Office of the Superintendent of Financial Institutions
Business Continuity Planning
- Type of Publication: Internal Audit Report
- Date: February 2019
Glossary and Abbreviations
Business Continuity Planning (BCP) is a key activity that enables the organization to provide for the continued availability of priority services in the case of disruption.
BCP is a requirement under Public Safety and Emergency Preparedness Canada’s Emergency Management Act and Treasury Board Secretariat’s (TBS) Policy on Government Security. The Departmental Security Officer (DSO) is ultimately accountable for BCP, as part of the broader departmental security program; however, the responsibility for operationalizing BCP at the Office of the Superintendent of Financial Institutions (OSFI) is delegated to the Security and Facilities Services (SFS) division under Human Resources and Administration within Corporate Services.
The TBS Policy on Government Security references TBS’s Operational Security Standard – Business Continuity Planning Program (OSS-BCPP), which further outlines the requirements of the BCP program, including the following four elements:
- The establishment of BCP program governance.
- The conduct of a business impact analysis.
- The development of business continuity plans and arrangements.
- The maintenance of BCP Program readiness.
In support of the requirement for establishing a BCP Program governance, OSFI established its Directive on Business Continuity Management (BCM) in February 2014.
At the time of the audit, SFS was in the midst of an OSFI-wide Business Impact Analysis (BIA), as required every five years under the OSFI Directive on BCM. BIAs help identify and prioritize essential operations and are a key driver for the development of divisional business continuity plans and associated investment decisions. The results of the BIA had not yet been communicated to senior management, and the corresponding updates to divisional business continuity plans had yet to be made. Per management, the recent BIA exercise identified a key opportunity to move towards function-based plans rather than maintaining divisional business continuity plans.
With organizational efforts underway in the area of BIA and respective revisions to the divisional BCPs, the scope of this audit focused on providing assurance that SFS has an adequate governance framework and mechanisms in place to administer, monitor and improve on business continuity planning on behalf of OSFI, as required by the Government of Canada.
An audit of BCP was recommended by OSFI’s Audit Committee and approved by the Superintendent for inclusion in the OSFI 2018-19 Internal Audit Plan.
Provide assurance on the governance framework and key mechanisms in place to support business continuity planning governance objectives, including a review of the Security Policy and associated policy tools for alignment with the Government of Canada guidelines, adequacy of the core processes to support key elements of the policy and tools, including any supporting operational procedures and guidance; roles and responsibilities; training and awareness; and monitoring and improvement mechanisms.
The scope of the audit focused on business continuity planning (BCP) governance elements, specifically policies, training, monitoring and assessment mechanisms in place to support Security Services. The scope of this audit excluded the assessment of the adequacy and effectiveness of the business impact analysis (BIA) and business continuity plans.
Statement of Conformance
The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
2. Results of the Engagement
Security and Facilities Services (SFS) has developed a robust business continuity planning program, which includes various governance tools and procedures in place to execute the program requirements. Although the foundational elements of a strong governance program exist, the program is not operationalized and lacks senior management commitment and oversight for effective functioning. SFS is in the process of updating the Corporate Security Policy, assessing the overall security program, and facilitating the establishment of functional business continuity plans through an ongoing Business Impact Analysis (BIA).
SFS is developing a roadmap for establishing strategic priorities for the improvement of the security program activities. In support of this roadmap and consistent with a recent opportunity highlighted in the BIA exercise, SFS should explore centrally managing high priority business continuity plans to ensure they receive the appropriate consideration to provide a level of confidence for the continued delivery of priority services.
Additional observations and considerations pertaining to updating policy and policy instruments and the establishment of a higher degree of accountability and governance over the BCP program are contained in this report.
3. Management Response
The management team agrees with the findings and recommendations, and recognizes that the recommendations require attention. SFS has a small team of three resources, none of whom is dedicated to BCP. Therefore, mitigating these risks and implementing the actions in the near term would present an operational challenge.
As part of this year’s planning exercise, SFS identified the need to invest in the corporate security team in order to mitigate risks. Subsequent to the completion of this audit, the Executive Committee approved additional resources for the Corporate Security team, which includes resources for the BCP program. The timelines in the action plan have been established based on this increased resource level, although still dependent on successfully being able to recruit talent on a timely basis.
SFS would like to thank the audit team for conducting a review of practices and documents as it relates to business continuity management within OSFI.
SFS is proposing that the Operating Committee (OC) provide an oversight function in order to support overall security risk management activities within the Office. This strengthened governance will be an important element in the successful implementation of the action plan.
4. Observations and Recommendations
Provide a higher level of assurance on continued delivery of priority services by exploring the feasibility of centrally managing critical business continuity plans.
Medium Priority Observation #1
The Operational Security Standard – Business Continuity Planning requires ongoing review and revision of all business continuity plans to account for changes, as well as regular testing and validation of plans. In line with this requirement, OSFI’s Directive on BCM outlines the requirement for quarterly review, annual validation and update and annual testing of business continuity plans.
SFS has developed a Dashboard for BCP management tracking process as an oversight mechanism for monitoring the activities of the BCPs across OSFI, including BCP updates and testing frequency; however, SFS has noted difficulty in maintaining the Dashboard due to lack of updates provided by the sector leads. This is attributable to low BCP engagement due to competing priorities within sectors, BCP Lead staff turnovers, and a lack of training and awareness.
Without assurance that business continuity plans are being reviewed and monitored on a consistent basis, the risk exists of business continuity plans being outdated and business units not having the awareness and understanding of their BCP processes should an event require plan activation.
Consideration should be given to SFS centrally managing the business continuity plans in order to provide a higher level of assurance for the continuity of priority operations in the event of a disruption. This provides the opportunity for SFS to ensure the accuracy of the business continuity plans as well as the completion of more timely testing and monitoring in order to identify better practices and lessons learned that could help strengthen plans and practices.
Management Action Plan
Currently, SFS provides an oversight function for business continuity plans. However, SFS is proposing to consolidate existing plans into a single overarching organizational business continuity plan, in collaboration with Sector BCP Leads. We agree that SFS would centrally manage the enterprise level business continuity plan and present it to the Operating Committee for review and approval.
Director, SFS. Completion:
- Present BIA for approval – Q1, FY 2019/20
- Interim review of existing BCPs – Q2, FY 2019/20
- Present consolidated BCP for approval – Q3, FY 2019/20
Establish monitoring and reporting on the effectiveness of the BCP program to senior management in order to strengthen governance and oversight for the effective management of risk.
Medium Priority Observation #2
As required in the Directive on BCM, the effectiveness of the overall BCP program should be tested with the results reported to the Executive Committee. This measurement and reporting is not currently taking place. Since 2014 OSFI has conducted multiple activities assessing areas of the security program including a division-wide tabletop exercise (2018), a post-mortem following a security incident (2014) and a business impact assessment (2015); however, it was noted that findings/action items, if any, are not reported to a senior management committee for identifying program gaps and any significant risk exposures.
Without monitoring and reporting on the effectiveness of the program and with no formal communication regarding recommendations and/or action items stemming from assessments conducted, senior management risks not being able to execute their governance responsibilities for effectively managing the risk to the organization.
SFS should establish a process for tracking recommendations and action items as a result of BCP assessments/exercises, including a method to track progress against the action plans. Regular reporting on the effectiveness of the BCP program should also be communicated to a decision-making senior management committee to address noted deficiencies and gaps in the program, including recommended costed strategies.
Additionally, regular reporting to a senior management committee will strengthen governance and oversight over the program and aid in raising the awareness of overall BCP initiatives through the organization.
SFS recognizes that enhancing resilience within an evolving risk environment requires a more integrated approach.
In response to these recommendations, SFS will report regularly on the effectiveness of the BCPP to the Operating Committee.
- Present summary of key findings related to the tornado in the National Capital Region to EC – Q4, FY 2018/19
- Propose KPIs to OC for quarterly reporting – Q2, FY 2019/20
- Implement quarterly reporting to OC – Q3, FY 2019/20
- Develop an Action and Risk register to track progress against action plans – Q3, FY 2019/20
Strengthen accountabilities by clarifying, and aligning policy instruments to address inconsistencies in roles and responsibilities and accurately reflecting current practices.
Low Priority Observation #3
OSFI maintains a Policy on Corporate Security, which is supplemented by policy instruments pertaining to BCP, including the Directive on BCM, BCM Framework and the BCP Communication Framework. OSFI’s BCP policy instruments were generally found to be in line with the over-arching Government of Canada Policy on Government Security and Operational Security Standard – Business Continuity Planning Program (OSS-BCPP).
OSFI’s governance documents communicate roles and responsibilities to BCP Team Leaders as well as outline the requirements of the program to OSFI as a whole. All OSFI governance documents have a requirement to be reviewed every five years. At the time of the audit, the Policy on Corporate Security was under review as part of OSFI’s corporate policy suite renewal.
It was noted that some elements of the policy documents are outdated and not reflective of the requirements and actions taken by the organization in executing its Business Continuity Planning Program (BCPP). Specifically, the following inconsistencies were noted:
Roles and responsibilities
- The Policy on Corporate Security tasks the Director, Security and Facilities Services (SFS) with the responsibility of discharging the authorities and requirements of the DSO, while in practice the Director, Cyber Security has been delegated this function.
- The Directive on BCM indicates a requirement for quarterly review of the divisional business continuity plans; however, this is not defined within the sector roles and responsibilities in the various governance documents and is not in alignment with the BCM Framework, which outlines the requirement for annual update and testing.
- The Directive on BCM and the BCM Framework assign the Sector Leads the responsibility for creating sector business continuity plans; however, these plans are not currently required to be in place.
- The BCM framework and the BCP Communication Framework contain governance/communication diagrams illustrating a direct reporting relationship between the BCPC and the Executive Committee, while the Directive on BCM assigns the DSO as accountable for this reporting. In practice the Director, SFS with the BCPC will begin reporting to the Operating Committee on the most recent BIA as of 2018-19.
The inconsistencies between the requirements in the governance documents and actual practices lead to misalignment in BCP roles, responsibilities and accountabilities, putting the effectiveness of the overall BCP program at risk.
In updating the Policy on Corporate Security, Security and Facilities Services (SFS) should review and update the corresponding policy instruments to address the noted inconsistencies in roles and responsibilities, in order to clarify accountabilities for the effective functioning of the BCP program. Additionally, the various documents should be reviewed for alignment with current practices, reducing redundancies and ensuring effective communication to BCP Team Members and OSFI staff.
SFS will continue its work refreshing internal security policies and ensuring alignment with Treasury Board’s security policy evolution. This work will also include clarification and consistency regarding roles and responsibilities for the overall BCPP, which will be presented to OC for approval.
- Draft Policy on Corporate Security submitted for approval – Q4, FY 2018/19
- Prepare BCP Governance document for approval – Q3, FY 2019/20
- Update subsequent security policy instruments (4) – Q3, FY 2019/20
Enhance BCP program effectiveness by reinstating the BCP working group with an expanded mandate to actively engage members in overseeing and integrating BCP activities in the organization.
Low Priority Observation #4
Public Safety and Emergency Preparedness’ Operational Security Standard – Business Continuity Planning requires that the BCP Coordinator (BCPC) establish working groups and define their roles and responsibilities. In compliance with this requirement, OSFI’s Directive on BCM includes, as part of the roles and responsibilities of the BCPC, the requirement to chair a working group on BCP with the aim of reviewing, monitoring and updating the BCP program. The working group is to include representation from all sectors and corporate, functional and operational areas of OSFI.
OSFI established a BCP working group in 2016, including cross-sector representation, with the responsibility for providing strategic considerations for the enhancement of the BCPP and to aid the BCPC in implementing and monitoring activities to support the program. Sector Leads were responsible for the appointment of participants as well as replacements should those participants vacate their positions. The BCP working group is currently not meeting quarterly per the working group terms of reference. This lack of engagement has been attributed to resource constraints in SFS and sector member turnover without an appointed replacement. With the BCP working group inactive, SFS is missing the opportunity for employee involvement to aid the BCPC in executing the BCP program.
Security and Facilities Services should revisit the working group and its membership to include representation of BCP Team Leaders for business units, and consider revising the mandate to include operational tasks, to help facilitate regular testing, monitoring and training, as well as identifying opportunities for improvement to the program.
SFS will propose updates to the terms of reference of the Business Continuity Planning Working Group (BCPWG) in order to ensure appropriate accountabilities and operational focus. The terms of reference will be presented to the OC for review and approval along with seeking their support for a renewed, engaged and representative membership on the BCPWG.
- Present updated terms of reference for the BCP working group to OC for approval – Q2, FY 2019/20
- Reinstate BCP working group – Q3, FY 2019/20
- Define and propose training and awareness program – Q3, FY 2019/20
Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Observations are ranked according to the following:
High priority – should be given immediate attention due to the existence of either a significant control weakness (i.e. the control does not exist, is not adequately designed or is not operating effectively) or a significant operational improvement opportunity.
Medium priority – a control weakness or operational improvement that should be addressed in the near term.
Low priority – a non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.
Individual ratings should not be considered in isolation and their effect on other objectives should be considered.
Directive on Security Management
Note to reader
1. Effective date
- 1.1 This directive takes effect on July 1, 2019.
- Directive on Departmental Security Management (July 1, 2009)
- Operational Security Standard: Business Continuity Planning (BCP) Program (April 23, 2004)
- Operational Security Standard: Management of Information Technology Security (MITS) (May 31, 2004)
- Operational Security Standard on Physical Security (February 18, 2013)
- Operational Security Standard: Readiness Levels for Federal Government Facilities (November 1, 2002)
- Security and Contracting Management Standard (June 9, 1996)
- Security Organization and Administration Standard (June 1, 1995)
- 1.3.1 Subsections 4.1.3 and 4.2.5 of this directive will take effect on July 1, 2019 or on the scheduled date for the renewal of the department’s security plan, whichever is later.
- 2.1 This directive is issued pursuant to the authorities indicated in section 2 of the Policy on Government Security.
3. Objectives and expected results
- 3.1 The objectives indicated in section 3 of the Policy on Government Security apply to this directive.
- 3.2 The expected results indicated in section 3 of the Policy on Government Security apply to this directive.
Chief security officer
- 4.1.1 Supporting the deputy head’s accountabilities under the Policy on Government Security;
  - Responsibilities for defining, documenting, implementing, assessing, monitoring and maintaining security requirements, practices and controls; and
  - Authorities for related security risk management decisions;
  - Provides an integrated view of departmental security threats, risks and requirements; and
  - Includes strategies, priorities, responsibilities and timelines for maintaining, strengthening, monitoring and continuously improving the security practices and security controls described in appendices A to H;
- 4.1.4 Overseeing the establishment of department-wide processes to assess and document actions taken regarding residual security risks for the department’s programs and services and their supporting resources;
- 4.1.5 Reporting at least annually to the deputy head on progress in achieving the priorities defined in the department’s security plan and, as required, recommending changes to departmental security practices, security controls and priorities;
- 4.1.6 Overseeing the establishment of department-wide processes to monitor and ensure a coordinated response to, and reporting of, department-specific threats, vulnerabilities, security incidents and other security events, including identification of actions to address any deficiencies;
- 4.1.7 Ensuring that any significant issues regarding policy compliance, suspected criminal activity, national security concerns or other security issues are assessed, investigated, documented, acted on and reported to the deputy head and, as required, to the appropriate law enforcement authority and/or security and intelligence agency (see Appendix I: Standard on Security Event Reporting), and to affected stakeholders, and as required, cooperating in any resulting criminal or other investigation(s);
- 4.1.8 Collaborating with other senior officials and other stakeholders to respond to direction, advice and information requests issued by the Privy Council Office, the Treasury Board of Canada Secretariat as the employer (for example, the Office of the Chief Human Resources Officer), and the Government Operations Centre regarding security events that require an immediate or coordinated government-wide action; and
- 4.1.9 Verifying that written agreements are in place when the organization provides or receives security services from another department or organization pursuant to subsections 6.2 and 6.3.
Senior officials in the department’s security governance
- 4.2.1 Participating in and reporting to the department’s security governance, in accordance with their assigned security responsibilities;
- 4.2.2 Assigning security responsibilities for programs, services and activities in their area of responsibility, as an integral element of the department’s security governance;
- 4.2.3 Providing advice to the deputy head, the CSO and other stakeholders on departmental security matters in their area of responsibility;
  - Establishing, or recommending the establishment of, a written agreement that defines applicable security requirements and respective security responsibilities;
  - Verifying that these requirements and responsibilities are met; and
  - Monitoring continued compliance (see subsections 6.2 and 6.3);
- 4.2.5 Identifying security requirements and related resource needs for programs, services and activities within their area of responsibility, while considering other stakeholders and acting in accordance with the department’s security governance;
- 4.2.6 Ensuring that security practices and security controls (see appendices A to H) are defined, documented, implemented, monitored and maintained to meet identified security requirements for programs, services and activities within their area of responsibility, in accordance with the departmental security plan and in collaboration with other senior officials, security functional specialists, partners and other stakeholders;
- 4.2.7 Documenting or recommending actions to be taken regarding residual security risks for programs, services and activities within their area of responsibility, and their supporting resources, in accordance with their assigned authority and department-wide processes and in consultation with the CSO;
- 4.2.8 Establishing processes to monitor, respond to and report threats, vulnerabilities, security incidents and other security events within their area of responsibility, as an integral element of department-wide processes;
- 4.2.9 Addressing security events that could impact programs, services and activities within their area of responsibility or that require an immediate or coordinated government-wide action, in collaboration with the CSO, partners and other stakeholders; and
- 4.2.10 Monitoring and reporting on the effectiveness of security practices and controls within their area of responsibility, and sharing the results with the CSO.
Security functional specialists and other designated individuals
- 4.3.1 Defining, documenting, implementing, assessing, monitoring and maintaining departmental security requirements, practices and security controls (see appendices A to H and Appendix J);
- 4.3.2 Providing advice to the CSO and other stakeholders, as appropriate, on departmental security matters within their area of responsibility; and
  - Assess the extent to which departmental security requirements are met; and
  - Identify necessary actions to address any deficiencies.
- 4.4.1 Integrating security and related resource considerations into planning and other administrative activities;
- 4.4.2 Ensuring that individuals are informed of their security responsibilities and that employees are provided with security awareness and training to maintain the required knowledge and skills to meet their responsibilities;
- 4.4.3 Verifying that employees apply and adhere to departmental security practices and are taking or recommending corrective actions to address any deficiencies;
- 4.4.4 Informing the CSO of any issues regarding policy compliance, suspected or alleged criminal activity, national security concerns, security incidents or other security events within their area of responsibility; and
- 4.4.5 Cooperating with the CSO and other stakeholders in the investigation of security incidents and other security events and in identifying and implementing corrective actions.
- 4.5.1 Adhering to government security policy and departmental security practices, including safeguarding information and assets under their control, whether working on-site or off-site;
- 4.5.2 Participating in security awareness and training activities to maintain awareness of security concerns and issues and understanding of security responsibilities; and
- 4.5.3 Maintaining vigilance and reporting changes in circumstances, potential security deficiencies, security incidents, suspected criminal activity, national security concerns and other security issues through appropriate departmental channels.
Individuals designated by deputy heads of internal enterprise service organizations to oversee their internal enterprise service activities
  - Includes responsibilities and authorities for identifying and meeting security requirements throughout the planning, design, delivery, operations and maintenance of services provided to departments; and
  - Is an integral element of the department’s security and corporate governance;
- 4.6.2 Liaising with client departments when identifying security requirements for internal enterprise services, and with the Treasury Board of Canada Secretariat, for services intended to be offered government-wide;
- 4.6.3 Communicating to client departments the security practices and controls that have been implemented to meet defined security requirements, the security conditions that need to be in place in the client environment, and any remaining residual risks and recommended mitigation measures;
- 4.6.4 Establishing processes for monitoring services provided to departments to ensure that issues regarding fulfillment of security requirements are examined and acted on, in coordination with affected stakeholders, and that issues that have potential government-wide impacts are documented and reported to the Treasury Board of Canada Secretariat; and
- 4.6.5 Responding and taking necessary actions regarding security events that could impact the security of the services provided to departments, in collaboration with the CSO, clients and other stakeholders.
5. Roles of other government organizations
- 5.1 The roles of other government organizations in relation to this directive are described in section 5 of the Policy on Government Security.
- 6.1 This directive applies to the organizations listed in section 6.1 of the Policy on Government Security.
- 6.2 Subsections 4.1.9 and 4.2.4 of this directive apply only to interdepartmental agreements pursuant to subsection 29.2 of the Financial Administration Act, and to arrangements with Crown corporations, other orders of government, the private sector or other entities that are not governed by the Policy on Government Security, where the department has authority to enter into such agreements or arrangements.
- 6.3 Subsections 4.1.9 and 4.2.4 of this directive apply to contracts for the production or delivery of goods or services and to any other arrangement involving the sharing of sensitive information or assets with organizations or individuals that do not fall under the application of the Policy on Government Security (for example, memoranda of understanding with other orders of government and academic or scientific partners).
- Financial Administration Act
- Access to Information Act
- Criminal Code
- Public Service Employment Act
- Civil Code of Québec (articles 3 and 35 to 41)
- Policy on Government Security
- Policy on Conflict of Interest and Post-Employment
- Values and Ethics Code for the Public Sector
- Standard on Security Screening
- 8.1 Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this directive.
- 8.2 Individuals from departments should contact their departmental security management group for any questions regarding this directive.
- 8.3 Individuals from the departmental security group may contact the Security Policy Division at the Treasury Board of Canada Secretariat, by email at [email protected], for interpretation of any aspect of this directive.
Appendix A: Mandatory Procedures for Security Screening Control
A.1 Effective date
- A.1.1 These procedures take effect on October 20, 2014
- A.2.1 These procedures provide details on the requirements to support the deputy head accountability.
- Security screening requirements and practices;
- Collection, use, disclosure, retention and disposition of personal information for security screening;
- Evaluation, decision-making and review for cause;
- Review and rights of redress; and
- Aftercare.
Appendix B: Mandatory Procedures for Information Technology Security Control
B.1 Effective date
- B.1.1 These procedures take effect on July 1, 2019.
The procedures and subsections are as follows:
  - Identify pertinent physical security, business continuity, disaster recovery and information security requirements;
  - Identify and assess threats to which information systems are exposed; and
  - Define and document requirements for ensuring the protection of departmental information systems throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding; and
- B.2.2.2 Define and document departmental security practices for implementing and maintaining IT security controls, including practices for conducting IT security assessment and authorization, in accordance with departmental security requirements.
- B.2.3.1 Identification and authentication management: Implement measures to ensure that individuals and devices are uniquely identified and authenticated to an appropriate level of assurance before being granted access to information in information systems, in accordance with Appendix A: Standard on Identity and Credential Assurance of the Directive on Identity Management.
- Establish approval, notification, monitoring and operational requirements and procedures for the creation, activation, modification, periodic review, and disabling or deletion of information system accounts;
- Define access privileges based on departmental security requirements and the principles of least privilege, segregation of duties, and acceptable use of government information systems;
- Inform authorized users of expectations for acceptable use of government information systems, of monitoring practices being applied, and of the consequences for unacceptable use of those systems;
- Establish measures to control the use of accounts that have administrative privileges, including restricting the number of users who have administrative privileges, and restricting the information systems, networks and applications that can be accessed and the operations that can be performed using privileged accounts;
- Verify that individuals who are authorized to conduct privileged operations, such as setting or changing access privileges and implementing or maintaining other IT security controls, are not permitted to alter records of these operations and have been security-screened commensurate with their access level; and
- B.2.3.6 Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
- Ensure that change management practices consider security impacts that may result from proposed changes;
- Design and configure information systems to provide only required capabilities and to specifically prohibit, disable or restrict the use of unnecessary functions, ports, protocols and services;
- Establish measures to ensure that only authorized applications and application components are installed and executed on information systems and their components; and
- Establish measures to ensure that only authorized hardware and devices are connected to, or have access to, information systems and their components.
- Identify secure electronic storage, transportation, transmittal, sanitization and destruction devices, methods and services that are authorized for use in the department, including but not limited to portable storage devices; and
- Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority.
- Implement appropriate physical and environmental safeguards in facilities where information systems are developed, operated, maintained or stored;
- Place physical information system components in appropriate physical security zones; and
- Use emanations security or other measures, as required, to protect information systems from information leakage owing to the emanation of electromagnetic signals.
- Define and establish security zones to maintain appropriate separation within physical and virtual IT environments, and ensure that information systems (including virtual instances) that reside in these environments are provided with consistent protection levels that are commensurate with the threat type and level, the sensitivity of the information, and other pertinent security considerations, such as criticality of services and activities supported by the information system;
- Restrict the number of discrete external connections to departmental networks to the minimum necessary to meet departmental and government requirements; and
- Use encryption and network safeguards to protect the confidentiality of sensitive data transmitted across public networks, wireless networks or any other network where the data may be at risk of unauthorized access.
- Monitor information systems to detect attacks and indicators of potential attacks; unauthorized local, network and remote connections; and unauthorized use of IT resources;
- Identify, document and report vulnerabilities in information systems and their components to the responsible security functional specialist and others, as defined in the department’s security governance and security event management processes;
- Analyze impacts of identified vulnerabilities, and implement corrective actions (for example, apply patches and updates, in accordance with defined timelines and, as required, on an emergency basis);
- Coordinate processes for managing vulnerabilities in information systems with departmental and government-wide security event management processes;
- Use, review and regularly update measures to prevent, detect and eliminate malicious code (for example, viruses) in information systems and their components; and
- Establish source authentication and other mechanisms, where required, to ensure that information (for example, messages and financial transactions) can be attributed to an authorized individual.
- Implement measures to enable user activities to be authoritatively audited, to ensure that users are accountable for their activities; and
- Monitor the acceptable use of government information systems, regardless of location of access or system used, and report through appropriate channels potential instances of unacceptable use in the department.
- Ensure that individuals performing maintenance have appropriate authorization, access and direction in the performance of their duties.
- Define recovery strategies and restoration priorities for data and information systems, in accordance with departmental business continuity requirements;
- Implement measures to meet identified recovery strategies and restoration priorities; and
- Test IT continuity management mechanisms to ensure an acceptable state of preparedness as an integral element of practices for departmental business continuity management.
- B.2.4 Security in IT project management: Integrate security considerations into all phases of IT project management to ensure that the security needs of programs and services are considered and addressed when developing, implementing or upgrading information systems.
- B.2.5.1 Integrate system security engineering and security design processes at the appropriate stages of the system development lifecycle process;
- B.2.5.2 Implement supply chain security measures to establish and maintain reasonable confidence in the security of sources of information systems and IT components, in accordance with applicable security requirements;
- B.2.5.3 Identify and address any risks regarding transmission, processing or storage of data, both internal and external to Canada, when planning for an information system, including the complete life cycle of the system; and
- B.2.5.4 For information systems managed for or by another organization, and for information systems shared or interconnected by two or more organizations, establish documented arrangements that define applicable security requirements and respective security responsibilities.
- B.2.6.1 Assess whether security controls are effective and whether applicable security requirements are met;
- B.2.6.2 Implement and document risk mitigation measures when security requirements cannot be fully met before putting an information system into operation, subject to approval by an individual who has the required authority;
- B.2.6.3 Authorize an information system before putting it into operation through established IT security assessment and authorization processes;
- B.2.6.4 Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
- B.2.6.5 Evaluate and maintain authorization throughout the information system’s operational life cycle.
- B.2.7.1 Monitor threats and vulnerabilities;
- B.2.7.2 Analyze information system audit logs and records;
- B.2.7.3 Review the results of system monitoring, security assessments, tests and post-event analysis; and
- B.2.7.4 Take pre-emptive, reactive and corrective actions to remediate deficiencies and ensure that IT security practices and controls continue to meet the needs of the department.
Appendix C: Mandatory Procedures for Physical Security Control
C.1 Effective date
- C.1.1 These procedures take effect on July 1, 2019.
- Assign a security category to assets commensurate with the degree of injury that could reasonably be expected as a result of their compromise, and group, where appropriate, assets of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
- Identify and assess threats to which assets are exposed; and
- Define and document requirements for ensuring the protection of assets under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
- Identify relevant information, asset and employee protection and business continuity requirements;
- Identify and assess threats to which facilities are exposed; and
- Define and document requirements for ensuring the protection of departmental facilities throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and understandings; and
- C.2.2.3 Define and document departmental security practices for implementing and maintaining physical security controls, including practices for conducting facility security assessment and authorization, and security inspections of facilities, in accordance with departmental security requirements.
- C.2.3.1 Design of the facility environment: Design, integrate and manage the external and internal environments of a facility to create conditions that together with specific security controls, detect attempted or actual unauthorized entry and activate an effective response to meet departmental security requirements, including electronic surveillance.
- Issue identification to employees;
- Issue access cards to employees and other individuals to identify the facility or zone to which the bearer has authorized access, as applicable;
- Define and establish a discernable hierarchy of physical security zones to progressively control access, and provide consistent protection levels that are commensurate with the threat type and level and with the sensitivity of the programs, services, activities, information or assets in each zone;
- Authorize, control and monitor individuals and assets entering and, where appropriate, exiting government facilities, zones and sensitive areas, and maintain records of these activities, in accordance with departmental security practices and with records retention and disposition schedules; and
- Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
- Identify authorized secure physical storage, transportation, transmittal and destruction devices, methods and services for use in the department;
- Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority; and
- Where appropriate, apply relevant security markings to sensitive assets to alert users of the level of protection that should be applied to the asset.
- C.2.3.4 Additional controls: Implement additional controls, as required, to meet departmental security requirements or to achieve a higher readiness level in the event of emergencies or increased threat situations (for example, screening of incoming mail or deliveries for suspicious packages, special discussion areas, secure rooms, technical surveillance countermeasures, emergency destruction instructions, and measures for safeguarding sensitive or valuable information or assets).
- C.2.4.1 Integrate security considerations into the planning, site selection, design, procurement, contracting, construction, modification, operation and maintenance of facilities; and
- C.2.4.2 Integrate security considerations when assessing requirements, analyzing options and planning the acquisition, operation, use, maintenance, disposal and replacement of materiel.
- C.2.5.1 Assess whether security controls are effective and whether applicable security requirements are met;
- C.2.5.2 Implement and document risk mitigation measures when security requirements cannot be fully met before putting a facility into operation, subject to approval by an individual who has the required authority;
- C.2.5.3 Authorize facilities before putting them into operation through established facility security assessment and authorization processes;
- C.2.5.4 Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
- C.2.5.5 Evaluate and maintain authorization throughout the use, occupancy and maintenance of a facility.
- C.2.6.1 Ensure that security inspections are conducted by authorized persons and in accordance with defined processes and timelines;
- C.2.6.2 In emergency or increased threat situations, increase the frequency or depth of security inspections to achieve a higher readiness level; and
- C.2.6.3 Report issues of non-compliance in accordance with defined processes to enable the implementation of corrective actions, and report to the responsible authorities, as applicable.
- Define base building security requirements;
- Provide base building security;
- Inform any tenants of the base building security provided in tenant-occupied facilities;
- Consider tenant security requirements when conducting site selection; and
- Coordinate the integration of additional safeguards into base building infrastructure to meet tenant security requirements;
- Define tenant security requirements, while considering resources and activities in tenant-occupied facilities, in consultation with other stakeholders with whom facilities are shared, as applicable;
- Inform the custodian department of its tenant security requirements, to support site selection and tenant fit-up; and
- Verify that additional safeguards have been integrated into base building infrastructure to meet tenant security requirements;
- C.2.7.3 For multi-tenant facilities occupied or managed by the department, establish or verify that mechanisms are in place to enable the coordination of security activities, including a building security committee, alignment of the hierarchy of security zones for common areas, identification of responsibilities of the lead tenant, and security event management processes; and
- C.2.7.4 When individuals from another department or organization require regular access to facilities occupied or managed by the department, establish or verify that mechanisms are in place to address security requirements and enable the coordination of security activities, including security screening, access management and security event management.
- C.2.8.1 Monitor threats and vulnerabilities;
- C.2.8.2 Analyze access records;
- C.2.8.3 Review the results of security assessments, security inspections and post-event analysis; and
- C.2.8.4 Take pre-emptive, reactive and corrective actions to ensure that physical security practices and controls continue to meet the needs of the department.
Appendix D: Mandatory Procedures for Business Continuity Management Control
D.1 Effective date
- D.1.1 These procedures take effect on July 1, 2019.
- D.2.1 These procedures provide details on the requirements to support the deputy head accountability.
- Processes for conducting business impact analysis and for developing business continuity plans, measures and arrangements;
- Coordination of business continuity management with security event management and emergency management activities;
- Processes and timelines for providing awareness and training and for testing business continuity plans, measures and arrangements;
- Coordination with partners and other stakeholders; and
- Processes and timelines for review and maintenance of business impact analysis and business continuity plans, measures and arrangements.
- Assign a security category to services and activities commensurate with the degree of injury that could reasonably be expected as a result of their interruption or degradation, and, where appropriate, group services and activities of equivalent criticality (see Appendix J: Standard on Security Categorization);
- Liaise with clients (for services provided to another department) and other stakeholders who may be affected by disruptions in departmental services or activities, to inform them of continuity requirements, strategies and priorities;
- Provide information to the Treasury Board of Canada Secretariat, on a regular basis or when requested, regarding the department’s identified critical services and activities;
- Define business continuity management requirements, expressed as maximum allowable downtime, minimum service levels, recovery time objectives and recovery point objectives;
- Define continuity strategies and recovery priorities;
- Identify supporting resources, including employees, contractors, suppliers, information and assets such as information systems, materiel and facilities, including where the department relies on or supports another organization in delivering a service or activity; and
- Identify any existing operational plans that support business continuity management requirements.
- D.2.2.3 Business continuity plans, measures and arrangements: Establish business continuity plans, measures and arrangements based on the results of the business impact analysis.
- D.2.2.4 Awareness and training: Provide awareness and training to all individuals, including specialized training for individuals directly involved in the implementation of business continuity plans, in accordance with departmental practices.
- D.2.2.5 Testing: Conduct regular testing of business continuity plans to ensure an acceptable state of preparedness, in accordance with departmental practices.
- D.2.2.6 Monitoring and corrective actions: Review and maintain business impact analysis and business continuity plans, measures and arrangements, while considering changes in services, activities, resources or threat environment, based on the results of tests and the activation of plans, to ensure business continuity management practices continue to meet the needs of the department.
Appendix E: Mandatory Procedures for Information Management Security Control
E.1 Effective date
- E.1.1 These procedures take effect on July 1, 2019.
- E.2.1 These procedures provide details on the requirements to support the deputy head accountability.
- Assign a security category to departmental information resources commensurate with the degree of injury that could reasonably be expected as a result of their compromise, and group, where appropriate, information resources of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
- Identify and assess threats to which departmental information resources are exposed; and
- Define and document requirements for ensuring the protection of information resources under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
- Define and document departmental security practices for implementing and maintaining information management security controls, in accordance with departmental security requirements.
- Apply security markings at the time that information is created or collected, based on the assigned security category and any applicable caveats; and
- Apply security markings to information in physical and electronic form and, where required, to electronic media and storage devices that contain sensitive information.
- Where appropriate and in accordance with privacy requirements and other legal or policy obligations, downgrade the security category assigned to information resources when the expected injury is reduced;
- Consult the relevant authority before downgrading any information that originates from another organization;
- When downgrading information received from other orders of government, private sector organizations or international organizations, abide by agreements or memoranda of understanding with these governments or organizations; and
- Where appropriate, upgrade the security category assigned to information resources when the expected injury is increased.
- Additional controls: Implement additional controls, as required, to meet departmental security requirements.
- E.2.2.3 Security in the information management life cycle: Integrate security considerations into information management processes throughout all stages of the information life cycle, including planning, creation, receipt, organization, use, dissemination, maintenance, transfer and disposition.
- E.2.2.4 Monitoring and corrective actions: Monitor information management security practices and controls to ensure consistent application, and implement changes, as required, to ensure that these practices and controls continue to meet the needs of the department.
Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
F.1 Effective date
- F.1.1 These procedures take effect on July 1, 2019.
- F.2.2.1 Define department-wide security requirements that should apply to all contracts or arrangements;
- F.2.2.2 Establish a process for identifying security requirements for a specific contract or arrangement;
- F.2.2.3 Establish a process for verifying and monitoring continued compliance with security requirements, including any permitted exceptions and risk mitigation measures, as applicable; and
- F.2.2.4 Integrate security considerations into departmental procurement processes and into information management, asset management and program management processes, while considering information- and asset-sharing arrangements.
- Security screen individuals who require access to sensitive information, assets or sites in the performance of their work; individuals who need to be relied on to produce and deliver the goods and services being procured; and individuals who, because of their position, could gain access to sensitive information, assets or sites or could adversely affect the delivery of goods and services, including supplier security points of contact and, for certain contracts, suppliers’ key senior officials;
- Physical security controls in facilities that are used to store or produce sensitive information or assets or that need to be relied on to produce or deliver the goods or services being procured;
- Security controls to protect information systems that are used to electronically process or transmit sensitive information or that are relied on to produce or deliver the goods or services being procured;
- Administrative and operational security controls (including designation of security points of contact, governance, planning, management of subcontracts or arrangements with third parties, security awareness and training, and security event monitoring, reporting and response, as applicable);
- Any other specific security requirements to meet statutory, regulatory or other obligations (for example, requirements for the management of COMSEC material; international or defence contracts that are subject to negotiated treaties, international agreements and multinational arrangements; and requirements where duties or access to information, assets or facilities are related to or directly support security and intelligence functions); and
- Risk-based approach for verifying and monitoring supplier, partner and departmental compliance with security requirements, as applicable.
- For contracts and other arrangements with suppliers, document security requirements in the Security Requirements Check List or an equivalent document and in other documentation associated with the contract or arrangement;
- For other types of arrangements, document security requirements in the arrangement;
- For contracts or arrangements involving a subcontractor or another third party, identify in the contract or arrangement the need for the supplier or partner to extend applicable security requirements to any other entity involved in fulfilling the contract or arrangement; and
- For contracts or arrangements that do not involve any security requirements, include an attestation to that effect in the documentation of the contract or the arrangement.
- Provide the security records of Government of Canada suppliers to internal enterprise service organizations and other departments; and
- Consult the security records of Government of Canada suppliers when verifying supplier compliance;
- F.2.4.2 Implement and document risk mitigation measures when security requirements to limit access to sensitive information, assets or sites cannot be fully met before awarding a contract or entering into an arrangement, subject to approval by an individual who has the required authority; and
- F.2.4.3 Establish documented arrangements that define respective security responsibilities for contracts or arrangements managed for or by another organization.
- F.2.5 Monitoring and corrective actions: Monitor supplier, partner and departmental compliance with security requirements throughout the contracting or arrangement process, using the risk-based approach defined for the contract or arrangement, and take corrective actions to address issues of non-compliance, security incidents or other security events.
Appendix G: Mandatory Procedures for Security Event Management Control
G.1 Effective date
- G.1.1 These procedures take effect on July 1, 2019.
- G.2.2.1 Define security event management processes, including responsibilities of all stakeholders, with consideration given to partners (for example, other departments, suppliers and other orders of government) and government-wide processes;
- G.2.2.2 Designate an official departmental contact to support government-wide communications of threats and vulnerabilities, and responses to security incidents and other security events, in accordance with government-wide processes;
- G.2.2.3 Establish resources to support the implementation of security event management processes and to enable secure exchange of relevant information within the department and with other stakeholders;
- G.2.2.4 Implement measures to ensure that security event management processes can be triggered in the event of disruptions that affect their supporting resources;
- G.2.2.5 Coordinate security event management processes with communications plans and with business continuity, emergency management, strike management, and other contingency plans and measures, as applicable; and
- G.2.2.6 Test security event management processes to ensure preparedness and to support continuous process improvement.
- G.2.3.1 Ensure that reporting and sharing of information related to threats, vulnerabilities, security incidents and other security events is restricted to authorized users who have been security-screened at the appropriate level and who need to access the information to ensure appropriate preparedness, response or recovery; is effected using mechanisms that provide protection commensurate with the sensitivity of the information and threats to which the information may be exposed; and is conducted within the bounds of applicable legislation, policies or other obligations;
- G.2.3.2 Report security events that affect, or that have the potential to affect, government-wide preparedness, response or recovery, to the appropriate lead security agency or central agency;
- G.2.3.3 Report all suspected criminal activity, including but not limited to theft and breach of trust, to the appropriate law enforcement authority; provide all relevant documents, materials and details; and follow protocols to ensure preservation of evidence and cooperation between the department and law enforcement authorities; and
- G.2.3.4 Inform other departments and stakeholders when there is reason to believe that an event originated from, or could potentially affect, an organization, including internal enterprise service organizations, departments that provide or receive services under agreements or other arrangements, suppliers and other partners.
- G.2.4.1 Apply defined readiness levels based on the level of threat to Government of Canada employees, information, assets or service delivery;
- Designate the departmental contact for security event management as the official liaison for purposes of declaring and applying heightened readiness levels within the department;
- G.2.4.3 Report, without delay, a declaration of a higher readiness level and a return to lower levels of readiness to the Privy Council Office, in accordance with Appendix I: Standard on Security Event Reporting;
- G.2.4.4 Implement changes in readiness level when directed by the Privy Council Office, in response to emergency and increased threat situations that may affect multiple departments, national security and the government as a whole; and
- G.2.4.5 Coordinate readiness processes and measures with security event management processes and business continuity plans and with emergency preparedness and response measures.
- G.2.5.1 Define practices for the conduct of administrative investigations of security events;
- G.2.5.2 Inform parties who are involved in administrative investigations of security events of their rights and obligations; and
- G.2.5.3 Conduct administrative investigations of security events independently of, and without any specific intent to advance, a criminal investigation in order to avoid compromising such investigations.
- G.2.6.1 Communicate results of post-event analysis to the appropriate lead security agency or central agency, as applicable and based on the severity and scope of the event.
- G.2.7.1 Apply protective measures to ensure that access to security event records is restricted to security officials and other authorized users, to maintain the integrity of these records.
Appendix H: Mandatory Procedures for Security Awareness and Training Control
H.1 Effective date
- H.1.1 These procedures take effect on July 1, 2019.
- H.2.1 These procedures provide details on the requirements to support the deputy head accountability.
- H.2.2.1 Security awareness requirements and practices: Define, document and maintain departmental security awareness and training requirements and practices, in accordance with government-wide policy requirements.
- H.2.2.2 Security awareness: Develop, deliver, document and maintain security awareness activities and products to inform and remind individuals of security threats and risks and of their security responsibilities, in accordance with departmental security awareness requirements.
- H.2.2.3 Security training: Provide, or arrange and document the provision of, security training to all employees, including specialized security training for those individuals who have specific security responsibilities or who could affect the achievement of security objectives as part of their duties, in accordance with departmental security training requirements.
- H.2.2.4 Monitoring and corrective actions: Assess the effectiveness of security awareness and training activities, and implement changes, as required, to ensure that these activities continue to meet the needs of the department.
Appendix I: Standard on Security Event Reporting
Provides details on Government of Canada organizations that must be contacted to report different types of security events. The Standard on Security Event Reporting can be found here: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32613
Appendix J: Standard on Security Categorization
Provides details on the types of security categories that must be applied to different types of assets, information, or services. The Standard on Security Categorization can be found here: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32614
Appendix K: Definitions
Definitions to be used in the interpretation of this directive can be found in Appendix B of the Policy on Government Security.
© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2019, ISBN:
Audit of NRCan's Business Continuity Management Process
Presented to the Departmental Audit Committee (DAC) October 19, 2021
Table of Contents
- Introduction
- Areas for Improvement
- Internal Audit Conclusion and Opinion
- Statement of Conformance
- Audit Purpose and Objectives
- Audit Considerations
- Approach and Methodology
- BCM Governance Structure, Communication, Reporting Mechanisms, and Training and Awareness
- Risk Management Activities and Processes
- Management Processes, Compliance with Policy, and IT Solutions
- Appendix A – Audit Criteria
- Appendix B – Acronyms & Abbreviations
Executive Summary
Business continuity management (BCM) is the process of identifying and planning for possible major service disruptions in an effort to minimize their impact on an organization’s ability to perform its critical functions. Effective BCM is vital to an organization’s ongoing stability and success, as it prepares efficient responses to interruptions and aims to proactively address internal and external threats. The onset of the COVID-19 pandemic has highlighted the importance of effective BCM practices for all organizations.
As a key component of organizational security, the requirements for Government of Canada (GoC) Departments to create and implement BCM processes are stipulated in two Treasury Board (TB) policy instruments: the Policy on Government Security (PGS), and the Directive on Security Management. The TB Policy on Service and Digital is also complementary to these policy instruments. Together, the instruments aim to ensure that Departments have established effective security controls to support the timely and effective delivery of products and services to Canadians.
The Emergency Management Act (EMA) identifies the accountabilities and responsibilities of federal ministers relating to emergency management in Canada. Consequently, BCM relates to this core mandate by seeking to prepare the functions that are deemed critical to the success of the Department’s mandate in the event of a major service disruption. Through BCM, critical functions may continue to operate and provide the EMA-related activities for which Natural Resources Canada (NRCan) is responsible.
NRCan’s Security and Emergency Management Division (SEMD) within the Corporate Management and Services Sector (CMSS) is responsible for the Department’s BCM Program; however, business owners are responsible for the management and operation of the Department’s mission critical functions and systems. NRCan activated its business continuity plan (BCP) in response to the COVID-19 pandemic on March 15th, 2020, and employees were instructed to work from home until further guidance was provided. NRCan’s strategy for continuing operations during a BCP activation includes an alternate site that can be used under the Common Office Recovery System (CORS); however, this site has not been used given the nature of the pandemic.
The objective of the audit was to assess the effectiveness of NRCan’s security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The audit also identified lessons learned emerging from the activation of the BCP in March 2020 due to the global pandemic.
The Department has demonstrated flexibility and agility in its efforts to achieve BCM objectives in response to the COVID-19 BCP activation. A Chief Security Officer (CSO) led governance committee that provides an oversight function over BCM was recently renewed. In addition, some business impact analysis/business continuity plan (BIA/BCP) tools have recently been updated in consultation with Public Safety (PS). While there is no complete Departmental BCP in place, the Department has begun to prepare a draft BCP and intends to finalize it.
The Department is exposed to a number of risks due to BCM processes requiring significant improvement. Opportunities were identified to improve the BCM governance structure and management processes to oversee and coordinate the Department’s BCM. This includes defining and communicating roles and responsibilities, developing a BCM training and awareness program, and strengthening internal monitoring and communication processes. Opportunities also exist to strengthen departmental BIA and BCP activities to ensure they are thoroughly documented, routinely approved by senior management, and supported by regular risk assessments as well as a formal testing program. Furthermore, opportunities were identified to document plans, definitions, and requirements for critical services IT components. There also exists an opportunity to ensure that BCM continuous improvement efforts are strengthened, including the regular monitoring of BCM operations as well as timely follow-up and lessons learned activities.
In my opinion, although some elements of a BCM program are in place at NRCan, several are not working effectively and require significant improvement. Specifically, opportunities exist to strengthen the effectiveness of the security governance structure, risk management activities, and processes supporting the Department in fulfilling its BCM obligations and enabling a continual state of readiness to deliver on its mandate in the event of a service disruption. The importance of departmental BCM activities will require management’s timely attention in addressing the areas identified in this audit to ensure that the Department will be prepared to meet its objectives in the event of a BCP activation.
In my professional judgement as Chief Audit and Evaluation Executive, the audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the GoC’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.
Michel Gould, MBA, CPA, CIA Chief Audit and Evaluation Executive October 19, 2021
The audit team would like to thank those individuals who contributed to this project, particularly employees who provided insights and comments as part of this audit.
Business continuity management (BCM) is the process of identifying and planning for possible major service disruptions in an effort to minimize their impact on an organization’s ability to perform its critical functions. Effective BCM is vital to an organization’s ongoing stability and success, as it serves to reduce the impact of service interruptions and aims to proactively address internal and external threats. The onset of the COVID-19 pandemic has highlighted the importance of effective BCM practices for all organizations.
As a key component of organizational security, the requirements for Government of Canada (GoC) Departments to create and implement BCM processes are stipulated in two Treasury Board (TB) policy instruments: the Policy on Government Security, and the Directive on Security Management. The TB Policy on Service and Digital (PSD) is also complementary to these policy instruments. Together, the instruments aim to ensure that Departments have established effective security controls to support the timely and effective delivery of products and services to Canadians.
Furthermore, the Emergency Management Act (EMA) identifies the accountabilities and responsibilities of federal ministers relating to emergency management in Canada. Consequently, BCM relates to this core mandate by seeking to prepare the functions that are deemed critical to the success of the Department’s mandate in the event of a major service disruption. Through BCM, critical functions may continue to operate and provide the EMA-related activities for which Natural Resources Canada (NRCan) is responsible.
“Business continuity management” is displayed in the center of the figure, surrounded by five labelled boxes connected with arrows forming a complete cycle. Beginning from the first box at the top of the figure, and moving in a clockwise fashion, the boxes display the following terms: Business Impact Analysis, Business Continuity Plans, Awareness and Training, Testing, Monitoring & Corrective Actions.
The BCM cycle is comprised of five overarching components (depicted to the right). The cycle begins with a business impact analysis (BIA), in which the major risks facing an organization are identified, and an assessment of their impact on critical service functions is performed. A business continuity plan (BCP) is developed based on the outcomes of the department’s BIA, outlining the activities and procedures to implement in the event that a major service disruption actually occurs. Awareness and training are intended to prepare employees to deliver an efficient, coordinated BCP effort. Regular testing of the BCP ensures that the organization is continually in an appropriate state of preparedness. Finally, regular monitoring of the various BCM components ensures future BIAs are well-informed and up-to-date, ensuring the continuous improvement of an entity’s BCM practices.
NRCan’s Security and Emergency Management Division (SEMD) within the Corporate Management and Services Sector (CMSS) is responsible for the Department’s BCP Program. SEMD finalized the Standard on Business Continuity Management (the Standard) in August 2018. The objectives of this document are to ensure the continued delivery of critical business functions, limit the loss of public trust, reduce the financial and economic hardship to Canadians, reduce the disruption of internal government operations, and diminish the negative impacts on international, federal, provincial and territorial relations. The Standard intends to outline the roles and responsibilities of various stakeholders within the Department, including SEMD, the Chief Information Office and Security Branch (CIOSB), and Sector Management and BCM leaders. The Standard also outlines the overarching steps for developing and addressing BCM activities.
NRCan activated its BCP in response to the COVID-19 pandemic on March 15th, 2020, and employees were instructed to work from home until further guidance was provided. The Department’s mission critical systems are managed and operated at the sector level by business owners. NRCan has an alternate site that can be used under the Common Office Recovery System (CORS); however, this site has not been used given the nature of the pandemic.
Appendix B provides a list of acronyms used throughout the audit report. This audit was included in the 2020-2025 Integrated Audit and Evaluation Plan, approved by the Deputy Minister on August 27, 2020.
Specifically, the audit assessed whether:
- Adequate security governance structures have been established to oversee and coordinate the Department’s business continuity management components at the departmental, sectoral, and regional levels;
- Risk management activities are adequately designed, implemented, and continually updated to enable a continual state of readiness to deliver on NRCan’s mandate in the event of service disruption;
- Adequate processes have been established to ensure the operating effectiveness of NRCan’s critical business functions in the event of a BCP activation; and
- Lessons learned emerged from the activation of NRCan’s BCP in March 2020 due to the global pandemic.
A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. A summary of the key underlying potential risks that could impact the effective implementation of NRCan’s BCM include:
- Adequate security governance structures support departmental, sectoral, and regional planning and responses to an event that requires the BCP to be activated, including appropriate identification of relevant roles and responsibilities throughout the Department;
- Effective and adequate business impact assessments exist, and are implemented correctly, to identify the Department’s critical functions, and to ensure that unmitigated risks are addressed;
- Effective processes are designed and support the adequate implementation of the BCP in the event of a BCP activation, including the implementation of BCP testing exercises, continuous improvement initiatives, and training activities; and
- BCPs were effectively activated and implemented in response to the COVID-19 Pandemic, and the lessons learned from that experience have been documented by the Department.
The audit focused on the current and planned business continuity management activities and initiatives within the Department. Given the department-wide contribution to the BCP program, it included an examination of the roles, responsibilities, and accountabilities of the various sectors, including SEMD, which is the Office of Primary Interest located within CMSS. The audit timeline covered the period commencing with the effective date of the TB Policy on Government Security, July 1, 2019, through to July 2021.
The audit did not focus on emergency management activities as these were covered by a recent audit. The audit also did not focus on departmental disaster recovery plans (DRPs), except where there was a direct relevance to BCM. This audit did not assess the adequacy or effectiveness of the Department’s integrated risk management framework and corporate risk profile, nor the supporting processes used to develop and update them.
The results of previous advisory, audit, and evaluation projects on related topics were also considered by the audit team.
The approach and methodology used in this audit followed the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (IIA Standards) and the Treasury Board Policy on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with independence and objectivity as defined by the IIA Standards.
The audit included the following key tasks:
- Interviews with key personnel and committee representatives;
- Review and testing of the Department’s documentation and business processes with regards to business continuity planning;
- Identifying and reviewing best practices identified in other government departments; and
- Review of key Policies and Directives.
The conduct phase of this audit was substantially completed in July 2021.
Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.
Findings and Recommendations
Overall, the Department demonstrated flexibility and agility in the efforts and actions it took to achieve BCM objectives in response to a BCP activation. While CIOSB has designed and implemented some processes to direct and oversee the Department’s BCM components, opportunities were identified to improve the BCM governance structure and management processes to coordinate the Department’s BCM components at the departmental, sectoral, and regional levels. Opportunities were also identified to ensure that roles and responsibilities are defined and communicated, and that NRCan develops awareness and training programs to build BCM skills and capacity. Furthermore, an opportunity to improve internal monitoring and communication processes was identified, which could provide sectors and regions a better understanding of their requirements and of the priorities of the Department as it pertains to BCM.
The audit team expected that adequate governance structures would have been established to oversee and coordinate NRCan’s BCM components at the departmental, sectoral, and regional levels. Furthermore, it was expected that roles, responsibilities, and accountabilities would be clearly defined and communicated to those charged with these responsibilities. The audit team expected that the Department had established adequate communication mechanisms between sectors and the central coordination function responsible for the BCP program, as well as reporting mechanisms to ensure that SEMD and governance committees receive accurate, complete, and timely information allowing them to effectively guide and oversee business continuity processes. Lastly, the audit team expected that adequate formal training and awareness programs would be established to develop the required skills and capacity within those roles assigned BCM responsibilities, thereby enabling effective performance in response to the activation of a BCP.
The audit team found that an Assistant Deputy Minister (ADM) level committee, the ADM Security Emergency Management and Intelligence Committee (ADM SEMIC), and a Director General (DG) level governance committee, DG SEMIC, were established in support of BCM activities. However, the ADM-level committee has not met since 2019, and the DG-level committee had not met since 2018, until it was reconvened by the Chief Security Officer (CSO) in December 2020. During the pandemic, the Department chose to utilize other committees to exercise governance and oversight of the organization’s response. The audit team found that this renewed DG committee has been meeting monthly since January 2021, that it includes a relevant list of members, and that it is fulfilling its mandate. CMSS developed and updated a Terms of Reference (TOR) for DG SEMIC indicating that it intends to report to NRCan’s senior management through the Operations Committee. However, the audit team noted that, since January 2021, information resulting from DG SEMIC meetings has yet to be provided to the Operations Committee.
The audit team found that a Business Continuity Management Working Group (BCM WG) was formed, intending to report upwards to DG SEMIC. The working group’s TOR does not identify the frequency with which the group intends to meet. SEMD indicated that while the BCM WG met quarterly, meeting minutes or records of decision were not retained. The BCM WG membership includes BCP Leaders from each sector who have been assigned to the working group by the Sector ADM. The audit team noted that the BCM WG membership list was not kept up to date.
Roles and Responsibilities
The audit team found that roles and responsibilities for BCM at NRCan are formally and primarily defined in the NRCan Standard on Business Continuity Management (the Standard) (August 2018). The Standard has not been updated despite the TB Directive on Security Management coming into effect in July 2019. Consequently, the audit team found that while the roles and responsibilities in the Standard generally align to the roles outlined in TB guidance, there were some discrepancies. The TB Directive indicates that the CSO of the organization has delegated authority for security management including BCM; however, the Standard does not define or document the roles and responsibilities of the CSO or how their role coordinates with the other various individuals responsible for BCM activities at NRCan. Furthermore, the TB Directive and the Standard are not aligned regarding the assignment of responsibility for the annual report on security which includes BCM.
The audit team also noted that ADMs have been given the responsibility to identify critical functions within their sectors, and the NRCan Standard on BCM requires that the master list of critical business functions undergo an annual review by the Executive Committee. The audit team was not able to find evidence of this review being completed as required. The audit team also found that the Standard does not identify BCM roles or responsibilities for the Senior Building Officers (SBOs) in each region in which NRCan operates. In the absence of defined BCM roles and responsibilities, or an understanding of where they have authority to permit work to continue, some SBOs working together across regions created their own BCP documentation in an attempt to standardize their response and decision-making processes.
The Standard was available on the departmental intranet, and SEMD indicated that the responsibilities identified in the Standard were communicated via the BCM WG to the Sector BCM coordinators and leader community. Despite this, the audit team found that many of the members of these groups were not aware of their BCM roles and responsibilities or where they could find their documented roles and responsibilities. In addition, there has been high turnover in the BCM coordinators and leaders group leading to training for new members being required more frequently.
In addition, the audit team found that numerous individuals from all levels, sectors, and regions of the Department who had been assigned BCM responsibilities were not aware of what was expected of them in their assigned BCM role. Therefore, the existing methods by which BCM roles and responsibilities are communicated were found to be ineffective.
Communication and Reporting Mechanisms
The TB Directive on Security Management requires that the CSO report at least annually to the Deputy Head on their progress and the achievement of priorities defined in the Department’s security plan. The audit team found that formal reporting to senior management for NRCan’s BCM function and its progress and achievement towards the Department’s priorities has not been completed during the scope period of this audit.
The audit team noted that SEMD communicates with BCM coordinators from each sector who are responsible for coordinating the annual completion of BIAs and BCPs. The main mechanism for these communications is through the BCM WG. As noted above, the audit team found that documentation of BCM WG meetings has not been completed or retained; however, SEMD has created user guides for sectors to rely on when completing the BIA/BCP template, as well as guides to lead and participate in a table-top exercise.
The audit team found that in each building within Canada that NRCan staff occupy, there is an SBO, typically assigned at the DG level, who is responsible for making decisions regarding occupancy and safety of personnel under the Building Emergency Evacuation Plan (BEEP). During the COVID-19 pandemic, and due to the prolonged nature of the disruptions it is causing, NRCan SBOs are responsible for decisions surrounding building occupancy based on local public health agency guidelines; therefore, they hold responsibilities related to the continuation of NRCan activities, some of which were designated as critical. As a result, in consultation with their peers across the country, they made decisions regarding continuity of operations, including approving the removal of equipment from NRCan buildings. SBOs noted that in some instances they had to amend decisions when guidance was received from CMSS. In many cases, NRCan’s SBOs are responsible not only for the NRCan employees in these NRCan-owned buildings, but also for the other tenants of various offices, which include private organizations and other government departments. As such, it was significantly important for SBOs to receive timely information regarding the Department’s priorities and decisions pertaining to building occupancy.
Training and Awareness
Training programs and awareness campaigns are an important component of the BCM cycle. The requirement for NRCan to have these processes in place is identified in the TB Directive on Security Management. This Directive specifically highlights training and awareness as a vital aspect contributing to the success of a department’s BCM function.
Overall, the audit team found that there is a general lack of awareness pertaining to BCM activities. Specifically, the audit team found that at all levels of the Department, there is a lack of understanding of how the Department’s processes and plans for achieving emergency management (EM) objectives differ from those supporting business continuity. The audit team did note that CIOSB conducted a BCM awareness campaign with members of NRCan’s Senior Management Committee prior to an EM tabletop exercise conducted in May 2021, and that many of the individuals interviewed who participated in this exercise indicated that it was well organized and well received.
The audit team learned that individuals asked to act for officials who could not attend meetings were not always well equipped with adequate BCM awareness or training to make the required decisions for which they were given responsibility. This could indicate a lack of awareness of BCM protocols and training for those with delegated responsibilities.
The Standard assigns SEMD responsibility for training BCM Sector Coordinators and Leaders, who are then assigned the responsibility to provide training as required within their “area of responsibility”. However, the audit team noted that the “area of responsibility” for training sectors is not clearly defined or understood. Business Process Owners (BPOs) have the overall responsibility for their critical functions and the processes required to ensure continuity of operations, particularly IT continuity, in the event of a BCP activation. The resulting training to ensure staff are prepared for an activation would need to be specific to each critical function. However, the responsibility for this BCM training and awareness of critical function staff is not clearly assigned in the Standard. The audit team also found that in addition to, and possibly as a result of, departmental guidance lacking clarity, critical functions had not designed or implemented formal training and awareness programs in support of business continuity.
The BCP leader role is typically held at the director or manager level and through various interviews across all sectors the audit team found that the BCM leader role is often assigned to an individual without prior BCM skills or experience. Rather, assignment is based on who has capacity to take on the administrative role of ensuring that BIA/BCP templates are completed on an annual basis. The audit team found that there was not an adequate training program to support and build the skills and capacity of the Sector BCM Leader community to enable them to complete their assigned role and responsibilities related to conducting sectoral BCM training, establishing and leading their Sector’s BCM Working Group, and coordinating BCP exercises.
The audit team found that while SEMD has created and shared a user guide for completion of BIA/BCP templates and guides for participation in a BCP Tabletop exercise, the division has not provided adequate training for BCM Sector Coordinators and Leaders. Furthermore, there was no evidence that a formal training program for the Department had been established to develop the necessary skills and capacity within the Department to achieve its BCM objectives.
Risk and Impact
In the absence of governance committees meeting regularly and basing their activities and decisions on adequate and timely reports, and a clear response structure, there is a risk that oversight is not adequately performed, which could result in the Department being unprepared to respond to a service disruption.
A lack of BCM processes, including communication of roles and responsibilities, integration of the SBOs' role into BCM processes, and a training and awareness program to build capacity and develop skills, may contribute to individuals at all levels lacking the information needed to execute the duties required to achieve departmental BCM objectives in support of the Department's mandate.
Recommendation 1: It is recommended that the CSO ensure that:
- there are adequately functioning governance committees and that there is sufficient, timely, and sustained reporting from BCM WG to DG-SEMIC, and from DG-SEMIC to NRCan Senior Management allowing for adequate oversight of the BCM program and activities;
- roles and responsibilities and decision-making authorities, including the delegation of these authorities, are reviewed and communicated to ensure that they align with the Department’s plans to achieve its BCM responsibilities in the event of a major service disruption; and
- a robust BCM training and awareness program is implemented to develop, train, and retain the appropriate skills and capacities required to ensure that the Department is prepared to fulfill its mandate as it relates to BCM.
Management Response and Action Plan
Management agrees with Recommendation #1a.
CIOSB will ensure that a copy or debrief of the BCM WG is provided to DG-SEMIC in a timely manner. Furthermore, all materials that are developed as they relate to BCM will be reviewed and approved by the BCM WG and DG-SEMIC and presented to NRCan senior management.
Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector
Timing: March 31, 2022
Management agrees with Recommendation #1b.
CIOSB will ensure that BCM roles, responsibilities and reporting relationships are communicated to all levels of management, key business continuity stakeholders within NRCAN, and all employees. Roles and responsibilities will also be included in the revised Standard. This includes outlining the CSO functional reporting to the DM. CIOSB will use presentations to management, communiqués to employees as well as training and table-top exercises.
Furthermore, Management agrees to hold a BCM Table-top exercise for Senior Management every year, so that Senior Management are kept abreast of their roles and responsibilities and are well prepared for any events.
First table-top is scheduled for November 2021.
Management agrees with Recommendation #1c.
CIOSB will establish a monitoring and reporting framework, which will be an integrated part of NRCan’s BCM program. The monitoring and reporting framework will include a testing/exercising component as well as a reporting component to capture the number of plans completed, approved, and exercised/tested, as well as compliance with NRCan, TBS and Public Safety’s (PS) policy instruments and technical guidance.
NRCan will also develop a training and awareness program for BCM Coordinators, Senior Management and employees. Roles and responsibilities for each group will also be conveyed in the training.
NRCan’s goal is to test Branch BCMs, which include critical services and critical support function recovery strategies, on a yearly basis. The reporting component will be used to keep senior management apprised of the business continuity planning program’s effectiveness and progress. The Sector-level BCM Plan will be reviewed and revised if necessary every year, as outlined in the current iteration of the Branch BCP.
Timing: September 30, 2022
Overall, the audit team found that NRCan has established an annual BIA process that is completed for each business function within the Department; SEMD coordinates and reviews the results of this exercise. While SEMD is currently updating the BIA templates and its accompanying user guide in consultation with PA, existing BIAs are out of date, do not receive senior management approval as required by PS guidance, and are not informed by a thorough risk assessment. The audit team also found that a BIA is not conducted for NRCan as a whole, and processes to systematically identify the Department’s critical functions and their recovery objectives do not exist as required by the TB Policy. Existing BIA processes do not offer a complete view of the Department’s vulnerabilities and the impacts of possible service disruptions to help inform ongoing business continuity strategies.
While an overarching departmental BCP is currently being drafted by SEMD, the audit team found that areas for improvement exist for the Department to develop additional procedures to guide the users’ actions in the event of a variety of types of service disruptions. Activation/deactivation triggers have not been defined and there are no formal processes for monitoring the Department’s internal/external environments for potential threats.
NRCan has historically conducted both department-wide BCP tabletop exercises and CORS testing on an annual basis. While neither has been conducted in the last two years, a BCP tabletop exercise is being planned for the fall of 2021. Pandemic tabletop exercises were conducted for critical functions in March 2020 in preparation for the COVID-19 pandemic. However, NRCan has not established a BCP testing program detailing the frequency, content, and objectives of BCP tests. Furthermore, formal procedures for documenting lessons learned from BCP tests and following up on their implementation have not been documented.
While key lessons learned emerging from the BCP activation were identified by NRCan, opportunities exist to complete the lessons learned exercise in a timely manner, to document action plans, and to ensure their implementation.
The audit team expected that adequate risk management activities have been designed, implemented, and are routinely updated across the Department to enable a continual state of readiness to deliver on NRCan's mandate in the event of a service disruption. It was expected that BIA activities are being conducted on a regular basis to identify critical functions and continuity requirements, and that they are informed by thorough risk assessments used to have a clear perspective of NRCan’s vulnerabilities. The audit team also expected to see established BCP processes which could be effectively leveraged in the event of service disruptions and support the Department in addressing existing and unmitigated risks. Lastly, the audit team expected to see established processes to regularly monitor and test NRCan’s BCM activities, ensuring corrective actions are implemented when appropriate.
In addition, the audit team expected that the Department has established adequate processes to identify lessons learned as part of the March 2020 BCP activation, and that best practices would be documented and implemented, and that follow-up activities would be conducted.
Adequate risk assessment processes support an entity’s ability to identify potential vulnerabilities and service disruptions, understand the consequences of possible events, and establish effective mitigation measures where gaps may exist. Risk assessments can inform pre-emptive initiatives to minimize the impacts of service disruptions and improve the overall effectiveness of the BCM program.
The audit team could not obtain evidence that a risk assessment that considers internal and external risks has been conducted to support departmental BCM activities. Interviews with BPOs, BCP leads/coordinators, and CMSS confirmed that routine risk assessments are not taking place for BCM purposes. This type of exercise, when properly executed, would help ensure that potential impacts and consequences of different events are routinely considered, informing the criticality assessments and prioritization of departmental functions. There was no evidence demonstrating that mitigation measures are being implemented as a result of BCM risk assessments at NRCan.
Business Impact Analysis (BIA) Activities
Completing and maintaining an accurate business impact analysis (BIA) is a fundamental step in an entity’s BCM efforts. This step supports the organization in determining the impacts of potential internal/external service disruptions and identifying its critical functions. Those functions deemed critical through a BIA would then be prioritized during a disruption to ensure that the organization’s mandate and overarching objectives are continuously met.
Several key metrics are typically used in order to assess the criticality levels of an organization’s functions relative to one another, and to gain a better understanding of their requirements and objectives. PS, which has a role in offering BCM expertise to GoC departments and agencies, established guidance that uses the following definitions for these standard items:
- Maximum Allowable Downtime (MAD): The longest period of time which a service or activity can be unavailable or degraded before a high or very high degree of injury results;
- Minimum Service Level (MSL): The lowest level of service delivery which is necessary to avoid a high or very high degree of injury, and that is maintained until full recovery is achieved for critical services, activities, and business enabling functions (BEFs) - usually expressed as a percent;
- Recovery Time Objective (RTO): The established period of time within which services, activities, BEFs, resources and/or associated assets must be recovered after a disruption, in order to meet the MSL and avoid exceeding the MAD; and
- Recovery Point Objective (RPO): The established point in time up to which data must be recoverable after interruption or disruption in an organization’s information and technology systems.
The audit team found that NRCan does not have an overarching, strategic-level BIA for the Department as a whole to help consolidate departmental BCM requirements and support a coordinated approach to pursuing continuity objectives. Instead, it has established an annual exercise in which each function within the Department completes its own BIA, using a template developed by SEMD. This template has historically contained four major sections, with BPOs providing a description of their service, assessing their criticality level, and documenting their interdependencies and resource requirements. BPOs use their judgement to fill out their respective templates on an annual basis. SEMD coordinates this exercise, reminding sectors to complete their BIAs and conducting follow-up when necessary.
SEMD performs a review of the completed templates once submitted in order to ensure that they have all been updated and that all fields are completed. Through this review, SEMD also intends to provide a challenge function in which it assesses the appropriateness of some inputs, which may include questioning the self-assessed criticality levels or the MAD/MSL entries. However, the outcomes of this challenge function can sometimes be limited due to the large quantity and breadth of BIA entries as well as the lack of clarity in the role that SEMD has in exercising the challenge function.
The audit team noted that the current BIA template does not include the identification and assessment of RTOs and RPOs, two key metrics supporting BCM initiatives. However, it is worth noting that the BIA template is currently being updated by the SEMD team. A draft version of this template was shared with the audit team, but has not yet been implemented department-wide. The new template is aligned with PS guidance, in that it now incorporates all four key metrics and has expanded its criteria for defining criticality. SEMD has been working with PS in order to update the content of its template.
Overall, the audit team found that there is confusion over self-assessed criticality levels and determining MAD/MSL, as a result of a lack of adequate definitions of terms and BCM training. An accompanying BIA/BCP user guide was developed by SEMD, intended to support BPOs in fulfilling their duties; however, the guide primarily ensures that users fill out each field, instead of disambiguating some of the required input fields to ensure accurate content.
The annual BIA updates do not formally require management approvals or signatures unless the function is classified as critical, which would trigger a requirement for the full completion of a functional BCP. However, with the adoption of the new BIA template, senior management approval will be required on all BIAs, regardless of the criticality level.
The last completed BIA exercise for the Department was conducted in fiscal year 2019-2020. The current year’s iteration has been delayed due to the ongoing COVID-19 pandemic and recent efforts to update the supporting templates and guides. As a result, the content of available BIAs is out of date. A key feature of the BIA is to provide contact information for business owners and their alternates. This information can be leveraged by central departmental functions to coordinate continuity efforts. Given the BIAs have not been reviewed since 2019-2020, contact lists are out of date, and other key items including criticality levels, MAD, MSL, interdependencies, and resource requirements may be less reliable.
The results of the annual exercise are captured and summarized by SEMD in a master list. This document identifies each business function, categorizing them based on their criticality levels. This master inventory currently lists 133 departmental functions, each of which completed a BIA in 2019-2020. Of the 133 functions, five were classified as a “critical service”, four were classified as a “critical dependency”, and 24 were classified as a “critical support” function, which included all ADM Offices (ADMOs).
Through interviews with BPOs, sector BCP leads/coordinators, and various members of CMSS, the audit team noted that there is confusion among those who exercise BCM responsibilities regarding what constitutes a critical function. While PS has developed guidance to this effect, interviewees were not always aware of it. In addition, criticality criteria have not been formally established or documented within NRCan to allow for consistent application between functions.
Standard BCM practice dictates that consequence-based criteria be developed and implemented throughout an organization. This involves determining key consequences that could result from different types of events and service disruptions; these can range from threats to human safety, to loss of access to major facilities, to loss of network availability, etc. Once the criteria have been established, BPOs would rank their function’s impact on each potential consequence on a standard scale (e.g. a 4-point scale from low to high). These assessments demonstrate the impact of various types of service disruptions for each function, helping an organization prioritize its BCM efforts and ensure that the entity can achieve its continuity objectives for a well-defined list of critical functions or services. By planning for the potential consequences of service disruptions, organizations can prepare for disruptions without requiring individual plans for every single type of event requiring an activation.
This type of process has not been present in NRCan’s BCM activities. Instead, the Department has relied on independent self-assessments of criticality by each Sector, without standard procedures or senior-management-approved formal definitions for determining criticality. The result has been inconsistent interpretations and perceptions of criticality among NRCan’s members.
PS guidance identifies five consequence-based criteria that can be used to assess criticality in federal departments. They are: (1) the health of Canadians; (2) the safety of Canadians; (3) the security of Canadians; (4) the economic well-being of Canadians; and (5) the effective functioning of Government. Organizations are expected to assess their impact on a 4-point scale for each criterion in order to determine their overall criticality level. SEMD has incorporated this system into the new BIA template, which has yet to be implemented. While Departmental guidance that would serve to support users in interpreting these criteria, understanding them fully, and applying the 4-point scale consistently is not currently in place, management has indicated that a new BIA/BCP user guide is currently being drafted that would serve this purpose.
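The following Python is an added worked example, not code from the audit report, NRCan or PS: it encodes the four PS metric definitions (MAD, MSL, RTO, RPO) listed above and the five consequence-based criteria rated on a 4-point scale, and runs the kind of consistency checks a BIA challenge function would apply (RTO must not exceed MAD, MSL is a percentage, stale reviews, missing alternates, missing approvals, critical functions without a BCP). The record schema, the field names, the sample records and the aggregation rule (highest rating across the five criteria decides, with HIGH or VERY_HIGH meaning critical) are assumptions made for the example; the report does not state PS's own aggregation rule.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The five consequence-based criteria from PS guidance, each rated on a
# 4-point scale from low (1) to very high (4). Key names are constructed.
PS_CRITERIA = (
    "health_of_canadians",
    "safety_of_canadians",
    "security_of_canadians",
    "economic_wellbeing_of_canadians",
    "effective_functioning_of_government",
)
LOW, MEDIUM, HIGH, VERY_HIGH = 1, 2, 3, 4


@dataclass
class BiaRecord:
    """One function's BIA entry (constructed schema, not NRCan's template).
    Durations are in hours; MSL is a percentage of normal service."""
    function: str
    owner: str
    alternate: str
    last_reviewed_fy: int            # 2019 means fiscal year 2019-2020
    consequence_ratings: Dict[str, int]
    mad_hours: float
    msl_percent: float
    rto_hours: float
    rpo_hours: float
    senior_management_approved: bool = False
    bcp_completed: bool = False


def criticality(record: BiaRecord) -> str:
    """Assumed aggregation rule: the highest rating across the five criteria
    decides. A function is 'critical' when any consequence reaches HIGH or
    VERY_HIGH, mirroring the 'high or very high degree of injury' wording in
    the MAD and MSL definitions; the report does not state PS's own rule."""
    missing = [c for c in PS_CRITERIA if c not in record.consequence_ratings]
    if missing:
        raise ValueError(f"{record.function}: unrated criteria {missing}")
    ratings = [record.consequence_ratings[c] for c in PS_CRITERIA]
    if any(not LOW <= r <= VERY_HIGH for r in ratings):
        raise ValueError(f"{record.function}: rating outside the 1-4 scale")
    return "critical" if max(ratings) >= HIGH else "non-critical"


def check_record(record: BiaRecord, current_fy: int) -> List[str]:
    """Consistency checks a challenge function could apply to one BIA."""
    findings: List[str] = []
    level = criticality(record)
    if record.mad_hours <= 0:
        findings.append("MAD must be a positive duration")
    if not 0 < record.msl_percent <= 100:
        findings.append("MSL must be a percentage in (0, 100]")
    # RTO is defined relative to MAD: recovery must finish before MAD is exceeded.
    if record.rto_hours > record.mad_hours:
        findings.append(f"RTO {record.rto_hours}h exceeds MAD {record.mad_hours}h")
    if record.rpo_hours < 0:
        findings.append("RPO cannot be negative")
    if not record.alternate:
        findings.append("no alternate contact recorded")
    if record.last_reviewed_fy < current_fy:
        findings.append(f"not reviewed since FY {record.last_reviewed_fy}-"
                        f"{record.last_reviewed_fy + 1}; contacts and metrics may be stale")
    # A critical self-assessment triggers the requirement for a full functional BCP.
    if level == "critical" and not record.bcp_completed:
        findings.append("critical function has no completed functional BCP")
    # The new template requires senior management approval regardless of level.
    if not record.senior_management_approved:
        findings.append("BIA lacks senior management approval")
    return findings


def master_list(records: Iterable[BiaRecord], current_fy: int) -> Dict[str, dict]:
    """Consolidate records into a master inventory keyed by function name."""
    inventory: Dict[str, dict] = {}
    for r in records:
        inventory[r.function] = {
            "criticality": criticality(r),
            "findings": check_record(r, current_fy),
        }
    return inventory


# Constructed sample records; the function names are illustrative only.
SAMPLE_RECORDS = [
    BiaRecord("sample-critical-service", "owner-a", "alternate-a", 2019,
              {**dict.fromkeys(PS_CRITERIA, LOW), "safety_of_canadians": VERY_HIGH},
              mad_hours=24, msl_percent=60, rto_hours=8, rpo_hours=4,
              senior_management_approved=False, bcp_completed=True),
    BiaRecord("sample-support-function", "owner-b", "", 2021,
              dict.fromkeys(PS_CRITERIA, MEDIUM),
              mad_hours=72, msl_percent=50, rto_hours=96, rpo_hours=24,
              senior_management_approved=True, bcp_completed=False),
]

if __name__ == "__main__":
    for name, entry in master_list(SAMPLE_RECORDS, current_fy=2021).items():
        print(name, entry["criticality"], entry["findings"])
```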
The audit team also noted that the Department has not developed an exhaustive, consolidated list of its critical functions and their accompanying recovery objectives, approved by senior management. Such a list would help ensure departmental priorities are clear and understood, allowing for more organized prioritization of resources and efforts during major service disruptions. The audit team identified two consolidated lists of critical functions, one of which exists through the master inventory previously discussed and the other within the draft departmental BCP, last updated in 2016. These two lists are inconsistent with each other, and neither has received senior management approval.
Business Continuity Planning (BCP) Activities
NRCan’s BCP processes are closely linked to the BIA, and are generally conducted in unison. When a BPO has completed their BIA using the template and self-assesses as critical, a BCP must be completed. This BCP is filled out in the same template, which expands to incorporate BCP requirements when a function is deemed critical. Findings previously mentioned regarding the delayed implementation of this year’s annual update and the absence of a supporting risk assessment process also apply to the BCP. At the time of the audit, the new draft BIA/BCP template being developed by SEMD makes minor adjustments to the BCP sections.
In contrast to the BIA, the purpose of a BCP is to outline how an organization will respond to disruptions to maintain acceptable service levels for critical functions. Effective BCPs should provide concrete, relevant guidance for users to address the consequences of service disruptions, which may be common across different types of events. For example, an entity’s BCP might describe procedures to address prolonged loss of access to facilities, which could be caused by a variety of incidents including pandemics or natural disasters. NRCan has produced functional BCPs for 41 functions within the Department, five of which were for critical services, three for critical dependencies, 21 for critical support functions, and 12 for moderately critical functions. NRCan does not currently have a strategic-level BCP process to capture BCM priorities and objectives at the Departmental level to ensure that NRCan’s critical functions share a coordinated strategy that is also in alignment with the broader GoC strategy. This type of process is recommended by PS guidance.
NRCan’s documented BCP processes are captured in three primary sources: the BCP template, the draft departmental BCP, and the Standard. In general, the procedures defined within these documents are broad and presented at a high level. Section 3.1 of the BCP template covers activation procedures; it is primarily focused on communication and ensuring that appropriate individuals are contacted. PS’s BCP guidance and suggested templates recommend offering substantial, concrete guidance to users for reference during an activation; however, this is not included in NRCan’s template, which mainly includes steps for contacting individuals to discuss and communicate the potential BCP activation.
Activation procedures are also offered in Section 2.3.1 of the draft Departmental BCP. This section of the plan states that the Department should assign employees to critical service maintenance, direct supporting staff to CORS, ensure key files are available, limit the use of networks where possible, etc. The guidance offered in the draft plan is very general, which can be useful given the wide variety of potential events. The NRCan Standard provides a high-level view of the processes that must be followed in the event of an emergency situation. However, there are no formal procedures and documented processes to address the consequences of different types of service disruptions. Given that the plan is still in draft and has not been approved or widely distributed, the guidance therein has not been leveraged by the Department.
In general, the documented procedures offered through Departmental guidance are primarily focused on initiating the BCP but offer very limited guidance to users as to what concrete actions should be taken once the activation has occurred. As a result, interviews with Sector representatives revealed that the BCPs were not heavily leveraged for the current pandemic, given their lack of clear guidance and perceived utility.
A review of Departmental BCP guidance revealed additional areas for improvement in NRCan’s established BCP processes; these include:
- The current draft plan does not provide thorough procedures for determining when a service disruption or threat is terminated, and how to deactivate the plan once this is confirmed;
- Current BCPs do not capture a list of Memoranda of Understanding or Service Level Agreements in which the Department is engaged to support their BCP activities and response efforts; and
- BCM incident governance, distribution lists, and suggested training or awareness activities are also not incorporated, all of which are suggested additions to BCPs according to PS guidance.
According to recognized best practices and PS guidance, an effective BCP should address a wide variety of service disruptions, by offering suggested actions that address the different types of resulting consequences. These consequences and impacts are normally generated through risk assessments and BIA exercises. With adequate BCP coverage, an entity could effectively react to a wide array of service disruptions, quickly evaluating its needs, mobilizing the appropriate resources, and implementing pre-established recovery strategies.
The audit team found that NRCan’s BCP documents are heavily centered on the CORS. CORS has been developed as a recovery strategy in which senior managers and key personnel congregate at an alternate site in Ottawa. The temporary location would be fitted with workstations operating with a barebones system to ensure critical functions can resume their work. The CORS strategy may not accommodate the circumstances of NRCan’s critical functions which are located in regional offices. While CORS could be an effective response strategy to certain types of service disruptions, it does not apply to a wide variety of cases, including pandemics and widespread network unavailability.
Although activation procedures are provided within NRCan’s BCP documentation, there is limited guidance relating to when the BCP should actually be activated in the first place. Clear BCP triggers have not been defined by the Department. There was also no evidence of established procedures and detection mechanisms to alert the Department of potential events that could lead to service disruptions, whether that be in the form of communications with external parties or through regular environmental scans. Processes for assessing alerts, and determining the severity of detected threats have not been established. A good industry practice is to align activation triggers with other crisis management procedures including EM and building evacuation plans and to develop an approved list of alert criteria that BCP users can leverage to assess a potential disruption and determine what type of response is merited. However, alert criteria have not been developed, and there is limited guidance surrounding aligning the type of BCP response with relevant impact levels.
According to the Standard, the moment an emergency event occurs, it is expected that a teleconference would take place among senior BCM officials to determine whether the BCM should be activated. However, this process is unlikely to be activated except in the case of extreme emergencies. This level of coordination would not apply for smaller events, or near misses, which may still require some form of BCP response. NRCan has not established different response strategies to accommodate varying levels and categories of service disruptions.
BCM Testing and Exercises
According to PS guidance, entities should develop and implement a testing program, in order to continuously validate their plans and state of preparedness and reinforce the departmental BCM practices. Regular testing of BCPs helps to promote an acceptable state of preparedness, in accordance with departmental practices. It provides the opportunity to validate plans, identify deficiencies, and exercise BCM teams. Testing programs typically span multiple years and detail the various tests and exercises to be conducted on an annual basis. These programs should be approved by senior officials and follow clear, documented testing objectives.
PS guidance suggests that planned testing initiatives be aligned with the entity’s objectives and the overall maturity of its BCM practices. Different levels of testing are possible, varying in terms of their relative complexity and involvement. BCM tests can span from drills, to tabletop exercises, to full simulations. Ideally, a testing program would follow a ‘building block approach’, in which annual exercises are conducted that gradually increase in their level of complexity, as the entity builds its BCM knowledge and capacity. The time and resources dedicated to testing should reflect its BCM maturity.
The audit team found that two types of BCP tests have historically been conducted on an annual basis at the Departmental level. The first is a department-wide tabletop exercise. This involved coordinating and gathering NRCan representatives from multiple Sectors to walk through varying sets of circumstances and discuss Departmental response mechanisms and strategies. The second was the annual CORS testing, in which key members of the Department would gather in the central location and practice using the alternative infrastructure and systems. Neither of these exercises has been conducted within the last two years, with the latest BCM department-wide tabletop exercise having taken place in 2017, and the latest CORS simulation in 2018. However, management has indicated that it plans to conduct an annually recurring Department-wide BCP tabletop exercise beginning in the fall of 2021, as well as to conduct an annual EM session each spring. The first of these recurring EM tabletop exercises was held in May 2021 for the NRCan Senior Management Committee; included during this exercise was a BCM awareness session for participating senior managers, as noted previously with regard to training and awareness.
In March 2020, the Department conducted seven tabletop exercises with the sectors containing critical functions in anticipation of the COVID-19 pandemic. These exercises were intended to help determine whether the critical services could be delivered from any location, whether resources were equipped accordingly, and whether employees designated in the plan were familiar with its contents. The exercises involved gathering business owners, critical staff, and their alternates from across the Sectors and presenting them with hypothetical scenarios associated with a pandemic (e.g. whether they were able to fully transition to remote working, whether they could compensate for critical employees randomly becoming ill and not being able to perform their functions, etc.). For each scenario, sector representatives reflected on whether adapting to these situations was feasible in the current conditions. The pandemic tabletop exercises were effective in preparing critical employees for their respective responsibilities and were well received by Sector representatives.
While the pandemic tabletop exercises were effective, BCP tests were not conducted at the departmental level over the past year. NRCan has not established a formal BCM testing program to evaluate existing procedures, identify potential gaps in plans, measures and arrangements, as well as to support the continuous improvements of departmental BCM efforts. BCP testing strategies and objectives have not been approved by a member of senior management. As noted above, the audit team learned that a BCM exercise is planned to be held in fall 2021. As this exercise was not conducted as of the time of the audit, the audit team was not able to assess whether the exercise adequately supported continuous improvement efforts.
Follow-Up and Monitoring Activities
Capturing lessons learned from BCM exercises is an essential step to ensure the continuous improvement of the overall BCM framework. Best practices dictate that lessons learned should be formally documented, communicated to relevant parties, and actioned where appropriate. Ensuring an appropriate, timely response to potential gaps or weaknesses highlighted during an exercise requires establishing accountabilities for implementing any lessons learned, as well as routine follow-up efforts to track their completion.
SEMD produces after-action reports following departmental BCM testing exercises. These reports typically include the nature of the tests performed, key outcomes, and the resulting lessons learned. For example, the pandemic tabletop exercises conducted in 2020 yielded after-action reports for each critical function. Within these after-action reports, Sectors were asked to identify gaps discovered in their existing processes that could inhibit proper functioning during a pandemic situation. Business owners were also asked to list action items they should implement that would improve their ability to effectively respond to the pandemic.
Results from the pandemic tabletop exercises were consolidated into a single after-action report, summarizing all of the findings and exercise outcomes. SEMD has developed a tracking sheet that lists each action item, the accountable implementation lead, and the current implementation status. Through this tracking sheet, SEMD was able to ensure that the outcomes of the tests are incorporated into future BCM efforts, enabling continuous improvement. Despite evidence demonstrating that the results of the most recent BCM testing exercises were documented and followed up on, there are no standardized procedures in place within the Department to ensure this is done consistently by all sectors. Approved processes and procedures describing the actions that should be taken post-exercise, including the appropriate documentation and follow-up of action items for BCP improvements, are not in place.
According to PS guidance, to ensure BCM programs continue to meet the needs of an entity, BIAs and BCPs must be regularly reviewed and updated to account for changes in services and activities, resource requirements and availability, and environmental threats. Both internal and external BCM monitoring activities should be established to support continuity efforts.
PS guidance indicates that internal BCM monitoring can be achieved through examining the impacts of major organization changes, developing post-incident reports, reviewing after-action reports following exercises, and keeping apprised of industry best practices. External monitoring can take the form of regular risk assessments and environmental scans to encourage proactive responses to major events and improved preparedness. The audit team could not obtain evidence that formal internal or external monitoring activities and procedures are documented to support the BCM program.
Lessons Learned relating to COVID-19
On March 15, 2020, the Department activated its business continuity processes in response to the global COVID-19 pandemic. This was the first time that such an activation had taken place at NRCan. The TB Directive on Security Management requires that each department review and maintain BCPs based on the results of tests and the activation of plans to ensure that BCM practices continue to meet the needs of the department. Furthermore, while not required by the TB Directive, a best practice includes identifying lessons learned based on BCP activations or events that have occurred to similar organizations, as well as ‘near miss’ incidents that could have had a more serious impact (e.g. a cyber attack in a similar department, or a fire in a neighbouring building).
While the Department’s BCM guidance does not formally require the identification of lessons learned and the remediation of issues in a timely manner following a BCP activation, SEMD began obtaining input from sectors and recording the lessons learned from the first wave of the pandemic in a “COVID-19 1st Wave After Action Report”. The lessons learned recorded via this exercise pertained to a wide variety of topics, not limited to BCP. However, the audit team found that this exercise was not conducted and completed in a timely manner. Specifically, as of June 2021, the report is still in a draft phase and has not been shared with management. Lessons learned have been collected, but next steps and plans for remediation and implementation have not been documented.
In the absence of adequate BIA and BCP processes, there is an increased risk that departmental resources and efforts are not properly prioritized in the event of a major service disruption, potentially leading to prolonged service interruptions. Delayed or ineffective response procedures, including the absence of defined activation triggers, increase the likelihood that NRCan’s critical services are not recovered to an appropriate level within an acceptable period of time and properly maintained. Such interruptions could ultimately impact the Department’s ability to deliver the services that are deemed critical.
Without appropriate BCP testing, lessons learned, and follow-up activities, there is a risk that established BCM processes are not functioning as intended. Gaps and deficiencies in existing procedures may persist without notice or remediation for extended periods, hindering NRCan’s response efforts and the continuous improvement of BCM processes.
When lessons learned exercises are not completed, implemented, and corrected in a timely manner, there is a risk that the Department may not be adequately prepared to respond to subsequent and/or concurrently occurring service disruptions, such as a network failure.
Recommendation 2 : It is recommended that the CSO establish processes to ensure the development and implementation of:
- Thorough BIA activities, supported by regular risk assessments and approved by senior management on a regular basis;
- Updated BCP activities, including concrete operating procedures for a variety of service disruptions, as well as activation, deactivation, and monitoring procedures;
- A formal BCM testing program outlining the objectives, types, frequency, and post-exercise actions for departmental BCM tests; and
- A lessons learned process that is adequately designed, implemented, and operating in a timely manner during and after BCP activations to ensure that best practices are documented and that issues are tracked until remediated.
Management agrees with Recommendation #2a.
CIOSB has developed a BIA template which will be sent to sector BCM coordinators for review and approval. Sectors will use the BIA template for their annual review. Sector BIAs will require formal approval by the sector head and will be brought to the DG-SEMIC governance committee. A formal risk assessment program will be developed and implemented in the next fiscal year to ensure compliance with NRCan, TBS and PS policies.
Timing: September 30, 2022
Management agrees with Recommendation #2b.
CIOSB will continue to review and revise all BCM activities, which includes operating procedures for a variety of service disruptions. Standard Operating Procedures (SOP) will be reviewed based on a risk analysis and using “After Action Reports” following major events (e.g., wildfires). Once each SOP is reviewed and approved, it will be provided to Subject Matter Experts and included in the training and awareness products. In addition, CIOSB will engage sector BCM Coordinators in the review and implementation of those procedures. CIOSB will ensure that everyone who plays a role in BCM is trained and knows what to do during an emergency.
Timing: June 30, 2022
Management agrees with Recommendation #2c.
CIOSB will be establishing a monitoring and reporting framework, which is an integrated part of NRCan’s business continuity management planning program. Management will continue to revise and review this reporting framework to ensure compliance with NRCan, TBS and PS policy instruments and technical guidance. NRCan’s goal is to test Branch BCPs, which include critical services and critical support function recovery strategies, on a yearly basis. The reporting component will be used to keep senior management apprised of the business continuity planning program’s effectiveness and progress.
The Sector-level BCP will be reviewed and revised if necessary every year.
Timing: December 31, 2022
Management agrees with Recommendation #2d.
CIOSB will ensure lessons learned from BCM events are documented, continuously reviewed and implemented when a BCP is activated. In addition, these lessons learned will be presented to DG-SEMIC and incorporated in the training and awareness products.
Timing: June 30, 2022 – process will be defined.
Management Processes, Compliance with Policy, and IT Solutions
Overall, the audit team noted several areas of non-compliance with the TB Policy on Government Security (PGS), the Directive on Security Management, and the NRCan Standard on BCM. The audit team found that critical functions have designed and implemented IT solutions to support their BCP IT continuity objectives and that a Major Incident Management Plan (currently in draft form) establishes an updated list of critical business applications and services. However, opportunities exist for the Department to establish internal guidance to improve alignment with, and the achievement of, TB policy objectives and expected results through the creation of department-wide plans and written agreements, as well as through establishing clear expectations for BPOs of critical functions.
The audit team sought to determine whether NRCan had developed and implemented an adequate policy suite and department-wide plans to achieve compliance with the requirements set out in the TB PGS and the Directive on Security Management. The audit team expected that the Department had designed and implemented IT solutions to support and achieve its continuity objectives and that the Department had established processes to ensure that resources are prioritized and effectively distributed to critical functions. By completing these activities effectively before an activation, an organization improves its level of preparedness and thereby the Department’s ability to continue operating its critical functions in the event of a service disruption.
Compliance with TB Policy and Development of Internal Guidance
TB has established a policy suite to guide GoC departments and agencies in the establishment of their respective BCM policy suite. This suite includes the PGS, the Directive on Security Management and PSD. In addition, PS is identified as having a role in providing expertise to GoC departments and agencies and does so through BCM guidance, which is published and available on the GCPedia webpage.
The audit team found that NRCan does not have a departmental level BCP that has been finalized or approved. A draft departmental plan does exist; however, it was last updated in 2016. While business function specific continuity plans were obtained and examined, the audit team noted that there is no central strategic level document to guide and inform the Department on BCM processes.
Through an examination and comparison of the Department’s internal policies and plans against the TB policy suite pertaining to BCM, the audit team found that NRCan’s internally developed guidance is generally aligned with external guidance from TB policy and PS guidance. However, several areas of improvement have been identified, including that NRCan’s policies and standards do not adequately stipulate the roles and responsibilities related to testing BCPs and the expected training requirements. Currently, the NRCan Standard on BCM does not identify the TB requirement for senior officials to review the training program. Another area of improvement identified is the documented roles and responsibilities of the CSO. The CSO is identified in the TB policy as having numerous responsibilities related to BCM oversight and operational activities; however, NRCan has limited internal guidance that defines the CSO’s responsibilities and identifies how the CSO’s efforts will be coordinated with the rest of the Department.
The PGS states that senior officials in the Department’s security governance must establish or recommend the establishment of written agreements when their department relies on or supports another department or organization to achieve government security objectives. For example, the audit team found that NRCan has not established a written agreement between itself and Shared Services Canada (SSC) based on NRCan’s reliance on SSC to achieve government security objectives related to business continuity management processes. SEMD noted that in place of written agreements NRCan relies on service standards developed by SSC; however, NRCan’s critical function representatives have noted that their IT continuity plans are reliant on SSC support, and that the existing SSC service standards being used in place of agreements are insufficient to achieve the Department’s continuity objectives.
Overall, the audit team found that while the critical functions examined have designed and implemented IT solutions to support their BCP objectives, there were several opportunities for improvement identified related to IT continuity. These areas include documentation of plans, definitions, and requirements for critical services IT components, identification and regular approval of critical business applications and services, and establishment of written agreements with third-party service providers.
IT continuity mechanisms are identified in the Standard under the role of the Information Technology Security Coordinator (ITSC); however, guidance on the implementation of the BCM program does not include specific requirements or guidelines on IT continuity documentation. Business process owners of critical functions are responsible for ensuring IT continuity of their operations. While the audit team found that the BIA template asks functions to list their critical IT assets, this section is not consistently completed and therefore there is no complete list of critical IT assets. The audit team also found that the Information Technology Disaster Recovery Plan (IT-DRP) created for the CORS site was last updated in 2015; therefore, there is a risk that this plan is out of date given it has not been reviewed based on changes to the Department that have occurred over the past six years.
The audit team noted that NRCan’s critical functions have established infrastructure to ensure continuity of IT operations in the event of a major service disruption to achieve the objectives in their BCP. Three out of five critical functions documented their continuity plans via IT-DRPs, which outlined in detail the supporting IT infrastructure processes for maintaining IT continuity through a service disruption. These plans included a ticketing system to track and prioritize incidents, including concurrently occurring service disruptions. However, the audit team also found that while lessons learned related to IT continuity may originate from planned tests of their systems or from unplanned incidents, there is no formal documentation or tracking of these lessons learned to ensure remediation occurs.
The audit team found that the information included in the version of the BIA/BCP template used over the last several years does not provide adequate information to BPOs about what plans and information are required to ensure IT continuity. The newly updated version of the BIA/BCP template asks BPOs whether they require a DRP, whether the function completing the BIA/BCP has the necessary computers available should telework be the chosen continuity strategy, and whether the function has established processes to continue operations in the event of an IT infrastructure failure. However, no description or explanation of when a function is required to create an IT-DRP is provided. Furthermore, the new version of the template only requires the identification of recovery objectives (i.e. Recovery Time Objective and Recovery Point Objective) for each function as a whole, and does not require specific objectives for each system and/or application that supports it. The lack of specific recovery objectives for each system and/or application, as identified in PS guidance, may affect critical functions’ ability to ensure alignment between their planned IT capacity and the continuity needs of the business function.
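The gap described above (function-level RTO/RPO without per-system objectives) is easiest to see with a worked check. The following is an added example, not part of the audit report or any NRCan tooling: it models a critical function's supporting systems as a dependency graph with constructed, hypothetical recovery objectives, computes the recovery time a function would actually experience (a component is only usable once everything it depends on is back), and flags any path whose effective RTO or RPO exceeds what the BIA promised for the function. All system names and hour values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class System:
    """One IT component (application, database, network service) that a
    critical function relies on.  Values are constructed for this example."""
    name: str
    rto_hours: float                        # planned time to restore this component
    rpo_hours: float                        # age of the newest data that can be restored
    depends_on: List[str] = field(default_factory=list)


def effective_rto(name: str, systems: Dict[str, System], _stack: Tuple[str, ...] = ()) -> float:
    """Recovery-time critical path.  A component cannot be brought into service
    until every dependency is back, so its effective RTO is its own restore time
    plus the longest effective RTO among its dependencies."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name!r}")
    s = systems[name]
    dep_rtos = [effective_rto(d, systems, _stack + (name,)) for d in s.depends_on]
    return s.rto_hours + max(dep_rtos, default=0.0)


def effective_rpo(name: str, systems: Dict[str, System], _stack: Tuple[str, ...] = ()) -> float:
    """Worst-case data loss across the dependency tree: the weakest backup wins."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name!r}")
    s = systems[name]
    dep_rpos = [effective_rpo(d, systems, _stack + (name,)) for d in s.depends_on]
    return max([s.rpo_hours] + dep_rpos)


def check_alignment(function_name: str, function_rto: float, function_rpo: float,
                    entry_points: List[str], systems: Dict[str, System]) -> List[str]:
    """Compare the function-level objectives recorded in a BIA against what the
    supporting systems can actually deliver.  Returns one finding per gap."""
    findings = []
    for entry in entry_points:
        rto = effective_rto(entry, systems)
        if rto > function_rto:
            findings.append(f"{function_name}: recovery via {entry} takes {rto:g} h, "
                            f"function RTO is {function_rto:g} h")
        rpo = effective_rpo(entry, systems)
        if rpo > function_rpo:
            findings.append(f"{function_name}: data loss via {entry} can reach {rpo:g} h, "
                            f"function RPO is {function_rpo:g} h")
    return findings


# Constructed sample: a hypothetical critical function whose BIA records a
# function-wide RTO of 8 h and RPO of 4 h, with no per-system objectives.
SAMPLE_SYSTEMS: Dict[str, System] = {
    "portal":  System("portal",  rto_hours=2, rpo_hours=1,  depends_on=["app-db", "auth"]),
    "app-db":  System("app-db",  rto_hours=4, rpo_hours=24, depends_on=["storage"]),  # nightly backup only
    "storage": System("storage", rto_hours=3, rpo_hours=0),
    "auth":    System("auth",    rto_hours=1, rpo_hours=0),  # supplied by a third-party provider
}


def audit_sample() -> List[str]:
    """Run the alignment check over the constructed sample function."""
    return check_alignment("Sample critical function", function_rto=8, function_rpo=4,
                           entry_points=["portal"], systems=SAMPLE_SYSTEMS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Every component here individually "meets" an 8 h target, yet the function cannot be recovered in under 9 h because the database waits on storage and the portal waits on the database, and the nightly database backup silently caps the function's RPO at 24 h. Recording objectives only at the function level, as the template described above does, hides exactly these two kinds of misalignment.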
SSC provides network, hardware, and software to government departments and is therefore relied on as a service provider by various NRCan functions, including NRCan’s critical functions. In January 2021, SSC met with NRCan to provide an outlook on their IT continuity position and discuss the collaborative next steps to close gaps identified by an IT continuity assessment of NRCan’s IT environment. Furthermore, SSC has a process in place to identify Critical Business Applications and Services (CBAS) to inform incident priority levels as part of their incident management prioritization process. SSC’s CBAS service standards note that having an application or service on the CBAS list with SSC does not by itself grant it 24/7 support, but results in a higher level of communication, escalation, and service support resource engagement. SSC’s process for requesting that an application or service be added to their CBAS list is the submission of a Microsoft Excel document via email. BPOs of NRCan’s critical functions requesting to be added to SSC’s CBAS list must complete a questionnaire, which is then sent to SSC by CIOSB. The audit found that SSC’s CBAS list of NRCan applications and services is not regularly approved or reviewed, and that no one at NRCan is responsible for regularly confirming that what NRCan expects to be listed as a CBAS matches what is on SSC’s CBAS list. The audit team found that in the past there have been instances where the understanding between NRCan and SSC regarding what was on SSC’s CBAS list did not align. The audit team obtained evidence that in June 2021, a departmental critical function’s data centre went offline and SSC was contacted to obtain IT support. SSC did not have the data centre identified as primary on their CBAS list for NRCan; as a result, the critical function did not receive the level of support it expected for an application or service, due to the misalignment between what NRCan believed was CBAS and what was on SSC’s list of CBAS for NRCan.
After the completion of the conduct phase, the audit team obtained a draft Major Incident Management Plan (MIMP) in July 2021 which was shared by the CIO/CSO for comments at the Information Management & Technology Committee (IMTC). The primary purpose of this draft plan is to outline a step-by-step process for managing major IT incidents within NRCan to restore normal operations. The audit team found that this plan does provide a thorough guide to manage major IT incidents and includes an updated list of what NRCan would like to be classified as CBAS. The draft plan has been approved by the CIO/CSO; however, this plan has not yet been implemented and it does not provide clarity on the process to ensure that NRCan’s list of what they consider CBAS is approved, complete, accurate, and in alignment with SSC’s CBAS list for NRCan.
Additionally, the audit team found that BCM staff have developed IT continuity mechanisms that include outlining third-party service providers (including SSC) and the types of support they provide, including lists of required networks, applications and hardware. However, there are no agreements in place between NRCan and SSC outlining what each department is responsible for in the event of a service disruption to enable support of, and ensure continuity of, IT applications and services that rely on SSC, even though SSC maintains a website indicating the services they provide. The process to obtain SSC support for IT continuity of applications and services on the CBAS list requires a request to be made through the NRCan IT Helpdesk, which is responsible for forwarding the request to SSC. Given that the NRCan service desk is not currently staffed outside of NRCan’s core business hours, CIOSB indicated that critical functions rely on knowing specific contacts at SSC to call if an incident occurs outside of core business hours. The draft MIMP received indicates that NRCan plans to provide 24/7 NRCan Helpdesk support to critical functions; however, this is a draft plan and the audit team did not obtain evidence that this level of support is in place. The draft plan does not identify whether the Department will procure 24/7 support from SSC for CBAS. As NRCan’s Helpdesk often acts in a coordination role between critical functions and SSC, 24/7 support from NRCan’s Helpdesk may not remediate the issues identified above unless the Department procures matching 24/7 support from SSC. Furthermore, agreements with third-party service providers, including SSC, would improve the understanding of NRCan’s own responsibilities and expectations, as well as the Department’s ability to continue its critical operations.
The audit team found that there are no adequate plans, processes, or agreements detailing how the Department’s critical functions should interact with some third-party providers in order to receive the levels of support needed for their IT applications and services.
Prioritization and Distribution of Resources
The audit team found that the annual BIA process noted above is the key mechanism for NRCan’s prioritization and allocation of centralized services and resources, as well as the key mechanism for the identification of human resources required by a critical function. The audit team found no evidence to demonstrate that the Department’s critical functions have been prioritized based on the expected outcomes that would occur should they be unable to continue their operations in the event of a service disruption.
Senior officials in NRCan’s security governance structure are responsible for identifying the security requirements and the resulting resource needs of programs, services, and activities within their area of responsibility. Critical functions have financial authority assigned for emergency funds in the event that the designated official is not available to ensure that critical operations may continue.
The audit team was not able to obtain evidence of formally defined and documented plans or guidance on the redistribution of IT resources in response to a BCP activation. Despite the lack of formally documented plans and processes, the audit team noted that CIOSB was able to distribute IT hardware and infrastructure support to the critical functions effectively with the aim of allowing them to continue their operations during the COVID-19 pandemic, and that critical functions had plans in place to identify the resources they require.
Risk and impact
Failing to comply with the requirements set out in TB policies can result in the absence of effective management processes for BCM.
The Department may be unprepared to meet its objectives in the event of a service disruption in the absence of a department-wide BCM plan, written agreements with third parties, effective processes to align IT capacity with identified recovery objectives, and identification and communication of priority IT solutions and critical functions.
Recommendation 3: It is recommended that the CSO ensure that:
- departmental guidance aligns with TB Policy, is communicated, implemented, and updated on a regular basis, and includes plans for redistribution of resources to priority functions;
- areas of improvement or gaps identified by NRCan’s monitoring, testing and continuous improvement life-cycle components are identified and followed up on in a timely manner; and
- a department-wide plan to achieve business and IT continuity objectives is designed and adequately implemented, maintained, and updated in a timely manner, to ensure that the Department is prepared to achieve its mandated responsibilities under the Emergency Management Act.
Recommendation 4: It is recommended that the CSO ensure that:
- departmental guidance provides adequate information to business process owners of critical functions to inform them of their roles, responsibilities, and expectations pertaining to IT continuity; and
- a process is established to ensure that CIOSB regularly reviews the list of NRCan’s applications included on SSC’s CBAS list to ensure that it is complete and accurate, and that this review, as well as NRCan’s additions to the list, are appropriately approved.
Recommendation 5: It is recommended that ADMs of Sectors with critical functions ensure that agreements are signed with third-party service providers (including departments) to or from which their critical functions provide or receive support, so that roles, responsibilities, and service standards are established based on BIA results (including recovery objectives).
Management agrees with Recommendation #3a.
The CIOSB will review and update the 2018 NRCan Standard on Business Continuity Planning Program (and other related policy documents, as required, such as the BIA documentation and the terms of reference for the BCP Working Group). CIOSB will ensure that the revised version of these documents aligns with TBS policies and framework.
The revised standard will clearly outline roles, responsibilities and reporting relationships through a clear governance structure.
The revised standard will be approved by NRCan’s DG-SEMIC and governance, will be communicated to employees and posted on NRCan’s intranet, and will be reviewed every three years.
Position responsible: Chief Information and Security Officer, Chief Information and Security Branch, Corporate Management Services Sector
Timing: June 30, 2022
Management agrees with Recommendation #3b.
Business owners of mission-critical applications perform yearly tabletop exercises to test their respective DRPs and address any areas for improvement. This remains within their respective areas of responsibility and accountability. The MIMP has gone through governance and SSC has agreed with the process. The MIMP will be implemented in Q3 2021-22 and it identifies areas of improvement or gaps after a major incident has been resolved, through a critical incident report. A process will be implemented to capture these gaps, as well as the gaps identified from the IT Continuity exercise (see 3c below) and the testing/review of the business continuity management process (2c), in an action plan. CIOSB will follow up on the gaps with the business owners and SSC on a timely basis. The review and implementation of the action plan will also be added to the Departmental Security Policy for common understanding across NRCan.
Position responsible: Chief Information and Security Officer, Chief Information Officer and Security Branch, Corporate Management Services Sector
Timing: March 31, 2022
Management agrees with Recommendation #3c.
The departmental-wide plan to achieve the business continuity objectives will be updated to align with the IT continuity objectives and the SSC incident management process so that the department can achieve its mandated responsibilities under the Emergency Management Act .
Management agrees with Recommendation #4a.
The MIMP, aligned with the Departmental BCM plan and validated by business owners of critical functions and SSC, has been endorsed by IMTC and is planned to be approved by the Operations Committee in September 2021. The MIMP documents the roles, responsibilities, and expectations when a major incident is detected and resolved. Similarly, CIOSB is validating the need for 24/7 IT Continuity Services with business owners of critical systems prior to entering and signing the SSC IT Continuity Services agreements, which will document the roles, responsibilities and expectations of business owners for IT continuity. CIOSB will provide guidance to business owners on their roles, responsibilities and expectations on IT continuity.
Management agrees with Recommendation #4b.
SSC creates and owns the CBAS list. NRCan reviews and approves this list on a yearly basis in an exercise led by the SSC Client Executive team. Currently, CIOSB Business Service Delivery (BSD) liaises with the business owners of critical services in order to review and approve the CBAS list for NRCan. The process will be updated so that the NRCan CIO reviews and approves the CBAS list for NRCan prior to sending it back to SSC. The updated process will be reflected in the Departmental Security Policy.
Management agrees with Recommendation #5.
There is a cost to availing of 24/7 SSC IT Continuity Services, and CIOSB is reviewing the need for 24/7 IT continuity services with business owners at NRCan. NRCan will subsequently avail of the level of SSC IT Continuity Services accordingly. This will formalize the IT Continuity plans with SSC and will establish annual IT Continuity testing services of the existing IT Continuity infrastructure. The outcome of this exercise would also position NRCan to meet recommendations 3b, 3c and 4a from the Audit.
ADMs of Sectors with critical services will need to provide funding and ensure that the SSC IT Continuity agreements are signed, through CIOSB, to avail of SSC IT Continuity services. The signed agreements will formalize the SSC IT Continuity support with roles, responsibilities and service standards.
Position responsible: ADM of Sectors with critical services with support from the Chief Information and Security Officer
The following audit criteria were used to conduct the audit:
Operational security standard - Business Continuity Planning (BCP) Program: BT39-17/2004E-PDF
"The continued delivery of government services must be assured through baseline security requirements, business continuity planning, including information management and information technology continuity planning, and continuous risk management. The Policy on Government Security and its associated standards describe these baseline security requirements"--Provided by publisher.
Permanent link to this Catalogue record: publications.gc.ca/pub?id=9.844201&sl=0
Audit of Business Continuity Planning
From: Transport Canada
Audit of Business Continuity Planning (PDF, 848 KB)
Table of contents
- Introduction, audit objective and scope, statement of conformance
- 1.1. Purpose
- 1.2. Background
- 1.3.1 Audit objective
- 1.3.2 Audit scope
- 1.3.3 Audit approach
- 1.3.4 Audit criteria
- 1.3.5 Audit sample
- 1.4. Report structure
- 2.1. Governance framework
- 2.2. Business continuity planning process
- 2.3. Monitoring of BCP readiness
- 3. Conclusion
- 4. Recommendations and management action plan
- Executive summary
Business Continuity Planning (BCP) refers to the establishment of a governance structure, the conduct of a Business Impact Analysis (BIA), the development, timely execution and maintenance of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets. In the wake of recent natural and man-made events, as well as the changing Government of Canada operating environment, there is a heightened awareness of the importance of services provision following disruptions to the normal course of a government department’s business.
Critical services are defined as any services, program or operation whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security and economic well-being of Canadians, or to the efficient functioning of the Government of Canada. Transport Canada has identified 130 critical services which fall into two categories: Services critical to the national interest and those critical to the Department.
The Deputy Minister has overall departmental responsibility to ensure the effectiveness and implementation of the Business Continuity Planning Program.
To provide assurance that Transport Canada’s BCP Program is in place and operating in accordance with Government directions, the audit team worked with the Office of the Comptroller General as they carried out a Horizontal Audit of Business Continuity Planning in Large and Small Departments. This approach allowed the audit team to leverage OCG’s planning and audit criteria as well as provide a useful point of comparison to other government departments.
The Audit of Business Continuity Planning was included in Transport Canada's 2016/17 to 2018/19 Integrated Audit and Evaluation Plan.
The objectives of this audit were to determine whether:
- Departmental governance frameworks for BCP are in place (Footnote 1); and
- Departmental BCP processes are in place (Footnote 2).
The audit team examined the current (as at December 31, 2015) BCP documentation and governance framework used within Transport Canada and work underway in 2016 to ensure continuity of critical services and support services of the Department. The audit utilized a risk-based sample of business continuity plans to examine whether BCP processes followed the essential elements and considerations required to ensure the continuity of operations.
We found that a governance framework is in place for the management of the departmental BCP Program. Departmental processes are also in place for the development, implementation, testing and update of departmental BCPs. However, the foundational work to identify critical services has generally not been updated since the inception of BIAs in 2006. While resulting BCPs for the identified critical services are being updated, it is unknown if the critical services identified are still the correct critical services requiring a BCP. Transport Canada has recognized the need to update its BIAs and BCPs and proactively embarked on a BIA/BCP renewal exercise in January 2016. Transport Canada needs to ensure that its current process for the renewal of BIAs and BCPs is completed and conforms to the OCG’s expectations/criteria for a BCP Program.
This Audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of an external assessment of Internal Audit’s Quality Assurance and Improvement Program.
Dave Leach (CIA, MPA) Director, Audit and Advisory Services
Martin Rubenstein (CPA, CIA, CFE) Chief Audit and Evaluation Executive
The Audit of Business Continuity Planning was included in Transport Canada’s 2015/16 to 2017/18 Integrated Audit and Evaluation Plan. Our audit results directly support the Office of the Comptroller General’s (OCG) Horizontal Internal Audit of Business Continuity Planning (BCP) in Large and Small Departments.
The OCG developed the Audit Plan and Program and Transport Canada Internal Audit carried out the examination, testing and reporting of results to the OCG for inclusion in its horizontal audit.
The following is a synopsis from the Audit Plan for the OCG-led Horizontal Internal Audit of Business Continuity Planning (BCP) in Large and Small Departments.
Business Continuity Planning (BCP) refers to the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets. In the wake of recent natural and man-made disasters (e.g. Parliament Hill shooting – Oct 2014, floods in Western Canada – June 2014, Heartbleed incident against the Canada Revenue Agency – April 2014), as well as the changing Government of Canada operating environment (e.g. transition to enterprise-wide service delivery), there is a heightened awareness of the importance of the Government being able to respond and recover its services and assets within the maximum allowable downtime (Footnote 3).
BCP in a federal government setting is a component of baseline security requirements and forms a process that aims to ensure that critical government services can be continually delivered in the event that there are disruptions to normal course of business. Critical services can be categorized as either critical to the Government of Canada by supporting the health, safety, security and economic well-being of Canadians and the effective functioning of government or critical to departments themselves, where they are required in order to fulfill the department’s mandate and other departmental obligations. Departmental critical services may not necessarily be critical to the Government of Canada.
The requirements for BCP are established in the Emergency Management Act (EMA), Treasury Board Policy on Government Security (PGS), Directive on Departmental Security Management, Operational Security Standard – Business Continuity Planning Program (OSS-BCP) and Operational Security Standard – Management of Information Technology Security (OSS-MITS). The Act, policy, directive and operational standards provide guidance to departments in developing business continuity processes that support departmental objectives, and define roles, responsibilities and accountabilities for departments and lead security agencies.
Based on current requirements, governance frameworks are required to ensure government-wide coordination of critical service recovery and departmental BCP readiness.
Within Transport Canada, the responsibility to implement a departmental BCP Program rests with the Deputy Minister. The Deputy Minister is responsible for ensuring that appropriate management direction, processes and tools are in place to efficiently manage BCP and that the departmental security plan remains appropriate to the needs of the department and the government as a whole through periodic reviews. As per the Treasury Board’s OSS-BCP, the development and implementation of a departmental BCP involves implementing a departmental BCP governance structure, completion of Business Impact Analyses (BIAs), development of BCP strategies and plans, and developing and maintaining BCP readiness through regular training, testing, validation and review of plans. With the transition to service provision from Critical Support Service Providers (CSSP) (Footnote 4), departments must also ensure that formal service provision agreements are in place and that departmental recovery strategies include coordination mechanisms and procedures.
Internal Audit provided audit findings, without audit recommendations, to the OCG for inclusion in the development of its audit report. The OCG audit report will summarize the audit findings for all large and small departments and provide recommendations for the Government moving forward. This internal audit report makes specific recommendations to strengthen Transport Canada’s BCP Program.
1.3. Audit Objective, Scope, Approach, Criteria and Sample
As defined by the OCG, the objectives of the audit were to determine whether:
- Departmental governance (Footnote 5) frameworks for BCP are in place; and
- Departmental BCP processes are in place (Footnote 6).
The audit examined BCP documentation in place as at December 31, 2015, the governance framework used within Transport Canada, and work underway in 2016 to ensure continuity of critical and support services of the Department. Based on an assessment of risk, the audit utilized a risk-based sample (Footnote 7) of business continuity plans to examine whether BCP processes included essential elements and mitigated risks to ensure the continuity of operations.
The audit was conducted through the review of key BCP-related documents, interviews and an examination of a sample of business continuity plans and BIAs, which were assessed against the specific criteria defined in the OCG’s Audit Program.
The audit examined three areas:
- Departmental governance frameworks are in place for the management of departmental BCP.
- Departmental BCP processes are in place for the development, implementation, testing and update of departmental BCP.
- Departmental monitoring processes are in place for the oversight of BCP readiness.
For each area, the OCG had developed audit criteria and sub-criteria.
The following sample was selected for review:
- Pacific Region
- Prairie and Northern Region
- Ontario Region
- Quebec Region
- Atlantic Region
- Pacific Region – Emergency Contracting
- Marine Security
- Civil Aviation
- Aviation Security
- Rail Safety
- Transportation of Dangerous Goods
- Civil Aviation – Aircraft Maintenance and Manufacturing
Transport Canada is a key player in responding to any transportation-related emergencies. A situation centre is located at HQ and one in each region. These centres provide critical support to enable Transport Canada to carry out its role during an emergency. The OCG selected the Situation Centre in Pacific Region as one of the critical services in its sample. Internal Audit expanded the sample to include all Situation Centres to ensure full coverage of this particular critical service.
For each of the three areas examined, we have included contextual information, what we expected to find, what we found and, where appropriate, recommendations. The last section of the report contains management’s action plan to address our audit recommendations.
2. Findings and Recommendations
What We Expected
We expected to find departmental governance structures in place that actively support business continuity planning and roles and responsibilities that have been documented, approved and communicated to all stakeholders; an established departmental policy framework that defines roles, responsibilities and expectations for BCP; and an established department-wide systematic approach to identify and prioritize departmental critical services.
What We Found
Transport Canada has governance and policy frameworks in place for the management of its BCPs. There are opportunities to strengthen accountabilities within these frameworks.
We found that Business Continuity Planning is supported by the following three governance bodies:
- Transport Canada Executive Management Committee (TMX)
- BCP Program Working Group (BCPWG)
- Departmental Security Committee (DSC)
Transport Canada also periodically reviews its governance structures. The most recent review resulted in giving the BCPWG decision-making authority as reflected in their April 2016 Terms of Reference. In addition, a general review of security programs, which includes the BCP Program, is conducted every three years. The last such review was in November 2013.
Transport Canada has a BCP Policy which defines the roles, responsibilities and expectations of the following key stakeholders within the Department:
- Deputy Minister
- TMX members (senior management)
- Departmental Security Officer
- Directorate/Branch Managers
- Departmental BCP Coordinator
- BCP Program Working Group
- BCP Coordinators
The BCP Policy is approved and published on Transport Canada’s internal website (Intranet).
We noted, however, that these roles, responsibilities and expectations have not been embodied in all of the key individuals’ performance accords or job descriptions. Having BCP responsibilities described in either job descriptions or performance accords of all key individuals would further strengthen key individuals’ BCP accountability and ensure consistency within the BCP Program.
We found that although all three governance bodies meet and discuss the BCP Program on a regular basis, the Departmental Security Plan (equivalent of a Terms of Reference) for the Departmental Security Committee does not define the frequency of meetings that are required. Without clearly stipulating this requirement, the DSC may not be held accountable to meet on a regular basis.
We also found from our sampling that service agreements do not exist between Transport Canada and Critical Support Service Providers (e.g. Shared Services Canada and Public Services and Procurement Canada). With the transition to being dependent on services from external Critical Support Service Providers, departments must also ensure that formal service agreements are in place and that there are departmental recovery strategies including coordination mechanisms and procedures. Footnote 8
A systematic approach to the identification and ranking of critical services is found in Transport Canada’s Business Continuity Management at Transport Canada User Guide. The guide was created to assist in the development of Business Impact Analysis (BIA) and Business Continuity Plans. It is available to all staff on the departmental Intranet.
- Defining BCP roles and responsibilities in either job descriptions or the performance accords of key individuals.
- Ensuring the Terms of Reference for the Departmental Security Committee defines the frequency of meetings.
- Considering the development of formal service agreements with Critical Support Service Providers.
Generally, the BCP process involves carrying out a BIA to identify the various services provided by a function and then ranking the services by criticality and the maximum allowable downtime (MAD). Based on a BIA, a business continuity plan is then developed for each critical service to identify the actions to be taken and resources required to ensure the critical service can be restored/maintained within the MAD for that service.
We expected to find that BIAs have been conducted and reviewed on a regular basis to identify all critical services that require a business continuity plan and that necessary recovery strategies had been developed to ensure the continuity of the Department’s critical services and critical support services. We also expected the Department to coordinate with Critical Support Service Providers and other key internal stakeholders when developing, testing and updating their business continuity plans to ensure integration between all parties. Finally, we expected sufficient and relevant BCP training and tools are being provided to stakeholders.
Transport Canada has processes in place for the development, implementation, testing and updating of its business continuity plans. However, the adequacy of its BIAs has not been regularly reviewed nor is there evidence that business continuity plans are tested regularly. Key BCP staff are not always aware of BCP training and tools nor have they all received BCP training.
As described previously, the process is to first complete a BIA that identifies all services of a function and to rank and identify which services are critical. Business continuity plans are then prepared for services identified as critical. During our interviews, we were informed that the process followed was oftentimes reversed. In our sample review we found that two of 13 business continuity plans for each critical service were developed before the BIAs were developed, and three of 13 were developed after the BIA. The remaining eight BIAs could not be located. Conducting a review of BIAs on a regular basis ensures that updates are made in a timely manner to reflect the Department’s changing operating environment. In other words, a BIA review ensures that the most critical services to the Department have been identified and that business continuity plans have been developed. Without up-to-date BIAs, there is the risk that not all critical services that require a BCP have been identified or that BCPs are being maintained for services that are no longer considered critical.
The BIAs reviewed as part of our sample were created between 2006 and 2016 and the majority have not been updated since their inception. Following a tabletop BCP testing exercise in 2015, it was recommended that BIAs and business continuity plans be reviewed and updated. As of the date of this report, the Department is in the process of updating its BIAs. We had expected, however, that the BIAs would have been reviewed more frequently.
We assessed a sample of BIAs and BCPs against OCG criteria based on current guidance provided by Lead Security Agencies and the requirements of the TB Operational Security Standard – BCP and Management of Information Technology Security of 2004 and Public Safety’s All-Hazard Risk Assessment Guide of 2012-13. We found that BIAs and BCPs in the sample do not meet all of the OCG criteria but this is not unexpected given that the BIAs and BCPs were initially developed in 2006 and some of the criteria are based on later requirements. As the BCP Coordinator indicated to us, the BIA/BCP templates were developed based on the BCP guidance provided in 2006 and, therefore, the resulting BIAs and BCPs would have met the criteria that existed at that time. As Transport Canada is currently updating its BIAs and BCPs, it should ensure, where appropriate, that the revised BIAs and BCPs meet the OCG criteria.
For the sample of BIAs and business continuity plans reviewed, we found inconsistencies with the level of detail and information provided. A BIA should include two parts: Part I describes the business service, business impact and criticality, and maximum allowable downtime whereas Part II describes the resource requirements. We found that the majority of BIAs we reviewed did not include a Part II description of resource requirements. Without complete information, there is the risk that functional managers may not respond correctly to an event.
To ensure business continuity plans are reviewed on a regular basis, the BCP Coordinator sends a call letter twice a year asking all groups/regions to review and update their BCPs. Within our audit sample we found that although BCPs are being reviewed, there was no documentary evidence in the Records, Documents and Information Management System (RDIMS) of them being conducted biannually.
All business continuity plans dealt with the recovery or availability of electronic information necessary to carry out their functions. However, the plans did not identify the consequences of not being able to access IT services that are provided by Shared Services Canada. The business continuity plans identified the chosen recovery strategy but there was no description of the options considered before selecting the chosen strategy. It would not be possible, therefore, to determine if the strategy selected is in fact the best strategy, especially in a changing environment.
While testing has occurred in the form of the 2015 tabletop exercise, there was no evidence that this exercise included any CSSPs. The CSSPs should have been included, particularly if the scenario presented at the tabletop exercise required or impacted the provision of their critical services.
The BCP Program includes criteria and the requirement for testing of business continuity plans such that all business continuity plans will have been tested over the course of a three-year cycle. With the exception of one case in our sample, we found no evidence of the systematic testing of business continuity plans. Without testing BCPs, the Department cannot ensure that it could effectively respond to an event.
BCP training and tools have been developed and are available on the intranet. The Pacific Region developed an initial BCP Coordinators Training Guide, which was then adapted by the BCP Office for national use. The BCP Office has also developed BCP Training Presentations which are modified and tailored for specific groups. Tools include the BIA-BCP User Guide and various BIA-BCP templates. BCP training is also included as a component of the Canada School of Public Service’s Security Management training. However, the majority of staff we interviewed from the OCG sample were not aware of any BCP tools or training. The lack of training provided to functional managers could limit their ability to effectively execute their BCP responsibilities should an incident occur.
- Ensuring biennial reviews are conducted on all BIAs, biannual reviews are conducted on BCPs, and they are documented.
- Ensuring business continuity plans, at a minimum, are all tested on a three-year cycle as per the BCP Program, and that BCP exercises are coordinated with CSSPs and other stakeholders.
- Ensuring BCP training is offered, stakeholders are aware of it, and it is provided to key individuals in the BCP process.
The requirements for departments to monitor and report on the effectiveness of their BCP Program are established in the Treasury Board Policy on Government Security (PGS) (Footnote 9), Directive on Departmental Security Management (Footnote 10), and the Operational Security Standard – Business Continuity Planning Program (OSS-BCP) (Footnote 11). The policy, directive and operational standard also define roles, responsibilities and accountabilities for departments and lead security agencies.
We expected the Department to monitor and report both on the status of its BCP Program and its compliance with government policy.
Transport Canada monitors and reports to senior management on the status of the BCP Program and its compliance with government policy.
The Departmental Security Officer is the functional authority for the BCP Program within Transport Canada. The DSO reports to senior management on the overall status of the BCP Program, and reports annually on the Departmental Security Plan, which includes a specific section reporting on the overall status of the BCP Program as well as its compliance with government BCP Program requirements. At the last update to TMX in January 2016, TMX noted the need for updated BIAs, reduced BCPs and a decreased level of effort to update the BCPs. TMX approved a project timeline for the updating of BIAs.
In 2014 Transport Canada completed an internal review to assess its compliance with the Policy on Government Security (GSP). A GSP Compliance Review is to be completed every three years with the results presented to TMX and Treasury Board Secretariat. The 2014 review recommended that a tabletop exercise be conducted as a preliminary test of the business continuity plans.
Transport Canada conducted the tabletop exercise in September 2015 and made nine recommendations for improvement. In response, the Departmental Security Officer prepared an action plan, a key part of which includes replacing the individual departmental BIAs with a National BIA and reviewing the BIA every two years. The audit team supports this commitment and others included in the action plan.
Based on existing guidance and direction, the OCG has put together what it would expect to find in a BCP Program within a department. Considering Transport Canada is currently working on updating its BIAs and BCPs, it should ensure that, where appropriate, its BCP Program meets the OCG criteria.
- The current BIA/BCP renewal exercise should be carried out and address the OCG criteria set out in this audit.
We found that a governance framework is in place for the management of the departmental BCP Program. Departmental processes are also in place for the development, implementation, testing and updating of departmental BCPs. However, the foundational work to identify critical services has generally not been updated since the inception of BIAs in 2006. While resulting BCPs for the identified critical services are being updated, it is unknown if the critical services identified are still those relevant to requiring a BCP. Transport Canada has recognized the need to update its BIAs and BCPs and proactively embarked on a BIA/BCP renewal exercise in January 2016. Transport Canada needs to ensure that its current process for this renewal is carried out and conforms to the OCG’s expectations/criteria for a BCP Program.
It is recommended that the Assistant Deputy Minister, Corporate Services and Chief Financial Officer ensure that the following audit recommendations are addressed.
Audit of Business Continuity Planning (BCP)
Tabled and approved by DAEC on January 9, 2007
This publication is available upon request in accessible formats.
Contact: Multimedia Services Section Communications and Marketing Branch Industry Canada Room 264D, West Tower 235 Queen Street Ottawa ON K1A 0H5
Tel. : 613-948-1554 Fax: 613-947-7155 Email: [email protected]
Permission to Reproduce
Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Industry Canada, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Industry Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of, Industry Canada.
For permission to reproduce the information in this publication for commercial redistribution, please email: [email protected]
Aussi offert en français sous le titre Vérification de la planification de la continuité des activités ( PCA )
Table of Contents
- 1.1 Introduction
- 1.2 Overall Assessment
- 1.3 Main Findings, Conclusions, and Recommendations
- 1.3.1 Business Continuity Plan Governance (See Section 3.1 of the BCP Standard)
- 1.3.2 Business Impact Analysis (See Section 3.2 of the BCP Standard)
- 1.3.3 Business Continuity Action Plans and Arrangements (See Section 3.3 of the BCP Standard)
- 1.3.4 BCP Program Readiness (See Section 3.4 of the BCP Standard)
- 1.3.5 BCP Training and Awareness (See Section 3.4 of the BCP Standard)
- 2.1.1 Treasury Board of Canada Secretariat (TBS) Policy
- 2.1.2 Industry Canada Policy
- 2.1.3 Industry Canada's Identification of Critical and Essential Services
- 2.1.4 Public Safety and Emergency Preparedness Canada (PSEPC) Role
- 2.2 Audit Objectives
- 2.3 Audit Scope
- 2.4 Audit Approach
- 2.5 Audit Criteria
- 2.6 Appreciation
- 3.1 Business Continuity Plan Governance
- 3.2 Business Impact Analysis
- 3.3 BCP Action Plans and Arrangements
- 3.4 BCP Readiness
- 3.5 BCP Training and Awareness
- Appendix A: Management Response and Action Plan
In accordance with the Treasury Board of Canada Secretariat standards for operational security in the Government Security Policy (GSP), Industry Canada (IC) established a Business Continuity Planning (BCP) Program and identified critical and essential services. Public Safety and Emergency Preparedness Canada (PSEPC) has the mandate to review plans of federal departments to ensure that they are able to continue operating during emergencies and has requested auditors of departments to audit business continuity planning. In accordance with this request by PSEPC, Industry Canada has undertaken an internal audit of its BCP program.
Overall the audit found that the BCP program is built on a solid foundation and provides some assurance that the organization will manage critical and essential services during major disruptions and emergencies. However, the audit found that complete assurance could not be provided because: no comprehensive exercise program exists; and, serious questions remain about the integration of IM/IT for the critical BCP plans.
1.3 Main Findings, Conclusions, and Recommendations
The audit found that Industry Canada has a well-administered BCP program overall. In the sectors, some of the essential functions do not give enough priority to their BCP. The audit found serious concerns with the integration of the business continuity plans for critical functions with IT continuity planning and found no comprehensive exercise program.
The control objective is to ensure that Industry Canada has assigned responsibility for the BCP program in accordance with the standard.
We found that Industry Canada has appointed an effective and efficient BCP coordinator who reports to the Director, Security and Departmental Security Officer (DSO). A BCP Steering Committee meets approximately every 6 months to discuss strategic issues related to BCP. A BCP Working Group includes representatives from the various corporate services and the critical functions.
The essential conditions of stable governance and strategic direction are in place for providing effective business continuity planning, support to the Deputy Minister, and the delivery of results. Several improvements could make the overall governance better as described in the following recommendations:
An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should be done every two years in order to respond to rapidly changing risks and circumstances. In addition each sector should include a review of business continuity planning in their annual business planning cycle.
Industry Canada should identify key external dependencies. These dependencies should be assessed as to their significance for the business continuity plan to be successful. A plan should then be developed and documented to minimize any risk exposure. Where appropriate, there should be memoranda of understanding or equivalent agreements negotiated with these external dependencies.
After a thorough challenge to the business continuity plans, internal dependencies (IM/IT services, for example) need to be identified and documented. Internal service level agreements, or some equivalent, need to be negotiated in order to ensure that appropriate services are available to support the execution of the sector business continuity plans.
The control objective is to ensure that an effective BCP program is based on a Business Impact Assessment (BIA). The BIA identifies and quantifies the direct and indirect, quantitative and qualitative impacts on critical and essential services due to disruptions and emergencies.
Industry Canada has used BIAs as a tool for examining essential services but has not done them for all critical services. The information gained by a detailed impact assessment provides management with information helpful to establishing priorities and identifying key services.
The information gained by doing a Business Impact Assessment could contribute value to the business continuity plans. Although the audit is not making a specific recommendation, Industry Canada might consider that Business Impact Assessments be done and maintained for all business functions so as to ensure that the BCP programs for service functions such as CIO, Facilities, and Security are appropriate, responsive and complete.
The control objective is to ensure the completeness of the business continuity plans by encouraging the use of Business Impact Assessments and Threat and Risk Assessments (TRAs). Another control objective is to ensure that recovery options have been thoroughly analyzed so as to provide information to management regarding appropriate choices and priorities.
We noted that the various business continuity plans were developed in parallel in Industry Canada and they have not benefited from a collaborative effort to identify dependencies of one function on another. In particular, dependencies on facilities and on IM/IT tools have been listed in some business continuity plans without corresponding responses from those responsible for those areas. This results in business continuity plans that may not stand up in a real emergency. Also, without good analysis of recovery options accompanied by estimates of costs, management decisions and choices in emergency situations may result in expensive or suboptimal recoveries. We observed also that business continuity recovery strategies were sketchy and left for Response teams to create ad hoc.
BCP programs would benefit if they were completely integrated with respect to support functions and dependencies (see recommendations 2 & 3). They should include recovery options showing detailed steps to provide critical and essential services including full costs and analysis as to risks and threats.
Planning the development of the TRAs should be done jointly by both the DSO and the Chief Information Officer (CIO). The coordinated planning will ensure that both physical and IT-related security issues are fully covered and no gaps occur. In addition, any BCP-related issues should be considered in the development of the TRAs so the BCP Coordinators can benefit from the results of the TRAs. The results of the data gathered in the TRAs can be shared by the DSO and the CIO.
Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IM/IT requirements. These costs can then be used for management decisions of priorities and choices made in the plans.
Business continuity plans and associated documents would benefit from a change management control system by providing a reader with information as to the latest update for any significant change (e.g. mandate of the critical and essential functions) to the plan as well as the nature and origin of the changes.
1.3.4 BCP Program Readiness (See Section 3.4 of the BCP Standard)
The control objective is to ensure that Industry Canada has kept its BCP programs up-to-date. Business continuity plans benefit from a regular exercise program. All incidents, disruptions and emergencies provide lessons learned that can result in a more thorough review and update of the plans.
The audit found that Industry Canada did not have a regular exercise program in place and has not developed a way of sharing lessons learned from a database of incidents, disruptions and emergencies.
Industry Canada business continuity plans are updated quarterly or semi-annually when names, roles and/or phone numbers change. There is no change management control system for the business continuity plans (see recommendation 6). We noted that there is no regular test or exercise program. There are no standard templates for capturing lessons learned from real events or from exercises and any information that is kept is not readily accessible to business continuity planners unless they contact the IC BCP coordinator who maintains a file.
An effective annual exercise should be conducted.
Industry Canada should implement a procedure to capture lessons learned from real events and exercises. Lessons learned from exercises and from real disruptions and incidents should be made available to business continuity coordinators so as to provide useful material with which to make substantive changes and improvements to the business continuity plans as required. The captured information of incidents and lessons learned should be used also to create training and awareness materials for managers and senior staff.
1.3.5 BCP Training and Awareness (See Section 3.4 of the BCP Standard)
The control objective is to ensure that training and instruction have been developed, funded and used to support the BCP program. Specialized training is required for security specialists and for business continuity planners. General awareness programs are needed to sensitize staff to emergency planning and to create an environment where people have confidence that their managers will act correctly with respect to health and safety, and protection of assets.
The audit found that the BCP coordinator has received annual training. However, we did not find that all other BCP coordinators and key managers attended annual BCP-related training, and some have not had any external BCP training courses.
We noted that the Industry Canada BCP coordinator and some of the sector BCP coordinators have been trained and have kept up their awareness through attendance at conferences. Others have received only in-house presentations and lack practical experience in handling emergencies. In addition, general awareness amongst management and senior staff of business continuity planning and emergency planning could be improved.
Industry Canada could improve the education of sector and regional business continuity and emergency planners by ensuring that their annual career development plan includes the appropriate business continuity and emergency planning courses and seminars based on the scope of their BCP responsibilities.
Industry Canada should ensure that its BCP policy is well communicated and understood.
The following suggestion may be considered:
Industry Canada could improve general awareness of business continuity and emergency planning issues by taking advantage of the intranet, by having a program during the annual BCP awareness week, and by promoting on site presentations by the BCP coordinator.
From the Treasury Board of Canada Secretariat 'Operational Security Standard—Business Continuity Planning Program':
In accordance with sections 10.1, 10.14 and 10.12.4 of the Government Security Policy (GSP), the continued delivery of government services must be assured through baseline security requirements, business continuity planning, including Information Management (IM) and Information Technology (IT) continuity planning, and continuous risk management. The GSP and its associated standards describe these baseline security requirements. They are based on a government-wide threat and risk assessment and are designed to protect the resources on which the government relies to deliver services: employees, information and other assets. As part of baseline security requirements, departments must establish a Business Continuity Planning (BCP) Program to provide for the continued availability of:
- Services and associated assets that are critical to the health, safety, security or economic well-being of Canadians, or the effective functioning of government. Unavailability would result in a high degree of injury to Canadians and government.
- Other services and assets when warranted by a threat and risk assessment.
The BCP Program complements emergency preparedness that is mandated by legislation or government policy (e.g. fire and building evacuation plans; civil emergency plans). It also supports planning that is necessary to restore other-than-critical services and their associated assets and resources; departments should use this program to incorporate their planning for other-than-critical services.
Operational Security Standard—Business Continuity Planning Program, Treasury Board of Canada Secretariat
In accordance with the above Standard, Industry Canada set out the following Policy Statement:
In order to support the national interest and the Government of Canada's business objectives for safeguarding employees and assets and assuring the continued delivery of services, Industry Canada is establishing a business continuity planning program to provide for the continued availability of critical services and assets, and other services when warranted by a threat and risk assessment and will ensure that business continuity plans are developed, implemented and maintained.
Policy Statement, Industry Canada
Based on the Treasury Board definition of 'critical services', Industry Canada has identified its critical and essential services.
Under the National Security Policy of 2004, Public Safety and Emergency Preparedness Canada (PSEPC) has the responsibility for "strengthening, testing and auditing of key capabilities and conducting assessments of other departments. This will include a review of the plans of federal departments to ensure they are able to continue operating during emergencies."
This direction is further amplified by providing direction to Government of Canada departments under "The Way Forward—Strategic Coordination". The relevant paragraph reads as follows:
The Government needs to be able to continue to provide core services to Canadians during emergencies. Building on existing work in this regard, federal departments will ensure that they can continue to serve Canadians regardless of the circumstances by strengthening their continuity planning process and requiring regular exercise to test these plans.
The Way Forward—Strategic Coordination
The internal auditors of departments are requested to collaborate with PSEPC to ensure that, as a first step, BCP Programs are audited by departments. At a later stage PSEPC will begin an independent third-party BCP audit and examination program.
In accordance with the above request by PSEPC, Industry Canada has undertaken an internal audit of its BCP Programs.
The following audit objectives are grouped based on the BCP Standard:
- BCP Governance (Section 3.1 of the BCP standard): Ensure the department has established a governance structure for the BCP Program.
- Business Impact Analysis (Section 3.2 of the BCP standard): Ensure the department has completed a business impact analysis to select and prioritize its critical services and to identify the impacts of disruptions on the department.
- Plans and Arrangements (Section 3.3 of the BCP standard): Ensure the department has developed plans and arrangements to provide for the continuous availability of critical services. This includes putting teams into place for recovering the services and, where warranted, identifying an alternate site from which to deliver critical services.
- BCP Readiness (Section 3.4 of the BCP standard): Ensure the department has put in place a regime of continuous maintenance, training, testing, audit and exercises to keep the BCP program up-to-date and ready to be deployed when a disruption occurs.
- BCP Training and Awareness (Section 3.5 of the BCP standard): Ensure that appropriate security and business continuity training has been provided to security and BCP specialists and emergency planners. Ensure that training, instruction and awareness programs are in place within the department so that staff who have been given a full- or part-time role performing BCP-related duties are able to support the BCP program appropriately.
The audit examined the business continuity planning of Industry Canada in place as of March 31, 2006.
The audit was performed following a standard audit process based on professional standards that are in compliance with the Standards for the Professional Practice of Internal Auditing (Institute of Internal Auditors).
Detailed audit criteria used during this audit were drawn from the 'Guide to the Audit of Business Continuity Planning Programs' Draft dated June 2004 and published by Public Safety and Emergency Preparedness Canada.
The audit team wishes to express their appreciation to the Industry Canada managers and staff that made themselves available and provided all requested documentation. Our special thanks to the BCP coordinator for her support and work.
3.0 Detailed Audit Findings and Recommendations
Industry Canada has a governance structure in place for the BCP program. Responsibility has been delegated from the Deputy Minister to the Senior Associate Deputy Minister and to the ADM, Comptrollership and Administration. The DSO for the department has administrative responsibility for the program. The departmental BCP coordinator reports to the DSO.
A BCP Steering Committee is chaired by the ADM and has representatives of the Industry Canada Sectors that manage critical functions and includes representatives from various corporate services. The Steering Committee is the decision-making body regarding BCP. A Business Continuity Working Group handles coordination and support issues. The Working Group has key operational managers in its membership. Sectors that manage critical functions have full-time BCP and emergency planning coordinators. Sectors that manage essential services have part-time BCP and emergency coordinators. Response teams have been identified and lists of relevant contact information have been created and are regularly maintained.
Although Industry Canada contracted with outside experts to assist in creating its BCP program originally, we found that no independent challenge or evaluation of the plans has occurred since. In particular, an independent evaluation could clarify and identify assumptions, inter-relationships, dependencies and service requirements in the plans that require careful negotiation between the organizations and business units involved.
Industry Canada sectors and service functions have focused inwardly in their BCP programs. Hence, Industry Canada has not thoroughly examined external dependencies for successful execution of the plans. Where key dependencies exist, their significance to the BCP needs to be assessed and a plan developed and documented to minimize the exposure.
There are assumptions made and requirements identified in the plans for levels of service needed internally for successful responses to emergencies. Where these internal service requirements have been identified there are no service level agreements in place to assure the business units that the required priority and levels of service will be provided in an emergency.
Industry Canada has not completed business impact analyses for all of its business lines although this is recommended by PSEPC. In the case of critical services, for example, senior management identified the critical services and made the decision to proceed with creation of BCP plans without first completing business impact analyses. Although the audit is not making a specific recommendation, Industry Canada might consider that Business Impact Assessments be done and maintained for all business functions so as to ensure that the BCP programs for service functions such as CIO, Facilities, and Security are appropriate, responsive and complete.
Threat and Risk Assessments (TRAs) are a valuable source of information, and complemented by business impact assessments can be used to ensure that business continuity planning includes consideration of all possible factors affecting services to the Canadian public. We found that two types of threat and risk assessments are done at Industry Canada, one for physical security and the other for security of information technology. The two types are not linked but are done independently of each other. While some BCP-related questions were added to the physical security questionnaire recently, we noted that the questions could be improved. The IT TRA does not include questions related to business continuity or emergency planning.
Planning the development of the TRAs should be done jointly by both the DSO and the CIO. The coordinated planning will ensure that both physical and IT-related security issues are fully covered and no gaps occur. In addition, any BCP-related issues should be considered in the development of the TRAs so the BCP Coordinators can benefit from the results of the TRAs. The results of the data gathered in the TRAs can be shared by the DSO and CIO.
The Operational Security Standard—Business Continuity Planning Program requires departments to include instructions describing how critical and essential business services are to be recovered in an emergency. The Standard calls for the development of recovery options from which a recovery strategy may be selected. Recovery options are to be estimated as to costs. Risks and benefits are to be identified, and impacts are to be assessed. The selected strategies are to be approved and funded by senior management. We noted that some plans, such as the BCP for the Canadian Intellectual Property Office (CIPO), have such detailed recovery instructions. The other business continuity plans need some improvement as they do not document in detail how to recover critical and essential business functions, or appear to be copied from some other source.
Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IT/IM requirements. These costs can then be used for management decisions of priorities and choices made in the plans.
Business continuity plans and associated documents would benefit from a change management control system that provides a reader with information as to the latest update for any significant change (e.g. mandate of the critical and essential functions) to the plan as well as the nature and origin of the changes.
The Operational Security Standard—Business Continuity Planning (BCP) Program requires regular testing and validation of all plans including capture of lessons learned. Our audit found that, although some exercises had been done, in most cases the business continuity plans had not been exercised at all. No plans for an annual exercise exist for the sector business continuity plans.
Although the BCP coordinator and the BCP planners for the critical services have received formal training, the regional planners and sector planners generally have only had internal orientation and training sessions.
The audit found that the Industry Canada BCP policy has not been made available to all staff and some business continuity planners were unaware of the policy.
Industry Canada does not have a general awareness program for business continuity planning that takes advantage of various methodologies for reaching Industry Canada staff.
Appendix A—Management Response and Action Plan
Planning Update: Tax and Benefit Administration and the COVID-19 Pandemic in 2020–21
Each year, the Canada Revenue Agency (CRA) prepares a Corporate Business Plan (CBP) and Departmental Plan (DP). The Summary of the CBP and DP are tabled in Parliament and are important tools to inform Canadians of how the CRA intends to use its resources to fulfill its core responsibilities of administering tax and benefit programs. The CRA’s CBP and DP for fiscal year 2020–21 with perspectives to 2022–23 were developed prior to the COVID‑19 pandemic.
This planning update describes the impact of the COVID-19 pandemic on the CRA’s previously reported plans for fiscal year 2020–21. It provides the most current information available as of September 2020. As the pandemic continues, it may have additional impacts on the CRA’s plans.
The pandemic required the CRA to rapidly launch new programs to deliver on the Government of Canada’s Economic Response Plan. The CRA’s work in recent years to transform into a client-centric, digital organization positioned it well to respond to the pandemic and support Canadians in this difficult time. However, the magnitude of the effort and the need to adapt to the changing public health and economic circumstances have impacted our operations this year. Moreover, in an environment where cybercriminals and scammers continue to use more sophisticated means against the CRA and our clients, we will continue to adapt our practices to protect our clients’ personal information and build their trust in us.
Contextualizing our priorities
The CRA and its Board of Management remain committed to the following five priorities:
- Providing a seamless service experience
- Maintaining fairness in Canada’s tax and benefits administration
- Strengthening trust, transparency and accountability
- Enabling innovation
- Empowering our people to excel
These priorities will continue to guide the delivery of the CRA’s core responsibilities. They have proven to be essential to the CRA’s operations during the pandemic and responding to the evolving needs of Canadians. As the CRA continues to deliver emergency measures, it has placed service and empathy at the forefront in all of its interactions, while continuing to provide accurate information and promote compliance to ensure the tax and benefits administration remains fair for all Canadians.
We recognize maintaining this fairness, particularly in the administration of emergency measures, is fundamental to Canadians’ trust in us. Despite the CRA’s actions to combat scams, identity theft happens every year, and cyber incidents are a regular occurrence. Scammers acquire taxpayers’ personal information through a variety of means, such as phishing scams and data leaks or breaches stemming from organizations outside the CRA. As scammers adapt their practices, so does the CRA. We routinely monitor accounts for suspicious activity to detect, prevent and address potential instances of fraud and identity theft, whether or not this activity is related to cyberattacks. The CRA works to quickly notify individuals whose accounts may have been compromised and offers credit protection services free of charge to help prevent fraudulent activity. Additionally, we will continue to work diligently to identify threats to the security of information and improve cyber security, to prevent and detect fraud and the misuse of information.
Finally, the CRA is ensuring that the workplace—whether at home or in office—is healthy and safe, and employees have the tools and support they need to continue to deliver emergency measures and provide service to Canadians.
A primary focus of the CRA this year will be to ensure that the new and essential COVID‑19 emergency measures are effectively implemented and managed to support Canadians and businesses facing hardship as a result of the pandemic. The COVID‑19 pandemic has impacted the 2020 tax filing season and is expected to affect the CRA’s overall performance and delivery of commitments to Canadians outlined in corporate plans for 2020–21, with potential impacts in 2021–22 as well. We will provide a full account of these impacts in future departmental results reports. The CRA will also continue to track and report online on the delivery of emergency measures.
Administering emergency measures in response to the COVID‑19 pandemic
The COVID‑19 pandemic has had an unprecedented impact on the lives of Canadians. The CRA’s vision of being trusted, fair and helpful by putting people first has guided our actions to support clients during this pandemic. As part of Canada’s COVID‑19 Economic Response Plan, the CRA took action to help clients facing hardship, while ensuring that any privacy implications were reviewed, mitigated, and addressed when required. A complete catalogue of changes to CRA services, due dates and programs affected by the pandemic is available on the CRA and COVID-19 web page.
In response to the pandemic, the CRA is administering the following emergency measures:
- the Canada emergency response benefit (CERB), to provide income support for people facing unemployment, who are sick, quarantined, or in directed self-isolation
- the Canada emergency student benefit (CESB), to provide funding for post-secondary students and graduating high school students who do not qualify for the CERB
- the Canada emergency wage subsidy (CEWS), to support employers and protect jobs
- a one-time special payment through the goods and services/harmonized sales tax (GST/HST) credit, to provide additional income support for low income individuals
- the temporary wage subsidy (TWS), to support eligible employers by reducing the amount of payroll deductions required to be remitted to the CRA
- a one-time payment increase of an extra $300 for each child, under the Canada child benefit (CCB), to deliver additional support for families with children already receiving the CCB
- support to the provinces and territories by providing assistance to deliver additional tax credits or benefits
To add integrity to the administration of the CERB and CESB and to guard against instances in which individuals may be defrauded, the CRA increased its requirements for applications. This will help the CRA complete applications securely.
The CRA is also providing flexibilities to help clients through the pandemic, including:
- extension of certain filing and payment deadlines that may pose unnecessary strain on individuals, businesses, trusts and charities
- continuation of benefit payments, such as the GST/HST credit and CCB, until September 2020 for those who are unable to file their tax return on time
- temporary waiver of interest on existing tax debts related to individual, corporate, and trust income tax returns to ensure existing tax debt does not continue to grow through interest charges during this difficult time
- focus on higher dollar audits first, audits close to completion and prioritizing actions that are beneficial to the taxpayer or where taxpayers have indicated there is an urgency to advancing their audit
- deferral of other CRA actions that might pose a burden on clients, including suspending collections activities on all debts, except for high‑risk cases
- temporary administrative policies to reduce or eliminate unintended tax effects of COVID‑19 travel restrictions on individuals and corporations
- alleviation of cash flow pressures on businesses, including processing scientific research and experimental development tax credits and issuing payments
- flexibility in the use of communication methods where an interaction with the taxpayer has already been initiated for audit and complex special election returns processes
The CRA is continuing to offer tax and benefits administration services while adjusting to respect public health advice where required. This includes:
- adapting the Outreach Program and Liaison Officer Program, traditionally available in person, to be accessible over the phone to provide urgently needed information for clients, including small businesses and self-employed individuals
- supporting free virtual tax clinics hosted by community organizations, by videoconference or phone, through the Community Volunteer Income Tax Program (CVITP) and the Income Tax Assistance – Volunteer Program in Quebec
- implementing the new Individual Tax Filing Assistant Project to help certain clients file their tax returns, such as clients eligible for the CVITP
- accepting electronic signatures on forms to authorize a representative to file income tax returns electronically on behalf of individuals or corporations, to meet the evolving expectations of taxpayers and electronic filers and to reduce administrative burden
- continuing to deliver critical services, such as processing requests by clients that result in issuing refunds or tax credits or benefits, adjustments and clearance certificates
The CRA will continue to engage stakeholders to ensure its approach remains world-class and communicate clearly as the pandemic evolves. Specifically, we will:
- work with international partners, such as the Forum on Tax Administration (FTA), to share guidance and best practices on tax administration responses to the COVID‑19 pandemic, including the implementation of fiscal measures, and ensuring business continuity
- engage provincial and territorial tax administrations to keep them informed and, where appropriate, coordinate activities
- communicate regularly with members of the tax community, including industry associations, to provide updates and clarity regarding measures being taken to help clients
Ensuring the continuity of business and employees’ connectivity
In response to the COVID‑19 pandemic, the CRA implemented a national COVID‑19 Business Continuity Plan to ensure the delivery of critical services. During the initial phase of the plan, we implemented timely measures to ensure the connectivity of all employees. The actions the CRA has taken have been in collaboration with the unions. This relationship has been key in supporting workforce agility throughout the pandemic.
The CRA will continue to foster a thriving workforce by supporting employees, the majority of whom are now working remotely, through technology and processes, including:
- increasing secure remote access (SRA) infrastructure to enable more users to connect to the CRA network remotely, and providing more bandwidth for those connections
- providing equipment and changing paper processes to make them digital, to ensure the ability to work remotely
- reviewing and adapting various internal mechanisms, policies, guidelines, and procedures to ensure they are relevant and able to support the CRA’s response to the COVID‑19 pandemic
Resuming business during the COVID‑19 pandemic
The CRA’s plans for resuming business during 2020–21 will be strategic and incremental, taking into account employee safety and readiness, program readiness, compliance risks, public awareness and opinion, tax policy priorities, and our clients’ resilience. We will focus on the areas that are most important in terms of service, and address the most egregious cases of non-compliance.
Employees’ and clients’ health and safety are the CRA’s primary concern. In this regard, we have based our health protocols on guidance from the Public Health Agency of Canada and Health Canada, as well as local public health authorities. It is expected that most employees will work remotely for the foreseeable future. CRA buildings will continue to follow health guidelines so that CRA worksites can be kept safe for employees who have continued to work from or need to return to them. Similarly, the CRA has developed protocols and risk mitigation procedures for exceptional cases where in-person interaction with clients is needed.
The CRA will also continue to support employee psychological health through the use of the Employee Assistance Program and as guided by our well-being strategy.
Our business resumption is rooted in our core values and beliefs as an organization. The CRA’s vision of being trusted, fair and helpful by putting people first is at the core of our approach to resumption, especially with so many individuals and businesses still facing the impacts of the pandemic. This means supporting our clients facing hardship and assisting them to meet their tax obligations. Since spring 2020, we have progressively resumed compliance operations, and by the fall, we expect to have in place a more focused version of all of our compliance programs. Our audit efforts will be focused on the highest risk cases. It is important, now more than ever, that we prioritize an empathetic approach as we resume regular activities.
Clear, up to date, consistent and frequent communications on all decisions regarding business resumption will be essential. The CRA will use national, regional and local messages to communicate with employees and external stakeholders.
Seizing opportunities as we adapt
The need to adapt quickly and in some instances, assume the responsibility of delivering new programs, has demonstrated the resilience of the CRA and its employees. While the pandemic continues to be a challenge, it also provides the opportunity for innovation as the CRA resumes its business and adapts to the changing circumstances of a low-contact and physically-distant reality.
Our response to the pandemic allowed us to accelerate our digital transformation while maintaining clients’ privacy at the centre of our preoccupations. Our digital transformation is driven by our priorities to provide seamless service to Canadians; to strengthen trust, transparency and accountability in the CRA; and to enable innovative ideas and ways of working.
In 2020–21, the CRA will continue to accelerate its digital program to integrate modern technology and practices in the following areas:
- delivering high quality interactions across all channels and programs
- collaborating with clients, industry, and other government entities to drive shared innovation as well as improvement in tools, services and mindsets
- modernizing practices and approaches to enable greater organizational flexibility
- preparing the organization to realize the potential of digital transformation
The CRA has identified and enhanced measures to empower our people as they work. The CRA has sharpened its focus on enabling a workforce that will predominantly be working remotely. To this end, the CRA will continue to equip employees and explore technology and tools to help them be more effective in their role, while supporting their physical and psychological health and safety. We will also consider our traditional approach to the geographic scope of staffing exercises in light of the realities of working more remotely and the opportunity to employ a workforce that best meets the needs of our transformation.
Increased worldwide attention on systemic racism gives additional impetus to our ongoing efforts to foster a workforce that represents Canada’s diversity, while continuously creating an environment where individuals are safe to be themselves. The CRA will enhance efforts to eliminate systemic discrimination and harassment.
Working remotely has the benefit of reducing greenhouse gas (GHG) emissions from employee commuting while restrictions to travel and the use of technology to participate virtually in meetings will reduce the GHG emission from business air travel. The increased digitization of paper processes is also expected to decrease our consumption of paper. These results align with the CRA Departmental Sustainable Development Strategy 2020 to 2023.
The pandemic has inspired us to intensify our transformation to a more people-centric organization. Although the pandemic may continue to require physical distancing, we must continue to keep people at the centre of how we deliver programs and services in this changing environment. It is ultimately people who have been impacted by the pandemic, and we will increase our efforts to be empathic as we deliver emergency measures alongside our tax and benefit programs.
The way forward
The CRA demonstrated its agility in responding to the pandemic. We mobilized people and allocated resources to key priorities and were open to accepting more risk in favour of faster delivery of projects. We will learn from this experience and challenge ourselves to apply this knowledge in different situations.
One of the lessons that we will take forward is the resilience of our priorities even during moments of great change and uncertainty. When the need arose for thousands of CRA employees to deliver new programs to Canadians, providing seamless service and sincere empathy emerged as the most important considerations. Maintaining fairness informed the CRA’s decision to be flexible in helping people affected by the pandemic. We continue to prioritize transparency and accountability to ensure that trust remains strong. We are delivering the programs identified in the GC Economic Response Plan by cultivating an environment that enables innovation and ultimately, empowers our people to excel.
The CRA will continue to conduct all of its activities with the utmost integrity. In 2020–21, we will carefully verify the eligibility of our clients for the new programs launched during the pandemic, focusing on compliance actions to address issues such as misuse and fraud. We will apply a respectful approach, even when investigating fraudulent claims for emergency benefits.
A key concern of Canadians is the constant threat of increasingly sophisticated cybersecurity threats. As noted in the CRA Privacy Management Framework, the CRA is committed to upholding the trust that Canadians place in our organization. To meet their expectations, the CRA is continuously enhancing its security controls, and managing a wide range of security risks in a fast-changing and sophisticated threat environment. We will continue to make investments in security to protect data, information assets, and information technology structure from these threats.
As stated in our Corporate Business Plan, innovation is the positive change that is required to adapt to current challenges and changing circumstances. Our organization’s innovative mindset has been essential to delivering the Government of Canada’s response to the pandemic. As we move forward with resuming our regular business, this mindset will continue to play an important role, as we consider how the lessons learned during the pandemic can drive innovation. It is, furthermore, the resiliency of our people and their ability to handle the shifts in focus that made managing the pandemic possible and will continue to be essential in managing the way forward. Our people are fundamental as we strive to be a world class tax and benefit administration that is trusted, fair and helpful by putting people first.
Prepare for the unexpected - Build a Business Continuity Plan
Every business should have a Business Continuity Plan. No business is immune to the risks of disruption or disaster. Nobody thinks an emergency event will happen to them, but preparing your business to survive such an event is vital for every business owner.
This practical guide takes you through the essential steps to build your own Business Continuity Plan. It provides easy-to-use templates and checklists that can be filled out, creating a comprehensive business continuity plan unique to your business needs.
Canada planning $20-billion in subsidies for carbon capture, clean tech: source
Finance Minister Chrystia Freeland speaks during a news conference in Ottawa, on Nov. 7. Adrian Wyld/The Canadian Press
Canada’s government will present legislation this month to start paying subsidies for carbon capture and net-zero energy projects, a source with direct knowledge of the matter told Reuters, part of a plan worth around $20-billion over five years.
A long delay in state support for carbon capture utilization and storage (CCUS) projects and for equipment used to produce low-carbon energy prompted industry lobbies to warn in September that some $50-billion worth of investments were at risk if the government did not act soon to provide some certainty for the sector.
Finance Minister Chrystia Freeland will announce the investment tax credit (ITC) funding when she presents the so-called Fall Economic Statement (FES) to parliament on Tuesday afternoon, the source added.
It will be included in the FES legislation to be sent to parliament later this month, the source said. Previous budget documents estimated all five of the ITC programs together would funnel an estimated $27-billion during their first five years in operation.
The government will concurrently introduce to parliament the labour provisions that will be tied to most of the ITCs. They require investors pay workers the prevailing union wage and provide apprenticeship opportunities in order to collect the maximum subsidy.
Canada is lagging the U.S. on the incentives seen as necessary to spur investment in new, low-carbon technologies. Washington has been offering massive incentives to clean tech companies under the U.S. Inflation Reduction Act (IRA) for well over a year.
President Joe Biden has lauded the $430-billion IRA passed in August, 2022, as an economic powerhouse. Bank of America estimates it has already spurred $132-billion of investment across more than 270 new clean energy projects.
CCUS is seen as vital to cutting emissions from Alberta’s oil sands without slashing production. Canada is the world’s fourth-largest oil producer.
The transition to a low-carbon economy is a cornerstone of Prime Minister Justin Trudeau’s economic policy and ITCs are key to help the government meet its goal of net-zero emissions by 2050.
There is “a global race for capital and investments in these sorts of projects,” the source said. “The government is trying to provide certainty to investors.”
The finance ministry does not comment on fiscal documents before their publication, a spokesperson said.
The CCUS ITC was first announced in the spring of 2021, and the clean tech ITCs were announced a year later – both before the IRA was launched – but Canada is only now launching the legislation needed to get the money flowing.
Freeland will also provide a timeline for the other promised ITCs, with public consultations for two of the three remaining programs starting this year and legislation for all of them put forward by the end of next year, said the source, who was not authorized to speak on the record.
Funding for ITCs for machinery and other tools needed to build green technologies, and for producing hydrogen, is likely to be presented in the spring of 2024, with clean electricity ITCs coming in the fall, the source said.
The FES will offer additional spending to boost construction amid a housing supply crunch, the source said.
The fiscal statement will also put forward additional reforms to the Competition Act, the source said, in a bid to address affordability issues. The changes will be more broad than those announced earlier this year, and will address things like predatory pricing, the source said.
Business flood plan checklists
Updated 16 November 2023
Applies to England
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: [email protected] .
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/preparing-your-business-for-flooding/business-flood-plan-checklists
Taking simple steps can go a long way to protect your business from flooding. Preparing in advance will make it easier to respond to and recover from a flood.
Your business should have a flood plan. Keep it in a safe and accessible place, away from potential flood water.
Read our personal flood plan advice for core steps to take to stay safe in a flood.
1. Before a flood
Actions you can take to protect your business include:
- check your insurance covers you for flood damage, business interruption and lost revenue
- adapt your business to the risk of flooding
- check that your flood prevention products or flood warning systems function properly
- use your existing maintenance procedures as an opportunity to reduce your flood risk
- include potential impacts of a flood on staff in your health and safety assessments
- agree flood contingency plans with suppliers, customers and contract management
- plan for preventing business disruption and assisting recovery (known as business continuity)
2. Business flood plan checklist
Here are examples of information you could include in your plan:
- trigger points for action that make the most sense for your plan, for example water in the car park
- what should happen at these trigger points and what might change if the flood gets worse
- security procedures you might need to activate during a flood
- a description or map of emergency routes and evacuation points
- shut off points for gas, electricity and water, and details of any emergency power source
- details of items that may need special protective measures, for example hazardous or refrigerated materials, and what to do with them
For your data and information:
- safe storage of data and information, for example customer and staff records
- moving important documents to a location where they won’t be damaged by flood water
For your people:
- emergency contact information, including out of normal hours
- a note of staff who may need assistance when flooding happens
- details of where a first aid kit, safety equipment or medical supplies are located
- details of actions for your staff to take and the training they may need to carry out these roles and responsibilities
Make a person, or group of people, responsible for managing a flood emergency, including:
- carrying out your flood plan
- making decisions
- contacting relevant people on and off site
- speaking with public authorities
- managing other staff
You should make a list of important contacts, including:
- building services
- evacuation contacts for staff
These organisations may be able to help with:
- installing flood protection products
- moving stock and important items to safe locations
- emergency storage
- emergency supplies
- medical support
Others who can help might include:
- local business and community networks
- chambers of commerce
- your local council
Make sure you know what you must do under relevant regulations and legislation, including:
- health and safety
- environmental management
- financial management
3. Immediately before a flood
If flooding is about to happen, check your staff:
- know what to do in a flood
- know their role and responsibilities
- know how to communicate in an emergency
4. When a flood happens
Follow your flood plan. You can also follow advice in:
- personal flood plan
- what to do before or during a flood
5. After a flood
- what to do after a flood
6. Campsites and caravan parks
We have specific guidance for managing the flood risk of your campsite or caravan park.