eBook Audit

[ISACA] [BCM] [A] [C4] Auditing BCM in the Era of Operational Resilience

Written by Moh Heng Goh | Jun 21, 2026 5:55:12 AM

Chapter 4

Auditing BCM in the Era of Operational Resilience

 

Intoduction

Business Continuity Management (BCM) has traditionally focused on ensuring that organisations can recover critical business functions following a disruptive event.

For many years, BCM programmes were built around identifying critical activities, establishing recovery objectives, developing recovery strategies, and maintaining continuity plans.

While these remain essential elements of organisational resilience, regulators and industry leaders increasingly recognise that traditional BCM alone may not provide sufficient assurance in today's highly interconnected and technology-dependent operating environment.

The emergence of Operational Resilience has fundamentally changed the way organisations view disruption management.

Rather than focusing solely on internal recovery capabilities, Operational Resilience emphasises the organisation's ability to continue delivering critical business services to customers, stakeholders, and the wider economy, even during severe disruptions.

Consequently, auditors must evolve their approach from auditing traditional BCM programmes to evaluating Operational Resilience capabilities. This chapter examines how auditors can assess Operational Resilience programmes and integrate resilience assurance into existing BCM audit frameworks.

Understanding Operational Resilience

What is Operational Resilience?

Operational Resilience refers to an organisation's ability to:

  • Prevent disruptions where possible
  • Adapt to changing conditions
  • Respond effectively during disruption
  • Recover critical services
  • Learn and improve following incidents

The primary objective is to ensure the continued delivery of critical business services despite disruptions.

Operational Resilience extends beyond traditional BCM by focusing on customer outcomes, service continuity, and organisational adaptability.

Traditional BCM versus Operational Resilience

 

Traditional BCM

Operational Resilience

Focus on the recovery of business functions

Focus on continuity of critical business services

Recovery Time Objectives (RTOs)

Impact Tolerances

Department-centric

Service-centric

Plan-driven

Outcome-driven

Recovery capability

Service continuity capability

Internal focus

Internal and external ecosystem focus

Business continuity exercises

Severe but plausible scenario testing

 

Why Operational Resilience Matters

Several global events have accelerated regulatory focus on resilience:

  • COVID-19 pandemic
  • Major ransomware attacks
  • Global cloud service outages
  • Supply chain disruptions
  • Geopolitical instability
  • Digital transformation initiatives

These events demonstrated that organisations may possess recovery plans but still struggle to maintain critical services during prolonged disruptions.

 

Regulatory Drivers for Operational Resilience

Malaysia – Bank Negara Malaysia (BNM)

Financial institutions in Malaysia are increasingly expected to strengthen resilience through:

  • Business Continuity Management
  • Risk Management in Technology (RMiT)
  • Operational Resilience Frameworks
  • Third-Party Risk Management

Auditors should evaluate how BCM programmes support broader resilience objectives.

Global Regulatory Trends

Operational Resilience expectations are reflected in guidance from:

  • Bank for International Settlements
  • Basel Committee on Banking Supervision
  • Financial Conduct Authority
  • Prudential Regulation Authority
  • Monetary Authority of Singapore
  • Bangko Sentral ng Pilipinas

These frameworks consistently emphasise:

  • Critical business services
  • Dependency mapping
  • Impact tolerance
  • Scenario testing
  • Board accountability

 

The Auditor's Expanded Role

Historically, auditors focused on reviewing:

  • BCM policies
  • BIA reports
  • Recovery strategies
  • Continuity plans
  • Exercise reports

Today, auditors must also assess:

  • Critical business service identification
  • Service ownership
  • Interdependencies
  • Third-party resilience
  • Impact tolerance validation
  • Operational resilience governance
  • Scenario testing effectiveness

The question has evolved from:

"Can the organisation recover?"

to

"Can the organisation continue delivering critical services throughout a disruption?"

 

Auditing Critical Business Services

What Are Critical Business Services?

Critical Business Services (CBS) are services whose disruption would result in:

  • Significant customer harm
  • Financial instability
  • Regulatory breaches
  • Reputational damage
  • Systemic impact

Examples include:

Banking

  • Deposit services
  • Payment processing
  • ATM services
  • Digital banking

Telecommunications

  • Network connectivity
  • Voice services
  • Data services

Healthcare

  • Patient treatment
  • Emergency care
  • Medical records access
Audit Objectives

Determine whether:

  • Critical services have been properly identified
  • Service definitions are appropriate
  • Service ownership is established
  • Governance arrangements exist
Key Audit Questions
  • How were critical services identified?
  • What criteria were used?
  • Has management approved the service inventory?
  • Are customer impacts considered?
Common Audit Findings

Finding 1

Critical services are defined at a departmental rather than service level.

Finding 2

Customer impact assessments are incomplete.

Finding 3

Service ownership is unclear.

 

Auditing Impact Tolerance

What is Impact Tolerance?

Impact tolerance represents the maximum level of disruption an organisation is willing to tolerate before unacceptable harm occurs.

Unlike traditional RTOs, impact tolerances focus on customer and stakeholder outcomes.

Examples:

Critical Service

Impact Tolerance

Online Banking

Maximum 4 hours of unavailability

Payment Services

Maximum 2 hours of disruption

Securities Trading

Maximum 30 minutes of disruption

Audit Objectives

Determine whether:

  • Impact tolerances have been defined
  • Tolerances are evidence-based
  • Management has approved tolerances
  • Monitoring mechanisms exist
Key Audit Questions
  • How were impact tolerances established?
  • Are they linked to customer expectations?
  • Are they measurable?
  • Have they been tested?
Common Audit Findings

Finding 1

Impact tolerances are not formally approved.

Finding 2

Tolerances are based on assumptions rather than analysis.

Finding 3

No monitoring exists to measure tolerance breaches.

 

Auditing Dependency Mapping

Why Dependency Mapping Matters

Many disruptions occur not because a service fails directly, but because a supporting dependency fails.

Operational Resilience requires organisations to understand the dependencies that support critical services.

Categories of Dependencies

People

Examples:

  • Key personnel
  • Subject matter experts
  • Vendors

Processes

Examples:

  • Transaction processing
  • Customer onboarding
  • Payment workflows

Technology

Examples:

  • Applications
  • Networks
  • Databases
  • Cloud platforms

Information

Examples:

  • Customer data
  • Transaction data
  • Regulatory records

Facilities

Examples:

  • Offices
  • Data centres
  • Call centres

Third Parties

Examples:

  • Cloud providers
  • Outsourcing partners
  • Telecommunications providers
Audit Objectives

Determine whether:

  • Dependencies are identified
  • Interconnections are documented
  • Single points of failure are recognised
  • Critical concentrations are understood
Key Audit Questions
  • What resources support each critical service?
  • Which dependencies are most critical?
  • What happens if a dependency fails?
Common Audit Findings

Finding 1

Dependency mapping is incomplete.

Finding 2

Fourth-party dependencies are not assessed.

Finding 3

Single points of failure remain unresolved.

 

Auditing Scenario Testing

Moving Beyond Traditional Exercises

Traditional BCM exercises typically validate plans.

Operational Resilience scenario testing validates service continuity under extreme conditions.

Severe but Plausible Scenarios

Examples include:

Technology Scenarios

  • Data centre failure
  • Cloud outage
  • Cyberattack
  • Telecommunications disruption

Third-Party Scenarios

  • Vendor insolvency
  • Outsourcing failure
  • Supply chain interruption

People Scenarios

  • Pandemic outbreak
  • Labour strike
  • Key personnel loss

Physical Scenarios

  • Flood
  • Fire
  • Power outage
Audit Objectives

Determine whether:

  • Scenarios challenge organisational resilience
  • Critical services are tested
  • Impact tolerances are assessed
  • Dependencies are stressed
Key Audit Questions
  • Are scenarios sufficiently severe?
  • Are multiple dependencies tested simultaneously?
  • Were tolerance levels exceeded?
  • What lessons were identified?
Common Audit Findings

Finding 1

Scenarios are unrealistic.

Finding 2

Exercises focus on individual departments rather than services.

Finding 3

Impact tolerances are not evaluated.

 

Auditing Operational Resilience Governance

Governance Expectations

Operational Resilience requires strong oversight.

Auditors should review:

Board Responsibilities
  • Resilience strategy approval
  • Impact tolerance approval
  • Performance oversight
Senior Management Responsibilities
  • Programme implementation
  • Resource allocation
  • Reporting
Operational Responsibilities
  • Service ownership
  • Scenario testing
  • Continuous improvement
Key Audit Questions
  • Does the Board understand resilience risks?
  • Are resilience metrics reported?
  • Are accountability structures effective?

 

Operational Resilience Audit Framework

 

Audit Domain

Review Focus

Governance

Oversight and accountability

Critical Business Services

Identification and ownership

Impact Tolerance

Definition and validation

Dependency Mapping

Resource and service dependencies

Scenario Testing

Severe but plausible testing

Third-Party Resilience

External dependencies

Technology Resilience

Recovery and cyber capabilities

Continuous Improvement

Lessons learned and remediation

 

Future Challenges for Auditors

Operational Resilience continues to evolve.

Emerging audit considerations include:

Artificial Intelligence Dependencies
  • AI-driven decision-making
  • AI platform outages
  • Model failures
Cloud Concentration Risk
  • Reliance on major cloud providers
  • Geographic concentration
Digital Ecosystems
  • API dependencies
  • Fintech partnerships
  • Shared infrastructure
Cyber Resilience
  • Ransomware recovery
  • Data integrity validation
  • Technology restoration

Auditors must continually adapt to evaluate these evolving risks.

 

Operational Resilience represents the next evolution of organisational resilience. While BCM remains an essential foundation, regulators and stakeholders increasingly expect organisations to demonstrate their ability to continue delivering critical services during severe disruptions.

Auditors, therefore, play a critical role in providing assurance that resilience capabilities are not merely documented but are operational, measurable, and effective.

This requires evaluating critical business services, impact tolerances, dependency mapping, scenario testing, governance arrangements, and continuous improvement processes.

The future of resilience auditing lies not in verifying the existence of plans but in assessing whether the organisation can successfully maintain critical services and protect customers, stakeholders, and the broader economy when disruption occurs.

The key audit question becomes:

"Can the organisation continue delivering its critical business services within acceptable impact tolerances when confronted with severe but plausible disruptions?"

 

Introductory C1 C2 C3
eBook Cover C4 C5 C6

More Information About Auditing BCMS Courses

BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].

     
Please feel free to send us a note if you have any questions.
Click to View 5000-Level or 300-Level Catalogue.  What Expert- and Intermediate-level Learning Courses are Available?