Industry Canada / Industrie Canada
MenuSkip first menuSkip all menus
FrançaisContact UsHelpSearchCanada Site
HomeWhat's NewFrequently Asked QuestionsA-Z IndexSite MapPublications
The Department
Media Room
Information by Subject
Programs and Services
Online Forms
Publications
Catalogue of Published Materials
Corporate Publications
Special Reports
Newsletters
Publishing Toolbox
Industry Portfolio
Access to Information
Acronyms
Careers
Proactive Disclosure

Canada Business - Services for entrepreneurs Canadian Consumer Information Gateway Strategis

Industry Canada Business Continuity
Plan Methodology Audit – Phase II
December 1999

Report

Background

On March 1, 1999, Industry Canada's Y2K Project Office initiated a business impact analysis process to determine the departmental business functions requiring a Y2K Business Continuity Plan (BCP). The business impact analysis process ultimately revealed that Industry Canada had twenty-eight critical business functions that required individual Year 2000 BCPs. By May 30, 1999 all 28 BCPs were completed pending the validation phase which included modules on testing, training and plan maintenance. The validation phase concluded on October 15, 1999, with most BCPs completed and signed off by their respective BCP Manager.

Audit Objectives

The objectives of the Audit and Evaluation Branch audit of the BCP methodology were to determine that the:

  • process used to identify critical functions is reasonable;
  • methodology and templates developed are effective;
  • approach is comprehensive and does not include any gaps; and
  • BCPs have been prepared by properly applying the methodology.

This audit was conducted in two phases. The first phase was completed and a report was issued on October 4, 1999. It reviewed the BCP identification process and the effectiveness of the methodology and templates used as well as determined whether the approach was comprehensive. This first phase report found that the process and methodology were sound and reasonable but made several recommendations of how to strengthen the BCPs. The key recommendation indicated a need to develop a "command centre" to better manage the flow of information to decision-makers and BCP Managers during the critical date rollover period.

Senior departmental management agreed with this recommendation by deciding to implement four operations centres that reflect existing business lines and reporting relationships. These four centres are the following centres:

  • Operation Command Centre (OCC), responsible for monitoring and reporting on the status of internal departmental operations. The OCC will monitor developments in 23 of the 28 departmental BCPs. It will also serve as a general point of contact for all Y2K information flows and provide a secretariat function for the Business Continuity Plan Implementation Committee. A subset of OCC will be a CIO operations centre that will report on the status of the department's IT infrastructure.


  • Emergency Telecommunications Operations Centre will be operated by SITT. In addition to the operations centre BCP, the Assistant Deputy Minister (ADM) SITT will have responsibility for three other SITT BCPs and report directly to the Deputy Minister on their status.


  • Industry Sector Operations Centre will monitor industry developments and be operated by the Industry Sector. This monitoring function has its own BCP. The ADM Industry will be responsible for reporting developments to the Deputy Minister.


  • Task Force 2000 will operate an operations centre that will be closely linked to the OCC. Over time, Task Force 2000 developed close ties to the federal government Year 2000 transition management infrastructure (like the National Contingency Planning Group (NCPG) ) and other federal departments. These relationships are being leveraged to ensure that the department receives timely information from central agencies, the NCPG and other departments.

This audit report presents the findings of phase II of the audit covering whether the BCPs have been prepared properly by applying the methodology. A sample of three BCPs were selected.

The three BCPs selected were for the following critical business functions: the Operations Command Centre (OCC), the Strategis web site and the Emergency Telecommunications. The findings for each BCP are shown in the next section.

Findings

Operations Command Centre

The auditors found that the document reviewed is suitable to serve as the framework for the department's Operations Command Centre.

In general, given the tight deadlines to develop an effective decision-making structure, the department has responded with a logical and workable plan. At the time of this audit, it is understood that the Operations Command Centre (OCC) roles and responsibilities may change going forward. As the plan is tested and as the department learns more about the reporting requirements of Treasury Board and NCPG amendments will be made. The basic framework is sound.

Four recommendations resulted from the audit of this document. The first recommendation is the most significant one, while the remaining three are intended to address minor gaps in the plan.

It is recommended that the OCC take the following action:

  1. The OCC document briefly describes that there will be a "dress rehearsal" in mid-December without showing any detailed testing or training plan in place. Since the department has worked to develop this framework under tight deadlines, it is understandable that a well-defined testing plan is not complete. It is recommended that priority be given to a robust testing and training schedule to ensure that the OCC is effective.


    2. The testing plan should include the following:

    • types of testing planned (table top, integrated, evacuation too back-up site etc.)


    • a list of participants (including staff from all BCPs, other command centres and possibly members of the Business Continuity Plan Implementation Committee and BCP Steering Committee.)


    • procedures for reviewing, documenting and reporting testing results

  2. The Operations Centre Operating and Reporting Plan could be improved by outlining which resources are required at which time. Since resource needs will change, it is useful to communicate clearly who will be required and when. This is referred to as an "activation schedule."

    3. This may not be necessary and is not intended to add an administrative burden. However, clear documentation and planning ensures clarity of purpose and communications. It also ensures that the Command Centre is truly scalable and able to respond flexibly to events as they occur.

  3. The OCC is primarily focussed on internal operations. However, some of the BCPs they oversee may be monitoring external dependencies, stakeholders, business partners or utilities. It would be useful to compile a list of these external monitoring activities to understand the scope of external monitoring in these BCPs and be better prepared to capture and respond to external disruptions affecting these BCPs.


  4. It is important to clarify that there are appropriate delegations of authority in place so that in the absence of a critical decision-maker, an alternate is fully empowered to make executive level decisions.

    5. Strategis

    The auditors found that the Strategis Business Continuity Plan was prepared by properly applying the department's Business Continuity Planning Methodology.

    Staff are to be commended for preparing an additional internal document called the "Business Continuity Game Plan for Y2K" that provides extra detail of the roles and responsibilities of critical staff. The document outlines in more depth the internal procedures they will use should a critical failure occur.

    The only shortcoming of the Strategis BCP was the lack of a documented testing and training strategy. While not documented in the Strategis BCP, interviews with key staff confirmed that there is every intention to test the key workarounds described in their BCP.

    Emergency Telecommunications

    The auditor found that the Emergency Telecommunications Business Continuity Plan was prepared by properly applying the department's Business Continuity Planning methodology. There are no recommendations.

    It is important to note that the Emergency Telecommunications business function is designed solely to respond to a telecommunications emergency. As such, their contingency and business continuity plans are robust and complete.

    Management Action Taken

    Recommendations centered around improving internal information flows during the Year 2000 roll-over period and the need for prior detailed testing, and all of these were implemented. Indeed, the absence of any interruption to the public is a testament to Industry Canada's state of readiness.

    See also…



    Date Created: 2000-04-26


    Printer-friendly VersionPrinter-friendly Version
    Date Modified: 2005-12-13 Top of Page Important Notices