
190503AuCtteePaper1Annex1 Business Continuity Planning

Cairngorms National Park Authority Internal Audit Report — Final: Business Continuity Planning

Audit & Risk Committee Paper | Annex 1 | 03/05/2019

BDO

Contents

  • Executive Summary
  • Detailed Findings and Recommendations
  • Appendices:
    • Staff Interviewed
    • Definitions
    • Terms of Reference

Report Status

  • Auditors: Gemma Rickman
  • Dates work performed: 28 January – 15 February 2019
  • Draft report issued: 22 February 2019
  • Final report issued: 12 April 2019

Distribution List

  • David Cameron, Director of Corporate Services
  • Members of the Audit Committee

Executive Summary

Level of Assurance

  • Design: Limited
  • Effectiveness: Limited

Summary of Recommendations

  • High: 1
  • Medium: 5
  • Low: 1
  • Total number of recommendations: 7

Overview

Background:

In accordance with the 2018–19 Internal Audit Plan, it was agreed that Internal Audit would review the design and operating effectiveness of the controls in place at Cairngorms National Park Authority (‘CNPA/the Authority’) surrounding business continuity planning arrangements. The purpose was to provide management and the Audit Committee with assurance that the Authority has appropriate arrangements to minimize disruption to business activities in the event of an unforeseen event. CNPA has developed a Business Continuity Plan (BCP), most recently updated in December 2014, and a supporting Disaster Recovery Plan (DRP). The BCP and DRP aim to ensure CNPA is fully prepared to respond to and recover from unplanned disruptions, with a goal to restore normal operations as quickly as possible. The BCP details the teams formed to manage and respond to disruptive incidents.

Continuing Functionality Team:

  • Respond immediately to a potential disaster and call emergency services (if not already called).
  • Assess the disaster’s extent and its impact on the business, Authority offices, internet, website, etc.
  • Decide which elements of the BCP and DRP should be activated.
  • Notify the IT Manager to recover operational systems, maintain vital services, and return to normal operation.
  • Notify the BC/DR Team Lead/Coordinator if the situation warrants activation of the BCP and DRP.
  • Ensure employees (and stakeholders, vendors, and key customers, as needed) are notified.

Business Continuity/Disaster Recovery Team:

  • Ensure the BCP and DRP are prepared and documented.
  • Ensure the BCP and DRP have been distributed to all employees, as well as the Continuing Functionality Team and IT Manager.
  • Launch the BCP and DRP once approval is obtained from management.
  • Establish programs to organize and conduct plan assessments, business impact analyses, risk analyses, awareness and training programs, plan exercises, plan reviews and audits, and continuous improvement of the BCP and DRP and associated programs.
  • Coordinate activities with the Continuing Functionality Team, IT Manager, building management, first responders, etc.
  • Report to the Continuing Functionality Team, IT Manager, and Authority management, as needed.

Scope and Approach:

The review assessed whether:

  • A clear business continuity plan is in place to allow recovery from disruptive events.
  • Roles and responsibilities relating to business continuity are fully defined within the plan.
  • The Authority has clearly defined business-critical systems and processes within the plan.
  • The plan is suitable to allow the Authority to recover from significant disruption within required timescales.
  • The business continuity plan is regularly tested, and results are appropriately reported to management.
  • The plan is appropriately communicated to staff, and key staff are aware of their roles to instigate the plan.
  • The plan is suitably located to allow it to be put into effect in an emergency.
  • Staff contact details are kept up-to-date within the plan.

The approach involved interviews to establish the controls and processes in operation, and review of documentary evidence to verify the design of those controls. Controls were then evaluated to determine whether they adequately addressed the risks.

Key Findings:

  • BCP Redaction and Distribution: The reviewed BCP was a redacted version, omitting key contact details, backup and recovery information, technology DR plans, succession planning, and equipment specifications. Management stated a non-redacted copy was on the network but password-protected by a former employee. Other information, such as SLAs and disaster kit locations, was also missing. There was also a contradiction regarding access to the BCP: the plan initially states that all staff must be aware of the BCP and DRP, but later explains that the plan and supporting documentation are stored in secure locations with limited access.

  • Action Plans: The BCP and DRP lacked clear, detailed action plans for restoring all critical functions following a business disruption within target timescales. There was also an opportunity to detail the range of incidents that could cause the plan to be invoked, along with specific procedures for each.

  • Risk Assessments and Business Impact Analyses: High-level risks were present in the BCP risk register, but no risk assessment had been conducted to determine the business continuity risks applying to each function. The current risk register was incomplete, particularly regarding mitigating actions and risk scores. Risk assessments and Business Impact Analyses had not been updated annually, as required by the BCP.

  • Plan Review and Approval: The BCP stated it should be reviewed annually, along with the DRP. However, it had not been reviewed since December 2014, resulting in outdated details. There was no version control within the DRP.

  • Testing: The BCP stated that testing should be annual, with consideration given to a daily ‘tabletop’ exercise. However, no formal testing had been conducted, and no plans were in place.

  • Training: No training on business continuity had been provided to staff.

  • BC/DR Team Membership: The BCP detailed the BC/DR team’s responsibilities, but not its members.

Conclusion:

Limited assurance can be provided on the design and operational effectiveness of the controls relating to business continuity planning. Management should implement the noted control improvements to develop current arrangements and ensure consistent operation across the Authority. It is particularly important to ensure that relevant staff have access to a non-redacted version of the Business Continuity Plan.

Risks Reviewed Giving Rise to No Findings of a High or Medium Significance:

  • Roles and responsibilities in relation to business continuity may not be fully defined within the business continuity plan.

Areas for Improvement: (Table detailing findings and recommendations omitted for brevity, but can be found in the original document)

Detailed Findings and Recommendations

(Detailed breakdown of findings and recommendations, with management responses, responsibilities and implementation dates, is omitted for brevity. This information is available in the original document.)

Appendix I — Staff Interviewed

  • David Cameron, Director of Corporate Services
  • Sandy Allan, IT Service Manager

BDO LLP appreciates the time provided by all individuals involved in this review.

Appendix II — Definitions

(Table defining levels of assurance, design opinions, effectiveness opinions, and recommendation significance omitted for brevity. This information is available in the original document.)

Appendix III — Terms of Reference

Background:

As part of the 2018–19 Internal Audit Plan, a review of business continuity planning arrangements was agreed. The review covered operational and IT environments and included examining procedures for emergency response handling; business impact analysis; disaster recovery; contingency planning; and business resumption.

Purpose of Review:

To provide assurance that the Authority has appropriate arrangements to minimize disruption to business activities in the event of an unforeseen event. The review assessed the design and effectiveness of the Authority’s business continuity arrangements.

Key Risks:

Based on the risk assessment undertaken during the development of the internal audit operational plan, and discussions with management:

  • Roles and responsibilities in relation to business continuity may not be defined within the business continuity plan.
  • The Authority may not have clearly defined business-critical systems and processes.
  • The plan may not be suitable to allow recovery from significant disruption within required timescales.
  • The business continuity plan may not be regularly tested, with results appropriately reported to management.
  • The plan may not be appropriately communicated to staff, and key staff may not be aware of their roles.
  • The plan may not be suitably located to allow it to be put into effect in an emergency.
  • Staff contact details may not be kept up-to-date within the business continuity plan.

BDO LLP Information

(BDO LLP contact information is omitted for brevity. This information is available in the original document.)
