Archived - Audit of the Business Continuity Planning (BCP) Program - Final Report

September 2013

Table of Contents

• 1.0 Executive Summary
• 2.0 Introduction
  • 2.1 Background
  • 2.2 Objective
  • 2.3 Scope
  • 2.4 Methodology and Approach
  • 2.5 Statement of Conformance
• 3.0 Findings and Recommendations
  • 3.1 Business Continuity Program Governance
  • 3.2 Business Impact Analysis
  • 3.3 Business Continuity Plans and Arrangements
  • 3.4 Integration with IT Continuity Plans
  • 3.5 Business Continuity Program Readiness
  • 3.6 Recommendation
• Appendix A: Audit Criteria
• Appendix B: Management Response and Action Plan

1.0 Executive Summary

As a consequence of natural and human-made disasters, organizations have gained a heightened awareness of the requirement to continue providing critical services following disruptions to their normal course of business. There are various types of disruptions that may affect a business such as natural disasters, human pandemic, vandalism, damage to infrastructure and/or equipment failure. Within the Government of Canada, the absence of preparation and/or the inability to maintain critical services can negatively impact an organization's reputation, and fail to ensure the health, safety, security or economic well-being of Canadians.

The Emergency Management Act and the Treasury Board (TB) Policy on Government Security mandate all government departments/agencies to establish and maintain a Business Continuity Planning (BCP) program. The requirements and further guidance are provided in the Operational Security Standard - Business Continuity Planning Program (OSSBCP) along with its associated technical documentation.

At the CFIA, functional direction for the BCP program is the responsibility of the Corporate Security Division (CSD), which is part of the Assets and Security Management Directorate within the Corporate Management Branch (CMB). CSD works with a working group of branch representatives to develop and maintain business continuity plans.

The objective of this audit was to provide assurance that the CFIA's Program activities support compliance to the requirements of the TB Operational Security Standard – Business Continuity Planning Program (OSSBCP).

Upon engagement of the audit, we observed that the program had been dormant for some time. Governance had been inactive, the program policy required revision, and the working group was generally dormant for two years. As a result, we observed that business continuity plans and arrangements were generally incomplete, out of date and would not ensure recovery of services within pre-defined maximum allowable downtimes. In addition, the audit observed that the plans and arrangements were not integrated with recovery priorities as identified by the Information Management and Information Technology Branch.

As management is aware of these shortcomings, the Corporate Security Division (CSD) at the CFIA has recently reactivated the program. A revised policy has been written, and was recently approved. The Human Resources and Corporate Management Committee (HRCMC) is identified as the responsible oversight committee for the program, and has accepted the new approach proposed by CSD to revive the program. The working group began meeting again and has commenced work on implementing this new approach.

The report makes one recommendation reflecting management's commitment to take action to achieve a much greater degree of compliance with relevant Treasury Board policy requirements.

Conclusion

The audit concluded that the program at the CFIA, in its current state, is not compliant with Treasury Board's OSSBCP. However, the audit also noted that the Agency is aware of the program's weaknesses and has already commenced actions to address the compliance gaps.

2.0 Introduction

2.1 Background

As a consequence of natural and human-made disasters, organizations have gained a heightened awareness of the requirement to continue providing critical services following disruptions to their normal course of business. There are various types of disruptions that may affect a business such as natural disasters, human pandemic, vandalism, damage to infrastructure and/or equipment failure. Within the Government of Canada, the absence of preparation and/or the inability to maintain critical services can negatively impact an organization's reputation, and fail to ensure the health, safety, security or economic well-being of Canadians.

The Emergency Management Act and the Treasury Board (TB) Policy on Government Security mandate all government departments/agencies to establish and maintain a Business Continuity Planning (BCP) program. The requirements and further guidance are provided in the Operational Security Standard - Business Continuity Planning Program (OSSBCP) along with its associated technical documentation.

Emergency response and are complementary, but entirely distinguishable. Emergency response tends to focus broadly on lifesaving, safety, minimizing damage, and organizing the resources to manage the consequences of an event, whereas focuses exclusively on continued delivery of pre-approved time critical services. Business continuity is an inherent aspect of managing risk related to the potential interruption of one or more business functions.

Business continuity plans are the individual documents that describe how a specific business function will respond to and recover from an interruption of normal functioning. The content of the plans will focus on four primary elements or requirements: people, information, technology, and the workplace. Well-documented supports the re-establishment of critical services in an organized, effective and efficient manner. The Government of Canada has defined a critical service as a service whose compromised availability would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the government.

At the CFIA, functional direction for the program is the responsibility of the Corporate Security Division (CSD), which is part of the Assets and Security Management Directorate within the Corporate Management Branch (CMB). CSD works with branch representatives to develop and maintain business continuity plans.

Business continuity plans should identify the impacts of a disrupted critical service on each business function based on specified criteria. The maximum allowable downtime (MAD) that a service could have before seriously impacting the mandate of the CFIA, and the tolerable period in which data may be lost, must also be identified. A completed plan prioritizes the order of recovery of the critical services, and identifies associated assets and required human resources. The plan also identifies when, where and how these services, assets and personnel will be recovered to pre-approved levels of service. The process provides guidance on how to determine if a service is critical or not. Periodic exercising of a validates the information and helps to ensure the services recoverability.

The audit of business continuity planning was identified and approved in the Agency's 2012-2013 to 2014-2015 Risk Based Audit Plan.

2.2 Objective

The objective of this audit was to provide assurance that the CFIA's Program activities support compliance to the requirements of the TB Operational Security Standard – Business Continuity Planning Program (OSSBCP).

2.3 Scope

The scope of the audit covered review of Agency policies, procedures, and activities related to the Program and included an examination of the key elements of the Program: Program governance, Business impact analysis (BIA), Business continuity plans and arrangements, and Program readiness. The Audit also considered Corporate Security Division's action plan to refresh the Program as it existed prior to the completion of the audit's conduct phase. The audit commenced in September 2012 and the field work was completed in May 2013.

2.4 Methodology and Approach

A control assessment was completed during the planning phase of the audit. The assessment considered the Operational Security Standard – Business Continuity Planning (BCP) Program and various key controls that Internal Audit considers relevant in assessing the Agency's Program. Based on this assessment, background research, and document analysis, the following audit criteria from the OSSBCP were identified:

Criterion1: program responsibilities are established, defined and assigned (OSSBCP 3.1)

Criterion 2: A governance structure is in place (OSSBCP 3.1)

Criterion 3: The business impact analysis was completed in a manner consistent with the OSSBCP and critical services were prioritized (OSSBCP 3.2)

Criterion 4: Plans and Arrangements have been developed for critical services identified in the Business Impact Analysis (OSSBCP 3.3)

Criterion 5: The Agency has implemented a Readiness program (OSSBCP 3.4)

The audit included a judgmental sample of 14 business continuity plans and their related documentation, focusing on high-risk level 1 (0-24 hours' recovery) critical services. The sample was chosen to ensure coverage across the Agency (i.e. headquarters, Area and Regional Operations and Laboratories).

2.5 Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the CFIA's internal audit quality assurance and improvement program. Sufficient and appropriate auditing procedures were performed and evidence gathered in accordance with Institute of Internal Auditor's International Standards for the Professional Practice of Internal Auditing and to provide a high level of assurance over the findings and conclusion in this report. The findings and conclusions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the entity examined.

3.0 Findings and Recommendations

3.1 Business Continuity Program Governance

We expected to find evidence of a management structure in place which encompasses responsibility for the overall management of the Agency's program in accordance with OSSBCP 3.1. The governance structure should include a number of functioning elements:

• An Agency Program policy that applies the Policy on Government Security in a CFIA context;
• Strategic direction and oversight provided by a high level committee;
• Functional leadership and direction provided by the CFIA's Corporate Security Directorate;
• A working group supporting the functional leadership and providing links into business units; and
• Business units taking ownership of their plans and arrangements.

Upon engagement of the audit, we observed that the program had been dormant for some time. Governance had been inactive, the program policy required revision, and the working group was generally dormant for two years. The inactive state of the program is demonstrated by the fact that six out of 14 business units that were contacted during the audit were unable to provide us with the requested business continuity documents.

The Corporate Security Division (CSD) at the CFIA has recently reactivated the program. A revised policy has been written, and was recently approved. The Human Resources and Corporate Management Committee (HRCMC) is identified as the responsible oversight committee for the program, and has accepted the new approach proposed by CSD to revive the program. The working group began meeting again, and has commenced work on implementing this new approach.

While these are encouraging signs, the CMB plan to revive the program was not sufficiently detailed, at the time of the audit, to demonstrate that its implementation will result in full compliance with the OSSBCP. CSD must ensure active engagement of management and employees at all levels of the organization: Senior Management, including HRCMC, must demonstrate its commitment by providing strategic direction and oversight, and the working group must support the new approach and effectively communicate and foster compliance within their branches. Business units require the support, guidance and tools necessary to update business continuity plans and arrangements.

3.2 Business Impact Analysis

We expected to find evidence that the National Coordinator and Agency staff completed the Business Impact Analysis (BIA) required under Section 3.2 of the Standard. We expected the BIA methodology to be structured to capture all the requirements of the Standard, namely:

• The services that the CFIA must deliver were identified and assessed to determine which were likely to cause a high degree of injury to Canadians and the government if disrupted;
• Direct and indirect, quantitative and qualitative impacts of disruptions to business on the CFIA were analyzed;
• Critical services were prioritized and the resources (personnel, contractors, suppliers, information, systems and other assets) that support them directly or indirectly, within or outside the CFIA were identified; and
• Senior management has approved the results of the BIA prior commencing work on the business continuity plans and arrangements.

We found that in 2008-2009 much effort was spent in creating business impact analyses from the ground up. CSD developed a methodology and associated templates to gather the necessary information and solicited assistance from all business units of the CFIA. Then, the information was transformed into a National Service Prioritization List which was approved by senior management. The aforementioned templates required users to identify services performed, key contacts, resources requirements to ensure business continuity, both human and technical, essential records, key suppliers and the actual analysis of criticality (i.e. impact if service was unavailable).

As part of sampling work, we requested the BIA's related to the plans and arrangements included in the sample. We expected both CSD and the business units to have a copy of the BIA. Of the 14 BIA's requested, only seven were available: six from CSD, and one from a business unit. Our review of seven BIA's indicated that much information was solicited and collected. While much data was received by CSD, it was incomplete, as parts of the templates were not fully populated and in many cases also demonstrated a lack of rigor in the analysis.

In the instances where BIA's were provided, we found the following weaknesses:

• Many critical services identified in the BIA's did not meet the OSSBCP definition as those which are likely to cause high degree of injury to Canadians and the government, if disrupted. Rather, they were services supporting the infrastructure in place to support critical service delivery;
• There was a lack of consideration for qualitative and quantitative impacts resulting from business interruptions. While the maximum allowable downtime (MAD) was given, there was no clear justification. A subjective assessment of impacts may lead to incorrect MAD; and
• The BIA's were completed in 2008-2009, and the information contained in them may be out of date.

As a result of the BIA process, The CFIA identified 470 services of which 262 that were deemed critical (i.e. require a Business Continuity Plan), and of these, 131 were deemed level 1 critical services requiring restoration within 24 hours. Best practices suggest that the CFIA list of critical services is too long. Many of the services listed are in fact dependencies which support the infrastructure required to deliver critical services, but not critical services themselves according to the OSSBCP definition. For example, the first five on the 0-24 hour list relate to security, IT, facilities management, and senior management communications. The consequence of having such a long list contributed to the inability to complete the plans and arrangements required for each critical service.

The large number of critical services that resulted from the BIA process at the CFIA, together with the results of our sample review, point to a lack of oversight and challenge in the process of developing the BIAs.

3.3 Business Continuity Plans and Arrangements

We expected that the Agency, using the results of the BIA, analyzed recovery options and selected and funded recovery strategies which would have become the basis for the business continuity plans and arrangements. We also expected plans and arrangements to have been developed using best practices identified in the OSSBCP.

We found no documented evidence that recovery options and associated funding were considered or analysed. Lack of consideration given to recovery options and their associated costs suggests that the optimal recovery strategy may not have been selected and that the resources necessary to recover critical services may not be available.

We reviewed in detail 14 plans, focussing on pre-approved "level 1" critical services that required recovery within 24 hours. Six business units were not able to locate theirs. For those, we used a version that was obtained from CSD. We found information that was out of date in all the plans, with one exception. Our detailed review noted the following:

• Plans generally did not contain a mechanism of emergency situation assessment. The situational assessment process must be clear so that an untrained person could complete the activity with the use of the plan. Failure to conduct the assessment may lead to unnecessary expenditures or delayed recovery of the service;
• Plans indicated who had to be involved in the recovery process. However, plans generally had little or no information regarding what actions to take and how the recovery could be conducted. Without instructions as to how the recovery will take place, employees needing to react to emergencies may not make the best decisions, and the recovery of the activity may exceed MAD;
• Four of the plans did not indicate an alternative work location. Without knowing the approved alternate work location employees could make inappropriate decisions at the time of emergency, with a resulting delay in recovery. In a recent incident, one group had difficulty finding an alternate work location for its people; and
• Resource requirements were inconsistently indicated in plans. Some plans had listed the required resources but did not guide the user on how to get them at the onset of an interruption. Seven plans did not contain any information on required resources. Inadequate resources will result in delayed recovery times.

When business continuity plans do not follow best practices, as outlined in the OSSBCP and its associated technical documentation, there is an increased risk that if the plan is invoked, continuity will not be assured within the required time. In our sample, we concluded that 10 of 14 plans reviewed are at a high risk of not being able to recover within the identified MAD.

3.4 Integration with IT Continuity Plans

We expected that the Agency's IT continuity plans would be integrated into the Agency's business continuity program, as required by the OSSBCP.

We found that the program did not incorporate IMIT continuity issues. Continuity plans for high priority IT services do not yet exist at the Agency. The Information Management and Information Technology Branch (IMITB) recently conducted an IT Systems Business Impact Analysis (IT BIA). The objective of this IT BIA was to identify and prioritize critical IT systems, and to identify their recovery time objectives and requirements based on an analysis of the impact to CFIA business functions should these systems be unavailable. Once IMITB identifies actual recovery capabilities for the critical IT systems, it plans to conduct a gap analysis of recovery capability versus recovery objectives.

Priorities for IT recovery have been initiated and led by IMITB. CSD has yet to determine if recovery priorities, as identified by IMITB, satisfy the business requirements defined within the program and integrate them into business continuity planning. There is a risk that the IMITB recovery strategy is not aligned with the critical services of the CFIA and that services of the greatest priority will not be restored within maximum allowable downtimes.

3.5 Business Continuity Program Readiness

We expected that regular review and updating of the plans would take place within the CFIA. This would include regular testing and validation, and the corresponding lessons learned.

We found, based on our sample, that with one exception, plans were not being updated. Regular testing and validation has not taken place within the last three years.

Failure to update the plans and conduct regular exercises may cause the plans to be unusable. Employees may not be aware of the plan's existence because it had not been reviewed in a long time, or they may not trust its contents if they consider it out of date. Although CFIA has responded successfully to the continuity of business, existing business continuity plans did not factor prominently in those responses. There was one business interruption in Ottawa recently where the affected group did not consult its business continuity plan because the plan was not considered a "living document". In another recent incident in the Western Area, the employees involved were not aware of the existence of a plan.

3.6 Recommendation

The Vice President of the Corporate Management Branch should expand the action plan to refresh the program, including appropriate timelines for implementation, and obtain Agency Governance approval. The plan should address the deficiencies identified in the observations of this audit report, with the purpose of achieving a much greater degree of compliance with relevant Treasury Board policy requirements.

Appendix A: Audit Criteria

Criterion 1: program responsibilities are established, defined and assigned (OSSBCP 3.1)

• A policy framework has been established, and incorporates best practices recommended in the standard

Criterion 2: A governance structure is in place (OSSBCP 3.1)

• A Steering Committee provides and communicates strategic direction and oversight
• The CFIA Corporate Security Division provides functional direction and leadership
• Branches are providing representatives and support to the working group
• Operational units are aware of their roles and responsibilities and demonstrate ownership of individual business continuity plans and arrangements

Criterion 3: The business impact analysis was completed in a manner consistent with the OSSBCP and critical services were prioritized (OSSBCP 3.2)

• The services that the CFIA must deliver were identified
• Impacts of disruptions on the CFIA were determined
• Services were assessed to determine which are likely to cause high degree of injury to Canadians
• Critical services and the resources (personnel, contractors, suppliers, information, systems and other assets) that support them directly or indirectly, within or outside the CFIA were identified and prioritized
• BIA's were approved by senior management

Criterion 4: Plans and Arrangements have been developed for critical services identified in the Business Impact Analysis (OSSBCP 3.3)

• The Agency has, using the results of the BIA, identified recovery options in order to prepare the business continuity plans and arrangements
• Selected recovery strategies have been funded
• IT and IM Continuity Plans have been integrated into Business Continuity Plans
• Plans and arrangements have been developed using best practices identified in the TB Operational Security Standard

Criterion 5: The Agency has implemented a Readiness program (OSSBCP 3.4)

• There is an ongoing review and revision of plans to account for changes
• Regular testing and validation of all plans occurs
• Readiness was demonstrated where Business Continuity Plans were invoked
• A regular audit cycle was followed as a basis for reporting to TB secretariat

Appendix B: Management Response and Action Plan

Management Response

In general, basic policies and procedures are in place to ensure that the proper requirements are followed although CMB Management agrees with the overall findings of the audit related to strengthening and updating the Program. CMB has been working to improve the Program since the winter of 2012 as evidenced by the BCM Program Operational plan referred to in the audit.