Essex Fire Authority




Business Continuity, including compliance with the Civil Contingencies Act. Internal Audit Report (2.13/14) FINAL. 1 October 2013

Contents

Section                        Page
Executive Summary              1
Action Plan                    5
Findings and Recommendations   6

Debrief meeting: 15 August 2013
Draft report issued: 23 August 2013
Responses received: 1 October 2013
Final report issued: 1 October 2013

Auditors: Mark Jones; Daniel Harris; Suzanne Lane, Senior Manager; Andrew Patterson, Assistant Manager; Grant Spilsbury, Senior Auditor
Client sponsor(s): Charles Thomas - Risk & Continuity Manager
Report distribution: Charles Thomas - Risk & Continuity Manager; Glenn McGuiness - Deputy Director of Finance

The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist.

This report is prepared solely for the use of the Board and senior management of Essex Fire Authority. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose.

2013 Baker Tilly Business Services Limited. The term "partner" is a title for senior employees, none of whom provide any services on their own behalf. Baker Tilly Business Services Limited (No 04066924) is registered in England and Wales. Registered Office: 25 Farringdon Street, London, EC4A 4AB.

1 Executive Summary

1.1 Introduction

An audit of Business Continuity, including compliance with the Civil Contingencies Act, was undertaken as part of the approved internal audit periodic plan for 2013/14.

Essex is one of the largest county fire services in the UK and covers 367,000 hectares and a population of more than 1.74 million. The county contains the following risks: oil and gas terminals, a power station, two airports, docks, and arguably the country's busiest motorway, the M25, which runs through the heart of the county. The Service currently employs 890 whole-time and 466 retained fire fighters, 46 control staff and 253 support staff in its 50 fire stations.

Essex County Fire & Rescue Service (referred to as the Service hereafter) has a simple mission: "To save and protect lives, property and the environment". In order to continually achieve this mission, the Service has to consider the potential impacts of business interruptions and the many risks facing the organisation that could threaten the delivery of core functions.

The Service has appointed a Risk & Business Continuity Manager to ensure that the Service has sufficient business continuity arrangements in place and complies with the Civil Contingencies Act 2004 (CCA 2004). The CCA 2004 and its supporting Regulations and statutory guidance, Emergency Preparedness, establish a clear set of roles for category 1 organisations. As a category 1 organisation, the Service is required to:
- Assess the risk of emergencies occurring and use this to inform contingency planning;
- Put in place emergency plans;
- Put in place business continuity management arrangements;
- Put in place arrangements to make information available to the public about civil protection matters and maintain arrangements to warn, inform and advise the public in the event of an emergency;
- Share information with other local responders to enhance co-ordination;
- Co-operate with other local responders to enhance co-ordination and efficiency.

The audit was designed to assess the controls in place to manage the following objective and risk:

Objective: To ensure the Service can continue to operate and respond effectively in the event of any serious incident.
Risk: Inability to deliver normal / business as usual service.

1.2 Conclusion

Taking account of the issues identified, the Authority can take reasonable assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective. However, we have identified issues that, if not addressed, increase the likelihood of the risk materialising.

Page 1

The above conclusions, feeding into the overall assurance level, are based on the evidence obtained during the review. The key findings from this review are as follows:

Design of control framework

The Risk & Business Continuity Manager is responsible for ensuring that the Service's processes satisfy the requirements of the CCA 2004. This responsibility has been formally defined in their job description.

The Service has published a Strategic Assessment of Risk. The objective of the document was to understand the current issues and likely future trends of demography, industry and transport infrastructure within Greater Essex in order to assess the likely risks to which the Service may have to respond.

The Service has an established Strategic Business Continuity & Recovery Plan as required by the CCA 2004. This document provides the framework for response and recovery management following a business interruption. The Strategic Business Continuity & Recovery Plan includes a framework for communications in the event of a range of crises. The delivery of accurate and speedy information, internally and externally, is vital and is a requirement of the CCA 2004. The plan lists a four-stage approach and records contact details for all agency and public communication channels.

Each department (business continuity unit) is required to develop, implement and maintain its own Business Continuity Plan (BCP). Each department's BCP is reviewed by the Risk & Business Continuity Manager to ensure its completeness.

A Crisis Management Plan has also been established to assist the Service in responding to a sudden impact event. The document provides an action aide-memoire to consider on the invocation of this plan, the likely roles and responsibilities if a serious business continuity interruption occurs, a generic CIT agenda and a communications aide-memoire.

The Service is a member of the Essex Resilience Forum. The overall purpose of this forum is to ensure that there is an appropriate level of preparedness to enable an effective multi-agency response to emergencies which may have a significant impact on the communities of Essex.

The Service has conducted a scenario planning exercise to test how the Service reacts to the loss of the Headquarters in Kelvedon Park. This exercise was completed as a table top exercise and a presentation was used to act out the scenario. Lessons are learnt from testing or actual incidents and are shared with the Service through formal incident debriefs; where necessary, updates are made to the Business Continuity Plans.

Application of and compliance with control framework

The controls identified above were adequately complied with, except in the following instances, where two medium priority recommendations were raised:
- From our review of the BCP review tracker we confirmed that three departments had yet to submit their annual BCPs for review, despite the deadline of 31 May 2013 being communicated, and a further three BCPs were still undergoing the review process. We understand that previous versions were in place, but they have not been subject to the annual review and update. The Service could potentially fail to deliver core activities in the event of an incident if BCPs are not updated regularly.
- Sample testing of five BCPs confirmed that in three instances the BCP had not been tested. If BCPs are not tested, they may fail to adequately enable the business to continue appropriately in the event of an incident.

A further low priority recommendation was raised relating to the assurance of suppliers' BCPs and the testing of BCPs. These have been outlined further in the Action Plan and the Findings and Recommendations section that follow.

1.3 Scope of the review

To evaluate the adequacy of risk management and control within the system and the extent to which controls have been applied, with a view to providing an opinion. Control activities are put in place to ensure that risks to the achievement of the organisation's objectives are managed effectively. When planning the audit, the following controls for review and limitations were agreed.

Limitations to the scope of the audit:
- The audit did not consider all aspects of business continuity. The sample testing of business continuity plans during this review was focused predominantly on operational aspects and closely related business support functions.
- The audit did not provide assurance that the plans delivered will be sufficient and have the capability to ensure continuity in the event of an incident. We have not provided assurances on areas not covered within the business continuity plans reviewed as part of this audit.
- We were requested not to review the Industrial Action Business Continuity Planning, as this document was highly protected and sensitive due to the high possibility of strike action in the near future. Therefore we have not provided any assurance in this area.
- The scope of the work was limited to those areas examined and reported upon in the areas for consideration in the context of the objectives set out for this review. It should not, therefore, be considered as a comprehensive review of all aspects of non-compliance that may exist now or in the future.
- Any testing undertaken as part of this audit was compliance based and sample testing. In addition, our work did not provide any guarantee against material errors, loss or fraud, or provide an absolute assurance that material error, loss or fraud does not exist.

The approach taken for this audit was a Risk-Based Audit.

1.4 Recommendations Summary

The following tables highlight the number and categories of recommendations made. The Action Plan at Section 2 details the specific recommendations made as well as the agreed management actions to implement them.

Recommendations made during this audit: our recommendations address the design and application of the control framework as follows:

Priority                           High   Medium   Low
Design of control framework        0      0        0
Application of control framework   0      2        1
Total                              0      2        1

1.5 Additional Feedback

We have made suggestions where we have identified innovation or good practice at other organisations that Essex Fire Authority may wish to consider.

Suggestions made during the audit:
- The Fire Authority could consider utilising a third party to conduct a scenario planning exercise with Senior Management, to extend the possible scenarios used and bring an independent view to the process.
- Minutes of the Essex Resilience Forum should be requested and retained by the Service to enable matters raised to be easily referred to where required.

2 Action Plan

The priority of the recommendations made is as follows:

High / Medium / Low: Recommendations are prioritised to reflect our assessment of risk associated with the control weaknesses.
Suggestion: These are not formal recommendations that impact our overall opinion, but are used to highlight a suggestion or idea that management may want to consider.

Ref 1a
Recommendation: All Business Continuity Plans should be submitted to the Risk and Business Continuity Team in a timely manner to enable a regular review.
Categorisation: Medium
Accepted (Y/N): Y
Management comment: This is a perennial problem, somewhat worse this year. Department Managers will be debriefed on this Audit to inform them of the findings and recommendation. The SDB and the SMB will be asked to endorse the recommendation.
Implementation date: 1 April 2014
Manager responsible: Risk & Business Continuity Manager; all Department Managers

Ref 1b
Recommendation: Each department should assure itself that its key suppliers or partners that support a critical activity have effective business continuity management arrangements in place and update their Business Continuity Plans accordingly.
Categorisation: Low
Accepted (Y/N): Y
Management comment: Department Managers will be debriefed on this Audit to inform them of the findings and recommendation. The SDB and the SMB will be asked to endorse the recommendation.
Implementation date: 1 April 2014
Manager responsible: All Department Managers

Ref 2
Recommendation: A planned schedule of Business Continuity testing should be established to ensure that the Business Continuity Plans are fit for purpose and teams are knowledgeable of their roles.
Categorisation: Medium
Accepted (Y/N): Y
Management comment: A formal exercising and testing programme will be prepared and published.
Implementation date: 31 January 2014
Manager responsible: Risk & Business Continuity Manager

3 Findings and Recommendations

This report has been prepared by exception. Therefore, we have included in this section only those areas of weakness in control, or examples of lapses in control, identified from our testing, and not the outcome of all audit testing undertaken.

Risk: Inability to deliver normal / business as usual service.

Control 1 (actual and/or missing)

Each department (business continuity unit) is required to develop, implement and maintain its own Business Continuity Plan (BCP) to ensure that the following are achieved:
- Development of procedures and information maintained in readiness for use in a business interruption.
- Development, maintenance and testing of suitable business recovery plans for all subsidiary business units and locations.
- Regular review of the continuity requirements and plans to ensure that they reflect the needs of the business.
- Each department should assure itself that its key suppliers or partners that support a critical activity have effective BCM arrangements in place.
- The BCP can be activated during duty and non-duty hours, with and without warning.
- The BCP covers all locations, systems and buildings operated or maintained by the Service.

In May of each year, each department is required to review and update its plans and submit them to the Risk & Business Continuity Manager for review and approval.

Adequate design (yes/no): Yes

Test result / implications:

At the time of the audit we were provided with a copy of the email dated 16 April 2013 instructing all departments to begin the BCP review process. We confirmed that the email provided detailed information on what was expected.

At the time of the audit we were provided with a copy of the BCP review tracker, and from our review we confirmed that three departments have yet to submit their BCPs for review, despite the deadline of 31 May 2013 being communicated, and a further three of the 19 departments are still undergoing the review process. The three outstanding related to:
- Occupational Health, which now requires its own BCP, whereas previously it was incorporated within the Human Resources BCP; and
- Executive Support & Legal, and Transport, where it was confirmed with the Risk & Business Continuity Support Officer that BCPs were in existence; however, no review of their appropriateness had been undertaken in 2013.

If BCPs are not updated they may fail to acknowledge significant changes in the environment, resulting in the failure of a BCP when implemented.

In order to assist the development of the BCPs, a standardised pro forma was developed by the Risk & Business Continuity Manager to ensure the plans' requirements are met. From a review of the pro forma we confirmed that it is fit for purpose and should facilitate the requirements being fulfilled.

We obtained and reviewed the BCPs for Water, Fuel, Control, Technical Services and Fleet. From a review of these documents we confirmed the following:
- Each BCP contained sufficient information in readiness for use in the event of a business interruption;
- Only two of the five plans had been tested, although one was last tested in 2009. In the remaining three cases the plans did not record that any testing had been undertaken. Without BCPs being subject to regular testing there is a risk that the plans are inadequate and may not be sufficient to restore business as usual;
- Three of the BCPs had been subject to a recent review and had been updated accordingly. Two of the BCPs were still under review at the time of the audit. We discussed this further with the Risk & Business Continuity Manager and were informed that the reviews are still in progress and were delayed due to arising sector issues that required priority;
- Each BCP identified its key suppliers and their possible lead time in providing support. However, none of the BCPs showed that assurance had been gained from suppliers that they have effective BCM arrangements in place. Ineffective supplier BCPs could prevent the Service from continuing to provide a suitable service in the event of an incident;
- Each BCP contained sufficient information to permit the BCP to be activated during duty and non-duty hours, with and without warning;
- Each BCP covered the locations, systems and buildings operated or maintained by the Service.

Recommendations:
- 1a: All Business Continuity Plans should be submitted to the Risk and Business Continuity Team in a timely manner to enable a regular review. Categorisation: Medium.
- 1b: Each department should assure itself that its key suppliers or partners that support a critical activity have effective business continuity management arrangements in place and update their Business Continuity Plans accordingly. Categorisation: Low.

Control 2 (actual and/or missing)

It is the intention of the Service to develop a plan to periodically test and evaluate the operational business continuity plans to ensure that they are fit for purpose. This process has been delayed due to the organisation preparing for possible strike action; therefore concentration has been placed on planning and strengthening the organisation's resilience to this threat. However, in this financial year the Service has conducted a scenario planning exercise to test how the Service reacts to the loss of the Headquarters in Kelvedon Park (KP). This exercise was completed as a table top exercise and a presentation was used to act out the scenario.

Adequate design (yes/no): Yes

Test result / implications:

We confirmed with the Risk & Business Continuity Manager that a planned schedule of Business Continuity testing will be established; this task has been delayed due to current external events that have changed the priority of the task. Whilst accepting this, and that a review of the BCPs is completed, it is important that all BCPs are tested regularly. Without a schedule in place there is a risk that BCPs will not be tested and therefore may not be fit for purpose, and teams may not be aware of their roles and responsibilities.

We obtained and reviewed copies of the KP fire scenario planning exercise held on 1 August 2013. This was designed for departments to verify and improve their business continuity plans. We confirmed that this scenario was a desktop exercise and participants were led through the event using a PowerPoint presentation. The event was led by the Risk & Business Continuity Manager and the exercise considered the loss of the Headquarters as a result of a fire. From a review of the slides and supporting material we confirmed that the exercise was fit for purpose and adequately designed to fulfil the objective of the exercise.

Recommendation:
- 2: A planned schedule of Business Continuity testing should be established to ensure that the Business Continuity Plans are fit for purpose and teams are knowledgeable of their roles. Categorisation: Medium.