ARCHIVED - Management Response and Action Plan (MRAP) - Audit of Business Continuity Planning

Audit of Business Continuity Planning
March 2011

Audit of Business Continuity Planning
Recommendations Management Responses Planned Management Actions Deliverables Expected Completion Date Responsibility
1. It is recommended that the Assistant Deputy Minister (ADM), Corporate Services Branch (CSB), in collaboration with other Assistant Deputy Ministers, revise the terms of reference for the Crisis Management Team (CMT) to include a requirement for an annual committee exercise. Management agrees with the recommendation.

The Facilities and Security Directorate (FSD) will be revising the terms of reference for the Crisis Management Team to include an annual Business Continuity Plan (BCP) exercise which will be conducted for all Branches and Regions.
1. 1 Revise the Health Canada BCP Crisis Management Team's Terms of Reference, to include the responsibilities of Emergency Management requirements and that a mandatory annual BCP exercise be conducted for all Branches and Regions. Final revised draft of the Crisis Management Team Terms of Reference. May 2011 ADM/CSB/FSD ADM/Regions and Programs Branch (RAPB)
1.2 Ensure implementation of an annual BCP exercise and communicate the importance of attendance for primary or alternate members. Communiqué via committee meetings and Chair of CMT regarding mandatory attendance requirements for CMT and the Departmental Business Continuity Management Committee (DBCMC) at the annual BCP exercise. March 2011 ADM/CSB/FSD
Exercise design and development. April 2011
Annual BCP exercise held. May 2011
2. It is recommended that the Assistant Deputy Minister, Corporate Services Branch, update the BCP policy with a more detailed description of the departmental program, as well as roles and responsibilities prescribed in the Government of Canada Business Continuity Planning (BCP) standard, and have it approved by Executive Committee. Management agrees with the recommendation.

The Facilities Security Directorate will be updating the BCP Policy with a more detailed description of the program, as well as roles and responsibilities as per the Government of Canada Business Continuity Planning (BCP) standard. The updated policy will be circulated to Branches and Regions for consultation and the final draft will be presented at Executive Committee for approval.
2.1 Update the Health Canada BCP policy with a more detailed description of the program, as well as roles and responsibilities as per the Government of Canada Business Continuity Planning (BCP) standard. Updated draft Health Canada BCP policy for consultation. April 2011 ADM/CSB/FSD
2.2 Consult with all Branch/Regional Coordinators on the updated draft BCP Policy. Final draft update of HC BCP policy ready for approval. April 2011 ADM/CSB/FSD
Communications plan established for revision roll out. May 2011
2.3 Seek ADM and Executive Committee approval on updated BCP policy. Updated Health Canada BCP Policy approved. May 2011 ADM/CSB/FSD
3. It is recommended that the Assistant Deputy Minister, Corporate Services Branch review membership and promote regular meetings and attendance of the Departmental BCP Committee. Management agrees with the recommendation.

The Facilities and Security Directorate will review and update the Crisis Management Team and the Departmental Business membership lists as a part of the Terms of Reference and will develop regular meeting cycles which will be mandatory. This will be communicated to the members in order to stress the importance of regular attendance, by either the primary or alternate member.
3.1 Review and update the Crisis Management Team and the Departmental Business Continuity Management Committee membership lists. Relevant/accurate CMT and DBCMC membership lists. Completed ADM/CSB/FSD
3.2 Ensure implementation of regular meeting cycles (quarterly) and communicate the importance of regular attendance of primary or alternate members. Quarterly DBCMC committee meetings established stressing mandatory attendance. Completed ADM/CSB/FSD
Semi annual CMT meetings established for mandatory attendance. May 2011
4. It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with other Assistant Deputy Ministers, identify critical services, supporting systems and assets and table this information to the Executive Committee for approval. Management agrees with the recommendation.

The Facilities and Security Directorate will be identifying and revising the Department's critical services, supporting systems and assets using the Critical Services Mapping results. The Facilities and Security Directorate will use the Crisis Management Team and the Departmental Business Continuity Management Committee as the forum for discussion and for developing a consolidated listing of critical services.

A consolidated list of critical services and activities will be presented to Executive Committee for approval.
4.1 Provide Crisis Management Team with critical services mapping data for review and final prioritization. Consolidated listing of critical services, supporting systems and assets available for Executive Committee approval. March 2011 ADM/CSB/FSD in consultation with other ADMs, Crisis Management Team, Departmental Business Continuity Management Committee, Information Management Services Directorate (IMSD) (IT), HR, and Real Property Facilities Management Division
4.2 Seek approval of Executive Committee on final critical services, supporting systems and assets. Executive Committee approval of critical services and activities. March 2011
5. It is recommended that the Assistant Deputy Minister, Corporate Services Branch, update the Business Impact Analysis (BIA) template to capture all BIA elements required by the Government of Canada BCP standard including documenting the approval of the BIA. Management agrees with the recommendation.

The Facilities and Security Directorate, in consultation with the Departmental Business Continuity Management Committee, will review the current Business Impact Analysis mechanisms and approval processes and develop a needs assessment. Following this work, the Directorate will develop departmental BIA requirements (covering recovery options and continuity planning) to align Health Canada's Business Impact Analysis with the Government of Canada requirements.

The Directorate will seek approval from the Crisis Management Team for the newly developed approval process.

Lastly, the Directorate will update the BIA template to capture all elements as required by Government of Canada Policy based on the results of the needs assessment.
5.1 Review the current BIA mechanisms and approval processes and develop needs assessment. BIA mechanisms and approval processes review completed and needs assessment produced. April 2011 ADM/CSB/FSD in consultation with the (DBCMC)
5.2 Develop departmental BIA requirements (covering recovery options and continuity planning) to ensure Health Canada's BIAs are in-line with the government of Canada's (GoC's) requirements. Draft departmental BIA requirements developed. May 2011 ADM/CSB/FSD
5.3 Develop a structured approval for the revised BIA process and seek approval of Crisis Management Team. Revised BIA requirements CMT approved. May, 2011 ADM/CSB/FSD, in consultation with the CMT.
5.4 Update the BIA template to capture all elements as required by the Government of Canada Policy based on needs assessment. BIA Template updated. March 2011 ADM/CSB/FSD
6. It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with other Assistant Deputy Ministers engage in more rigorous quarterly sign off of respective Branch and Regional business continuity plans, including descriptions of recovery strategies, and approve the plans. Management agrees with the recommendation.

The Facilities Securities Directorate will use the Department Business Continuity Management Committee to communicate the reporting requirements of BCPs - outlining the importance of better quality including complete documentation on recovery strategies, with ADM sign-off. There will be quarterly reporting completed and this will be communicated to the Assistant Deputy Minister, Corporate Services Branch on a quarterly basis.

In addition, the Assistant Deputy Minister, Corporate Services Branch will communicate these requirements to all other Health Canada Assistant Deputy Ministers.
6.1 Issue communiqués to DBCMC members of the reporting requirements of BCPs - outlining the importance of better quality (i.e. BIAs, recovery strategies, etc.) and complete documentation, with ADM sign-off. Quarterly reporting completed and business continuity plans documented and approved. April 2011 ADM/CSB/FSD
6.2 ADM of CSB to communicate reporting requirements to all ADMs. Communiqué from CMT Chair to ADMs regarding need for rigorous reporting on plans. April 2011 ADM/CSB/FSD
6.3 Communicate quarterly findings to ADM/CSB. Quarterly findings communicated. June 2011 ADM/CSB/FSD
7. It is recommended that the Assistant Deputy Minister, Corporate Services Branch deliver additional training in conjunction with the BCP database training to better support Branch and Regional BCP practitioners. Management agrees with the recommendation.

The Facilities Security Directorate will implement BCP training and support strategy for the community of practitioners.

In addition, the Facilities Security Directorate will evaluate and assess the current BCP database and identify gaps/deficiencies to better support Branch and Regional BCP practitioners to develop solutions in terms of templates and training.
7.1 Evaluate and assess the current BCP database and identify gaps/deficiencies to better support Branch and Regional BCP practitioners to develop solutions in terms of tools and training. Needs assessment and Gap Analysis of the current BCP database conducted. March 2011 ADM/CSB/FSD/IMSD
7.2 Develop BCP training and support strategy for community of practitioners. BCP training and support framework developed. March 2011 ADM/CSB/FSD
7.3 Develop a communications plan for roll out of training and, support framework to all practitioners. Approved Communications plan. May 2011 ADM/CSB/FSD
8. It is recommended that the Assistant Deputy Minister, Corporate Services Branch implement a permanent maintenance cycle for the Business Continuity Planning Program, including review, training and testing. Management agrees with the recommendation.

The Facilities Security Directorate will develop guidelines and directives for a permanent maintenance cycle in compliance with the Government of Canada BCP standard, which includes, for example, quarterly BCP updates as well as a change management process to validate changes to applications, lists of critical services, sites, and personnel. The Directorate will also consult with the Chief Financial Officer Branch (CFOB) to have the BCP function included in the Integrated Planning and Reporting Framework.
8.1 Develop guidelines and directives to ensure permanent maintenance cycle (i.e. Quarterly BCP updates, including a change management process to validate changes to applications, lists of critical services, sites, and personnel, etc.). Guidelines and directives developed and a BCP maintenance cycle implemented. September 2011 ADM/CSB/FSD
8.2 Seek ADM approval of permanent maintenance cycle for BCP and distribute to all BCP coordinators -DBCMC. Approved BCP maintenance cycle distributed to DBCMC and CMT members. September 2011 ADM/CSB/FSD
8.3 Consult CFOB and CSB/Planning, Integration and Management Services Directorate (PIMSD) to ensure BCP function included in the Integrated Planning and Reporting Framework. BCP function included in the Integrated Planning and Reporting Framework. December 2011 ADM/CSB/FSD with CSB/PIMSD and ADM/CFOB

Page details

Date modified: