
Internal Audit Division: Audit of Business Continuity in The African Union-United Nations Hybrid Operation in Darfur


INTERNAL AUDIT DIVISION

REPORT 2018/038

Audit of business continuity in the African Union-United Nations Hybrid Operation in Darfur

The Mission was not adequately prepared to ensure the continuity of important and time-critical business processes following a disruptive event

10 May 2018
Assignment No. AP2017/634/02

EXECUTIVE SUMMARY

The Office of Internal Oversight Services (OIOS) conducted an audit of business continuity in the African
Union-United Nations Hybrid Operation in Darfur (UNAMID). The objective of the audit was to assess
whether the Mission had established and implemented adequate and effective procedures to ensure
continuity of its critical business processes and services following disruptive events. The audit covered the
period from 1 July 2015 to 30 November 2017 and included governance structure and strategy; risk
assessment, business impact analysis and mitigating measures; and the maintenance, exercise and review
of the business continuity plan.

UNAMID was not adequately prepared to ensure the continuity of important and time-critical business
processes following a disruptive event. The Mission needed to identify critical functions and revise its
business continuity plan; conduct risk assessment and business impact analysis; and test the business
continuity plan for validity and train staff responsible for business continuity activities.

OIOS made five recommendations. To address issues identified in the audit, UNAMID needed to:

• Implement a functioning governance structure to make strategic decisions related to the business
continuity plan, including essential time-critical business services, and to ensure that the plan
is regularly tested and updated;

• Identify the time-critical business processes and maximum tolerable periods of disruption, and
update its business continuity plan and annexes to ensure that the Mission is adequately
prepared to face disruptive events;

• Conduct and document a comprehensive business continuity risk assessment and business
impact analysis, including recovery time objectives, and develop mitigating strategies to
support the critical business processes built in its revised business continuity plan;

• Regularly test its business continuity plan and update it based on lessons learned to ensure it
remains current; and

• Conduct awareness-raising campaigns on business continuity and emergency management
plans and procedures, and take action to ensure those responsible for critical business processes
and business continuity focal points have been adequately trained.

UNAMID accepted the recommendations and has yet to initiate action to implement them.

CONTENTS

I. BACKGROUND

II. AUDIT OBJECTIVE, SCOPE AND METHODOLOGY

III. AUDIT RESULTS

A. Governance and strategy

B. Business continuity and recovery plan

C. Risk assessment, business impact analysis and mitigating strategies

D. Maintenance, exercise and review of business continuity plan

IV. ACKNOWLEDGEMENT

ANNEX I Status of audit recommendations

APPENDIX I Management response



I. BACKGROUND
1. The Office of Internal Oversight Services (OIOS) conducted an audit of business continuity in the
African Union-United Nations Hybrid Operation in Darfur (UNAMID).

2. Business continuity management is a holistic management process intended to strengthen an
organization’s ability to respond to risks and continue critical business processes following disruptive
events. In June 2013, the General Assembly approved the Organizational Resilience Management System
(ORMS) under A/RES/67/254, mandating all United Nations entities to implement, exercise and maintain
resilience by aligning and harmonizing preparedness efforts to enhance the Organization’s ability to
continuously deliver its mandates.

3. Business continuity is one of the core elements of ORMS, the emergency management framework
of the United Nations. Other core elements of ORMS include crisis management, security, information
technology disaster recovery, medical casualty incident response (pandemic and mass casualty incident
response), crisis communications and support to staff survivors and families. These elements are all
interlinked and constitute the framework for crisis response, recovery, reconstitution and return to usual
business. UNAMID developed a business continuity plan (BCP) in May 2011.

4. The UNAMID Chief of Staff, in collaboration with the Director of Mission Support, is responsible
for maintaining the BCP. The UNAMID Crisis Management Team (CMT), chaired by the Joint Special
Representative (JSR) and comprising key leaders from the substantive, support, military and police
components and the Deputy JSR, is responsible for taking the lead on all issues relating to business
continuity during crisis and disruption of services.

5. Comments provided by UNAMID are incorporated in italics.

II. AUDIT OBJECTIVE, SCOPE AND METHODOLOGY

6. The objective of the audit was to assess whether the Mission had established and implemented
adequate and effective procedures to ensure continuity of its critical business processes and services
following disruptive events.

7. This audit was included in the 2017 risk-based work plan of OIOS due to operational and
reputational risks related to the inability of the Mission to continue operations at defined levels and periods
following a disruptive event.

8. OIOS conducted this audit from August to November 2017. The audit covered the period from 1
July 2015 to 30 November 2017. Based on an activity-level risk assessment, the audit covered higher and
medium risk areas in UNAMID business continuity management, which included: governance structure
and strategy; risk assessment, business impact analysis and mitigating measures; and the maintenance,
exercise and review of the BCP.

9. The audit methodology included interviews of key personnel, review of relevant documentation
and analytical review of data.
10. The audit was conducted in accordance with the International Standards for the Professional
Practice of Internal Auditing.

III. AUDIT RESULTS

A. Governance and strategy

The Mission was not regularly meeting to make strategic and operational decisions on its business
continuity plan

11. The Secretary-General’s report on ORMS (A/67/266) requires UNAMID to establish a two-tier
governance structure comprising a high-level body and operational team to make strategic decisions and
coordinate responses.

12. In 2011, UNAMID established a two-tier governance structure: a CMT, which comprised the JSR
and senior leadership from the substantive, support, military and police components, responsible for making
strategic decisions regarding the BCP and its activation; and a crisis management working group
responsible for coordinating the Mission’s response to a crisis.

13. However, the CMT and the working group had not met since their establishment in 2011, with
UNAMID explaining that there had not been any crisis during the period. The lack of a functioning
governance structure for the overall management of business continuity and for discussing issues at both
the strategic and operational levels resulted in UNAMID not having a reliable or current BCP. For instance,
UNAMID had not updated the BCP since its development in 2011, which was prior to the promulgation of
the ORMS Policy in August 2015. Consequently, the 2011 BCP was not supported by a risk assessment and
business impact analysis, which are the basis for identifying critical business processes, and it did not
include maximum tolerable periods of disruption. The 2011 BCP had also not been recently tested to
validate and update it, except for the testing of the information technology disaster recovery plan (ITDRP)
at the Regional Service Centre in Entebbe (RSCE).

14. As a result, UNAMID was not adequately prepared to ensure the continuity of important and critical
business processes in a timely manner following a crisis/disruptive event.

(1) UNAMID should implement a functioning governance structure to make strategic
decisions related to its business continuity plan and to ensure that the plan includes all
essential time-critical business services and is regularly tested and updated as
necessary.

UNAMID accepted recommendation 1 and stated that it would ensure that the established two-tier
governance structure was operational in order to take BCP-related decisions. UNAMID added that
it would conduct an annual review of the BCP; conduct exercises and tests of the BCP regularly;
and continue to update the BCP as needed to ensure that it remained current and covered all the
Mission’s essential time-critical business services and processes. Recommendation 1 remains open
pending receipt of evidence of the functioning of the two-tier governance structure.

B. Business continuity and recovery plan

Need to update the Mission’s business continuity plan

15. The ORMS Policy, promulgated in August 2015, requires UNAMID to develop a mission-wide
BCP by June 2016. The United Nations Business Continuity Management Policy describes the BCP as a
living document that follows an all-hazards approach and outlines critical business processes and staff and
recovery procedures. The Department of Management’s BCP template requires UNAMID senior
management to: define its essential and time-critical business services; and set the maximum tolerable
period for disruption for resuming critical services following a disruptive event.

16. UNAMID had not revised its BCP since the promulgation of ORMS; its current BCP was the one
developed in 2011. The Mission’s former management had delegated the identification and classification
of time-critical services and related business processes to section/unit heads. However, due to the lack of
direction from leadership mentioned above, most section/unit heads had not updated their time-critical
services and related business processes since identifying them in 2011. Therefore, the Mission did not have
an up-to-date BCP that incorporated the additional requirements introduced by ORMS or reflected the
changes since 2011 in its operating environment, processes, information systems, partnerships and supply
chain.

17. A review of the 2011 BCP, including the 93 critical business processes listed under various
sections/offices and the related annexes, noted that important information was absent and/or outdated. For
example, critical business processes related to fuel, water and rations reserves were missing, while a
process that had never been operational, the Communications and Public Information Section’s maintenance
of a 24/7 nationwide public radio service, was included. Furthermore, non-critical business processes were
included in the BCP, such as: managing United Nations Volunteers time and attendance and personnel data;
recording financial transactions and managing the budget implementation and monitoring process by the
Budget and Finance Section; and maintaining a database of all prisoners in custody by the Rule of Law
Section. While the Geospatial Information and Telecommunications Technology Section (GITTS) and the
Safety and Security Section had each conducted a separate risk assessment and identified mitigating actions,
the results were not part of a comprehensive revision of the Mission’s BCP.

18. The BCP was not updated because management did not pay attention to revising the plan. In 2017,
the Office of the Chief of Staff initiated its revision; however, there was no target completion date and no
one was assigned such responsibility. Without an updated BCP, UNAMID was not adequately prepared to
resume critical business processes in a timely manner.

(2) UNAMID should identify its time-critical business processes and the maximum
tolerable periods of disruption, and subsequently update its business continuity plan
and related annexes to ensure that it is adequately prepared to continue time-critical
business processes following a disruptive event.

UNAMID accepted recommendation 2 and stated that it would: update the BCP and its annexes by
31 July 2018; ensure that section/unit heads identified the Mission’s time-critical business processes
and services; and assess the maximum tolerable periods of disruption. Recommendation 2 remains
open pending receipt of the updated BCP and the identification of the Mission’s time-critical business
processes and services and maximum tolerable periods of disruption.

C. Risk assessment, business impact analysis and mitigating strategies

Need to conduct risk assessment and business impact analysis

19. The United Nations Policy on Business Continuity Management requires UNAMID to conduct a
risk assessment and business impact analysis to support the identification of critical business processes and
take these into consideration when developing the Mission’s BCP. The policy also requires UNAMID to
develop recovery/mitigation strategies to respond to identified risks.

20. Although critical business processes were identified in the 2011 BCP, they were not supported by
a documented risk assessment showing how disruption of these processes could potentially impact the
Mission’s operations. At the time of the audit, only GITTS and the Safety and Security Section had
conducted risk assessments and business impact analyses for their respective processes. The GITTS risk
assessment identified critical business processes and a recovery strategy for the disruption of the services
it provided, and the Safety and Security Section risk assessment focused on safety and security risks that
could impact operations.

21. Additionally, although the Mission was in the process of updating the 2011 BCP, there was no
evidence that a comprehensive risk assessment and business impact analysis were being conducted as part
of the process. Mitigation strategies (except in the cases of GITTS and the Safety and Security Section, as
noted above) and recovery time objectives (RTOs) [1] to ensure continuity of critical functions were also not
defined. This resulted from the lack of management attention to the BCP, including the failure to assign
dedicated staff with the requisite knowledge to lead the process. In the absence of a comprehensive risk
assessment, a business impact analysis and identification of mitigating measures, including RTOs, UNAMID
was not adequately prepared to resume critical services and related processes following a disruptive event.

(3) UNAMID should conduct and document a comprehensive business continuity risk
assessment and a business impact analysis, including recovery time objectives, and
develop mitigating strategies to support the critical business processes built in its revised
business continuity plan.

UNAMID accepted recommendation 3 and stated that it would: conduct and document a
comprehensive business continuity risk assessment and business impact analysis; define RTOs; and
identify mitigating strategies to support the critical business processes as part of its update of the
Mission’s BCP. Recommendation 3 remains open pending receipt of the comprehensive business
continuity risk assessment and business impact analysis, including RTOs and mitigating strategies.

D. Maintenance, exercise and review of business continuity plan

Need to test the business continuity plan and establish mechanisms so that it remains current

22. The United Nations Policy on Business Continuity requires UNAMID to test the BCP to validate
policies, procedures and systems against established standards and update the plan to reflect lessons learned.

23. In April 2016 and October 2017, the Mission tested its ITDRP at the RSCE to validate the adequacy
of the plan and the Mission’s readiness to address disruptive events affecting the information and
communications technology infrastructure and related services. The tests concluded that RSCE was
adequately prepared for a disruptive event and had satisfactory information technology disaster recovery
strategies in place. However, due to inadequate attention by management, UNAMID had not prepared
after-action reports with lessons learned to update the plan. UNAMID had also not determined RTOs and
recovery point objectives (RPOs) [2] for its Information and Communications Technology (ICT) systems.

[1] The period within which minimum levels of services and/or products and supporting systems, applications or
functions must be recovered after a disruption has occurred.

24. These exercises, however, focused solely on the recovery of critical ICT infrastructure and on
validating the ICT disaster recovery strategies, not on the recovery of critical business processes. Also,
of the 53 Mission sections/components, only 13 participated in the ITDRP exercise in April 2016 and
only 9 in the October 2017 exercise. There was no indication of how staff were selected to participate in
these exercises. Participation was limited because the Mission had not provided a budget for testing the
ITDRP.

25. Overall, however, the Mission had not tested its 2011 mission-wide BCP to validate and update it
to ensure all time-critical business processes had been identified and adequate continuity strategies had
been developed including RTOs. Also, a review of staff (principals and alternates) to perform critical
business processes in the 2011 BCP showed that most of them had left the Mission even though there was
a requirement to update the list of critical staff and their contacts each month. As a result, there was a high
risk that UNAMID would not be able to resume critical business processes in a timely manner following a
disruptive event.

(4) UNAMID should regularly test its business continuity plan and update it based on lessons
learned to ensure it remains current.

UNAMID accepted recommendation 4 and stated that it would: periodically test its BCP to assess
the effectiveness of its plans and procedures and ensure that they remained current; and prepare
after-action reports and make the necessary changes to the BCP. Recommendation 4 remains open
pending receipt of evidence that the BCP has been tested and that lessons learned are captured and
used to update the BCP.

Need to train staff and raise awareness on the business continuity plan

26. The ORMS policy requires UNAMID to: ensure that staff and management are aware of emergency
management plans and procedures and that staff responsible for time-critical functions are adequately
trained; identify staff members (principals and alternates) to perform critical business processes in the
event of a disruption; and update the list of critical staff names and contacts each month.

27. There was no evidence that all staff and management had been made aware of business continuity
arrangements and emergency management plans and procedures, or that crisis managers and staff
responsible for time-critical functions had been trained in, and were familiar with, the decision-making
process. This occurred because the Mission’s management did not monitor the requirement to update the
list of staff responsible for business continuity activities, provide the required training, or undertake
campaigns on business continuity and emergency management plans and procedures.

(5) UNAMID should conduct awareness-raising campaigns on business continuity and
emergency management plans and procedures, and take action to ensure those responsible
for critical business processes and business continuity focal points have been adequately
trained.

[2] The point in time to which data must be restored after a disruption has occurred, i.e. the maximum
tolerable loss of data.

UNAMID accepted recommendation 5 and stated it would: conduct mandatory awareness-raising
campaigns on BCP and emergency management plans and procedures; and update the list of those
responsible for critical business processes and ensure that they were trained and had expertise to
support implementation, maintenance and recovery of critical processes. Recommendation 5
remains open pending receipt of evidence that awareness-raising campaigns have been conducted
and that all staff responsible for critical business processes have been trained.

IV. ACKNOWLEDGEMENT
28. OIOS wishes to express its appreciation to the management and staff of UNAMID for the assistance
and cooperation extended to the auditors during this assignment.

(Signed) Eleanor T. Burns


Director, Internal Audit Division
Office of Internal Oversight Services

ANNEX I

STATUS OF AUDIT RECOMMENDATIONS

Audit of business continuity in the African Union-United Nations Hybrid Operation in Darfur

Columns: Rec. no.; Recommendation; Critical [1] / Important [2]; C/O [3]; Actions needed to close recommendation; Implementation date [4].

Rec. no. 1
Recommendation: UNAMID should implement a functioning governance structure to make strategic decisions related to its business continuity plan and to ensure that the plan includes all essential time-critical business services and is regularly tested and updated as necessary.
Critical/Important: Important
C/O: O
Actions needed to close recommendation: Receipt of evidence of the functioning of the two-tier governance structure.
Implementation date: 31 July 2018

Rec. no. 2
Recommendation: UNAMID should identify its time-critical business processes and the maximum tolerable periods of disruption, and subsequently update its business continuity plan and related annexes to ensure that it is adequately prepared to continue time-critical business processes following a disruptive event.
Critical/Important: Important
C/O: O
Actions needed to close recommendation: Receipt of the updated BCP and the identification of the Mission’s time-critical business processes and services and maximum tolerable periods of disruption.
Implementation date: 31 July 2018

Rec. no. 3
Recommendation: UNAMID should conduct and document a comprehensive business continuity risk assessment and a business impact analysis, including recovery time objectives, and develop mitigating strategies to support the critical business processes built in its revised business continuity plan.
Critical/Important: Important
C/O: O
Actions needed to close recommendation: Receipt of the comprehensive business continuity risk assessment and business impact analysis, including RTOs and mitigating strategies.
Implementation date: 30 June 2018

Rec. no. 4
Recommendation: UNAMID should regularly test its business continuity plan and update it based on lessons learned to ensure it remains current.
Critical/Important: Important
C/O: O
Actions needed to close recommendation: Receipt of evidence that the BCP has been tested and that lessons learned are captured and used to update the BCP.
Implementation date: 30 June 2019

Rec. no. 5
Recommendation: UNAMID should conduct awareness-raising campaigns on business continuity and emergency management plans and procedures, and take action to ensure those responsible for critical business processes and business continuity focal points have been adequately trained.
Critical/Important: Important
C/O: O
Actions needed to close recommendation: Receipt of evidence that awareness-raising campaigns have been conducted and that all staff responsible for critical business processes have been trained.
Implementation date: 30 August 2018

[1] Critical recommendations address critical and/or pervasive deficiencies in governance, risk management or control processes, such that reasonable assurance
cannot be provided with regard to the achievement of control and/or business objectives under review.
[2] Important recommendations address important (but not critical or pervasive) deficiencies in governance, risk management or control processes, such that
reasonable assurance may be at risk regarding the achievement of control and/or business objectives under review.
[3] C = closed, O = open
[4] Date provided by UNAMID in response to recommendations.
APPENDIX I

Management Response

Audit of business continuity in the African Union-United Nations Hybrid Operation in Darfur

Columns: Rec. no.; Recommendation; Critical [1] / Important [2]; Accepted? (Yes/No); Title of responsible individual; Implementation date; Client comments.

Rec. no. 1
Recommendation: UNAMID should implement a functioning governance structure to make strategic decisions related to business continuity planning and to ensure that the plan includes all essential time-critical business services, and is regularly tested and updated as necessary.
Critical/Important: Important
Accepted?: Yes
Title of responsible individual: Mission Chief of Staff; Director of Mission Support
Implementation date: 31 July 2018
Client comments: UNAMID will ensure that the established two-tier governance structure consisting of: (a) a crisis management team comprised of the Joint Special Representative and the senior leadership from the substantive, support, military and police components; and (b) a crisis management working group is operational and that decisions on the business continuity plan (BCP) are made at the strategic and operational levels. UNAMID will also conduct an annual review of the BCP as well as regular exercises and tests of the BCP. UNAMID will also continue to update the BCP as needed to ensure that it remains current and reflects all of the Mission’s essential time-critical business services and processes.

Rec. no. 2
Recommendation: UNAMID should identify its time-critical business processes and the maximum tolerable periods of disruption, and subsequently update its business continuity plan and related annexes to ensure that it is adequately prepared to continue time-critical business processes following a disruptive event.
Critical/Important: Important
Accepted?: Yes
Title of responsible individual: Mission Chief of Staff; Director of Mission Support
Implementation date: 31 July 2018
Client comments: UNAMID will revise and develop an updated BCP, including annexes, by 31 July 2018 and ensure that heads of sections/units identify the Mission’s time-critical business processes and services, including assessing the maximum tolerable periods of disruption.

Rec. no. 3
Recommendation: UNAMID should conduct and document a comprehensive business continuity risk assessment and a business impact analysis, including recovery time objectives, and develop mitigation strategies to support the critical business processes built in its revised business continuity plan.
Critical/Important: Important
Accepted?: Yes
Title of responsible individual: Mission Chief of Staff; Director of Mission Support
Implementation date: 30 June 2018
Client comments: UNAMID will conduct and document a comprehensive business continuity risk assessment and business impact analysis; define recovery time objectives and identify the mitigation strategies to support critical business processes and services; and develop mitigation strategies to support the critical business processes as a part of its update of the Mission’s BCP.

Rec. no. 4
Recommendation: UNAMID should regularly test its business continuity plan and update it based on lessons learned to ensure it remains current.
Critical/Important: Important
Accepted?: Yes
Title of responsible individual: Mission Chief of Staff; Director of Mission Support
Implementation date: 30 June 2019
Client comments: The Mission will periodically test its BCP for the effectiveness of its plans and procedures to ensure that it remains current. An after-action report will be prepared and necessary changes will be made and implemented.

Rec. no. 5
Recommendation: UNAMID should conduct awareness-raising campaigns on business continuity and emergency management plans and procedures, and take action to ensure those responsible for critical business processes and business continuity focal points have been adequately trained.
Critical/Important: Important
Accepted?: Yes
Title of responsible individual: Mission Chief of Staff; Director of Mission Support
Implementation date: 30 August 2018
Client comments: UNAMID will conduct mandatory awareness-raising campaigns on the BCP and emergency management plans and procedures to ensure awareness of emergency management plans and procedures. It will also update the list of those responsible for critical business processes and ensure that they are trained and have the expertise to support implementation, maintenance and, if required, recovery of critical processes.

[1] Critical recommendations address critical and/or pervasive deficiencies in governance, risk management or control processes, such that reasonable assurance
cannot be provided with regard to the achievement of control and/or business objectives under review.
[2] Important recommendations address important (but not critical or pervasive) deficiencies in governance, risk management or control processes, such that
reasonable assurance may be at risk regarding the achievement of control and/or business objectives under review.
