Operational Resilience Audit

Posts by:

Moh Heng Goh

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialised BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 50 organisations, particularly those operating in the Asia-Pacific and Middle-East Region, in the successful implementation of their Business Continuity Management System (BCMS) and in achieving BS 25999 / SS 540 / ISO 22301 organisation certification. Prior to establishing BCM Institute and GMH BCM Consulting, Dr. Goh held senior positions with a number of large organisations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its business continuity and crisis management. At Standard Chartered Bank Plc, he oversaw and managed the global implementation of its BC management and planning for 52 countries. He also managed the BCM practice at PricewaterhouseCoopers.

ORA Challenges Faced: Scope Definition

Challenges Faced by Auditors when Conducting an Operational Resilience Audit

Scope Definition

 

The challenges to defining the scope for an operational resilience audit primarily revolve around the complexities arising from the interconnected nature of an organisation's operations and the need for a comprehensive understanding of its inner workings.

Interconnectedness of Business Functions

Many modern organisations have intricate webs of interconnected processes and systems. Pinpointing the boundaries of the audit scope becomes challenging because disruptions in one area can ripple across others. This interconnectedness makes it difficult to isolate individual components for assessment.

Dependency Identification

Understanding the dependencies between critical business services and the business functions, systems and third-party entities that support them is crucial. However, these dependencies are not always explicit or easily discernible. Some critical dependencies may be hidden or overlooked, leaving vulnerabilities unaddressed.

Depth of Understanding

A deep understanding of the organisation's operations, especially in larger or more complex enterprises, demands substantial time and resources. Without a comprehensive grasp of how different functions interrelate and support each other, auditors might miss critical components or fail to evaluate their significance accurately.

Dynamic Nature of Operations

Businesses are in a constant state of flux. New technologies, process changes, or market adaptations might alter the operational landscape. Keeping up with these changes and adjusting the audit scope is challenging and requires continuous monitoring and updates.

Subjectivity in Prioritisation

Identifying and prioritising critical processes or functions can be subjective. Different organisational stakeholders may have varying opinions on what is critical or less critical. Balancing these perspectives to create an objective and practical scope can be challenging.

Summarising the execution of Scope Definition ...

To tackle these challenges, auditors must collaborate closely with stakeholders across departments, leverage data analytics and technology to map dependencies, conduct extensive interviews and workshops, and continuously reassess the scope throughout the audit process.

Flexibility and adaptability are essential to refine the audit scope to align with the organisation's evolving operational landscape.

Summing Up ...

Addressing these challenges often requires a multidisciplinary approach involving collaboration across various departments, access to updated information, leveraging technological solutions for data analysis, and continuous adaptation to emerging threats.

Flexibility and agility in audit methodologies are crucial to assess and enhance an organisation's operational resilience effectively.

Types of Challenges Faced by OR Auditor and Reviewer

  • Scope Definition
  • Dynamic Risk Landscape
  • Interdependencies and Supply Chain Risks
  • Data and Information Management
  • Complexity of Business Processes
  • Measuring Resilience Effectively
  • Resource Constraints
  • Regulatory Compliance

 

 

[BL-HL-ORA-5] What is an OR Audit Expert Blended or Hybrid Learning Course?


Overview of ORA-5000 Blended [BL] or Hybrid Learning [HL] Course [ORA-5]

The Operational Resilience (OR) Audit blended learning is the most advanced level of OR audit training for certification, financial, IT internal and external auditors.

This comprehensive course is equivalent to the international certification of an Operational Resilience (OR) Auditor. Its blend of self-paced study and online interaction allows busy and interested auditors to study with minimal schedule disruption.

This course is NOT a four-day, hour-by-hour direct conversion course from its brick-and-mortar version but revamped with several guiding principles.

  • Complete the course by developing the relevant toolkits for the entire auditing process.
  • Built on OR knowledge, followed by the integration of OR auditing concepts.
  • Provide participants with downloadable handbooks and the latest OR audit program, based on the latest global regulatory updates.
  • Give access to additional audit readings for those who are already experienced.
  • Facilitated by experienced IT/financial auditors and OR implementers/auditors.
  • Enable participants to conduct the audit via an electronic platform without travelling to another country or state.


Here is a quick overview of the course, divided into Modules 1 to 4. Modules 1 to 4 and their relationship to the ORA-300, ORA-400 and ORA-5000 level courses are explained.

 

The conduct of each module is described with the corresponding on-site learning outcome.

Below is a snapshot of what you can expect from the program. Each module's syllabus has been carefully crafted to ensure that the outcome matches each day of the ORA-5000 OR Auditor competency level.  

Click the "Course Content" icon to learn more about each module's content (syllabus).  Click the "Course Requirement" icon to determine what you can expect as participants for each module.

 

Module (Day) | Course Content | Course Requirement
[BL-ORA] [3] M2 What is ORA-300?
[BL-ORA] [4] [5] M4 What is ORA-5000?

Breakdown of the Time Spent: Blended Learning (BL) Modules 1 & 2

Module | Mode of Study | Flexible (Hours) | Mandatory & Fixed Timing (Hours)
Module 1 | E-learning / Self Study | 8 | -
Module 2 ([BL-ORA] [3] What is ORA-300?) | Facilitated Online Workshop (3 hours self study = assignment + 6 hours scheduled online classes) | 3 | 6 (3-hour x 2 separate sessions)
Total Hours, Blended Learning [BL] Modules 1 and 2 | | 11 | 6

Note that participants attending Hybrid Learning [HL] will attend the same BL Module 1 and Module 2.

Breakdown of the Time Spent: Blended Learning (BL) Modules 3 & 4

Module | Mode of Study | Flexible | Mandatory & Fixed Timing (Hours)
Module 3 | Online Web Training and Discussion Workshop (2 hours self study + 3-hour scheduled online classes) | Two sessions | 6 (3-hour x 2 separate sessions)
Module 4 ([BL-ORA] [4] [5] What is ORA-5000?) | Online Web Training and Discussion Workshop (2 hours self study + 2 hours scheduled online classes) | Two sessions | 6 (3-hour x 2 separate sessions)
Total Hours, Blended Learning [BL] Online Modules 3 and 4 | | Four 3-hour sessions | 18

Breakdown of the Time Spent: Hybrid Learning (HL) Modules 3 & 4

Module | Mode of Study | Duration | Mandatory & Fixed Timing (Hours)
Module 3 | Hybrid Learning [HL] Onsite Face-to-face Workshop | 1-day onsite | 8
Module 4 ([BL-ORA] [4] [5] What is ORA-5000?) | Hybrid Learning [HL] Onsite Face-to-face Workshop | 1-day onsite | 8
Total Hours, Hybrid Learning [HL] Onsite Day 3 and Day 4 | | 2-day onsite | 16
 

 

   
Qualifying Examination for OR Audit Specialist/ Expert

ORAE Qualifying Examination for OR Audit Expert (after BL-HL-ORA-5 course): 100 multiple-choice questions, 2 1/2 hours
ORAS Qualifying Examination for OR Audit Specialist (after BL-HL-ORA-3 course): 100 multiple-choice questions, 2 1/2 hours

What are the Differences and Concerns?

The primary concern with blended learning is that it will be just another e-learning course delivered over a video channel.

The entire process is designed so that the content delivers the same outcome: pre-readings are provided before the class, assignments are prepared with the support of detailed guidance notes, eLearning covers the fundamentals, and the online "face-to-face" sessions are reserved for sharing and elaboration by experienced facilitators.

Instructors: Note that the instructors delivering the modules are the same as for the onsite training. They have between 5 and 30 years of OR and audit-related experience.

International Participation: Another significant change is the participation of more international delegates compared to the traditionally Asian majority. Expect to discuss and work in teams with participants from around the world.

Readings: Expect more pre-readings, as the objective is to ensure that knowledge that can be acquired by reading is acquired outside the training session. More time is allocated to sharing experiences among participants and facilitators.

Live Audit: Despite being virtual, there is a balance between knowledge-based acquisition activities, presentations, discussions, exercises and case studies. About two-thirds of the time is spent on activity-based learning. A live audit will be conducted. 

This is the course schedule. Click the "ORA-5000 Course Schedule" icon to learn more about the "RUNs" for the year.

Blended Learning is entirely online, Hybrid Learning is Module 1 and 2 online, and Module 3 and 4 onsite.

 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

ORA Sustain Phase Questionnaires: Introduce Cultural Change

OR Audit Questionnaires

Implement Phase

Introduce Cultural Change


 

What is Organisational Culture?

Organisational Culture is not created by memo or a decision from senior management but developed over time and plays a crucial role in achieving organisational objectives, especially in this new area of operational resilience.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the first stage of the Implement phase: Identify Critical Business Services.

 

Audit Checklist for Introducing Cultural Change

 

Identification of Critical Business Services

  • Has the organisation identified its critical business services?
  • Are the critical business services clearly defined and documented?
  • Has the organisation prioritised the criticality of each business service?

 

Interdependencies and Interconnections

  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are there contingency plans in place to address disruptions to dependent services?

 

Business Impact Analysis

  • Has a business impact analysis (BIA) been conducted for each critical business service?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are each critical business service's recovery time objectives (RTOs) and recovery point objectives (RPOs) defined?

 

Risk Assessment

  • Has a comprehensive risk assessment been conducted for each critical business service?
  • Are the risks to each critical business service identified and assessed?
  • Are risk mitigation measures in place for identified risks?
  • Is there a process to regularly review and update risk assessments for critical business services?

 

Business Continuity Planning

  • Are business continuity plans in place for each critical business service?
  • Have the plans been tested and validated?
  • Are the business continuity plans documented and easily accessible to relevant personnel?
  • Are there clearly defined procedures for invoking and executing the business continuity plans?
 

 

Incident Management

  • Is there an incident management framework specifically tailored for critical business services?
  • Are there documented incident response procedures for critical business services?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
 

 

Communication and Stakeholder Management

  • Is there a communication plan to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels to reach internal and external stakeholders?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
 

 

Testing and Exercises

  • Are regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?

 

Training and Awareness

  • Is there a training program to educate employees on the operational resilience of critical business services?
  • Are employees aware of their roles and responsibilities in maintaining the operational resilience of critical business services?
  • Are there regular awareness campaigns to promote a culture of operational resilience for critical business services?
  • Are training records maintained for compliance and audit purposes?

 

Continuous Improvement

  • Is there a process to capture and analyse lessons learned from disruptions to critical business services?
  • Are there mechanisms to incorporate the lessons learned into improvements for the operational resilience of critical business services?
  • Is there a culture of continuous improvement in managing the operational resilience of critical business services?
  • Are the business continuity plans and procedures for critical business services regularly reviewed and updated?

 

Note that some of the steps may overlap with the other stages of the "Implement" phase.

 

Table of Content: Operational Resilience Audit Questionnaires


Detailed Operational Resilience Audit Questionnaires

This list of OR Questionnaires is intended to guide Auditors in developing their Standardized Audit Program. Refer to OR Questionnaires.

 

Plan

Implement
  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt

Sustain

 

 

 

 

S/No | Chapter | BCM Audit Questionnaires
1 | [C9] | BC Roles and Responsibilities
2 | [C10] | Project Management
3 | [C11] | Risk Analysis and Review
4 | [C12] | Business Impact Analysis
5 | [C13] | Business Continuity Strategy
6 | [C14] | Plan Development
7 | [C15] | Testing and Exercising
8 | [C16] | Program Management: Training and Awareness
9 | [C17] | Program Management: Maintenance
10 | [C18] | Crisis Management

 

 

Reference Guide

Goh, M. H. (2010). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Specialist Series (1st ed., p. 192). Singapore: GMH Pte Ltd.

Extracted from "Chapters 9 to 13"

Note: This version is the 2nd Edition, updated in 2021. The number in square brackets [C##] cross-references the actual chapters in the 2010 Edition.

Guidelines on Operational Resilience by the Hong Kong Monetary Authority

Operational resilience is critical for financial institutions in ensuring uninterrupted services and maintaining the financial system's stability. The Hong Kong Monetary Authority (HKMA) has issued guidelines to provide a comprehensive framework for financial institutions in Hong Kong to enhance their operational resilience. 

It is important to refer to the actual "Supervisory Policy" or "SPM OR-2", which sets out the HKMA's approach and supervisory expectations on operational resilience. Refer to the guideline on the HKMA webpage.

Objective

This blog aims to give participants attending the Operational Resilience Implementer and Expert Implementer courses, with global or regional responsibilities, an understanding of:

  • The general principles outlined by the Hong Kong Monetary Authority (HKMA) that institutions must consider when developing their operational resilience framework.
  • The guidelines, so that they can be compared with those issued by other central banks in other regional jurisdictions.

Definition of Operational Resilience

Operational resilience refers to a financial institution's ability to consistently deliver critical operations and services, even during disruptions or unexpected events.

It encompasses the organisation's ability to prevent, adapt, respond, and recover from operational disruptions to maintain continuity and protect the interests of customers and stakeholders.

Operational Resilience Framework

Financial institutions are expected to establish an operational resilience framework that integrates people, processes, and technology to enhance their overall resilience.

The framework should include the following components:

Governance and Accountability

The board and senior management should demonstrate clear responsibility and accountability for operational resilience. They should oversee and approve the institution's operational resilience strategy, policies, and risk tolerance levels.

Risk Identification and Assessment

Financial institutions should identify and assess the potential risks and vulnerabilities associated with their critical business services, processes, and systems. This includes conducting regular impact assessments and scenario analyses to understand the potential consequences of operational disruptions.

Business Impact Tolerance

Institutions should define their business impact tolerance, reflecting the maximum tolerable disruption to critical services, processes, and systems. This determination should consider the institution's risk appetite, customer expectations, and market conditions.

Planning and Strategy

Institutions should develop robust and comprehensive plans to address operational disruptions effectively. Considering various scenarios and potential impacts, these plans should cover incident response, crisis management, and business continuity.

Testing and Validation

Regular testing and validation exercises should be conducted to evaluate the effectiveness of the operational resilience framework. Institutions should identify gaps and areas for improvement, and implement corrective actions based on the test results.

Reporting and Communication

Institutions should establish clear lines of communication and reporting for operational disruptions. This includes promptly reporting incidents to the HKMA and maintaining effective communication with customers, stakeholders, and regulatory authorities.

Role of the Board and Senior Management

The guidelines emphasise the board's and senior management's crucial role in ensuring operational resilience. They should demonstrate strong leadership, establish a culture of resilience, and promote effective governance practices within the organisation. Key responsibilities include:

Setting the Operational Resilience Strategy

The board and senior management should define the institution's strategic objectives regarding operational resilience, aligning them with the overall business strategy.

Risk Management Oversight

They should oversee the identification, assessment, and management of operational risks, ensuring appropriate risk controls and mitigation measures are in place.

Resource Allocation

The board and senior management should allocate sufficient resources, including budget, staff, and technology, to support the implementation and maintenance of the operational resilience framework.

Monitoring and Reporting

They should establish mechanisms to monitor the effectiveness of the operational resilience framework and receive regular reports on key resilience indicators and performance metrics.

Determining Operational Resilience Parameters

Financial institutions should establish operational resilience parameters to define the levels of resilience required for their critical business services, processes, and systems. These parameters should be determined based on factors such as:

Criticality and Impact

Institutions should consider the criticality and potential impact of a disruption on customers, financial stability, and the broader economy.

Recovery Time Objectives (RTOs)

RTOs specify the maximum tolerable downtime for critical services, processes, and systems, guiding the planning and recovery strategies.

Recovery Point Objectives (RPOs)

RPOs define the maximum acceptable data loss in case of disruptions, guiding data backup and recovery measures.

Dependencies and Interconnections

Institutions should consider the dependencies and interconnections between their internal and external systems and third-party service providers to ensure comprehensive resilience.

Mapping Interconnections and Interdependencies

Financial institutions must map the interconnections and interdependencies that underlie their critical operations. This includes identifying the key business services, processes, systems, and resources, both internal and external, on which their operations rely.

By mapping these interconnections, institutions can understand the potential impact and dependencies in the event of disruptions. This knowledge enables them to identify vulnerabilities and implement appropriate measures to enhance resilience.
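The dependency mapping described above, and the hidden-dependency problem raised under "Dependency Identification" in the Scope Definition post, can be made concrete with a small piece of audit tooling. The following Python script is an added example written for this page; it is not part of the original post, of BCM Institute's material, or of the HKMA guidance. The service names, the dependency map and the RTO/RPO figures are constructed for illustration only. The script walks a declared dependency map to surface transitive dependencies that a critical business service never declared directly, works out which critical services a single failed node would disrupt, and flags any dependency whose RTO or RPO is looser than the service's own, since such a service cannot meet its stated parameters regardless of how good its own plan is.

```python
"""Dependency-map checks for an operational resilience audit (constructed example)."""
from collections import deque

# Constructed sample map. Each node declares the nodes it relies on directly.
# kind: "service" = critical business service, "system" = internal system,
# "vendor" = third-party provider. RTO/RPO are in hours and are made up for the example.
NODES = {
    "Payments":         {"kind": "service", "rto": 2,  "rpo": 0.25, "deps": ["CoreBanking", "PaymentGateway"]},
    "CustomerPortal":   {"kind": "service", "rto": 8,  "rpo": 1,    "deps": ["CoreBanking", "IdentityProvider"]},
    "CoreBanking":      {"kind": "system",  "rto": 4,  "rpo": 0.5,  "deps": ["PrimaryDatabase"]},
    "PaymentGateway":   {"kind": "vendor",  "rto": 1,  "rpo": 0,    "deps": ["NetworkLink"]},
    "IdentityProvider": {"kind": "vendor",  "rto": 6,  "rpo": 1,    "deps": []},
    "PrimaryDatabase":  {"kind": "system",  "rto": 3,  "rpo": 1,    "deps": ["StorageArray"]},
    "StorageArray":     {"kind": "system",  "rto": 12, "rpo": 0,    "deps": []},
    "NetworkLink":      {"kind": "vendor",  "rto": 1,  "rpo": 0,    "deps": []},
}


def transitive_deps(name):
    """Every node the given node relies on, directly or through other nodes.
    Breadth-first walk with a visited set, so a cyclic map cannot loop forever."""
    seen, queue = set(), deque(NODES[name]["deps"])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(NODES[dep]["deps"])
    return seen


def hidden_deps(service):
    """Dependencies a service relies on but never declared directly.
    These are the ones most often missed when the audit scope is drawn."""
    return sorted(transitive_deps(service) - set(NODES[service]["deps"]))


def blast_radius(node):
    """Critical business services whose delivery is disrupted if this node fails."""
    return sorted(
        svc for svc, attrs in NODES.items()
        if attrs["kind"] == "service" and node in transitive_deps(svc)
    )


def parameter_gaps(service, parameter):
    """Dependencies whose RTO or RPO is looser than the service's own target.
    parameter is "rto" or "rpo". A service cannot recover faster, or lose less data,
    than the weakest node in its dependency chain, so each hit is an audit finding."""
    limit = NODES[service][parameter]
    return sorted(
        (dep, NODES[dep][parameter])
        for dep in transitive_deps(service)
        if NODES[dep][parameter] > limit
    )


def audit_service(service):
    """Collect the three checks for one critical business service."""
    return {
        "hidden_dependencies": hidden_deps(service),
        "rto_gaps": parameter_gaps(service, "rto"),
        "rpo_gaps": parameter_gaps(service, "rpo"),
    }


if __name__ == "__main__":
    for svc, attrs in NODES.items():
        if attrs["kind"] == "service":
            print(svc, audit_service(svc))
    for node in ("StorageArray", "NetworkLink", "IdentityProvider"):
        print(node, "failure disrupts:", blast_radius(node))
```

In the constructed map, Payments declares only two direct dependencies but actually relies on five nodes, and three of them (the database, the storage array and the vendor's network link) would never appear in a scope drawn from the declared list alone. The RTO check is the finding an auditor most needs: an impact tolerance of 2 hours on Payments is not credible while the storage array underneath it has a 12-hour RTO, whatever the Payments plan itself says.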

Preparing for and Managing Risks to Critical Operations Delivery

Financial institutions should proactively prepare for and manage risks that could affect the delivery of critical operations. 

This involves robust risk assessments to identify potential threats, vulnerabilities, and impacts. Institutions must establish risk management frameworks that identify, measure, monitor, and mitigate risks. These frameworks should align with the institution's risk appetite and regulatory requirements. By effectively managing risks, institutions can enhance their ability to withstand disruptions and ensure the continuity of critical operations.

Testing Ability to Deliver Critical Operations under Severe but Plausible Scenarios

Financial institutions must test their ability to deliver critical operations under severe yet plausible scenarios. 

This includes scenario-based exercises to simulate disruptions and assess the institution's response and recovery capabilities. Testing should cover various aspects, such as incident response, crisis management, communication, and business continuity. Regular testing helps identify weaknesses, refine response plans, and enhance the institution's overall operational resilience.

Responding to and Recovering from Incidents

Financial institutions should establish robust response and recovery plans to address operational incidents effectively. 

This involves defining clear roles, responsibilities, and escalation procedures to ensure a coordinated response. Institutions should also establish mechanisms for timely communication with stakeholders, including customers, regulators, and relevant authorities.

By promptly responding to incidents and implementing effective recovery measures, institutions can minimise the impact on critical operations and expedite the restoration of services.

Implementation of Operational Resilience Requirements

Financial institutions are expected to implement operational resilience requirements throughout their organisation.

This includes embedding a culture of resilience, providing appropriate training and awareness programs for employees, and integrating operational resilience considerations into decision-making processes. 

Institutions should allocate sufficient resources to support the implementation of operational resilience requirements and establish mechanisms for monitoring, reporting, and ongoing improvement.

Conclusion

The HKMA's guidelines on operational resilience provide financial institutions in Hong Kong with a comprehensive framework to strengthen their operational resilience. 

By considering the general principles outlined in these guidelines, institutions can develop robust operational resilience frameworks that ensure the continuity of critical operations and protect the interests of customers and stakeholders.

Implementing these guidelines is essential for maintaining the financial system's stability and safeguarding the reputation of financial institutions in Hong Kong.

 

 
