Audit of Business Continuity Planning

February 2017

Executive Summary

Introduction

Business Continuity Planning (BCP) refers to the establishment of a governance structure, the conduct of a Business Impact Analysis (BIA), and the development, timely execution and maintenance of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets. In the wake of recent natural and man-made events, as well as the changing Government of Canada operating environment, there is a heightened awareness of the importance of continuing to provide services following disruptions to the normal course of a government department’s business.

Critical services are defined as any service, program or operation whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security and economic well-being of Canadians, or to the efficient functioning of the Government of Canada. Transport Canada has identified 130 critical services, which fall into two categories: services critical to the national interest and services critical to the Department.

The Deputy Minister has overall departmental responsibility to ensure the effectiveness and implementation of the Business Continuity Planning Program.

To provide assurance that Transport Canada’s BCP Program is in place and operating in accordance with Government directions, the audit team worked with the Office of the Comptroller General as they carried out a Horizontal Audit of Business Continuity Planning in Large and Small Departments. This approach allowed the audit team to leverage OCG’s planning and audit criteria as well as provide a useful point of comparison to other government departments.

Audit Objective and Scope

The Audit of Business Continuity Planning was included in Transport Canada's 2016/17 to 2018/19 Integrated Audit and Evaluation Plan.

The objectives of this audit were to determine whether:

  • Departmental governance frameworks for BCP are in place (Footnote 1); and
  • Departmental BCP processes are in place (Footnote 2).

The audit team examined the current (as at December 31, 2015) BCP documentation and governance framework used within Transport Canada and work underway in 2016 to ensure continuity of critical services and support services of the Department. The audit utilized a risk-based sample of business continuity plans to examine whether BCP processes followed the essential elements and considerations required to ensure the continuity of operations.

Conclusion

We found that a governance framework is in place for the management of the departmental BCP Program. Departmental processes are also in place for the development, implementation, testing and update of departmental BCPs. However, the foundational work to identify critical services has generally not been updated since the inception of BIAs in 2006. While resulting BCPs for the identified critical services are being updated, it is unknown if the critical services identified are still the correct critical services requiring a BCP. Transport Canada has recognized the need to update its BIAs and BCPs and proactively embarked on a BIA/BCP renewal exercise in January 2016. Transport Canada needs to ensure that its current process for the renewal of BIAs and BCPs is completed and conforms to the OCG’s expectations/criteria for a BCP Program.

Statement of Conformance

This Audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of an external assessment of Internal Audit’s Quality Assurance and Improvement Program.

Dave Leach (CIA, MPA) Director, Audit and Advisory Services

Martin Rubenstein (CPA, CIA, CFE) Chief Audit and Evaluation Executive

1. Introduction

1.1. Purpose

The Audit of Business Continuity Planning was included in Transport Canada’s 2015/16 to 2017/18 Integrated Audit and Evaluation Plan. Our audit results directly support the Office of the Comptroller General’s (OCG) Horizontal Internal Audit of Business Continuity Planning (BCP) in Large and Small Departments.

1.2. Background

The OCG developed the Audit Plan and Program and Transport Canada Internal Audit carried out the examination, testing and reporting of results to the OCG for inclusion in its horizontal audit.

The following is a synopsis from the Audit Plan for the OCG-led Horizontal Internal Audit of Business Continuity Planning (BCP) in Large and Small Departments.

Business Continuity Planning (BCP) refers to the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets. In the wake of recent natural and man-made disasters (e.g. Parliament Hill shooting – Oct 2014, floods in Western Canada – June 2014, Heartbleed incident against the Canada Revenue Agency – April 2014), as well as the changing Government of Canada operating environment (e.g. transition to enterprise-wide service delivery), there is a heightened awareness of the importance of the Government being able to respond and recover its services and assets within the maximum allowable downtime (Footnote 3).

BCP in a federal government setting is a component of baseline security requirements and forms a process that aims to ensure that critical government services can continue to be delivered in the event of disruptions to the normal course of business. Critical services can be categorized as either critical to the Government of Canada, by supporting the health, safety, security and economic well-being of Canadians and the effective functioning of government, or critical to departments themselves, where they are required in order to fulfill the department’s mandate and other departmental obligations. Departmental critical services may not necessarily be critical to the Government of Canada.

The requirements for BCP are established in the Emergency Management Act (EMA), Treasury Board Policy on Government Security (PGS), Directive on Departmental Security Management, Operational Security Standard – Business Continuity Planning Program (OSS-BCP) and Operational Security Standard – Management of Information Technology Security (OSS-MITS). The Act, policy, directive and operational standards provide guidance to departments in developing business continuity processes that support departmental objectives, and define roles, responsibilities and accountabilities for departments and lead security agencies.

Based on current requirements, governance frameworks are required to ensure government-wide coordination of critical service recovery and departmental BCP readiness.

Within Transport Canada, the responsibility to implement a departmental BCP Program rests with the Deputy Minister. The Deputy Minister is responsible for ensuring that appropriate management direction, processes and tools are in place to efficiently manage BCP, and that the departmental security plan remains appropriate to the needs of the department and the government as a whole through periodic reviews. As per the Treasury Board’s OSS-BCP, the development and implementation of a departmental BCP involves implementing a departmental BCP governance structure, completing Business Impact Analyses (BIAs), developing BCP strategies and plans, and developing and maintaining BCP readiness through regular training, testing, validation and review of plans. With the transition to service provision from Critical Support Service Providers (CSSP; Footnote 4), departments must also ensure that formal service provision agreements are in place and that departmental recovery strategies include coordination mechanisms and procedures.

Internal Audit provided audit findings, without audit recommendations, to the OCG for inclusion in the development of its audit report. The OCG audit report will summarize the audit findings for all large and small departments and provide recommendations for the Government moving forward. This internal audit report makes specific recommendations to strengthen Transport Canada’s BCP Program.

1.3. Audit Objective, Scope, Approach, Criteria and Sample

1.3.1 Audit Objective

As defined by the OCG, the objectives of the audit were to determine whether:

  • Departmental governance frameworks for BCP are in place (Footnote 5); and
  • Departmental BCP processes are in place (Footnote 6).

1.3.2 Audit Scope

The audit examined BCP documentation in place as at December 31, 2015, the governance framework used within Transport Canada, and work underway in 2016 to ensure continuity of critical and support services of the Department. The audit utilized a risk-based sample (Footnote 7) of business continuity plans to examine whether BCP processes included the essential elements and mitigated the risks to the continuity of operations.

1.3.3 Audit Approach

The audit was conducted through the review of key BCP related documents, interviews and an examination of a sample of business continuity plans and BIAs which were assessed against the specific criteria defined in the OCG’s Audit Program.

1.3.4 Audit Criteria

The audit examined three areas:

  1. Departmental governance frameworks are in place for the management of departmental BCP.
  2. Departmental BCP processes are in place for the development, implementation, testing and update of departmental BCP.
  3. Departmental monitoring processes are in place for the oversight of BCP readiness.

For each area, the OCG had developed audit criteria and sub-criteria.

1.3.5 Audit Sample

The following sample was selected for review:

  1. Response and Readiness – Situation Centre
    1. Pacific Region
    2. Prairie and Northern Region
    3. Ontario Region
    4. Headquarters
    5. Quebec Region
    6. Atlantic Region
  2. Pacific Region – Emergency Contracting
  3. Atlantic Region – Regulatory Oversight
    1. Marine Security
    2. Surface
    3. Civil Aviation
    4. Aviation Security
  4. Headquarters – Emergency Measures
    1. Rail Safety
    2. Transportation of Dangerous Goods
    3. Civil Aviation – Aircraft Maintenance and Manufacturing

Transport Canada is a key player in responding to any transportation-related emergency. A situation centre is located at HQ and one in each region. These centres provide critical support to enable Transport Canada to carry out its role during an emergency. The OCG selected the Situation Centre in Pacific Region as one of the critical services in its sample. Internal Audit expanded the sample to include all Situation Centres to ensure full coverage of this particular critical service.

1.4. Report Structure

For each of the three areas examined, we have included contextual information, what we expected to find, what we found and, where appropriate, recommendations. The last section of the report contains management’s action plan to address our audit recommendations.

2. Findings and Recommendations

2.1. Governance Framework

Context

The requirements for BCP are established in the Emergency Management Act (EMA), Treasury Board Policy on Government Security (PGS), Directive on Departmental Security Management, Operational Security Standard – Business Continuity Planning Program (OSS-BCP) and Operational Security Standard – Management of Information Technology Security (OSS-MITS). The Act, policy, directive and operational standards provide guidance to departments in developing business continuity processes that support departmental objectives; and define roles, responsibilities and accountabilities for departments and lead security agencies.

Based on current requirements, governance frameworks are required to ensure government-wide coordination of critical service recovery and departmental BCP readiness.

What We Expected

We expected to find departmental governance structures in place that actively support business continuity planning and roles and responsibilities that have been documented, approved and communicated to all stakeholders; an established departmental policy framework that defines roles, responsibilities and expectations for BCP; and an established department-wide systematic approach to identify and prioritize departmental critical services.

What We Found

Transport Canada has governance and policy frameworks in place for the management of its BCPs. There are opportunities to strengthen accountabilities within these frameworks.

We found that Business Continuity Planning is supported by the following three governance bodies:

  • Transport Canada Executive Management Committee (TMX)
  • BCP Program Working Group (BCPWG)
  • Departmental Security Committee (DSC)

Transport Canada also periodically reviews its governance structures. The most recent review resulted in giving the BCPWG decision-making authority as reflected in their April 2016 Terms of Reference. In addition, a general review of security programs, which includes the BCP Program, is conducted every three years. The last such review was in November 2013.

Transport Canada has a BCP Policy which defines the roles, responsibilities and expectations of the following key stakeholders within the Department:

  • Deputy Minister
  • TMX members (senior management)
  • Departmental Security Officer
  • Directorate/Branch Managers
  • Departmental BCP Coordinator
  • BCP Program Working Group
  • BCP Coordinators

The BCP Policy is approved and published on Transport Canada’s internal website (Intranet).

We noted, however, that these roles, responsibilities and expectations have not been embodied in all of the key individuals’ performance accords or job descriptions. Having BCP responsibilities described in either job descriptions or performance accords of all key individuals would further strengthen key individuals’ BCP accountability and ensure consistency within the BCP Program.

We found that although all three governance bodies meet and discuss the BCP Program on a regular basis, the Departmental Security Plan (equivalent of a Terms of Reference) for the Departmental Security Committee does not define the frequency of meetings that are required. Without clearly stipulating this requirement, the DSC may not be held accountable to meet on a regular basis.

We also found from our sampling that service agreements do not exist between Transport Canada and Critical Support Service Providers (e.g. Shared Services Canada and Public Services and Procurement Canada). With the transition to being dependent on services from external Critical Support Service Providers, departments must also ensure that formal service agreements are in place and that there are departmental recovery strategies, including coordination mechanisms and procedures (Footnote 8).

A systematic approach to the identification and ranking of critical services is found in Transport Canada’s Business Continuity Management at Transport Canada User Guide. The guide was created to assist in the development of Business Impact Analysis (BIA) and Business Continuity Plans. It is available to all staff on the departmental Intranet.

Recommendation

  1. The BCP governance and policy framework should be strengthened by:
    • Defining BCP roles and responsibilities in either job descriptions or the performance accords of key individuals.
    • Ensuring the Terms of Reference for the Departmental Security Committee defines the frequency of meetings.
    • Considering the development of formal service agreements with Critical Support Service Providers.

2.2. Business Continuity Planning Process

Context

Generally, the BCP process involves carrying out a BIA to identify the various services provided by a function and then ranking the services by criticality and the maximum allowable downtime (MAD). Based on a BIA, a business continuity plan is then developed for each critical service to identify the actions to be taken and resources required to ensure the critical service can be restored/maintained within the MAD for that service.

What We Expected

We expected to find that BIAs have been conducted and reviewed on a regular basis to identify all critical services that require a business continuity plan and that necessary recovery strategies had been developed to ensure the continuity of the Department’s critical services and critical support services. We also expected the Department to coordinate with Critical Support Service Providers and other key internal stakeholders when developing, testing and updating their business continuity plans to ensure integration between all parties. Finally, we expected sufficient and relevant BCP training and tools are being provided to stakeholders.

What We Found

Transport Canada has processes in place for the development, implementation, testing and updating of its business continuity plans. However, the adequacy of its BIAs has not been regularly reviewed nor is there evidence that business continuity plans are tested regularly. Key BCP staff are not always aware of BCP training and tools nor have they all received BCP training.

As described previously, the process is to first complete a BIA that identifies all services of a function and ranks them to identify which services are critical. Business continuity plans are then prepared for services identified as critical. During our interviews, we were informed that the process followed was oftentimes reversed. In our sample review we found that two of the 13 business continuity plans were developed before their BIAs, three were developed after the BIA, and for the remaining eight the BIAs could not be located. Conducting a review of BIAs on a regular basis ensures that updates are made in a timely manner to reflect the Department’s changing operating environment. In other words, a BIA review ensures that the services most critical to the Department have been identified and that business continuity plans have been developed for them. Without up-to-date BIAs, there is the risk that not all critical services that require a BCP have been identified, or that BCPs are being maintained for services that are no longer considered critical.

The BIAs reviewed as part of our sample were created between 2006 and 2016 and the majority have not been updated since their inception. Following a tabletop BCP testing exercise in 2015, it was recommended that BIAs and business continuity plans be reviewed and updated. As of the date of this report, the Department is in the process of updating its BIAs. We had expected, however, that the BIAs would have been reviewed more frequently.

We assessed a sample of BIAs and BCPs against OCG criteria based on current guidance provided by Lead Security Agencies and the requirements of the TB Operational Security Standard – BCP and Management of Information Technology Security of 2004 and Public Safety’s All-Hazard Risk Assessment Guide of 2012-13. We found that BIAs and BCPs in the sample do not meet all of the OCG criteria but this is not unexpected given that the BIAs and BCPs were initially developed in 2006 and some of the criteria are based on later requirements. As the BCP Coordinator indicated to us, the BIA/BCP templates were developed based on the BCP guidance provided in 2006 and, therefore, the resulting BIAs and BCPs would have met the criteria that existed at that time. As Transport Canada is currently updating its BIAs and BCPs, it should ensure, where appropriate, that the revised BIAs and BCPs meet the OCG criteria.

For the sample of BIAs and business continuity plans reviewed, we found inconsistencies with the level of detail and information provided. A BIA should include two parts: Part I describes the business service, business impact and criticality, and maximum allowable downtime whereas Part II describes the resource requirements. We found that the majority of BIAs we reviewed did not include a Part II description of resource requirements. Without complete information, there is the risk that functional managers may not respond correctly to an event.

To ensure business continuity plans are reviewed on a regular basis, the BCP Coordinator sends a call letter twice a year asking all groups/regions to review and update their BCPs. Within our audit sample we found that, although BCPs are being reviewed, there was no documentary evidence in the Records, Documents and Information Management System (RDIMS) that the reviews are being conducted twice a year.

All business continuity plans dealt with the recovery or availability of electronic information necessary to carry out their functions. However, the plans did not identify the consequences of not being able to access IT services that are provided by Shared Services Canada. The business continuity plans identified the chosen recovery strategy but there was no description of the options considered before selecting the chosen strategy. It would not be possible, therefore, to determine if the strategy selected is in fact the best strategy, especially in a changing environment.

While testing has occurred in the form of the 2015 tabletop exercise, there was no evidence that this exercise included any CSSPs. The CSSPs should have been included, particularly if the scenario presented at the tabletop exercise required or impacted the provision of their critical services.

The BCP Program includes criteria and the requirement for testing of business continuity plans such that all business continuity plans will have been tested over the course of a three-year cycle. With the exception of one case in our sample, we found no evidence of the systematic testing of business continuity plans. Without testing BCPs, the Department cannot ensure that it could effectively respond to an event.

BCP training and tools have been developed and are available on the intranet. The Pacific Region developed an initial BCP Coordinators Training Guide, which was then adapted by the BCP Office for national use. The BCP Office has also developed BCP Training Presentations which are modified and tailored for specific groups. Tools include the BIA-BCP User Guide and various BIA-BCP templates. BCP training is also included as a component of the Canada School of Public Service’s Security Management training. However, the majority of staff we interviewed from the OCG sample were not aware of any BCP tools or training. The lack of training provided to functional managers could limit their ability to effectively execute their BCP responsibilities should an incident occur.

Recommendation

  1. BCP processes should be strengthened by:
    • Ensuring biennial (every two years) reviews are conducted on all BIAs, biannual (twice-yearly) reviews are conducted on BCPs, and that both are documented.
    • Ensuring business continuity plans, at a minimum, are all tested on a three-year cycle as per the BCP Program, and that BCP exercises are coordinated with CSSPs and other stakeholders.
    • Ensuring BCP training is offered, stakeholders are aware of it, and it is provided to key individuals in the BCP process.
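As an added illustration (not part of the audit report, and not a Transport Canada tool), the following Python script turns the expectations in this section into a repeatable check: the BIA-before-BCP ordering and Part II resource requirements from the findings, the CSSP service-agreement gap, and the review and testing cadences in Recommendation 2 (BIA every two years, BCP twice a year, every BCP tested within a three-year cycle). The record layout, field names and the three sample services are hypothetical constructions for the example; the service names echo the audit sample but the dates and attributes are invented.

```python
"""Readiness checker for a BIA/BCP inventory, modelled on the review and
test cadences in this audit (BIA every two years, BCP twice a year, every
BCP exercised within a three-year cycle). Hypothetical example: the record
layout and the sample services below are constructed for illustration."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cadences taken from Recommendation 2; the constant names are this example's own.
BIA_REVIEW_MONTHS = 24   # biennial BIA review
BCP_REVIEW_MONTHS = 6    # BCP reviewed twice a year
BCP_TEST_MONTHS = 36     # every BCP tested at least once per three-year cycle


@dataclass
class ServiceRecord:
    """One critical service and the BCP artefacts that support it (hypothetical layout)."""
    name: str
    mad_hours: int                        # maximum allowable downtime from the BIA
    bia_created: Optional[date]           # None = BIA could not be located
    bia_last_reviewed: Optional[date]
    bia_has_resource_requirements: bool   # BIA Part II present?
    bcp_created: date
    bcp_last_reviewed: date
    bcp_last_tested: Optional[date]       # None = never exercised
    depends_on_cssp: bool                 # relies on SSC/PSPC-provided services?
    cssp_agreement_in_place: bool


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (31 Jan + 1 month clamps to 28/29 Feb)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def overdue(last: Optional[date], months: int, as_of: date) -> bool:
    """True when the next due date (last + months) has already passed or no date exists."""
    return last is None or add_months(last, months) < as_of


def readiness_findings(rec: ServiceRecord, as_of: date) -> list[str]:
    """Apply the audit's expectations to one record; an empty list means no findings."""
    findings = []
    if rec.bia_created is None:
        findings.append("BIA could not be located")
    else:
        if rec.bcp_created < rec.bia_created:
            findings.append("BCP developed before its BIA (process reversed)")
        if overdue(rec.bia_last_reviewed, BIA_REVIEW_MONTHS, as_of):
            findings.append("BIA review overdue (biennial)")
        if not rec.bia_has_resource_requirements:
            findings.append("BIA missing Part II resource requirements")
    if overdue(rec.bcp_last_reviewed, BCP_REVIEW_MONTHS, as_of):
        findings.append("BCP review overdue (twice yearly)")
    if rec.bcp_last_tested is None:
        findings.append("BCP never tested")
    elif overdue(rec.bcp_last_tested, BCP_TEST_MONTHS, as_of):
        findings.append("BCP not tested within three-year cycle")
    if rec.depends_on_cssp and not rec.cssp_agreement_in_place:
        findings.append("no formal service agreement with CSSP")
    return findings


def inventory_report(records, as_of: date) -> dict[str, list[str]]:
    """Findings per service, ordered by MAD so the most time-critical services come first."""
    ranked = sorted(records, key=lambda r: r.mad_hours)
    return {r.name: readiness_findings(r, as_of) for r in ranked}


# Constructed sample inventory (not Transport Canada data); every date is illustrative.
SAMPLE_INVENTORY = [
    ServiceRecord("Situation Centre - Pacific Region", 4,
                  date(2006, 3, 1), date(2006, 3, 1), False,
                  date(2007, 1, 15), date(2015, 10, 1), date(2015, 9, 15),
                  True, False),
    ServiceRecord("Emergency Contracting - Pacific Region", 48,
                  None, None, False,
                  date(2008, 5, 1), date(2015, 3, 1), None,
                  False, False),
    ServiceRecord("Emergency Measures - Rail Safety (HQ)", 24,
                  date(2014, 6, 1), date(2014, 6, 1), True,
                  date(2013, 2, 1), date(2015, 11, 1), date(2014, 4, 1),
                  True, True),
]
AS_OF = date(2015, 12, 31)   # the audit's "as at" date

if __name__ == "__main__":
    for name, issues in inventory_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {'; '.join(issues) or 'no findings'}")
```

Run as a script it prints one line per service; the same findings are available to a dashboard or a call-letter generator through inventory_report(). Sorting by MAD is deliberate: a BCP coordinator with limited time should chase the stale BIA for a four-hour service before the one for a two-day service.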

2.3. Monitoring of BCP Readiness

Context

The requirements for departments to monitor and report on the effectiveness of their BCP Program are established in the Treasury Board Policy on Government Security (PGS) (Footnote 9), Directive on Departmental Security Management (Footnote 10), and the Operational Security Standard – Business Continuity Planning Program (OSS-BCP) (Footnote 11). The policy, directive and operational standard also define roles, responsibilities and accountabilities for departments and lead security agencies.

What We Expected

We expected the Department to monitor and report both on the status of its BCP Program and its compliance with government policy.

What We Found

Transport Canada monitors and reports to senior management on the status of the BCP Program and its compliance with government policy.

The Departmental Security Officer is the functional authority for the BCP Program within Transport Canada. The DSO reports to senior management on the overall status of the BCP Program and reports annually on the Departmental Security Plan, which includes a specific section on the overall status of the BCP Program and its compliance with government BCP Program requirements. At the last update to TMX, in January 2016, TMX noted the need for updated BIAs, fewer BCPs and a decreased level of effort to update the BCPs. TMX approved a project timeline for updating the BIAs.

In 2014 Transport Canada completed an internal review to assess its compliance with the Policy on Government Security (PGS). A PGS compliance review is to be completed every three years, with the results presented to TMX and the Treasury Board Secretariat. The 2014 review recommended that a tabletop exercise be conducted as a preliminary test of the business continuity plans.

Transport Canada conducted the tabletop exercise in September 2015 and made nine recommendations for improvement. In response, the Departmental Security Officer prepared an action plan, a key part of which includes replacing the individual departmental BIAs with a National BIA and reviewing that BIA every two years. The audit team supports this commitment and the others included in the action plan.

Based on existing guidance and direction, the OCG has put together what it would expect to find in a BCP Program within a department. Considering Transport Canada is currently working on updating its BIAs and BCPs, it should ensure that, where appropriate, its BCP Program meets the OCG criteria.

Recommendation

  1. The current BIA/BCP renewal exercise should be carried out and address the OCG criteria set out in this audit.

3. Conclusion

We found that a governance framework is in place for the management of the departmental BCP Program. Departmental processes are also in place for the development, implementation, testing and updating of departmental BCPs. However, the foundational work to identify critical services has generally not been updated since the inception of BIAs in 2006. While the resulting BCPs for the identified critical services are being updated, it is unknown whether the critical services identified are still the ones that require a BCP. Transport Canada has recognized the need to update its BIAs and BCPs and proactively embarked on a BIA/BCP renewal exercise in January 2016. Transport Canada needs to ensure that its current process for this renewal is carried out and conforms to the OCG’s expectations/criteria for a BCP Program.

4. Recommendations and Management Action Plan

It is recommended that the Assistant Deputy Minister, Corporate Services and Chief Financial Officer ensure that the following audit recommendations are addressed.

Columns: Recommendation / Management Action Plan / Completion Date (for each action) / OPI (direct report for each specific action)

Recommendation 1: The BCP governance and policy framework should be strengthened by:

a. Defining BCP roles and responsibilities in either job descriptions or the performance accords of key individuals.
   Management action: A standard clause will be provided for inclusion in the performance accords of key individuals involved with the Transport Canada BCP program.
   Completion date: Completed
   OPI: Corporate Services

b. Ensuring the Terms of Reference for the Departmental Security Committee defines the frequency of meetings.
   Management action: The DSC Terms of Reference will be revised to include frequency of meetings.
   Completion date: Completed
   OPI: Corporate Services

c. Considering the development of formal service agreements with Critical Support Service Providers.
   Management action: A section on BCP will be included in the departmental service agreement with PSPC.
   Completion date: March 2017
   OPI: Corporate Services
   Management action: SSC has not entered into a service agreement with Transport Canada; however, Transport Canada will confirm that the Service Level Expectations published on SSC’s Service Catalogue for Application Hosting are applicable to legacy environments, including Transport Canada. The response, positive or negative, will be used to form a standard clause in each BCP that is directly reliant on SSC.
   Completion date: Completed

Recommendation 2: BCP processes should be strengthened by:

a. Ensuring biennial reviews are conducted on all BIAs, biannual reviews are conducted on BCPs, and they are documented.
   Management action: A process will be established that requires all BIA owners to conduct and document their BIA reviews every two years. BCPs will be reviewed and documented twice a year.
   Completion date: Completed
   OPI: Corporate Services

b. Ensuring business continuity plans, at a minimum, are all tested on a three-year cycle as per the BCP Program, and that BCP exercises are coordinated with CSSPs and other stakeholders.
   Management action: A schedule will be developed to ensure that all BCP plans are tested on a three-year cycle, and BCP exercises will be coordinated with CSSPs and other stakeholders.
   Completion date: Completed
   OPI: Corporate Services

c. Ensuring BCP training is offered, stakeholders are aware of it, and it is provided to key individuals in the BCP process.
   Management action: The Canada School of Public Service is responsible for providing the Government of Canada BCP training and is currently reviewing its departmental curriculum. The DSO will take advantage of this program as the courses become available. In the interim, TC will ensure that stakeholders are aware of existing BCP training and that it is provided to key individuals.
   A binder and proposed communications plan will be presented to TMX. The binder will outline procedures to manage responses to the following:
     • External crisis events such as oil spills and natural disasters (in partnership with TC Emergency Management)
     • Internal events such as building evacuations, shelter-in-place, lockdowns and active shooter scenarios.
   Completion date: Completed
   OPI: Corporate Services

Recommendation 3: The current BIA/BCP renewal exercise is carried out and addresses the OCG criteria set out in this audit.
   Management action: OCG recommendations will be taken into account as the BIAs and BCPs are refreshed.
   Completion date: Completed
   OPI: Corporate Services