Audit of the Justice Canada Emergency Management Program and the Business Continuity Planning Program
May 03, 2013

2.0 Findings, Recommendations and Management Responses

2.1 Challenge (Oversight and QA) Function

Key Finding: SSEMD does not exercise an effective challenge (Oversight and Quality Assurance) function with respect to BCP across the Department. This has resulted in inconsistency of BCPs, difficulty in the identification of critical services, and underuse/misapplication of documentation for Business Impact Analyses.

Audit Criterion 1: Appropriate governance structure and corporate policy are in place.

Audit Criterion 2: Risks are identified, assessed and mitigating strategies are in place.

2.1.1 Inconsistency of BCPs. We observed that the 17 BCPs for critical services in corporate headquarters Footnote 16 varied in length from 14 to 73 pages, and on average were made up of 34% telephone contact lists. As illustrated at Appendix H, Footnote 17 nine (of the 17) BCPs were outdated and eight were missing elements of the common format recommended in the DOJ Guide to BCPs. “Outdated” refers primarily to the annual updating of the telephone contact numbers in these BCPs. Footnote 18 However, “outdated” can also refer to organizational and other changes that are not reflected in the BCP. For example, the Information Management Branch (IMB) BCP is outdated with respect to the Shared Services Canada initiative. Updating of the IMB BCP, in conjunction with the departmental BCP Coordinator, could provide a useful source document for all BCP coordinators in the Department.

2.1.2 The six BCPs we reviewed for the Regions varied from 21 pages to 250 pages in length, with an average of 36% being made up of telephone contact lists. Only one of the BCPs was outdated (with respect to telephone contacts) and two were missing elements from the common format in the DOJ Guide to BCPs, as illustrated at Appendix I. Modernization initiatives that are currently underway were not considered when reviewing the BCPs for the Regions.

2.1.3 Accordingly, consistency of BCPs could be improved in several ways. First, direction on the maximum length of BCPs could be provided in the SEMP to include the length of telephone recall lists, if they are included at all. Second, telephone recall lists, or large parts of them, could be moved to a separate document on an intranet website that could be updated regularly and cross-referenced in the BCP. Third, SSEMD could better monitor compliance with the common elements (template) in the Guide to the BCP, ensure the BCPs are current, and take follow-up action as necessary. Collectively, this is Oversight and QA.

2.1.4 Identification of Critical Services. Public Safety Canada recognized in a 2010 memo to Departments that “...there are differences in the interpretation of a critical service.” We found this to be the situation in the Department. In our review of the 17 corporate BCPs identified to have critical services, we found that three did not have any critical services and that 11 identified critical services at the Program and Branch level rather than at the business line level. One exception, the 2013 BCP for the Family Orders and Agreements and Enforcement Assistance Program, identified four critical functions and two necessary functions. This level of detail permits the identification of critical assets and the development of appropriate continuity procedures. Another exception, the BCP for the Chief Financial Officer Branch (CFOB), included a one-page summary that described the critical services in adequate detail. In the review of Regional BCPs, one Region included several critical assets in its statement of 15 critical services. In this case, the large number of critical services identified and the confusion with respect to critical assets demonstrate that some expert assistance would be helpful. Sophisticated analysis is required to identify critical services and critical assets. Overall, definition and mentoring across the Department with regard to the identification of critical services is warranted.

2.1.5 Business Impact Analysis. Business Impact Analysis (BIA) is the basic building block for BCPs, in that BIAs identify the critical services and critical assets that are used in the BCPs. However, BIA is not a widely used tool in the Department. The current list Footnote 19 of seven departmental critical services with 17 corresponding BCPs was based on a series of BIAs developed in conjunction with the Y2K Footnote 20 Crisis in 1999. We have been advised by SSEMD that there has not been a significant re-examination of the fundamental analysis (BIAs) for the critical services and critical assets in these BCPs since that time. Similarly, there has been no significant re-examination of the BIAs for Regional BCPs for a number of years. There is a need to redo these BIAs to confirm the critical services and critical assets in corporate and regional BCPs.

2.1.6 The BIA process in the Department requires client organizations to complete a BIA Questionnaire but they are not provided with additional guidance or assistance. There is no specific training provided for the BIA process within the Department. The BIA Questionnaire was provided by Public Safety Canada and was posted on the Intranet in 2009. This form is lengthy, is not user-friendly and by itself is not conducive to the identification of critical services, which we would expect to be in the range of 10%-15% of total business lines Footnote 21. There is no suitable explanation on the intranet site about how to use and apply the form.

2.1.7 We would expect an efficient BIA process to include a way to quickly filter services and processes that are not likely to be critical before the Questionnaire or other detailed analytical form is utilized. We are aware that other government departments have developed their own BIA process. A refinement and tailoring of the BIA process for the Department is warranted.

2.1.8 Responsibility. SSEMD recognizes the responsibility for managing the departmental BCP program. We were advised that the priority for the past four years has been to design and implement the departmental emergency management governance structure. Now that this structure has been put in place, SSEMD anticipates that they can address issues related to BCP that they have been aware of for some time, as well as some additional issues raised in this report.

2.1.9 Resources. In the 2007 Report on a Tabletop Exercise, M. Purdy recommended a small centre of expertise on Emergency Management that should include at least three positions Footnote 22. We understand this to be separate from positions required for the BCP program. For the past few years at least, there have been only two full-time people assigned to EM and BCP - the BCP Coordinator who also manages the JEOC, works part-time on EM and carries out the standby function; and the EM Manager who has other security responsibilities as well.

2.1.10 Risk Assessment. We consider the risk associated with this finding to be Medium. Without an effective challenge function, these issues will likely not be resolved, that is, BIAs will not be done properly, BCPs will not necessarily identify the correct critical services, and extra effort will be expended on BCPs for non-critical services across the Department. We realize this risk is mitigated to some extent by the efficacy of the governance structure for EM.

Recommendation

1. The Director, SSEMD develop an action plan to improve the challenge (Oversight and QA) function with respect to BCP, to include refinement and improvement of the BIA process for the Department. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

2. The Director, SSEMD develop a medium and long term human resources action plan to appropriately staff the EM/BCP function in SSEMD. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

2.2 Consolidation of Corporate BCPs

Key Finding: A consolidated corporate BCP would help to ensure that critical services are identified at a practical level and save effort currently expended on maintaining BCPs for important but not necessarily critical services.

Audit Criterion 1: Risks are identified, assessed and mitigating strategies are in place.

2.2.1 In the 2009 Report On A Tabletop Exercise M. Purdy observed that, “DoJ does not have a consolidated, department-wide business continuity plan, but the SSEM Division has plans to do so, as a complement to the departmental Emergency Management Plan.”

2.2.2 The department-wide Business Continuity Plan was not developed. For the seven critical services identified in the 2009 Critical Services Information Collection Footnote 23, 17 BCPs have been developed. There are a total of 36 BCPs for the Department. Consolidation of these BCPs would significantly reduce the work required to update and maintain the BCP program in the Department.

2.2.3 As mentioned previously, there has not been a thorough re-examination of the BIAs supporting these 17 BCPs since 1999. Footnote 24 The result is that BCPs have been prepared for every organization on the list rather than only for those where critical services were identified. This could be described as encompassing “important” services as well as “critical services”. The result is extra work to maintain all of these BCPs and no guarantee that the critical services are properly identified.

2.2.4 Preparation of a consolidated corporate BCP, and eventually a departmental BCP, would help to resolve this situation. Appropriate action would entail a sophisticated BIA analysis that would consider all of the business lines/services and the corresponding critical assets. This one BCP could theoretically replace the 17 BCPs for central organizations that currently exist. It is anticipated that during the process some of the organizations involved would recognize that they do not have any critical services, as has already been the case with three of these organizations.

2.2.5 This would also help the departmental BCP Coordinator identify the organizations that need a “hot seat” for the “Hot Site” he intends to develop in the primary Alternate Site whereby laptops for organizations with critical services would be maintained in a ready status.

Recommendation

3. The Director, SSEMD prepare a consolidated corporate BCP. (Medium Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions:

2.3 Support to the Regions

Key Finding: Regional Offices would benefit from additional support and mentoring from SSEMD with respect to BCP. In the context of changes in reporting relationships stemming from Modernization Strategy consolidation initiatives, there are potential risks that some employees in Regional Offices may be overlooked in emergency situations.

Audit Criterion 2: Risks are identified, assessed and mitigating strategies are in place.

2.3.1 BCP Coordination is done on a part-time basis in the Regions, mostly by the Regional Security Officers (RSOs) who spend relatively little time on this activity. Footnote 25 Their experience and training with respect to BCP and EM varies considerably. As noted previously, this has resulted in inconsistency of BCPs, a wide variation in the identification of critical services and underuse/misapplication of BIAs. This situation presents opportunities for increased training and mentoring.

2.3.2 SSEMD confirmed that EM/BCP staff do not visit the Regions on a regular basis, but agrees that such visits are critical to the success of the BCP program. However, SSEMD does hold bi-weekly teleconferences with the RSOs, who are invited to attend BCP exercises in Ottawa. In addition, RSOs attend workshops with the DSO in Ottawa or when the DSO visits the Regions. The NSBCPC includes membership from all Regions but has not met recently – October 12, 2011 was the most recent meeting.

2.3.3 Nevertheless, as M. Purdy observed, there is a tendency “...to pay less attention to issues which may arise at a regional, as opposed to a headquarters level”. Footnote 26

2.3.4 Modernization Initiatives Footnote 27 have recently resulted in consolidation of most functional staff in the Regions; that is, they now report to the appropriate functional head in Ottawa rather than to the Regional Director General in the Region in which they are located. The related risk is that some staff may be overlooked in the reorganization from an EM/BCP perspective. For example, a consolidated group in a region might be included in the relevant corporate BCP but not be considered with respect to local emergency procedures for fire and building evacuation. SSEMD has a role to ensure that this does not occur. We have also been advised that the overall reorganization with respect to security, to include EM and BCP, has not been entirely resolved at this point. The risk associated with this finding during the transition period is rated as High.

Recommendation

4. The Director, SSEMD develop an action plan to more fully project the BCP program to the Regions. (High Risk)

Management Response

The Director, SSEMD agrees with the recommendation and will undertake the following actions: