Plan flowchart

Text version: Figure 2
A flowchart for business continuity planning
Disruption occurs:
- Always ensure the safety of personnel before proceeding further
Preliminary assessment
- Does this require activation of the BCP Team?
- Yes: Activate the BCP Team
- No: Monitor and re-assess as required
Activate team
Meet
- Proceed to pre-arranged BCP Team meeting place or virtual arrangement.
Assess
- Assess the impact to critical services and business functions.
Inform
- Inform partners and interdependencies.
Decide
- Activate required business continuity strategies?
- Yes: Activate the appropriate Business Continuity Strategies
- No: Monitor and re-assess as required. (Assess level)
Activate plans
- Activate the appropriate Business Continuity Strategies
- Communication protocol (to ensure required communications)
- Business Continuity Strategies (to restore business functionality)
- Is the event resolved?
- Yes: Deactivate plan and resume business as usual
- No: Monitor and re-assess as required. (Assess level)
STEP 1
The CSO or DCSO is notified or acknowledges a disruption. The DCSO ensures that facilities management assesses and reports the damage to evaluate the site's capability to maintain and deliver services.
STEP 2
The CSO or DCSO makes a conference call to activate the Branch Heads and discuss the need to activate Recovery Teams based on the Immediate Impact Assessment.
Key Contacts and Useful Numbers.
Annex D – For Recovery Team Leads
Annex purpose: to help identify information that needs to be gathered and communicated to the recovery team.
- Briefly describe the issue.
- Note where the CSO (Incident Manager) is located.
- Provide the CSO's (or delegate's) phone number.
- List immediate actions to take.
- Confirm if work location is accessible.
- If needed, specify the meeting place and time for the team.
- Remind team members to carry photo ID and be ready to show it to security or authorities.
- Instruct not to speak to the media.
When a disruptive event occurs, the Commissioner, through the CSO or DCSO, will keep all employees designated non-critical updated via tools such as the employee information number 613-941-1424 or other appropriate means.
All critical employees with response and recovery team responsibilities will be contacted and may be asked to report to a pre-determined alternate work location.