ARCHIVED - Audit of Business Continuity Planning - Follow-up Report Status Update as of September 30, 2012

Archived information

This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

PDF Version (58 Kb, 13 Pages)

 

 

Action Plan Implementation Status Update Report to the Audit Committee - As of September 30, 2012

Chief Financial Officer

Audit of Business Continuity Planning
Approval Date: 20/06/2011

Project
Recommendations
Action Plan Expected
Completion Date
Program
Response
1. Develop a multi-year plan that addresses gaps in the BCP Program and present it to an executive committee for review and approval. The planning process should include a reassessment of the program objectives, establishment of measurable goals and targets, development of fully costed strategies to implement the program, and a reassessment of BCP Program governance. The Director, ITSD – in collaboration with the DSO – will:
  • Conduct an organizational assessment to determine the best-fit placement of the function, and options for management consideration regarding changes to program governance for improving the effectiveness of the program. Assessment will include capacity options given current state (eg. BCP Coordinator position is currently vacant), and the training requirements associated to BCM-related responsibilities.
  • Develop a 3 year tactical plan which prioritizes and addresses the identified gaps within the Business Continuity Management (BCM) file commensurate with the risk each gap presents, and present the plan to the Departmental Operations Committee (DOC) for approval.

    This plan will include:
    1. Establishment of measureable goals/targets
    2. Development of fully costed strategies and options for DOC consideration (human resources, systems, etc)
  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies that the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 /deployment).

A 3 year tactical plan has been begun, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13.

Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan.
Actions
  • Draft of organizational assessment for circulation and comments
End Q2, 2011-12 PROGRAM RESPONSE:
Status:Underway
Update/Rationale:
As of 31/03/2012:

An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies that the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 / deployment).
  • Draft of tactical plan for circulation and comments
Mid Q3, 2011-12 PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

A 3 year tactical plan has been begun, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13.
  • Presentation of organizational assessment and tactical plan including viable options to DOC
End Q3, 2011-12 PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan.

AES: Closed.
2. Revise the AANDC BCM Policy to ensure that roles and responsibilities for directing and reporting on the BCP Program are clear. The Director, ITSD – in collaboration with the DSO – will:
  • Consult with key stakeholders, including but not limited to: the three (3) Critical Service program areas, a sample of Critical Support Service program areas and Regions, Communications, and Public Safety Canada to refresh roles and responsibilities pertaining to BCM.
  • Update the BCM Policy to reflect: updated roles and responsibilities, mandatory seniority level of BCM representation in Regions and Sectors, and input from organizational assessment (Item #1 above), including the more explicit definition of the BCP Coordinator's challenge function identified within Item #3.
  Status: Underway

Update/Rationale:
As of 30/09/2012:

Given the recent and significant changes to the Departmental organization and operations, changes to the BCM policy have been deferred. In particular, the creation of the Business Management Units (BMUs) may result in roles and responsibilities of BCP Coordinators shifting to these units at the Sector level.

A Communications Plan has been updated by the Communications Branch in consultation with the Information Management Branch. The plan should be ready for approval in Q3.
Actions
  • Begin consultations with key stakeholders
Mid Q2, 2011-12 Actions
1) PROGRAM RESPONSE: Status: Underway

Update/Rationale:
As of 09/11/2012:

Public Safety Canada has yet to publish an updated BCM policy instrument. Consultation with key stakeholders will continue into Q4.

PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 09/11/2012:

2) No further guidance has been provided by Public Safety Canada as to the updated policy instruments for BCM within client departments, impeding progress on refreshing internal policy instruments. Public Safety Canada will be contacted once more in Q3, and preliminary consultations with the BMUs and other key stakeholders will continue in Q4 to reflect operational changes. A BCM policy refresh will consequently materialize in mid fiscal year 2013-14, pending publication of updated Public Safety Canada guidance.  

AES: Implementation ongoing.
  • Updated BCM policy presented to DOC for approval
Mid Q4, 2011-12
3. Ensure that the Departmental BCP Coordinator plays a more active role in advising and challenging managers of critical services and critical support services throughout the process of developing, testing and updating BIAs and BCPs. Director, ITSD – in collaboration with the DSO – will:
  • Working with Communications, develop a communication plan to ensure that the authority of the new BCP Coordinator is readily shared with all stakeholders in the department. Emphasis will be placed on the advisory services provided by the BCP Coordinator.
  • Implement operationalized processes based on new BCM policy similar to IT Security Certification and Accreditation process (CIO, DSO, and DG of responsible program area will need to formally sign off on yearly BIA/BCP updates) for existing Critical Services and Critical Support Services. This process will include a provision by which the CIO and DSO will not endorse the signoff of BIA/BCP without appropriate endorsement by BCP Coordinator.
  • Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1.
  Status: Request to close (completed)

Update/Rationale:
As of 30/09/2012:

A Communications Plan has been updated by the Communications Branch in consultation with the Information Management Branch. The plan should be ready for approval in Q3.
Actions
  • Communication Plan developed
End Q3, 2011-12 Actions

1) PROGRAM RESPONSE: Status: Request to close (completed)

Update/Rationale:
As of 09/11/2012:

A Communications Plan has been updated by the Communications Branch in consultation with the Information Management Branch.  The plan should be ready for approval in Q3.

2) PROGRAM RESPONSE: Status: Request to Close (completed)
Update/Rationale:
As of 09/11/2012:

New endorsement process has been developed for updating and recording progress of BIA/BCP updates on an annual basis, with initial focus on Level 1 and Level 2 services. This process has been initially shared with the Regional/Sector BCP Coordinators and has been approved by the OC (March 2012). Consultation with the DSO was done to ensure alignment, and to help inform the Departmental Security Plan update process in future years. The process will be updated as necessary for the next cycle, as lessons learned are recorded and addressed.

AES: Implemented. Closed.
Updated BIA/BCP sign off process designed and developed, presented in conjunction with BCM refreshed policy to DOC. Mid Q4, 2011-12
4. Develop a formal training and awareness program for BCP Coordinators and managers of critical services (and critical support services). The level of formal training should consider the extent to which the Departmental BCP Coordinator also provides advice and hands-on support throughout the process of developing and testing BIAs and BCPs. Director, ITSD – in collaboration with the DSO – will:
  • Consult with Public Safety to determine if new training and awareness products are available for use by client departments.
  • Review existing BCM-related material available to the department (such as the Institute for Continuity Management or the Canada School of Public Service) and establish baseline mandatory and/or recommended training for BCM-related roles, in consideration of DOC guidance provided regarding Item #1.
  • Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1.
Note: AANDC's BCP Awareness/Training approach was approved by Public Safety during H1N1 – ie. providing templates and being available for consultation on an "as needed basis". However, we do agree with the audit results that a more comprehensive approach, particularly for Critical Services and Critical Support Services would continue to mature the BCM function and increase the effectiveness of BCP-efforts.
  Status: Request to close (completed)

Update/Rationale:
As of 30/09/2012:

PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material.

Actions
1) PROGRAM RESPONSE: Status: Request to Close (completed)
Update/Rationale:
As of 09/11/2012:

Please see previous rationale; no material exists for adoption by Public Safety Canada.

2) PROGRAM RESPONSE: Status: Request to Close (completed)
Update/Rationale:
As of 09/11/2012:

PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material.

3) PROGRAM RESPONSE: Status: Request to Close (completed)
Update/Rationale:
As of 09/11/2012:

PowerPoint presentations have been developed which identify the required steps for completing Business Impact Assessments and Business Continuity Plans. A dedicated Business Continuity Planning Coordinator has been staffed to provide support beyond the contents of the produced material.

AES: Substantially implemented. Closed.
Actions
  • Consultation with Public Safety
End Q1, 2011-12
  • Formalize training material for managers of Critical Services and Critical Support Services
Beginning Q4, 2011-12
  • Integrate training coverage as part of reporting process implemented for Item #5.
Beginning Q4, 2011-12
5. Improve monitoring and reporting of the effectiveness of the BCP Program in regions and sectors to support continuous improvement and oversight (e.g., semi-annual reporting to an executive committee on the state of the BCP Program, including significant program gaps, resolution rates for issues identified through BCP testing and disruptions, completion rates for various levels of BCP testing, completion rates for BCP training, etc.). Director, ITSD – in collaboration with the DSO – will:
  • Build upon the policy update (Item #2) and operationalized process development (Item #3) to ensure that biannual updates are provided across Regions and Sectors which are signed off at a sufficiently senior level (DG or above), including training coverage.
  • Develop a "scorecard" for Critical Services and Critical Support Services (NCR and Regionally) and provide to responsible DGs on a biannual basis, which considers:
    • Existing BCM gaps – BIA/BCP completion rates and completeness of plans
    • Status of testing (exercises)
    • Post mortems (both testing and post-events)
  Status: Underway

Update/Rationale:
As of 30/09/2012:

Process has been developed, and report cards will be completed once all updated BIAs/BCPs are received. Given the extensive change to the AANDC organization and operations, including the creation of various BMUs, Hubs, updating BIAs and BCPs to reflect these new operational realities will delay reporting in this context.

Due date for updates will be end of Q3/mid Q4, with reporting on aggregate results in Q1/Q2 fiscal 2013-14.

Actions
1) PROGRAM RESPONSE: Status: Ongoing
Update/Rationale:
As of 09/11/2012:

Given the significant AANDC operational and organizational changes, the most appropriate service for piloting may be the service(s) provided by newly created Hubs. Consultation is required. Service identified for pilot to be done in Q4.

2) PROGRAM RESPONSE: Status: Ongoing
Update/Rationale:
As of 09/11/2012:

Given the significant AANDC operational and organizational changes, the rollout of report carding to other Critical Services and Critical Support Services will materialize through FY 2013.

3) PROGRAM RESPONSE: Status: Ongoing
Update/Rationale:
As of 09/11/2012:

Given the significant AANDC operational and organizational changes, the rollout of report carding to other Critical Services and Critical Support Services will materialize through FY 2013 (second half).

AES: Implementation ongoing.
Actions
  • Pilot Critical Service is identified, with review in Q1 2012
Mid Q4 , 2011-12
  • Rollout to remaining Critical Services and Critical Support Services throughout 2012
FY 2012
  • Aggregation of scorecards presented to DOC biannually, beginning in early 2012.
FY 2012
 
 
Date modified: