Board Report: 2014-IT-B-018 October 30, 2014

The Board Can Better Coordinate Its Contingency Planning and Continuity of Operations Program


Appendix B: Management's Response


DATE:           October 7, 2014

TO:                Andrew Patchan Jr., Associate Inspector General for Information Technology

FROM:          Michell Clark, Director,  Management Division /signed/ 

                      William Mitchell, Director and CFO,  Division of Financial Management /signed/ 

SUBJECT:     Combined Divisions' Response to OIG Audit of the Contingency Planning and Continuity of Operations Programs

We have reviewed your report entitled "The Board Can Better Coordinate Its Contingency Planning and Continuity of Operations Programs" and appreciate the opportunity to provide comments on the report's findings, recommendations and management considerations.

Finding 1: Lack of Coordination May Affect the Board's Ability to Perform Its Mission During an Emergency


We recommend that the Director of the Management Division

  1. Develop strategies to implement across the Board's divisions all the necessary aspects of the Board's continuity of operations plan (COOP).

Management Division's Response
The Management Division has implemented a more collaborative approach to develop and implement continuity programs throughout the Board. One example of this is that the Readiness and Resiliency Working Group (RRWG) division representatives decided in the April 2014 meeting to increase the frequency of RRWG meetings from quarterly to monthly. The primary reason for increasing the frequency of the RRWG meetings was to ensure collaboration and consistency of knowledge and implementation throughout the Board. Additionally, Intelligence & Resiliency Programs (IRP) personnel met individually with almost all of the division continuity representatives in February and March 2014 to talk with them about continuity programs and ways to improve IRP's support and increase collaboration. Since then, IRP has met individually with divisions on the Mission Essential Functions (MEF) process. IRP also drafted a template for Volume II-Division Plans for the divisions to use while drafting their continuity plans. This draft is currently with the divisions for final review and comment, and IRP is updating the plan as they receive comments. Another strategy that IRP is using is working with the divisions to increase the flow of information to division continuity representatives. Additionally, the responses to Finding 2 further elaborate on the Management Division's efforts to improve and implement COOP planning and readiness preparation at both the division and Board levels.

Finding 2: Deficiencies in the Board's COOP May Affect the Board's Ability to Perform Its Mission During an Emergency 


We recommend that the Director of the Management Division 

  1. Develop a Test, Training, and Exercise program, a reconstitution plan, and a devolution plan for the Board's COOP, in accordance with the guidance provided in Federal Continuity Directive (FCD)-1.
  2. Perform a comprehensive Business Process Analysis to identify and prioritize all the inputs and outputs that are necessary to perform the Board's Mission-essential Functions.
  3. Ensure that the Board's Volume I and II COOPs correctly reflect all activities, inputs and systems that are required for the Board to resume its Mission-essential Functions. 

Management Division's Response

Recommendation 2

Develop a test, training, and exercise (TT&E) program. The IRP section of the Management Division is currently in the process of completing a contract for the development of a continuity TT&E program. The Solicitation, Offer, and Award (SOA) document stipulates that the contractor utilizes both Homeland Security Exercise and Evaluation Program (HSEEP) and FCD-1 requirements as further detailed in the Continuity Evaluation Tool developed by the Federal Emergency Management Agency (FEMA) in creating the TT&E program. HSEEP provides a set of guiding principles for exercise programs, as well as a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning and was the guidance for FEMA's National Continuity Program Directorate used to draft the TT&E portion of FCD-1. The Continuity Evaluation Tool breaks out the requirements established in FCD-1 and is the tool FEMA uses to evaluate continuity programs. The SOA document encompasses the entire breadth of a continuity TT&E program and not only includes developing a TT&E program, but also scenarios and documentation that the Board will use to conduct training and exercises as well as maintain the program. The SOA was released out for bid on September 26, 2014.

Develop a reconstitution plan. A reconstitution plan supports the restoration of full normal operations after a continuity event. IRP plans to begin development of a reconstitution plan in 2015 and is in the process of developing a schedule that will address reconstitution of leadership, staff, communications, and facilities. Additionally, IRP continuity staff who will be working on the Board's reconstitution planning will also take an online course on reconstitution offered through FEMA's Emergency Management Institute (EMI). The course is titled IS-545: Reconstitution Planning Course and IRP continuity staff will complete it during December 2014 and January 2015. IRP will train Board staff and develop templates, forms, and other tools that Reconstitution Team members can use throughout reconstitution plan development.

Develop a devolution plan. Devolution planning supports continuity planning by allowing the Board to continue essential functions if the organization's leadership and relocation team members are unavailable or incapable of performing their essential functions. FEMA expects devolution counterparts to have the capability to perform Primary Mission Essential Functions (PMEF) within 12 hours, and other essential functions within an acceptable recovery time. Because much of the decisions on devolution are based on validated PMEFs and MEFs, IRP has linked beginning this plan with completion of the MEF validation which is scheduled to be completed in January 2015. IRP has drafted and is currently coordinating a division COOP plan template that includes overview sections on both devolution and reconstitution that will begin laying a foundation for work that the Board will start in 2015. Additionally, IRP continuity staff who will be working on Board devolution planning will also take the IS-551: Devolution Planning course through FEMA's EMI in December 2014 and January 2015 in preparation for 2015 devolution planning. IRP will develop plan templates and other tools that they will use in meetings with Board divisions to complete individual division devolution plans, as well as a Board Devolution Plan. 

Recommendation 3

 In accordance with FCD-2, Federal Executive Branch MEF and Candidate PMEF Identification and Submission Process dated 2013, IRP has already begun the process to conduct a Business Process Analysis (BPA) and Business Impact Analysis (BIA). Developing a BPA is part of a linear process that first involves development of Division/Board MEF, second is development of the BPA for the MEF, and the third step is to conduct the BIA.

IRP began the MEF revalidation and identification process in April 2014. On April 22nd, IRP continuity and emergency preparedness staff participated in a one day training session on MEF and PMEF development, and received a primer on the BIA and BPA process. This training was taught by FEMA National Continuity Program (NCP) staff, and was tailored for the Board and conducted onsite. IRP discussed with FEMA NCP staff BIA and BPA training, and FEMA will return to conduct additional training after the Board has concluded the MEF process.

IRP discussed the MEF process with the divisions at the RRWG meeting on May 7, 2014 and reviewed a schedule to have one on one meetings with the divisions on the MEFs. As of August 22, 2014, IRP has conducted meetings with fourteen divisions and the COO, and is planning to meet with the remaining divisions on October 16, 2014. Prior to the meetings, IRP drafted a list of potential MEFs based upon a review of the divisions' most recent continuity plans as well as the mission and functions documents that they submitted during the 2015 budget planning process to the Division of Financial Management (DFM). IRP also walked each division through the MEF process to ensure that the divisions use a common set of criteria and definitions while reviewing and updating their MEF. 

IRP plans to complete the division MEF process around the end of November 2014, and complete the determination of Board MEFs in January 2015. IRP plans to have the additional training from FEMA on the BIA and BPA process in January 2015. IRP will begin meeting with divisions in February 2015 to develop the BPA for division MEFs, and will plan to complete the process in September 2015. In parallel to the MEF initiative with the divisions, IRP is also developing a Board threat and hazard document that the Board will use during the BIA process. IRP has scheduled completion of this document for the end of November 2014.

Recommendation 4

Completing this recommendation is linked to the Management Division's response to recommendations 2 and 3. The first step is developing a clear understanding of Board and divisions MEFs. This process is already underway. As part of the MEF development process and completing the MEF Data Sheet, divisions and the Board will identify the Recovery Time Objective for individual MEFs. Also, in another part of the BPA they will identify the resources, to include communications and information technology (IT) requirements, necessary to perform the MEFs; and will identify customers and resource suppliers for mission accomplishment. This information will be included in both the Board's Volume I COOP plan, as well as the Volume II Division continuity plans. IRP has also already had a conversation with the Division of IT about cross walking the results of the PMEF/MEF process with the systems that divisions have already identified as critical. IRP will be able to meet with IT to crosswalk the MEF, and upon completion of the BPA will be able to crosswalk the systems listed in the BPA to match them with IT's prioritization. IRP and IT can then work with the divisions to reconcile any discrepancies that are noted during the review. 

The audit provided three items for management to consider. These items along with the divisions' responses are given below. 

Consideration 1: Hotel Contracts Do Not Guarantee Room Availability

We suggest that the Director of the Management Division assess other approaches to ensuring that living accommodations for critical Board employees and their families who are required to relocate to the alternate work site will be available. 

Management Division's Response

The division has established contracts with approximately twenty hotel properties in the area of the relocation site to provide lodging for staff, their families and for the tenants, as needed. Since a hotel is a business, it is not possible to "guarantee" rooms for our staff, but the contracts provide a mechanism and assurance for the Board to secure any open rooms and others as they are vacated. Other agencies have tried to establish similar agreements over the years and the hotel properties have honored their relationships with the Board. 

There is no cost to the Board for these contracts. And in discussions with the hotel sales staff, they are confident that if a major emergency scenario occurs, resident guests would try to leave the properties as soon as possible. If the Board makes the decision to relocate to the alternative work site, designated IRP staff would then make calls to all of the hotel properties and secure all available rooms in preparation for the deployment of staff and their families. 

The division is not averse to researching other approaches to providing living arrangements for employees who are relocated to the alternative work site. In the near future, it will begin assessing residence alternatives for employees. 

Consideration 2: Board Divisions Do Not Use Specific Line Items or Accounting Codes to Track Board-Related COOP Costs 

Management Division and DFM's Response

In response to the observations made by the OIG in April 2014, the Directors of the Management Division and the DFM stated that they had separated the COOP and intelligence functions into discrete cost centers at the start of 2014. The Directors also expressed that they would work with the Division of IT to ensure that existing codes are used consistently and to determine whether additional tracking is warranted from a decision-making and/or cost analysis perspective. The divisions will continue to monitor the Board's progress to track COOP related costs during future audit work.

Consideration 3: The Board Has Not Analyzed Its Alternate Work Site Leasing Expenses or Rental Income From Subtenants 

We suggest that the Management Division and the DFM continue to analyze leasing expenses and rental income from subtenants against market rates to identify any potential cost savings. 

Management Division's Response

As noted in the April 2014 response memo to the OIG's observations, the division diligently oversees and administers its responsibilities for the contingency site's leases. This function includes determining on an annual basis which operating site assessments are passed onto tenants and charging requested services to the tenants. At this time, the division will not be conducting a market analysis on office rates in the area but will revisit this issue in the future. It will continue administering its lease duties and monitoring and reviewing expenses and rental income to ensure tenants are paying their fair share for their spaces and services.