Audit of the Justice Canada Emergency Management Program and the Business Continuity Planning Program
May 03, 2013

Executive Summary

Conclusion

We conclude that the departmental governance structure and corporate policy provide overall an effective management control framework for Emergency Management and Business Continuity Planning in the Department of Justice. The structure includes the Executive Committee, the Emergency Response Committee, the Emergency Operations Team, the Justice Emergency Coordinating Committee, the Justice Emergency Team, the Justice Emergency Operations Centre and the National Security Business Continuity Planning Committee. The key corporate policies in place for these programs are the Department of Justice Strategic Emergency Management Plan and A Guide to Business Continuity in the Department of Justice.

Emergency Management and Business Continuity Planning are two distinct but linked programs in the Department, which come together in a practical way in the Justice Emergency Operations Center. The Emergency Management program is external and strategic, while the Business Continuity program is internal and one of the building blocks in the development of the Department of Justice Strategic Emergency Management Plan.

We did not find significant issues with respect to Emergency Management.

Introduction

The Emergency Management program and the Business Continuity Planning program are both managed by a small section within the Safety, Security and Emergency Management Division in the Administration Directorate of the Management Sector. These programs are separate but complementary in nature – Emergency Management planning builds on Business Continuity Planning. Footnote 1

The Emergency Management program is focused on how the Department relates to other federal government institutions, as well as provincial and municipal emergency organizations, in emergencies. Business Continuity Planning, by contrast, represents the Department’s internal planning associated with the continued availability of critical services to Canadians in the event of an incident/emergency affecting the organization. Business Continuity Plans are often activated when Emergency Management exercises or real events take place.

An industry benchmark is that no more than 10%-15% of an organization’s services should be classified as critical. Footnote 2 There is a natural tendency for managers to identify important services as critical services and to require recovery too quickly.

The Department of Justice has developed and implemented a strong and effective departmental governance structure for Emergency Management and Business Continuity Planning. The Strategic Emergency Management Plan is current, well-written and contains all of the more than 30 recommended “building blocks” of the Public Safety Canada Emergency Management Planning Guide, 2010-2011.

The governance framework supporting emergency preparedness is defined within the Department’s Strategic Emergency Management Plan and clearly identifies the roles and responsibilities of various levels of management involved in emergency response. The presence of senior management on the Emergency Management committees conveys the proper level of authority to support the decision making process essential to address emergency situations.

The Department ensures preparedness of senior management responsible for the implementation of the Strategic Emergency Management Plan by conducting yearly exercises at off-site locations to test the emergencies addressed in the Plan. Furthermore, the Department has signed a Memorandum of Understanding      [Information was removed in accordance with the Access to Information Act].      Ontario and the      [Information was removed in accordance with the Access to Information Act].      Quebec, for the use of operational space to be used by the Emergency Response Committee to meet and direct the Emergency Plan. The locations of the alternate operational facilities ensure that the Committee will be able to access at least one location.

The Justice Emergency Operations Center integrates a robust emergency management capability into an existing infrastructure. This facility has been used to conduct simulated emergency management exercises (e.g., desk top exercises), to manage and respond to such events as ice storms, and participated in large scale horizontal emergency exercises such as the Vancouver Olympics and the G8/G20 Summits in Toronto.

The assignment of Business Continuity Planning responsibilities to the Regional Security Officers has proven to be a pragmatic decision. Emergency Management and Business Continuity Planning agenda items are frequently raised in the regular Departmental Security Officer conferences, which are attended by Regional Security Officers. Also, the Departmental Security Officer conducts visits to the Regions on a regular basis.

This audit was identified in the 2011-12 Risk-Based Audit Plan. The overall objective of the audit was to provide assurance that the management control framework is effective for Emergency Management and Business Continuity Planning in the Department of Justice.

Key Findings

The section in the Safety, Security and Emergency Management Division responsible for the departmental Emergency Management and Business Continuity Planning programs is currently comprised of two full-time resources Footnote 3 - one AS Footnote 4 07 Emergency Management Manager and one AS 05 Departmental Business Continuity Planning Coordinator. It is considered to be effective for its size. However, if additional resources were established in this small unit, the following additional priorities could be addressed, which constitute the major findings for this audit:

Challenge (Oversight and Quality Assurance) Function.
The Safety, Security and Emergency Management Division does not exercise an effective challenge (Oversight and Quality Assurance) function with respect to Business Continuity Planning across the Department. This has resulted in inconsistency of Business Continuity Plans, difficulty in the identification of critical services, and underuse/misapplication of documentation for Business Impact Analyses.
A Consolidated Corporate Business Continuity Plan.
A consolidated corporate Business Continuity Plan would help to ensure that critical services are identified at a practical level and save considerable effort currently expended on maintaining Business Continuity Plans for important, but not necessarily critical, services.
Support to the Regions.
The Regional Offices would benefit from additional support and mentoring from the Safety, Security and Emergency Management Division with respect to Business Continuity Planning. There is considerable risk associated with the current situation in conjunction with modernization initiatives.
Date modified: