DIRECTORATE OF AUDIT, RISK FF AND ASSURANCE. Appendix 2a FOLLOW UP REVIEW OF CORPORATE BUSINESS CONTINUITY

Transcription

1 DIRECTORATE OF AUDIT, RISK FF AND ASSURANCE Internal (Foundry Audit Forms Service San/ Font size to 20/ the RBG: 160, GLA 160, 170) Appendix 2a FOLLOW UP REVIEW OF CORPORATE BUSINESS CONTINUITY

2 DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Andrew Dimon, Risk & Assurance Auditor Report Distribution List Simon Grinter, Head of Resilience and Facilities Management Chris Harris, Resilience and Facilities Management Martin Clarke, Executive Director Resources David Gallie, Assistant Director of Finance

3 CONTENTS EXECUTIVE SUMMARY Page Background 1 Audit Objectives 1 Audit Assurance 1 Key Findings 1 RISK CATEGORISATION Analysis of Original Recommendations 3 Risk and Assurance Ratings Definitions 4 ACTION PLAN Follow Up Findings and Recommendations 5

4 EXECUTIVE SUMMARY 1. Background 1.1 This audit follows up the progress made towards implementing the agreed recommendation from the audit of Corporate Business Continuity that was completed in September The Civil Contingencies Act, 2004 requires the GLA to maintain an acceptable level of service of critical activities in the event of disruption, and therefore the GLA is a category 1 responder. Business continuity is overseen by the GLA Resilience Group, which is chaired by the Director of Resources and includes representatives from each business areas who maintain their own directorate plans. 1.3 Since the audit the HCA and LDA are now part of the GLA, and have formed a new Housing and Land directorate, and as required the new directorate has an up to date business continuity plan in place. 1.4 The original audit report contained four recommendations which were accepted by management. 2. Audit Objectives 2.1 Our objectives during this review were to: Establish whether the accepted recommendations have been implemented. Assess the impact of any changes in the business continuity system since the original review. 3. Audit Assurance Adequate Assurance The control framework is adequate and controls to mitigate key risks are generally operating effectively. 4. Key Findings 4.1 Since our original audit review three recommendations have been fully implemented and one recommendation partly. 4.2 The GLA Resilience Group meet regularly to ensure best practice is consistently applied within the Authority and that the status of directorate continuity plans is discussed. Compliance to update and review every 6 months is overseen by the Director of Resources who chairs the group. An updated corporate business plan was implemented on 26 June September 2012 Corporate Business Continuity Follow Up 1

5 EXECUTIVE SUMMARY 4.3 Business continuity has been discussed extensively over the past year at regular meeting by Corporate Management Team, Devolution Programme, and London The corporate plan was successfully tested in June 2012 in a table top exercise; the outcomes were recorded with actions assigned where necessary. 4.5 Directorate plans are regularly refreshed and all staff are aware of their responsibilities. Directorates and key teams identify critical suppliers and include them in their business continuity plans. 4.6 To date business continuity has not been included into the Corporate and Local Induction process; a planned review of the best approach to incorporate business continuity into the staff inductions process is currently on-going. 4.7 The Executive Director of Resources holds quarterly meetings with representatives of all directorates at the GLA Resilience Group where performance information is agreed and reported as part of GLA Performance Monitoring. September 2012 Corporate Business Continuity Follow Up 2

6 RISK CATEGORISATION Our recommendations are categorised according to their level of priority as follows: Priority 1 Major issues for the attention of senior management. Remedial action should be taken urgently. Priority 2 Other recommendations for local management action. Although not fundamental, relate to short comings in control. Priority 3 Minor Matters. Not critical but would benefit from improved control. Risk Category ANALYSIS OF ORIGINAL RECOMMENDATIONS Accepted Fully Implemented Partly Implemented Not Implemented Priority Priority Priority Priority Total September 2012 Corporate Business Continuity Follow Up 3

7 RISK CATEGORISATION RISK AND AUDIT ASSURANCE STATEMENT DEFINITIONS ASSURANCE CRITERIA Overall Rating Substantial Adequate Limited No Assurance Criteria There is a sound framework of control operating effectively to mitigate key risks, which is contributing to the achievement of business objectives. The control framework is adequate and controls to mitigate key risks are generally operating effectively, although a number of controls need to improve to ensure business objectives are met. The control framework is not operating effectively to mitigate key risks. A number of key controls are absent or are not being applied to meet business objectives. A control framework is not in place to mitigate key risks. The business area is open to abuse, significant error or loss and/or misappropriation. Impact There is particularly effective management of key risks contributing to the achievement of business objectives. Key risks are being managed effectively, however, a number of controls need to be improved to ensure business objectives are met. Some improvement is required to address key risks before business objectives can be met. Significant improvement is required to address key risks before business objectives can be achieved. RISK RATINGS Priority Categories recommendations according to their level of priority. 1 Critical risk issues for the attention of senior management to address control weakness that could have significant impact upon not only the system, function or process objectives, but also the achievement of the organisation s objectives in relation to: The efficient and effective use of resources The safeguarding of assets The preparation of reliable financial and operational information Compliance with laws and regulations. 2 Major risk issues for the attention of senior management to address control weaknesses that has or is likely to have a significant impact upon the achievement of key system, function or process objectives. This weakness, whilst high impact for the system, function or process does not have a significant impact on the achievement of the overall organisational objectives. 3 Other recommendations for local management action to address risk and control weakness that has a low impact on the achievement of the key system, function or process objectives ; or this weakness has exposed the system, function or process to a key risk, however the likelihood is this risk occurring is low. 4 Minor matters need to address risk and control weakness that does not impact upon the achievement of key system, function or process or process objectives; however implementation of the recommendation would improve overall control. September 2012 Corporate Business Continuity Follow Up 4

8 ACTION PLAN Ref. Finding and Risk Priority Original Recommendation Follow Up Finding Further Recommendations and Management Response 7.7 Plans are not regularly reviewed, updated and relevant there is a risk of failed continuity through incorrect information and inadequate identification of supplier service. 2 Red status plans are flagged to the next CMT meeting for action to review and update; All red status plans are flagged for action to review and update. Business continuity is regularly discussed at CMT meetings. There are currently no red status plans and CMT received its latest update on 1 October. None 7.11 The corporate lead is unclear in business continuity documentation; there is a risk of non compliance. Critical suppliers are regularly reviewed by all directorates and included in their business continuity plans. 2 At the next revision of corporate and local plans that the strategic lead is identified as the Head of Paid Services and roles and responsibilities are set and communicated. The template for business continuity plans exists which requires Directorates and key teams (eg FM, IT and Finance) to identify critical suppliers and include them in their business continuity plans that are reviewed every 6 months. A revised corporate plan was published in June 2012 identifying the strategic lead as the Head of Paid Services with set roles and responsibilities. None 7.12 Business continuity is not regularly discussed; there is a risk that staff may be unaware of procedures through time lapses and staff changes. 2 Business continuity is incorporated in corporate and local new starter induction process. Business continuity is Process is still on-going due to staff changes within HR and a planned review of the best approach to incorporate business continuity into the staff inductions process. Business continuity has been Partly Implemented Original Recommendation (bullet point 1) applies Business continuity is incorporated in corporate and local new starter induction process. September 2012 Corporate Business Continuity Follow Up 5

9 ACTION PLAN Ref. Finding and Risk Priority Original Recommendation Follow Up Finding Further Recommendations and Management Response discussed as a 6 monthly agenda item on the Corporate Management Team, Directorate and team meeting to update plans and to refresh all staff of their responsibilities. discussed extensively over the past year at regular meeting by Corporate Management Team, Devolution Programme, GLA Resilience Group, and London This has ensured that directorate plans are regularly refreshed all staff are aware of their responsibilities. Management Response HR will review the appropriate approach to incorporate business continuity into staff inductions. Implementation date January There is a lack of senior management knowledge of the readiness and plans for business continuity. 3 That the reporting structure for business continuity is reviewed to ensure expected reporting and performance information is agreed and regularly provided. The Executive Director of Resources holds quarterly meetings with representatives of all directorates at the GLA Resilience Group where performance information is agreed and reported as part of GLA Performance Monitoring. None September 2012 Corporate Business Continuity Follow Up 6