The URL can be used to link to this page

Home My WebLink About2223-6 Continuity of Operations Plans (Final 6-7-23)22/23-6 Continuity of operations plans assessment June 2023 County continuity of operations plans – initial assessment To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@deschutes.org Deschutes County, Oregon The Office of County Internal Audit David Givans, CPA, CIA – County Internal Auditor Aaron Kay – Performance Auditor internal.audit@deschutes.org Audit committee: Daryl Parrish, Chair - Public member Jodi Burch – Public member Joe Healy - Public member Scott Reich - Public member Summer Sears – Public member Stan Turel - Public member Patti Adair, County Commissioner Charles Fadeley, Justice of the Peace Lee Randall, Facilities Director Take survey by clicking HERE Recommendations 6 22/23-6 Continuity of operations plans assessment June 2023 TABLE OF CONTENTS: 1. INTRODUCTION ..................................................................................................................................................................1 1.1. BACKGROUND ON CONTINUITY OF OPERATIONS PLANNING ............................................................................................ 1 1.2. BACKGROUND ON CONTINUITY OF OPERATIONS PLAN ASSESSMENTS ............................................................................ 3 2. FINDINGS AND OBSERVATIONS.........................................................................................................................................6 2.1. INITIAL ASSESSMENT – COUNTY OVERALL ............................................................................................................................. 7 2.2. INITIAL ASSESSMENT – MATURITY .......................................................................................................................................... 8 2.3. INITIAL ASSESSMENT – POETE ELEMENTS .............................................................................................................................. 8 County COOP Planning ................................................................................................................................................................... 8 County COOP Organizing ............................................................................................................................................................. 12 County COOP Equipping ............................................................................................................................................................... 13 County COOP Training .................................................................................................................................................................. 13 County COOP Exercising ............................................................................................................................................................... 14 3. MANAGEMENT RESPONSES ............................................................................................................................................. 16 County Administration .................................................................................................................................................................. 16 Sheriff’s Office ................................................................................................................................................................................ 18 Department of Solid Waste .......................................................................................................................................................... 20 APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................................................................... 22 I. OBJECTIVES AND SCOPE .......................................................................................................................................................... 22 II. METHODOLOGY ..................................................................................................................................................................... 23 APPENDIX B: GLOSSARY OF TERMS ........................................................................................................................................ 24 APPENDIX C: REFERENCE MATERIALS .................................................................................................................................... 24 22/23-6 Continuity of operations plans assessment June 2023 HIGHLIGHTS Why this audit was performed: To provide an evaluation of the County’s continuity of operations plans. What was recommended: Recommendations include: • determining whether the new COOP software system will meet the requirements of the County or consider alternatives; • directing staff to complete COOP planning areas not captured in the current COOP software system; • re-establishing regular COOP planning meetings; • expanding activation scenarios; • establishing a COOP training program; and • conducting regular COOP exercises. Continuity of operations plans – initial assessment The focus of the audit is to provide an initial assessment of the County’s continuity of operations (COOP) plans to meet acceptable levels of service delivery and essential functions following a disruption when compared to industry best practices. What was found The assessment score of 4.9 out of ten indicates moderate progress towards creating a comprehensive COOP plan. The County has taken significant steps to establish COOP plans, identify essential functions, and consider critical operational capacities. Planning efforts were hindered because of the use of the State-contracted software system to guide individual office/department COOP development. The system contained conflicting directions and limited user options, so several aspects of planning were absent or insufficiently developed. The State is currently transitioning to a new software system provider, but the details of the system capabilities are unknown. During the COVID-19 pandemic and its subsequent disruptions the County successfully applied some planned COOP strategies, such as remote work, yielding a more agile work environment. However, County COOP plans were not formally activated as guidance to navigate the pandemic largely due to the absence of pandemics in the activation scenarios and lack of overall staff awareness. Continuous improvement of the County’s COOP plans was hampered by the pandemic as it impacted regular evaluations and planned exercises. Assessments found a consistent need for additional COOP training to effectively increase staff awareness and understanding of the plans. The Office of County Internal Audit 22/23-6 Continuity of operations plans assessment June 2023 Page 1 1. Introduction Audit Authority: The Deschutes County Audit Committee authorized the assessment of County continuity of operations plans in the Internal Audit Program Work Plan for 2022-2023. Audit objectives, scope, and methodology can be found in Appendix A. 1.1. BACKGROUND ON CONTINUITY OF OPERATIONS PLANNING Figure I A disruptive event has the potential to affect all essential functions of government that support the community. Source: FEMA 2018 Continuity Guidance Circular The County provides many essential service functions for public safety, infrastructure, healthcare, and leadership. A continuity of operations (COOP) plan ensures those essential functions (EFs) can continue during a disruption to normal operations. The plan identifies and prioritizes EFs that cannot be delayed. The primary objectives of a COOP plan are to limit downtime during a disruption, protect personnel in the event of an emergency, and restore EFs following an incident. Not every activity of the organization needs to have a COOP plan. Disruptive events can range from snowstorms, to cyberattacks, to supply chain failures, and can last from hours to months. These events are difficult to predict and often happen parallel to a larger 22/23-6 Continuity of operations plans assessment June 2023 Page 2 Figure II Cyclical representation of the four phases of emergency management 1 emergency event. A COOP plan is part of an emergency management system, including other emergency preparedness efforts like an Emergency Operations Plan, Building Evacuation Plan, and Information Technology Disaster Recovery Plan. All four phases of emergency management are represented in a COOP plan. The creation of the plan focuses on preparation in case of disruptions; while its procedures direct a functional response; anticipate recovery of operations; and employ mitigation efforts to safeguard lives and resources. Governmental responsibility for emergency preparation and response is placed at the local level by State statute ORS 401.032 (2). Deschutes County Sheriff’s Office Emergency Services Unit (DCSO-ESU) is responsible for coordinated planning of the components of an overall emergency management system, including COOP coordination, for the County. In 2016, Deschutes County participated in the Cascadia Rising multi-state exercise to evaluate emergency management response to a 9.0 magnitude earthquake. The exercise identified critical gaps in preparedness at all levels of government to provide EFs following a disaster. To address this gap, the State of Oregon contracted with a COOP software provider to create the website, OregonCOOP.com. This software system provides guidance for COOP plan development and includes a common repository of all State and local agencies' COOP plans, enabling coordinated efforts during a large-scale disaster. In 2017, Deschutes County initiated efforts to establish COOP plans for identified essential functions. With coordination and support provided by DCSO-ESU, each office or department was tasked with the construction of their plans using OregonCOOP.com’s guidance. 1 “Effective training improves disaster response” – J. Hunter Adams Jan. 2022 22/23-6 Continuity of operations plans assessment June 2023 Page 3 1.2. BACKGROUND ON CONTINUITY OF OPERATIONS PLAN ASSESSMENTS Table I Progressive Assessment System Source: FEMA Continuity Assessment Tool The Federal Emergency Management Agency (FEMA) publishes a continuity guidance circular which defines best practices for establishing and sustaining COOP plans 2. FEMA builds upon its experiences from national emergency response to design a capability-based approach to preparedness and resiliency. To assist organizations, FEMA provides an assessment tool of COOP plans using a 10-point scoring system to identify areas of strength and areas of improvement. With support from DCSO-ESU, Internal Audit chose FEMA’s Continuity Assessment Tool for non-federal organizations to evaluate the current state of the County’s COOP plans. The tool provides a consistent basis for evaluation of each COOP plan on a continuum measuring progress towards a comprehensive COOP plan. The conditional color scale used by the FEMA tool will be referenced throughout the report, although there are some known accessibility issues with red-green color scales. Alternate formats of this report are available on request. Each COOP plan is evaluated for maturity, along with five strategic elements known as POETE: planning, organizing, equipping, training, and exercising. With this format, overall progress towards a comprehensive plan can be observed, as well as progress towards the individual POETE elements. 2 FEMA National Continuity Programs - 2018 Continuity Guidance Circular 22/23-6 Continuity of operations plans assessment June 2023 Page 4 Figure III COOP plan maturation process Figure IV POETE Cycle of Improvement Maturity Maturity typically refers to the different stages of development an organization goes through to establish and maintain a COOP plan. • Initiating a plan Initiation involves creating a strategy supported by leadership; establishing a COOP planning team with defined roles and responsibilities; developing plan timelines and goals; and identifying preliminary budget and resource requirements. These activities form the foundation of a well-crafted plan. • Building capability Preparing for disruptions begins with identification of EFs and the procedures used to carry them out; assessing the risks of potential threats and hazards to the EFs; identifying mitigating options to address the risks; and recognizing dependencies supporting the EF (i.e., people, technology). • Maintaining capability Regular plan maintenance helps assure plan completeness through testing, training, and exercise. Corrective action programs following these activities evaluate the success of the plan in delivering EFs. POETE Elements The elements are presented sequentially, but one can also view them as circular as seen in Figure IV, addressing the constantly evolving risk environment through continuous assessment and improvement. • Planning COOP planning describes of the development, review, Planning Organizing EquippingTraining Exercising Planning 22/23-6 Continuity of operations plans assessment June 2023 Page 5 Planning and revision of plans that include: o Business Process Analysis (BPA) – identifies EFs and details the resources needed to perform them during normal operations through a nine-step process 3. Resources are assets and services that support the EFs, i.e., internet access, office supplies, and vehicles. o Risk Assessment – identifies the most likely threats and hazards to the organization which can cause a disruption. o Business Impact Analysis (BIA) – measures the impact of identified risks on the EFs and develops strategies to mitigate the risks. o Communication Strategies – ensure effective communication of operating status and instructions to the public; County personnel for their safety; and positioning staff where they are most needed. o Succession and Delegation of Authority – maintains continuity of leadership during an emergency, where individuals in leadership or management roles may be unable to perform their duties. o Community Preparedness – includes guidance for home preparedness planning as a disruptive event may impact staff personally. o Essential Records – identify the legal and operational information needed for EFs and employ safeguards against information loss. o Recovery Plans – detail a return to normal operations after a disruption has ended. o Performance Metrics – measure the COOP plan’s success in meeting the management expectations to recover EFs. • Organizing COOP organization includes clearly defined roles and responsibilities for continuity staff; support and participation from leadership; point-of-contact rosters; regular review and revision of COOP plans; and documentation of improvements observed during testing, training, or real- world activities. 3 FEMA National Continuity Programs BPA/BIA User Guide https://www.fema.gov/sites/default/files/2020-07/fema_BPA-BIA-Users-Guide_070119.pdf Organizing 22/23-6 Continuity of operations plans assessment June 2023 Page 6 • Equipping COOP equipping involves acquiring resources needed to perform EFs and limit downtime, which could include system back-ups, either manual or electronic. Alternatively, the organization may choose to have available budgeted funds for acquisition in case of disruption, but this strategy comes with increased risk and is dependent upon activation of the COOP plan. • Training Training for the COOP covers all maturity stages, starting with training for the assigned planners when they begin development of the plan. This is followed by expanded training to provide awareness of the plan to all staff to build capacity, so they are prepared to act quickly during an activation of the COOP. Finally, regular internal and external trainings integrating other COOP plans are carried out. • Exercising Regular testing of readiness and preparedness activities through exercises, along with evaluating the effectiveness of these exercises, guides further development of the COOP plans. Evaluations can be made from stand-alone tabletops scenarios, full-scale exercises, or real- world events. 2. Findings and Observations The audit included limited procedures to understand the systems of internal controls associated with COOP plan implementation. No significant deficiencies were found in this audit. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. The findings noted were primarily compliance and efficiency matters. Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures, and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure, or transaction. Accordingly, the Exercising Equipping Training 22/23-6 Continuity of operations plans assessment June 2023 Page 7 opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and does not replace efforts needed to design an effective system of internal control. Management has responsibility for the system of internal controls, including monitoring internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. Internal controls provide reasonable but not absolute assurance that an organization’s goals and objectives will be achieved. 2.1. INITIAL ASSESSMENT – COUNTY OVERALL County Progress Score Deschutes County has established eighteen (18) COOP plans for EFs and the supporting annex documents. Annexes contain supplemental information of specific resources, contacts, and details for each plan. Most plans were finalized in late 2019 or early 2020. Overall, the County’s COOP progress score was 4.9 out of 10. The assessment calculated the progress score by weighting the overall FEMA tool score of each office or department by their budgetary requirements. This approach more accurately reflects the size and complexity of the essential services provided when aggregated. The score reflects moderate progress towards supporting the performance of the County’s EFs during a disruption. The County’s capability to sustain EFs during a disruption are not reflected by the scoring of the documented COOP plans. The following offices or departments have COOP plans (matrix sorted by budgetary requirements): • Sheriff’s Office • Health Services • Road • 9-1-1 • Community Justice • Solid Waste • Community Development • Office of the District Attorney • Assessor’s Office • Facilities • Fair and Expo Center • Information Technology 4.9 22/23-6 Continuity of operations plans assessment June 2023 Page 8 Graph I Distribution of Deschutes County office/ department progress scores • Finance/Tax • Clerk’s Office • Human Resources • Justice Court • Administration (including Board of County Commissioners, Legal Counsel, Risk Management, Natural Resources, and Communications) • Veteran’s Services 2.2. INITIAL ASSESSMENT – MATURITY County maturity progress scores: Separating the overall progress score into the County’s stage of maturity provides a clearer representation of COOP development. The County has made significant efforts to create COOP plans, identify EFs, and consider critical operational capacities. However, the maintenance of the plans was suspended as the County navigated through the ever-changing and unique crisis of the COVID-19 pandemic. Initiating Building Maintaining 2.3. INITIAL ASSESSMENT – POETE ELEMENTS County COOP Planning The County planning score was positively impacted by support from leadership, efforts undertaken to create the COOP plans, and well-documented procedures to activate the COOP as well as return to normal operations. The score shows moderate progress towards planning for a continuity event. 5.7 5.6 3.5 County Progress Score 4.9 22/23-6 Continuity of operations plans assessment June 2023 Page 9 County Planning Score The State contracted software system limited the effectiveness of COOP planning. The OregonCOOP.com software system and guidance hindered the County’s COOP plan development. The software’s conflicting direction and system limitations were noted in the following areas: • directed users on minimum standards for risk assessment, but lacked any area for risk assessment information; • directed users on minimum standards for business impact analysis (BIA), but lacked any area for BIA information; • blended essential records and resources into a single annex, directing users to combine items such as manuals (record) with internet services (resource); and • restricted office/department level business process analysis (BPA) to dropdown menus that were unable to capture the breadth of EFs provided by the County. According to FEMA, a comprehensive COOP plan should be scalable, flexible, and adaptable, with key planning areas including risk assessments, mitigation strategies, essential records, and resources. A COOP plan that is not comprehensive can leave an organization vulnerable to various risks, including extended downtime, misallocated resources, or an inability to perform essential functions. DCSO-ESU has spent time addressing some of the systematic issues with the current software to increase its usability. Without proper evaluation of the software, the County could continue to invest time and effort into a COOP system which has weaknesses undermining the efforts to develop effective COOP plans. The impact of the website on planning can be seen in the Clerk’s Office, which has a statutory requirement, ORS 254.074, to establish continuity plans for elections. Despite having a well- 4.5 22/23-6 Continuity of operations plans assessment June 2023 Page 10 Table II Comparison of planning areas in the Clerk’s Office Business Continuity Plan to the COOP plan from OregonCOOP.co m including a planning assessment. developed “Business Continuity Plan” meeting the statutory requirement, the continuity planning areas outlined in the plan did not transfer to their COOP plan due to the software limitations, as shown on Table II. Legend: - Not In Plan - In Plan - Partly In Plan OregonCOOP.com Continuity Plan User Guide provided insufficient guidance on developing a comprehensive plan, leaving planners with little direction towards best practices. Instruction for how to create, update, and report COOP plans on the website states “This is only an introduction to plan development; something to get you started.” Although DCSO-ESU recognized some deficiencies and simplified the base COOP plan, the system's limited flexibility and insufficient guidance still impacted the detail of the COOP plans and the associated annexes. In July 2023, the State will transition to a new COOP software system provider. As of the issuance of this report, it is unclear whether the new COOP software system will more successfully address the needs for documenting COOP plans. DCSO-ESU has not been invited to provide input into the development of the software; received any training; or been asked to participate in any software launch events despite repeated requests. It is recommended the County determine whether the capabilities of the new COOP software system meet their requirements or explore other viable alternatives. The Clerks COOP planning score was impacted 25% by the software. Assessed Planning Score Plan Business Process Analysis Risk Assessment Business Impact Analysis Communication Strategies Essential Records Recovery Performance Metrics 6.6 Business Continuity 4.1 OregonCOOP.com Critical Planning Areas 22/23-6 Continuity of operations plans assessment June 2023 Page 11 County COOP planning requires additional work. The planning aspects of all County COOP plans were either absent or insufficiently developed in the following areas: • BPA was partially completed identifying EFs and leadership required, but lacked staff identification, dependencies, and process description; • BIA was absent; • risk assessments were absent; • other emergency management plans were not included; • the definition of roles and responsibilities for all County staff is unclear; • no noted process to account for all staff; and • missing an acknowledgement of disabilities (both visible and hidden) and reasonable accommodation/accessibility at alternate facilities, if requested. The BPA serves as the foundational cornerstone upon which all other components of a COOP plan are constructed. FEMA’s BPA/BIA User Guide3 outlines a nine-step BPA process supporting the development of detailed EF documentation. It is important to use risk management principles to identify and evaluate potential impacts resulting from disruptive events during all stages of COOP planning. By doing so, it is possible to create a resilient plan that can withstand various risks and limit downtime following a disruption. A poorly planned COOP may lead to gaps in preparedness, leaving the organization vulnerable to failing to meet acceptable levels of service during a disruption. Without a robust and well- planned COOP, the County may not have the necessary resources and procedures in place to ensure continuity of EFs. OregonCOOP.com was responsible for some of the missing critical planning development areas. Although DCSO-ESU coordinated COOP planning efforts, the COOP plan development was left to planners in each office/department who may lack the extensive knowledge, 22/23-6 Continuity of operations plans assessment June 2023 Page 12 County Organizing Score experience, and expertise in developing a COOP plan. It is recommended the County direct staff to complete comprehensive COOP planning documentation with the support of DCSO-ESU. County COOP Organizing The County COOP plans demonstrate a strength in organization, as they have made substantial progress highlighted by the FEMA tool score. Office and departmental level support for the COOP plans, along with continuously updated personnel rosters, have contributed to this progress. County Human Resources and DCSO-ESU established a process to ensure staffing changes are communicated effectively. This was evidenced by COOP plan rosters that were less than 5% out of sync with current employees. Beyond personnel roster updates, most County COOP plans are out of date. Since they were finalized over three years ago, seventeen of the eighteen COOP plans have not been revised in any area other than personnel rosters. The Sheriff’s Office annual revisions have occurred on schedule. COOP planning teams are responsible for the ongoing maintenance of the plans. All eighteen of the County COOP plans have an annual review schedule. FEMA urges organizations to periodically review and revise their COOP plan. Changes in leadership, communication tools, or EFs are constantly occurring. Without periodic review and revision, incorrect information may lead to inefficiencies in delivering EFs, lack of succession awareness, or misallocated resources. The COVID-19 pandemic caused offices/departments to shift resources during the crisis, and although some offices/departments continued to hold regular COOP planning meetings, 7.5 22/23-6 Continuity of operations plans assessment June 2023 Page 13 County Equipping Score County Training Score others did not prioritize them during the pandemic. It is recommended the County re-establish regular COOP planning meetings to review and revise COOP plans. County COOP Equipping The County has successfully acquired many of the necessary resources to continue essential functions. The pandemic restrictions accelerated the acquisition of laptops to accommodate remote work options, which is one mitigating strategy in BIA. County COOP Training Ongoing education and training can improve organizational competence for COOP plans countywide. Currently, one DCSO-ESU staff member is working towards obtaining a FEMA Level I Continuity Practitioner certificate to improve their expertise in this area and offer support to County offices/departments. The pandemic was a missed opportunity to utilize County COOP plans. The County did not formally activate any of the eighteen COOP plans as guidance for navigating the disruption caused by the COVID-19 pandemic. Some plan elements were used as a management framework to react to unexpected conditions, but most staff remained unaware of established COOP plans and strategies. FEMA’s guidelines for COOP activation prioritize the safety of personnel, interruption of EFs, and determination of the appropriateness of a COOP response. COOP activation scenarios should be broad enough to provide direction for all potential disruptive events. Lack of organizational preparedness and unclear expectations for COOP plan activation could 3.2 8.2 22/23-6 Continuity of operations plans assessment June 2023 Page 14 County Exercising Score cause delays, errors, or inefficiencies in providing EFs. The County COOP plans did not include pandemics as an activation scenario, which indicates an oversight in planning. This gap in preparedness was compounded by a lack of overall awareness among staff, many of whom were not involved in establishing the plans. However, the County was able to maintain service delivery in the evolving pandemic environment by implementing several solutions, including remote work and home dispatching. These measures have proven to be successful and continue to be used today, highlighting the importance of flexibility and adaptation in times of crisis. It is recommended the County review and update its COOP activation scenarios to include pandemics and other potential crises. It is recommended the County establish a COOP training program for all personnel. This could include awareness training during onboarding for all new staff, as well as informational tools on the County intranet for existing employees. County COOP Exercising Exercises provide a low-risk environment to assess capabilities, test COOP plans, and increase organizational preparedness by identifying areas of improvement. Identified improvements can then aid in revising plans to address the constantly evolving County EFs. Regular COOP exercises are needed to strengthen COOP plans. The County canceled a planned all-office/department tabletop exercise in April 2020 and did not reschedule it. Although the pandemic provided a real-world event to improve preparedness efforts, since finalizing COOP plans in early 2020, stand-alone exercises have occurred only once in each office/department,. Table III illustrates the impact of the canceled 2.6 22/23-6 Continuity of operations plans assessment June 2023 Page 15 Table III Missed Exercise Assessment exercise on the County’s exercising assessment score. FEMA promotes using exercises as an opportunity to improve preparedness and validate the organization’s strategy. Weaknesses identified during exercises can be used to reinforce or refine current plans. Regular COOP exercises are critical to maintaining the effectiveness and efficiency of plans during a disruption. Without testing and refining the plans, they are mere ideas and concepts that may not be effective when they are needed most. Failure to exercise the plans can result in critical gaps in preparedness, leaving the organization vulnerable to service disruptions. DCSO-ESU had organized the countywide tabletop exercise, but it was canceled due to social distancing requirements to prevent the spread of COVID-19. Social distancing requirements persisted until the summer of 2021; other restrictions were lifted in April 2022. As noted under County COOP Organizing, any improvements noted during the pandemic have not been documented within most County COOP plans through the annual planning review and revision process. It is recommended the County conduct regular COOP exercises and make necessary improvements identified as weaknesses. County COOP Exercising score was reduced significantly from one canceled exercise. Assessed Exercising Score 4.6 With Exercise 2.6 Without Exercise 22/23-6 Continuity of operations plans assessment June 2023 Page 16 3. MANAGEMENT RESPONSES County Administration Nick Lelack, County Administrator To: David Givans, County Internal Auditor From: Nick Lelack, County Administrator Subject: Response to County Continuity of Operations Plans (COOP) Initial Assessment ______________________________________________________________________________________________________ Thank you for the detailed review of the County’s continuity of operations plans (COOP). We recognize the importance of COOP planning and will continue to support this and other elements of our emergency management system in partnership with the Deschutes County Sheriff’s Office Emergency Services Unit. Please see Administration’s responses to specific findings below: 1. It is recommended the County determine whether the capabilities of the new COOP software system meet their requirements or explore other viable alternatives. Administration will defer to the expertise of DCSO Emergency Services in coordination with County departments and offices. 2. It is recommended the County direct staff to complete comprehensive COOP planning documentation with the support of DCSO-ESU. Administration will continue to communicate about and support COOP activities and planning. Participation for offices led by elected officials will continue to be at the discretion of those elected COUNTY ADMINISTRATOR NICK LELACK 22/23-6 Continuity of operations plans assessment June 2023 Page 17 County Administration (continued) officials. 3. It is recommended the County re-establish regular COOP planning meetings to review and revise COOP plans. Administration is supportive of re-establishing regular COOP planning meetings. Administration will coordinate with DCSO Emergency Services to discuss how Administration can support these County-wide efforts. 4. It is recommended the County review and update its COOP activation scenarios to include pandemics and other potential crises. Administration will defer to the expertise of the DCSO Emergency Services on activation scenarios included in the COOP plan. Based on preliminary discussions, this may include broader language such as “any event that impacts people, infrastructure locations or vital records.” 5. It is recommended the County establish a COOP training program for all personnel. Administration will request that departments and offices highlight their COOP plans and processes annually with staff. 6. It is recommended the County conduct regular COOP exercises and make necessary improvements identified as weaknesses. Administration will continue to coordinate with DSCO Emergency Services on future COOP exercises. 22/23-6 Continuity of operations plans assessment June 2023 Page 18 Sheriff’s Office Captain Paul Garrison To: Aaron Kay, Performance Auditor From: Captain Paul Garrison Subject: Management’s response to Audit report 1. It is recommended the County determine whether the capabilities of the new COOP software system meet their requirements or explore other viable alternatives. At the present time, DCSO Emergency Management’s assessment is that the previous system was outdated and the replacement software still requires vetting and evaluation to determine if it is a valid option to meet the needs. Furthermore, DCSO Emergency Management believes and supports that the other offices and departments within Deschutes County individually evaluate, on a user basis, to determine if their specific needs are being met. 2. It is recommended the County direct staff to complete comprehensive COOP planning documentation with the support of DCSO-ESU. DCSO Emergency Management in cooperation with County Administration will continue communicating and supporting COOP activities and planning. 3. It is recommended the County re-establish regular COOP planning meetings to review and revise COOP plans. 22/23-6 Continuity of operations plans assessment June 2023 Page 19 Sheriff’s Office (continued) DCSO Emergency Management is willing to partner with County Administration to re-establish regular COOP planning meetings. Additionally, DCSO Emergency Management recommends that each County office and department identify their COOP Planners to further facilitate this process. 4. It is recommended the County review and update its COOP activation scenarios to include pandemics and other potential crises. DCSO Emergency Management, in cooperation with the County offices and departments, is willing to facilitate, plan and coordinate regular scenarios, to include those of a pandemic nature, in order to vet the current processes included in the COOP. 5. It is recommended the County establish a COOP training program for all personnel. DCSO Emergency Management will coordinate with the DCSO Training Unit to provide the COOP plan and processes annually with DCSO staff. 6. It is recommended the County conduct regular COOP exercises and make necessary improvements identified as weaknesses. As previously mentioned DCSO Emergency Management will cooperatively work with County Administration to regularly conduct training on the COOP in order to ensure that current practices are appropriate and efficient to deliver services when the COOP is employed. 22/23-6 Continuity of operations plans assessment June 2023 Page 20 Department of Solid Waste Chad Centola, Director To: Aaron Kay From: Chad Centola Subject: Solid Waste Department Response to the County continuity of operations plans – initial assessment report #22/23-6 Recommendation #1 - It is recommended the County determine whether the capabilities of the new COOP software system meet their requirements or explore other viable alternatives. Management agrees. There was a bit of a learning curve to developing Solid Waste's COOP and some of it was by trial and error. Credit to Ashley Volz for providing training and guidance. The structure of the COOP made it difficult to include items that we had in our emergency response and contingency plans. Recommendation #2 - It is recommended the County direct staff to complete comprehensive COOP planning documentation with the support of DCSO-ESU. Management agrees. Recommendation #3 - It is recommended the County re-establish regular COOP planning meetings to review and revise COOP plans. Management agrees. There has been no need to update Solid Waste’s COOP since created other than staff. Operations and facilities are as they were three years ago. Department of Solid Waste 22/23-6 Continuity of operations plans assessment June 2023 Page 21 Department of Solid Waste (continued) Recommendation #4 - It is recommended the County review and update its COOP activation scenarios to include pandemics and other potential crises. Management agrees. Solid Waste did not have any staffing impacts during the pandemic. There were staff that contracted Covid and a few quarantine situations. While the COOP did not address pandemics specifically, our COOP did address sequentially closing of sites with staffing shortages, which we would have followed if warranted. Recommendation #5 - It is recommended the County establish a COOP training program for all personnel. This could include awareness training during onboarding for all new staff, as well as informational tools on the County intranet for existing employees. Management agrees. Something during onboarding is a good idea. Recommendation #6 - It is recommended the County conduct regular COOP exercises and make necessary improvements identified as weaknesses. Management agrees. 22/23-6 Continuity of operations plans assessment June 2023 Page 22 Appendix A: Objective, Scope, and Methodology The Office of County Internal Audit was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement. “Audit objectives” define the goals of the audit. i. OBJECTIVES and SCOPE Objectives included: 1. Assess and evaluate County continuity of operations plans against best practices outlined in FEMA’s Continuity Guidance Circular. 2. Be aware of any opportunities providing increased effectiveness, efficiency, or equity. 3. Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable. Scope and timing: The overall assessment work commenced in January and ran through March 2023. The assessment included County COOP plans in place as of January 2023 for departments, offices, or functions whom management identified as essential. The evaluation used the Federal Emergency Management Agency (FEMA) assessment tool. This tool provides an assessment of an existing COOP plan against the concepts to develop and maintain a successful COOP plan outlined by FEMA’s Continuity Guidance Circular. The assessment relies on interviews and guidance provided by the Deschutes County Sheriff’s Office Emergency Services Unit staff and County office/departmental staff. The audit scope excludes the County’s risk appetite. The County may choose not to fully implement best practices if they determine the cost of doing so outweighs the risk. The assessment included limited procedures to understand the system of internal controls associated with COOP plan implementation. 22/23-6 Continuity of operations plans assessment June 2023 Page 23 This report does not contain any information considered confidential. The report considered the risks posed by publicly releasing any information related to continuity of operations planning. In accordance with ORS 192.345 (23) and generally accepted government auditing standards, the report may exclude some details of the assessment from this public report and provide them confidentially to County management. ii. METHODOLOGY “Audit procedures are created to address the audit objectives.” Audit procedures included: • Interviews of selected departmental management and staff. • Assess the written COOP plans of departments, offices, and functions in place. o Utilize FEMA’s continuity assessment tool to aggregate each COOP assessment, as well as the County as a whole. • Support and coordination of assessment with Deschutes County Sheriff’s Office Emergency Services Unit. • Analyze and present continuity assessment information. • Other procedures deemed necessary. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.) 22/23-6 Continuity of operations plans assessment June 2023 Page 24 Appendix B: Glossary of Terms Acronym or abbreviated name Meaning or Full Name BIA Business Impact Analysis BPA Business Process Analysis COOP Continuity of Operations DCSO-ESU Deschutes County Sheriff’s Office Emergency Services Unit EFs Essential Functions FEMA Federal Emergency Management Agency IT Information Technology ORS Oregon Revised Statute POETE Planning, Organization, Equipment, Training, and Exercise Appendix C: Reference Materials The following links provided contain some source materials on best practices for continuity of operations plans. They are provided here to assist in further development of the County’s COOP plans and exploration of the topic. Links can be provided upon request by contacting the Office of County Internal Audit. FEMA Information: Continuity Guidance Circular COOP Brochure Continuity Essential Records Management Continuity Assessment Tool 22/23-6 Continuity of operations plans assessment June 2023 Page 25 Oregon Emergency Management Information: Deschutes County Information: {End of Report} Guide to Continuity of Government Guide to Continuity Program Management BPA/BIA User Guide Continuity Plan Template and Instructions State of Oregon Comprehensive Emergency Management Plan Deschutes County Emergency Operations Plan Deschutes County Natural Hazards Mitigation Plan Deschutes County Sheriff’s Office Ready Preparedness Plan Deschutes County Sheriff’s Office 72 Hour Kit 22/23-6 Continuity of operations plans assessment June 2023 Page 26 Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/r/2223-6 If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.