Review of Corporate Business Continuity

Mayor’s Vision:

To make London the ‘Best Big city in the World’.

Internal Audit Service to the GLA

MPA Directorate of Audit, Risk and Assurance

Appendix 1a

Distribution List

Audit Team

Prakash Gohil, Audit Manager
Andrew Dimon, Auditor

Report Distribution List

Simon Grinter, Head of Resilience and Facilities Management
Chris Harris, Support Services
David Gallie, Assistant Director of Finance

CONTENTS

EXECUTIVE SUMMARY (Page)

Background ......................................................................................1

Audit Assurance..................................................................................1

Areas of Effective Management Control.............................................2

Key Risk Issues for Management Action............................................2

FINDINGS AND AGREED ACTION

Review Objectives...............................................................................3

Scope .................................................................................................3

Findings and Recommendations.........................................................3

ACTION PLAN

Risk and Audit Assurance Statement – Definitions.............................8

Risks and Recommendations.............................................................9


EXECUTIVE SUMMARY

September 2011 Corporate Business Continuity Page 1

1. Background

1.1 This audit has been carried out as part of the GLA 2011/12 audit plan.

1.2 The objectives of Corporate Business Continuity (CBC), in accordance with the Civil Contingencies Act, are to ensure that the GLA has plans in place that provide the most efficient and rapid way of maintaining an acceptable level of service.

1.3 At the outset of the review, the potential risks identified to achieving the objectives of the CBC were:

• Failure to meet statutory and regulatory requirements

• Lack of clear roles, responsibilities and accountabilities

• Unclear leadership and direction

• Interruption of service through unavailability of accommodation, infrastructure and human resources

• Failure to carry out risk and impact assessment on a regular basis

• Inadequate planning and procedures

• Inadequate communication

• Inadequate record management

• Adverse publicity and reputational damage

1.4 For the period of 2010/11, the total expenditure recorded against business continuity was £60k. This includes payments to backup sites and contractor fees.

1.5 The Civil Contingencies Act 2004 requires the GLA to maintain an acceptable level of service for critical activities in the event of disruption, and therefore the GLA is a category 1 responder. Although the Head of Paid Services has the responsibility for business continuity, Resilience and Facilities Management sets the corporate strategy, provides guidance and monitors the GLA business continuity plans. However, all business areas are responsible for the development of their respective business continuity plans. Business continuity is overseen by the GLA Resilience Group, which is chaired by the Director of Resources and includes representatives from each business area.

1.6 At the time of the audit, the GLA were in discussion to include those parts of the London Development Agency that are transferring to the GLA. The findings of the audit as detailed in this report will need to be incorporated in any amendment to the strategy and plans.

2. Audit Assurance

Substantial: Key risks are being managed effectively, however some controls need to be improved to ensure business objectives are met.

3. Areas of Effective Management Control

3.1 An approved framework and strategy are in place. The Corporate Business Continuity Framework is comprehensive, easy to follow and accessible to all relevant parties. Staff are made aware of their responsibilities on the GLA website.

3.2 There are implementation plans to support the strategy which provide for fully documented business continuity plans that are approved and issued. Allocated desks have been prescribed to key departments at the recovery site based on priority and necessity. The Directorate plans identify communication trees, key staff, and mission critical processes/equipment/documents/records/staff and access to IT.

3.3 Regular annual corporate testing arrangements are in place and lessons learnt are recorded and reported to management as appropriate.

4. Key Risk Issues for Management Action

4.1 Roles and responsibilities within the business continuity plans have been agreed, approved and assigned. However, there is a need to document the change in the strategic lead since the Chief Executive role has been removed.

4.2 Details of the business continuity plans are not fully reflected, as appropriate, in the corporate and local inductions process. Business continuity is also not a regular agenda item at Corporate Management Team and Directorate/unit staff meetings.

FINDINGS AND AGREED ACTION

5. Review Objectives

5.1 We reviewed the control framework established by management to mitigate the risks to delivering successful corporate business continuity. In particular, we looked to provide an assurance that:

• A business continuity strategy has been established, approved and issued;

• An implementation plan supporting the strategy provides for fully documented business continuity plans that are approved, issued and regularly and adequately tested;

• Roles and responsibilities within the business continuity and disaster recovery plans have been agreed, approved and assigned;

• Details of the business continuity plans are reflected, as appropriate, in corporate and local procedures and these are made available to all relevant staff.

• Regular testing arrangements are put in place and lessons learnt are recorded and reported to management as appropriate.

6. Scope

6.1 We reviewed the control environment supporting the Corporate Continuity Framework. We assessed whether there is appropriate ownership of the risks to services through visits to a number of departments across the GLA. We also assessed the effectiveness of risk management within Business Continuity. We did not cover IT Business Continuity as it is covered in a separate audit.

7. Findings and Recommendations

Business Continuity Strategy

7.1 A corporate business continuity framework has been established and is in place. The strategic approach to business continuity is detailed in the Corporate Business Continuity Plan, which has been approved and issued. The plan sets out the strategy for how the Authority will operate in a business continuity situation. Best practice, tools and techniques are shared across the GLA Group through the GLA Business Continuity Group, whose members include the MPA, LFB, MPS, TFL and LDA.

7.2 The corporate business continuity plan is issued to all directors and their nominated business continuity deputies, who in an emergency will form ‘the Emergency Management Team’, also known as ‘Recovery Gold’.

7.3 Each directorate within the GLA has a business continuity plan which has been

signed off by its director. These plans are consistently structured and detail procedures which ensure, as far as possible, that the Directorate/unit can carry out business as usual, where appropriate.

Implementation Plans

7.4 The corporate business continuity plan gives responsibility to directors to ensure that their directorates/units have their own appropriate business continuity plans and that these interlock and are compatible with the Corporate Business Continuity Plan. Appendices to the plans detail the key personnel, critical functions/equipment and contact details. If City Hall becomes unusable, access to alternative offices is available for a limited, prescribed core team. Assigned business continuity leads and directors retain a hard copy of the plans.

7.5 Implementation plans support the strategy through fully documented business continuity plans that are approved and issued. Business continuity plans will be launched following a wide range of events such as a widespread public transport strike, severe weather, a flu pandemic or a sudden major incident.

7.6 The information in the directorate/unit plans will enable the Head of Paid Services to allocate limited resources and decide priorities in a business continuity situation. Desk space has been allocated to each directorate at the recovery site. Directors will inform staff, at the time and under the prevailing circumstances, of who needs to come into work and will communicate using a staff telephone ‘call tree’. Staff will also be kept informed through recorded information on the GLA Emergency line.

7.7 The Resilience and Facilities Management team oversee the status of planned revisions of local business continuity plans and assist business areas to improve the adequacy of their plans through a quality assurance process. Each directorate/unit business continuity plan documents key personnel, key stakeholders, mission critical functions/equipment/posts/staff, travel/working from home arrangements, and a travel/weather disruption and illness plan. Resilience and Facilities Management recognise that there are areas of the GLA where business continuity plans have not been updated regularly; our testing confirmed that, at the time of our audit, four out of twelve unit plans were past their review date. We reviewed a selection of plans and found that:

• directorate/unit plans were not consistently updated every six months and therefore not regularly signed off by the Head of Unit;

• directorates keep accessible, off-network, hard/electronic copies of their respective plans;

• each directorate has a dedicated business continuity co-ordinator;

• staff contact details and a cascade communication tree were in place; however, some staff details in the plans were identified as being out of date or missing, and call trees were not tested;

• remote working is available;

• staff members were aware of the emergency contact number, the call tree to cascade information, and their responsibilities;

• staff members who were required to attend the recovery site were aware of their responsibility and of the plan detailing the site location;

• the Resilience and Facilities Management team effectively monitor and oversee business continuity status using the red, amber, green methodology; however, there needs to be a mechanism to ensure compliance when plans reach the red stage;

• risk assessment of the consequences of unavailability of service and the resolve of the risk are regularly refreshed and are a standing agenda item at the GLA Resilience Group; and

• the Resilience & Facilities Management and Technology Group plans adequately detail their key suppliers and those responsible for managing external suppliers; however, there is no regular requirement for all directorates to review their critical suppliers.

Risk and Recommendation

Failed continuity through incorrect information. Failure to properly monitor the continuity of supplier service. We recommend that:

• red status plans are flagged to the next routine CMT meeting for action to review and update;

• critical suppliers are regularly reviewed by all directorates and included in their business continuity plans.

Roles and Responsibilities

7.8 Roles and responsibilities within the business continuity plans have been agreed, approved and assigned.

7.9 The GLA is required to comply with the Civil Contingencies Act 2004 as the London Resilience function is now under the control of the GLA. As a result, the GLA has a statutory duty to have in place appropriate and proper arrangements for business continuity; this is delivered through having appropriate and tested plans in place.

7.10 TFL Procurement ensures that the GLA external supplier contracts have built-in provision for continuity of services and that suppliers’ own business continuity plans are approved and exercised adequately. This is overseen through the GLA Resilience Group and raised as an agenda item at the quarterly meeting.

7.11 Resilience and Facilities Management are responsible for ensuring consistency, quality assurance and development of plans due to their resilience role. The GLA Resilience Group ensures that all directorates’ plans are in place; however, although the group is chaired by the Director of Resources, giving the operational lead, there is no clearly assigned strategic lead within the GLA following the Chief Executive role being no longer in place. The strategic role is the Head of Paid Services, but business continuity documentation does not reflect this.

Risk and Recommendation

Unclear leadership and direction. We recommend that, at the next revision of corporate and local plans, the strategic lead is identified as the Head of Paid Services and roles and responsibilities are set and communicated.

Embedding Business Continuity in Local Procedures

7.12 Details of business continuity are not fully reflected in corporate and local procedures, as appropriate. Our testing confirmed that induction programmes do not include the responsibilities and information needed to ensure business continuity plans are known to new starters, and that their responsibilities are not explained during inductions. Business continuity is also not included as a regular agenda item at Corporate Management Team and Directorate/unit meetings to ensure staff are aware of the plans and of their responsibility to keep personal information up to date. We did identify local good practice where business continuity responsibilities are signed off as part of a local health & safety induction process. There is a need to raise awareness of business continuity to ensure compliance.

Risk and Recommendation

Staff may be unaware of procedures through time lapses and staff changes.

We recommend that business continuity is:

• incorporated in the corporate and local new starter induction process;

• discussed as a six-monthly agenda item at the Corporate Management Team, Directorate and team meetings to update plans and to refresh all staff of their responsibilities.

Testing and Lessons Learnt

7.13 Regular annual testing arrangements are in place and lessons learnt are recorded and reported to management as appropriate.

7.14 The GLA Resilience Group terms of reference state that a regular desktop exercise to test the corporate business continuity plans should be conducted, and that changes should be made in response to these tests. Our testing identified that an annual desktop exercise is completed as required and local business continuity plans are modified in light of test results. The GLA Resilience Group, chaired by the Director of Resources, monitors the ongoing status of local business plans and testing of the corporate plan. Key staff from facilities and the press office regularly visit the recovery site to test required electrical equipment, and to update resources and information held at the site.

7.15 All directorates/units ensure that staff contact details held in their local business continuity plans are kept up to date and relevant as part of their regular periodic reviews. Although there is no testing of the cascade of information using the telephone ‘call tree’, periodic updates are undertaken and personal information is regularly confirmed.

Management Reporting

7.16 Management information is produced by the Resilience and Facilities Management team on the status of all unit/directorate plans; this information is provided to the Director of Resources and discussed at the GLA Resilience Group. The Director of Resources is required to provide an update at the Directors’ Meeting and DMT Meeting on a six-monthly basis, and to ensure the compilation and maintenance of directorate plans is incorporated within the GLA’s Performance Monitoring at the end of quarters 1 and 4. Our testing has identified that regular updates are not being formally discussed at Directors’ meetings and regular performance updates are not being provided.

Risk and Recommendation

There is a lack of senior management information and communication of the readiness and plans for business continuity.

We recommend that the reporting structure for business continuity is reviewed to ensure expected reporting and performance information is agreed and regularly provided.


ACTION PLAN


RISK AND AUDIT ASSURANCE STATEMENT - DEFINITIONS

Assurance Level / Assurance Criteria

1. Full: There is particularly effective management of key risks and business objectives are being achieved. There is a sound framework of control operating effectively to achieve business objectives.

2. Substantial: Key risks are being managed effectively, however some controls need to be improved to ensure business objectives are met. The framework of control is adequate and controls to mitigate key risks are generally operating effectively.

3. Limited: Some improvement is required to address key risks before business objectives can be met. A number of controls to mitigate key risks are not operating effectively.

4. No: Significant improvement is required to address key risks before business objectives can be met. The control framework is inadequate and controls in place are not operating effectively to mitigate key risks. The business area is open to abuse, significant error or loss and/or misappropriation.

Definitions of Risk Ratings

Priority: categorises recommendations according to their level of priority.

1 Critical risk issues for the attention of senior management to address control weaknesses that could have a significant impact not only upon the system, function or process objectives, but also upon the achievement of the organisation’s objectives in relation to:

• The efficient and effective use of resources

• The safeguarding of assets

• The preparation of reliable financial and operational information

• Compliance with laws and regulations.

2 Major risk issues for the attention of senior management to address control weaknesses that have, or are likely to have, a significant impact upon the achievement of key system, function or process objectives. Such a weakness, whilst high impact for the system, function or process, does not have a significant impact on the achievement of the overall organisational objectives.

3 Other recommendations for local management action to address risk and control weaknesses that have a low impact on the achievement of the key system, function or process objectives; or where the weakness has exposed the system, function or process to a key risk but the likelihood of this risk occurring is low.

4 Minor matters that need to address risk and control weaknesses that do not impact upon the achievement of key system, function or process objectives; however, implementation of the recommendation would improve overall control.


Risks and Recommendations

Columns: Ref. | Findings and Risk | Priority | Recommendations | Accepted | Responsibility | Target Date

Ref. 7.7
Findings and Risk: Plans are not regularly reviewed, updated and relevant; there is a risk of failed continuity through incorrect information and inadequate identification of supplier service.
Priority: 2
Recommendation (a): Red status plans are flagged to the next CMT meeting for action to review and update.
Accepted: YES. Responsibility: Executive Director of Resources. Target Date: Oct 11.
Recommendation (b): Critical suppliers are regularly reviewed by all directorates and included in their business continuity plans.
Accepted: YES. Responsibility: Executive Directors. Target Date: Mar 12.

Ref. 7.11
Findings and Risk: The corporate lead is unclear in business continuity documentation; there is a risk of non-compliance.
Priority: 2
Recommendation: At the next revision of corporate and local plans, the strategic lead is identified as the Head of Paid Services and roles and responsibilities are set and communicated.
Accepted: YES. Responsibility: Support Services Manager. Target Date: Jan 12.

Ref. 7.12
Findings and Risk: Business continuity is not regularly discussed; there is a risk that staff may be unaware of procedures through time lapses and staff changes.
Priority: 2
Recommendation (a): Business continuity is incorporated in the corporate and local new starter induction process.
Accepted: YES. Responsibility: Assistant Director Human Resources & Organisational Development. Target Date: Jan 12.
Recommendation (b): Business continuity is discussed as a 6-monthly agenda item at the Corporate Management Team, Directorate and team meetings to update plans and to refresh all staff of their responsibilities.
Accepted: YES. Responsibility: Executive Director of Resources. Target Date: Nov 11.

Ref. 7.16
Findings and Risk: There is a lack of senior management knowledge of the readiness and plans for business continuity.
Priority: 3
Recommendation: The reporting structure for business continuity is reviewed to ensure expected reporting and performance information is agreed and regularly provided.
Accepted: YES. Responsibility: Executive Director of Resources. Target Date: Oct 11.