Audit of the Business Continuity Planning Program

Approved by the Deputy Minister of Finance Canada on the recommendation of the Audit Committee

August 29, 2016

Prepared by
Internal Audit
Department of Finance Canada

Table of Contents

Executive Summary

Background

Audit Objective

Audit Scope

Audit Criteria

Statement of Conformance and Approach

Conclusion

Audit Findings

Recommendations, Management Response and Action Plan

Executive Summary

The Treasury Board Operational Security Standard – Business Continuity Planning Program (OSS-BCPP) requires departments to provide for the continued availability of services that are critical to the health, safety, security or economic well-being of Canadians, or to the effective functioning of government.

The Policy on Government Security defines business continuity planning as the “development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets”.

Finance Canada provides the following four critical services:

  • Large Value Transfer Payments
  • Lead Coordination of Financial Sector
  • International Economic Leadership
  • Preparation of the Federal Budget

Departmental analysis and planning for business continuity are supposed to include the impacts of service interruption, an assessment and prioritization of the services considered for resumption and the recovery options for the services in question. The Department’s BCP Program includes a corporate Business Continuity Plan (BCP) and 14 branch and corporate service level Business Impact Analysis and Business Continuity Planning Tables (Tables).

Upon the activation of the corporate BCP, the Executive Committee is tasked with deciding which among the Department’s many branch and corporate service level business continuity teams described in the 14 Tables to activate.

The audit objective was to provide reasonable assurance that the Department has established a BCP program that supports the continued availability of its critical and essential services and related assets.

The audit concluded that the Department has established a BCP program that supports the continued availability of certain of its critical services. Improvements are required in the development of the plans and for the testing of certain critical services.

The report provides the following recommendations:

  1. The ADMs implicated in the provision of the Department’s four critical services, in collaboration with the Departmental Security Officer, should develop consolidated Tables for each of the four critical services.
  2. Executive Committee, on an annual basis, should review the consolidated Tables that have been reviewed and assessed by the Departmental Security Officer, to ensure that they support the Department’s priorities for restoring and providing critical services.
  3. The ADM, Corporate Services Branch, in collaboration with the ADMs implicated in the provision of the Department’s four critical services, should conduct coordinated annual tests of the Department’s critical services.

Background

The Audit of the Business Continuity Planning Program was authorized as part of Finance Canada’s 2015–18 Internal Audit Plan, approved by the Deputy Minister on December 11, 2015.

The Emergency Management Act outlines the responsibilities of each minister in the area of emergency management. Ministers are to identify risks in their area of responsibility, including those related to critical infrastructure, and are required to: prepare emergency management plans in respect of these risks; maintain, test and implement the plans; and conduct exercises and training for the plans.

The Treasury Board Policy on Government Security and the related “Operational Security Standard – Business Continuity Planning Program” (OSS-BCPP) provide direction and guidance to departments in establishing a BCPP. The Policy on Government Security defines business continuity planning as the “development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets”. The Policy on Government Security defines a critical service as a “service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or to the effective functioning of the Government of Canada”.

The OSS-BCPP identifies four key elements of a BCP Program:

  • Establishment of BCP Program governance
  • Conduct of a business impact analysis
  • Development of business continuity plans and arrangements
  • Maintenance of BCP Program readiness

Assistant Deputy Ministers (ADMs) are responsible for developing and maintaining their respective Business Impact Analysis and Business Continuity Planning Tables (Tables) and testing their critical services. Executive Committee, which comprises the Deputy Minister and ADMs, approves the corporate BCP Program Policy and associated arrangements. The ADM of Corporate Services Branch leads, through the BCP Office, the development, maintenance and ongoing assessment and testing of the corporate BCP. The Departmental Security Officer is accountable for the BCP Office. The Deputy Departmental Security Officer at the BCP Office manages the day-to-day operations of the BCP program.

The Department’s BCP Program includes a corporate BCP and 14 branch and corporate service level Tables. Upon the activation of this BCP, the Executive Committee is tasked with deciding which among the Department’s many branch and corporate service level business continuity teams described in the 14 Tables to activate.

These 14 Tables are required to address:

  • The impacts of a service interruption,
  • An assessment and prioritization of the services considered for resumption, and
  • The recovery options for the services in question.

The Department’s Executive Committee has determined that Finance Canada provides the following four critical services:

Large Value Transfer Payments
Large value transfers to provincial, territorial and aboriginal governments fulfilling federal obligations for health, social, equalization and tax payments.

Lead Coordination of Financial Sector
Liaise and coordinate with financial sector agencies and associations, advise the Minister and develop public messaging. Seek approval for financial institution transactions, and for the Bank of Canada to proceed with debt operations. Support foreign reserves, liquidity management, and crown borrowing programs.

International Economic Leadership
Monitoring and providing leadership on Canadian response to international crises, including responses to G7/G8/G20 and International Monetary Fund related events.

Preparation of the Federal Budget
Preparation and co-ordination of the Federal Budget and associated activities.

The Department has a dedicated “hot site” equipped with 17 workstations and meeting space. A “hot site” is a fully equipped off site location where an organization can resume operations.

Audit Objective

To provide reasonable assurance that the Department has established a BCP Program that supports the continued availability of its critical and essential services and related assets.

Audit Scope

The audit scope covered departmental activities related to the BCP Program in place as of January 2016. The scope considered linkages between the BCP and the Information Technology continuity plan, along with arrangements in place for internal and external dependencies.

Audit Criteria

  1. Departmental processes are in place for the development and update of the Tables and arrangements.
  2. A governance framework for the BCP Program is in place, including a departmental BCP Policy that is aligned to the OSS-BCPP, clear roles and responsibilities, and processes for monitoring and oversight of the program.
  3. BCP Program readiness is supported through ongoing revisions of plans, regular testing and validation of plans including lessons learned, and training and awareness.

Statement of Conformance and Approach

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. A risk assessment was conducted at the beginning of the audit to establish the audit criteria, which were accepted by management. The audit findings are based on a comparison of the conditions in place at the time of the audit with the audit criteria.

Audit procedures included:

  • Examination of all 14 of the Department’s branch and corporate service level Tables;
  • Examination of select policy branch contingency planning documents;
  • Interviews with staff from branches with BCP responsibilities associated with the Department’s four critical services;
  • Examination of documents which support departmental and branch BCP efforts, including Memoranda of Understanding (MoUs), testing plans and results, and IT plans; and,
  • Visiting and testing the Department’s “hot site” facilities.

Conclusion

The audit concluded that the Department has established a BCP program that supports the continued availability of certain of its critical services. Improvements are required in the development of the plans and for the testing of certain critical services.

Audit Findings

Improvements are required to the continuity plans for certain critical services

The audit team expected that the Department would have conducted a business impact analysis to assess the impacts of disruptions, then assessed and prioritized the services considered for resumption. We expected that based on this analysis, a business continuity plan would be developed which contains recovery options for the critical services of the Department.

The audit team found that while the Department has developed a corporate BCP, the plans for the continuity of its critical and essential services are contained in the 14 branch and corporate service level Tables. The audit team examined the 14 Tables to assess how the Department established:

  • The impacts of a service interruption,
  • An assessment and prioritization of the services considered for resumption, and
  • The recovery options for the services in question.

The audit team found that the analysis and recovery options for the Department’s four critical services were dispersed across 10 of the 14 Tables, where several branches were expected to provide plans for the same critical services. Collectively, the Tables did not contain the expected information and were not consistent for 2 of the 4 critical services. Observations on the 4 critical services are as follows:

Large Value Transfer Payments

This critical service of executing large value payments is performed by the Financial Management Directorate, using amounts determined in four other branches (Federal-Provincial Relations & Social Policy; Financial Sector Policy; International Trade & Finance and Tax Policy). The audit team found that the Department has developed the expected level of analysis and recovery options for the continuity of large value transfer payments. MoUs have been established and multiple facilities are available to ensure the continuity of these payments. These plans were found to be well known to the individuals interviewed by the audit team. However, the analysis and recovery options have not been explained in the most recent version of Financial Management Directorate’s Table.

Lead Coordination of Financial Sector

The provision of this critical service is mostly contained within Financial Sector Policy Branch. The audit found that this branch has developed the expected analysis and recovery options for this critical service. In addition to their Table, the branch has established other key BCP documents, including an MoU with another department and a “Redbook” document containing extensive information about external organizations involved in the leadership of the financial sector. The audit team found these to be good practices. Copies of this documentation have not been retained by the BCP Office, however. The audit team expected the BCP Office to retain records of all BCP documents associated with the Department’s critical services as part of its role in coordinating and implementing the BCP and recovery efforts.

Preparation of the Federal Budget

Virtually all departmental branches have responsibilities for the provision of services related to the preparation and delivery of the Federal Budget. The audit found that most branches had not provided the expected analysis and recovery options in their Tables. For example, the branch responsible for leading the preparation of the Federal Budget provided no recovery options, while, another branch indicated that it would rely on the recovery options of this lead branch. Branches that did provide analysis and recovery options were not integrated with each other.
Interviews with the authors of the various Tables indicated that the recovery options were as follows:

  • continuing with Budget preparations remotely, and at the hot site, with no reduction in output or delays
  • having less staff prepare Budget material
  • having the Budget tabling date changed

The audit team expected that the analysis and the recovery options would have been coordinated amongst the branches responsible for the preparation and delivery of the Federal Budget and documented in the Tables.

International Economic Leadership

The provision of this critical service is mostly contained within three branches (International Trade & Finance; Economic and Fiscal Policy; and Consultations & Communications). The audit found that one of the three branches had not provided any recovery options. Two branches had not determined the impact of a service disruption.

The Department’s BCP Program also has unclear expectations for the recovery of operations outside its facilities at 90 Elgin Street. The Department’s corporate BCP expects that, upon activation, the required branch continuity teams, as determined by Executive Committee, will report to the hot site. However, most Tables indicate that workers will connect remotely.

The Department faces certain capacity limitations for resuming operations outside its 90 Elgin facilities. There are currently 17 workstations at the hot site; however, the 14 Tables collectively identify 209 employees as potential users of the hot site. We also noted that only 210 of 739 employees can be connected remotely to the Department’s segregated network at once.

As noted previously, provision of three of the four critical services requires a significant multi-branch effort. Consequently, an approach where implicated branches collaborate to develop a consolidated Table for each of the critical services requiring a multi-branch effort would provide an integrated and consistent prioritization of services to be recovered and the recovery options to be considered with the capacity available to the Department.

The BCP Office has indicated that it intends to begin reviewing and assessing the information contained in the 14 Tables following the updates expected in late 2016-17.

Recommendation:

1. The ADMs implicated in the provision of the Department’s four critical services, in collaboration with the Departmental Security Officer, should develop consolidated Tables for each of the four critical services.

The BCP Program will benefit from greater oversight of its maintenance to ensure the Department’s plans are aligned to support the continued availability of its services

The audit expected that senior managers would be involved in the approval of appropriate analysis and plans for the continuity and resumption of critical and essential services.

We found that most Tables had been approved by ADMs, however, as noted above, several of these documents are not consistent or were missing the required analysis and recovery options. Certain other Tables also prioritized the resumption of services in ways that were not in alignment with the expectations around the Department’s risks and maximum allowable downtime.

The Department’s BCP templates were found to be largely in alignment with OSS-BCPP expectations. However, the audit found that other departmental contingency planning documents created without the use of a template contained better analysis. These contingency planning documents provided senior management with better expressions of the Department’s current IT dependencies, requirements to work face-to-face and options for prioritizing services.

The OSS-BCPP indicates that senior management support is essential to regularly review BCPs and activities. Given the Department’s dependence on an evolving IT environment, the regular maintenance of the Tables to capture impacts of these changes is important.

The Department’s BCP Policy indicates that Executive Committee is responsible for approving the corporate BCP and associated arrangements. Executive Committee also has responsibilities for providing the overall coordination of the Department’s response with respect to business recovery, including deciding which teams described in the 14 Tables to activate. The BCP Office, which is managed by the Departmental Security Officer, has indicated that it will begin reviewing and assessing the Tables in 2016-17. Executive Committee should review these newly validated Tables to ensure that they are cohesive and reflect the Department’s priorities for restoring and providing critical and essential services. As part of the ongoing maintenance of the BCP Program, Executive Committee should continue reviewing the validated Tables to ensure they reflect these priorities in a changing environment.

Recommendation:

2. Executive Committee, on an annual basis, should review the consolidated Tables that have been reviewed and assessed by the Departmental Security Officer, to ensure that they support the Department’s priorities for restoring and providing critical services.

The Department has not conducted the expected testing of continuity plans

The OSS-BCPP requires senior management to test business continuity plans regularly and the Department’s BCP Policy requires Executive Committee to test annually. In the Management Action Plan from the 2012 Internal Audit of BCP, the Department committed to the completion of annual executive BCP Tabletop exercises, in conjunction with on-going additional tests of the delivery of the four critical services.

The audit team conducted testing at the hot site and found that the available IT and communications devices operated as intended and the expected software was available on the expected devices. Since 2012, testing has occurred at least annually for the large value transfer payments as well as testing transactions associated with foreign reserves, liquidity management and crown borrowing programs. However, testing for the other three critical services has been limited.

Executive BCP Tabletop exercises occurred in December 2012 and in January 2014.

  • The December 2012 exercise scenario involved the Department’s premises being unavailable for one working day and only tested the large value transfer critical service, along with certain other essential services.
  • The January 2014 exercise scenario involved a pandemic, where only two of the four critical services, Budget preparation and large value transfers were considered. The exercise did not address the need to prioritize connecting remotely and the prioritization of services given the shortage of staff. The audit team noted that ten of the 13 senior managers of this last tabletop exercise have since left the Department.

Testing at the Branch level has also been limited. The audit team is aware of only three branch tests since 2012.

Given that the Department operates in a single building, with limited alternate facilities and remote connectivity, as well as the significant work undertaken to deliver the Federal Budget, the audit team encourages regular, meaningful testing of all four critical services, including taking decisions about the prioritization of services.

Recommendation:

3. The ADM, Corporate Services Branch, in collaboration with the ADMs implicated in the provision of the Department’s four critical services, should conduct coordinated annual tests of the Department’s critical services.

Recommendations, Management Response and Action Plan
Recommendations Management Response and Action Plan
1. The ADMs implicated in the provision of the Department's four critical services, in collaboration with the Departmental Security Officer, should develop consolidated Tables for each of the four critical services.
Management Response:
Agree. The ADMs of EFP, ITF, FSP and the CFO will develop consolidated Tables for each of the four critical services: preparation of the federal budget, international economic leadership, lead coordination of the financial sector, and large value transfer payments.

Action Plan:
Consolidated Tables will be developed containing business impact analysis on disruptions to the critical services, an assessment and prioritization of the services considered for resumption, and business continuity plans, including recovery options. The ADMs of EFP, ITF, FSP and the CFO, along with the DSO, will coordinate with all the branches involved in the delivery of these services to ensure that the Tables are complete and that recovery options are consistent with the Department’s capacity constraints.

Lead:
ADMs of EFP, ITF, FSP and the CFO

Target Date:
October 31, 2016
2. Executive Committee, on an annual basis, should review the consolidated Tables that have been reviewed and assessed by the Departmental Security Officer, to ensure that they support the Department's priorities for restoring and providing critical services.
Management Response:
Agree. The Departmental BCP coordinator will review and assess the consolidated Tables for each of the four critical services annually to ensure that they support the Department's priorities for restoring and providing critical services. The ADM, Corporate Services Branch will communicate these consolidated Tables to the Executive Committee on an annual basis for review.

Action Plan:
The Departmental BCP coordinator will review the consolidated Tables to ensure that the documented recovery strategies have detailed recovery instructions and that they support the Department's priorities for restoring and providing critical services. These additional Tables will be updated annually (in the fall) corresponding with the update schedule for other branch Tables. The departmental BCP group will work with BCPWG members to ensure any gaps identified in the Tables are addressed. The ADM, Corporate Services Branch will communicate these consolidated Tables to the Executive Committee in December, on an annual basis, for review.

Lead:
Departmental Security Officer

Target Date:
December 31, 2016
3. The ADM, Corporate Services Branch, in collaboration with the ADMs implicated in the provision of the Department's four critical services, should conduct coordinated annual tests of the Department's critical services.
Management Response:
Agree. The Departmental BCP Coordinator, on behalf of the ADM, Corporate Services Branch, will ensure that a minimum of four coordinated tests (one per critical service) will be conducted annually.

Action Plan:
Four coordinated tests will be integrated into Security Services' annual calendar of awareness items and events and will be conducted, outside of peak Finance work periods, to assess readiness levels and ensure departmental recovery priorities are met. The tests will be conducted in collaboration with the ADMs implicated in the provision of the Department's four critical services. Test methods (such as: table-top exercises, testing of critical applications at alternate site, testing of alternate site readiness and testing and review of departmental BCP tools) will be selected to fit the service being tested.

Lead:
Departmental Security Officer

Target Date:
By end of fiscal year 2017/2018