
Audit of Business Continuity Planning (BCP)

Audit and Evaluation Branch
Industry Canada

June 2006

Executive Summary

1.1 Introduction

In accordance with the Treasury Board of Canada Secretariat standards for operational security in the Government Security Policy (GSP), Industry Canada (IC) established a Business Continuity Planning (BCP) Program and identified critical and essential services. Public Safety and Emergency Preparedness Canada (PSEPC) has the mandate to review plans of federal departments to ensure that they are able to continue operating during emergencies and has requested auditors of departments to audit business continuity planning. In accordance with this request by PSEPC, Industry Canada has undertaken an internal audit of its BCP program.

1.2 Overall Assessment

Overall, the audit found that the BCP program is built on a solid foundation and provides some assurance that the organization will manage critical and essential services during major disruptions and emergencies. However, the audit found that complete assurance could not be provided because no comprehensive exercise program exists and serious questions remain about the integration of IM/IT with the critical BCP plans.

1.3 Main Findings, Conclusions, and Recommendations

The audit found that Industry Canada has a well administered BCP program overall. In the sectors, some of the essential functions do not give enough priority to their BCP. The audit found serious concerns with the integration of the business continuity plans for critical functions with IT continuity planning and found no comprehensive exercise program.

1.3.1 Business Continuity Plan Governance (See Section 3.1 of the BCP Standard)

The control objective is to ensure that Industry Canada has assigned responsibility for the BCP program in accordance with the standard.

We found that Industry Canada has appointed an effective and efficient BCP coordinator who reports to the Director, Security and Departmental Security Officer (DSO). A BCP Steering Committee meets approximately every 6 months to discuss strategic issues related to BCP. A BCP Working Group includes representatives from the various corporate services and the critical functions.

Conclusion

The essential conditions of stable governance and strategic direction are in place for providing effective business continuity planning, support to the Deputy Minister, and the delivery of results. Several improvements could make the overall governance better as described in the following recommendations:

Recommendation 1:

An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should be done every two years in order to respond to rapidly changing risks and circumstances. In addition, each sector should include a review of business continuity planning in its annual business planning cycle.

Recommendation 2:

Industry Canada should identify key external dependencies. These dependencies should be assessed as to their significance for the business continuity plan to be successful. A plan should then be developed and documented to minimize any risk exposure. Where appropriate, there should be memoranda of understanding or equivalent agreements negotiated with these external dependencies.

Recommendation 3:

After a thorough challenge to the business continuity plans, internal dependencies (IM/IT services for example) need to be identified and documented. Internal service level agreements, or some equivalent, need to be negotiated in order to ensure that appropriate services are available to support the execution of the sector business continuity plans.

1.3.2 Business Impact Analysis (See Section 3.2 of the BCP Standard)

The control objective is to ensure that an effective BCP program is based on a Business Impact Assessment (BIA). The BIA identifies and quantifies the direct and indirect, quantitative and qualitative impacts on critical and essential services due to disruptions and emergencies.

Industry Canada has used BIAs as a tool for examining essential services but has not done them for all critical services. The information gained by a detailed impact assessment provides management with information helpful to establishing priorities and identifying key services.

Conclusion

The information gained by doing a Business Impact Assessment could contribute value to the business continuity plans. Although the audit is not making a specific recommendation, Industry Canada might consider that Business Impact Assessments be done and maintained for all business functions so as to ensure that the BCP programs for service functions such as CIO, Facilities, and Security are appropriate, responsive and complete.

1.3.3 Business Continuity Action Plans and Arrangements (See Section 3.3)

The control objective is to ensure the completeness of the business continuity plans by encouraging the use of Business Impact Assessments and Threat and Risk Assessments (TRAs). Another control objective is to ensure that recovery options have been thoroughly analyzed so as to provide information to management regarding appropriate choices and priorities.

We noted that the various business continuity plans were developed in parallel in Industry Canada and have not benefited from a collaborative effort to identify dependencies of one function on another. In particular, dependencies on facilities and on IM/IT tools have been listed in some business continuity plans without corresponding responses from those responsible for those areas. This results in business continuity plans that may not stand up in a real emergency. Also, without good analysis of recovery options accompanied by estimates of costs, management decisions and choices in emergency situations may result in expensive or suboptimal recoveries. We also observed that business continuity recovery strategies were sketchy and left for Response teams to create ad hoc.

Conclusion

BCP programs would benefit if they were completely integrated with respect to support functions and dependencies (see recommendations 2 & 3). They should include recovery options showing detailed steps to provide critical and essential services including full costs and analysis as to risks and threats.

Recommendation 4:

Planning the development of the TRAs should be done jointly by both the DSO and the Chief Information Officer (CIO). The coordinated planning will ensure that both physical and IT-related security issues are fully covered and no gaps occur. In addition, any BCP-related issues should be considered in the development of the TRAs so that the BCP Coordinators can benefit from the results of the TRAs. The data gathered in the TRAs can be shared by the DSO and the CIO.

Recommendation 5:

Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IM/IT requirements. These costs can then be used for management decisions of priorities and choices made in the plans.

Recommendation 6:

Business continuity plans and associated documents would benefit from a change management control system that tells a reader when the plan was last updated for any significant change (e.g. a change in the mandate of the critical and essential functions), as well as the nature and origin of the changes.

1.3.4 BCP Program Readiness (See Section 3.4 of the BCP Standard)

The control objective is to ensure that Industry Canada has kept its BCP programs up-to-date. Business continuity plans benefit from a regular exercise program. All incidents, disruptions and emergencies provide lessons learned that can result in a more thorough review and update of the plans.

The audit found that Industry Canada did not have a regular exercise program in place and has not developed a way of sharing lessons learned from a database of incidents, disruptions and emergencies.

Conclusion

Industry Canada business continuity plans are updated quarterly or semi-annually when names, roles and/or phone numbers change. There is no change management control system for the business continuity plans (see recommendation 6). We noted that there is no regular test or exercise program. There are no standard templates for capturing lessons learned from real events or from exercises, and any information that is kept is not readily accessible to business continuity planners unless they contact the IC BCP coordinator, who maintains a file.

Recommendation 7:

An effective annual exercise should be conducted.

Recommendation 8:

Industry Canada should implement a procedure to capture lessons learned from real events and exercises. Lessons learned from exercises and from real disruptions and incidents should be made available to business continuity coordinators so as to provide useful material with which to make substantive changes and improvements to the business continuity plans as required. The captured information of incidents and lessons learned should be used also to create training and awareness materials for managers and senior staff.

1.3.5 BCP Training and Awareness (See Section 3.4 of the BCP Standard)

The control objective is to ensure that training and instruction have been developed, funded and used to support the BCP program. Specialized training is required for security specialists and for business continuity planners. General awareness programs are needed to sensitize staff to emergency planning and to create an environment where people have confidence that their managers will act correctly with respect to health and safety and the protection of assets.

The audit found that the BCP coordinator has received annual training. However, we did not find that all other BCP coordinators and key managers attended annual BCP-related training and some have not had any external BCP training courses.

Conclusion

We noted that the Industry Canada BCP coordinator and some of the sector BCP coordinators have been trained and have kept up their awareness through attendance at conferences. Others have received only in-house presentations and lack practical experience in handling emergencies. In addition, general awareness amongst management and senior staff of business continuity planning and emergency planning could be improved.

Recommendation 9:

Industry Canada could improve the education of sector and regional business continuity and emergency planners by ensuring that their annual career development plan includes the appropriate business continuity and emergency planning courses and seminars based on the scope of their BCP responsibilities.

Recommendation 10:

Industry Canada should ensure that its BCP policy is well communicated and understood.

The following suggestion may be considered:

Industry Canada could improve general awareness of business continuity and emergency planning issues by taking advantage of the intranet, by having a program during the annual BCP awareness week, and by promoting on site presentations by the BCP coordinator.

Final Audit Report (PDF - 84 KB - 18 pages)