Business Continuity Plan Template Canada Executive Summary
Prepared by Internal Audit and Evaluation, Department of Finance Canada
Approved by the Deputy Minister of Finance on the recommendation of the Audit and Evaluation Committee on August 28, 2012

Executive Summary

The Emergency Management Act (EMA) requires each federal government department to establish its respective business continuity program, as well as the processes related to these programs.
These processes include the identification of strategic and operational risks; the development of a business continuity plan (BCP); the conduct of BCP exercises including the provision of awareness/training; and the maintenance of related policy and plans. In support of this requirement, the Treasury Board’s Operational Security Standard - Business Continuity Planning Program (BCP Standard) provides direction and guidance on the implementation of processes related to Business Continuity Plans. The objective of the audit was to provide reasonable assurance on the adequacy and appropriateness of the processes to establish the departmental business continuity program. The audit concluded that overall, the processes to establish the departmental business continuity program are adequate and appropriate.
Specifically, consistent with the BCP Standard, the Department of Finance Canada has:
- identified its strategic risks for BCP events;
- established a management framework to support business continuity planning;
- implemented a business continuity planning process for the development of a department-wide BCP, including a framework for branch-level plans; and
- conducted a BCP exercise.

Low exposure

A high, medium or low ranking corresponds to the potential risk exposure auditors believe may have an impact on the achievement of Department objectives, and is indicative of the priority management should give to the recommendations.
The assessment summarizes the audit observations based on the evidence gathered and analyzed during the audit. Based on these assessments, issues along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Action Plan” section.

Findings by Audit Criteria

Criterion 1. Identification of Business Continuity Risks
  The Department of Finance Canada identifies the strategic and operational risks for BCP events, consistent with the BCP Standard.
Risk Exposure: Low
Assessment: The Department has identified its business continuity strategic risks; however, to comply with the BCP Standard, the BIAs (business impact analyses, i.e. operational risks) should be further developed.
The BCP Standard requires that departments identify both strategic and operational business continuity risks. Strategic risks are those that affect critical areas of the Department and thereby the Department’s ability to achieve its objectives. These include (1) processes related to the preparation of the federal budget; (2) the lead coordination role for the financial sector; (3) international economic leadership; (4) large value transfer payments; and (5) information technology as a critical support service. Operational risks are those identified in the BIAs, such as interdependencies and resource requirements, which are critical to the continuation of departmental branches’ operations following a disaster (i.e. during the recovery period). Without these resources, the branches would not be able to achieve their objectives.
The audit assessed whether strategic risks were identified and reviewed the completeness of all BIAs, including whether interdependencies and resource requirements were identified. The audit found that the Department has identified its business continuity strategic risks. Regarding the branch-level BIAs (i.e. operational risks), the audit found that additional information on internal and external interdependencies, such as defining the impact of the temporary loss of other government organizations, suppliers and contractors, is required. Similarly, the audit found that additional information is required in the minimum resource requirements section, to account for the increased pressures and the impacts on people, infrastructure, assets and/or supplies that a disruption would cause.
Critical services often depend on the same external support in order to maintain the minimum level of operation required. According to the BCP Standard, it is important that the BIAs:
- define the internal and external interdependencies (e.g., memoranda of understanding and agreements with other government departments and suppliers); and
- identify not only the minimum resource requirements for a single critical service area, but also the activities and resources of other critical and support service areas, which collectively are needed by the Department.

The audit reviewed the completeness of the BIAs for all branches, and found that additional information is required in the internal and external interdependencies and minimum resource requirements sections. When internal and external interdependencies and minimum resource requirements are not properly identified, there is a significant risk that the Department’s critical and support services would not achieve their respective objectives because of insufficient resources and lack of support from the required interdependencies.

The audit recommends that Security Services work closely with the departmental branches’ critical and support services staff to further develop the interdependencies and minimum resource requirements sections of the BIAs. This will help the Department’s staff to be well prepared for a disruption requiring that the BCP, or part of it, be put into action.

Consistent with the BCP Standard, each critical and support services continuity team should have its own branch-level: (1) Business Continuity Planning Table (BCPT) to identify, for example, key recovery strategies concerning the branch’s interdependencies; and (2) Contingency Plan Information Sheet (CPIS) identifying key staff and assigning individual responsibilities, as well as the timing and expected outcome for each recovery action. The audit assessed whether essential components, including the BCPT and CPIS, were developed in support of the department-wide BCP.

The audit found that the BCPTs were partially completed and the CPISs had not been prepared. Without branch-level BCPTs and CPISs detailing essential information such as business recovery strategies (including key responsibilities, the timing and expected outcome for each recovery action), there is an increased risk that the Department’s critical and support services will not be able to achieve their business objectives should a disruption occur. The audit recommends that Security Services lead the timely completion of branch-level BCPTs and CPISs in support of the department-wide BCP.
This will ensure that these key components are present in the departmental business continuity plan.

According to the BCP Standard, exercises should be conducted and an awareness and training program should be developed to help departmental staff gain assurance that the BCP will operate effectively when required. The audit assessed the Department’s exercises, awareness and training practices for business continuity. It found that a BCP exercise was last conducted in January 2011, that limited business continuity information was posted on the Department’s intranet, and that formal training had been provided to a key staff member of the Corporate Services Branch. These findings indicate that the relevant BCP standards have only been partially met. Without regular BCP exercises and an effective awareness and training strategy, departmental staff will not be well prepared to cope with business disruptions. It is therefore important to communicate to all staff the Department’s business continuity objectives, critical services and resources, and the agreed priority for recovery, through well-planned exercises, awareness and training activities.

The audit recommends that Security Services conduct additional BCP exercises and develop an awareness and training strategy, including an action plan. This will improve the Department’s business continuity readiness.
EDITOR'S NOTE: This is the first installment of an occasional series summarizing key banking/security regulatory documents.

The Business Continuity Planning manual is part of the IT Examination Handbook from the Federal Financial Institutions Examination Council (FFIEC). The March 2008 version of the BCP manual has been updated since its original release in March 2003. This booklet is intended to provide guidance to financial institutions regarding business continuity planning, which helps companies recover and resume business processes when operations have been disrupted unexpectedly.
Because financial institutions are part of the nation's critical infrastructure, it is important to minimize disruptions to their business.

Key Topics

The BCP booklet is divided into two main areas: Business Continuity Plans and examination procedures.
The first part describes the planning process of creating a Business Continuity Plan, along with the responsibilities of senior management during that process. The second part describes the technical aspects regarding risk, including assessment, management, testing and monitoring.

Business Continuity Plan

Financial institutions should develop a comprehensive Business Continuity Plan based on the size and complexity of the institution. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations. A financial institution's board and senior management are responsible for the following:
- Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results.

Closing Thoughts

The above listed examination procedures are intended to be a cyclical process. The Business Continuity Plan is an ongoing process that needs to be updated as events occur. As an organization's risk testing and monitoring detects changes in the company, a new Risk Assessment phase should occur to evaluate the impact of the changes and modify the Business Continuity Plan as needed. To see the full BCP booklet or any of the other sections of the FFIEC IT Examination Handbook, visit.

Thomas Donchez is a graduate of East Stroudsburg University of Pennsylvania, where he earned a Bachelor of Science Degree in Computer Security and Computer Science.
Tom is currently working toward his Master's Degree in Computer Science and resides near Allentown, PA. With a strong background in computer security and great interest in current trends, Tom enjoys writing on security related topics. His recent research includes rootkit detection and advanced steganography methods, and his thesis work relates to network traffic analysis and reporting. Tom also spent three years as an ASP.NET web developer.

From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations' risk management capabilities. But no one is showing them how - until now. Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 - the bible of risk assessment and management - will share his unique insights on how to:
- understand the current cyber threats to all public and private sector organizations;
- develop a multi-tiered risk management approach built upon governance, processes and information systems;
- implement NIST's risk management framework, from defining risks to selecting, implementing and monitoring information security controls.