Introduction

1. Many services delivered by public sector entities are essential to the economic and social well-being of society—a failure to deliver these could have significant consequences for those concerned and for the nation. Other services may not be essential, but a disruption can nonetheless result in inconvenience and inefficiency, and have economic costs.

2. Government entities face a range of situations—including equipment failure, natural disaster, and criminal activity—that may lead to a significant business disruption. In response to such business disruption, entities need to have arrangements in place to support the continuation and/or resumption of essential services and ultimately return to business as usual. Often these arrangements will need to operate alongside emergency or disaster management arrangements to ensure the safety of staff and assets.

3. Business continuity management (BCM) is the development, implementation and maintenance of policies, frameworks and programs, to assist an entity manage a business disruption, as well as build entity resilience.¹ As such, BCM is an important element of good governance. BCM forms part of an entity’s overall approach to effective risk management, and can provide a capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event.

4. To appropriately focus an entity’s business continuity arrangements, it is important to have a clear and agreed understanding of the entity’s business objectives and the critical business functions or activities which help to achieve those objectives. The business continuity arrangements should also identify the resources supporting these priority functions. These resources are known as enabling assets and services, and include information and communication technology (ICT), property and security, and human resources.

Policy requirements and better practice

5. Business continuity management in Australian Government entities is governed by the Protective Security Policy Framework (PSPF), which requires entities to use a risk management approach to cover all areas of protective security activity. The PSPF applied to all former Financial Management and Accountability Act 1997 (FMA Act) agencies, and to those former Commonwealth Authorities and Companies Act 1997 (CAC Act) bodies that have received a Ministerial Direction. This arrangement is currently being revised as part of the introduction of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), from 1 July 2014.²

6. For entities subject to the PSPF, the key mandatory requirements relating to BCM are GOV 11 and PHYSEC 7 (see Table S.1, below). The ANAO completed an audit in 2013–14 of the Management of Physical Security³ which included a focus on the implementation of PHYSEC 7 in three entities. This audit focuses on the GOV 11 requirement.

Table S.1: Protective Security Policy Framework—key mandatory requirements relating to business continuity management

Source: PSPF, June 2013, pp. 18 and 34.

7. Protocols, standards and guidelines have been developed to support the mandatory requirements in the PSPF. In relation to GOV 11, this includes an expectation that an entity’s BCM program should comprise the following five components:

1. a governance structure that establishes authorities and responsibilities for the BCM program, including for the development and approval of business continuity plans (BCPs);
2. an impact analysis to identify and prioritise an entity’s critical services and assets, including the identification and prioritisation of information exchanges provided by, or to other entities or external parties;
3. plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment;
4. activities to monitor an entity’s level of overall preparedness; and
5. the continuous review, testing and audit of BCPs.

8. In addition to these specific requirements, entities should seek to adopt a BCM approach that is relevant, appropriate and cost-effective. In this respect, clearly defining the purpose, priorities and coverage of BCM is important. The PSPF identifies several standards and guidelines that provide additional explanation for the five BCM components, and other aspects of BCM. These include Standards Australia Handbooks published in 2004 and 2006⁴ and the ANAO Better Practice Guide (BPG) 2009, Business Continuity Management—Building Resilience in Public Sector Entities. In addition to the standards and guidelines referred to in the PSPF, there is a range of other useful Australian and international better practice materials.⁵ Consistent with the PSPF promotion of a risk-based approach, entities are expected to tailor their BCM arrangements to their particular context and operating environment. In this regard, entities have some flexibility in relation to the structure, content and comprehensiveness of their programs.

9. Entities subject to the PSPF are required to report annually on their compliance with the mandatory PSPF requirements to their portfolio minister.⁶ Of the 110 entities that reported on the GOV 11 mandatory requirement in 2013, 12 entities reported that they were non-compliant. The majority of the non-compliant entities were in the process of finalising reviews of their BCPs at the time of reporting.

Previous audits

10. The ANAO has conducted four audits since 2002 that have focused on BCM arrangements in entities.⁷ Each of these audits has identified areas for improvement. Specific areas for improvement include the need for enhanced oversight and testing of BCM arrangements, as well as the need to adopt a program management approach to BCM in order to facilitate continual review and adjustment. The ANAO has also considered BCP and disaster recovery planning as part of the interim phase of the audits of financial statements of major general government sector agencies. These audits have highlighted the importance of BCP and ICT disaster recovery planning to the continuing delivery of services, but have observed that a number of entities relied on unplanned disruptions to business operations to test their BCPs.⁸

Audit objective, criteria and scope

Audit objective

11. The objective of the audit was to assess the adequacy of selected Australian Government entities’ practices and procedures to manage business continuity. To conclude against this objective, the ANAO adopted high-level criteria relating to the entities’ establishment, implementation and review of business continuity arrangements.

12. The ANAO examined BCM arrangements and practices in the:

• Civil Aviation Safety Authority (CASA)⁹;
• Department of Finance (Finance); and
• Department of Social Services (DSS).

13. For the selected entities¹⁰, the ANAO assessed the BCM framework and approach, including key documentation (such as BCM policy and BCPs), entity responses to actual events, BCM exercises and testing activities, and monitoring and review.

Overall conclusion

14. The risk and potential consequences of natural disasters and other business disruption events reinforces the need for Australian Government entities to have effective business continuity management (BCM) arrangements in place to provide for the continued availability of critical services and assets. Effective BCM arrangements give entity management and stakeholders greater confidence in the entity’s ability to manage the impact of a disruption and return to business as usual.

15. In line with policy requirements and expectations of the Protective Security Policy Framework (PSPF), each of the entities had established relevant governance structures, assessed risks, identified critical functions, services or assets, undertaken business impact analyses, and developed business continuity plans (BCPs). Each of the entities assessed their business continuity risk at an entity-wide level, and developed a BCM program to manage their risk exposure. The program involved annual or biennial business impact analysis, development of BCPs, and testing of business continuity arrangements. Finance’s approach was the most structured, providing a clear line of sight between the 17 functions it identified as critical and the actions that would be undertaken to recover in the event of a disruption, including key dependencies and resource requirements.

16. CASA, as a Commonwealth Authorities and Companies Act 1997 body, was not required to comply with the PSPF, but had nonetheless developed its BCM approach generally in line with the PSPF. CASA has chosen to manage the business continuity of its most time critical activity¹¹ separate from its entity-wide BCP. While CASA’s BCP anticipates having functions and systems operational in alternative locations within 24 hours, it did not identify a list of these critical functions or activities and their key dependencies. As a result, the focus of the plan was on enabling resources rather than critical functions as envisaged by the GOV 11 element of the PSPF and better practice guidance. However, CASA’s BCP did provide a list of 23 ICT systems and facilities that need to be recovered within 48 hours. The absence of a list of critical functions, and the lack of integration of the arrangements for managing critical functions, introduces the risk that the delivery of key products and services will not be appropriately prioritised and addressed during a disruption. To better support the management of disruptions, CASA should identify and prioritise critical functions in its BCPs, and detail key dependencies.

17. As a larger and more diverse entity, DSS’s BCM approach was to identify six Mission Critical Activities and 281 critical functions (requiring recovery within seven days). Of these critical functions, 120 related to the six Mission Critical Activities and the remainder were considered to be enabling services. Responses were to be managed across 33 BCPs, each varying in comprehensiveness. The volume of documentation is potentially problematic from a recovery perspective. To assist in making decisions regarding potential recovery action, DSS should prioritise and rationalise its critical functions at an entity-wide level. This would involve determining entity priorities for services and assets, particularly in relation to resourcing and the continuation, recovery and/or stand down of functions.

18. Since January 2010, the audited entities have each experienced a number of business disruptions, ranging in impact from the minor and inconvenient—partial evacuations and all day outages of critical systems—to the significant—week-long office closures due to weather events including cyclones and floods. In most cases the entities’ emergency or disaster response arrangements were initiated quickly to provide protection for staff and property, however, in this period Finance was the only entity that had initiated its BCM arrangements in response to disruptions to provide protection for affected critical functions.

19. CASA and DSS managed several significant disruptions in 2011, including the Queensland floods and Cyclone Yasi, without activating business continuity arrangements. CASA has advised that some critical operational processes were diverted to other locations.¹² Beyond this, CASA adopted an emergency response intended to protect staff and property. Similarly, DSS responded with an emergency management approach—business continuity arrangements were not activated. Regardless, neither the emergency management nor business continuity arrangements extended to consideration of community services (delivered by the department’s funded service providers), consequently senior management within the Queensland Office sought to manage continuity issues in relation to these services as the event unfolded. A subsequent review recommended a number of operating changes. While DSS’s Queensland State Office had revised its BCM arrangements for the continuation of services delivered by funded service providers, these arrangements were not sufficiently proactive and have not been applied at an entity-wide level.

20. To understand and improve the operation of business continuity arrangements, it is important to review the response to disruptions. Finance systematically documented incidents and their impact, providing reasons why the BCPs were, or were not, initiated during an incident, and had undertaken post incident reviews. In contrast, CASA’s and DSS’s approaches to documenting events, their impact, BCM considerations and post incident review were not systematic, limiting the opportunity for continuous improvement.

21. Between 2009 and 2013 CASA and DSS had undertaken testing of some aspects of their BCM approach. This generally included testing critical ICT systems, DSS also usually conducted an annual test of its entity-wide BCP¹³, while CASA participated in a joint exercise with NSW police and emergency services. Relative to the other entities examined, Finance had a more comprehensive testing and exercising regime in place, and conducted entity-wide annual tests for some critical functions. This included post-exercise reviews, with assigned actions, to incorporate improvements or revisions into the BCPs.

22. The PSPF provides entities with flexibility to establish a BCM approach which is appropriate to their business requirements. To be practical and useful during a disruption, the approach needs to establish priorities, be easy to follow and should be tested. Finance’s arrangements were more mature and reflected incremental improvements made by the department over a number of years. However, while CASA’s¹⁴ and DSS’s BCM approaches align with the PSPF expectation to have a BCM program, both entities should take a more structured and systematic approach to planning for, testing and responding to business disruptions. This provides for continuous improvement to business continuity planning. The ANAO has made three recommendations in this regard.

Key findings by chapter

Business Continuity Management (Chapter 2)

23. A key element of effective ongoing management of business continuity is developing and implementing an appropriate governance framework. Such a framework includes establishing overall policy, key responsibilities, annual planning arrangements, and performance review and monitoring arrangements. All audited entities had developed a governance framework as part of their BCM approach and had reviewed these in 2013. Each entity also issued policy and guidance, determined the objective and scope of their BCM approach, and assigned key roles and responsibilities. Generally, entities’ arrangements focused on continuing or recovering critical functions within maximum acceptable outage timeframes—mostly within one to seven days of a disruption.

24. CASA and Finance had developed overall BCM framework documents to promote a more coherent understanding of their approach, while DSS had not yet developed a similar overall representation of its BCM arrangements. Finance’s policy and guidance also provided targeted guidance for different stages of the BCM approach (and for different levels within the entity) with practical tools such as templates. CASA’s and DSS’s guidance was not as well-structured, and better links could have been established between their respective policy and guidance materials.

Assessing and Planning for Business Continuity Needs (Chapter 3)

25. Effective planning of BCM includes: identification of critical business functions; undertaking a business impact analysis; and developing strategies and plans to manage the continuation and recovery of critical functions during a business disruption. While entities generally begin with the identification of all business processes, it is necessary to refine these into a prioritised list of critical processes, and assign target recovery times. In this respect, CASA would benefit from specifically addressing critical functions in its BCPs, and DSS from rationalising and prioritising its critical functions—the list of 281 critical functions is too extensive to usefully focus on the continuation or restoration of business priorities.

26. To restore business, entities must be able to readily identify and have on hand—or recover—the technology, telecommunications and vital records necessary to support these critical business functions. It is also important to understand external and internal dependencies and prepare adequate arrangements, including with third party providers, to make sure the entity can deliver key products and services within target recovery times. Neither DSS’s nor CASA’s business impact analyses and BCPs contained sufficient details of key dependencies for their critical functions. For DSS this is an important risk to manage given the department’s use of third parties to deliver community services across Australia. There would also be merit in DSS adjusting its current approach towards more proactive and action-oriented plans that better facilitate business continuity preparedness.

Responding to Disruptions (Chapter 4)

27. When responding to a disruption an entity should record important decisions and actions, including the Control Team’s considerations regarding activating BCM arrangements. After the entity has returned to normal operations it is sound practice to review its response to the disruption. This contributes to continuous improvement, potentially placing an entity in a better position to respond to similar future events. By analysing successes and failures, lessons to be learned can be drawn out, and actions can be taken to safeguard against failures and to replicate and repeat successes.

28. CASA and DSS should do more to systematically record key events, decisions and actions, including capturing details of the impact of events on the entity and any decisions to activate BCM arrangements. This information would also support post incident review to inform improvements to the processes. Finance has systemically documented incidents and the reasons why BCPs were, or were not, activated during a disruption. Finance also used a post incident report to assess its response to the disruption and where necessary, made improvements to its plans.

Monitoring and Review (Chapter 5)

29. To practice, assess the effectiveness, and improve performance of business continuity arrangements, the PSPF expects entities to test and continuously review their BCPs. Finance had the most structured exercising regime, including guidance, an annual program of events, cross-entity testing of systems and post exercise reviews. While DSS and CASA both tested their critical ICT systems, both entities should develop and undertake a broader program of testing for their entity-wide and local level BCM arrangements.

30. The PSPF also emphasises the importance of entities undertaking a range of activities to monitor their overall level of preparedness. None of the entities sufficiently monitored their overall preparedness to manage and resolve business disruptions. To better meet the expectations of the PSPF, the audited entities would benefit from regularly monitoring their overall level of preparedness and reporting on the extent to which key performance targets are met.

Summary of entities’ responses

31. The audited entities’ summary responses to the audit report are provided below. Appendix 1 contains the entities’ full response to the audit report.

Civil Aviation Safety Authority

32. While CASA is not required to comply with the Protective Security Policy Framework (PSPF), CASA fully acknowledges the importance of business continuity and in addition to the GOV 11 requirement CASA has adopted a BCM approach that is tailored to CASA’s business objectives and operating environment, risk based and relevant.

33. Overall, CASA accepts the ANAO findings and the continuous improvement which can be generated through the implementation of the recommendations contained in the report. CASA has already undertaken steps to address the recommendations and thanks the ANAO for their professional conduct during the fieldwork and their ongoing consultation with CASA’s management team throughout the process.

Department of Finance

34. The Department of Finance acknowledges the findings of this report and supports the recommendations. The Department found the audit process to be a valuable exercise and appreciates the positive feedback provided by the ANAO on the Department’s performance in relation to its business continuity management practices.

Department of Social Services

35. The Department of Social Services (DSS) welcomes the ANAO audit report on Business Continuity Management and supports the recommendations made by the ANAO.

36. DSS is committed to managing business interruptions that have the potential to affect its critical services and assets as well as the wider Australian community. DSS continues to refine its framework to ensure a well-developed, structured and robust business continuity program leading to improved organisational resilience.

Recommendations

The recommendations are likely to be relevant to other Australian Government entities. Therefore, all Australian Government entities are encouraged to assess the benefits of implementing these recommendations in light of their own circumstances, including the extent to which each recommendation, or part thereof, is addressed by practices already in place.

Business continuity management in the Australian Government

1.1 Government entities face a range of situations that may lead to significant business disruption. Providing continuity of critical public services and assets in the face of a disruptive event is essential to the economic and social well-being of Australian society—a failure of a public sector entity to deliver these could have significant consequences for those concerned and for the nation. Other services may not be essential, but a disruption can nonetheless result in inconvenience and inefficiency, and have economic costs.

1.2 When a disruption occurs, often an entity will initially activate emergency response or disaster management arrangements to ensure the safety of staff and assets. However, entities also need to have arrangements in place for the continuation and/or resumption of essential services and ultimately return to business as usual. Business continuity management (BCM) is the development, implementation and maintenance of policies, frameworks and programs, to assist an entity manage a business disruption, as well as build entity resilience.¹⁵ As such, BCM is an important element of good governance and forms part of an entity’s overall approach to effective risk management.¹⁶

1.3 To appropriately focus an entity’s business continuity arrangements, it is important to have a clear and agreed understanding of the entity’s business objectives and the critical business functions or activities which help to achieve those objectives. The business continuity arrangements should also identify the resources supporting these priority functions. These enabling resources are also known as enabling assets and services, and include information and communication technology (ICT), property and security, and human resources.

Policy requirements and better practice

1.4 Business continuity management in Australian Government entities is governed by the Protective Security Policy Framework (PSPF) which requires entities to use a risk management approach to cover all areas of protective security activity.¹⁷ The PSPF was introduced in July 2010 and applies to all former Financial Management and Accountability Act 1997 (FMA Act) agencies, and to those former Commonwealth Authorities and Companies Act 1997 (CAC Act) bodies that have received a Ministerial Direction. This arrangement is currently being revised as part of the introduction of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).¹⁸

1.5 For entities subject to the PSPF, the key mandatory requirements for BCM are GOV 11 (which requires agencies to establish a BCM Program to provide for continued availability of critical services and assets¹⁹) and PHYSEC 7 (which requires plans for heightened security levels in case of increased threats). Table 1.1, below, outlines these requirements. The focus of this audit is the GOV 11 requirement. The ANAO completed an audit in 2013–14 of the Management of Physical Security²⁰ which included a focus on the implementation of PHYSEC 7 in three entities.

Table 1.1: Protective Security Policy Framework—key mandatory requirements relating to business continuity management

Source: PSPF, June 2013, pp. 18 and 34.

1.6 BCM is also an integral component of the PSPF’s information security management (such as INFOSEC 4²¹)—where the overarching policy requirements are confidentiality, integrity and availability of information and associated assets. Specifically, system availability requirements need to be considered, and appropriate measures must be applied including the development of business continuity and disaster recovery plans.²²

Expectations underlying the GOV 11 requirement

1.7 The PSPF mandatory requirements are supported by detailed protocols, standards and guidelines. GOV 11 includes an expectation that an entity’s BCM program should be comprised of five components: a governance structure; an impact analysis; plans, measures and arrangements; preparedness monitoring activities; and continuous review and testing. A detailed description of these components is provided in Table 1.2.

Table 1.2: Business continuity management expectations—Protective Security Policy Framework components

Source: PSPF, June 2013, p. 18.

1.8 The PSPF identifies several standards and guidelines that provide additional explanation of each of the five BCM components, and other aspects of BCM, including Standards Australia handbooks published in 2004 and 2006²³ and the Australian National Audit Office (ANAO) Better Practice Guide (BPG), 2009, Business Continuity Management—Building resilience in Public Sector Entities. In addition to the standards and guidelines referred to in the PSPF, there is a range of other Australian and international better practice material.²⁴

1.9 Consistent with the PSPF promotion of a risk-based approach, entities should tailor their business continuity arrangements to their particular context and operating environment. In this regard, entities have flexibility in relation to the structure, content and comprehensiveness of their programs (depending on each entity’s requirements), and the standards and guidelines they adopt.

1.10 In addition, the National Archives of Australia has developed minimum requirements for basic information and records management.²⁵ Check-up 2.0 established a minimum requirement for information and records management of having business continuity and disaster management plans that: identify vital records; cover records in all formats; and are regularly reviewed and updated. Check-up Digital also requires business continuity and disaster recovery plans for all digital information.

Developments in International Standards

1.11 The 2009 ANAO BPG and Australian Standards handbooks are referenced in the PSPF as further guidance. Over time, some elements of this guidance have been superseded, or are no longer relevant.²⁶ For example, Standards Australia’s HB 292–2006 A Practitioners Guide to Business Continuity Management notes that there is no internationally defined or accepted standard for business continuity.²⁷ This changed in 2012, when the following international BCM standards were released:

• ISO 22301:2012 Societal security—Business continuity management systems—Requirements; and
• ISO 22313:2012 Societal security—Business continuity management systems—Guidance.²⁸

1.12 These standards provide references to more recent guidance material, including the latest risk management standard and they adopt international BCM terminology, methods, concepts and practices. These international standards have not been adopted by the PSPF (or Standards Australia).

Australian Government reporting on business continuity management arrangements

1.13 Entities subject to the PSPF must report annually on their compliance with the PSPF to their portfolio minister.²⁹ Of the 110 entities that reported on the GOV 11 mandatory requirement in 2013, 12 entities reported that they were non-compliant. The majority of the non-compliant entities were in the process of finalising reviews of their business continuity plans (BCPs) at the time of reporting.

1.14 Comcover also conducts an annual Benchmarking Survey of its Fund Members’ Risk Management. The survey includes consideration of Business Continuity and Disaster Recovery. In 2013, 143 Fund Member entities responded to the survey. Comcover noted that one of the most significant changes since the survey was first undertaken in 2010 was in relation to improvements in the maturity of business continuity and disaster recovery. Responses indicated that many entities were building enhanced BCPs which were critical to respond to adverse events impacting agency operations. Survey results also indicated entities were investing in establishing and regularly testing BCPs, including defining roles and responsibilities for critical business processes.

Previous audits

1.15 The ANAO has conducted four audits since 2002 that have focused on BCM arrangements in entities.³⁰ Each of these audits has identified areas for improvement. Specific areas for improvement include the need for enhanced oversight and testing of BCM arrangements, as well as the need to adopt a program management approach to BCM to facilitate continual review and adjustment to remain relevant to changing operating and external environments. ANAO has also considered BCP and disaster recovery planning as part of the interim phase of the audits of financial statements of major general government sector agencies. These audits have highlighted the importance of BCP and ICT disaster recovery planning to the continuing delivery of services, but have observed that a number of entities relied on unplanned disruptions to business operations to test their BCPs.³¹

Audit objective, criteria and scope

1.16 The objective of the audit was to assess the adequacy of selected Australian Government entities’ practices and procedures to manage business continuity.

1.17 To conclude against this objective the ANAO adopted the following high-level criteria:

• entities established a sound BCM framework that supports effective ongoing management of business continuity, and which is integrated with other corporate governance arrangements;
• entities effectively implemented the BCM framework, including documenting key analysis, plans, controls and testing of arrangements; and
• entities established effective monitoring and review arrangements, which supports continuous improvement in BCM arrangements.

1.18 The scope of the audit included the examination of BCM arrangements in three entities. The entities were selected to provide a range of the BCM challenges across Australian Government entities. These entities were the:

• Civil Aviation Safety Authority (CASA);
• Department of Finance (Finance). Formerly the Department of Finance and Deregulation; and
• Department of Social Services (DSS). Formerly the Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA).

1.19 The ANAO assessed these entities against key requirements of the PSPF. CASA, as a former CAC Act body³², was not required to comply with the PSPF, nonetheless it had developed BCM arrangements. During the course of the audit, machinery of government changes affected DSS and Finance. These changes had a significant impact on the coverage and relevance of DSS’s BCM arrangements.³³

1.20 The three entities differed considerably in terms of the type of services they provided to the Australian public, their operations, structure, geographic locations, and size. Each entity had functions that would not be noticeably affected by a week-long disruption to operations, for example, a delay in CASA’s industry delegate training would result in individuals needing to wait longer than normal to receive training and be appointed as industry delegates. This is also the case for many functions performed by DSS³⁴ and Finance.³⁵ However, each of the entities also had functions where even a brief disruption may have serious repercussions for the delivery of key activities and services to the Australian public. These critical activities include ongoing management of Australian airspace, controlling and monitoring the movement of funds through the Official Public Account, the delivery of payments to more than eight million Australians, and the delivery of essential community services to the vulnerable including daily services for disability and mental health programs which are delivered by funded service providers.

1.21 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $572 543.

Report structure

1.22 The structure for the report is outlined in Table 1.3.

Table 1.3: Report structure

Introduction

2.1 Under the Protective Security Policy Framework (PSPF), all relevant Australian Government entities are expected to develop a business continuity management (BCM) governance structure as part of their BCM approach. At a basic level, a governance framework will establish the scope, objectives, and roles and responsibilities for BCM arrangements. The framework should also establish policy and guidance which outlines key management processes to be undertaken as part of the business continuity arrangements, including expectations in relation to business impact analysis, development and approval of business continuity plans (BCPs), testing arrangements, and monitoring and review. In addition, the BCM framework should be linked with other governance frameworks in the entity including the risk management framework. Once a BCM governance framework is established, the entity then needs to put in place a work program to support the maintenance, review and continuous improvement of business continuity arrangements. The extent of the program of work will be informed by an assessment of disruption related risk.

Disruption related risk

2.2 An entity’s risk assessment of business activities and IT services provides useful information to assist in analysing an entity’s business continuity needs and subsequent approach. An entity-wide risk assessment process was undertaken in each of the audited entities and identified business continuity related risk exposures affecting the delivery of services or ICT arrangements. Both Finance and DSS assessed their business continuity related risk as a matter that needed to be monitored at an entity-wide level. This assessment heightened the importance of BCM arrangements in these entities. In comparison, CASA had assessed its business continuity related risk as a matter that could be monitored at a business group level. This risk rating was derived from an assessment that CASA’s existing business continuity arrangements were sufficient to manage BCM risk from an entity-wide perspective. These assessments influenced the nature, scale and scope of the entity’s annual work program for BCM and BCM arrangements.

2.3 Another valuable source of information for analysing an entity’s business continuity needs is an assessment of the risk of disruption scenarios to which the entity may be vulnerable. CASA and DSS did not assess the risk of disruption scenarios. Training material delivered by Finance in mid-2013 indicated that Finance was considering treatment of disruption related risk. The approach outlined in the training material sought to proactively manage disruption related risk by establishing mitigation strategies for times when key resources—such as buildings, equipment, technology and staff—were not available. Finance considered that this approach supported a business continuity response, regardless of the scenario.³⁶ An example of the type of business continuity risk considered using Finance’s approach at a branch level is provided at Table 2.1. Each risk would then be supported by a consideration of the: causes; consequences; risk rating; mitigation strategy (which would be documented in the relevant branch recovery kit³⁷); residual risk rating; and responsible officer.

Table 2.1: Example of Finance’s business continuity disruption risks

Source: Adapted from Finance’s training material.

Business continuity management framework

2.4 Each of the entities had developed policy and guidance, governance structures, and processes that formed part of their BCM framework. The frameworks were based on a variety of better practice material, although DSS was the only entity to identify the GOV 11 requirement from the PSPF in its framework documentation. Each of the frameworks identified that BCM was cyclical and ongoing in nature, with DSS and Finance having established an annual review process and CASA a biennial review process, unless the circumstances required an earlier review.³⁸ Approaches taken by the three entities are summarised below.

Civil Aviation Safety Authority

2.5 To promote a more coherent understanding of its BCM approach, CASA had developed an overarching framework³⁹ document which included: BCM planning processes; required documentation; and a summary of key elements considered essential for an effective BCM program.⁴⁰ CASA’s expectations for each of these components are provided in Table 2.2.

2.6 CASA’s framework stated that a communication policy should be developed covering all critical aspects of communication and related activities, including dealing with the media. CASA’s framework also emphasised the importance of maintaining current standard operating procedures for business units to assist personnel who are unfamiliar with a task during an incident.

Table 2.2: Civil Aviation Safety Authority’s Business Continuity Management Framework

Source: CASA Business Continuity Management Framework, Version 1.1, July 2013.

Department of Finance

2.7 Finance’s BCM framework⁴¹ incorporated three distinct areas of focus: Finance’s role within Continuity of Government Planning; departmental-wide BCM; and group level BCM for different areas in the department. A key expectation noted in the framework was that the departmental and group BCM would operate in unison. Finance’s framework overview document provided a pictorial presentation of the framework and explained the focus and components of BCM arrangements (see Figure 2.1 below for a high level summary of the Finance framework).

Figure 2.1: Overview of Finance’s Business Continuity Management Framework

Source: Summary of Finance’s Business Continuity Management Framework Diagram, 2013.

Notes:

(A) The Continuity of Government (CoG) Plan provides for the continuity of the executive functions of the Australian Government during a national security emergency. The CoG plan is the responsibility of the Department of Prime Minister and Cabinet with the coordination and implementation responsibilities falling to the Attorney-General’s Department.

(B) Where external continuity planning includes: service providers, co-tenants, other relevant agencies and portfolio agencies.

Department of Social Services

2.8 DSS’s Business Continuity Management Policy stated that the department’s:

Risk Management and BCM frameworks, which include the over-arching Business Continuity Plan, form the basis for continued provision of key services in the event of an emergency, national disaster or incident that causes significant disruption to [DSS’s] business …⁴²

2.9 While the policy⁴³ identified that there was a departmental BCM framework, the elements of this framework were not captured in a single BCM document or diagram. DSS advised the ANAO that it intended to develop such a document to assist in the better understanding of BCM arrangements across the department.

Policy and guidance

2.10 To support their approaches to BCM, each of the entities had developed policies, including guidance and templates, and had reviewed these policies in 2013. The policies generally outlined the business continuity objectives, approach, key processes and outputs (such as business impact analysis, the development of BCPs, and testing and exercises), related frameworks and governance arrangements including roles and responsibilities.

2.11 The PSPF expects an entity’s BCM governance arrangements will provide a structure for the development and approval of BCPs. In this respect entities need to consider whether there should be a single plan, or a hierarchy of BCPs. A hierarchy of plans might include an: entity-wide plan; group, branch and/or regional plans that reflect the structure of the entity; and functional level plans for each critical business function or process. Larger entities are more likely to need a range of different plans with an entity-wide plan to coordinate business continuity sub-plans for operational matters.

2.12 While each of the entities had established a hierarchy of plans to guide their response to a disruption, see Table 2.3, CASA’s BCP arrangements could be more comprehensive (as its framework does not specify the need for critical function BCPs or the need for business continuity arrangements to address the continued availability of critical services and assets, beyond establishing recovery times for critical ICT assets and the non-stop management of temporary restricted airspace). However, to assist potentially inexperienced personnel in unfamiliar roles, CASA’s BCM approach relied on business areas developing and maintaining standard operating procedures that would be called upon as supporting plans in a business recovery situation.⁴⁴ CASA’s approach also relied on disaster recovery arrangements to be in place for critical systems.

Table 2.3: Hierarchy of plans

Legend:

Y = have an approved plan at this level

na not applicable

Source: ANAO analysis.

Note:

(A) CASA’s National Headquarters BCP is focused on a location, but it also includes arrangements for enabling resources including ICT, people management, communications and media, and property and security.

(B) CASA’s BCM policy indicated regions would develop plans, but not divisions, groups or branches.

2.13 Each of the entities had also developed several templates to support the development of key BCM documents including business impact analyses and BCPs. BCM policy and guidance by entity is summarised in Table 2.4.

Table 2.4: Entities’ business continuity guidance and templates

Source: Entity documentation, 2012 and 2013.

Note: (A) Finance had a range of templates supporting the development of documentation at the branch, division and group level. In relation to recovery kits supporting templates included: an index; pre-activation checklist; activation checklist; contact list; critical function listing; critical IT application listing; event log; meeting agenda guide; personnel report to HR; and critical infrastructure listing.

2.14 Finance’s guidance was well-structured and targeted to different stages of the BCM approach (and for different levels within the entity⁴⁵) with practical tools such as templates that were linked to stages of the BCM approach.⁴⁶ CASA’s and DSS’s guidance was not as well-structured, and better links could have been established between their respective policy and guidance materials. For example, CASA’s framework and policy documents did not make reference to existing templates to support business impact analysis and development of BCPs, instead the framework provided an overview of the content of a BCP and a link to completed BCPs. Similarly, DSS’s policy listed the department’s overarching BCP as a related document but did not refer to other relevant material such as the Business Impact Analysis Guide or existing templates.

Business continuity management coverage

2.15 A key step in establishing BCM arrangements is determining the scope of the BCM program and related BCPs. This includes determining factors such as: strategic and operational objectives; expected deliverables and outcomes; time requirements, demands and constraints; resourcing capabilities and limitations; geographical coverage; and which parts of the entity would be included.

Business continuity management objectives

2.16 Each of the entities had identified that the purpose, aim or objective of their business continuity arrangements was to continue to deliver key services within maximum acceptable outage periods, mostly within one to seven days of a disruption. Each entity supported these objectives by developing a program of work for business continuity (the program of work established by entities is discussed at paragraphs 2.26 to 2.28). An overview of each entity’s primary BCM objective is provided in Table 2.5.

Table 2.5: Purpose/objective of entity business continuity management arrangements

Source: CASA BCM Policy (September 2013), Finance BCM Framework (July 2013), and DSS BCM Policy (July 2013).

Business continuity management scope

2.17 Having extensive BCM arrangements for all aspects of an entity’s operations will, in most cases, not be practical. Entities need to define the scope and focus of their arrangements in policy and guidance to best manage the entity’s needs in the context of their approach to risk. Each of the audited entities sought to have an entity-wide approach to BCM, generally focusing the scope of the business continuity strategies and plans by dealing with the most critical activities, services or systems.

Civil Aviation Safety Authority

2.18 There were no specific limitations to the scope of CASA’s BCM arrangements, although the policy noted that safety of people was the single most important stage of incident management and was closely aligned with Emergency Management Plans. CASA’s arrangements were designed only to address the first three weeks of a major disruption, beyond this period standard management decision making practices were to be adopted. In addition, the plan focused on enabling resources by providing a list of 23 critical systems and facilities including telephone, website, internet and email (see Appendix 2). The National Headquarters BCP also specified that where an incident affected the provision of the Temporary Restricted Airspace approval (a function which required non-stop operation) the relevant standby procedures were to be activated independently of any decision to invoke the BCP on a wider basis.

Department of Finance

2.19 The focus of Finance’s BCM approach was on the continuation, or timely resumption of, critical functions, which must be restored within five days of the interruption event.⁴⁷ The approach recognised that critical functions were dependent on other enabling resources such as ICT, facilities, accommodation and human resources. Finance’s 2013 framework identified 17 critical functions including: controlling and monitoring the movement of funds through the Official Public Account—Cash Management; COMCAR reservations, allocations and driving operations; and supporting the government in the preparation and ongoing management of the budget. A complete list of critical functions is provided at Appendix 3.

Department of Social Services

2.20 DSS’s Business Continuity Management Policy limited its scope to six critical departmental processes with a maximum allowable outage of seven days or less. DSS’s June 2013 BCP identified that the six Mission Critical Activities (MCAs) for DSS related to ministerial support and to making payments. The list of MCAs is provided in Table 2.6. DSS identified 281 critical functions relating to the MCAs and enabling resources.

Table 2.6: Department of Social Services’ Mission Critical Activities

Source: DSS, April 2013.

Notes: (1) In May 2014 this MCA was changed to enabling DHS to make payments to individuals.

 (2) With the introduction of National Disability Insurance Agency (NDIA), the sixth MCA is now captured by the third MCA payments to service providers. In May 2014, the sixth MCA was changed to working with aged care providers and state emergency agencies to maintain continuity of care, particularly during emergency events.

Business continuity management responsibilities

2.21 The PSPF expects that entities will establish authorities and responsibilities for the BCM program, and for the development and approval of BCPs. In better practice entities, the entities’ executive would be expected to sponsor the business continuity arrangements by endorsing business continuity policy, business impact analyses and BCPs, as well as participating in exercises. A senior manager or committee would generally be given direct responsibility for the execution and support of business continuity arrangements. This senior manager or committee should be supported by a team that coordinates and implements day-to-day BCM tasks.

2.22 Each of the entities included business continuity governance structures, roles and responsibilities in their policy or framework documents, and in their continuity plans. Consistent with sound practice, each of the entities involved executive and senior management in the sponsorship and execution of business continuity arrangements. The typical management structures and key responsibilities are summarised in Figure 2.2. When responding to disruptions the Control and Response Teams⁴⁸—which are depicted in Figure 2.2—are critical to the success of the entity’s business continuity arrangements.

2.23 Within each entity the head of the Control Team was generally at a Deputy Chief Executive level and was supported by a number of other senior managers. These teams also had at least one manager responsible for enabling resources. In addition, a senior manager was the head of each of the Response Teams. For example, at a regional level the State Manager would be the head of the State’s Response Team.

2.24 In the audited entities, various managers were responsible for developing BCPs and response plans. Generally these were managers with responsibility for critical functions, enabling resources or regional areas. CASA’s BCM policy specifies that the Director is responsible for approval of the BCM policy and related documentation. CASA advised that this responsibility includes the approval of the National Headquarters BCP but does not extend to the approval of regional BCPs. Finance required approval of critical functions by the relevant Deputy Secretary and also the then Executive Board prior to developing BCPs. Finance then required Deputy Secretary approval of group BCM strategies, which covered critical function BCPs. DSS’s entity-wide BCP was approved by the Chief Operating Officer and the department’s BCP template required relevant branch managers to approve branch and state office plans.

Figure 2.2: Business continuity management structures and key responsibilities

Source: ANAO, adapted from entity BCM frameworks.

Note: A. Enabling resources includes property and security, human resources, finance, and ICT.

Links to other entity frameworks

2.25 To provide a more coherent approach, each of the entities had established links between BCM arrangements and other frameworks including: enterprise risk management; security; ICT disaster recovery; emergency management; pandemic; and communication. CASA’s business continuity framework also emphasised the link between BCM and standard operating procedures. Of particular note, Finance’s framework linked BCM to the annual business planning process to assist with annual review, and integrated its ICT disaster recovery planning into its broader BCM framework.

Managing business continuity arrangements

2.26 After an entity has established a business continuity framework and developed BCPs, these arrangements need to be managed on an ongoing basis. Better practice suggests that ongoing management involves systematically reviewing and updating arrangements on an annual basis through integrating business continuity activities into annual business planning and periodically updating BCP contact lists. To support the PSPF expectation that entities periodically test their BCPs, entities should develop an exercise schedule to assess business continuity arrangements for critical functions and resources. Entities should also have a structured and regular system of performance monitoring.

2.27 In each entity, the business continuity framework and policy documents supported ongoing management by establishing an annual or biennial requirement to conduct a business impact analysis, develop BCPs, and test business continuity arrangements. In addition to these internal policy requirements, each entity developed an annual program of work to support the ongoing management of business continuity arrangements. The entities’ work programs varied—with Finance having the most extensive program of work—generally the planned activities included maintaining and enhancing business continuity arrangements, conducting business continuity exercises, and having BCPs in place.⁴⁹ Finance had integrated its identification of critical functions, business impact analysis process and development of BCPs with its business planning process. Finance also supplemented its annual work program with a 12 month calendar of business continuity events.

2.28 While each entity planned to undertake an annual or biennial program of work, only Finance completed business impact analyses, developed BCPs and tested arrangements in 2012–13.⁵⁰ Business impact analysis and business continuity planning are discussed further in Chapter 3 and business continuity testing is discussed in Chapter 5.

Conclusion

2.29 Each of the entities had BCM arrangements in place which were informed by a risk assessment approach. The entities had updated their BCM governance arrangements in 2013. In general, the entities’ governance arrangements established the objective and scope of their BCM approach, and assigned key roles and responsibilities for BCM. Each of the entities established a range of plans to support entity-wide and operational continuity. The arrangements aimed to continue or recover critical functions within maximum acceptable outage periods and generally focused on functions that needed to be recovered within a week of a disruption.

2.30 Finance’s policy and guidance provided targeted guidance for staff relating to different stages of the BCM approach including identifying critical functions, developing continuity plans, activating plans, and maintaining BCM arrangements. The guidance for key stages in developing BCM arrangements was supported by practical tools such as templates. CASA’s and DSS’s guidance was not as well-structured, and better links could be established between their respective policy and guidance materials. There would also be merit in CASA and DSS integrating their BCM arrangements more fully within their business planning processes to support timely periodic review.

2.31 In general, management structures provided for entity executive and senior management sponsorship of BCM. At an entity-wide level, arrangements were in place for a Control Team (comprised of senior managers) to act as a central point of contact for communications and coordination during an incident. Another important element of the entities’ BCM arrangements was response teams. Each of the entities had identified teams responsible for establishing and activating a BCP for an enabling resource, regional office or critical function. Finance established responsibilities for approval of group BCM strategies which include BCPs and DSS established responsibility for approval of branch and regional BCPs, in contrast, CASA had not sufficiently specified responsibility for approval of regional BCPs.

2.32 Each of the entities developed a BCM program which involved, to varying degrees, annual or biennial business impact analysis, development of BCPs, and testing of business continuity arrangements. The programs were also influenced by the nature, scale and scope of the entities’ business functions and the risk of disruption.

Introduction

3.1 Under the Protective Security Policy Framework (PSPF) entities⁵¹ are expected to:

• undertake an impact analysis to identify and prioritise the entity’s critical services and assets, including identifying and prioritising information exchanges provided by, or to other entities or external parties; and
• develop plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment.

3.2 Once an entity has established its BCM framework, the next step is to prioritise its objectives, and identify and document the critical business services and assets (critical functions) that support these objectives. The identification of critical functions often occurs as part of a business impact analysis (BIA), which generally is used to determine how urgent each critical function is, based on an assessment of the impact of a disruption over time. This analysis allows the development of a list of time-critical functions with details of their target recovery time⁵² and resource dependencies.⁵³ Using a threat and risk assessment, the entity can then identify other services and assets, and supporting functions, that need to be continuously delivered. From this list the entity is expected to develop business continuity plans (BCPs) to address the impact of a disruption on each critical function.

3.3 To assess the preparation of entity business continuity arrangements, the ANAO examined each entity’s approach to identifying critical functions, conducting BIAs including identifying critical functions, and the subsequent development of BCPs.

Business impact analysis

3.4 Business impact analysis assesses the tangible and intangible impacts of a business process being disrupted or downgraded for different time periods. It begins with identifying and understanding the critical business processes that support the entity’s business objectives. It is important for entities to identify the activities and resources that support critical business processes, as well as internal and external dependencies. Then the entity can analyse the consequences of a business disruption. Finally prioritisation of the key processes enables the organisation to apply its limited resources in the most effective manner.

3.5 In line with policy expectations of the PSPF and each entity’s program of work⁵⁴ (see paragraphs 2.27 and 2.28), the entities had identified critical functions, services or assets, and undertaken BIA processes. The ANAO has examined business impact analyses conducted by entities in 2012–13. In Finance and DSS the BIA involved most business areas, however, in CASA the BIA was limited to four of its six regions⁵⁵, and also did not involve National Headquarters.⁵⁶

3.6 ANAO analysed a sample of the current BIAs from each entity to consider the processes used to identify critical functions, as well as the resourcing, dependencies and target recovery time for critical functions. The results identified against the key areas of entity approaches to BIA in relation to identifying critical functions, identifying and mapping resources and other dependencies, and target recovery times are outlined below.

Entity approaches to business impact analysis and identifying critical functions

3.7 Each of the entities had established processes for identifying and prioritising critical business functions. An overview of the approaches to BIAs and the definitions of a critical function are provided in Table 3.1. For each entity, the approach was generally supported by an established process and a template to assist business areas capture key information generated by the process, in a consistent manner. At a minimum the BIA processes were designed to identify: all functions and then critical business functions and provide a brief description of these functions; the ICT and non-ICT resources necessary to deliver the function; internal and external dependencies or stakeholders; and any workarounds or controls in place. There were a number of differences in the approaches adopted by the entities, which are discussed below in relation to each entity.

Table 3.1: Entity approaches to business impact analysis and definition of critical functions

Source: Adapted from entity 2012 and 2013 policy and guidance.

Notes: (1) Finance identified two time critical points for its critical functions: the ‘cry point’ is when workarounds must commence; and the ‘die point’ is when workarounds can no longer be sustained.

Civil Aviation Safety Authority

3.8 The four regional BIAs conducted by CASA in 2013 did not include functions undertaken by the CASA National Headquarters or the Brisbane Office which were responsible for most of the entity’s business functions.⁵⁷ The absence of an assessment of the functions undertaken by National Headquarters and Brisbane Office was inconsistent with CASA’s policy expectations, which required a BIA at least every two years.⁵⁸

3.9 CASA’s 2013 approach determined whether a function was critical based on a risk assessment of the function, having regard to its business objectives. Business objectives were listed in the division’s or region’s business and risk management plan, and CASA advised that it intended these objectives would be assigned to business functions performed by the division or region. CASA also advised that its risk management team facilitated the workshops in each of the four regions to ensure consistency in the understanding and application of the process. However, CASA’s documentation provided limited guidance to business areas on the process for identifying and assessing risk (see Figure 3.1).⁵⁹ In practice, the BIAs undertaken by CASA’s regional offices focused on business functions only, rather than also referencing the relevant business objectives, as can be seen in Figure 3.2.

Figure 3.1: Business function risk assessment—Civil Aviation Safety Authority’s guidance

Source: CASA, BIA of Critical Business Functions—Template, 2013, extract, p. 5.

Figure 3.2: Example of completed risk assessment including the Civil Aviation Safety Authority’s guidance

Source: Extract from a regional business impact analysis completed in 2013.

Notes: A risk level rating of six or more for a business function means that the function is critical.

3.10 CASA’s most recent BIA processes, undertaken in 2013, have not resulted in a complete up-to-date assessment of critical functions within the entity, nor has it identified the relative priorities of these functions.⁶⁰ While its BIAs identified critical functions, CASA focused on confirming a list of critical systems and facilities developed as part of its 2011 BIA processes, rather than critical functions. This led to CASA’s 2011 and 2013 BCPs only including critical ICT systems and facilities.⁶¹ The absence of an up-to-date and complete entity-wide list of critical functions introduces the risk that the delivery of key products and services will not be appropriately prioritised and addressed during a disruption.

3.11 CASA required a BIA to be undertaken at least every two years.⁶² As previously mentioned in paragraph 3.5, CASA’s review has been partial and did not include two of its regions or the National Headquarters. CASA advised that it chose to focus on four regions because there were sufficient similarities between the regions. Nonetheless, the approach to this review meant that many business functions were not considered.

Department of Finance

3.12 Consistent with sound practice, Finance identified critical functions prior to conducting BIAs through identifying all business functions for an area and then determining the maximum acceptable outage (‘die point’) for each function. This assessment resulted in the ready classification of critical, important and general functions.⁶³ Finance required BIAs and critical business functions to be reviewed at least annually (on an entity-wide basis consistent with the scope and approach of their BCM arrangements). To ensure that the annual review was undertaken, Finance sought to integrate the identification of critical functions and the subsequent BIA process into the entity’s annual business planning process.

Department of Social Services

3.13 DSS defined critical processes as those with a final risk rating of high or extreme.⁶⁴ DSS’s BIA guide did not use maximum acceptable outage as a criterion for determining whether a business function was critical. Nonetheless the department identified that its business continuity planning only applied to functions with a maximum acceptable outage of up to seven days. To identify critical functions DSS’s process required first that the maximum acceptable outage for each function be determined and then an impact rating and a risk assessment be completed. An examination of ten BIAs completed in 2013 indicated that business areas assigned an impact rating, but did not undertake a risk assessment and as a result a final risk rating was not assigned. Therefore the department’s list of critical processes was not developed in accordance with its guidance. Rather than focusing on the high risk functions, DSS’s list focused more broadly on functions that needed to be restored within seven days, and as a result about 80 per cent of the functions included had in fact been assessed by DSS as having a negligible to moderate impact on DSS’s operations during a business disruption.

3.14 DSS required BIAs and critical business functions to be reviewed at least annually on an entity-wide basis consistent with the scope and approach of their BCM arrangements.

Identifying and mapping resources and other dependencies

3.15 To enable continuity or rapid recovery of critical functions during a disruption, relevant enabling resources, workarounds, and other dependencies should be identified and mapped to each critical function. In most cases there will be a range of internal and external dependencies, including processes, key personnel, technology, vital records⁶⁵, suppliers and organisations that are essential to delivering a critical function. The identification of key personnel and stakeholders would also support the PSPF expectation that relevant information exchanges will be identified and prioritised. It is also important that practical steps are taken to support an efficient response during a disruption, such as maintaining details of key contacts.⁶⁶ The extent to which key dependencies were identified for the purposes of BCM varied across the entities.

Civil Aviation Safety Authority

3.16 CASA’s 2013 BIAs outlined some dependencies for the entity’s identified critical functions, primarily relating to the IT applications and unspecified ICT personnel. For critical functions there was also some consideration of linkages with other areas in⁶⁷ CASA but contact details for these areas were not included in business continuity documentation. Regional BIAs examined by the ANAO identified some external dependencies, but generally none of the critical functions presented in the linkages section of CASA’s regional BIAs, matched the description of critical functions identified in other sections in the BIA. As a result, it is not clear whether the dependencies related to a critical function. Overall, CASA would benefit from more clearly identifying key personnel for critical functions and the internal and external areas that affect the delivery of critical functions, or which are affected by non-delivery of CASA’s critical functions.

3.17 To support incident and business continuity preparedness, CASA’s framework established an expectation that a vital records analysis would be undertaken to establish the hard copy records that would be necessary in the event of an incident and how these records should be managed. As outlined in paragraph 1.10, the National Archives of Australia established a requirement for entities to have business continuity and disaster management plans that: identify vital records; cover records in all formats; and are regularly reviewed and updated. However, CASA does not identify vital records in any format for the purpose of business continuity. CASA’s records are held in electronic systems, including an electronic document and records management system, and beyond fully restoring these systems CASA has no other means of readily accessing the information. An exception is that CASA’s People and Performance Response Plan is required to be maintained off-site, and back-up arrangements are in place for the Command and Response Team members in National Headquarters and Brisbane offices. This plan also indicates that there is a vital records policy that needs to be communicated to staff when business continuity arrangements are activated. CASA’s arrangements would be improved by identifying vital records for critical functions.

Department of Finance

3.18 Finance’s BIA process identified key personnel, internal and external ICT resource dependencies, and accommodation and facilities requirements for critical functions. Finance also identified dependencies⁶⁸ in terms of internal and external parties, and identified vital records. An example of Finance’s dependencies is outlined in Table 3.2.

Table 3.2: Example of Finance internal and external dependencies and vital records

Source: Adapted from Finance’s Appropriations and Cash Management Branch business continuity documentation.

Department of Social Services

3.19 Like Finance, DSS also identified enabling resources and internal and external stakeholders, but for some stakeholders the BIA documentation did not establish how these dependencies affected the critical process or were affected by the critical process. Generally DSS did not capture contact information for these external stakeholders in its business continuity documentation.⁶⁹ In addition, DSS identified vital records in the BCP—if determined to be appropriate by the business area. Some critical processes⁷⁰ did not have vital records.

3.20 During a business disruption, depending on its nature and severity, funded service providers may also need to be contacted by the relevant funding department regarding their capacity to continue to provide services. Although DSS’s funded service providers deliver programs across Australia, in the sample of BIAs reviewed⁷¹, only the Queensland DSS State Office identified key stakeholder engagement (including funded service providers⁷²) as a critical function. In response to the 2011 Queensland floods and Cyclone Yasi, the State Office engaged with key stakeholders to identify lessons learned and developed a Stakeholder Contact Strategy to facilitate contact with funded service providers during a business disruption (see Table 3.3). While this is a positive step, the strategy could be made more practical, by including a list of stakeholder contacts, and should be used more broadly in the BCPs for other areas of the department.⁷³

Table 3.3: Case study—Department of Social Services’ response to Queensland floods—stakeholder contact

Source: ANAO analysis of post-flood review documentation from DSS.

Target recovery time

3.21 Generally, a BIA should identify recovery times for critical functions.⁷⁴ Target recovery time reflects the relative criticality of a business function from an entity-wide perspective, and should be reflected in the relevant BCPs. Determining the target recovery time requires an informed understanding of the function and its dependencies, the sustainability of workarounds, and the resourcing required to resume normal operation within a target time frame. For example, recovery of critical functions may be dependent on the recovery of ICT systems that support these functions. Therefore recovery timeframes for enabling systems and resources would be relevant to the development of BCPs.

Civil Aviation Safety Authority

3.22 As previously discussed in paragraph 3.10, CASA’s 2011 and 2013 BIA processes focused on identifying a list of critical systems and facilities, rather than critical functions. This led to CASA’s 2011 and 2013 BCPs only including recovery times for critical ICT systems and facilities (see Appendix 2).⁷⁵ The recovery times for critical systems and facilities identified in 2013 did not directly align to recovery targets for critical functions identified in the 2011 BIAs. Better alignment of recovery times would assist in appropriately prioritising recovery action during a disruption. For example, for the four regions that completed a BIA in 2013, CASA identified critical business functions that had maximum tolerable periods of disruption of one to two weeks. In comparison, CASA’s 2011 BIA⁷⁶ process identified critical functions with maximum tolerable periods of disruption generally ranging from 48 hours to three weeks.⁷⁷ The ICT systems related to these functions generally needed to be recovered within the same timeframe as the function.⁷⁸

Department of Finance

3.23 As noted in paragraph 2.19, Finance identified 17 critical functions. The priority given to these functions was determined based on recovery targets with maximum acceptable outages of 24 hours to one week.⁷⁹ Finance’s BCPs linked recovery times for critical functions to the BIAs. Finance’s executive has endorsed a list of critical functions and recovery times at least annually since 2010. This approach has assisted the department to address a recommendation from a 2008–09 internal audit to: review and rationalise critical functions at the departmental level, including their maximum acceptable outages and the critical IT applications.

Department of Social Services

3.24 As a larger and more diverse entity, DSS identified 281 critical functions⁸⁰, many with the same recovery targets—with maximum acceptable outages ranging from zero hours to seven days. DSS’s BCPs linked recovery times for critical functions to the BIAs. DSS used a rating scale to assess its priorities where a rating of ‘1’ was considered to have an insignificant impact⁸¹, and a rating of ‘5’ was considered to have an extreme impact.⁸² Of the 281 critical functions, only 20 per cent were rated as having a major or extreme impact, and nearly 30 per cent were rated as having an insignificant or minor impact.⁸³ Of these critical functions, 120 were considered to be directly related to the six Mission Critical Activities (refer to Table 2.6 on page 47) and the remainder were considered to be enabling resources for the Mission Critical Activities. The critical functions were identified across a total of 59 branches and regional offices. Notwithstanding DSS’s size and diverse functions, the value of the entity’s business continuity arrangements was diminished as there was no clear priority for business continuation and recovery action. To address this, DSS should prioritise and rationalise its critical functions at an entity-wide level. Examples of maximum acceptable outages for seven out of DSS’s total of 281 critical functions for are provided in Table 3.4 (Appendix 4 contains a list of the 57 critical functions where DSS had assigned an impact rating of major or extreme).

Table 3.4: Example of Department of Social Services’ recovery targets for critical functions

Source: Extract from 2013 DSS BCP Appendix 2—Critical Business Activities by Maximum Allowable Outage.

Business continuity planning

3.25 In accordance with the PSPF, entities are expected to have plans, measures and arrangements to ensure the continued availability of critical services and assets, and any other services and assets when warranted by a threat and risk assessment. For each of the critical business functions identified in the BIA process, plans are expected to reduce the effect (likelihood and consequence) of a disruption to the activities, resources or systems on which the critical processes rely. This includes identifying alternative activities such as manual workarounds and resources, and planning the restoration of normal operations. It is also important to maintain contact lists for key personnel and stakeholders.

3.26 Business continuity plans should be documented, endorsed by the entity’s executive and be kept up-to-date. If there are multiple BCPs, it is generally sound practice to have an overarching entity-wide plan to coordinate business continuity sub-plans for enabling resources, critical functions and regional offices.

3.27 The audited entities each developed BCPs that describe and direct the actions to be followed in the event of a business disruption. Although some of DSS’s response and recovery procedures involve designing a strategy rather than specifying actions (see paragraph 3.33). Key aspects of the entities BCPs are discussed below.

Civil Aviation Safety Authority

3.28 CASA developed an overarching National Headquarters BCP, and six regional BCPs.⁸⁴ The plan states that:

Key functions and systems and their respective priorities have been determined … The BIA, upon which this BCP is based, is reviewed and the respective BCPs updated with the introduction of any new systems, and at least biennially … This plan is primarily designed to facilitate an orderly transition of the Command Team and other essential personnel to a secure site to facilitate the overall management of an incident and to ensure the timely continuation of critical activities, if necessary at suitable alternate sites.⁸⁵

3.29 CASA’s National Headquarters BCP specified that the provision of the Temporary Restricted Airspace approval process was the only critical activity requiring non-stop operation, and it was managed independently of the entity-wide BCP. The BCP specified that most activities could be deferred for 24 to 48 hours, but restoration of enabling services should commence immediately. While CASA’s BCP anticipated having functions and systems operational in alternate locations within 24 hours, it did not provide a list of these critical functions or activities and their key dependencies.

3.30 CASA’s BCP also provided a list of 23 ICT systems and facilities that needed to be recovered within 48 hours.⁸⁶ However, restoring the systems on the list in isolation would not necessarily ensure the continuation of the entity’s critical functions. As a result, the focus of the plan was on enabling services rather than critical functions and increased the risk that the delivery of key products and services would not be appropriately prioritised and addressed during a disruption. The BCPs would benefit from the inclusion of workarounds and other recovery strategies for critical functions, and contact details for key personnel.

3.31 CASA’s⁸⁷ BCPs and enabling service response plans generally did not contain external stakeholder contact lists (such as relevant clients, suppliers and/or service providers) to guide an efficient response in the event of a disruption. CASA’s framework established an expectation that lists of key personnel⁸⁸ (those personnel that were essential to continue day-to-day operations) and key stakeholders would be maintained. CASA’s people and performance response plan contained office telephone and email addresses, and occasionally contained home or mobile telephone contact information, for people management, as well as response teams for CASA’s regional offices.

Department of Finance

3.32 There was a clear line of sight between the critical functions identified in the Finance and DSS BIAs and their BCPs. Consistent with its BIAs, Finance’s BCPs contained contact details of key stakeholders. Finance’s documentation stated that its business continuity arrangements at a departmental level were based on the restoration of key enabling services (enabling resources) that supported business groups in continuing to undertake critical functions. Finance developed targeted recovery kits to support the Control Team and other response teams to respond to a business disruption (see Table 3.5). The Control Team’s recovery kit included all group business continuity strategies⁸⁹ and related critical function BCPs. In practice this meant that a branch responsible for a critical function developed a BCP for the continuation or restoration of that function and a recovery kit. Critical function BCPs formed part of the group recovery kits and business continuity strategies. Overall, Finance’s BCPs were well-structured, clearly written and, in the main, comprehensive.

Table 3.5: Finance’s recovery kits

Source: Finance, Finance Business Continuity Management Framework, 1. Overview, July 2013.

Department of Social Services

3.33 In 2013, DSS prepared an entity-wide BCP that included the critical functions identified in its BIA process. DSS’s entity-wide BCP also included a list of 33 BCPs for national office branches, and the states and territory offices. Analysing the link between the 281 critical business functions and a sample of DSS’s national office, and state and territory office BCPs, the ANAO observed inconsistency in the approach adopted by business areas. Specifically, half of the BCPs included all critical functions relevant to the business area, while others only addressed the critical functions with an impact rating of major or extreme (see paragraph 3.13). DSS’s BCPs generally did not contain external stakeholder contact lists (such as relevant clients and/or service providers) to guide an efficient response in the event of a disruption. DSS’s BCPs were not always action-oriented. For instance, rather than establishing procedures to put in place when a disruption occurred, DSS’s response and recovery procedures sometimes involved designing a strategy to restore a critical function. An example of this approach is outlined in relation to making payments to suppliers, and state and territory governments, see Table 3.6.

Table 3.6: Department of Social Services’ response and recovery strategy for making payments

Source: Adapted from DSS, Financial Accounting Branch BCP, 2013.

Summary results for assessing and planning for business continuity management

3.34 A summary assessment for each entity against the key steps in business continuity planning is presented in Table 3.7. Adequate BCM arrangements should address these steps.

Table 3.7: Entity business continuity management processes

Legend: YY= good   Y = requires further work N = insufficient.

Source: ANAO analysis.

Conclusion

3.35 Consistent with PSPF expectations, each of the entities identified critical business functions, conducted BIAs for critical functions, and developed strategies and plans to manage the continuation and recovery of critical functions or systems during a business disruption. CASA identified critical functions for some regions in 2013, however, a more comprehensive BIA involving all of CASA’s divisions was not undertaken in 2013. Instead, as a product of a more comprehensive 2011 BIA process, CASA identified a list of critical systems and facilities rather than functions. Finance had developed a prioritised list of critical functions to guide recovery decisions. DSS should rationalise and prioritise its list of 281 critical functions to better support decision making in the event of a disruption; potentially this would be achieved by completing the agreed BIA process. To assist in business continuity preparedness, there would also be merit in DSS standardising its approach to BCPs by making them proactive and action-oriented.

Recommendation No.1

3.36 To better support the recovery of critical functions, the ANAO recommends that CASA and DSS more systematically identify and prioritise critical functions, and document the relevant external and internal dependencies in their business continuity plans.

3.37 This recommendation was directed to CASA and DSS. Finance also commented.

Civil Aviation Safety Authority

3.38 CASA agrees with this recommendation.

Department of Social Services

3.39 Agreed.

Department of Finance

3.40 Supported.

Introduction

4.1 There are different types of potential disruptions that an entity may be faced with and not all of these will require activation of BCPs. However, there is a point when a decision must be made as to whether a local or entity-wide BCP should be activated. The transition from ‘incident’ (or ‘emergency’) to ‘business continuity event’ will usually involve an element of judgement, and may not be the same for any two incidents. A sound BCM approach will seek to provide relevant guidance to decision makers to assist them in assessing whether conditions have been reached that would require the activation of a BCP. Entities’ guidance on activating the plan and considerations during an incident is outlined below. The ANAO also examined entities’ use of incident records and post incident reviews, to understand and improve the operation of their business continuity arrangements.

Activating business continuity plans

4.2 The potential impact on critical functions and the expected time to resolution are common issues to be considered by responsible officers, when making a decision around activating BCPs and other BCM arrangements. In this respect, each entity specified different BCP and business continuity activation points, although common key considerations were the expected duration of the outage and the impact on critical functions and systems. Arrangements could also be activated locally or at an entity-wide level. For example, CASA’s regional BCPs were to be activated by state managers, although for major incidents the Command Team would activate the National Headquarters plan. The triggers for activating BCM arrangements in each entity are outlined in Table 4.1.

Table 4.1: Activation point for business continuity management arrangements

Source: CASA, Canberra National Headquarters BCP, July 2013, pp. 6 and 17; Finance BCM 5. Activation and Response, March 2013, p. 2; and DSS Business Continuity Plan, June 2013, p. 6.

Civil Aviation Safety Authority

4.3 CASA’s activation guidance briefly outlined two key considerations for activating the plans. To support activation, CASA’s plan included: a list of critical systems and facilities; overall incident response (which starts with emergency management); command team plan and other enabling service response team plans; team resources; incident recording templates (such as an incident log, a business interruption assessment sheet, and communications log); and key stakeholders.

Department of Finance

4.4 Finance’s guidance succinctly outlined a number of key considerations for deciding whether to activate the framework, including safety, communication and coordination, and impact on critical functions. The guidance also indicated key matters to be addressed once the framework was activated. Tailored recovery kits were developed for Central Control Team, enabling services, and division and branch managers who had responsibility for one or more critical functions (see paragraph 3.32). The purpose of the recovery kit was to structure the BCM information, to make it more easily accessible during an incident. The recovery kit was split into two sections, one addressing an emergency incident—which is not yet a business interruption event—and one addressing the business continuity event.⁹⁰

Department of Social Services

4.5 The activation of the DSS’s plan was the responsibility of the relevant group, state and branch managers, but DSS’s guidance did not concisely outline activation considerations. DSS’s plan identified that there were three phases that would be applicable to the management of any crisis:

• evaluation and planning phase—emergency management;
• plan implementation and coordination phase—continuity/recovery management; and
• situation recovery and closedown phase—recovery management.

Control team arrangements following activation

4.6 In response to an actual or potential disruption, CASA and Finance required their response teams to make an assessment of the situation and advise the Command or Control Team of threats to critical functions and enabling resources. Response teams were responsible for activating regional or critical function plans. At an entity-wide level, the Command and Control teams would then formulate strategies and allocate resources to continuing or restoring critical functions or systems.⁹¹ These steps were supported by the checklists established in business continuity planning documentation. Rather than implementing existing business continuity documentation in anticipation of or following an incident, at an entity-wide level DSS’s Crisis Response Team Recovery Director would assemble the Crisis Response Team to brief them on the initial analysis of the crisis and establish all impact/s prior to the development of an Action Plan. The analysis process would attempt to identify:

• the full impacts of the crisis on DSS’s critical business processes, and identify events that may cause an escalation of the crisis;
• any critical business service maximum acceptable outage triggers reached and implement those BCPs; and
• whether additional personnel are required to meet with the Crisis Response Team for the development, communication and implementation of a more specific Action Plan for an unforeseen event.

4.7 This approach to entity-wide management of a business disruption was similar to the approach adopted in a number of DSS’s critical function BCPs, which were not proactive and action-oriented. That is, at a branch level, response and recovery strategies sometimes involved designing a strategy to restore a critical function, rather than implementing pre-determined procedures (see paragraph 3.33 and Table 3.6). Similarly, DSS also developed approaches that were reactive rather than proactive, for example, rather than maintaining contact lists, they developed a strategy for developing a contact list once an incident occurred (see paragraph 3.20 and Table 3.3). Such an approach limits the department’s preparedness for a business disruption.

4.8 Each of the entities’ plans or guidance indicated that the decision to stand-down Command, Control or Recovery Teams and move to business as usual should be a clearly documented decision. There is an opportunity for entities to consider whether the documentation (for notifying staff of the conclusion of an incident and return to business as usual) could be strengthened, as in practice it did not discuss resumption of normal operations. Advice to staff generally noted when they could return to work. Further, to support continuous improvement each of the entities’ stand-down processes included debriefing those involved, and for Finance and DSS, and to a lesser extent CASA, also involved lessons learnt, documentation review, process capture and preparation of a post incident review for the Command, Control or Recovery Team.

Incident records

4.9 Incident records are an important element of assessing the effectiveness of BCM arrangements and each of the entities’ BCM arrangements highlighted the importance of maintaining an incident record during the incident. Such a record should include a concise and factual recording of incident-related events, decisions and actions taken.

4.10 To facilitate the incident recording process, each entity had an incident recording template (or set of templates) that could be used to support incident recording. The incident recording template can assist with meeting insurance requirements, and in monitoring requests for services or support, and tracking tasks and resources. In practice, when an incident record was not used, regular email communication often provided a partial record of the incident. CASA’s BCM arrangements required an officer to be designated to perform the role of incident recorder, although this was not a requirement identified by Finance or DSS.

Incidents

4.11 Since January 2010, the number and frequency of disruptions encountered by each entity has varied considerably, resulting in three disruptions affecting CASA, at least seven disruptions affecting Finance and more than nine disruptions affecting DSS. These disruptions ranged in impact from the inconvenience of a partial evacuation⁹², to all day outages of critical systems and week-long office closures due to extreme weather events. To reflect the differences in the number and nature of disruptions, the ANAO selected a sample⁹³ of 16 disruptions to review the extent to which continuity plans were enacted in response to the selected business disruptions, the templates that guide documentation of the disruption events, and reporting of the response to the events. For a sample of 16 incidents⁹⁴, ANAO examined incident reports and other incident documentation, such as entity event logs.

Civil Aviation Safety Authority

4.12 For the three incidents examined by the ANAO, CASA did not document the activation of BCPs in incident reporting or whether the Command Team was involved. CASA maintained a detailed event log for one of the incidents, and for another incident maintained less detailed records of events through regular email communication with the BCM team in National Headquarters. The third incident was logged and managed through an IT service request system. Based on the incident records examined, there is scope for CASA to improve its incident recording.

Department of Finance

4.13 For the six incidents affecting Finance, there was systematic documentation of each incident⁹⁵ and reasons why the BCP was, or was not activated during the incident. For example, BCPs were activated twice for incidents that threatened to disrupt critical functions. For another incident, the possibility of implementing the BCP was discussed with the Business Continuity Manager. The incident report for a fourth incident, noted that disruption occurred in the middle of the night and that services continued to be delivered with the use of workarounds until the issue was resolved.⁹⁶

Department of Social Services

4.14 Of the seven DSS incidents examined, only one incident reported the active and early involvement of the department’s Crisis Response Team, and the activation of business continuity arrangements. Three of the incidents only required emergency response and in two cases detailed event logs were completed. For another incident, some email records provided limited information about the event, although they clearly established the involvement of the Crisis Response Team Secretariat, and showed that the State Office considered there were no significant BCP issues (see Cyclone Oswald Case Study in Table 4.2). DSS did not record the details of the remaining two incidents or document considerations regarding the activation of relevant BCPs for these events.

Table 4.2: Case study—Department of Social Services’ response to Cyclone Oswald

Post incident review

4.15 Actual events provide important feedback on the success and usefulness of the continuity arrangements. Post incident review, including debriefing for major disruptions, is an essential component of the BCM lifecycle.

Civil Aviation Safety Authority

4.16 CASA’s experience dealing with disruptive events was given consideration between 2010 and 2013. In particular, in 2011 Cyclone Yasi and the Queensland floods were a catalyst for a revision of CASA’s business continuity arrangements, as outlined in Table 4.3.

Table 4.3: Case study—Civil Aviation Safety Authority’s response to the Queensland floods and Cyclone Yasi

4.17 At the time of the Queensland floods and Cyclone Yasi, CASA did not have regional office BCPs, so the response to these events was heavily reliant on the actions and knowledge of individual CASA staff. Although CASA maintained an event log during the floods, it did not document actions taken with respect to critical functions for the floods or the cyclone. In addition, there was no documented post incident review for either incident.

4.18 Following these incidents, CASA updated policy and guidance documents, and developed BCPs for Cairns and Brisbane, and updated the National Headquarters BCP by June 2011. These BCPs included incident recording forms, however, these forms did not prompt consideration of the lessons learnt or the opportunity to improve BCM arrangements.⁹⁷ This limits the potential to improve continuity planning from these events. There is scope for CASA to upgrade its post incident review arrangements to document the extent to which continuity arrangements were followed during disruption events, consider lessons learnt, and assign action items to improve continuity arrangements.

Department of Finance

4.19 The post incident reports completed by Finance between 2010 and 2013 discussed the implications of the event from a business continuity perspective including aspects which worked well and where further consideration was needed. In 2013, only Finance used a post incident report template to assess its response to the business disruptions and incidents. The template prompted discussion of the impact of the disruption on business operations, actions taken to resolve the problem, and further actions needed to improve business continuity arrangements in the future. A snapshot of the post incident report for an incident which occurred at Finance in 2013 is outlined in Table 4.4.

Table 4.4: Case study—Finance post incident review

Source: Finance, Post Incident Report 29 August 2013.

Department of Social Services

4.20 Between 2010 and 2013 DSS reviewed its response to three major disruptive events: a review of the response to an all-day power failure and IT systems outage that occurred in June 2010; and post incident reviews for the Brisbane floods and Cyclone Yasi (see Table 4.5).⁹⁸ While the DSS review did not address the extent to which business continuity arrangements were followed it identified some opportunities for improvement but did not assign responsibility for implementing change. Post incident review arrangements would have been more effective if the department had assigned action items to senior officers.

4.21 There was scope for DSS to upgrade its post incident review arrangements to document the extent to which continuity arrangements were followed during disruption events, consider lessons learnt, and assign action items to improve continuity arrangements. In July 2014, DSS provided the ANAO with a draft post incident review template that addresses many of these considerations.

Table 4.5: Case study—Department of Social Services’ post incident review of Queensland floods

Conclusion

4.22 Each of the entities developed guidance for the activation of BCM arrangements or BCPs at an entity-wide and local level. Key considerations for activation of arrangements generally addressed duration of the disruption and the impact on critical functions and systems. Following activation, at an entity-wide level, CASA’s and Finance’s continuity arrangements were generally action-oriented, while DSS was focused initially on a more detailed assessment of the impacts of the interruption which would then lead to the development of an action plan for managing business continuity.

4.23 To facilitate incident recording each of the entities had an incident recording template. For the incidents examined between 2010 and 2013, Finance systematically recorded key events, decisions and actions, including capturing details of the impact of events on the entity and decisions to activate or not activate BCM arrangements. During this period, DSS and CASA did not consistently record key decisions and actions, although both entities used email communication to provide a partial record of their decisions and actions. They also did not generally document consideration of whether BCM arrangements should be activated.

4.24 Finance also consistently completed post incident reviews for incidents that occurred between 2010 and 2013. These reviews identified aspects of the BCM arrangements that worked well and where further consideration was needed. DSS undertook some post incident reviews which lead to improvements in some BCM arrangements, however, the reviews did not assign action items or responsibility for the lessons learnt. CASA did not routinely review its response to the business disruption events, although these events were the catalyst for developing BCPs for Brisbane and Cairns offices, and updating its Headquarters BCP.

4.25 For CASA and DSS there is scope for more systematic recording of key events, decisions and actions, including capturing details of the impact of events on the entity and any decisions to activate BCM arrangements. This information would also support improved post incident review in these entities, including: the extent to which the BCP was followed and whether other business continuity issues should have been considered; suggesting improvements to the processes; and assigning further actions as appropriate.

Recommendation No.2

4.26 To improve business continuity arrangements the ANAO recommends that CASA and DSS take a more systematic approach to analysing decisions and actions taken, and reviewing the effectiveness of business continuity management arrangements after the disruption.

4.27 This recommendation was directed to CASA and DSS. Finance also commented.

Civil Aviation Safety Authority

4.28 CASA agrees with this recommendation.

Department of Social Services

4.29 Agreed.

Department of Finance

4.30 Supported.

Introduction

5.1 Under the PSPF, all relevant Australian Government entities are expected to monitor their level of overall preparedness to respond to business disruption. They are also expected to review, test and audit their BCPs. Monitoring and review arrangements should be both comprehensive and balanced. In the business continuity context, this includes testing and exercising BCPs, reviewing broader business continuity arrangements and reporting on the entity’s preparedness to manage and resolve business disruptions. The following sections examine the extent and nature of business continuity testing, and other measures the audited entities had in place to monitor preparedness.

Business continuity exercising and testing

5.2 Conducting exercises provides an entity with a safe environment to practice and rehearse responses to various potential incidents. Accordingly, entities should plan a variety of testing and exercises to gauge the level of overall preparedness. The number and frequency of exercises is dependent on the needs, size and complexity of the entity but ideally every member of a response team should participate in at least one exercise per year.

5.3 Exercises may range from simple discussion based activities, through to complex, high risk, high cost, full-scale simulations. Pass/fail types of exercises are typically used to test the performance of equipment and technology capabilities within a required timeframe. Exercises should focus on different elements of the entity’s BCM arrangements including testing entity-wide arrangements (and the operation of the Control Team), local and business area BCPs (and the operation of Response Teams), and recovery arrangements for enabling resources such as ICT disaster recovery testing. To assess testing and exercising of entity continuity plans, the ANAO examined the planning of exercises, post-exercise review, and the extent to which the reviews of exercises were used to revise BCPs.

Civil Aviation Safety Authority

5.4 Both the 2011 and 2013 CASA BCM frameworks emphasised the importance of regular exercising of the plan; including the planning, conduct, review and update process for the exercise schedule. The framework indicated that ongoing exercises would be scheduled, and that these exercises would follow a staged approach, which would commence with a walk through of plans. CASA considered that incrementally increasing the scope of exercises would progressively build the capability of staff and the usefulness of its plans. CASA’s 2013 framework required:

Whether it is a simple exercise to validate a contact list, or a major simulation, all exercises must be recorded, reviewed, debriefed, the outcomes acted upon and verified, and the results maintained in an Exercise Register.⁹⁹

5.5 Testing scenarios and desktop reviews were also identified as risk treatment strategies in CASA’s 2009 and 2013 risk management plans. The plans were silent regarding the type and frequency of exercises that should be conducted. Although testing and exercising expectations were established by CASA, a schedule of testing was not established.¹⁰⁰

5.6 CASA developed one testing scenario, in October 2013, but did not use the scenario to test its BCM arrangements. The scenario focused on the Headquarters BCP and the role of the Command Team. CASA advised the ANAO that undertaking scenario testing would not be cost effective, relative to the risk exposure. While no tests of overall BCM arrangements involving the Command Team have occurred, CASA has undertaken some testing of disaster recovery and emergency management. As outlined in Chapter 3, CASA’s BCP focuses on critical systems and facilities, therefore disaster recovery testing concentrates on the most important element of CASA’s BCM arrangements. ICT disaster recovery testing was most recently conducted in August 2012, in accordance with the May 2012 IT Disaster Recovery Plan. The report on the testing included issues, risks and recommendations regarding the infrastructure tested. In 2014, CASA advised that it conducted regular out-of-hours testing of the Temporary Restricted Airspace hotline system, but also relied on unplanned outages to test its systems.¹⁰¹

5.7 CASA has also benefited from joint airport emergency exercises. For example, in April 2011, a major multi-agency exercise (involving Sydney Airport, NSW Police and a variety of other entities)¹⁰² was conducted to test the response to a plane crash. Lessons learnt from the exercise were documented, and CASA’s Critical Occurrence Response Plan was updated. Overall, while CASA has tested some elements of its BCM arrangements, particularly its ICT disaster recovery, there is scope for CASA to improve its testing by developing and undertaking a program of testing its BCPs and critical functions.

Department of Finance

5.8 Of the three entities audited, Finance had the most structured approach to testing its business continuity program, as well as the most comprehensive guidance for planning, conducting and reviewing exercises. Finance’s framework established roles and responsibilities for exercises at the entity-wide level and then the critical function level. There was an expectation that the Control Team would undertake an annual exercise, while critical functions would be tested more frequently. To guide its overall approach, Finance developed an annual business continuity calendar which included a schedule for exercises, planning, and meeting with other entities that relied on Finance’s critical systems. Finance’s approach is set out in Figure 5.1.

Figure 5.1: Finance’s Exercise Management Process

Source: Finance, Finance Business Continuity Management, 4. Maintenance of the Business Continuity Management Framework, April 2013, p. 4.

5.9 Finance’s major business continuity exercise for 2012–13 was Exercise Sparky (see Table 5.1).

Table 5.1: Case study—Finance’s Exercise Sparky

5.10 In addition to this overall exercise, some individual branches within Finance that were responsible for critical business functions also planned testing of their arrangements; some of these tests included other entities. For example, the Official Public Account administration team conducted business continuity testing at the Reserve Bank of Australia facilities, but the timing and results of this testing was not monitored centrally. In addition, a schedule of testing and maintenance of Finance’s ICT disaster recovery plan was undertaken to ensure that it remained relevant.

Department of Social Services

5.11 DSS’s BCM policy and BCP set out expectations regarding testing and exercising the business continuity framework, including that a testing plan was to be developed and exercised annually. The BCM team had responsibility for exercise and testing of BCPs across the department, including for state offices. DSS required documentation to be maintained with respect to the implementation and testing of the business continuity policy. The DSS BCP was to be tested regularly to evaluate its effectiveness and capabilities.

5.12 Since 2008, DSS had generally scheduled an annual program of testing and review activities, which included a major, annual scenario test, known as ‘Iron Triangle’. Iron Triangle was designed to test selected areas of the department with a scenario based crisis and involved oversight by the Crisis Response Team. The earlier iterations of the exercise each involved recovering IT systems. The most recent exercise, which was completed in June 2012 (see Table 5.2), involved grants administration, ministerial support, and media and communications. The exercise was followed by a post exercise report, participant feedback, and recommendations. However, consistent with the discussion in relation to the DSS’s Queensland State Office stakeholder contact strategy (see paragraph 3.20), it is not clear that the revision sufficiently addresses the issues identified.

Table 5.2: Case study—Department of Social Services’ exercise Iron Triangle IV

5.13 A business continuity exercise was not conducted in 2013. Developing a review program was delayed to allow for changes to the business continuity arrangements in response to an internal audit conducted in 2012. While DSS planned to undertake scenario testing of its new arrangements in November 2013, testing was further delayed by the Machinery of Government changes to the department in September 2013. After a two year gap in testing, in June 2014, DSS conducted Exercise Firefly. This exercise focused on the initial management of a business continuity event by the Crisis Response Team and Secretariat, as well as the resumption of critical processes in accordance with maximum allowable outages. A post exercise review was completed in July 2014 and identified opportunities to improve BCM arrangements including the operation of Crisis Response Team meetings, understanding roles and responsibilities, understanding the longer-term impact of the disruption and using BCPs.

5.14 As an important enabling resource, ICT systems that support critical functions should be regularly tested. DSS conducted an annual ICT disaster recovery test. Some post incident analysis was undertaken and the results of activities were reported to Executive Management Group. The test conducted in March 2013 indicated that disaster recovery processes for priority applications were in place and performed as required, but that there was scope to improve communications and planning.

5.15 The PSPF expects continuous review and testing of BCPs, which would include testing entity-wide, regional, branch and critical function BCPs. With the exception of ICT disaster recovery testing, DSS’s tests and exercises were not sufficiently frequent or comprehensive to provide assurance on the business continuity arrangements. To better meet the expectations of the PSPF regarding testing its BCPs, DSS needs to ensure that it has a regular testing program in place.

Recommendation No.3

5.16 To provide assurance that business continuity plans are current and would operate as intended during a disruption, the ANAO recommends that CASA and DSS develop and undertake more comprehensive and regular testing of their business continuity arrangements.

Entity response

5.17 This recommendation was directed to CASA and DSS. Finance also commented.

Civil Aviation Safety Authority

5.18 CASA accepts this recommendation and will develop a comprehensive program to enable testing of its business continuity arrangements and implement testing commensurate with the organisations risk appetite and cost benefit analysis practices.

Department of Social Services

5.19 Agreed. DSS conducted its annual testing in June 2014.

Department of Finance

5.20 Supported.

Monitoring overall preparedness

5.21 All entities subject to the PSPF are required to undertake activities to monitor the entity’s level of overall preparedness in the event of a business disruption event. Monitoring preparedness includes establishing key performance measures and targets to support assessments of whether business continuity arrangements are: current; provide adequate coverage; and BCP testing is planned and undertaken. Preparedness can also be informed by the results of internal audits and reviews.

5.22 CASA was the only entity to include incident and business continuity preparedness arrangements in its business continuity guidance. CASA identified six preparedness activities that should be undertaken and reviewed, including maintaining lists of key personnel, establishing succession plans for all managerial and operational key roles, maintaining up-to-date standard operating procedures for all business units, undertaking a vital records analysis to establish which hard copy records may be necessary in the event of an incident, developing a communication policy, and reviewing evacuation assembly points to ensure that they provide adequate protection for personnel (as well as undertaking evacuation exercises). While CASA’s framework identified these preparedness activities, a number of the activities did not occur in practice, including a vital records analysis and maintaining complete contact lists.

5.23 Similarly, Finance and DSS had completed activities that would support preparedness, including updating BCPs and some testing of its arrangements. However, aspects of DSS’s approach could be more practical, for example, BCPs that contain procedures that were action focused rather than focused on developing further plans would better assist response teams when a disruption occurs (see paragraph 3.33). In addition, practical steps such as having up-to-date stakeholder contacts lists would further facilitate a timely response (see paragraph 4.7). These steps would ease the pressure on response teams and provide a level of assurance that priority functions are being managed.

Performance measures and targets

5.24 All three entities had made some effort to develop ways of measuring the performance of aspects of their BCM approach. CASA adopted a broader approach than Finance and DSS involving a mix of quantitative, qualitative and process measures (see Table 5.3). Although these measures were established, CASA did not collate data or report on the extent to which the performance measures were achieved. Finance and DSS developed a small number of indicators relating to the performance of certain processes. These indicators included updating framework documents and completing a training and testing program.

Table 5.3: Civil Aviation Safety Authority’s performance measures

Source: CASA Business Continuity Policy, September 2013.

5.25 Overall, only CASA identified activities to undertake and review to monitor preparedness, although it did not undertake all of the specified activities, and none of the entities reported on the performance of their BCM arrangements using the performance indicators that they had developed.

Audits and reviews

5.26 Regular internal audit or external reviews and evaluations of their business continuity program are further mechanisms for entities to obtain assurance over the effectiveness of their BCM arrangements.

Civil Aviation Safety Authority

5.27 Between 2009 and 2013, CASA has not audited its overall business continuity arrangements.¹⁰³ However, aspects of CASA’s continuity planning have been updated approximately every two years since 2007. CASA’s BCM framework, some regional BIAs, and all BCPs were most recently updated in 2013. Prior to this, the continuity framework and most business area BIAs were revised in 2011¹⁰⁴, following Cyclone Yasi.

Department of Finance

5.28 Since 2008, three internal audits of aspects of Finance’s business continuity arrangements prompted significant re-focusing of Finance’s BCM arrangements. These audits covered business continuity management in 2009, ICT Disaster Recovery Planning in 2010, and compliance with the PSPF in 2013. In response to the 2009 audit, critical functions were rationalised, the reporting framework for BCM was strengthened, and a schedule for updating BCPs was established, resulting in Finance developing a structured approach to continuously improving its business continuity strategies and plans.¹⁰⁵ The ICT Disaster Recovery audit focused on reviewing core recovery documentation, agreeing on recovery times with the relevant business areas, and testing the disaster recovery plan. The 2013 PSPF audit found that Finance was compliant with GOV 11.

Department of Social Services

5.29 A 2012 internal audit of DSS’s business continuity arrangements prompted a cross-entity update of BCM arrangements. Recommendations from the audit related to updating BIAs, preparatory controls, governance, disaster response teams, testing, target recovery time and IT backup. In response to this audit, DSS updated the BIAs and BCPs across the department in early 2013. By July 2013, DSS had also developed an overarching BCP.

Conclusion

5.30 In accordance with the PSPF, relevant Australian Government entities are expected to monitor their level of overall preparedness through exercising and review of their business continuity arrangements. While all entities subject to this audit undertook testing of their critical ICT systems, and CASA participated in joint exercises, only Finance had a comprehensive testing and exercising regime. This included post exercise reviews, with assigned actions, to incorporate improvements or revisions into the BCPs.

5.31 Both CASA and DSS identified the importance of regular exercising of the BCP. However, neither entity developed or had undertaken a business continuity exercising and testing program for 2012–13 or 2013–14, nor had they provided detailed guidance on how to structure, undertake and report on exercises and testing of the business continuity arrangements.

5.32 All of the entities could do more to monitor and report on their overall preparedness to manage and resolve business disruptions. In addition, DSS would benefit from developing a more proactive approach that better supports response teams during a disruption.

Appendices

Please refer to the attached PDF for the Appendices:

• Appendix 1: Entities’ Responses
• Appendix 2: Civil Aviation Safety Authority’s Key Systems and Facilities
• Appendix 3: Department of Finance’s Critical Functions
• Appendix 4: Department of Social Services’ Critical Functions with a Major or Extreme Impact Rating

Abbreviations

Glossary