Audit of Business Continuity Planning
1.1 Business Continuity Planning in the Federal Government
Business continuity planning in a federal government setting is a component of baseline security requirements and forms a process that aims to ensure that critical government services can be continually delivered in the event of a potential disaster, a security incident, a disruption or an emergency. These requirements are contained in the Emergency Management Act (2007) and the Treasury Board Policy on Government Security. Business continuity planning is important in order to provide the "development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets" (see Footnote 5) should such an eventuality occur. The Treasury Board's Operational Security Standard – Business Continuity Planning (BCP) Program requires departments to implement a Business Continuity Planning Program (BCPP) and to plan for emergencies or disruptions that could affect the delivery of critical government services.
Events such as the 1998 ice storm, the 2003 power blackout, the 2009 H1N1 pandemic and the 2010 Ottawa earthquake have highlighted the importance of business continuity plans across the organization.
The BCPP is composed of four elements:
- The establishment of BCPP governance;
- The conduct of a Business Impact Analysis (BIA);
- The development of business continuity plans and arrangements; and
- The maintenance of BCPP readiness.
1.2 Business Continuity Planning in the Treasury Board of Canada Secretariat
The departmental Business Continuity Plan (BCP) of the Treasury Board of Canada Secretariat (the Secretariat) supports the Secretariat in fulfilling its mandate, including its responsibilities relating to the Federal Emergency Response Plan, the Public Service Readiness Plan and internal operations.
In the fall of 2009, the Secretariat developed its Departmental Policy on Business Continuity Planning. One year later, the Secretariat developed its departmental BCP, which is a high-level overview of the Secretariat's response to an incident. Sector BCPs, once they are validated and tested, become components of the departmental BCP and provide the detail on how a sector will respond to an incident, should the support of a sector's critical operation be required.
Public Safety Canada uses the Policy on Government Security definition of a critical service: "A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or the effective functioning of the Government of Canada." (See Footnote 6.) For a service to be identified as critical, it must be evident that interruption of the service will begin to cause injury within a specific period of time, up to 30 days.
During a tabletop exercise of the Secretariat's senior executives in December 2010, it was determined that the Secretariat has no critical services, as defined above. However, they identified a number of critical support functions (see Footnote 7) and one critical dependency (see Footnote 8). In order to ensure that there is no confusion between the Treasury Board Policy on Government Security definition of a critical service and the terminology used in the Secretariat's BCPP documentation, the Secretariat uses the term "critical operation" to identify its critical support functions and dependencies.
As noted previously, the BCPP comprises four key elements, including the conduct of a BIA and the development of a BCP.
The purpose of a BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions (see Footnote 9).
The departmental BCP is intended to manage temporary business disruptions lasting up to 30 days. Business continuity planning is based on two scenarios:
- Workforce outage, where sufficient staff may be unable to report for duty, such as in a pandemic.
- Infrastructure outage, where premises occupied by the Secretariat may be uninhabitable due to damage or lack of utilities.
The BCP provides for the continued availability of services that are critical to the security of employees and the effective functioning of the department in times of an emergency incident or disruption.
The BCP explains what an organization has developed in terms of governance, processes (including approval processes) and tools to make sure it can respond in an emergency incident or disruption—whether the emergency incident or disruption lasts a few hours, days or much longer. The BCP clearly defines the roles and responsibilities of key people and groups, with a view to ensuring that operations that are critical to the effective functioning of the Secretariat will be maintained. The BCP will be activated when a critical operation is at risk of not being delivered and will provide for additional support from employees in non-critical operations.
At the Secretariat, responsibility for the BCPP is distributed between the corporate BCP unit in the Administration and Security Directorate, Corporate Services Sector, and the 17 Secretariat sectors and branches (see Footnote 10).
The Director of Security, Administration and Security Directorate, has been designated as the Departmental Security Officer (DSO), who has the responsibility for developing and maintaining the BCPP.
A BCP coordinator, who reports to the DSO, is responsible for coordinating and supporting the development, management, delivery, and ongoing monitoring and maintenance of the Secretariat's BCPs. In turn, the BCP coordinator is supported by the BCP working group.
Sector heads and their management teams are accountable for assessing an incident, determining the most appropriate response within their respective areas, and developing a sector BIA and BCP to identify and document their responses. Each sector appoints a sector BCP coordinator and an alternate to represent them on the BCP working group and to support the sector head during an incident.
The Secretariat BCP working group, made up of sector BCP coordinators and their alternates, coordinates the development and implementation of the BCPP. This working group is chaired by the DSO.
The Secretariat Incident Management Team (IMT), made up of key stakeholders in communications, information technology, human resources and security services, supports the DSO and the BCP coordinator in the activation and coordination of the Secretariat's departmental BCP and sector BCPs during an incident, in accordance with the following:
- Emergency Management Act;
- Policy on Government Security;
- Operational Security Standard – Business Continuity Planning (BCP) Program; and
- Secretariat's Departmental Policy on Business Continuity Planning.
The Assistant Secretary, Corporate Services Sector, is the chair of the IMT.
Activation of the Secretariat's BCP will occur upon instruction from the Secretary, or the Secretary's alternate, in response to an incident that jeopardizes the Secretariat's ability to deliver its critical operations. In the event that both the Secretary and the alternate are not available, the decision will be taken by the IMT chair. Sector BCPs, as well as components of the Secretariat's departmental BCP, will be activated during an incident, as required.