Chapter 4
Auditing BCM in the Era of Operational Resilience
Intoduction
Business Continuity Management (BCM) has traditionally focused on ensuring that organisations can recover critical business functions following a disruptive event.
For many years, BCM programmes were built around identifying critical activities, establishing recovery objectives, developing recovery strategies, and maintaining continuity plans.
While these remain essential elements of organisational resilience, regulators and industry leaders increasingly recognise that traditional BCM alone may not provide sufficient assurance in today's highly interconnected and technology-dependent operating environment.
The emergence of Operational Resilience has fundamentally changed the way organisations view disruption management.
Rather than focusing solely on internal recovery capabilities, Operational Resilience emphasises the organisation's ability to continue delivering critical business services to customers, stakeholders, and the wider economy, even during severe disruptions.
Consequently, auditors must evolve their approach from auditing traditional BCM programmes to evaluating Operational Resilience capabilities. This chapter examines how auditors can assess Operational Resilience programmes and integrate resilience assurance into existing BCM audit frameworks.
Understanding Operational Resilience
What is Operational Resilience?
Operational Resilience refers to an organisation's ability to:
- Prevent disruptions where possible
- Adapt to changing conditions
- Respond effectively during disruption
- Recover critical services
- Learn and improve following incidents
The primary objective is to ensure the continued delivery of critical business services despite disruptions.
Operational Resilience extends beyond traditional BCM by focusing on customer outcomes, service continuity, and organisational adaptability.
Traditional BCM versus Operational Resilience
|
Traditional BCM |
Operational Resilience |
|
Focus on the recovery of business functions |
Focus on continuity of critical business services |
|
Recovery Time Objectives (RTOs) |
Impact Tolerances |
|
Department-centric |
Service-centric |
|
Plan-driven |
Outcome-driven |
|
Recovery capability |
Service continuity capability |
|
Internal focus |
Internal and external ecosystem focus |
|
Business continuity exercises |
Severe but plausible scenario testing |
Why Operational Resilience Matters
Several global events have accelerated regulatory focus on resilience:
- COVID-19 pandemic
- Major ransomware attacks
- Global cloud service outages
- Supply chain disruptions
- Geopolitical instability
- Digital transformation initiatives
These events demonstrated that organisations may possess recovery plans but still struggle to maintain critical services during prolonged disruptions.
Regulatory Drivers for Operational Resilience
Malaysia – Bank Negara Malaysia (BNM)
Financial institutions in Malaysia are increasingly expected to strengthen resilience through:
- Business Continuity Management
- Risk Management in Technology (RMiT)
- Operational Resilience Frameworks
- Third-Party Risk Management
Auditors should evaluate how BCM programmes support broader resilience objectives.
Global Regulatory Trends
Operational Resilience expectations are reflected in guidance from:
- Bank for International Settlements
- Basel Committee on Banking Supervision
- Financial Conduct Authority
- Prudential Regulation Authority
- Monetary Authority of Singapore
- Bangko Sentral ng Pilipinas
These frameworks consistently emphasise:
- Critical business services
- Dependency mapping
- Impact tolerance
- Scenario testing
- Board accountability
The Auditor's Expanded Role
Historically, auditors focused on reviewing:
- BCM policies
- BIA reports
- Recovery strategies
- Continuity plans
- Exercise reports
Today, auditors must also assess:
- Critical business service identification
- Service ownership
- Interdependencies
- Third-party resilience
- Impact tolerance validation
- Operational resilience governance
- Scenario testing effectiveness
The question has evolved from:
"Can the organisation recover?"
to
"Can the organisation continue delivering critical services throughout a disruption?"
Auditing Critical Business Services
What Are Critical Business Services?
Critical Business Services (CBS) are services whose disruption would result in:
- Significant customer harm
- Financial instability
- Regulatory breaches
- Reputational damage
- Systemic impact
Examples include:
Banking
- Deposit services
- Payment processing
- ATM services
- Digital banking
Telecommunications
- Network connectivity
- Voice services
- Data services
Healthcare
- Patient treatment
- Emergency care
- Medical records access
Audit Objectives
Determine whether:
- Critical services have been properly identified
- Service definitions are appropriate
- Service ownership is established
- Governance arrangements exist
Key Audit Questions
- How were critical services identified?
- What criteria were used?
- Has management approved the service inventory?
- Are customer impacts considered?
Common Audit Findings
Finding 1
Critical services are defined at a departmental rather than service level.
Finding 2
Customer impact assessments are incomplete.
Finding 3
Service ownership is unclear.
Auditing Impact Tolerance
What is Impact Tolerance?
Impact tolerance represents the maximum level of disruption an organisation is willing to tolerate before unacceptable harm occurs.
Unlike traditional RTOs, impact tolerances focus on customer and stakeholder outcomes.
Examples:
|
Critical Service |
Impact Tolerance |
|
Online Banking |
Maximum 4 hours of unavailability |
|
Payment Services |
Maximum 2 hours of disruption |
|
Securities Trading |
Maximum 30 minutes of disruption |
Audit Objectives
Determine whether:
- Impact tolerances have been defined
- Tolerances are evidence-based
- Management has approved tolerances
- Monitoring mechanisms exist
Key Audit Questions
- How were impact tolerances established?
- Are they linked to customer expectations?
- Are they measurable?
- Have they been tested?
Common Audit Findings
Finding 1
Impact tolerances are not formally approved.
Finding 2
Tolerances are based on assumptions rather than analysis.
Finding 3
No monitoring exists to measure tolerance breaches.
Auditing Dependency Mapping
Why Dependency Mapping Matters
Many disruptions occur not because a service fails directly, but because a supporting dependency fails.
Operational Resilience requires organisations to understand the dependencies that support critical services.
Categories of Dependencies
People
Examples:
- Key personnel
- Subject matter experts
- Vendors
Processes
Examples:
- Transaction processing
- Customer onboarding
- Payment workflows
Technology
Examples:
- Applications
- Networks
- Databases
- Cloud platforms
Information
Examples:
- Customer data
- Transaction data
- Regulatory records
Facilities
Examples:
- Offices
- Data centres
- Call centres
Third Parties
Examples:
- Cloud providers
- Outsourcing partners
- Telecommunications providers
Audit Objectives
Determine whether:
- Dependencies are identified
- Interconnections are documented
- Single points of failure are recognised
- Critical concentrations are understood
Key Audit Questions
- What resources support each critical service?
- Which dependencies are most critical?
- What happens if a dependency fails?
Common Audit Findings
Finding 1
Dependency mapping is incomplete.
Finding 2
Fourth-party dependencies are not assessed.
Finding 3
Single points of failure remain unresolved.
Auditing Scenario Testing
Moving Beyond Traditional Exercises
Traditional BCM exercises typically validate plans.
Operational Resilience scenario testing validates service continuity under extreme conditions.
Severe but Plausible Scenarios
Examples include:
Technology Scenarios
- Data centre failure
- Cloud outage
- Cyberattack
- Telecommunications disruption
Third-Party Scenarios
- Vendor insolvency
- Outsourcing failure
- Supply chain interruption
People Scenarios
- Pandemic outbreak
- Labour strike
- Key personnel loss
Physical Scenarios
- Flood
- Fire
- Power outage
Audit Objectives
Determine whether:
- Scenarios challenge organisational resilience
- Critical services are tested
- Impact tolerances are assessed
- Dependencies are stressed
Key Audit Questions
- Are scenarios sufficiently severe?
- Are multiple dependencies tested simultaneously?
- Were tolerance levels exceeded?
- What lessons were identified?
Common Audit Findings
Finding 1
Scenarios are unrealistic.
Finding 2
Exercises focus on individual departments rather than services.
Finding 3
Impact tolerances are not evaluated.
Auditing Operational Resilience Governance
Governance Expectations
Operational Resilience requires strong oversight.
Auditors should review:
Board Responsibilities
- Resilience strategy approval
- Impact tolerance approval
- Performance oversight
Senior Management Responsibilities
- Programme implementation
- Resource allocation
- Reporting
Operational Responsibilities
- Service ownership
- Scenario testing
- Continuous improvement
Key Audit Questions
- Does the Board understand resilience risks?
- Are resilience metrics reported?
- Are accountability structures effective?
Operational Resilience Audit Framework
|
Audit Domain |
Review Focus |
|
Governance |
Oversight and accountability |
|
Critical Business Services |
Identification and ownership |
|
Impact Tolerance |
Definition and validation |
|
Dependency Mapping |
Resource and service dependencies |
|
Scenario Testing |
Severe but plausible testing |
|
Third-Party Resilience |
External dependencies |
|
Technology Resilience |
Recovery and cyber capabilities |
|
Continuous Improvement |
Lessons learned and remediation |
Future Challenges for Auditors
Operational Resilience continues to evolve.
Emerging audit considerations include:
Artificial Intelligence Dependencies
- AI-driven decision-making
- AI platform outages
- Model failures
Cloud Concentration Risk
- Reliance on major cloud providers
- Geographic concentration
Digital Ecosystems
- API dependencies
- Fintech partnerships
- Shared infrastructure
Cyber Resilience
- Ransomware recovery
- Data integrity validation
- Technology restoration
Auditors must continually adapt to evaluate these evolving risks.
Operational Resilience represents the next evolution of organisational resilience. While BCM remains an essential foundation, regulators and stakeholders increasingly expect organisations to demonstrate their ability to continue delivering critical services during severe disruptions.
Auditors, therefore, play a critical role in providing assurance that resilience capabilities are not merely documented but are operational, measurable, and effective.
This requires evaluating critical business services, impact tolerances, dependency mapping, scenario testing, governance arrangements, and continuous improvement processes.
The future of resilience auditing lies not in verifying the existence of plans but in assessing whether the organisation can successfully maintain critical services and protect customers, stakeholders, and the broader economy when disruption occurs.
The key audit question becomes:
"Can the organisation continue delivering its critical business services within acceptable impact tolerances when confronted with severe but plausible disruptions?"
More Information About Auditing BCMS Courses
BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
Click to View 5000-Level or 300-Level Catalogue. What Expert- and Intermediate-level Learning Courses are Available? | ![]() |





![[ISACA] [BCM] [A] [C0] Auditing Business Continuity Management in the Digital Resilience Era: From Compliance Verification to Resilience Assurance](https://no-cache.hubspot.com/cta/default/3893111/979a36e3-30ae-4b10-881d-b1d0898c22d9.png)
![[ISACA] [BCM] [A] [C1] The Changing Role of Business Continuity Management Audits](https://no-cache.hubspot.com/cta/default/3893111/97be4863-e3dc-497d-b3f8-dfe8037feee3.png)
![[ISACA] [BCM] [A] [C2] Auditing the Business Continuity Management Lifecycle](https://no-cache.hubspot.com/cta/default/3893111/777ba2bc-42b8-42e1-8bb9-131f87090e44.png)
![[ISACA] [BCM] [A] [C3] Auditing Testing and Exercising Programmes](https://no-cache.hubspot.com/cta/default/3893111/74c1d537-f600-40e8-a55b-b2cac285b3fe.png)

![[ISACA] [BCM] [A] [C4] Auditing BCM in the Era of Operational Resilience](https://no-cache.hubspot.com/cta/default/3893111/46eddab1-feab-4157-8ea1-5bafff066470.png)
![[ISACA] [BCM] [A] [C5] Cyber Resilience and BCM Auditing](https://no-cache.hubspot.com/cta/default/3893111/fbeeeecb-d028-4231-bcfb-b1abefa991c8.png)
![x [ISACA] [BCM] [A] [C6] The Future of BCM Auditing](https://no-cache.hubspot.com/cta/default/3893111/86101242-1ae6-46c8-b6c0-054d3866803e.png)

![TMM [BL-A-5]](https://no-cache.hubspot.com/cta/default/3893111/e7af9322-15cb-412d-91b6-59cd388ee6e9.png)
![Register [BL-A-5]](https://no-cache.hubspot.com/cta/default/3893111/bb38417e-6241-4057-b90c-f319f31a494e.png)





![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)


![Banner [BL-5-Catalog] What Expert Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/0af5fc88-8985-4a94-a49f-de0becdde9e5.png)
![[BL-3-Catalog] What Specialist Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/2c380bfc-13aa-46a5-adcc-4ced87465acd.png)

