Operational Resilience Audit

Posts by:

Moh Heng Goh

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects, a specialised BCM consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO 22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 50 organisations, particularly those operating in the Asia-Pacific and Middle East regions, in the successful implementation of their Business Continuity Management System (BCMS) and in achieving BS 25999 / SS 540 / ISO 22301 organisation certification. Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organisations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its business continuity and crisis management. At Standard Chartered Bank Plc, he oversaw and managed the global implementation of its BC management and planning for 52 countries. He also managed the BCM practice at PricewaterhouseCoopers.

ORA [Plan] Questionnaires: Develop and Embed Governance

Develop and Embed Governance

What is Governance?

Embedding operational resilience in the governance structure is essential.

This will start with the board of directors and senior management, who will actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the third stage of the Plan phase: Develop and Embed Governance.

Audit Checklist for Develop and Embed Governance

1. Governance Framework

  • Is there a documented governance framework in place for operational resilience? 
  • Has the framework been communicated to all relevant stakeholders?
  • Are roles and responsibilities clearly defined within the governance framework?

Checklist

  • Review the documented governance framework for operational resilience.
  • Evaluate if the framework aligns with industry best practices and regulatory requirements.
  • Assess the framework's effectiveness in providing clear roles, responsibilities, and decision-making authority.
  • Verify if the governance framework is communicated and understood by relevant stakeholders.
  • Check if there is a process to review and update the governance framework periodically.

2. Leadership and Accountability

  • Are senior management and executives actively involved in driving operational resilience? 
  • Is a designated individual or team responsible for overseeing the operational resilience program? 
  • Is there a reporting mechanism for the operational resilience program to senior management and the board?
Checklist
  • Assess the level of senior management and executive involvement in operational resilience initiatives.
  • Determine if a designated individual or team oversees and implements the operational resilience program.
  • Evaluate the communication channels between senior management, the operational resilience team, and other stakeholders.
  • Verify if there is a process to escalate operational resilience issues to senior management and the board.
  • Assess the effectiveness of leadership in promoting a culture of operational resilience throughout the organization.

3. Risk Assessment and Management

  • Has a comprehensive risk assessment been conducted to identify and prioritize operational risks?
  • Are risk mitigation strategies and controls in place to address identified risks?
  • Are risk management policies and procedures effectively communicated and implemented?
Checklist
  • Review the methodology and process used for conducting operational risk assessments.
  • Evaluate the comprehensiveness and accuracy of the identified risks.
  • Assess if there are clear risk mitigation strategies and controls in place.
  • Verify if risk management policies and procedures are effectively communicated and implemented.
  • Assess the monitoring and reporting mechanisms for identified risks and risk mitigation efforts.

4. Business Impact Analysis (BIA)

  • Has a BIA been conducted to assess the potential impact of disruptions on critical business processes?
  • Are the identified critical processes adequately documented?
  • Are there contingency plans and backup arrangements in place for critical processes?
Checklist
  • Review the BIA methodology and documentation to ensure it covers critical business processes and dependencies.
  • Verify if there is a process for identifying and prioritizing critical business processes. 
  • Assess if the BIA adequately addresses the potential impact of disruptions on critical processes.
  • Evaluate the existence and effectiveness of contingency plans and backup arrangements for critical processes.
  • Verify if the BIA is periodically updated to reflect organisational operations and risk landscape changes.

5. Incident Response and Recovery

  • Are there well-defined incident response plans for different types of operational disruptions?
  • Have tabletop exercises or simulations been conducted to test the effectiveness of the incident response plans?
  • Is there a process for documenting and reviewing lessons learned from incidents?
Checklist
  • Evaluate the existence and effectiveness of incident response plans for different operational disruptions.
  • Verify if the incident response plans are regularly tested, reviewed, and updated.
  • Assess the adequacy of incident escalation and communication procedures.
  • Review documentation of past incidents, including response actions and lessons learned.
  • Assess if there is a process for continuous improvement of incident response and recovery capabilities.

6. Testing and Exercising

  • Has a comprehensive testing program been established to validate the effectiveness of operational resilience measures?
  • Are different types of tests conducted, such as scenario-based testing, technology testing, or third-party testing?
  • Are test results documented, reviewed, and acted upon to enhance operationally
Checklist
  • Assess the comprehensiveness and frequency of testing programs for operational resilience measures.
  • Review the test types, such as tabletop exercises, simulations, or technology testing.
  • Evaluate the documentation and remediation processes for identified issues during testing.
  • Assess if a process exists to capture and implement lessons learned from testing exercises.
  • Verify if the testing program is periodically reviewed and updated to align with threats and organizational changes.

7. Training and Awareness

  • Is there an ongoing training program to ensure employees understand their roles and responsibilities related to operational resilience?
  • Are employees aware of the key risks, controls, and incident response procedures?
  • Is there a mechanism to assess the effectiveness of training programs?
Checklist
  • Evaluate the training programs provided to employees on operational resilience. 
  • Assess if employees know their roles and responsibilities related to operational resilience.
  • Verify if there are training programs specifically tailored for different job roles and functions.
  • Assess the effectiveness of training programs through employee feedback and assessment mechanisms.
  • Evaluate the organization's communication channels for disseminating information on operational resilience.

8. Third-Party Management

  • Are there processes in place to assess the operational resilience of critical third-party vendors and service providers?
  • Is there ongoing monitoring of third-party resilience and the adequacy of their business continuity plans?
  • Is there a contingency plan to mitigate risks arising from third-party failures or
Checklist
  • Assess if there is a process for evaluating and managing the operational resilience of critical third-party vendors and service providers.
  • Review the documentation of due diligence processes for third-party selection and ongoing monitoring. 
  • Verify if there are contractual requirements for third parties to maintain operational resilience standards.
  • Assess if there are contingency plans and alternate arrangements to mitigate risks arising from third-party failures.
  • Review the monitoring and reporting mechanisms for third-party operational resilience.

9. Reporting and Metrics

  • Are there clear reporting mechanisms to provide regular updates on the status of operational resilience to relevant stakeholders? 
  • Are key performance indicators (KPIs) and metrics defined to measure the effectiveness of operational resilience efforts?
  • Are reports reviewed and acted upon to drive continuous improvement?
Checklist
  • Evaluate the reporting mechanisms to provide regular updates on operational resilience to relevant stakeholders.
  • Assess the adequacy of key performance indicators (KPIs) and metrics to measure operational resilience effectiveness.
  • Verify if reports are reviewed, acted upon, and used to drive continuous improvement.
  • Assess the availability and accuracy of data and information used for reporting.
  • Evaluate if reporting aligns with regulatory requirements and internal governance expectations.

10. Compliance and Regulatory Requirements

  • Are there processes to ensure compliance with relevant laws, regulations, and industry standards? 
  • Has the operational resilience program been subjected to external audits or regulatory examinations?
  • Are there mechanisms to track and address any deficiencies or non-compliance issues identified?
Checklist
  • Review the organization's processes for identifying and complying with relevant laws, regulations, and industry standards related to operational resilience.
  • Assess the effectiveness of controls and procedures in place to ensure compliance.
  • Verify if there is a process for monitoring regulation changes and updating operational resilience practices accordingly.
  • Assess the documentation and evidence of external audits or regulatory examinations related to operational resilience.
  • Review any identified deficiencies or non-compliance issues and the subsequent remediation efforts.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

Questionnaires and Checklist "Plan" Phase

Assess Capability and Maturity

Analyse Gap

Develop Strategy Roadmap

Confirm Risk Appetite

Develop and Embed Governance

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
ORA [Plan] Questionnaires: Develop Strategy Roadmap

Develop Strategy Roadmap

What is Strategy Roadmap?

A strategy roadmap is a bridge between strategy and execution. It visualizes the critical outcomes of the operational resilience effort that must be delivered over a particular time horizon to achieve the organisation’s strategic vision.

The outcomes on the strategy roadmap are substantiated by a clear understanding of the organisation’s capabilities, and of the gaps and priorities that must be addressed.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Develop Strategy Roadmap.

Audit Checklist for Develop Strategy Roadmap

 

1. Governance and Leadership

  • Is there a clear governance structure in place for the operational resilience program?
  • Are roles and responsibilities for program leadership clearly defined?
  • Is there senior management oversight and involvement in the program?
  • Are there mechanisms to escalate and resolve issues related to operational resilience?
Checklist
  • Establish a clear governance structure with defined roles and responsibilities for operational resilience.
  • Ensure senior management oversight and involvement in the program.
  • Develop policies and procedures to support effective governance and decision-making.
  • Define mechanisms for escalation and resolution of operational resilience issues.

2. Risk Assessment and Identification

  • Has a comprehensive risk assessment been conducted to identify potential operational risks?
  • Are all critical business processes and dependencies identified?
  • Have risk thresholds and impact tolerances been established?
  • Is there a process to regularly update and reassess risks and dependencies?
Checklist
  • Develop a standardized risk assessment methodology for identifying and evaluating operational risks.
  • Ensure all critical business processes, systems, and dependencies are identified.
  • Establish risk thresholds and impact tolerances to prioritize risks.
  • Implement a process for regular risk monitoring and reassessment.

3. Business Impact Analysis

  • Has a business impact analysis been performed to assess the potential consequences of operational disruptions?
  • Are critical functions and processes prioritized based on their impact on the organization?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Has the impact of interdependencies between processes been considered?
Checklist
  • Conduct a comprehensive business impact analysis to assess the potential consequences of operational disruptions.
  • Prioritize critical functions and processes based on their impact on the organization.
  • Define recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Analyze interdependencies between processes to identify potential ripple effects.

4. Strategy Development

  • Has a strategy roadmap been developed to implement the operational resilience program?
  • Are there explicit goals and objectives for the program?
  • Is the strategy aligned with the organization's overall risk management and business continuity plans?
  • Are resource requirements and budget considerations identified in the strategy?
Checklist
  • Define the vision, goals, and objectives of the operational resilience program.
  • Align the strategy with the organization's overall risk management and business continuity plans.
  • Identify resource requirements, including budget, personnel, and technology.
  • Develop a roadmap with clear milestones and timelines for implementation.

5. Incident Response and Recovery

  • Is there an incident response plan for different types of operational disruptions?
  • Are roles and responsibilities clearly defined in the incident response plan?
  • Has the plan been tested and updated regularly?
  • Is there a process for learning from incidents and improving the operational resilience program?
Checklist
  • Establish an incident response plan that outlines procedures for responding to and recovering from operational disruptions.
  • Define roles and responsibilities for incident management, including incident response teams.
  • Regularly test and update the incident response plan to ensure its effectiveness.
  • Establish mechanisms for learning from incidents and incorporating improvements into the operational resilience program.

6. Communication and Coordination

  • Is there a communication plan to ensure effective communication during operational disruptions?
  • Are stakeholders identified and informed about the operational resilience program?
  • Is there coordination with external partners, vendors, and regulators during incidents?
  • Are there mechanisms to provide timely updates to stakeholders and manage their expectations?
Checklist
  • Define the vision and objectives of the operational resilience program.
  • Conduct a thorough assessment of the current state of operational resilience.
  • Identify key stakeholders and establish communication channels.
  • Develop a governance structure with clear roles and responsibilities.
  • Define risk assessment methodologies and criteria.
  • Perform a comprehensive risk assessment and document the findings.
  • Conduct a business impact analysis to prioritize critical functions and processes.
  • Develop recovery strategies and plans for critical processes.
  • Identify resource requirements and budget considerations.
  • Establish performance metrics and key performance indicators (KPIs) for measuring progress.
  • Develop an incident response plan with clear escalation procedures.
  • Test and validate the incident response plan through simulations and drills.
  • Develop a communication plan for internal and external stakeholders.
  • Establish mechanisms for ongoing monitoring and reporting of operational resilience.
  • Regularly review and update the strategy roadmap to incorporate lessons learned and evolving risks.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Plan] Questionnaires: Confirm Risk Appetite

Confirm Risk Appetite

What is Risk Appetite?

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.  The scope is further enlarged when viewed from an operational resilience perspective.

It reflects the organization’s risk management philosophy and influences its culture and operating style.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Plan phase: Confirm Risk Appetite.

Audit Checklist to Confirm Risk Appetite

 

1. Risk Appetite Framework

  • Is there a documented risk appetite framework in place?
  • Have senior management and the board approved the risk appetite framework?
  • Does the risk appetite framework align with the organization's objectives and strategy?
  • Is the risk appetite framework effectively communicated throughout the organization?
  • Are risk appetite statements measurable and specific, allowing for meaningful risk assessments?
  • Are risk appetite limits clearly defined for different types of operational risks?
  • Are risk appetite limits regularly reviewed and updated to reflect changes in the business environment?
  • Is there a mechanism to monitor and report on adherence to risk appetite limits?

Checklist

  • Review the documented risk appetite framework and ensure it is easily accessible to relevant stakeholders.
  • Verify that senior management and the board have approved the risk appetite framework.
  • Evaluate the alignment of the risk appetite framework with the organization's overall objectives and strategy.
  • Assess the effectiveness of communication channels that convey the risk appetite framework to employees.
  • Review risk appetite statements, assess whether they are measurable and specific, and facilitate meaningful risk assessments.
  • Evaluate the clarity and specificity of risk appetite limits set for different types of operational risks.
  • Confirm that risk appetite limits are regularly reviewed and updated to reflect changes in the business environment.
  • Assess the availability of mechanisms to monitor and report on adherence to risk appetite limits.

2. Risk Identification and Assessment

  • Has the organization conducted a comprehensive identification of operational risks?
  • Are risk assessments conducted regularly to identify new and emerging risks?
  • Are risk assessments based on a combination of qualitative and quantitative factors?
  • Are risk assessments conducted consistently across all relevant business areas?
  • Are risk assessments aligned with the organization's risk appetite framework?
  • Are potential impacts on critical business processes and systems considered in risk assessments?
  • Is there a process to validate and review risk assessments conducted by different business units?
  • Do appropriate data and evidence support risk assessments?
Checklist
  • Evaluate the comprehensiveness of the organization's risk identification process.
  • Review documented risk assessments and evaluate if they cover various operational risks.
  • Assess the frequency of risk assessments to determine if they are conducted regularly and reflect current risks.
  • Verify that risk assessments consider both qualitative and quantitative factors in evaluating risks.
  • Review risk assessment processes across different business areas for consistency and standardization.
  • Confirm that risk assessments are aligned with the organization's risk appetite framework.
  • Evaluate if risk assessments consider potential impacts on critical business processes and systems.
  • Assess the process for validating and reviewing risk assessments conducted by different business units.

3. Risk Tolerance and Risk Mitigation

  • Has the organization established risk tolerance levels for different operational risks?
  • Are risk tolerance levels consistent with the risk appetite framework?
  • Are risk tolerance levels clearly defined and communicated to relevant stakeholders?
  • Is there a process to monitor and measure risks against established tolerance levels regularly?
  • Are risk mitigation strategies in place for risks exceeding the risk tolerance levels?
  • Are risk mitigation strategies aligned with the organization's risk appetite and overall strategy?
  • Are risk mitigation actions prioritized based on their potential impact on operational resilience?
  • Is there a mechanism to monitor and evaluate the effectiveness of risk mitigation measures?
Checklist
  • Verify the establishment of risk tolerance levels for different operational risks.
  • Assess the consistency of risk tolerance levels with the risk appetite framework.
  • Review the clarity and effectiveness of communication regarding risk tolerance levels to relevant stakeholders.
  • Evaluate the monitoring and measurement mechanisms to track risks against established tolerance levels.
  • Assess the effectiveness of risk mitigation strategies for risks exceeding the risk tolerance levels.
  • Confirm the alignment of risk mitigation strategies with the organization's risk appetite and overall strategy.
  • Assess the prioritization process for risk mitigation actions based on the potential impact on operational resilience.
  • Evaluate the availability of mechanisms to monitor and evaluate the effectiveness of risk mitigation measures.

4. Incident Management and Response

  • Does the organization have a documented incident management plan in place?
  • Is the plan regularly reviewed and updated to reflect changes in the business environment?
  • Are roles and responsibilities clearly defined for incident response teams?
  • Are there defined escalation procedures for different types of incidents?
  • Is there a process for identifying, assessing, and prioritizing incidents based on their potential impact?
  • Does the organization have a communication plan for notifying stakeholders about incidents?
  • Are there established metrics and thresholds for measuring the effectiveness of incident response activities?
  • Has the organization conducted post-incident reviews to identify areas for improvement?
  • Are incident response procedures aligned with the organization's risk appetite?
Checklist
  • Review the documented incident management plan and assess its alignment with the organization's risk appetite.
  • Evaluate whether the plan includes clear roles and responsibilities for incident response teams.
  • Assess the defined escalation procedures for different incidents and their alignment with risk appetite.
  • Verify the presence of a process for identifying, assessing, and prioritizing incidents based on potential impact and risk appetite.
  • Examine the communication plan for notifying stakeholders about incidents and assess its effectiveness in aligning with risk appetite.
  • Check if there are established metrics and thresholds for measuring the effectiveness of incident response activities and their alignment with risk appetite.
  • Evaluate whether the organization conducts post-incident reviews to identify areas for improvement and ensure they align with risk appetite.
  • Assess the alignment of incident response procedures with the organization's risk appetite.

5. Business Continuity Planning

  • Has the organization conducted a business impact analysis to identify critical business functions and their dependencies?
  • Are there documented business continuity plans in place for critical functions?
  • Have the plans been tested and validated to ensure their effectiveness?
  • Are there defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions?
  • Is there a process for regularly reviewing and updating the business continuity plans?
  • Are employees aware of their roles and responsibilities during business disruption?
  • Has the organization identified alternative work locations or facilities in case of a site failure?
  • Are there established communication channels and procedures for coordinating the execution of business continuity plans?
  • Are business continuity plans aligned with the organization's risk appetite?
Checklist
  • Review the business impact analysis to identify critical business functions and their dependencies.
  • Assess the presence and effectiveness of documented business continuity plans for critical functions.
  • Verify if the plans have been tested and validated to ensure their effectiveness aligns with risk appetite.
  • Evaluate the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions and their alignment with risk appetite.
  • Assess the process for regularly reviewing and updating the business continuity plans to ensure they align with risk appetite.
  • Evaluate the awareness among employees regarding their roles and responsibilities in the event of business disruption and their alignment with risk appetite.
  • Verify the identification of alternative work locations or facilities in case of site failure and their alignment with risk appetite.
  • Assess the communication channels and procedures for coordinating the execution of business continuity plans and their alignment with risk appetite.
  • Evaluate the alignment of business continuity plans with the organization's risk appetite.

6. Testing and Exercising

  • Has the organization conducted regular testing and exercising of its operational resilience plans?
  • Are different scenarios and incidents considered during testing, including worst-case scenarios?
  • Is there a process for capturing and documenting lessons learned from testing exercises?
  • Are test results and findings communicated to relevant stakeholders for review and remediation?
  • Are there established criteria for evaluating the effectiveness of testing exercises?
  • Based on testing results, has the organization addressed any identified deficiencies or gaps in the operational resilience plans?
  • Are testing and exercising activities aligned with the organization's risk appetite?
Checklist
  • Assess whether the organization conducts regular testing and exercising of its operational resilience plans.
  • Evaluate if different scenarios and incidents, including worst-case scenarios, are considered during testing in alignment with risk appetite.
  • Verify the presence of a process for capturing and documenting lessons learned from testing exercises and their alignment with risk appetite.
  • Assess the communication of test results and findings to relevant stakeholders for review and remediation, aligning with risk appetite.
  • Verify the existence of established criteria for evaluating the effectiveness of testing exercises and their alignment with risk appetite.
  • Evaluate if the organization addresses identified deficiencies or gaps in operational resilience plans based on testing results and risk appetite.
  • Assess the alignment of testing and exercising activities with the organization's risk appetite.

7. Governance and Oversight

  • Does the organization have a designated governance body responsible for overseeing operational resilience?
  • Are governance responsibilities and decision-making authorities clearly defined?
  • Does governance regularly assess the organization's operational resilience strategy and plans?
  • Is there a process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs)?
  • Are there mechanisms to ensure compliance with applicable laws, regulations, and industry standards?
  • Does the organization have a risk appetite statement that includes operational resilience?
  • Are risk appetite thresholds and tolerances clearly defined for operational resilience?
  • Is there a process for regularly reviewing and updating the risk appetite statement?
  • Are governance and oversight activities aligned with the organization's risk appetite?
Checklist
  • Assess the presence of a designated governance body responsible for overseeing operational resilience.
  • Evaluate if governance responsibilities and decision-making authorities are clearly defined and align with risk appetite.
  • Review the regular review and assessment process for the organization's operational resilience strategy and plans, aligning with risk appetite.
  • Assess the process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs) in alignment with risk appetite.
  • Verify the mechanisms to ensure compliance with applicable laws, regulations, and industry standards, aligning with risk appetite.
  • Evaluate the presence and alignment of a risk appetite statement that includes operational resilience.
  • Assess the clarity and regular review process of risk appetite thresholds and tolerances for operational resilience.
  • Evaluate the overall alignment of governance and oversight activities with the organization's risk appetite.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Sustain] Questionnaires: Introduce Cultural Change


What is Cultural Change?

Organisational culture is not created by a memo or a decision from senior management; it develops over time, and it plays a crucial role in achieving organisational objectives, especially in the new area of operational resilience.

Amid rising expectations from key stakeholders, the executive management must foster an organizational culture of resilience to set appropriate expectations for critical stakeholders, including regulators, the board, customers, and employees.

 

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the first stage of the Sustain phase: Introduce Cultural Change.

Audit Checklist for Introduce Cultural Change

 

1. Leadership and Governance

  • Are senior leaders actively promoting a culture of operational resilience?
  • Do leaders demonstrate a strong commitment to operational resilience initiatives?
  • Are there clear roles and responsibilities assigned to individuals responsible for operational resilience?
  • Is a governance structure in place to oversee and drive operational resilience efforts?
Checklist
  • Review leadership statements and communications to assess their emphasis on operational resilience and cultural change.
  • Evaluate the organization's mission and vision statements to determine if they incorporate operational resilience as a core value.
  • Assess the effectiveness of leadership in fostering a culture that values resilience, adaptability, and continuous improvement.
  • Review organizational policies and procedures to ensure they align with operational resilience objectives and promote cultural change.
  • Assess the level of leadership involvement in decision-making related to operational resilience.
2. Communication and Awareness

  • Is there a comprehensive communication strategy to promote operational resilience and cultural change?
  • Are employees aware of the organization's operational resilience objectives and their role in achieving them?
  • Are there effective communication channels to report potential risks or disruptions?
  • Are regular training sessions conducted to enhance awareness of operational resilience and its importance?
Checklist
  • Assess the clarity, consistency, and frequency of internal communications related to operational resilience.
  • Evaluate the accessibility and usability of reporting channels for employees to raise concerns or report incidents.
  • Review training programs and materials to address operational resilience and cultural change adequately.
  • Evaluate the effectiveness of communication methods to inform employees about changes in processes, procedures, or policies related to operational resilience.
  • Assess the feedback mechanisms to gauge employee understanding and engagement with operational resilience initiatives.
3. Risk Assessment and Management

  • Are comprehensive risk assessments conducted to identify potential vulnerabilities and disruptions?
  • Is there a systematic process to prioritize and mitigate identified risks?
  • Are risk management practices integrated into business decision-making processes?
  • Is there a mechanism in place to track and monitor risk mitigation efforts?
Checklist
  • Review the organization's risk assessment methodology and evaluate its effectiveness in identifying operational vulnerabilities.
  • Assess the documentation of identified risks, including their potential impact and likelihood.
  • Evaluate the organization's risk mitigation strategies and controls to address identified risks.
  • Review incident response plans and assess their alignment with identified risks and mitigation strategies.
  • Evaluate the process for monitoring and reporting on risk mitigation efforts, including key performance indicators (KPIs) and metrics.

4. Business Continuity Planning

  • Are there documented business continuity plans in place for critical processes?
  • Have the plans been tested and validated through simulations or real-life scenarios?
  • Is there a process to review and update the plans periodically?
  • Are there clear guidelines for employees to follow during disruptions?
Checklist
  • Review the completeness and comprehensiveness of business continuity plans for critical processes.
  • Assess the level of engagement and participation from relevant stakeholders in developing business continuity plans.
  • Evaluate the effectiveness of testing and validation processes for business continuity plans.
  • Review the process for reviewing and updating business continuity plans to ensure their relevance and effectiveness.
  • Assess the availability and accessibility of business continuity plans for employees during disruptions.
5. Incident Response and Recovery

  • Is there a well-defined incident response plan to address operational disruptions?
  • Are key personnel trained on the response plan and their roles during incidents?
  • Is there a process to evaluate the effectiveness of incident response efforts?
  • Are lessons learned from past incidents incorporated into the response plan?
Checklist
  • Evaluate the clarity and comprehensiveness of the incident response plan.
  • Assess the level of awareness and training provided to key personnel on their roles and responsibilities during incidents.
  • Review the documentation and analysis of past incidents to identify lessons learned and areas for improvement.
  • Assess the effectiveness of incident response drills and exercises to validate the response plan.
  • Evaluate the process for capturing feedback and making necessary adjustments to the incident response plan based on lessons learned.

6. Performance Measuring and Monitoring

  • Are key performance indicators (KPIs) established to measure operational resilience?
  • Is there a process to monitor and report on the KPIs regularly?
  • Are there mechanisms in place to identify and address performance gaps?
  • Is there a culture of continuous improvement regarding operational resilience?
Checklist
  • Assess the establishment of relevant KPIs and metrics to measure operational resilience.
  • Review the monitoring and reporting processes to track and communicate performance against established KPIs.
  • Evaluate the effectiveness of mechanisms to identify and address performance gaps or areas for improvement.
  • Assess the level of organizational commitment to a culture of continuous improvement in operational resilience.
  • Review the process for capturing and implementing feedback from performance monitoring activities.

7. Change Management

  • Is there a structured change management process in place for operational resilience initiatives?
  • Are changes communicated effectively to employees and stakeholders?
  • Is there a mechanism to assess the impact of changes on operational resilience?
  • Are lessons learned from change management experiences incorporated into future initiatives?
Checklist
  • Assess the presence of a formal change management process for operational resilience initiatives.
  • Review the effectiveness of communication strategies used to inform employees and stakeholders about changes related to operational resilience.
  • Evaluate the process for assessing and managing the impact of changes on operational resilience.
  • Assess the incorporation of lessons from previous change management experiences into future initiatives.
  • Review the documentation and tracking of changes to operational resilience practices and procedures.

8. Vendor and Third-Party Management

  • Is there a robust vendor management program to assess and manage third-party risks?
  • Are contractual agreements in place to ensure operational resilience expectations are met?
  • Is there a process to regularly evaluate and monitor vendor performance?
  • Are there contingency plans in case of disruptions caused by vendors or third parties?
Checklist
  • Assess the adequacy of the vendor management program in identifying and addressing third-party risks.
  • Review contractual agreements to ensure they incorporate operational resilience requirements and expectations.
  • Evaluate the process for assessing and monitoring vendor performance related to operational resilience.
  • Assess the availability and effectiveness of contingency plans in case of disruptions caused by vendors or third parties.
  • Review incident or disruption data related to vendors or third parties and evaluate the organization's response and recovery processes.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

OR [Sustain] Questionnaires: Conduct Independent Quality Reviews


What is an Independent Quality Review?

A significant part of an independent quality review revolves around audit and assurance.  It contributes substantially to achieving organisational objectives and to value creation for shareholders and stakeholders, especially when implementing operational resilience.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  The fifth and final stage of the Sustain phase is to "Conduct Independent Quality Reviews."

Audit Checklist for Conduct Independent Quality Reviews


1. Documentation and Policy Review

  • Are operational resilience policies and procedures well-documented and up to date?
  • Is there evidence of a comprehensive operational resilience framework?
  • Are the policies and procedures aligned with industry best practices and regulatory requirements?
  • Are there clear guidelines and standards for operational resilience practices?
  • Is there evidence of senior management endorsement and approval of operational resilience policies?
Checklist
  • Review operational resilience policies and procedures documentation.
  • Assess the comprehensiveness and currency of the operational resilience framework.
  • Evaluate the alignment of policies and procedures with industry best practices and regulations.
  • Verify the presence of clear guidelines and standards for operational resilience practices.
  • Determine if senior management has endorsed and approved the operational resilience policies.

2. Training and Awareness

  • Has training on operational resilience been provided to employees at all levels?
  • Is there evidence of awareness campaigns and communication initiatives related to operational resilience?
  • Are training materials comprehensive and effectively communicated to employees?
  • Is there a mechanism to track and monitor employee completion of operational resilience training?
  • Are training programs periodically updated to reflect changes in operational resilience requirements?
Checklist
  • Verify the provision of operational resilience training to employees at all levels.
  • Assess the effectiveness of awareness campaigns and communication initiatives.
  • Evaluate the comprehensiveness and clarity of training materials.
  • Determine if there is a mechanism to track and monitor employee completion of training.
  • Review the process for updating training programs based on changes in requirements.

3. Testing and Exercise Evaluation

  • Have operational resilience plans and procedures been tested through exercises and simulations?
  • Is there a documented schedule for testing and exercising operational resilience capabilities?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
Checklist
  • Review documentation of operational resilience testing and exercise plans.
  • Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
  • Assess the analysis of testing results to identify areas for improvement.
  • Verify the existence of mechanisms to track and follow up on corrective actions.
  • Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

4. Incident Response Evaluation

  • Is there an incident response plan in place for operational resilience incidents?
  • Has the incident response plan been tested and validated?
  • Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
  • Is there a designated incident response team and a straightforward escalation process?
  • Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?
Checklist
  • Review the incident response plan documentation for operational resilience incidents.
  • Evaluate the testing and validation activities conducted on the incident response plan.
  • Assess the clarity and accuracy of roles, responsibilities, and communication channels.
  • Verify the incident response team's existence and composition and escalation process.
  • Determine if there is a process for post-incident analysis and continuous improvement.

5. Compliance and Regulatory Requirements

  • Are there mechanisms to monitor and ensure compliance with operational resilience regulations?
  • Is there evidence of regular assessments and audits to evaluate compliance?
  • Are compliance gaps and deficiencies promptly addressed and remediated?
  • Are there documented processes to stay updated with evolving regulatory requirements?
  • Are there precise mechanisms for reporting and escalating non-compliance issues?
Checklist
  • Evaluate the mechanisms to monitor and ensure compliance with operational resilience regulations.
  • Review evidence of regular assessments and audits to evaluate compliance.
  • Assess the effectiveness of processes for addressing compliance gaps and deficiencies.
  • Verify the existence of processes to stay updated with evolving regulatory requirements.
  • Determine the clarity and effectiveness of mechanisms for reporting and escalating non-compliance issues.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.


More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
