Business Continuity Business Impact Analysis arrangements

Aberdeen City Council
Internal Audit Report 2012/2013 for Aberdeen City Council
May 2013
Business Continuity Business Impact Analysis arrangements
Final Report

Contents

1. Executive Summary
2. Background and scope
3. Detailed findings and recommendations
Appendix 1 - Basis of our classifications
Appendix 2 - Terms of reference
Appendix 3 - Limitations and responsibilities
Appendix 4 - Detailed Management Comment

This report has been prepared solely for Aberdeen City Council in accordance with the terms and conditions set out in our engagement letter 4th October We do not accept or assume any liability or duty of care for any other purpose or to any other party. This report should not be disclosed to any third party, quoted or referred to without our prior written consent.

Internal audit work will be performed in accordance with CIPFA's Internal Audit Code of Practice for Local Government. As a result, our work and deliverables are not designed or intended to comply with the International Auditing and Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and International Standard on Assurance Engagements (ISAE)

Internal Audit report for Aberdeen City Council PwC

1. Executive Summary

Report classification: High

Total number of findings (Section 3): table with columns Critical, High, Medium, Low and Advisory, and rows Control design, Operating effectiveness and Total.

Summary of findings

1.01 We have reviewed the business continuity arrangements put in place by Aberdeen City Council, in particular the Business Impact Analysis (BIA) performed by a sample of service areas located at Marischal College. Based on our review we have raised two high points and one medium point.

An Internal Audit Review of Business Continuity was performed in August 2011 and a number of recommendations made. Despite this a number of the points noted in this review are similar in nature to those raised in August It is appreciated that the Corporate Risk Management Group is aware of some of these points and is taking action to address them. A summary of the points noted is included below;

- A lack of effective governance and compliance mechanisms along with inconsistent support and guidance for those responsible for business continuity outputs has resulted in poorly documented and in some cases non-existent business continuity plans and strategies;
- Each business unit has completed its own BIA and business continuity plans and strategy. No exercise has been completed to collate the information to ensure dependencies between critical processes are understood and appropriate focus is given to the critical processes the Council as a whole operates rather than the individual business unit; and
- Service areas have been led to believe that disaster recovery capability is such that IT systems will always be available to them. However, the network incident in January 2013 proves that this is not the case. Given the high reliance of service areas on IT systems it is questionable as to whether service areas could operate manually. Limited analysis has been performed to ensure IT disaster recovery can meet business requirements and as such service areas have limited recovery strategies should IT systems be unavailable (i.e. the ability to provide a skeleton service manually).

1.03 Although out of scope of this review it was also noted that a number of service areas have performed limited or no testing of business continuity plans and strategies. Testing of incident management and business continuity plans is the most important part of business continuity as it can help identify flaws within plans and strategies as well as providing staff with training to improve their familiarity with plans and ultimately their effectiveness in a disaster situation.

Overall management comment

1.04 The completion of Business Continuity Plans including quality control has up until now been the responsibility of Services. Support in completing the plans has been available from the Emergency Planning Unit but this has not, as made clear in the Business Continuity Policy & Procedures document, extended to checking the quality of information contained in Service plans. This support will now be given where necessary. Governance arrangements for Business Continuity planning will be more clearly defined with additional resource being provided, where necessary, to support services in raising the quality of their plans and to ensure integration across functions and with ICT and Facilities Disaster Recovery arrangements. Please see appendix 4 for the detailed management comment.

2. Background and scope

Background

2.01 Business continuity management gives an organisation a capability to plan for and respond to a major incident that may impact their business. It focuses on making sure that businesses can carry on providing critical functions, in the event of a disaster or emergency.

The Emergency Planning Unit (EPU), which forms part of the Housing and Environment Service, has responsibilities for co-ordinating the preparation, testing and review of emergency plans for the North East of Scotland. The plans cover major emergency scenarios or site specific emergencies. The unit also maintains generic plans for use in natural disasters and civil emergencies. EPU provides this service both to the Council and also to Aberdeenshire and Moray Councils as partner organisations. EPU is also responsible for supporting the development of BCPs by the Services within the Council by the provision of support, advice and guidance.

2.03 Services are responsible for performing the business impact analysis and formulating, reviewing and approving business continuity plans and strategies. Services are also responsible for ensuring that business impact analysis and plan information is tested and updated periodically.

Following on from the Internal Audit review in 2011/12, this review has focussed on the arrangements surrounding the business impact analysis prepared for a sample of service areas and has considered these against recommended practice guidance.

Scope and limitations of scope

2.05 The overall scope of this review was to consider the Council's arrangements in respect of business continuity, in particular the business impact analysis (BIA) within a sample of service areas located at Marischal College:

- Customer Contact centre
- Environmental Health and Trading Standards
- Care Management and Adult Protection Unit

The review considered each of the respective BIAs against recommended practice and assessed how these had been consolidated to provide a co-ordinated business continuity plan for Marischal College. These 3 areas were selected following discussion with Management and based on risk and priority should an incident occur impacting on Marischal College.

The detailed terms of reference is set out in Appendix 2. The review did not assess whether the business continuity or disaster recovery plans themselves have been tested throughout the year. In addition, it should be noted that our work will not provide management with assurance that business continuity plans or disaster recovery plans will work in the event of an incident.

3. Detailed findings and recommendations

3.01 Controls to ensure the quality of business impact analysis and business continuity plans

Finding

Finding summary

The Emergency Planning Unit (EPU) has provided templates that service areas should utilise in order to complete the Business Impact Analysis (BIA) and prepare business continuity strategies and plans. The EPU states guidance and support is available to service areas on how to complete and utilise these templates. However, this support is not proactively offered and rather service areas have to request it. During the course of our fieldwork we noted that very few service areas had engaged with the EPU.

In addition, there is limited compliance monitoring and regular reporting of business continuity to senior management. Compliance monitoring and reporting to senior management would help to ensure visibility of business continuity and that service areas have completed templates correctly and produced realistic practical strategies and plans.

This lack of control over the quality of business continuity outputs has resulted in inconsistent and in some cases poorly documented and non-existent business continuity plans and strategies.

Finding detail

The BIA templates provided by the EPU on the whole capture the information that would typically be expected. However, it would be expected that a suitably experienced business continuity practitioner would then take that information and perform a robust risk based analysis to formulate business continuity strategies and plans. For example, this would normally entail reviewing each of the identified critical processes to understand;

- Location: which locations is the critical process performed from and if one location was lost could the process be performed from other locations? Business continuity plans should then specifically consider what actions would be required if the location was lost.
- Systems: which systems does the process rely on and can disaster recovery measures restore the system before the business experiences a major impact? If not then business continuity plans should consider how the business unit would operate manually.
- Suppliers: are there any critical internal or external suppliers and if so what actions have been taken to confirm they have adequate business continuity plans or strategies put in place to ensure the critical process could continue if the supplier was unavailable?
- People: what is the minimum level of staff that is required to operate the critical process and what strategies are available to supplement staff levels should they dip below that level? For example, training staff from less critical processes so they could be used in an emergency situation.
- Plant and equipment: does the critical process rely on any specialist pieces of plant and equipment and what continuity strategies can be put in place to reduce the impact if the plant or equipment is lost? For example, preventative maintenance or if feasible purchase of a second item.

The sample documentation reviewed did not suggest this level of analysis had been undertaken and is indicative of the fact the employees being asked to perform this work have limited business continuity experience, training and support available to them with appropriate governance and compliance mechanisms in place to ensure the robustness of work performed. Specific examples include:

- Service areas are required to capture details of locations from which critical processes are performed and any alternative locations that could be used in a disaster. However, within the plans reviewed there were no detailed actions listed on what steps would be taken. Comments include: "There are multiple spare desks available throughout ACC with ICT access" and "Alternative accommodation would be sought in other council locations, especially where network access is available." Both statements are general in nature and do not allow for a specific plan to be put into action during an incident.
- The BIA template requires service areas to consider the loss of a key supplier. In the sample of BIAs reviewed while this information had been captured it had not been used to formulate a recovery strategy.
- Service areas are required to capture details of the documents which are needed to perform critical processes and consider how access will be gained to these during an incident. This was inconsistently considered in the sample of BIAs reviewed. For example, one BIA reviewed noted that the business unit is heavily reliant on paper documentation held in the record storage facility at Marischal College; however there is no plan of how to retrieve these documents if access is denied to the building.
- The BIA template requires service areas to consider the maximum period no service could be provided. One response states "There is no time period in which a basic service for emergency work not being provided would be acceptable." There are no specific details as to what the emergency work includes, and no indication is provided as to how long other services within the business unit could last.
- The BIA template requires service areas to consider minimum staffing levels for each critical service. One business unit comprehensively states the minimum staffing levels; however there is no strategy of how to ensure these levels are maintained. Another business unit has stated that all staff are required to maintain a minimum level of service which suggests that the question has not been fully understood.

Risks

Without effective governance and compliance mechanisms along with support and guidance for those responsible for business continuity the risk exists that poorly defined strategies are produced which could result in a delay in restoring critical functions in a disaster situation.

Action plan

Finding rating: Risk rating: High

Agreed action:

1. Management to conclude the exercise to agree the critical processes that the Council operates.
2. The EPU to provide support and guidance to the individuals completing (and testing) BIA and plans for these critical processes. Services to review and approve BIA and plans prior to the EPU reviewing and approving.
3. EPU to report to Corporate Management Team on a quarterly basis on the status of plans (and testing of the plans) for the agreed critical processes.
4. Service areas to be responsible for developing (and testing) BIA / plans for any processes not on the Council's list of critical processes (non critical processes).
5. EPU to implement a reporting process whereby service areas report details of plans developed for non critical process. This will be reported to the Corporate Management Team on a quarterly basis.

Responsible person / title: Emergency Planning Unit Officer

Target date: 30 June

3.02 Consolidation of business impact analysis information

Finding

Each business unit has completed its own BIA and business continuity plans and strategy. No exercise has been completed to collate the information to ensure dependencies between critical processes are understood and appropriate focus is given to the critical processes the Council as a whole operates rather than the individual business unit.

For example, if a major incident impacted Marischal College then a number of service areas and processes would be impacted. Without a consolidated view of critical processes operating then the risk exists of an uncoordinated response and delays in recovering critical processes. For example;

- a business unit may decide to send staff home unaware that this would have a major impact on the ability to provide a customer facing critical process
- a non critical business unit may decide to send its staff to an alternative location unaware that a critical customer facing function is sending its people there too. This may impact the ability of the customer facing process to meet the needs of the public.

Risks

Without a consolidated view of critical processes operating then the risk exists of an uncoordinated response and delays in recovering critical processes.

Action plan

Finding rating: Risk rating: High

Agreed action:

Following completion of the actions noted in 3.01 the following should occur;

1. The EPU to review the plans and strategies to recover the critical functions to ensure dependencies between units are clearly understood and plans cater for these dependencies.
2. Property to produce an inventory of all available desk space within the Council and then work with the EPU to determine where critical functions would relocate to should their primary location be impacted by a disaster. The results of this exercise should be communicated to the business unit so they can update plans accordingly.

Responsible person / title:

1. Emergency Planning Unit Officer
2. Asset Management Officer

Target date: 31 July

3.03 Disaster recovery linkage to business continuity

Finding

In a typical business continuity process, service areas would determine the maximum time they could not operate a process before a major impact is experienced. This is known as the Maximum Acceptable Outage (MAO). The IT department then uses this information to determine whether they can restore the IT systems and data prior to the MAO expiring. If this is not feasible the business unit needs to develop plans to operate manually.

From the discussions held and the plans reviewed it is apparent that service areas have limited plans or recovery strategies should IT systems be unavailable (i.e. the ability to provide a skeleton service manually). There is a need to perform an analysis to ensure IT disaster recovery can meet business requirements and as such service areas

Risks

IT systems may not be reinstated within an acceptable timeframe to all critical services. The MAO set may not be achievable in the event of a major incident.

Action plan

Finding rating: Risk rating: Medium

Agreed action:

Following the IT outage in January the ICT Team have been conducting an exercise to identify and remove single points of failure within the IT network. A disaster recovery test was performed in April 2013, with a further test scheduled for June As part of the disaster recovery test the ICT and the EPU will perform an exercise to ensure that disaster recovery is in place for all systems supporting critical functions and that the systems can be restored in line with business requirements. The results of this exercise will be reported to CMT and where systems can't be restored in line with business requirements then CMT will determine what alternative strategies (if any) will be put in place.

Responsible person / title: IT Manager

Target date: 30 September

Appendix 1 - Basis of our classifications

Individual finding ratings

Finding rating: Assessment rationale

Critical: A finding that could have a:
- Critical impact on operational performance; or
- Critical monetary or financial statement impact; or
- Critical breach in laws and regulations that could result in material fines or consequences; or
- Critical impact on the reputation or brand of the organisation which could threaten its future viability.

High: A finding that could have a:
- Significant impact on operational performance; or
- Significant monetary or financial statement impact; or
- Significant breach in laws and regulations resulting in significant fines and consequences; or
- Significant impact on the reputation or brand of the organisation.

Medium: A finding that could have a:
- Moderate impact on operational performance; or
- Moderate monetary or financial statement impact; or
- Moderate breach in laws and regulations resulting in fines and consequences; or
- Moderate impact on the reputation or brand of the organisation.

Low: A finding that could have a:
- Minor impact on the organisation's operational performance; or
- Minor monetary or financial statement impact; or
- Minor breach in laws and regulations with limited consequences; or
- Minor impact on the reputation of the organisation.

Advisory: A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.

Report classifications

Findings rating: Points
- Critical: 40 points per finding
- High: 10 points per finding
- Medium: 3 points per finding
- Low: 1 point per finding

Report classification: Points
- Low risk: 6 points or less
- Medium risk: 7-15 points
- High risk: points
- Critical risk: 40 points and over

Appendix 2 - Terms of reference

This review is being undertaken as part of the 2012/2013 internal audit plan approved by the Audit & Risk Committee in February

Background

Business continuity management gives an organisation a capability to plan for and respond to something that may impact their business. It focuses on making sure that businesses can carry on doing the most important things, in the event of a disaster or emergency.

The Aberdeen City Council Corporate Management Team (CMT) has identified Service areas requiring business continuity plans and has prioritised a number of these as being critical due to the impact of any disruption on service provision.

Following on from the Internal Audit review in 2011/12, this review will focus on the arrangements surrounding the business impact analysis prepared for two service areas and will consider these against best practice guidance.

Scope

Review of the Council's arrangements surrounding the business impact analysis (BIA) within a sample of service areas within Marischal College. This will include;

- Customer Contact centre
- Environmental Health and Trading Standards
- Care Management and Adult Protection Unit

The review will consider each of the respective BIAs and then how these have been consolidated to provide a Marischal College perspective.

We will review each BIA against best practice guidance, including considering;

- Has a BIA been completed and updated within the past 12 months;
- Does the BIA identify the Critical Activities of the service area;
- Have the consequences of the loss of the critical activities been assessed;
- Have dependencies for the critical activities been assessed;
- Have Maximum Acceptable Outages (MAOs) been established for the critical activities;
- Have RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) been identified for IT systems supporting critical activities;
- Where critical activities rely on IT systems can disaster recovery measures recover systems in sufficient time to meet the RTO and if not what plans have been put in place (i.e. does the RTO / RPO meet the requirements of the MAO and if not what plans are in place);
- Has the service identified all the resources, equipment and premises needed to carry out each critical activity;
- Has the service determined the minimum level of service that each activity could operate at in a recovery environment;
- Have the BIAs involved and been signed off by Senior Management;
- Do the BIAs meet the needs of the wider Council, giving consideration to Council-wide risks and allowing for linkage with other service areas;
- Have BC risks been assessed and mitigation measures been put in place (e.g. contingencies)?
- How have the individual BIAs completed by service areas been consolidated to understand dependencies between service areas residing in Marischal College?

Limitations of scope

The scope of our review is outlined above. We will not assess whether the business continuity plans themselves have been tested throughout the year. In addition, it should be noted that our work will not provide management with assurance that business continuity plans or disaster recovery plans will work in the event of an incident. Furthermore we will not review the disaster recovery plans.

Appendix 3 - Limitations and responsibilities

Limitations inherent to the internal auditor's work

We have undertaken a review of Business Continuity, subject to the limitations outlined below.

Internal control

Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding achievement of an organisation's objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Our assessment of Business Continuity is as at March Historic evaluation of effectiveness is not relevant to future periods due to the risk that:

- the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or
- the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management's responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management's responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.

Appendix 4 - Detailed Management Comment

1. Background

This internal audit and recent events affecting Marischal College have highlighted the requirement for quality and compliance arrangements to be transferred from Services and to be managed corporately. It is recommended and agreed that this responsibility should sit with the Emergency Planning Strategist.

The report also recommends that corporate governance arrangements are clarified to ensure that, in addition to ensuring that effective Business Continuity Plans for critical functions are produced and maintained, corporate arrangements are in place (particularly with regard to facilities and systems) to support the delivery of these critical functions.

2. Quality Control, Compliance and Review

Services will be responsible for ensuring all appropriate Business Continuity Planning documentation is completed for critical functions under their control. The Emergency Planning Unit will review documentation and highlight shortcomings. Services will be offered support where required from the Emergency Planning Unit and will be given deadlines to rectify shortcomings. Status reports will be provided to CMT who will be expected to take action where progress is not being made.

3. Corporate Issues

The Emergency Planning Unit will, from the plans provided, extract information regarding the facilities and systems required to support critical functions. This information will be used to inform Facilities and ICT Disaster Recovery plans which will identify from where critical functions will be delivered together with details of how ICT systems will be provided to support these critical functions.

4. Governance Arrangements

CMT will receive regular progress reports regarding status of Business Continuity Planning across the organisation. They will be responsible for taking appropriate action where targets are not being met.

The Director of Housing and Environment will be the lead Director with the Emergency Planning Strategist being responsible for ensuring plans are completed and reviewed as necessary.

The Emergency Planning Strategist, Facilities and ICT staff will be responsible for ensuring Disaster Recovery plans are in place to ensure critical functions can be delivered from appropriate facilities using necessary systems.

Services will be responsible for producing Business Continuity Plans for critical functions under their control.

5. Current Status

All Services have been asked to provide an up to date list of all the plans they should have in place together with a copy of everything they actually have in place. The Emergency Planning Strategist is working through these plans to ensure compliance and to identify where support and additional resource may be required.

Existing asset information has been provided and this will be assessed against requirements identified in Business Continuity Plans.

ICT have introduced measures to remove the network single point of failure which exacerbated the recent network outage. This was tested successfully at the beginning of April.

The next full ICT Disaster Recovery test is scheduled for 22 June. This will test the readiness of infrastructure and the integrity of replicated data at the Disaster Recovery data centre. The results of that test will assist Services in clarifying potential downtime of the systems supporting their critical functions and allow them to assess the need for identifying alternative working arrangements (e.g. manual systems).

The Risk Manager intends to, subject to appropriate approvals, purchase a module for Covalent. This module is designed to manage policies and, amongst other projects, will be used to store and provide access to the Business Continuity Plans. It will automate the process of managing the review and maintenance of the plans. It will also provide high quality management reports on individual and corporate plan status. The module is being trialled at the moment and, if purchased, will greatly assist in the corporate management of Business Continuity.

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance

PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.


More information

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT INFORMATION SECURITY: UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT FACTSHEET This factsheet will introduce you to Business Continuity Management (BCM), which is a process developed to counteract systems

More information

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS NOTTINGHAM CITY HOMES IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS Report issued: February 2011 Audit Plan: The matters raised in this report are only those that came to the attention of the auditor

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Business continuity management policy

Business continuity management policy Business continuity management policy health.wa.gov.au Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business

More information

Business Continuity Management For Small to Medium-Sized Businesses

Business Continuity Management For Small to Medium-Sized Businesses Business Continuity Management For Small to Medium-Sized Businesses Produced by NORMIT and Norfolk County Council Resilience Team For an electronic copy of this document visit www.normit.org Telephone

More information

Information Services IT Security Policies B. Business continuity management and planning

Information Services IT Security Policies B. Business continuity management and planning Information Services IT Security Policies B. Business continuity management and planning Version 1 Date created: 28th May 2009 Approved by Directorate: 2nd July 2009 Review date: 1st July 2010 Primary

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK BUSINESS CONTINUITY MANAGEMENT FRAMEWORK Document Author: Civil Contingencies Service - Authorised by the CCS Joint Management Board - Version 1.0. Issued December 2012 Page 1 FRAMEWORK STATEMENT Business

More information

Recommendation Current Position and Explanation for Slippage: Target Dates:

Recommendation Current Position and Explanation for Slippage: Target Dates: IT Disaster Recovery 2012/13 Recommendation R1: A Disaster Recovery Plan should be developed and approved. As a minimum, this should include; the identification and prioritisation of key IT systems the

More information

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3

More information

Governance and Audit Committee 23 November 2015

Governance and Audit Committee 23 November 2015 Agenda Item 7 Governance and Audit Committee 23 November 2015 Welland Internal Audit Consortium Internal Audit Plan & Performance Update 2015/16 Purpose of report: To provide Members with information on

More information

Temple university. Auditing a business continuity management BCM. November, 2015

Temple university. Auditing a business continuity management BCM. November, 2015 Temple university Auditing a business continuity management BCM November, 2015 Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02 IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Principles for BCM requirements for the Dutch financial sector and its providers.

Principles for BCM requirements for the Dutch financial sector and its providers. Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011

More information

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 This report has been prepared on the basis of the limitations set out on page 16. Contents Page

More information

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management

More information

Internal Audit Report Disaster Recovery / Business Continuity Planning

Internal Audit Report Disaster Recovery / Business Continuity Planning Audit Committee, 28 November 2013 Internal Audit Report Disaster Recovery / Business Continuity Planning Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14,

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

How To Manage A Disruption Event

How To Manage A Disruption Event BUSINESS CONTINUITY FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational

More information

Proposal for Business Continuity Plan and Management Review 6 August 2008

Proposal for Business Continuity Plan and Management Review 6 August 2008 Proposal for Business Continuity Plan and Management Review 6 August 2008 2008/8/6 Contents About Newton IT / Quality of our services. BCM & BS25999 Overview 2. BCM Development in line with BS25999 3.

More information

Desktop Scenario Self Assessment Exercise Page 1

Desktop Scenario Self Assessment Exercise Page 1 Page 1 Neil Jarvis Head of IT Security & IT Risk DHL Page 2 From reputation to data loss - how important is business continuity? Neil Jarvis Head of IT Security (EMEA) DHL Logistics IT Security Taking

More information

The end of SAS70 what next for Performance Assurance?

The end of SAS70 what next for Performance Assurance? Enhancing Trust and Transparency The end of SAS70 what next for Performance Assurance? A perspective on transitioning from SAS 70 to ISAE 3402 pwc Enhancing Trust and Transparency 1 Contents What you need

More information

Entitlements Management System (EMS) Technology Update Project Health Check Review

Entitlements Management System (EMS) Technology Update Project Health Check Review Entitlements Management System (EMS) Technology Update Project Health Check Review February 2010 Final This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance

More information

Business Continuity Planning

Business Continuity Planning Business Continuity Planning We believe all organisations recognise the importance of having a Business Continuity Plan, however we understand that it can be difficult to know where to start. That s why

More information

Business Continuity Plan Template

Business Continuity Plan Template Business Continuity Plan Template Disclaimer This publication has been produced to provide a guide for people anticipating going into business and for business owners. It should not be regarded as an

More information

Business Continuity Plan Toolkit

Business Continuity Plan Toolkit Business Continuity Plan Toolkit March 2015 1 Contents The Template instructions for use... 2 Introduction... 3 What is the purpose of this toolkit?... 3 Why do you need a Business Continuity Plan?...

More information

Business Continuity Policy and Business Continuity Management System

Business Continuity Policy and Business Continuity Management System Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Tips and techniques a typical audit programme

Tips and techniques a typical audit programme Auditing Business Continuity Planning Tips and techniques a typical audit programme Karen Wills, Senior Internal Auditor St James s Place Wealth Management February 2014 Contents Background Roles and Responsibilities

More information

Payroll Review. Internal Audit Final Report 09_10 1.4. Assurance rating this review. Moderate. Distribution List. Chief Executive - Peter Sloman

Payroll Review. Internal Audit Final Report 09_10 1.4. Assurance rating this review. Moderate. Distribution List. Chief Executive - Peter Sloman Review Internal Audit Final Report 09_10 1.4 Assurance rating this review Moderate Distribution List Chief Executive - Peter Sloman Interim Executive Finance Director Nigel Pursey Heads of Finance - Penny

More information

Annual Report of Internal Audit 2012/13

Annual Report of Internal Audit 2012/13 Open Decision Item 4 Audit & Governance Committee 19 th June 2013 Annual Report of Internal Audit 2012/13 SYNOPSIS To report on Internal Audit s opinion of the overall adequacy and effectiveness of the

More information

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity INFORMATION RISK MANAGEMENT KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity ADVISORY Contents Agenda: Global trends and BCM

More information

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy Birmingham CrossCity Clinical Commissioning Group Business Continuity Management Policy Version V1.0 Ratified by Operational Development Group Date ratified 6 th November 2014 Name of originator / author

More information

Information Commissioner's Office

Information Commissioner's Office Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:

More information

Acknowledgement. First edition August 2006 Second edition July 2009 Third edition June 2015

Acknowledgement. First edition August 2006 Second edition July 2009 Third edition June 2015 WESTERN AUSTRALIAN GOVERNMENT BUSINESS CONTINUITY MANAGEMENT GUIDELINES Third Edition Acknowledgement RiskCover has produced the Business Continuity Management Guidelines to assist the Western Australian

More information

www.td.com.au Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012

www.td.com.au Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012 Business Continuity - IT Disaster Recovery Discussion Paper - - Version V2.0R Wednesday, 5 September 2012 Commercial in Confidence Melbourne Sydney 79-81 Coppin St Level 2 Richmond VIC 3121 414 Kent St

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

VISION FOR LEARNING AND DEVELOPMENT

VISION FOR LEARNING AND DEVELOPMENT VISION FOR LEARNING AND DEVELOPMENT As a Council we will strive for excellence in our approach to developing our employees. We will: Value our employees and their impact on Cardiff Council s ability to

More information

BUSINESS CONTINUITY STRATEGY 2014-2017

BUSINESS CONTINUITY STRATEGY 2014-2017 BUSINESS CONTINUITY STRATEGY 2014-2017 This strategy covers the period 01 April 2014 31 March 2017 and was approved by the Major Incident Working Group 19.03.2014 Caroline Rushmer Major Incident and Business

More information

Solihull Clinical Commissioning Group

Solihull Clinical Commissioning Group Solihull Clinical Commissioning Group Business Continuity Policy Version v1 Ratified by SMT Date ratified 24 February 2014 Name of originator / author CSU Corporate Services Review date Annual Target audience

More information

Aberdeen City Council. Performance Management Process. External Audit Report o: 2008/19

Aberdeen City Council. Performance Management Process. External Audit Report o: 2008/19 Aberdeen City Council Performance Management Process External Audit Report o: 2008/19 Draft Issued: 11 February 2009 Final Issued: 6 April 2009 Contents Pages Pages Management Summary Introduction 1 Background

More information

Best Practices in Disaster Recovery Planning and Testing

Best Practices in Disaster Recovery Planning and Testing Best Practices in Disaster Recovery Planning and Testing axcient.com 2015. Axcient, Inc. All Rights Reserved. 1 Best Practices in Disaster Recovery Planning and Testing Disaster Recovery plans are widely

More information

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard PUBLIC Version: 1.0 CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief

More information

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating: Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating: Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation

More information

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating: Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management Assurance Rating: Distribution List: Final Report Audit Committee Principal Vice Principal, (Resources and Financial Planning)/Director

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

Company Management System. Business Continuity in SIA

Company Management System. Business Continuity in SIA Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

Business Continuity Management. Policy Statement and Strategy

Business Continuity Management. Policy Statement and Strategy Business Continuity Management Policy Statement and Strategy November 2011 Title Business Continuity Management Policy & Strategy Date of Publication: Cabinet Council Published by Borough Council of King

More information

ICT Business Continuity & Disaster Recovery for Local Authorities. White Paper

ICT Business Continuity & Disaster Recovery for Local Authorities. White Paper ICT Business Continuity & Disaster Recovery for Local Authorities White Paper Contents 1 Introduction...3 1.1 What Constitutes a Disaster?...3 1.2 Phases...3 1.3 Overall Contingency Planning...3 2 Discovery

More information

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING ISO 22301 BUSINESS CONTINUITY MANAGEMENT SYSTEMS Most organisations will, at some point, be faced with having to respond

More information

Business continuity management and planning

Business continuity management and planning B Business continuity management and planning This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

Internal Audit Report 2015/16

Internal Audit Report 2015/16 Isle of Wight Council Internal Audit Report 2015/16 Business Continuity and IT Disaster Recovery April 2016 FINAL E - 37 Contents 1. Executive summary 2 2. Detailed current year findings 4 Appendix A:

More information

University of Glasgow. Policy for. Business Continuity Management

University of Glasgow. Policy for. Business Continuity Management University of Glasgow Policy for Business Continuity Management 1 Policy Statement The University of Glasgow is committed to delivering the highest possible quality of service to our students, and the

More information

APPENDIX 2 GENERIC OPERATIONAL RISKS RISK TABLES & ADDITIONAL ACTION PLANS MONITORING REPORT MARCH 2006

APPENDIX 2 GENERIC OPERATIONAL RISKS RISK TABLES & ADDITIONAL ACTION PLANS MONITORING REPORT MARCH 2006 APPENDIX 2 GENERIC OPERATIONAL S TABLES ADDITIONAL ACTION PLANS MONITORING REPORT MARCH 2006 GENERIC S AFFECTING MOST OR ALL SERVICES OPERATIONAL S OF HYNDBURN BOROUGH COUNCIL PROFESSIONAL LIKELI- HOOD

More information

How To Manage A Business Continuity Strategy

How To Manage A Business Continuity Strategy Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION

More information

Business Continuity Management (BCM) Policy

Business Continuity Management (BCM) Policy Business Continuity Management (BCM) Policy Reference number: Corporate 042 Title: Business Continuity Management (BCM) Policy Version number: Version 2 Policy Approved by: LLR PCT Cluster Board Date of

More information

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management POLICY Policy Title: Management Descriptors: 1) Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management Category: Risk Management Intent Organisational Scope Definitions Policy

More information

Guideline - Business Continuity Plan

Guideline - Business Continuity Plan Guideline - Business Continuity Plan 1. Introduction: The Business Continuity Plan is a component of the Risk and Business Management suite. This suite includes: Risk Management including risk registers

More information

Managing Risk Control Environment and Responsibilities

Managing Risk Control Environment and Responsibilities Managing Risk Page 1 of 8 Contents Introduction...3 Risk...3 Risk management - using the framework...3 Source of risk...3 Likelihood and impact...3 Inherent risk...4 Risk-reducing measures...4 Effectiveness...5

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Version 1 approved by SMG December 2013 Business Continuity Policy Version 1 1 of 9 Business Continuity Management Summary description: This document provides the rationale

More information

Departmental Business Continuity Framework. Part 2 Working Guides

Departmental Business Continuity Framework. Part 2 Working Guides Department for Work and Pensions Departmental Business Continuity Framework Part 2 Working Guides Page 1 of 60 CONTENTS Guide to business impact analysis...3 Guide to business continuity planning...7 Guide

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1 ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1 June 2007 The ESCB has developed a glossary of major business continuity terms for market

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy 1 NHS England INFORMATION READER BOX Directorate Medical Commissioning Operations Patients and Information Nursing Trans. & Corp. Ops. Commissioning Strategy Finance Publications

More information

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA 1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

Essex Fire Authority

Essex Fire Authority Internal Audit Report (2.13/.14) FINAL with the Civil Contingencies Act 1 October 2013 Contents Section Page Executive Summary 1 Action Plan 5 Findings and Recommendations 6 Debrief meeting 15 August 2013

More information

Governance, Risk and Best Value Committee

Governance, Risk and Best Value Committee Governance, Risk and Best Value Committee 2.00pm, Wednesday 23 September 2015 Internal Audit Report: Integrated Health & Social Care Item number Report number Executive/routine Wards Executive summary

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Internal Audit 2011-12: Business Continuity Review Last updated 6 February 2012 Will Simpson Senior Manager

More information

Version: 3.0. Effective From: 19/06/2014

Version: 3.0. Effective From: 19/06/2014 Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016

More information

Managing contractors involved in high impact activities

Managing contractors involved in high impact activities www.pwc.co.uk November 2011 Managing contractors involved in high impact activities A study of practices adopted by major organisations across six different sectors Contents 1. Introduction 2 2. Executive

More information

Police and Crime Commissioner for Staffordshire and Chief Constable of Staffordshire

Police and Crime Commissioner for Staffordshire and Chief Constable of Staffordshire www.pwc.co.uk Government and Public Sector 04/03/2015 Police and Crime Commissioner for Staffordshire and Chief Constable of Staffordshire External Audit Plan 2014/15 Contents Code of Audit Practice and

More information

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

RISK MANAGEMENT FOR INFRASTRUCTURE

RISK MANAGEMENT FOR INFRASTRUCTURE RISK MANAGEMENT FOR INFRASTRUCTURE CONTENTS 1.0 PURPOSE & SCOPE 2.0 DEFINITIONS 3.0 FLOWCHART 4.0 PROCEDURAL TEXT 5.0 REFERENCES 6.0 ATTACHMENTS This document is the property of Thiess Infraco and all

More information

BUSINESS CONTINUITY MANAGEMENT PLAN

BUSINESS CONTINUITY MANAGEMENT PLAN BUSINESS CONTINUITY MANAGEMENT PLAN For Thistley Hough Academy Detailing arrangements for Recovery and Resumption of Normal Academy Activity Table of Contents Section Content 1.0 About this Plan 1.1 Document

More information

abcdefghijklmnopqrstu

abcdefghijklmnopqrstu abcdefghijklmnopqrstu Business Continuity A Framework for NHS Scotland Strategic Guidance for NHS Organisations in Scotland 1 Contents 1. Introduction 4 1.1 Business Continuity Overview 5 2. Roles and

More information

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan EMERGENCY PREPAREDNESS PLAN Business Continuity Plan GIS Bankers Insurance Group Powered by DISASTER PREPAREDNESS Implementation Small Business Guide to Business Continuity Planning Surviving a Catastrophic

More information

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office IT Procurement Review Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Last updated 18 June 2012 Will Simpson Senior Manager T: 0161 953 6486 E: will.g.simpson@uk.gt.com

More information

How To Understand The Importance Of Internal Control

How To Understand The Importance Of Internal Control FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED CODE OCTOBER 2005 FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED

More information