Audit of the Justice Canada Emergency Management Program and the Business Continuity Planning Program
May 03, 2013
1.1.1 The Emergency Management (EM) program and the Business Continuity Planning (BCP) program are both managed by a small section within the Safety, Security and Emergency Management Division (SSEMD) in the Administration Directorate of the Management Sector in the Department of Justice Canada. This section is currently made up of one AS 07 EM Manager and one AS 05 Departmental BCP Coordinator. These programs are different but complementary in nature - EM planning builds on the BCP Footnote 5.
1.1.2 The Department’s Report on Plans and Priorities Footnote 6 states that the annual budget for fiscal year 2012-13 is $739.9M and the authorized Full-time Equivalents (FTEs), or personnel, are 5,098. The corresponding information for SSEMD is a budget of $1.148M and 16 FTEs.
1.1.3 The Emergency Management program is focused on how the Department relates to other federal government institutions, as well as provincial and municipal emergency organizations, in emergencies. It is external in focus and strategic in nature. BCPs, by contrast, represent the Department’s planning associated with its “internal” efforts to ensure the continued availability of critical services to Canadians in the event of an incident/emergency affecting the organization. BCPs are often activated when EM exercises or real events take place.
1.1.4 The principal references or standards for EM and BCP are presented at Appendix A.
1.1.5 Two reports by M. Purdy in 2007 Footnote 7 and 2009 Footnote 8 set the agenda for the EM program in Justice Canada for several years. The recommendations in these reports were accepted as a baseline for EM by senior management and all but a few of the recommendations have been implemented.
1.1.6 Emergency Management Program. As illustrated at Appendix B Footnote 9, the Department of Justice governance structure for EM is two-tiered, supported by three special-purpose teams. The first tier is the Emergency Response Committee (ERC) that provides strategic leadership and oversight for Emergency Management. The second tier is the Emergency Operations Team (EOT), the first responders that manage the ensuing emergency with support from legal counsel as required. The EOT is supported by the Justice Emergency Coordinating Committee (JECC), which coordinates the legal and corporate advice from both the EOT and the Justice Emergency Team (JET) though the Justice Emergency Operations Center Footnote 10 (JEOC).
1.1.7 The Department of Justice Strategic Emergency Management Plan (SEMP) sets out an organized, structured approach to decision making to enable the Department to deal effectively with situations requiring extraordinary efforts. It is based on the Emergency Management Planning Guide, 2010-2011, published by Public Safety Canada.
1.1.8 Emergency management has been an active file in the Department since 2007. Recently, Public Safety Canada has published SEMP Leading Practices Footnote 11 and identified criteria used to rate federal government departments’ SEMPs. Although outside the scope of this audit, it was observed that the Department has already instituted most of the leading practices recommended by Public Safety, and has a few additional leading practices to offer, in particular, the design and operation of the JEOC.
1.1.9 BCP Program. The Department has developed a department-wide Business Continuity Planning Program to ensure critical service delivery within the Department. A Guide on Business Continuity Planning in the Department of Justice has been developed to assist departmental organizations in developing business continuity plans and to outline a uniform approach to plan development. SSEMD recognizes that this Guide should be updated.
1.1.10 As illustrated at Appendix B, the departmental BCP Coordinator is part of the National Security Business Continuity Planning Committee (NSBCPC) that is chaired by the Departmental Security Officer (DSO), who is also a member of the ERC.
1.1.11 In addition to the Policy on Government Security (PGS) that provides general policy on BCP, the TBS Operational Security Standard – Business Continuity Planning Program provides more specific definitions and procedures.
1.1.12 An industry benchmark is that no more than 10%-15% of an organization’s services should be classified as critical Footnote 12. There is a natural tendency for managers to identify too many critical services and to require recovery too quickly. In other words, managers tend to identify important services as critical.
1.1.13 Public Safety Canada has recently indicated that it will be moving forward with BCP renewal initiatives in the near future.
1.1.14 JEOC. The EM and BCP programs come together in a practical way in the JEOC. The JEOC has been used to conduct a high level of exercises and events for both EM and BCP. Between September 2007 and March 2013 more than Footnote 13 85.5 days of EM exercises/events were conducted. For the period September 2009 to September 2012, more than Footnote 14 33.5 days of BCP exercises/events were conducted. This activity is described Footnote 15 at Appendix C and Appendix D for EM and BCP respectively.
1.1.15 Some of the main features of the JEOC are described at Appendix E.
1.1.16 Audit Approval. The audit of the Emergency Management Program and the Business Continuity Planning Program was included in the 2011-12 Risk Based Audit Plan, as approved by the Deputy Minister.
1.2 Audit Objectives and Scope
1.2.1 The objective of this audit was to provide assurance that the management control framework in the Department of Justice is effective for Emergency Management and Business Continuity Planning.
1.2.2 The scope of the audit was strategic rather than technical in nature, as is reflected in the criteria selected for this audit and in the findings of this report. The audit covered all activities related to EM and BCP in headquarters (National Capital Region) and the Regions.
1.3 Risk Assessment
1.3.1 The key risk factors that were considered in relation to this audit include:
- Adequacy of resources across the Department to carry out EM and BCP program responsibilities, including the Regions;
- Capability to communicate with other federal government agencies during real events;
- The transition of the transfer of the bulk of departmental information technology (IT) infrastructure to Shared Services Canada (SSC); and
- Oversight and Quality Assurance (QA) of the BCP program.
1.4 Audit Criteria
1.4.1 Two high-level lines of enquiry – Governance and Risk Management - and related audit criteria (as presented at Appendix F) were selected to provide a strategic perspective of the EM and BCP programs. These were developed in consideration of the risks identified during the planning phase of the audit and were based on guidance from the TBS Management Accountability Framework, the TBS Core Management Controls: A Guide for Internal Auditors, and the standards/references for EM and BCP presented at Appendix A.
1.5 Approach and Methodology
1.5.1 The audit was conducted during two different time periods. The audit work in 2011 concentrated on Business Continuity Planning, while the audit work in 2012-13 focused on Emergency Management.
1.5.2 A detailed description of the approach and methodology is outlined in Appendix G of this report.
1.6 Identified Strengths
1.6.1 The Department of Justice has developed and implemented a strong and effective departmental governance structure for EM and BCP. The SEMP is current, well-written and contains all of the more than 30 recommended “building blocks” of the Public Safety Canada Emergency Management Planning Guide, 2010-2011.
1.6.2 The governance framework supporting emergency preparedness is defined within the Department’s SEMP and clearly identifies the roles and responsibilities of various levels of management involved in emergency response. The presence of senior management on the EM committees conveys the proper level of authority to support the decision making process essential to address emergency situations.
1.6.3 The Department ensures preparedness of senior management responsible for the implementation of the SEMP by conducting yearly exercises at off-site locations to test the emergencies addressed in the Plan. Furthermore, the Department has signed a Memorandum of Understanding (MOU) with the [Information was removed in accordance with the Access to Information Act]. Ontario and [Information was removed in accordance with the Access to Information Act]. Quebec, for the use of operational space to be used by the ERC to meet and direct the Emergency Plan. The locations of the alternate operational facilities ensure that the Committee will be able to access at least one location.
1.6.4 The Justice Emergency Operations Center integrates a robust emergency management capability into an existing infrastructure. This facility has been used to conduct simulated emergency management exercises (e.g., desk top exercises), to manage and respond to such events as ice storms, and participated in large scale horizontal emergency exercises such as the Vancouver Olympics and the G8/G20 Summits in Toronto.
1.6.5 The assignment of BCP responsibilities to the Regional Security Officers (RSOs) has proven to be a pragmatic decision. EM and BCP agenda items are frequently raised in the regular Departmental Security Officer (DSO) conferences, which are attended by RSOs. Also, the DSO visits the Regions on a regular basis.
- Date modified: