Archived - Audit of the Business Continuity Plan


Prepared by
Internal Audit and Evaluation
Department of Finance Canada

Approved by the Deputy Minister of Finance on the recommendation of the Audit and Evaluation Committee on August 28, 2012

Table of Contents

Executive Summary

Background

Audit Objective and Scope

Statement of Conformance and Audit Approach

Conclusions

Findings by Audit Criteria

Recommendations and Management Action Plan

Appendix A – List of Department of Finance Employees Interviewed

Appendix B – Key Reference Documents Consulted

Appendix C – Members of the Audit Team

Appendix D – Business Impact Analysis (BIA) Template

Appendix E – Business Continuity Planning Table (BCPT) Template

Appendix F – Contingency Plan Information Sheet (CPIS) Template

Executive Summary

The Emergency Management Act (EMA) requires each federal government department to establish its respective business continuity program, as well as the processes related to that program. These processes include the identification of strategic and operational risks; the development of a business continuity plan (BCP); the conduct of BCP exercises, including the provision of awareness and training; and the maintenance of related policy and plans. In support of this requirement, the Treasury Board's Operational Security Standard - Business Continuity Planning Program (BCP Standard) provides direction and guidance on the implementation of processes related to business continuity plans.

The objective of the audit was to provide reasonable assurance on the adequacy and appropriateness of the processes to establish the departmental business continuity program.

The audit concluded that overall, the processes to establish the departmental business continuity program are adequate and appropriate. Specifically, consistent with the BCP Standard, the Department of Finance Canada has:

  • Identified its strategic risks for BCP events;
  • Established a management framework to support business continuity planning;
  • Implemented a business continuity planning process for the development of a department-wide BCP, including a framework for branch-level plans; and
  • Conducted a BCP exercise.

Although the Department has made significant achievements in relation to the business continuity planning process, the audit identified opportunities for improvement in the following three areas:

  • Complete the Business Impact Analyses (BIAs) at the branch level, particularly the interdependencies and minimum resource requirements sections;
  • Lead the timely completion of the Business Continuity Planning Tables (BCPT) and the Contingency Plan Information Sheets (CPIS) by all departmental branches in support of the department-wide BCP; and
  • Conduct additional BCP exercises and develop awareness and a training strategy, including an action plan.

Background

The audit of the business continuity plan is part of the Department of Finance Canada’s three-year risk-based audit plan (RBAP). The RBAP was tabled at the departmental Audit and Evaluation Committee meeting on March 1, 2011 and approved by the Deputy Minister. 

The Emergency Management Act requires all federal government departments to establish business continuity programs. Each department is responsible for the processes related to its respective program. These processes include:

  • The identification of strategic and operational risks, through the use of BIAs to establish critical services and critical support services, interdependencies and resource requirements to recover from disruptions;
  • The development of policy, a department-wide business continuity plan (BCP), branch-level Business Continuity Planning Tables (BCPT) and Contingency Plan Information Sheets (CPIS), sometimes referred to as branch-level contingency plans;
  • The conduct of BCP exercises and development of awareness and training activities; and
  • The maintenance of policy and plans.   

Direction and guidelines on the implementation of processes related to business continuity programs are provided in the Treasury Board Operational Security Standard - Business Continuity Planning Program (BCP Standard). 

The Department’s Corporate Services Branch, through Security Services, has been responsible for the management of the business continuity program. In addition, the Departmental Business Continuity Plan Working Group coordinates the development, implementation and monitoring of the business continuity program throughout the various branches. 

Objective and Scope

Objective

The objective of the audit was to provide reasonable assurance on the adequacy and appropriateness of the processes to establish the departmental business continuity program.

Scope

As the current Department of Finance’s business continuity planning policy was approved by the executive committee in September 2009, and the audit examination phase was completed in April 2012, the audit covered the period from September 2009 to April 2012.

The audit examined the following components of the business continuity program, as required by the Emergency Management Act and the Treasury Board BCP Standard:

  • Adequacy of the identified strategic risks for BCP events;
  • Adequacy of the identified operational risks. These are listed as interdependencies and resource requirements in the BIAs and Business Continuity Planning Tables (BCPT);
  • Adequacy of the management framework to support business continuity planning, for example, through the Departmental Business Continuity Planning Policy;
  • Appropriateness of the business continuity planning process, including the development of a department-wide BCP, branch-level BCPT and Contingency Plan Information Sheets (CPIS);
  • Appropriateness of the lessons learned process related to BCP exercises; and
  • Appropriateness of the level of awareness of the BCP process and the training activities undertaken to support it.

The following areas were not examined:

  • Maintenance of the departmental business continuity planning policy and plans, since the Department had not completed its business continuity program at the time of the audit;
  • The Department’s Recovery Plan-IT (Information Technology) due to the significant changes presently affecting this area;
  • Plans for other departments and agencies, when there was a link in the Department’s BCP, for coordination purposes, between the Department and these external organizations;
  • The Department’s security and occupational health and safety responsibilities.

Statement of Conformance and Audit Approach

The audit was conducted in conformance with the internal audit standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

The audit was planned and performed in such a way as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against the audit criteria identified within this report, which were accepted by management. The opinion is applicable only to the entity examined. Sufficient evidence was gathered to provide reasonable assurance on the opinion derived from the audit work.

Audit procedures included, but were not limited to, interviews, observations, a review of supporting documentation, and analytical reviews.  The audit criteria used to develop the required audit tests were based on (1) the EMA, (2) the Treasury Board’s BCP Standard, (3) relevant elements of the Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework, and (4) good management practices, such as the Australian National Audit Office’s Business Continuity Management - Better Practice Guide.

In total, 10 individuals were interviewed (list of interviewees is provided in Appendix A).  The audit team also conducted a review and analysis of applicable authorities and policies, as well as other relevant documents (list of key documents consulted is provided in Appendix B). 

The audit approach allowed for the audit results to be communicated in a manner that enabled management to review and provide feedback on the findings and conclusions before they were finalized.

Conclusions

Audit Objective

To provide reasonable assurance on the adequacy and appropriateness of the processes to establish the departmental business continuity program.

The audit concluded that overall, the processes to establish the departmental business continuity program are adequate and appropriate. Specifically, consistent with the BCP Standard, the Department of Finance Canada has:

  • Identified its strategic risks for BCP events;
  • Established a management framework to support business continuity planning;
  • Implemented a business continuity planning process for the development of a department-wide BCP, including a framework for branch-level plans; and
  • Conducted a BCP exercise.

Although the Department has made significant achievements in relation to the business continuity planning process, the audit identified opportunities for improvement in the following three areas:

  • Complete the Business Impact Analyses (BIAs) at the branch level, particularly the interdependencies and minimum resource requirements sections;
  • Lead the timely completion of the Business Continuity Planning Tables (BCPT) and the Contingency Plan Information Sheets (CPIS) by all departmental branches in support of the department-wide BCP; and
  • Conduct additional BCP exercises and develop awareness and a training strategy, including an action plan.

Findings by Audit Criteria

The following pages present the assessment of risk exposure identified in the audit. Risk exposure for each audit criterion is categorized as follows:

High exposure
Medium exposure
Low exposure

A high, medium or low ranking corresponds to the potential risk exposure auditors believe may have an impact on the achievement of Department objectives, and is indicative of the priority management should give to the recommendations.

The assessment summarizes the audit observations based on the evidence gathered and analyzed during the audit. Based on these assessments, issues along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Action Plan” section.

1. Identification of Business Continuity Risks

Criterion: The Department of Finance Canada identifies the strategic and operational risks for BCP events, consistent with the BCP Standard.

Risk Exposure Assessment: Low

The Department has identified its business continuity strategic risks; however, to comply with the BCP Standard, the BIAs (i.e. operational risks) should be further developed.

The BCP Standard requires that Departments identify both strategic and operational business continuity risks.

Strategic risks include those which affect critical areas of the Department and have an impact on the Department's ability to achieve its objectives. These include (1) processes related to the preparation of the federal budget; (2) the lead coordination role for the financial sector; (3) international economic leadership; (4) large value transfer payments; and (5) information technology as a critical support service.

Operational risks include those identified in the BIAs, such as interdependencies and resource requirements, which are critical to the continuation of departmental branches’ operations following a disaster (i.e. during the recovery period). Without these resources, the branches would not be able to achieve their objectives.

The audit assessed whether strategic risks were identified and reviewed the completeness of all BIAs, including whether interdependencies and resource requirements were identified.

The audit found that the Department has identified its business continuity strategic risks. Regarding the branch-level BIAs (i.e. operational risks), the audit found that additional information on internal and external interdependencies, such as defining the impact of the temporary loss of other government organizations, suppliers and contractors, is required. Similarly, the audit found that additional information is required in the minimum resource requirements section, given the increased pressures expected during a disruption and its impacts on people, infrastructure, assets and/or supplies.

The following are examples of BIAs, received by Security Services from departmental branches and subsequently provided to the audit team, that require additional information:

  1. Economic Development and Corporate Finance Branch - Interdependencies with other departments and the private sector, such as the identification of names and alternative ways to reach key contacts;
  2. Financial Sector Policy Branch - Interdependencies involving public/private sector committees (e.g., Canadian banking sector), for example through the identification of communication protocols to be activated between the Department and these committees;
  3. International Trade and Finance Branch - Interdependencies with international organizations, such as the identification of contacts in the case of a disruption and the most efficient way to communicate with key organizations;
  4. Tax Policy Branch - Interdependency with the Canada Revenue Agency, by identifying the information channel to be used, during a disruption, between the Department and the Agency.

During the audit, Security Services shared their upcoming plans and commitment to contact critical services staff in each of the branches in order to assist them to complete their respective BIAs.

The audit recommends that Security Services work closely with the departmental branches' critical and support services staff to complete the BIAs, particularly the interdependencies and minimum resource requirements sections.

The following summarizes the audit findings for criterion 1:

  • Strategic risks for BCP events: completed
  • Operational risks for BCP events (Business Impact Analysis): partially completed

2. BCP Policy and Plan

Criterion: The Department of Finance Canada prepares the business continuity policy and plan in respect of the identified risks, consistent with the BCP Standard.

Risk Exposure Assessment: Low

The Department prepared its business continuity planning policy consistent with the BCP Standard and developed a department-wide BCP, including a framework for branch-level plans. However, the branch-level Business Continuity Planning Tables (BCPT) were partially completed and Contingency Plan Information Sheets (CPIS) were not completed.

The BCP Standard requires the preparation of a business continuity planning policy and of a departmental plan, including coverage of the eight elements listed below.

Specifically, the Standard requires:

  1. Critical services, information assets, and interdependencies;
  2. Approved recovery strategies;
  3. Measures to deal with the impacts and effects of disruptions on the Department;
  4. Response and recovery teams, including the membership and contact information;
  5. Roles, responsibilities and tasks of the teams;
  6. Resources and procedures for recovery;
  7. Coordination mechanisms and procedures; and
  8. Communications strategies.

These eight elements are required for the branch-level BCPT and CPIS.

The audit assessed whether essential components, as outlined in the BCP Standard, were included in the BCP.

The audit found that, overall, the Department maintained a relevant business continuity planning policy. In addition, the department-wide business continuity plan included preparatory and reactive (e.g., activation) BCP procedures to minimize business disruptions and support recovery. A framework for branch-level plans was provided to the departmental branches; however, the audit found that the branch-level BCPT and CPIS only partly addressed the eight elements of the BCP Standard.

For example, at the end of the audit examination phase (April 2012) the CPIS, which are required for each branch, had not been prepared. Their completion is important so that each critical and support services continuity team has its own detailed plan with action-oriented procedures. As such, during the audit, Security Services started to develop a tool (i.e., a Contingency Plan Information Sheet Template) to assist branches in completing their CPIS.

As another example, in the BCPT, the recovery strategies for departmental branches' interdependencies contained insufficient information.

A key component for developing the branch-level BCPT and CPIS is the Department’s Business Continuity Plan Working Group (BCP WG). The BCP WG coordinates the development, implementation and monitoring of the business continuity planning program, including facilitating, for example, the development of CPIS by departmental branches.

During several interviews with various BCP WG members, the audit found that the BCP WG members were generally in need of further clarifications concerning their respective business continuity roles to prepare the branch-level BCPT and CPIS. 

As such, the audit recommends that Security Services lead all the departmental branches toward the timely completion of their branch-level BCPT and CPIS in support of the department-wide BCP.

The following summarizes the findings for criterion 2 at the end of the examination phase of the audit in April 2012:

  • Business Continuity Policy: completed
  • Department-wide BCP: completed
  • Branch-level BCPT: partially completed
  • Branch-level CPIS: not completed

3. BCP Exercises, Awareness and Training

Criterion: The Department of Finance Canada conducts exercises and training in relation to its business continuity policy and plan, consistent with the BCP Standard.

Risk Exposure Assessment: Low

The Department conducted some BCP exercises and tests, and maintains some BCP awareness information on its intranet site. However, additional BCP exercises, awareness and training are required.

The BCP Standard requires that regular training related to the business continuity planning policy and plan be conducted through BCP exercises and the development of an awareness and training strategy and action plan. According to departmental policy, BCP exercises should be conducted on an annual basis in order to test and validate the effectiveness of the BCP.

Furthermore, awareness and training activities are required in order to prepare departmental staff to cope with business disruptions, as employees and management need to be aware of their respective roles in maintaining the delivery of important services.

The audit compared the Department’s conduct of BCP exercises, as well as its training and awareness practices with the BCP Standard.

The audit found that during the period of September 2009 to April 2012 the Department conducted only one BCP tabletop exercise, in January 2011. This is an important exercise: its objectives include assessing the completeness of the plan, confirming personnel awareness of their roles, and assessing the overall awareness and preparedness of the Department with respect to the BCP. In addition, during the period audited, the Department conducted critical services tests, also referred to as smaller-scale exercises. For example, these tests were conducted in relation to the contingency scenarios for the budget.

The audit also found that the Department provides limited information relating to BCP awareness on its intranet site. Information on the intranet site includes: BCP Pandemic Annex, Departmental BCP Policy, and Crisis Management Council: Terms of References. Additional information would be beneficial such as: (1) key definitions, (2) descriptions of the roles and interdependencies of the Department’s critical and support services; and (3) description of the human resources support required during a crisis (e.g., Employee Assistance Program).

In addition, the audit noted that no formal business continuity skills training has been provided to BCP WG members since the working group established its current terms of reference in September 2009. The audit also noted that some informal training takes place at the BCP WG meetings, which are usually scheduled every second month. Finally, the audit recognized that the Assistant Director, Security Services, received some formal BCP training.

The audit recommends that Security Services conduct additional BCP exercises and develop an awareness and a training strategy, including an action plan. The plan would include for example activities to:

  • Conduct more frequent BCP exercises (e.g., on an annual basis);
  • Improve BCP awareness information on the intranet by including for example (1) Key definitions; (2) Descriptions of the roles and interdependencies of the Department’s critical and support services; and (3) Descriptions of human resources support required during a crisis (e.g., Employee Assistance Program);
  • Provide formal business continuity skills training for BCP WG members.

The following summarizes the audit findings for criterion 3:

  • Annual BCP exercises: partially completed
  • BCP awareness information on the intranet: partially completed
  • BCP training: partially completed

Recommendations and Management Action Plan

The following section presents the key opportunities for improvement identified during the audit. The impact and recommendations are also presented. When applicable, relevant management initiatives already underway are included. For each recommendation, management has provided:

  • An action plan, which addresses the recommendation;
  • The position responsible for implementing the action plan; and
  • The target date for completion.

1. Complete the Business Impact Analyses (BIAs) at the Branch Level

Observations and Impact

Critical services often depend on the same external support in order to maintain the minimum level of operation required. According to the BCP Standard, it is important that the BIAs:

  • Define the internal and external interdependencies (e.g., memoranda of understanding and agreements with other government departments and suppliers); and
  • Identify not only the minimum resource requirements for a single critical service area, but also the activities and resources of other critical and support service areas, which collectively are needed by the Department.

The audit reviewed the completeness of the BIAs for all branches, and found that additional information is required regarding the internal and external interdependencies and minimum resource requirements sections.

When internal and external interdependencies and minimum resource requirements are not properly identified, there is a significant risk that the Department’s critical and support services would not achieve their respective objectives because of insufficient resources and lack of support from the required interdependencies.

The audit recommends that Security Services work closely with the departmental branches' critical and support services staff to further develop the interdependencies and minimum resource requirements sections of the BIAs. This will help the Department's staff to be well prepared for a disruption that requires the BCP, or part of it, to be put into action.

Recommendation

The audit recommends that Security Services work closely with the departmental branches' critical and support services staff to complete the Business Impact Analyses (BIAs), particularly the interdependencies and minimum resource requirements sections.

Management Response

Agreed. The Director, Security Services will continue to collaborate with the departmental branches in leading the on-going work to complete the Business Impact Analysis (BIAs), particularly the interdependencies and the minimal resource requirements. This work will be completed by December 31, 2012.

2. Lead the timely completion of the BCPT and CPIS at the Branch Level

Observations and Impact

Consistent with the BCP Standard, each critical and support services continuity team should have its own branch-level: (1) Business Continuity Planning Table (BCPT) to identify, for example, key recovery strategies concerning the branch’s interdependencies; and (2) Contingency Plan Information Sheet (CPIS) identifying key staff and assigning individual responsibilities, as well as identifying the timing and expected outcome for each recovery action.

The audit assessed whether essential components, including BCPT and CPIS, were developed in support of the department-wide BCP. The audit found that the BCPT were partially completed and the CPIS had not been prepared.

Without branch-level BCPT and CPIS detailing essential information such as business recovery strategies (including key responsibilities, the timing and expected outcome for each recovery action), there is an increased risk that the Department’s critical and support services will not be able to achieve their business objectives should a disruption occur.

The audit recommends that Security Services lead the timely completion of branch-level BCPT and CPIS in support of the department-wide BCP. This will ensure the presence of these key components in the departmental business continuity plan.

Recommendation

The audit recommends that Security Services lead the timely completion of the Business Continuity Planning Tables (BCPT) and Contingency Plan Information Sheets (CPIS) by all departmental branches in support of the department-wide BCP.

Management Response

Agreed. The Director, Security Services will continue to collaborate with the departmental branches in leading the on-going work to complete the Business Continuity Planning Tables (BCPT) and the Contingency Plan Information Sheets (CPIS). This work will be completed by December 31, 2012.

3. Conduct Additional BCP Exercises and Develop an Awareness and Training Strategy, Including an Action Plan

Observations and Impact

According to the BCP Standard, exercises should be conducted and an awareness and a training program should be developed to help departmental staff gain assurance that the BCP will operate effectively when required.

The audit assessed the Department's exercises, awareness and training practices for business continuity. It found that a BCP exercise was last conducted in January 2011, that limited business continuity information was posted on the Department's intranet, and that formal training had been provided to only one key staff member of the Corporate Services Branch. These findings indicate that the relevant BCP standards have only been partially met.

Without regular BCP exercises and an effective awareness and training strategy, departmental staff will not be well prepared to cope with business disruptions. It is therefore important to communicate to all staff the Department's business continuity objectives, critical services and resources, and the agreed priority for recovery, through well-planned exercises, awareness and training activities.

The audit recommends that Security Services conduct additional BCP exercises and develop an awareness and training strategy, including an action plan. This will improve the Department's business continuity readiness.

Recommendation

The audit recommends that Security Services conduct additional BCP exercises and develop an awareness and a training strategy, including an action plan.
Management Response

Agreed. The Director, Security Services will develop an action plan by December 31, 2012 which will include:

  • The completion of annual executive BCP Tabletop exercises, in conjunction with the on-going additional tests of the delivery of critical services (e.g., federal budget delivery, large payment transfers); and
  • An awareness and training strategy which will also capture the on-going tabulation of test results and lessons learned.

Appendix A – List of Department of Finance Employees Interviewed

  • Executive Director, Human Resources and Departmental Security Officer, Corporate Services Branch (CSB)
  • Associate Executive Director, Human Resources, CSB
  • Director, Security Services, CSB
  • Assistant Director, Security Services, CSB
  • Senior Advisor, Economic and Fiscal Policy Branch
  • Chief, Program Payments and Estimates Section, Federal-Provincial Relations and Social Policy Branch
  • Senior Project Leader, Financial Sector Policy Branch
  • Senior International Relations Officer, International Trade and Finance Branch
  • Director, Public Affairs and Operations, Consultations and Communication Branch
  • Chief, IT Planning and Architecture, CSB

Appendix B – Key Reference Documents

Legislation

  • Emergency Management Act (S.C. 2007, c.15), Section 6(1)

Policy and Standard

  • Treasury Board, Policy on Government Security, 2009
  • Treasury Board, Operational Security Standard – Business Continuity Planning Program, 2004

Guidelines and Best Practices

  • Public Safety Canada, A Guide to Business Continuity Planning, 2010
  • Australian National Audit Office, Business Continuity Management – Better Practice Guide, June 2009
  • Institute of Internal Auditors, Business Continuity Management – Practice Guide, July 2008
  • Disaster Recovery Institute – The Institute for Continuity Management, Professional Practices for Business Continuity Practitioners
  • Alberta Emergency Management Agency, Business Continuity Guide, March 2007

Documents Specific to Finance Canada

  • Business Continuity Planning Policy
  • Executive Committee/ Crisis Management Council Terms of Reference
  • Business Continuity Plan Working Group (BCP WG) Terms of Reference
  • BCP WG members list
  • BCP and related BIAs/BCPT
  • BCP Activation Reference Card
  • Corporate Risk Profile, January 2012 and June 2011
  • Risk Register, November 2011
  • Integrated Business Plan 2011-12

Appendix C – Members of the Audit Team

This audit was conducted by:

  • Chantale Dumornay, BAA, Auditor, Internal Audit and Evaluation
  • Jean-Luc Tétreault, CA-CIA, CGA, CMA, Audit Manager, Internal Audit and Evaluation
  • Christian Kratchanov, MBA, CIA, CMC, Chief Audit and Evaluation Executive

Appendix D – Business Impact Analysis (BIA) Template

Business Impact Analysis (BIA) Template. Identifies business function, impact indicators, criticality level and the Maximum Allowable Downtime (MAD).

Appendix E – Business Continuity Planning Table (BCPT) Template

Business Continuity Planning Table (BCPT) Template. The tables define the critical and essential services and programs which must be recovered and resumed, along with the services recovery strategy, the impact of non-performance, and the Maximum Allowable Downtime (MAD).

Appendix F – Contingency Plan Information Sheet (CPIS) Template

Contingency Plan Information Sheet (CPIS) Template. Identifies key staff and assigns individual responsibilities, as well as identifies the timing and expected outcome for each recovery action.