ARCHIVED - Final Audit Report - Audit of Business Continuity Planning

March 2011

Executive Summary

A business continuity plan is a documented collection of procedures and information that is developed and maintained in readiness to deliver continuity of critical services in the event of a disruption. Health Canada has an integrated security program which includes a departmental Business Continuity Planning (BCP) Program under the leadership of the Corporate Services Branch.

The objective of the audit was to assess Health Canada's BCP management control framework, in regard to governance, risk management, and control. The audit was conducted by the Audit and Accountability Bureau. In the professional judgement of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

The Department's BCP Program has grown considerably in the last year. The Safety, Emergency and Security Management Division worked diligently to further enhance its BCP Program including the development of a governing framework, methodology for developing continuity plans, a central repository for holding continuity plans and corporate leadership to the Branches and regions in the development of continuity plans. These actions have better positioned the Department to provide for continuity readiness.

In addition, the BCP Program successfully supported Health Canada's participation in recent national events such as the 2009-2010 Influenza A/H1N1 pandemic, the 2010 Olympic Games in British Columbia and the G-8 and G-20 summits in Ontario. In October 2009, Health Canada was deemed "ready" in the event of a pandemic disruption by Public Safety Canada. Likewise, for the 2010 Olympic Readiness exercise conducted by the Government of Canada, the Department was also pronounced as "ready." In addition to the invaluable experience gained from the recent participation in national events, Health Canada's security program received a "strong" rating based on the 2009-2010 self-assessment for the Management Accountability Framework.

The audit highlights some areas where additional actions would serve to further strengthen the emergency management culture at Health Canada and to better align the program to the Government of Canada's "Operational Security Standard - BCP Program." For example, while the business impact analysis template contains many of the essential elements, its scope should be expanded to include all elements outlined in the standard. Strengthened business impact analysis practices would improve the quality of information derived from the analysis and allow for improved decision making in order to develop a "short list" of critical services and the development of corresponding recovery strategies.

In 2009-10, the BCP team worked with the Branches to have them prepare and update their continuity plans in preparation for a potential pandemic. The plans are stored in the BCP database. The audit sampled plans and noted they could be more comprehensive, including explicit identification of dependencies and thoroughly described recovery strategies to better prepare the department for business disruptions. As well, the implementation of a permanent maintenance cycle will increase the likelihood of having accurate, up-to-date plans in the event of a disruption to operations.

While it is not required for departments and agencies to have a corporate continuity plan it is often a goal as the BCP Program evolves. Work in these key areas will serve to strengthen the BCP function and better position the Department to produce a corporate plan over the long-term.

Management has agreed with the eight recommendations and has developed an action plan which will serve to further strengthen the Department's business continuity planning program.

1. Introduction

1.1 Background

A business continuity plan is a documented collection of procedures and information that is developed and maintained in readiness to deliver continuity of critical services in the event of a disruption. It includes recovery (service restoration) strategies, measures to deal with impacts and effects of disruptions, responsibilities and tasks of response and recovery teams, as well as resources and procedures for recovery.

According to the definition in the Treasury Board Policy on Government Security, a critical service is a service that if not available could result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada.

BCP has seen considerable evolution as a management practice since Y2K (Year 2000) established the importance of contingency planning for information assets (data that is of value), while September 11, 2001 demonstrated that although high impact/low probability events can occur, recovery is possible. The 2007 Government of Canada Emergency Management Act reinforced the requirement for departments to plan for the continuity of operations in the event of an emergency. As such, BCP at Health Canada continues to progress.

Health Canada has an integrated security program, which includes the Departmental BCP Program, under the leadership of the Corporate Services Branch's Safety, Emergency and Security Management Division. The mandate of Health Canada's BCP Program is to provide for the continued availability of critical services and associated assets to assure the health, safety, security and economic well-being of Canadians, and the effective functioning of government. As well, each Branch and Region is responsible for the development of local continuity plans.

The Department's BCP Program has grown considerably in 2009-10. The Security Management Division worked diligently to put in place a more comprehensive program including a sound governing framework, a methodology for developing continuity plans, a central repository for holding continuity plans and corporate leadership to Branches and Regions in the development of continuity plans.

Moreover, the BCP Program supported Health Canada's participation in recent national events such as the 2009-2010 Influenza A/H1N1 pandemic, the 2010 Olympic Games in British Columbia, and the G-8 and G-20 summits in Ontario. Leading up to the H1N1 pandemic, all implicated departments were assessed on fifteen criteria in order for Public Safety to deem a Department/Agency "ready." In October 2009, Health Canada received the full "readiness check" on all fifteen criteria and was therefore identified as "ready" in the event of a pandemic disruption. Likewise, for the 2010 Olympic Readiness exercise conducted by the Government of Canada, the Department was also identified as "ready." In addition to the invaluable experience gained from the recent participation in national events, Health Canada's security program received a "strong" rating based on the 2009-2010 self-assessment for the Management Accountability Framework.

1.2 Audit Objective

The objective of the audit is to assess Health Canada's Business Continuity Planning management control framework, in regard to governance, risk management, and control.

1.3 Scope and Approach

The audit of BCP was undertaken by the Audit and Accountability Bureau in accordance with the Health Canada Risk-Based Audit Plan for 2009-2010 to 2011-2012 which was endorsed by the Departmental Audit Committee on May 22, 2009 and subsequently approved by the Deputy Minister. The audit was conducted in accordance with the Treasury Board Policy on Internal Audit and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The audit examined Health Canada's BCP Program for compliance with the Government of Canada "Operational Security Standard - BCP Program" (hereafter referred to as the Government of Canada BCP standard). The audit criteria were derived from the Government of Canada BCP standard and other management control frameworks (see Appendix A).

The scope period for the audit was January 1, 2009 to August 18, 2010. The audit was carried out within Branches and Regions and methodologies included: a review of BCP records, documentation, business impact analyses, policies, standards, guidelines, frameworks and continuity plans. Interviews were conducted with various BCP stakeholders. In addition, a risk-based sample of continuity plans for the most critical services (those which need to resume within 24 hours) was reviewed.

While the audit determined whether continuity plans had recovery strategies in place--including Information Management and Information Technology (IM/IT) recovery strategies--it did not test the technical feasibility of implementation. The audit examined arrangements with external service providers including other government departments, but did not assess the continuity plans of organizations external to Health Canada.

Lastly, during the audit, Public Safety Canada was in the process of conducting a review of the department's critical services. Management has reported that they have completed the exercise by providing the Department's list of critical services to Public Safety Canada, as requested of all Government departments.

1.4 Statement of Assurance

In the professional judgement of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

2. Findings, Recommendations and Management Responses

2.1 Governance

2.1.1 Strategic Oversight for BCP

Audit Criterion: Departmental senior managers provide strategic oversight for the BCP Program.

Senior Management

The Deputy Minister and the Executive Committee provide strategic senior management oversight and direction for the BCP Program to ensure that critical services remain available during a crisis situation and to maintain day-to-day operations of the BCP Program. As expected in a crisis, the Executive Committee would guide and direct the response measures to be implemented and would provide general direction on communications. If required, the Committee would coordinate measures with other government departments and would authorize the reassignment of specialized personnel.

[Figure: Health Canada Business Continuity Planning Governance Structure]

Departmental Security Officer

The Executive Committee is supported by the Departmental Security Officer who establishes and directs the Department's security program. Under the direction of the Departmental Security Officer, Health Canada has designed and implemented an integrated security program which includes the BCP Program. The Departmental Security Officer is responsible for implementing the BCP Program and in doing so, is responsible for assessing all Branch and Region continuity plans.

As part of the Departmental Security Officer's priorities, the annual commitments for the BCP Program were communicated in the Health Canada 2010-2011 Departmental Operational Plan. Furthermore, BCP Program management intends to develop an integrated security plan to address departmental risks and participates in the departmental Integrated Risk Management Committee.

Crisis Management Team

Key to the governance of Health Canada's BCP Program is the Crisis Management Team. The Team is at the Director General level and becomes operational during a crisis. During a crisis, the Deputy Minister and the Executive Committee would collaborate with the Crisis Management Team to activate continuity plans. The Crisis Management Team is chaired by the Assistant Deputy Minister, Corporate Services Branch. It has draft terms of reference outlining its mandate and has full membership with appropriate alternates.

The Crisis Management Team holds exercises to increase readiness for the activation of plans in the event of a disruption and to provide orientation to new members. In 2009 the Crisis Management Team held two testing exercises and produced one final after-exercise report which identifies corrective action items. The Crisis Management Team has been conducting ad hoc exercises and would benefit from amending the terms of reference to state a requirement for exercises to be conducted on a regular basis.

Recommendation 1

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with other Assistant Deputy Ministers, revise the terms of reference for the Crisis Management Team to include a requirement for an annual committee exercise.

Management Response

Management agrees with the recommendation.

The Facilities and Security Directorate will be revising the terms of reference for the Crisis Management Team to include an annual Business Continuity Plan (BCP) exercise which will be conducted for all Branches and Regions.

2.1.2 BCP Policy

Audit Criterion: There is an approved BCP Program policy in place for new and existing departmental programs and operations to respond to the Treasury Board of Canada Secretariat policy requirements.

Every Government of Canada department must have a BCP policy to communicate the processes for continuity planning (see Appendix B). The policy should also outline the roles and responsibilities for applying the requirements of the Government of Canada BCP standard to new and existing departmental programs and operations.

Health Canada has a BCP policy embedded in the 2007 Departmental Security Policy. It is aligned with the Government of Canada BCP standard with regards to: the department's responsibility to establish a BCP Program; the identification of the fundamental elements of the BCP Program; and, the role of the Departmental Security Officer. However, the policy would benefit from inclusion of the all-hazards approach (looking at all threats), decentralized plan development, and the usage of the BCP database. While the policy does include the role of the BCP coordinator, it would be stronger by detailing all the elements of the Government of Canada BCP standard. For example, liaison with other government departments is excluded from the policy. It is important that Health Canada integrate its continuity activities with key partners for coordinated delivery of respective mandates. Lastly, the policy would benefit from an explicit description of Regional and Branch roles and responsibilities for new and existing departmental programs to meet the requirements of the Government of Canada BCP standard.

Recommendation 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, update the BCP policy with a more detailed description of the departmental program, as well as roles and responsibilities prescribed in the Government of Canada Business Continuity Planning standard, and have it approved by Executive Committee.

Management Response

Management agrees with the recommendation.

The Facilities and Security Directorate will be updating the BCP policy with a more detailed description of the program, as well as roles and responsibilities as per the Government of Canada BCP standard. The updated policy will be circulated to Branches and Regions for consultation and the final draft will be presented at Executive Committee for approval.

2.1.3 Departmental BCP Coordinator

Audit Criterion: A departmental BCP coordinator has been appointed and fulfills required responsibilities of the BCP Program.

Health Canada has created a BCP coordinator position and the role has been integrated into the BCP Program. The Coordinator has overall administrative responsibility for the BCP Program and keeps the Departmental Security Officer informed of activities throughout the program lifecycle, as required by the Government of Canada BCP standard and the Departmental Security Policy. Responsibilities of the coordinator include: ensuring completeness of plans; collaborating with in-house expertise; and integrating dependency-related and technical information. In addition, the Coordinator has provided numerous training sessions and has designed/directed several exercises, increasing awareness of BCP within the Department.

The work description for the Coordinator reflects most of the requirements of the Government of Canada BCP standard; however, it is missing some, such as coordinating BCP activities with other government departments, coordination with IM/IT, and developing communication strategies. The classified work description includes an administrative reporting relationship to the Departmental Security Officer; however, the Coordinator's reporting relationship is one level removed from the Departmental Security Officer, as the position reports directly to the Director, Investigations and Security Operations.

Lastly, the departmental BCP coordinator position has been staffed on a temporary basis since January 2009. As such, the program would benefit from permanent staffing to retain corporate memory and to stabilize BCP Program activity.

2.1.4 BCP Working Group

Audit Criterion: A BCP working group is in place to support BCP activities--including IM/IT--in collaboration with the BCP coordinator.

A BCP working group is a key forum to provide for the continuity of services. To be effective, working groups should have defined and approved roles and responsibilities and meet regularly.

Health Canada has a Departmental BCP Committee with approved terms of reference. The mandate of the Committee is to facilitate the coordination, on-going maintenance and implementation of the Department's BCP Program and to provide strategic advice. The committee is comprised of a number of BCP stakeholders (e.g. departmental IT security coordinator, real property and facilities management and human resources) as well as Branch and Regional BCP coordinators who are responsible for the development, implementation, maintenance, and application of Health Canada's continuity plans.

Currently, Committee attendance is inconsistent and the appropriateness of members' levels should be reviewed. In addition, the IT Security Coordinator, who provides IM/IT support, has been absent from meetings since January 2009; however, the Information Management and Services Directorate's BCP coordinator participated in some meetings. Overall, the Committee would benefit from increased participation from IM/IT technical experts to support Branches and Regions with the development of continuity plans. Finally, attendance by health portfolio partners and other listed members is irregular.

Without regular meetings, full attendance and effective membership, the Committee is less active than it could be in supporting departmental BCP activities. The Committee is missing a key opportunity for IM/IT to facilitate the development of appropriate recovery strategies for information assets in support of critical services; especially when the opportunity for the integration of BCP and IM/IT expertise--through other working groups or committees such as the IM/IT Business Continuity & Disaster Recovery Committee--is absent.

Recommendation 3

It is recommended that the Assistant Deputy Minister, Corporate Services Branch review membership and promote regular meetings and attendance of the Departmental BCP Committee.

Management Response

Management agrees with the recommendation.

The Facilities and Security Directorate will review and update the Crisis Management Team and the Departmental Business Continuity Management Committee membership lists as a part of the terms of reference and will develop regular meeting cycles which will be mandatory. This will be communicated to the members in order to stress the importance of regular attendance, by either the primary or alternate member.

2.2 Risk Management

2.2.1 Business Impact Analysis

Audit Criterion: There are comprehensive, documented and approved business impact analyses.

A business impact analysis is a fundamental first step in the business continuity process. It is a key methodology used by organizations to determine critical services and priorities. The business impact analysis evaluates the potential impacts of disruptions on the organization to help management identify critical services and prioritize those services for recovery based on the maximum allowable downtime. According to the Government of Canada BCP standard, senior management approval of business impact analyses must be completed before continuity plans are developed; it signifies that all critical services have been identified and that the Department is ready to support the continuity of those services.

Elements of a Business Impact Analysis

  • Nature of the business, services and dependencies.
  • Quantitative and qualitative impacts of disruptions.
  • Potential degree of injury to Canadians in the event of a disruption.
  • Prioritized services, based on maximum allowable downtime, minimum service level and potential degree of injury.
  • Senior management approval prior to developing continuity plans.

Health Canada uses a business impact analysis template to examine services in order to evaluate the potential impacts of disruption and for management decision-making. The information gained from the business impact analysis is used to develop continuity plans. The Department's business impact analyses are stored in the BCP database.

As noted, the business impact analysis is used to determine critical services and supporting systems, however, when a list of level one critical services was requested from the Branches and Regions, it differed from the number provided by the Departmental BCP coordinator. The number of critical services from the Branches and Regions totalled approximately 169 while the corporate function reported 77. Moreover, when a reconciliation was performed between the two sets of data, the critical services differed by as much as 25 percent. Consequently, those identified by the Regions and Branches as critical may not have made the list in headquarters and vice versa. To eliminate the variance there should be an agreed upon and approved Departmental "short list", which would take into consideration the ability of Health Canada's IT infrastructure to support the critical services identified.

Recommendation 4

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with other Assistant Deputy Ministers, identify critical services, supporting systems and assets and table this information to the Executive Committee for approval.

Management Response

Management agrees with the recommendation.

The Facilities and Security Directorate will be identifying and revising the Department's critical services, supporting systems and assets using the Critical Services Mapping results. The Facilities and Security Directorate will use the Crisis Management Team and the Departmental Business Continuity Management Committee as the forum for discussion and for developing a consolidated listing of critical services. A consolidated list of critical services and activities will be presented to the Executive Committee for approval.

Currently the business impact analysis template excludes some elements of the Government of Canada BCP standard such as establishing a list of all services the organization must deliver (e.g. according to legislation, shared service arrangements, memoranda of understanding). The template also excludes identifying internal and external functions on which those services depend, such as information technology specialists responsible for restoring systems that support critical services. Business impact analyses would benefit from information on the quantitative impacts of disruptions (such as projected expenditures related to hiring extra staff), a rationale in the comments section supporting the determination of the level of criticality of services, and recorded approval. While documented business impact analyses were fairly comprehensive, additional elements would be useful in order to fully justify the recovery prioritization of services.

Recommendation 5

It is recommended that the Assistant Deputy Minister, Corporate Services Branch update the business impact analysis template to capture all elements required by the Government of Canada BCP standard including documenting the approval of business impact analysis.

Management Response

Management agrees with the recommendation.

The Facilities and Security Directorate, in consultation with the Departmental Business Continuity Management Committee, will review the current business impact analysis mechanisms and approval processes and develop a needs assessment. Following this work, the Directorate will develop departmental business impact analysis requirements (covering recovery options, continuity planning) to align Health Canada's business impact analysis with the Government of Canada requirements.

The Directorate will seek approval from the Crisis Management Team for the newly developed approval process.

Lastly, the Directorate will update the business impact analysis template to capture all elements as required by Government of Canada Policy based on the results of the needs assessment.

The audit team reviewed continuity plans for 53 of Health Canada's level one critical services for compliance with the Government of Canada BCP standard. The compliance analysis established that 89 percent of the critical services had corresponding business impact analyses, and 77 percent of those were reflected as final in the BCP database. The majority of business impact analyses (89 percent) included maximum allowable downtime information based on financial and operational impacts. However, only 4 percent had contact information for other government departments and vendors (dependency information) specific to the critical service, and documentation supporting the approvals of all business impact analyses was absent.

Level 1 service

Service that is required immediately for the protection of life, public safety and/or the national interest. Maximum acceptable downtime is 0-24 hours.

2.3 Controls

2.3.1 Continuity Planning

Audit Criterion: Business continuity activities, plans and arrangements--including IM and IT continuity plans--are comprehensive, documented, approved, and based on business impact analyses.

Plans are the cornerstone of all continuity activities and require arrangements to be ready for activation in the event of a disruption. In general, BCP practices state that once a service is identified as critical in an approved business impact analysis, senior management approval should be obtained in order to secure support and funding of recovery strategies. Senior management approval is an important control for the most appropriate recovery strategy to be retained.

Health Canada has documented continuity plans in the departmental BCP database. A review of continuity plans corresponding to all level one critical services revealed that only two Branches kept record of continuity plan approvals; for the remaining Branches and Regions, incomplete records were kept. In addition, records were missing for the assessment of recovery options to demonstrate that the most appropriate recovery strategy was selected by senior management.

The sampling exercise previously mentioned also established that 89 percent of the 53 critical services had documented continuity plans. However, 42 percent of plans reviewed do not yet have agreements between the BCP coordinator and the responsible authority that the plan is complete. In addition, recovery strategies were described for only 40 percent of the level one critical services reviewed. The activation procedures section of continuity plans would benefit from having explicit reference to the Deputy Minister's authority and the responsibilities of the Crisis Management Team.

Elements of a Business Continuity Plan

  • Critical services, information assets and dependencies.
  • Approved recovery strategies.
  • Measures to deal with the impacts and effects of disruptions on the department.
  • Membership, contact information, roles, responsibilities and tasks for response and recovery teams, including internal and external stakeholders.
  • Resources and procedures for recovery.
  • Coordination mechanisms and procedures.
  • Communications strategies.

Although a systems audit was not performed on the departmental BCP database, there were reports of plans being lost, and some details in the database are missing from the print version of the plans. In the case of recovery strategies, for example, it is possible to list resources, quantities and requirements and to assign responsibilities in the database; however, the print version contains only resources and quantities, and would benefit from presenting the requirements and responsibilities recorded in the database. In the event of a disruption, printed copies of plans may be the only ones available for use and should, therefore, contain all the details required for implementation.

Health Canada is missing a list of critical services shared with other government departments. Five out of the ten largest dollar value (i.e. higher than $2,000,000) professional services contracts in the Department are inadequately documented as dependencies in the corresponding continuity plans.

In summary, it is reasonable to expect that employees who developed continuity plans may have a more detailed knowledge of recovery procedures than what is in documented plans. However, it is important to fully outline recovery procedures in case of employee absence or departures. Incomplete records were kept of senior management's approval of continuity plans. Records for the assessment of recovery options were also absent. Consequently, there is an increased likelihood that continuity plans will be difficult to implement in the event of a disruption, especially if they have to be implemented by employees less involved in plan development. If continuity plans are imprecise, there is also an increased likelihood that recovery of services (e.g. within 24 hours) may be difficult to achieve.

Recommendation 6

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with other Assistant Deputy Ministers, engage in more rigorous quarterly sign-off of respective Branch and Regional business continuity plans, including descriptions of recovery strategies, and approve the plans.

Management Response

Management agrees with the recommendation.

The Facilities Security Directorate will use the Department Business Continuity Management Committee to communicate the reporting requirements of continuity plans - outlining the importance of better quality, including complete documentation on recovery strategies, with Assistant Deputy Minister sign-off. There will be quarterly reporting completed and this will be communicated to the Assistant Deputy Minister, Corporate Services Branch on a quarterly basis.

In addition, the Assistant Deputy Minister, Corporate Services Branch will communicate these requirements to all other Health Canada Assistant Deputy Ministers.

2.3.2 Maintaining continuity plans

Audit Criterion: A permanent maintenance cycle is established for business continuity plans to be ready to be put into effect.

A permanent maintenance cycle that includes senior management participation is vital to keep plans current with changes in Health Canada's internal and external environment (e.g. legislative and organizational) and ready for implementation in the event of a disruption. The Government of Canada BCP standard defines a permanent maintenance cycle as follows: ongoing review and revision of plans to account for changes; training as required; regular testing and validation of plans, including lessons-learned reports after testing activities or actual events; and development of an audit cycle as the basis for program reporting. A business continuity plan can only be considered complete after it has been tested by Branches and Regions. The purpose of the test exercise is to be sure that the plan will serve the Department in the event of a crisis. The testing that is part of a permanent maintenance cycle differs from Crisis Management Team exercises insofar as it mobilizes the employees responsible for the implementation of recovery strategies to validate the content of plans.

Cost centre managers are responsible for developing business continuity plans; therefore, the Department requires training to guide these decentralized activities. There is considerable departmental database training provided to Branch and Region BCP coordinators across Canada. Training includes a general overview of BCP, common causes of disasters and how to use database features. Training would be strengthened by outlining the requirements of the Government of Canada BCP standard related to business impact analyses, continuity plans and maintenance, as well as the roles and responsibilities of Branch and Region BCP coordinators set out in the Departmental Security Policy.

The departmental BCP Program has required maintenance activities--yearly tests and quarterly updates of continuity plans--which could be carried out more completely. For example, in May 2010, only 28 percent (10 out of 36) of business continuity plans sampled had been tested and only 6 percent had met the quarterly update requirement. As well, the BCP Program is missing an opportunity to produce lessons learned reports based on Branch and Regional testing of recovery strategies and updates of continuity plans.

On July 16, 2010, the audit team conducted a "phone blitz" to test the reliability of the contact information contained in continuity plans. Staff identified in the contact portion of the continuity plans are responsible for the activation of continuity plans and recovery of critical services. The results showed that only 50 percent of the calls were returned within 2 hours and only 25 percent of those staff could confirm their BCP responsibilities. Also noted from the telephone survey was the observation that there is a greater awareness of BCP responsibilities within management teams than with individual employees responsible for the recovery of critical services.

Overall, the program would benefit from reviewing the contact information to ensure its completeness and accuracy so that, in the event of a crisis, the right people in the right place can conduct the necessary work. Testing of departmental IM/IT continuity plans and of Health Canada's Information Management Services Directorate continuity plans by the responsible authorities and the Branch/Region BCP coordinators is also absent.

There may be less awareness of the importance of maintenance due to the fact that the majority of departmental training is focused on the use of the departmental BCP database. In addition, the BCP Program policy should articulate a departmental BCP permanent maintenance cycle. In its absence, Branches and Regions may be using different maintenance cycles, and there is an increased likelihood that continuity plans are inaccurate, outdated, or unworkable if activation is required.
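As an added illustration, not part of the audit report and not Health Canada's BCP database or any of its code, the following Python script applies the two kinds of checks the audit describes above to a constructed set of plan records: completeness of recorded recovery strategies (resources, quantities, requirements and assigned responsibilities, plus a record of senior management approval) and currency against the quarterly-update and yearly-test requirements. It then reports sample coverage figures in the same form the audit used (percentage of sampled plans tested or updated). The plan records, the field names and the 90-day and 365-day thresholds are assumptions chosen to match the text; the audit date used is May 2010, the month the audit cites.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds assumed from the audit text: quarterly updates, yearly tests.
UPDATE_MAX_AGE = timedelta(days=90)
TEST_MAX_AGE = timedelta(days=365)

# Fields each recovery-strategy entry must carry so that a printed copy of the
# plan is usable without access to the database (assumed field names).
STRATEGY_FIELDS = ("resource", "quantity", "requirements", "responsible")

# Constructed audit date (the audit reports its sample results as of May 2010).
AUDIT_DATE = date(2010, 5, 31)


@dataclass
class ContinuityPlan:
    name: str
    approved_by: Optional[str]        # senior manager who signed off, if recorded
    last_updated: Optional[date]      # date of the last quarterly update, if any
    last_tested: Optional[date]       # date of the last test exercise, if any
    strategies: List[Dict] = field(default_factory=list)


def strategy_gaps(plan: ContinuityPlan) -> List[str]:
    """List recovery-strategy fields that are empty or absent in the plan."""
    gaps = []
    for i, entry in enumerate(plan.strategies):
        for f in STRATEGY_FIELDS:
            if not entry.get(f):          # None, "" or 0 all count as missing
                gaps.append(f"strategy[{i}].{f}")
    if not plan.strategies:
        gaps.append("no recovery strategies recorded")
    return gaps


def is_current(stamp: Optional[date], max_age: timedelta, today: date) -> bool:
    """True if the activity was recorded and is no older than max_age."""
    return stamp is not None and today - stamp <= max_age


def review_plans(plans: List[ContinuityPlan], today: date) -> dict:
    """Check every plan and summarise coverage the way an audit sample would."""
    findings: Dict[str, List[str]] = {}
    n_updated = n_tested = n_approved = 0
    for p in plans:
        issues = strategy_gaps(p)
        if p.approved_by:
            n_approved += 1
        else:
            issues.append("no record of senior management approval")
        if is_current(p.last_updated, UPDATE_MAX_AGE, today):
            n_updated += 1
        else:
            issues.append("quarterly update overdue or never recorded")
        if is_current(p.last_tested, TEST_MAX_AGE, today):
            n_tested += 1
        else:
            issues.append("yearly test overdue or never recorded")
        if issues:
            findings[p.name] = issues
    n = len(plans)
    pct = lambda k: round(100 * k / n) if n else 0
    return {
        "sampled": n,
        "pct_updated": pct(n_updated),
        "pct_tested": pct(n_tested),
        "pct_approved": pct(n_approved),
        "findings": findings,
    }


# Constructed sample records; names, dates and entries are invented.
FULL = [{"resource": "Alternate work site", "quantity": 1,
         "requirements": "Network access within 24 hours",
         "responsible": "Regional facilities manager"}]
SAMPLE_PLANS = [
    ContinuityPlan("Region X payroll", "ADM", date(2010, 4, 15), date(2009, 11, 1), FULL),
    ContinuityPlan("Branch Y lab services", None, date(2010, 1, 10), date(2009, 3, 1),
                   [{"resource": "Backup laboratory", "quantity": 1,
                     "requirements": "", "responsible": None}]),
    ContinuityPlan("Region Z call centre", "RDG", date(2010, 3, 20), None, []),
    ContinuityPlan("Branch W licensing", "ADM", None, date(2010, 2, 2), FULL),
]


def sample_report() -> dict:
    """Run the review over the constructed sample as of the audit date."""
    return review_plans(SAMPLE_PLANS, AUDIT_DATE)


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['sampled']} plans sampled: {report['pct_tested']}% tested, "
          f"{report['pct_updated']}% updated this quarter, "
          f"{report['pct_approved']}% with recorded approval")
    for name, issues in report["findings"].items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The point of keeping the checks in one place is that the figures the audit had to gather by hand (share of plans tested, share updated in the quarter, plans with no approval on file) fall out of the plan records themselves, so the same review can be re-run each quarter against the live database rather than once per audit cycle.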

Recommendation 7

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, deliver additional training in conjunction with the BCP database training to better support Branch and Regional BCP practitioners.

Management Response

Management agrees with the recommendation.

The Facilities Security Directorate will implement a BCP training and support strategy for the community of practitioners.

In addition, the Facilities Security Directorate will evaluate and assess the current BCP database and identify gaps/deficiencies to better support Branch and Regional BCP practitioners to develop solutions in terms of templates and training.

Recommendation 8

It is recommended that the Assistant Deputy Minister, Corporate Services Branch implement a permanent maintenance cycle for the BCP Program, including review, training and testing.

Management Response

Management agrees with the recommendation.

The Facilities Security Directorate will develop guidelines and directives for a permanent maintenance cycle in compliance with the Government of Canada BCP standard, which includes, for example, quarterly business continuity plan updates as well as a change management process to validate changes to applications, lists of critical services, sites, and personnel. The Directorate will also consult with the Chief Financial Officer Branch to have the BCP function included in the Integrated Planning and Reporting Framework.

3. Conclusion

Overall, the BCP Program continues to evolve. The current governance framework for BCP provides good senior management oversight of the function; however, the framework could benefit from increased attendance at the working group level as well as sign-off on the BCP plans.

As expected by the Government of Canada, the Department has chosen to use the business impact analysis template to develop continuity plans at the level of Branches and Regions. While the template contains many of the essential elements, its scope should be expanded to include all elements outlined in the Government of Canada standard. Strengthened business impact analysis practices would improve the quality of information derived from the analysis and allow for improved decision making around developing a "short list" of critical services and the required systems to support the services as well as for the development of recovery strategies.

The Department has continuity plans at the Branch and Regional level; however, more comprehensive plans, which include explicit identification of dependencies and thoroughly described recovery strategies, would better prepare the Department for business disruptions. In addition, the implementation of a permanent maintenance cycle will increase the likelihood of having accurate, up-to-date plans in the event of a disruption to operations.

While it is not required for departments and agencies to have a single "corporate" continuity plan, it is often a goal as the BCP Program evolves. Work in these key areas will serve to strengthen the BCP function and better position the Department to produce a single plan over the long term.

Appendix A - Lines of Enquiry and Criteria

Lines of Enquiry and Audit Criteria

1) Governance

1.1 Departmental senior managers provide strategic oversight for the Business Continuity Planning (BCP) Program.

1.2 There is an approved BCP Program policy in place for new and existing departmental programs and operations to respond to Treasury Board of Canada Secretariat policy requirements.

1.3 A departmental BCP coordinator has been appointed and fulfills required responsibilities of the BCP Program.

1.4 BCP working group(s) are in place to support BCP activities--including Information Management (IM) and Information Technology (IT)--in collaboration with the BCP coordinator.

2) Risk Management

2.1 There are comprehensive, documented, and approved Business Impact Analyses.

3) Control

3.1 Business continuity activities, plans and arrangements--including IM and IT continuity plans--are comprehensive, documented, approved and based on business impact analyses.

3.2 A permanent maintenance cycle is established for business continuity plans to be ready to be put into effect.

Appendix B - Overview of BCP Process

[Figure: Overview of Business Continuity Planning Process. Adapted from the Government of Canada BCP standard.]
