Business Continuity Management (BCM) has traditionally focused on ensuring that organisations can recover critical business functions following a disruptive event.
For many years, BCM programmes were built around identifying critical activities, establishing recovery objectives, developing recovery strategies, and maintaining continuity plans.
While these remain essential elements of organisational resilience, regulators and industry leaders increasingly recognise that traditional BCM alone may not provide sufficient assurance in today's highly interconnected and technology-dependent operating environment.
The emergence of Operational Resilience has fundamentally changed the way organisations view disruption management.
Rather than focusing solely on internal recovery capabilities, Operational Resilience emphasises the organisation's ability to continue delivering critical business services to customers, stakeholders, and the wider economy, even during severe disruptions.
Consequently, auditors must evolve their approach from auditing traditional BCM programmes to evaluating Operational Resilience capabilities. This chapter examines how auditors can assess Operational Resilience programmes and integrate resilience assurance into existing BCM audit frameworks.
Operational Resilience refers to an organisation's ability to:
The primary objective is to ensure the continued delivery of critical business services despite disruptions.
Operational Resilience extends beyond traditional BCM by focusing on customer outcomes, service continuity, and organisational adaptability.
|
Traditional BCM |
Operational Resilience |
|
Focus on the recovery of business functions |
Focus on continuity of critical business services |
|
Recovery Time Objectives (RTOs) |
Impact Tolerances |
|
Department-centric |
Service-centric |
|
Plan-driven |
Outcome-driven |
|
Recovery capability |
Service continuity capability |
|
Internal focus |
Internal and external ecosystem focus |
|
Business continuity exercises |
Severe but plausible scenario testing |
Several global events have accelerated regulatory focus on resilience:
These events demonstrated that organisations may possess recovery plans but still struggle to maintain critical services during prolonged disruptions.
Financial institutions in Malaysia are increasingly expected to strengthen resilience through:
Auditors should evaluate how BCM programmes support broader resilience objectives.
Operational Resilience expectations are reflected in guidance from:
These frameworks consistently emphasise:
Historically, auditors focused on reviewing:
Today, auditors must also assess:
The question has evolved from:
"Can the organisation recover?"
to
"Can the organisation continue delivering critical services throughout a disruption?"
Critical Business Services (CBS) are services whose disruption would result in:
Examples include:
Banking
Telecommunications
Healthcare
Determine whether:
Finding 1
Critical services are defined at a departmental rather than service level.
Finding 2
Customer impact assessments are incomplete.
Finding 3
Service ownership is unclear.
Impact tolerance represents the maximum level of disruption an organisation is willing to tolerate before unacceptable harm occurs.
Unlike traditional RTOs, impact tolerances focus on customer and stakeholder outcomes.
Examples:
|
Critical Service |
Impact Tolerance |
|
Online Banking |
Maximum 4 hours of unavailability |
|
Payment Services |
Maximum 2 hours of disruption |
|
Securities Trading |
Maximum 30 minutes of disruption |
Determine whether:
Finding 1
Impact tolerances are not formally approved.
Finding 2
Tolerances are based on assumptions rather than analysis.
Finding 3
No monitoring exists to measure tolerance breaches.
Many disruptions occur not because a service fails directly, but because a supporting dependency fails.
Operational Resilience requires organisations to understand the dependencies that support critical services.
People
Examples:
Processes
Examples:
Technology
Examples:
Information
Examples:
Facilities
Examples:
Third Parties
Examples:
Determine whether:
Finding 1
Dependency mapping is incomplete.
Finding 2
Fourth-party dependencies are not assessed.
Finding 3
Single points of failure remain unresolved.
Traditional BCM exercises typically validate plans.
Operational Resilience scenario testing validates service continuity under extreme conditions.
Examples include:
Technology Scenarios
Third-Party Scenarios
People Scenarios
Physical Scenarios
Determine whether:
Finding 1
Scenarios are unrealistic.
Finding 2
Exercises focus on individual departments rather than services.
Finding 3
Impact tolerances are not evaluated.
Operational Resilience requires strong oversight.
Auditors should review:
|
Audit Domain |
Review Focus |
|
Governance |
Oversight and accountability |
|
Critical Business Services |
Identification and ownership |
|
Impact Tolerance |
Definition and validation |
|
Dependency Mapping |
Resource and service dependencies |
|
Scenario Testing |
Severe but plausible testing |
|
Third-Party Resilience |
External dependencies |
|
Technology Resilience |
Recovery and cyber capabilities |
|
Continuous Improvement |
Lessons learned and remediation |
Operational Resilience continues to evolve.
Emerging audit considerations include:
Auditors must continually adapt to evaluate these evolving risks.
Operational Resilience represents the next evolution of organisational resilience. While BCM remains an essential foundation, regulators and stakeholders increasingly expect organisations to demonstrate their ability to continue delivering critical services during severe disruptions.
Auditors, therefore, play a critical role in providing assurance that resilience capabilities are not merely documented but are operational, measurable, and effective.
This requires evaluating critical business services, impact tolerances, dependency mapping, scenario testing, governance arrangements, and continuous improvement processes.
The future of resilience auditing lies not in verifying the existence of plans but in assessing whether the organisation can successfully maintain critical services and protect customers, stakeholders, and the broader economy when disruption occurs.
The key audit question becomes:
"Can the organisation continue delivering its critical business services within acceptable impact tolerances when confronted with severe but plausible disruptions?"
| Introductory | C1 | C2 | C3 |
| eBook Cover | C4 | C5 | C6 |
BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].
| Please feel free to send us a note if you have any questions. |
| Click to View 5000-Level or 300-Level Catalogue. What Expert- and Intermediate-level Learning Courses are Available? |