Audit of the Justice Canada Emergency Management Program and the Business Continuity Planning Program
May 03, 2013

2.0 Findings, Recommendations and Management Responses

2.1 Challenge (Oversight and QA) Function

Key Finding: SSEMD does not exercise an effective challenge (Oversight and Quality Assurance) function with respect to BCP across the Department. This has resulted in inconsistency of BCPs, difficulty in the identification of critical services, and underuse/ misapplication of documentation for Business Impact Analyses.

Audit Criterion 1: Appropriate governance structure and corporate policy are in place.

Audit Criterion 2: Risks are identified, assessed and mitigating strategies are in place.

2.1.1 Inconsistency of BCPs. We observed that the 17 BCPs for critical services in corporate headquarters Footnote 16 varied in length from 14 to 73 pages, and on average were made up of 34% telephone contact lists. As illustrated at Appendix H, Footnote 17 nine (of the 17) BCPs were outdated and eight were missing elements of the common format recommended in the DOJ Guide to BCPs. “Outdated” refers primarily to the annual updating of the telephone contact numbers in these BCPs. Footnote 18 However, “outdated” can also refer to organizational and other changes that are not reflected in the BCP. For example, the Information Management Branch (IMB) BCP is outdated with respect to the Shared Services Canada initiative. Updating of the IMB BCP, in conjunction with the departmental BCP Coordinator, could provide a useful source document for all BCP coordinators in the Department.

2.1.2 The six BCPs we reviewed for the Regions varied from 21 pages to 250 pages in length, with an average of 36% being made up of telephone contact lists. Only one of the BCPs was outdated (with respect to telephone contacts) and two were missing elements from the common format in the DOJ Guide to BCPs, as illustrated at Appendix I. Modernization initiatives that are currently underway were not considered when reviewing the BCPs for the Regions.

2.1.3 Accordingly, consistency of BCPs could be improved in several ways. First, direction on the maximum length of BCPs could be provided in the SEMP to include the length of telephone recall lists, if they are included at all. Second, telephone recall lists, or large parts of them, could be moved to a separate document on an intranet website that could be updated regularly and cross-referenced in the BCP. Third, SSEMD could better monitor compliance with the common elements (template) in the Guide to the BCP, ensure the BCPs are current, and take follow-up action as necessary. Collectively, this is Oversight and QA.

2.1.4 Identification of Critical Services. Public Safety Canada recognized in a 2010 memo to Departments that ...there are differences in the interpretation of a critical service.” We found this to be the situation in the Department. In our review of the 17 corporate BCPs identified to have critical services, we found that three did not have any critical services and that 11 identified critical services at the Program and Branch level rather than at the business line level. One exception, the 2013 BCP for the Family Orders and Agreements and Enforcement Assistance Program, identified four critical functions and two necessary functions. This level of detail permits the identification of critical assets and the development of appropriate continuity procedures. Another exception, the BCP for the Chief Financial Officer Branch (CFOB), included a one page summary that described the critical services in adequate detail. In the review of Regional BCPs, one Region included several critical assets in its statement of 15 critical services. In this case, the large number of critical services identified and the confusion with respect to critical assets, demonstrates that some expert assistance would be helpful. Sophisticated analysis is required to identify critical services and critical assets. Overall, definition and mentoring across the Department with regard to the identification of critical services is warranted.

2.1.5 Business Impact Analysis. Business Impact Analysis (BIA) is the basic building block for BCPs, in that BIAs identify the critical services and critical assets that are used in the BCPs. However, BIA is not a widely used tool in the Department. The current list Footnote 19 of seven departmental critical services with 17 corresponding BCPs was based on a series of BIAs developed in conjunction with the Y2K Footnote 20 Crisis in 1999. We have been advised by SSEMD that there has not been a significant re-examination of the fundamental analysis (BIAs) for the critical services and critical assets in these BCPs since that time. Similarly, there has been no significant re-examination of the BIAs for Regional BCPs for a number of years. There is a need to redo these BIAs to confirm the critical services and critical assets in corporate and regional BCPs.

2.1.6 The BIA process in the Department requires client organizations to complete a BIA Questionnaire but they are not provided with additional guidance or assistance. There is no specific training provided for the BIA process within the Department. The BIA Questionnaire was provided by Public Safety Canada and was posted on the Intranet in 2009. This form is lengthy, is not user-friendly and by itself is not conducive to the identification of critical services, which we would expect to be in the range of 10%-15% of total business lines Footnote 21. There is no suitable explanation on the intranet site about how to use and apply the form.

2.1.7 We would expect an efficient BIA process to include a way to quickly filter services and processes that are not likely to be critical before the Questionnaire or other detailed analytical form is utilized. We are aware that other government departments have developed their own BIA process. A refinement and tailoring of the BIA process for the Department is warranted.

2.1.8 Responsibility. SSEMD recognizes the responsibility for managing the departmental BCP program. We were advised that the priority for the past four years has been to design and implement the departmental emergency management governance structure. Now that this structure has been put in place, SSEMD anticipates that they can address issues related to BCP that they have been aware of for some time, as well as some additional issues raised in this report.

2.1.9 Resources. In the 2007 Report on a Tabletop Exercise, M. Purdy recommended a small centre of expertise on Emergency Management that should include at least three positions Footnote 22. We understand this to be separate from positions required for the BCP program. For the past few years at least, there have been only two full-time people assigned to EM and BCP - the BCP Coordinator who also manages the JEOC, works part-time on EM and carries out the standby function; and the EM Manager who has other security responsibilities as well.

2.1.10 Risk Assessment. We consider the risk associated with this finding to be Medium. Without an effective challenge function, these issues will likely not be resolved, that is, BIAs will not be done properly, BCPs will not necessarily identify the correct critical services, and extra effort will be expended on BCPs for non-critical services across the Department. We realize this risk is mitigated to some extent by the efficacy of the governance structure for EM.

Recommendation

1. The Director, SSEMD develop an action plan to improve the challenge (Oversight and QA) function with respect to BCP, to include refinement and improvement of the BIA process for the Department. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

  • Provide the Emergency Response Committee and the National Security/Business Continuity Planning Committee with a briefing on the Internal Audit recommendations and Management Action Plan in September 2013;
  • Develop a generic Business Continuity Planning template for business units that would ensure an integrated approach and consistency of Business Continuity Plans by March 2014;
  • Review and update the Business Impact Analysis to make it more user-friendly in the identification of critical services and assets for business units by March 2014;
  • Update the Departmental Guide for Business Continuity Planning by March 2014;
  • Conduct training in the National Capital Region and the Regions on the re-vitalized business continuity planning program during the period from April to September 2014;
  • Conduct an annual review of Business Continuity Plans and provide assistance and quality assurance feedback to business units on Plans beginning in fiscal year 2014-15; and,
  • Provide biannual updates to the Emergency Response Committee and National Security and Business Continuity Planning Committee on the status of the Management Action Plans beginning in fiscal year 2014-15

2. The Director, SSEMD develop a medium and long term human resources action plan to appropriately staff the EM/BCP function in SSEMD. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

  • Since the completion of the audit engagement, one position has been staffed; and,
  • Review the staffing requirements for the long term to ensure that SSEMD meets the needs of the Emergency Management and Business Continuity Programs by November 2014

2.2 Consolidation of Corporate BCPs

Key Finding: A consolidated corporate BCP would help to ensure that critical services are identified at a practical level and save effort currently expended on maintaining BCPs for important but not necessarily critical services.

Audit Criterion 1: Risks are identified, assessed and mitigating strategies are in place.

2.2.1 In the 2009 Report On A Tabletop Exercise M. Purdy observed that, DoJ does not have a consolidated, department-wide business continuity plan, but the SSEM Division has plans to do so, as a complement to the departmental Emergency Management Plan.”

2.2.2 The department-wide Business Continuity Plan was not developed. For the seven critical services identified in the 2009 Critical Services Information Collection Footnote 23, 17 BCPs have been developed. There are a total of 36 BCPs for the Department. Consolidation of these BCPs would significantly reduce the work required to update and maintain the BCP program in the Department.

2.2.3 As mentioned previously, there has not been a thorough re-examination of the BIAs supporting these 17 BCPs since 1999. Footnote 24 The result is that BCPs have been prepared for every organization on the list rather than only for those where critical services were identified. This could be described as encompassing “important” services as well as “critical services”. The result is extra work to maintain all of these BCPs and no guarantee that the critical services are properly identified.

2.2.4 Preparation of a consolidated corporate BCP, and eventually a departmental BCP, would help to resolve this situation. Appropriate action would entail a sophisticated BIA analysis that would consider all of the business lines/services and the corresponding critical assets. This one BCP could theoretically replace the 17 BCPs for central organizations that currently exist. It is anticipated that during the process some of the organizations involved would recognize that they do not have any critical services, as has already been the case with three of these organizations.

2.2.5 This would also help the departmental BCP Coordinator identify the organizations that need a “hot seat” for the “Hot Site” he intends to develop in the primary Alternate Site whereby laptops for organizations with critical services would be maintained in a ready status.

Recommendation

3. The Director, SSEMD prepare a consolidated corporate BCP. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

  • Conduct a table top exercise with Emergency Response Committee members including Regions to validate the consolidated corporate Business Continuity Plan before March 31, 2014
  • Upon completion of critical services review, a Departmental consolidated Business Continuity Plan will be tabled to the Emergency Response Committee for approval before March 31, 2015 

2.3 Support to the Regions

Key Finding: Regional Offices would benefit from additional support and mentoring from SSEMD with respect to BCP. In the context of changes in reporting relationships stemming from Modernization Strategy consolidation initiatives, there are potential risks that some employees in Regional Offices may be overlooked in emergency situations.

Audit Criterion 2: Risks are identified, assessed and mitigating strategies are in place.

2.3.1 BCP Coordination is done on a part-time basis in the Regions, mostly by the Regional Security Officers (RSOs) who spend relatively little time on this activity. Footnote 25 Their experience and training with respect to BCP and EM varies considerably. As noted previously, this has resulted in inconsistency of BCPs, a wide variation in the identification of critical services and underuse/misapplication of BIAs. This situation presents opportunities for increased training and mentoring.

2.3.2 SSEMD confirmed that EM/BCP staff do not visit the Regions on a regular basis, but agrees that such visits are critical to the success of the BCP program. However, SSEMD does hold bi-weekly teleconferences with the RSOs, who are invited to attend BCP exercises in Ottawa. In addition, RSOs attend workshops with the DSO in Ottawa or when the DSO visits the Regions. The NSBCPC includes membership from all Regions but has not met recently – October 12, 2011 was the most recent meeting.

2.3.3 Nevertheless, as M. Purdy observed, there is a tendency “...to pay less attention to issues which may arise at a regional, as opposed to a headquarters level”. Footnote 26

2.3.4 Modernization Initiatives Footnote 27 have recently resulted in consolidation of most functional staff in the Regions; that is, they now report to the appropriate functional head in Ottawa rather than to the Regional Director General in the Region in which they are located. The related risk is that some staff may be overlooked in the reorganization from an EM/BCP perspective. For example, a consolidated group in a region might be included in the relevant corporate BCP but not be considered with respect to local emergency procedures for fire and building evacuation. SSEMD has a role to ensure that this does not occur. We have also been advised that the overall reorganization with respect to security, to include EM and BCP, has not been entirely resolved at this point. The risk associated with this finding during the transition period is rated as High.

Recommendation

4. The Director, SSEMD develop an action plan to more fully project the BCP program to the Regions. (High Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

  • An agenda item will be brought forward to the June 2013 meeting of the Emergency Response Committee to amend the current membership to include representation from all Regions beginning in fiscal year 2013-14;
  • Increase contact with the Regions to provide awareness briefings and training to senior managers and Regional Business Continuity Planning Coordinators between February and June 2014;
  • Involve the Regions in the development of standardized Business Continuity Planning processes and tools and exercises. SSEMD will provide oversight and quality assurance with respect to Emergency Management and Business Continuity Planning activities in the Regions on an ongoing basis beginning in fiscal year 2013-14; and,
  • Involve Regions in table top exercises which will help build an understanding among Regional colleagues on Emergency Management and Business Continuity Planning issues on an ongoing basis beginning in fiscal year 2013-14.
Date modified: