Business Continuity Plan (BCP)

Revision history

Approval for operational use

The FCAC Business Continuity Plan for the Office of the Financial Consumer Agency of Canada is approved for operational use.

Signature: 

Werner Liedtke, CPA, CMA

CFO and Assistant Commissioner, Corporate Services

Financial Consumer Agency of Canada

Date: February xx, 2022

Quick reference flowchart

Figure 1. Business Continuity Plan Flowchart

Notification and escalation

During an incident, communication by telephone/cellphone is preferred. Other means, such as email or SMS (texting) may be available, but should not be relied upon.

Do not use social media

Figure 2. FCAC Org Chart as of April 1, 2022

Key Contacts and Useful Numbers

An up-to-date contacts list is kept in GC Docs. This is the link to it.

2022 BCP-Key BCP Contacts V1.docx

1. References

• Government of Canada Policy on Government Security (2019);
• Treasury Board of Canada Secretariat Directive on Security Management (2019), Appendix D - Mandatory Procedures for Business Continuity Management Security Control;
• Financial Consumer Agency of Canada Business Plan 2021-2022 to 2023-2024
• Tenant Based Threat Risk Assessment (TB-TRA) March 2018;
• A Government of Canada Guide for Developing a Business Continuity Management Program Public Safety Canada October 2019;
• 427 Laurier - Emergency Response Plan (2018-09-05);
• 427 Laurier - Fire Safety Plan (2018-09-05), and
• FCAC Emergency Procedures Manual (2020-02)

2. Purpose and goals

2.1 Purpose

This Business Continuity Plan (BCP) is produced in accordance with the Treasury Board of Canada Secretariat 2019 Directive on Security Management (DSM).  This plan guides the efficient recovery of time critical activities to their minimum service level (MSL) within a prescribed timeframe (MAD) following a business disruption. This plan has been developed taking FCAC’s two core responsibilities into account^{Footnote 1} . The two core responsibilities are:

• Core Responsibility 1: Supervising federally regulated financial entities (FRFE);
• Core Responsibility 2: Enhancing the financial literacy of Canadians; plus
• Internal services

None of the core responsibilities are by Government of Canada definition, critical to Canada business functions, but the services and key activities in support of the core programs are necessary to FCAC.

Additionally, the BCP contains special provisions for pandemic preparedness and response (Appendix C).

2.2 Scope

The following plans are complementary to this BCP, but are not included within its scope:

• Emergency Management and security plans;
• Building emergency evacuation plans (BEEP);
• Security event management plans; and
• Occupational health and safety plans.

This BCP encompasses FCAC’s worksite at 427 Laurier Avenue, Ottawa ON (5th and 6th floors). It does not include any FCAC office space in Toronto or staff working from home locations.

Other exclusions:

• This plan does not address Information Technology (IT) technical recovery as it is subject to IT Service Continuity (ITSC) plans and arrangements that are separate but complementary plans.
• This plan does not specifically cover scheduled workplace closures, IT Services downtime, or cutover periods (although elements of the plan can be used to bridge these events).

2.3 Goals

The goals of this BCP and Branch Recovery Guides are to:

• Minimize the impact and duration of a serious disruption;
• Commence timely response to an event or disaster;
• Facilitate effective co-ordination of recovery tasks;
• Provide procedures and a list of resources needed to recover critical business functions;
• Identify those vendors or business partners requiring notification of an event or disaster due to their necessary involvement with recovery;
• Document the storage, safeguarding, and retrieval procedures for vital records; and
• Identify areas of the business where a communications strategy will be needed to keep stakeholders and customers informed of recovery progress and to safeguard the reputation and legal liability of the organization.

2.4 Planning assumptions

The planning assumptions adopted in the creation of this plan are as follows:

• Any matters of security or life safety have been or are actively being resolved, and take priority over the content of this plan;
• Access to the building may not be available for 48 hours or longer;
• IT capabilities can support remote work;
• Execution of initial elements of specific but not all FCAC branch/divisional recovery plans will commence within the first four (4) hours of any incident that interrupts the normal operations of the FCAC;
• While some staff members may be unavailable at the time of the event or disaster, during the recovery, key personnel or alternates as well as various recovery teams will be available to assist in the recovery;
• All branches/divisions will work with the FCAC Incident Manager to mitigate the effects of an event or disaster;
• External stakeholder organizations such as clients, suppliers, and other government departments can be contacted and are available (as needed) during the business recovery period;
• At least one form of communication is always available (e.g., cellular, or land-line telephone, MS Teams, email etc.); and
• Any off-site storage locations for critical back-up files and information are intact and accessible.

2.5 Plan Maintenance and Continuous Improvement

2.5.1 Plan Maintenance

The Chief Security Officer (CSO) is accountable for the ongoing maintenance of the BCP and related documents. As such, the CSO ensures that the maintenance activities below occur on a minimum annual basis, or immediately following significant organizational changes:

• BIA data continues to reflect current business practices and priorities;
• Incorporate any necessary changes into the BCP;
• Obtain approvals of renewed BIA and BCP documents from senior management;
• Update training and awareness materials, as warranted; and
• All issued or printed copies of the BCP and related documents are replaced with current copies.

Branch/divisional recovery guides require maintenance on the following cycle:

• Annual review and update of all BCP documentation (BIA, branch/divisional recovery plans etc.). This review will take place no later than the end of Q2 or immediately following a major change in how FCAC business functions are delivered;
• At least a semi-annual update to contact information for staff and key vendors. Master documentation should always be kept in GC Docs with links to them embedded in this document.

2.5.2 Continuous Improvement

FCAC will objectively measure, evaluate, and report to management upon the performance of the BCM Program and use the resulting information to manage and improve the BCM program and plans.

2.6 Training and Awareness

FCAC has implemented a training and awareness program requiring targeted BCM activities to be conducted annually. This program encompasses three components:

1. Exercises: People-focused activities designed to offer an opportunity for individuals to practice their incident management and BCP roles while testing test plans and procedures.
2. Training: Formal session to teach personnel their BCP roles and responsibilities.
3. Awareness: As part of the overall security awareness program, raise awareness and ‘buy-in’ to business continuity planning and, more broadly, build a culture of resiliency within FCAC.

3. Roles & Responsibilities

3.1 Commissioner

The Commissioner has overall responsibility for emergency management, recovery, and the subsequent restoration of FCAC activities.

The Commissioner will:

• Declare the formal activation and deactivation of the BCP;
• Provide strategic direction to the CSO and management team;
• Authorize emergency funding; and
• Approve crisis communication messaging.

3.2 Chief Security Officer (CSO)

The CSO, as the recovery leader, has the authority to invoke elements of the BCP without having to have a disaster officially declared. Once invoked, the CSO, as the designated Incident Manager, manages and coordinates the overall FCAC recovery effort.

Specifically, the CSO is authorized to:

• Manage and coordinate the recovery effort; and
• Direct the activities of FCAC Staff.

The CSO will:

• Participate in business continuity training and exercising, as appropriate; and
• Be familiar with the contents of the FCAC Business Continuity Plan and each branch/division’s Business Continuity Recovery Plan.

3.3 Deputy or Assistant Commissioners

Each Deputy or Assistant Commissioner is responsible for the coordination and recovery effort among his or her branch/division and to report to the CSO (as the designated Incident Manager). They may directly lead recovery efforts or delegate to a director or manager within their respective Branch.

During a recovery effort, the team leader role is to:

• Promote the safety and security of themselves and their Branch members;
• Receive and follow direction from the CSO (as the designated Incident Manager);
• Contact and provide instruction to recovery team members and other branch staff;
• Assess the degree of impact to the branch/division’s key activities and the priorities;
• Communicate needs and priorities with the CSO (as the designated Incident Manager) or designate;
• Direct and coordinate branch/divisional recovery efforts, as outlined in Business Continuity Recovery Plan;
• Provide updated FCAC Recovery Status Reports to the CSO (as the designated Incident Manager) or designate on a minimum twice-daily basis or more frequently as required;
• Serve as an important decision-making resource to the Commissioner;
• Participate in business continuity training and exercising, as appropriate; and
• Be familiar with the contents of the FCAC Business Continuity Plan and their branch/division’s Business Continuity Recovery Plan.

3.4 Business continuity recovery teams

Recovery teams are composed of the subject matter experts within their respective areas of responsibility. These pre-selected individuals are trained to execute their individual responsibilities in case of a crisis and are familiar with the contents of their respective recovery plans. They would be reporting to their respective branch/division Deputy or Assistant Commissioner or recovery team lead.

A Business Continuity Recovery Team Member’s role is to:

• Follow the direction of their Deputy or Assistant Commissioner or recovery team lead;
• Provide feedback to their respective Deputy or Assistant Commissioner or recovery team lead, with emphasis on what additional resources (people, vital records, workspace, or equipment) are needed to recover key activities;
• Participate in business continuity training and exercising, as appropriate; and
• Be familiar with the contents of the FCAC Business Continuity Plan and their branch/division’s business continuity recovery plan.

Over and above the execution of their recovery plans, recovery teams are charged with the periodic testing and updating (maintenance) of their respective plans.

3.5 FCAC Non-business continuity recovery team staff

A non-business continuity recovery team staff member’s role is to:

• Remain vigilant about their own and their colleagues’ safety and security; and
• Follow the direction of their respective Deputy/Assistant Commissioner, Director or manager and be ready to support recovery efforts when requested.

4. Plan Parameters

4.1 Scope

This BCP guides the efficient recovery of time critical activities to their minimum service level (MSL) within a prescribed timeframe (MAD) following a business disruption. This plan has been developed taking FCAC’s core responsibilities into account. This plan has been developed taking FCAC’s two core responsibilities into account. The two core responsibilities are:

• Core Responsibility 1: Supervising federally regulated financial entities (FRFE);
• Core Responsibility 2: Enhancing the financial literacy of Canadians; plus
• Internal services

A BIA review confirmed that all branches and divisions within FCAC contribute to, and support core responsibilities 1 and 2 and ensure that they are delivered to financial institutions and citizens. Corporate Services, Public Affairs and HR branches provide the core internal services support to FCAC operations. None of the core responsibilities are by Government of Canada definition, critical to Canada business functions, but the services and key activities in support of the core programs are necessary to FCAC^{Footnote 2} .

4.2 Plan governance

4.2.1 Governance structure

FCAC has established a governance structure that provides leadership and oversight over major security events and other types of crises and would manage a crisis to resolution. The FCAC Executive Committee (EXCO) fulfills the strategic leadership and oversight role the FCAC, and the Incident Manager Team (IMT) provide the tactical leadership and decision-making capabilities.

The CFO and Assistant Commissioner Corporate Services in the role of CSO will act as Incident Manager and lead the recovery effort. Once activated, he has authority to:

• Direct FCAC personnel to conduct (if possible) or obtain a damage assessment information,
• Direct FCAC Branch/Divisional Heads to consider their recovery strategies, and
• Invoke business continuity procedures (The Commissioner may delegate the authority to invoke to another FCAC executive).

Once the BCP has been invoked the Incident Manger or a member of the Incident Management Team will record significant events and actions. The log is found at

Annex A– Incident management checklist and forms

4.3 Concept of Operations

This BCP is executed in three distinct phases.

Table 1- Phases of BCP Implementation

Table 2- BCP Activation Triggers

Health and safety

Critical Service Failure

Coordinated Response

4.4 Crisis communications

Communications to staff and the Government of Canada is an important priority in a crisis. While others may prepare messaging, FCAC speaks with one voice. All internal and external crisis messaging needs to be coordinated and as required, approved by the Commissioner or her delegate.

The Commissioner does not require the Public Affairs Crisis Communications Team to be co-located with her, but she must have means of communicating with the Assistant Commissioner of Public Affairs Branch and that team.

4.5 FCAC succession plan

Under article 8 and 11 of the FCAC Act, the Commissioner may authorize any person employed in the federal public administration to exercise and perform, in any manner and subject to any terms and conditions that the Commissioner directs, any of the powers and functions of the Commissioner in relation to human resources management in the public service and may, from time to time as the Commissioner sees fit, revise or rescind and reinstate the authority so granted. From a succession perspective, should the named deputy or assistant commissioner be unable to fulfil the duties of Commissioner, and has the time, he or she may sub-delegate to another officer or employee within the agency.

Under Section 11 of the FCAC Act, in the event of the absence or incapacity of the Commissioner, or if the office of Commissioner is vacant, the Minister may appoint a qualified person to exercise the powers and perform the duties and functions of the Commissioner, but no person may be so appointed for a term of more than 90 days without the approval of the Governor in Council.

5. Disruption Scenarios and Recovery Strategies

While incidents may be caused by a wide variety of factors, the types of impacts which may disrupt business fit into just a handful of categories. For example: flood, building fire, or HVAC system failures all cause a loss of workspace or a pandemic or epidemic cause a temporary or permanent unavailability of personnel.  This section identifies FCAC’s recovery strategies for the most common causes of business disruption.

5.1 Loss of workspace

Description

The work areas used to house and host FCAC business processes becomes unavailable either permanently or temporarily.

Recovery Strategies

1. Direct staff to work remotely using telework technology. This strategy works for all activities but for local security and shipping/receiving which must be performed on-site.
2. When and if available, temporarily ask staff to use a Government of Canada GCcoworking site (there are 5 in the NCR) to perform work or conduct meetings.

5.2 Loss of personnel

Description

The permanent or temporary unavailability of FCAC personnel.

Recovery Strategies

1. Direct alternate staff to step into the role of unavailable staff.
2. Temporarily reassign staff within FCAC from non time critical roles into time critical roles.
3. Use documented Standard Operating Procedures (SOPs) to guide qualified, but unfamiliar person(s) to perform that activity or hire externally to fill vacant positions.

5.3 Loss of IT Infrastructure, IT applications or databases

Description

A failure of the FCAC IT infrastructure (whole or in part) disrupting FCAC activities.

Recovery Strategies

1. Invoke Information Technology Service Continuity (ITSC) plans.
2. Invoke manual work around procedures to perform activities without IT support, while ensuring that work performed may eventually be reconciled once IT systems become available again.

5.4 Physical record destruction

Description

Some files and documents are still held in physical form. It is assumed unlikely that access to intact physical records could be interrupted while the rest of the work areas remain available. This scenario involves only the destruction of physically stored records. The most likely scenarios are fire or fire-related water damage within the records rooms.

Recovery Strategies

1. Retrieve and use duplicate copies of important or time-critical documents that have been previously kept off-site.

5.5 Loss of Equipment or Supplies

Description

The loss of, or inability to replenish equipment or supplies required for FCAC activities.

Recovery Strategies

1. Invoke service level agreements or memorandums of understanding with suppliers and partners that oblige them to deliver services to FCAC within defined timeframes.
2. Approach alternate suppliers to provide comparable supplies or equipment to FCAC.
3. Invoke mutual aid agreements that allows FCAC to use partner organization’s specialized equipment following a disruption.

6. Critical business functions

6.1 Maximum allowable downtimes (MAD)

FCAC does not perform any Government of Canada critical business functions^{Footnote 4} . There are however, two core responsibilities (plus Internal support services) that are critical to the fulfilment of FCAC’s legislated mandate. The unavailability of these key programs would prevent or significantly impact FCAC’s ability to achieve its mandate.

The table below presents these key activities supporting the delivery of the core responsibilities.  Any work not identified in the table below would be suspended until the incident has been resolved. The MAD of some branches/divisions will vary depending on time of year or whether specific projects are underway.

Table 3- Time critical activities essential to FCAC recovery

Maximum Allowable Downtime: Within 4 Hours

Within 72 hours

6.2 Business Continuity Plans

Individual branch/divisional business continuity recovery plans are designed to recover the time critical activities of each branch/division within their MAD.

Branch/divisional Business Continuity Recovery plans are maintained in GC DOCS by each Branch. Links to their respective plans are listed below. Plans are formatted into the following sections:

1. Office Identification
2. Time-Critical branch/divisional Recovery Team List
3. Time Critical Key Activities
4. Business Recovery Team Meeting Locations
5. External Parties to Notify
6. Staff Contact List
7. Key Activity Recovery Guides and Checklists

Business continuity plan to address a pandemic is found at

Annex C

Links to all Branch/Division Recovery Plans are found at

Annex D

Annex A – Incident management checklist and forms

A.1 Recovery team lead checklist

Table A-1: Recovery Team Lead Checklist

Situation Occurred / Potential:

✓ Notification process

• Note, scope, impact & location of incident (potential or real)
• Initiate Recovery Team call tree, and record results on plan checklist
• When and if advised, go directly to Business Recovery Team meeting location
• Contact the CSO (as the designated Incident Manager) or delegate and receive instructions
• Continue to escalate the notifications & make additional contacts, as required

✓ Assessment and Recommendation Process:

• Participate in any Incident Management briefings
• Assess the impact of the situation in your area of responsibility
• Determine the possible length of interruption
• Provide to the CSO (as the designated Incident Manager) or delegate any options and recommendations for resolution, prioritization of effort, etc.

✓ Management Decision:

• Direct the recovery efforts of your Business Continuity Recovery Team
• Coordinate with the CSO (as the designated Incident Manager) or delegate regarding all administrative issues
• Invoke plans or parts there of – proceed to activation
• Stand down
• Stand by – Continue to monitor situation & reassess options to determine if necessary to activate or can stand down
• Review tasks to be performed and assign personnel

✓ Recovery Process:

• Direct the recovery efforts of your Business Continuity Recovery Team
• Coordinate with the CSO (as the designated Incident Manager) or delegate regarding all administrative issues
• When ordered to do so, designated personnel will contact key vendors and advise them about the situation and the recovery requirements. Specific key vendor information is located at the end of each recovery plan.
• Distribute copies of any documents that may be needed during the recovery operation.
• Personnel may be assigned to provide recovery support needed by other teams, as needed

✓ Identify the category in which other personnel will be alerted. Consider:

• Personnel that may be needed to give aid to other teams.
• Personnel that will be needed at the work area to resume normal business functions; and

Personnel who will stay home and remain on standby (they will be needed when the initial group needs rest).

A.2 BCP event management forms

Damage impact assessment

The purpose of a damage assessment is to quickly determine the impact (injury level) of a disruption and whether activation of the BCP Recovery Team is warranted.

• Step 1: The CSO or DCSO is notified or acknowledges a disruption has occurred and as soon as possible, arranges for facilities management to conduct and report upon the damage to evaluate the site capabilities to maintain and deliver services. If any service or activity has received a high or very high injury (see Figure 6-1) then activation of recovery teams is considered.
• Step 2. CSO or DCSO makes a conference call activate the crisis management team to discuss the need to activate Recovery Teams based on the Immediate Impact Assessment. If yes, proceed to next tasks.

Figure A-3 – Example Immediate Impact Assessment Form

Immediate Impact Assessment Form

• Institution (Department):
• Branch:
• Division:
• Business Unit/Program:
• Location (Building Address, City/Town):
• Description of Disruption Impact: (Briefly describe the general damage to and impact on the affected resources (people, building, IT, equipment, etc.) and critical services. Estimate recovery time vis a vis MAD/RTO)

Service/ Activity/Resource

• Clear
  • No impact.
  • Business is normal
• Low Injury
  • Minor Impact
  • We are busy but maintaining service level
  • Very short-term disruption
• Medium Injury
  • Moderate impact.
  • Service is reduced
  • Limited short-term disruption within MAD
• High Injury
  • Serious impact
  • Service is below desired minimum service level.
  • Risk that disruption will exceed MAD/RTO
• Very High Injury
  • Critical Impact
  • Little or no service.
  • Risk that disruption will significantly exceed MAD/RTO

Recommend Activate Recovery Team

• Yes
• No

FCAC Recovery status report

When requested, the Team Lead will prepare a Recovery Status Report at a minimum of 60 minutes after the recovery task commences, then as directed by the CSO (as the designated Incident Manager) up to, or upon completion of an activity.

FCAC Recovery Status Report

Branch/Divisional Business Continuity Recovery Teams should check-in with the Incident Manager (or designate) with their progress on a minimum twice-daily basis.

The Recovery Status Report is completed by each branch/divisional Business Continuity Recovery Team Lead.  This “Checkpoint” report should be submitted to the Incident Manager (or delegate).  The Incident Manager requires this information to make decisions and advise the Commissioner.

• Name: 
• Branch/Division: 
• Date: 
• Time: 
• Location: 
• Branch/divisional Recovery Status, Concerns, Issues, and/or Recommendations:

Incident and action log

The purpose of this information is to provide a record log of decisions and actions taken in the event of an emergency.  This will help to avoid confusion, reduce duplication of work, and identify successes and lessons learned. The Incident Manager or a member of the Incident Management Team will keep this log throughout the entire event.

Instructions:  This would be completed once the BCP has been invoked.

BCP incident and action log

• Time/Date of Incident
• Incident information
• Person Reporting information and brief description
• Actions taken
• Decisions taken and time of actions/decisions
• Authority responsible for decision

Annex B – Notification guide

During an incident, communication by telephone is preferred. Other means, such as email or SMS (texting) may be available but should not be relied upon.

Do not use social media

A recovery team lead or manager, alternate or assigned individual will convey the following information to team personnel:

• Brief description of the problem;
• Location of the CSO (as the designated Incident Manager);
• Phone number of the CSO (as the designated Incident Manager) (or delegate);
• Immediate actions to be taken;
• Whether or not 427 Laurier Ave W. can be accessed;
• If applicable, the location and time the team will meet;
• A reminder that all team members should always carry photo identification with them and be prepared to show it to security or local authorities; and
• Instructions not to make any statement to the media.

During notifications of an interruption, this guideline applies to all personnel.

When a disruptive event occurs, the Commissioner through the CSO or DCSO, will keep all employees designated non-critical updated via tools such as the employee information number 613-941-1424 or as appropriate, direct telephone calls to them.

All critical employees with response and recovery team responsibilities will be contacted and may be asked to report to a pre-determined alternate work location^{Footnote 5} .

Employees Contact Lists

Branch: Office of the Commissioner (including Legal Services and Secretariat)

GC DOCS link: 

Branch: Research, Policy and Education

GC DOCS link: 

Branch: Public Affairs

GC DOCS link: 

Branch: Human Resources

GC DOCS link: 

Branch: Corporate Services

GC DOCS link: 

Branch: Supervision and Enforcement

GC DOCS link: 

Annex C – Business continuity plan to address a pandemic

Background and Context

A pandemic is the global outbreak of a disease. Pandemics are generally classified as epidemics first, which is the rapid spread of a disease across a particular region or region. An epidemic or pandemic can cause social disruption, economic loss, and general hardship.

This annex outlines the steps that FCAC may take before and during a pandemic in support of:

• The health and wellbeing of all FCAC’s stakeholders, including visitors on site at FCAC offices;
• The reputation of FCAC; and
• Continuity of time-critical business activities within FCAC.

Triggers for initiation of this plan and for its modification and cessation will be informed by the Treasury Board of Canada Secretariat, who coordinates pandemic related activities across the government. This formal trigger does not preclude FCAC’s Commissioner from taking preventive measures consistent with this plan. In all cases, the pandemic response will be adaptable to the situation to ensure the response is appropriate, timely and reflective of the emerging risks.

Planning Assumptions

Business Continuity Plan (BCP) - The BCP for FCAC is in place with defined time-critical services, critical staff, minimum service levels required to maintain time-critical services, and maximum allowable downtime for each time-critical service. These elements will be known and understood by all stakeholders.

Threat – The threat of pandemic will be monitored and assessed by the CSO. As the facts related a possible or announced pandemic emerge, this response plan will be adjusted accordingly.

• Magnitude - It is difficult to predict the impact of a pandemic with certainty but disruption to business operations in the event of a pandemic is anticipated to be mainly human-resource oriented. The generally accepted assumption is that the virus can cause infection in up to 60 per cent of the population. In addition to significant illness, a pandemic may cause death and social disruption.
• Duration – If the virus follows previous patterns, expect two distinct waves of illness, 3 – 9 months apart and each lasting at least 6 – 8 weeks. FCAC will plan for up to 50% staff absences for periods of approximately two weeks at the height of a severe pandemic wave, and lower levels of staff absence for a few weeks on either side of the peak.
• A quarantine period may be established by public health officials. For example, COVID 19 identified a global quarantine standard of 14 days for people suspected to have the illness, were exposed to people with the illness, or travelled to an affected area. During this period, they would be in either a formal quarantine or “self-quarantine” in which they should not go out in public or interact with others in order to limit the potential spread of the virus. Some but not all personnel in quarantine may be too ill to perform any work, even remotely.
• Staff Absences - Staff absences can be expected for several reasons:
  • Illness / incapacity (suspected / actual / post-infectious);
  • Some employees may need to stay at home to care for the ill;
  • People may feel safer at home (e.g., to keep out of crowded places such as public transport);
  • Some people may be fulfilling other voluntary roles in the community; and
  • Others may need to stay home to look after school-aged children (schools are likely to be closed).
• Information Technology - FCAC has the technical infrastructure to offer remote, collaborative teleworking capabilities. Technological limitations may require the prioritizing of personnel having access to the system. Guidelines related to the normal use of cloud services versus VPN access will be issued and guided by the time-critical services identified in the BCP.

FCAC Approach

Pandemic Strategy

FCAC takes a phased, proportional response to pandemic response. The four phases of this approach are:

1. Business-as-Usual: Actions taken during usual circumstances to ensure adequate preparedness for a pandemic.
2. Warning Phase: Precautionary measures taken when a pandemic has not yet arrived, but outbreaks or potential outbreaks of an illness have occurred within Canada, North America or other places in the world.
3. Pandemic-Phase: Full-scale measures meant to slow the spread of an illness which is known to exist within Canada.
   1. For the COVID-19 pandemic, FCAC developed and implemented a Return to Office Playbook (e.g., refer to GC DOCS #359806)
4. Post-Pandemic Phase: Stand-down procedures to return FCAC to business-as-usual following a disruption.

FCAC pandemic planning will focus on the following key areas:

Table 4 - Controls for Pandemic Mitigation

Category: Business continuity

Personal Hygiene

Communication

Social or Physical Distancing

Cleanliness

IT

Stockpile Health Supplies

FCAC promotes the following pandemic related procedures and protocols.

• Decisions concerning alternative work arrangements in the event of a pandemic will be made in accordance with Agency HR policies. These policies are compatible with the departmental BCP.
• In the event of a temporary office closure, branch heads, where possible and appropriate, will encourage their employees to discuss what arrangements may be made for off-site meetings, lists of priority actions, and options to best remain in touch and up to date on the activities of their work unit.
• Face-to-face meetings will be postponed to the greatest extent possible. The use of teleconferencing will be maximized.
• All unnecessary travel will be prohibited. Mission-critical travel will be approved based on the travel risk level of the location being visited, including any in-transit connections.
• Should access to the workplace not be possible, branch heads should consider what issues and projects urgently need to be dealt with and what work employees working off-site can most easily complete.
• Branch heads will maintain an up-to-date contact list for staff, suppliers, and other stakeholders.
• All employees will immediately report an absence to their respective managers.
• Managers will inform their respective branch heads of the number of absences and the impact to their operations.
• Cross train employees so they can effectively cover other duties, including delegates and backups.
• Employees will be encouraged to use the Employee Assistance Program (EAP) or counselling services to deal with stress and grief related issues.
• Employees should be encouraged to check FCAC’s Emergency Hotline regularly for status reports and updates.
• Employees with remote access and cell phones should be expected to work from home or an alternate location.
• Employees should be reminded of the necessity to safeguard personal or sensitive information outside the workplace.
• Good mental health practices during a pandemic:

HR Mental Health Guide

Communications (Internal and External)

FCAC will utilize several internal methods to promulgate pandemic-related information to employees.

• Pandemic information will be available on the FCAC Forum, with links to external sites as well. Employees will be encouraged to self-educate by going to related Government of Canada sites such as the GCintranet. There they will find information such as Frequently Asked Questions, Resources and Related Links. Employees can refer to the guidance, which is updated as necessary.

Pandemic Influenza Planning & Preparations will be a standing item at Health & Safety Committee meetings (as warranted by elevated threat levels).

In addition, posters and communiqués will be distributed and/or posted in the lunchrooms and/or washrooms as appropriate to bring new information to the attention of FCAC employees.

Annex D - Branch business recovery plans

Each Branch Recovery Plan is found at the following links. Each plan owner is responsible for the update and maintenance of their respective plans.

• Office of the Commissioner (including Legal Services and Secretariat): Office of the Commissioner Recovery Guide
• Research, Policy, and Education: RPE Branch Recovery Guide
• Public Affairs: PAB Recovery Guide
• Human Resources: HR Division Recovery Guide
• Corporate Services: Corp Services Recovery Guide
• Supervision and Enforcement: SEB Recovery Guide

Annex E - Supporting elements critical to recovery activities

Internal interdependencies

The table lists the internal and external interdependencies required to support recovery activities.

External dependencies

The table below lists internal and external departments, agencies, organizations, or companies that depend on each critical business function.

Critical Documentation and Files

The table below identifies critical/legal and business records as well as off-site storage location requirements.

• Critical area: Commissioner/Management Team
  • Critical, Legal, Business and other records : GC DOCS
  • Off-site storage media (i.e. Hard/electronic copies, memory stick etc.): Memory sticks
  • Critical records that are SECRET and above please indicate security classification level, the name, address, contact number and fax number of persons authorized to access these records: Not on system

• Critical area: Supervision and enforcement Branch
  • Critical, Legal, Business and other records :
  • Off-site storage media (i.e. Hard/electronic copies, memory stick etc.):
  • Critical records that are SECRET and above please indicate security classification level, the name, address, contact number and fax number of persons authorized to access these records: Draft legislation/ Regulations, Dept., of Finance documents (e.g. discussion papers, internal memos)

• Critical area: Research, Policy and Education Branch
  • Critical, Legal, Business and other records : Contact lists for: key stakeholders, ICFL, National Steering Committee, regional financial literacy networks
  • Off-site storage media (i.e. Hard/electronic copies, memory stick etc.): Off-site storage media (i.e. Hard/electronic copies, memory stick etc.)
  • Critical records that are SECRET and above please indicate security classification level, the name, address, contact number and fax number of persons authorized to access these records:

Essential Records

Essential Records/Information 

Depending on the severity of the crisis, the following items may need to be replaced / recovered from the backup sources identified below.

Please note that all records in electronic format stored on FCAC servers are also recoverable from offsite backup tapes stored at the Iron Mountain. Currently, Michelle Labreche and her alternate, Stephane Dupel are authorized and can request tapes from Iron Mountain.

Annex F – Glossary

Alternate site—An auxiliary location held in varying states of readiness and used to process data and/or deliver critical services or business operations in the event of a disruption. (Emergency management [EM] vocabulary—Terminology Bulletin 281, 2012)

BCP communications strategy—A communications and media relations strategy to be implemented in normal times and during the response and recovery stage of disruptions.

Business continuity plan (BCP)—A plan developed to provide procedures and information for the continuity and/or recovery of critical service delivery and business operations in the event of a disruption. (EM Vocabulary—Terminology Bulletin 281, 2012)

BCP disaster—This phrase is particular to the methodology of business continuity planning. In the context of the BCP program, declaring a BCP disaster refers to the process of activating and implementing BCPs and arrangements to ensure that the department’s critical services are delivered continuously or with only short downtimes.

BCM program—A BCP program includes the full range of BCP activities in a department. In accordance with the Government of Canada’s operational standard for BCP, such a program is composed of four elements:

• establishment of BCP program governance
• analysis of business impact (BIA)
• development of business continuity plans and arrangements
• maintenance of BCP program readiness

The mandatory requirements for building each of the four elements of a BCP program are contained in the operational standard for BCP. This technical documentation introduces readers to each of these elements and provides guidance and best practices on how to prepare each element.

Business continuity management (BCM)—An integrated management process involving the development and implementation of activities that provides for the continuity and/or recovery of critical service delivery and business operations in the event of a disruption. (EM Vocabulary—Terminology Bulletin 281, 2012)

Business continuity recovery site—The department’s alternative facility configured with hardware, software, telecommunications, offices and sufficient space for all participants. It is made specific to the department’s requirements.

Building emergency and evacuation plan (BEEP)—A written plan to prevent or limit loss of life or damage to property or the environment that consists of procedures and activities to be implemented immediately before, during and after an emergency. (Preparing for Emergencies and Evacuation of Buildings: A Guide for Federal Departments—Treasury Board Secretariat, July 31, 2015)

Business impact assessment (BIA)—The process of analyzing the degree to which a department is exposed to risks and impacts that could affect its ability to function or its ability to provide for the continuous delivery of critical services. The process consists of several steps: determining critical services and their priorities; determining minimum service levels and maximum allowable downtimes; mapping dependencies to critical services; assessing risks and existing recovery capabilities; and formulating strategies for recovery.

Business enabling functions (BEFs) – Services and activities that support the delivery of critical services or activities. BEFs are also referred to as critical support services.

Business operation—Business services, processes and associated resources that are specific to the internal functioning of a federal government institution. (EM Vocabulary—Terminology Bulletin 281, 2012).

Call tree—A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors and other key contacts in the event of an emergency, disaster or severe outage situation.

Chief security officer (CSO)—Responsible for the implementation of the department’s security program.

Crisis communication—The gathering, coordination and timely dissemination of crisis-related information and opinion to target audiences, in an effort to maintain or restore the public’s sense of appropriateness, tradition, values, safety, security or the integrity of the government. (EM Vocabulary—Terminology Bulletin 252, 2003)

Crisis management team—A group directed by senior management or its representatives designated to lead incident/event response comprising personnel from such functions as human resources, information technology facilities, security, legal, communications/media relations, operations and other business critical support functions. (ASIS International)

Command, control and coordination—A crisis management process. Command means the authority for an organization or part of an organization to direct the actions of its own resources (both personnel and equipment). Control means the authority to direct strategic, tactical and operational operations in order to complete an assigned function. This includes the ability to direct the activities of others engaged in the completion of that function—that is, the crisis as a whole or a function within the crisis management process. The control of an assigned function also carries with it the responsibility for the health and safety of those involved. Coordination means the integration of the expertise of all the agencies/roles involved with the objective of effectively and efficiently bringing the crisis to a successful conclusion.

Continued—Refers to an activity which can be interrupted but must be restored within an acceptable timeframe.

Critical service—A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the effective functioning of the Government of Canada. (Policy on Government Security, 2009)

• Health of Canadians—Refers to “emergency care and response” services required to ensure the provision of sustenance and to avoid high injury. Includes those emergency services needed to save lives and restore individuals to normal functioning after severe trauma or an accident.

See also:

• Safety of Canadians—Includes those essential services (such as fire, police, ambulance) and broader safety services (including nuclear safety, HAZMAT response, mitigation of the effects of chemical, biological, radiological of nuclear contamination, search and rescue services, the safety of buildings, public areas and public gatherings) required to maintain a life-sustaining environment, ensure the provision of sustenance and protect the safety of the individual.
• Security of Canadians—Includes those essential services required to maintain public order, vital communications and transportation, the continuity of government, the territorial integrity and sovereignty of the nation, the security of buildings, public areas and public gatherings, and the security of Canadians, so as to avoid high injury. 
• Economic well-being of Canadians—Includes those essential and fundamental economic, monetary and fiscal services required to maintain income security, economic stability, essential banking services, and government sponsored benefits programs required to sustain the economic well-being of Canadians and avoid high injury.
• Effective functioning of government—Includes those essential government services, constitutional arrangements, programs, policies, regulations, legislation, buildings and human and financial resources required to keep government effective and avoid high injury.

Department—As in the Policy on Government Security, “department” means a department or agency of the Government of Canada, subject to this policy. 

Dependency – The reliance of a service on internal and external services, assets, and resources (including individuals). Dependencies are required to work in collaboration during a disruption to continue and recover the critical service or activity.

Disruption—In this report the word “disruption” includes emergencies, disasters, incidents, outages and events. A disruption includes any abnormal situation that could compromise the delivery of a department’s critical services.

Impact—The effect, acceptable or unacceptable, of an event on an organization. The types of business impacts are usually described as financial and non-financial and are further divided into specific types of impact.

(IT) service continuity planning—ITSC plans outline the specific actions required to restore the damaged IT system. ITSC and BCM plans must be aligned with each other to ensure that the recovery of IT systems and information supports business continuity requirements. ITSC plans ensure all critical applications and related IT services are able to meet their expected levels of availability, reliability and recoverability, both from a technology resiliency perspective and key HR requirements.

Maximum allowable downtime (MAD) – The longest period of time in which a service or activity can be unavailable or degraded before a high or very high degree of injury results. The MAD is expressed as time, and consists of all required activities to recover services and activities to a minimum service level.

Minimum service level (MSL) – The lowest level of service delivery which is necessary to avoid a high or very high degree of injury, and that is maintained until full recovery is achieved for critical services and activities and BEFs.

Participants—People who are involved in the BCP program. Includes senior management, recovery teams, BIA survey teams, working groups, the executive sponsor, the BCP coordinator and the CSO.

Plan—Documents containing a series of measures or arrangements to protect, detect, respond to or recover from a disruption. 

Plan activation—The plan is prepared for implementation. In this stage, senior management is being briefed on the situation. Initial notifications are sent to advance teams. Readiness levels are upgraded according to the Government of Canada readiness level standard or internal departmental policy. Minimal financial expenditures are used at this stage.

Plan implementation—The plan is fully applied pursuant to an internal disaster declaration. Full financial expenditures are approved to implement the BCM process.

Recovery—The restoration of full levels of service delivery.

Recovery point objective (RPO)* – The established point in time up to which data must be recoverable after interruption or disruption in an organization’s information and technology systems.

Recovery time objective (RTO) – The established period of time within which services, activities, BEFs, resources and/or associated assets must be recovered after a disruption, in order to meet the MSL and avoid exceeding the MAD.

Risk assessment* – The overall process of risk identification, risk analysis and risk evaluation.

Response—Activating mechanisms to deal with a disruption.

Suppliers—People, institutions and companies that supply the department with assets, human resources or material to support the delivery of critical services. These include operational suppliers, which deliver supplies in normal times, and recovery suppliers, whose services are used in the event of a disruption.

Vital records—Records or documents that, if damaged or destroyed, would cause considerable inconvenience and/or require replacement or recreation at considerable expense.

Virtual private network (VPN)—A computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization’s network.

Annex G – Acronyms used in this document

BC: business continuity

BCP: business continuity plan (or business continuity planning)

BCM: business continuity management

BEEP: building emergency evacuation plan

BIA: business impact assessment

CHRC: Canadian Human Rights Commission

CSO: Chief security officer

CMT: crisis management team

DR: disaster recovery

FCAC: Financial Consumer Agency of Canada

FISC: Financial Institutions Supervisory Committee

FRFE: federally regulated financial entities

GC Docs: The Government of Canada's solution for meeting the legal and policy requirements for information management of electronic and paper documents and records.

HR: human resources

ICE: in case of emergency

IM: information management

IT: information technology

MAD: maximum allowable downtime

MOU: memorandum of understanding

MSL: minimum service level

OSFI: Office of the Superintendent of Financial Institutions

SSC: Shared Services Canada

VPN: virtual private network