Audit of Business Continuity Plans for Critical Services
Organization: Health Canada
Date published: September 2022
Prepared by the Office of Audit and Evaluation
Executive summary
Context
The 2019 Treasury Board of Canada Directive on Security Management requires departments and agencies to define, document, and maintain continuity strategies and recovery priorities, so that they may be used in the event of a disruption to maintain an acceptable level of delivery of critical services and activities. Continuity of critical services has been essential for both the Public Health Agency of Canada (PHAC) and Health Canada (HC)'s response to the COVID-19 pandemic, as its success hinges on the ability of the Department and Agency to remain operational and provide continued services to Canadians.
A critical service is defined by Public Safety Canada as "Any service or activity whose disruption would result in a high or very high degree of injury to the health, safety, security, or economic well-being of Canadians, or to the effective functioning of the government of Canada."
Individual branches within PHAC and HC are responsible for developing and maintaining their business continuity plans (BCPs). The Corporate Services Branch (CSB) is responsible for the BCP process and for providing a coordinating function for the Department and Agency. CSB began revising all BCP processes, tools, and templates in 2019. This initiative was delayed due to the pandemic.
As the Department and Agency continue to be at the forefront of Canada's pandemic response, new risks have emerged and will continue to evolve. Since the working environment has changed significantly, BCPs may have become outdated, increasing the risk of non-continuity of critical services, should further disruptions occur. This audit was intended to provide specific assurance that the Department and Agency have maintained up-to-date BCPs during the pandemic.
Audit objective
The objective of this audit was to provide assurance that the Department and Agency have identified and prioritized critical services as part of the BCP process to ensure, in the event of a subsequent emergency, the continued availability of its critical services.
The scope of this audit included a review of a sample of BCPs from the critical services category of Emergency Preparedness and Response against Infectious Disease. The audit did not include a review of the management of business continuity plans, their related databases, nor of the appropriateness of templates and Business Impact Assessments. We examined whether HC and PHAC had up-to-date BCPs to enable continuity of services in the current environment, regardless of the format of these plans.
Findings
Good processes and best practices
- Some areas developed comprehensive and complete BCPs.
- Some plans were updated and tested in fiscal year 2021-22.
- 33 out of 34 BCPs received included information such as activities to undertake, roles and responsibilities, and contact information that is necessary to enable activation.
Areas for improvement
- The list of critical services was out of date and inconsistent.
- BCPs were difficult to obtain; only 43% (34 out of 80) of those requested were provided.
- 74% (25 out of 34) of the BCPs received were outdated and had not been recently tested (i.e., pre-COVID).
- Very few BCPs mentioned newer risks, such as COVID-19 or working from home for long periods of time.
Conclusion
The Agency and Department have developed, updated, and tested BCPs for some of their identified critical services. The BCPs that were reviewed included key information that would be necessary to enable activation. However, the Department and Agency have not properly identified a complete list of their critical services and many BCPs were not provided. Officials indicated that the Department and Agency used ad hoc business continuity strategies to maintain critical services in response to the unprecedented impacts of the pandemic. Management agrees with the recommendations and has already started taking action to address the areas for improvement identified in this report.
Identification of critical services, development and update of BCPs
Context
HC and PHAC have identified critical services (CS) in the following seven categories:
- Management of risk and coordination of national response associated with specific substances and emergencies
- Safety of consumer health products, drugs, drinking water, and food
- Timely health advice and access to emergency health services for the Public Service, the travelling public, internationally protected persons in Canada, and P/T Departments of Health
- Crisis and strategic communications
- Emergency preparedness and response against infectious disease
- Specialized health services
- Management of controlled substances services
Although the National Business Continuity Management Program (NBCMP) within CSB is responsible for developing and maintaining overall business continuity management preparedness, each branch has a BCM Leader who ensures that they establish a list of CS and have BCPs in place that are accurate and up-to-date by providing advice on the development, maintenance, testing, and exercise of BCPs for their respective branch or equivalent.
What did we expect to find?
We expected that a list of identified CS was available and up to date, and that BCPs had been developed and maintained for these CS. We also expected these BCPs to be periodically tested and updated.
Findings
Critical services (CS) for HC and PHAC are organized into seven categories, as listed in the "Context" section above. CS are further categorized by level of criticality: a level 1 service needs to be up and running within 24 hours; a level 2 service has to be up and running within 1 to 7 days; a level 3 service should be up and running between 8 and 21 days; and a level 4 service has a maximum allowable downtime that exceeds 22 days, since these services are not critical. For the purposes of this audit, we concentrated on levels 1 and 2.
Based on reviewed documentation, we found that all branches had developed the list of identified CS, in coordination with NBCMP. We also found that the list was outdated and contained gaps, which made it difficult to determine the overall population.
Our initial sample consisted of 89 CS and concentrated on the category of Emergency Preparedness and Response against Infectious Disease. When requesting documentation, branches stated that some of the information for CS on the list was either outdated or had errors. Our final sample consisted of 80 BCPs, and, after multiple requests, we only received 34 BCPs.
For the 34 BCPs we received and reviewed, out of the 80 in our sample, we noted the following:
- A few areas had BCPs (or Resilience Plans) which included objectives, activities, resources needed, office space to conduct these activities, and decision-making prioritization to ensure the continuity of each critical service. A few plans had been updated since the start of the pandemic (March 2020).
- The few BCPs that were current and contained sufficient detail were created specifically for the service and did not necessarily follow the established template, indicating that the template was not as useful as needed by management.
- Most of the reviewed BCPs were outdated and had not been tested since March 2020.
- Since the BCPs had not been recently updated, there was no mention of newer risks, such as COVID-19 and working from home for extended periods.
- Some reviewed BCPs only included short descriptions of the critical services and no other type of information, such as activation procedures, roles and responsibilities, testing, communications, maintenance and storage procedures, or more specifically, activities and resources needed to ensure the continuity of each critical service, office space needed to conduct these activities, if required, and decision-making prioritization.
- Since most BCPs were not updated or tested, monitoring and corrective actions had not taken place.
Branch officials stated that they were able to maintain critical services throughout the pandemic by mitigating impacts with ad hoc continuity strategies which had not been documented in their BCPs. These actions included making decisions at established and ad-hoc management meetings, monitoring, and reporting. Management expressed that the established BCP templates and processes were not useful and needed to be revised.
Conclusion
We found that the list of identified critical services was not up to date, that most BCPs have not been updated or tested since the start of the pandemic, and that this increases the risk of non-continuity of critical services should further disruptions occur. Although some branches did not use the suggested BCP template because of its limitations, we did expect to find information pertinent to the activation of the BCPs.
Recommendations
- CSB should coordinate with ADMs and VPs to validate the list of critical services and complete this work as a first priority.
- CSB should collaborate with the ADMs and the VPs to modernize the BCP tool so that it is functional and relevant for branches.
- CSB should develop and implement a formal monitoring program to ensure BCPs are developed for all critical services and that they are tested and updated on a regular basis.
Appendix A - Scorecard
Risk Ratings measure the residual risk without implementing the recommendation:
1 - Minimal Risk
2 - Minor Risk
3 - Moderate Risk
4 - Major Risk
5 - Significant Risk
| Criterion | Risk Rating | Risk Remaining without Implementing Recommendation | Rec. # |
|---|---|---|---|
| | 4 | Identifying your critical services is the first step in the business impact analysis (BIA) and BCP processes. We found that the critical service list was not accurate. Without implementing recommendation 1, the Department and Agency will continue to have an inaccurate list of critical services that will affect its ability to maintain them. | 1 |
| | 3 | The BCP process, including its tool, needs to be useful and meaningful for management to use. Without updating the tools to respond to management's needs, the BCP process at the Agency and Department will continue to be unused to maintain critical services. | 2 |
| | 3 | To ensure BCPs for critical services are developed, tested and updated on a regular basis, CSB (NBCMP) needs to implement a formal oversight and monitoring program. Without monitoring and oversight, there is a risk that BCPs for critical services are not prepared, or that they are not regularly updated or tested. | 3 |
Appendix B – About the audit
Audit objective
The objective of this audit was to provide assurance that the Department and Agency have identified and prioritized critical services as part of the BCP process to ensure, in the event of a subsequent emergency, the continued availability of its critical services.
Audit scope
The scope of this audit included a review of a sample of BCPs for identified critical services, but it did not include a review of Business Impact Analyses. Our sample size for this audit consisted of 80 BCPs for the Critical Services listed under the category of Emergency Preparedness and Response against Infectious Disease.
Audit approach
The audit approach included, but was not limited to:
- Interviews with senior management and employees;
- Reviews of relevant documentation and related controls; and
- Testing of a sample of BCPs.
Statement of conformance
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing and is supported by the results of the Office of Audit and Evaluation's Quality Assurance and Improvement Program.
Audit criteria
The audit criteria were derived from the TBS Core Management Controls and the COSO Enterprise Risk Management Framework. The following audit criteria were used to conduct the audit:
Criterion 1: The Department and Agency have developed business continuity plans to ensure the continuity of their critical services and critical support services, and these are tested and kept current for identified critical services.
- Branches have business continuity plans in place in case of further disruptions.
- Branches ensure that their business continuity plans are periodically tested, updated, and reflect interdependencies with other stakeholders to ensure the Department and Agency are ready to respond to another emergency.