Operational Resilience Audit

Posts by:

Moh Heng Goh

Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects, a specialised BCM consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO 22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 50 organisations, particularly those operating in the Asia-Pacific and Middle-East regions, in the successful implementation of their Business Continuity Management System (BCMS) and in achieving BS 25999 / SS 540 / ISO 22301 organisation certification. Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organisations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its business continuity and crisis management. At Standard Chartered Bank Plc, he oversaw and managed the global implementation of its BC management and planning for 52 countries. He also managed the BCM practice at PricewaterhouseCoopers.

ORA [Plan] Questionnaires: Assess the Capability and Maturity

Assessing the Capability and Maturity

What is the Capability and Maturity Model?

Capability and maturity are models against which an organisation’s operational resilience performance can be measured and improved.

These capability and maturity models describe the essential elements of effective operational resilience processes and organisational work. How completely business services can be continued depends heavily on the rigour and quality of the method used to develop the programme.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the first stage of the Plan phase: Assessing the Capability and Maturity.

Useful terminology (BCMPedia): OR Maturity Level, OR Maturity Assessment, OR Capability Level, OR Capability Assessment.

Audit Checklist for Assessing the Capability and Maturity

1. Gap Analysis Process

  • Has a structured process been defined for conducting the gap analysis?
  • Are the objectives and scope of the gap analysis clearly defined?
  • Is there a designated team responsible for conducting the gap analysis?
  • Are the necessary resources allocated for conducting a thorough analysis?
  • Has a timeline or schedule been established for completing the gap analysis?

Checklist: Gap Analysis Process 

  • Review the documented process for conducting the gap analysis.
  • Evaluate the clarity and comprehensiveness of the defined objectives and scope.
  • Assess the qualifications and expertise of the team responsible for the analysis.
  • Verify that sufficient resources, such as personnel and technology, are available for the analysis.
  • Confirm the existence of a timeline or schedule for completing the gap analysis.

2. Identification of Current State

  • Has the current state of the operational resilience program been accurately assessed?
  • Are the program's key components, processes, and controls identified and documented?
  • Has the maturity level of each component been evaluated?
  • Are there any gaps or deficiencies identified in the current state?
  • Have relevant stakeholders been involved in the identification process?

Checklist: Identification of Current State

  • Verify the accuracy and comprehensiveness of the assessment of the current state of the operational resilience program.
  • Evaluate the documentation of key components, processes, and controls.
  • Assess the methodology used for evaluating the maturity level of each component.
  • Identify and document any identified gaps or deficiencies in the current state.
  • Confirm the involvement of relevant stakeholders in the identification process.

3. Desired Future State

  • Has a desired future state for the operational resilience program been defined?
  • Are there specific objectives and targets for each component of the program?
  • Is the desired future state aligned with regulatory requirements and industry best practices?
  • Are the resources and capabilities required for achieving the desired future state identified?
  • Has a roadmap or action plan been developed to bridge the gap between the current and desired future state?

Checklist: Desired Future State

  • Review the documentation of the desired future state for the operational resilience program.
  • Evaluate the clarity and specificity of the defined objectives and targets.
  • Verify the alignment of the desired future state with regulatory requirements and industry best practices.
  • Assess the identification of resources and capabilities needed to achieve the desired future state.
  • Confirm the existence of a roadmap or action plan for bridging the gap between the current state and the desired future state.

4. Risk Assessment and Prioritization

  • Has a risk assessment been conducted to identify the risks of closing the gap?
  • Are the identified risks prioritized based on their potential impact and likelihood?
  • Has a mitigation strategy been developed for each identified risk?
  • Are the resources and efforts allocated appropriately based on risk prioritization?
  • Have appropriate stakeholders reviewed and approved the risk assessment and prioritization?

Checklist: Risk Assessment and Prioritization

  • Verify the completion of a risk assessment specifically focused on the gap analysis process.
  • Evaluate the methodology used for prioritizing the identified risks.
  • Assess the effectiveness and feasibility of the mitigation strategies developed for each risk.
  • Review the allocation of resources and efforts based on risk prioritization.
  • Confirm the review and approval of the risk assessment and prioritization by appropriate stakeholders.

4. Business Impact Analysis

  • Has a comprehensive BIA been conducted to identify critical business processes, dependencies, and their impact on the organization?
  • Does each critical process have clearly defined recovery time objectives (RTOs) and recovery point objectives (RPOs)?
  • Has the BIA identified and assessed the potential financial, operational, reputational, and regulatory impacts of disruptions to critical processes?
  • Are there documented strategies and plans to mitigate the identified risks and ensure timely recovery?
    Note: The Identification and Review of Critical Business Services are discussed in the "Implement" phase of the planning methodology.

Checklist: Business Impact Analysis

  • Review the documentation of the BIA process, including its objectives and scope.
  • Evaluate the accuracy and completeness of critical process identification and dependency mapping.
  • Assess the identification and documentation of RTOs and RPOs for each critical process.
  • Verify that financial, operational, reputational, and regulatory impact assessments are included in the BIA.
  • Review the mitigation strategies and recovery plans developed based on the BIA findings.

5. Risk Assessment

  • Has a risk assessment been conducted to identify and evaluate potential threats and vulnerabilities to the operational resilience program?
  • Are there documented processes to identify, assess, and prioritize risks?
  • Has the likelihood and potential impact of identified risks been analyzed?
  • Are risk mitigation strategies and controls in place to address identified risks?
  • Is there a process for regularly reviewing and updating the risk assessment?

Checklist: Risk Assessment

  • Verify the completion of a risk assessment specifically focused on the operational resilience program.
  • Evaluate the adequacy and effectiveness of the risk identification and assessment processes.
  • Assess the accuracy and comprehensiveness of the risk likelihood and impact analysis.
  • Review the documented risk mitigation strategies and controls implemented to address identified risks.
  • Determine if a process is in place to review and update the risk assessment periodically.

6. Business Continuity Planning

  • Has a BC Planning framework been established to guide the development and implementation of business continuity plans?
  • Are there documented business continuity plans for critical processes and systems?
  • Have the plans been tested and validated through exercises and simulations?
  • Are roles, responsibilities, and communication channels clearly defined within the business continuity plans?
  • Is there a process to periodically review and update the business continuity plans?

Checklist: Business Continuity Planning

  • Review the documented BCP framework and its alignment with industry standards and best practices.
  • Evaluate the existence and adequacy of business continuity plans for critical processes and systems.
  • Assess the documentation of testing and validation activities conducted on the business continuity plans.
  • Verify the clarity and accuracy of the plans' roles, responsibilities, and communication channels.
  • Determine if a process is in place to review and update the business continuity plans periodically.

7. Incident Response/IT Disaster Recovery

  • Are there documented incident response and IT disaster recovery plans?
  • Have the plans been tested and validated through exercises and simulations?
  • Is there a designated incident response team and a straightforward escalation process?
  • Are there backup and recovery mechanisms for critical IT systems and data?
  • Is there a process for continuously monitoring and improving incident response and IT disaster recovery capabilities?

Checklist: Incident Response/IT Disaster Recovery

  • Verify the existence and adequacy of documented incident response and IT disaster recovery plans.
  • Evaluate the documentation of testing and validation activities conducted on the plans.
  • Assess the existence and composition of the incident response team and the clarity of the escalation process.
  • Review the backup and recovery mechanisms implemented for critical IT systems and data.
  • Determine if a process is in place for continuously monitoring and improving incident response and IT disaster recovery capabilities.

8. Vendor and Third-Party Management

  • Is there a comprehensive process in place to assess and manage the risks associated with vendors and third-party service providers?
  • Are there documented criteria for selecting vendors and conducting due diligence?
  • Is there a mechanism to monitor and ensure the ongoing compliance of vendors with operational resilience requirements?
  • Are there contingency plans and alternate arrangements in place in case of disruptions from vendors or third-party service providers?
  • Are there processes to periodically review and assess the effectiveness of vendor and third-party management practices?

Checklist: Vendor and Third-Party Management

  • Review the documented vendor and third-party management processes and procedures.
  • Evaluate the criteria used for vendor selection and due diligence.
  • Assess the effectiveness of ongoing monitoring and compliance management mechanisms.
  • Verify the existence of contingency plans and alternate arrangements for vendor disruptions.
  • Determine if periodic reviews and assessments of vendor and third-party management practices exist.

9. Training and Awareness

  • Is there a training program in place to educate employees about operational resilience policies, procedures, and best practices?
  • Are employees aware of their roles and responsibilities regarding operational resilience?
  • Are there regular communication and awareness campaigns to promote a culture of operational resilience?
  • Are training programs periodically updated to reflect changes in operational resilience requirements?
  • Is there a mechanism to track and monitor employee completion of required operational resilience training?

Checklist: Training and Awareness

  • Review the documentation of the training program for operational resilience.
  • Evaluate the effectiveness and comprehensiveness of the training materials and resources.
  • Assess the clarity and understanding of employee roles and responsibilities.
  • Verify the existence of regular communication and awareness campaigns.
  • Determine if a mechanism exists to track and monitor employee completion of operational resilience training.

10. Governance and Oversight

  • Is there a well-defined governance framework and structure for operational resilience?
  • Are individuals or teams responsible for operational resilience assigned clear roles, responsibilities, and accountabilities?
  • Is there a mechanism to ensure oversight and monitoring of operational resilience activities?
  • Are there regular reporting and escalation processes to senior management or the board of directors?
  • Are there mechanisms to review and update the governance framework and structure as needed?

Checklist: Governance and Oversight 

  • Review the documented governance framework and structure for operational resilience.
  • Evaluate the clarity and effectiveness of assigned roles, responsibilities, and accountabilities.
  • Assess the mechanisms in place for oversight and monitoring of operational resilience activities.
  • Verify the existence of regular reporting and escalation processes to senior management or the board.
  • Determine if there are mechanisms to review and update the governance framework and structure.

11. Business Continuity and Resilience Testing

  • Are there documented plans and procedures for testing the effectiveness of business continuity and resilience measures?
  • Is there a schedule for conducting regular testing and exercises?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed and used to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?

Checklist: Business Continuity and Resilience Testing

  • Review the documented plans and procedures for business continuity and resilience testing.
  • Evaluate the adequacy of the testing schedule and the consideration of different scenarios.
  • Assess the analysis and use of testing results for improvement and corrective actions.
  • Verify the existence of mechanisms to track and follow up on the implementation of corrective actions.
  • Determine if there is a process to document lessons learned from testing and exercises.

12. Continuous Improvement

  • Is there a process to identify and address gaps and deficiencies in the operational resilience program?
  • Are there mechanisms to capture and document lessons learned from incidents, tests, and exercises?
  • Is there a feedback loop to ensure that identified improvements are implemented?
  • Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
  • Is there a culture of continuous improvement and learning within the organization?

Checklist: Continuous Improvement

  • Review the process for identifying and addressing gaps and deficiencies in the operational resilience program.
  • Evaluate the mechanisms to capture and document lessons learned from incidents, tests, and exercises.
  • Assess the feedback loop to ensure the implementation of identified improvements.
  • Verify the existence of metrics and performance indicators for measuring program effectiveness.
  • Determine if there is evidence of a culture of continuous improvement and learning within the organization.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Implement] Questionnaires: Set Impact Tolerance

Set Impact Tolerance

What is Impact Tolerance?

Impact tolerance is the maximum tolerable level of disruption to a critical business service; setting it fixes that limit for each service.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the third stage of the Implement phase: Set Impact Tolerance.

Audit Checklist for Identifying and Setting Impact Tolerance

1. Understanding Critical Business Services

  • Verify the documentation of critical business services and their dependencies.
  • How well does the organization understand the interdependencies and dependencies of critical business services?
  • Are the definitions and boundaries of critical business services clearly defined?

Checklist: Understanding Critical Business Services

  • Verify the documentation of critical business services and their dependencies.
  • How well does the organization understand the interdependencies and dependencies of critical business services?
  • Are the definitions and boundaries of critical business services clearly defined?

2. Impact Tolerance Framework

  • Does the organization have an impact tolerance framework or policy in place?
  • Are there predefined thresholds for various impacts (financial, operational, reputational, regulatory)?
  • How well does the impact tolerance framework align with the organization's risk appetite and strategic objectives?

Checklist: Impact Tolerance Framework

  • Verify the existence of an impact tolerance framework or policy within the operational resilience program.
  • Evaluate if the impact tolerance framework includes specific thresholds for different types of impacts.
  • Assess the alignment between the impact tolerance framework and the organization's risk appetite and strategic objectives.

3. Identification of Impact Tolerances

  • What is the process for identifying impact tolerances for each critical business service?
  • Were critical stakeholders involved in determining the impact tolerances?
  • Are the impact tolerances based on a thorough analysis of potential impacts, considering various scenarios and threat vectors?

Checklist: Identification of Impact Tolerances

  • Review the methodology and approach to determine impact tolerances for critical business services.
  • Assess relevant stakeholders' level of involvement and engagement in setting impact tolerances.
  • Evaluate the robustness and comprehensiveness of the analysis conducted to establish impact tolerances.

4. Quantitative and Qualitative Measures

  • Does the organisation use quantitative and qualitative measures to set impact tolerances?
  • Are specific quantitative measures, such as recovery time objectives (RTOs) and recovery point objectives (RPOs), included in the impact tolerances?
  • How are qualitative factors, such as customer perception and brand reputation, incorporated into setting impact tolerances?

Checklist: Quantitative and Qualitative Measures

  • Verify whether measurable and subjective criteria are considered in setting impact tolerances.
  • Assess if the impact tolerances include measurable criteria for recovery time and recovery point objectives.
  • Evaluate if subjective factors are adequately considered in the establishment of impact tolerances.

5. Documentation and Communication

  • Are the impact tolerances for critical business services adequately documented?
  • How precise and accessible are the documented impact tolerances?
  • How are the impact tolerances communicated to relevant stakeholders, including management, operational teams, and third-party vendors?

Checklist: Documentation and Communication

  • Verify the existence and completeness of documentation for the established impact tolerances.
  • Assess the clarity and availability of the documented impact tolerances to relevant stakeholders.
  • Evaluate the communication process and the mechanisms for disseminating impact tolerances to relevant parties.

6. Alignment with Business Continuity Plans

  • How well do the impact tolerances align with the organization's business continuity (BC) plans?
  • Do the BC plans address the identified impact tolerances for each critical business service?
  • Is there evidence of testing the BC plans against the impact tolerances?

Checklist: Alignment with Business Continuity Plans

  • Assess the alignment between the established impact tolerances and the corresponding measures in the BCPs.
  • Verify if the BCPs incorporate specific provisions to address the established impact tolerances.
  • Assess if the BCPs have been tested to ensure their effectiveness in meeting the impact tolerances.

7. Monitoring and Reporting

  • How is the performance of critical business services against the impact tolerances monitored?
  • Are regular assessments and measurements conducted to track adherence to the impact tolerances?
  • How are the results of impact tolerance monitoring communicated to relevant stakeholders?

Checklist: Monitoring and Reporting

  • Evaluate the mechanisms and processes in place for monitoring the performance of critical business services.
  • Assess the frequency and comprehensiveness of assessments to evaluate adherence to the impact tolerances.
  • Evaluate the reporting framework for sharing the outcomes of impact tolerance monitoring with relevant stakeholders.

8. Continuous Review and Adjustments

  • How often are impact tolerances reviewed and adjusted?
  • What triggers a review or adjustment of impact tolerances?
  • Are there mechanisms to capture lessons learned from incidents and near misses to inform adjustments to impact tolerances?

Checklist: Continuous Review and Adjustments

  • Assess the frequency and timeliness of reviews and adjustments to impact tolerances.
  • Determine the circumstances or factors that prompt a review or adjustment of impact tolerances.
  • Evaluate if there are processes to incorporate insights from incidents and near misses into adjusting impact tolerances.

Some steps may overlap with the other "Implement" phase stages.

ORA [Implement] Questionnaires: Map Processes and Resources

Mapping of Processes and Resources

What is the Mapping of Processes and Resources?

Mapping is identifying, documenting and understanding the activities involved in delivering critical business services.

An organisation should identify, document and map the people, processes, information, technology, facilities, and third-party service providers required to deliver each of its critical business services. This exercise should be undertaken collaboratively across the business to ensure comprehensive mapping.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the second stage of the Implement phase: Mapping of Processes and Resources.

Audit Checklist for Mapping of Processes and Resources

1. People

  • Are key roles and responsibilities clearly defined for supporting the delivery of products and services?
  • Is there an organisational structure that ensures appropriate staffing levels and reporting lines?
  • Are succession plans in place to mitigate risks associated with key personnel dependencies?
  • Is there a process for identifying and addressing skill gaps or training needs?

2. Processes

  • Are the critical processes for delivering products and services identified and documented?
  • Are there documented procedures and workflows for each critical process?
  • Are process owners assigned and accountable for the effectiveness and efficiency of the processes?
  • Is there a process for regularly reviewing and updating documented procedures?

3. Technology

  • Have the necessary technology systems and applications for delivering products and services been identified?
  • Is there a comprehensive inventory of technology assets, including hardware, software, and networks?
  • Are there backup and recovery procedures in place for critical technology systems?
  • Is there a process for monitoring and updating technology infrastructure to ensure reliability and security?

4. Facilities

  • Are the physical facilities required for delivering products and services identified?
  • Is there an assessment of the adequacy and reliability of the facilities?
  • Are contingency plans in place to address facility disruptions, such as alternate locations or remote work capabilities?
  • Is there a process for maintaining and testing the infrastructure and facilities?

5. Information

  • Is there a clear understanding of the information required to support the delivery of products and services?
  • Are systems and procedures in place to ensure information integrity, availability, and confidentiality?
  • Is there a backup and recovery strategy for critical information and data?
  • Are there mechanisms for regular data backups, testing of data restoration, and protection against data breaches?

6. Inter-dependencies and Inter-connections

  • Have the dependencies and interconnections among people, processes, technology, facilities, and information been identified and documented?
  • Is there an understanding of how disruptions to one resource can impact others?
  • Are there contingency plans in place to address disruptions in dependent resources?
  • Is there a process for regularly reviewing and updating the mapping of dependencies and interconnections?

7. Performance Monitoring

  • Is there a monitoring process to track the performance and availability of resources?
  • Are there defined metrics and indicators to measure the effectiveness and efficiency of resource utilisation?
  • Is there a reporting mechanism to communicate resource performance to relevant stakeholders?
  • Are there mechanisms to identify and address resource bottlenecks or capacity constraints?

8. Testing and Validation

  • Are resources tested and validated through exercises and simulations?
  • Is there a process to assess whether the resources can adequately support the delivery of products and services?
  • Are testing and validation results used to refine and improve resource mapping and related plans?

9. Documentation and Communication

  • Is the mapping of resources well-documented and easily accessible to relevant personnel?
  • Is there clear communication of roles, responsibilities, and dependencies among stakeholders?
  • Are there mechanisms to ensure resource mapping updates are effectively communicated to relevant parties?
  • Is there a process for addressing feedback and incorporating suggestions for resource optimisation?

10. Continuous Improvement

  • Is there a process to capture and incorporate lessons learned from disruptions into resource mapping and planning?
  • Is there a culture of continuous improvement to enhance the organisation's ability to deliver products and services?
  • Are resource mapping and planning regularly reviewed to ensure they remain aligned with the organisation's objectives and evolving needs?

Note that some steps may overlap with the other "Implement" phase stages.

ORA [Implement] Questionnaires: Identify Critical Business Services

Identify Critical Business Services

What are Critical Business Services?

A Critical Business Service is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:

  • cause intolerable harm to any one or more of the organisation’s clients or
  • pose a risk to the soundness, stability or resilience of the industry, such as the financial industry, its system or the orderly operation of the markets.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the first stage of the Implement phase: Identify Critical Business Services.

Audit Checklist for Identifying Critical Business Services

1. Documentation and Governance

  • Are there documented policies, procedures, and guidelines related to critical business services?
  • Is a comprehensive operational resilience program outlining objectives, scope, roles, and responsibilities in place?
  • Is there a governance structure, such as oversight committees and reporting mechanisms, to ensure effective operational resilience management?

Checklist: Documentation and Governance

  • Verify that a comprehensive operational resilience program outlines objectives, scope, roles, and responsibilities.
  • Review documentation of policies, procedures, and guidelines related to critical business services.
  • Assess the adequacy of governance structures, including oversight committees and reporting mechanisms.

2. Business Impact Analysis (BIA)

  • Has a business impact analysis (BIA) been conducted to identify critical business services and their dependencies?
  • How is the impact of disruptions on critical services assessed, and what methodology is used?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are the BIA documentation and results accurate, up-to-date, and accessible to relevant stakeholders?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for each critical business service?
 
Checklist
  • Review the BIA process for identifying critical business services and their dependencies.
  • Evaluate the methodology used to assess the financial, operational, and reputational impact of disruptions on critical services.
  • Confirm that an RTO and an RPO are defined for each critical business service.
  • Validate the accuracy and currency of the BIA documentation, and that it is accessible to relevant stakeholders.

3. Business Continuity (BC) Planning

  • Is there a business continuity (BC) plan for each critical business service?
  • Do the BC Plans align with the objectives of the operational resilience program?
  • Do the BC Plans include clear roles, responsibilities, and escalation procedures?
  • Are there clearly defined procedures for invoking and executing the BC Plans?
  • Have the BC Plans been tested and validated?
  • Are the BC Plans documented and easily accessible to relevant personnel?
 
Checklist
  • Review the existence and completeness of a BC Plan for each critical business service.
  • Assess the alignment of BC Plans with the objectives of the operational resilience program.
  • Validate that BC Plans include clear roles, responsibilities, escalation procedures, and invocation procedures.
  • Confirm that BC Plans have been tested and validated, and that they are accessible to the personnel who must execute them.

4. Incident Response and Management

  • Is there an incident response and management framework tailored explicitly for critical business services?
  • Are there documented incident response procedures and plans for critical business services, and do they align with the operational resilience program?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
  • Are incident response plans regularly tested, updated, and communicated to relevant stakeholders?
 
Checklist
  • Evaluate the incident response and management framework for critical business services.
  • Assess the effectiveness of incident response plans and their alignment with the operational resilience program.
  • Verify that incidents affecting critical business services are tracked and reported.
  • Verify that incident response plans are regularly tested, updated, and communicated to relevant stakeholders.

5. Communication and Stakeholder Management (During Disruption)

  • Is there a communication plan, kept regularly updated, to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels and protocols to reach internal and external stakeholders during a disruption?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
 
Checklist
  • Assess the effectiveness of communication channels and protocols during disruptions.
  • Verify that communication plans are in place and regularly updated.
  • Review the training and awareness programs related to operational resilience for employees.

6. Vendor Management

  • Is there a process for assessing and monitoring the resilience of critical third-party vendors?
  • Are contracts and service level agreements (SLAs) with vendors inclusive of appropriate resilience requirements?
  • Are vendor management processes aligned with the operational resilience program?
Checklist
  • Evaluate the process for assessing and monitoring the resilience of critical third-party vendors.
  • Review contracts and service level agreements to ensure they include appropriate resilience requirements.
  • Verify that vendor management processes are aligned with the operational resilience program.

7. Change Management

  • Is there a change management process for critical business services?
  • Are change requests, approvals, and testing procedures adequately documented?
  • Does the change management process consider the potential impact on operational resilience?
 
Checklist
  • Assess the change management process for critical business services.
  • Review documentation of change requests, approvals, and testing procedures.
  • Verify that change management procedures consider the potential impact on operational resilience.

8. Reporting and Metrics

  • Is there a reporting framework for operational resilience, including key performance indicators (KPIs) and metrics?
  • How frequently are reports provided to management and relevant stakeholders?
  • Are the metrics aligned with the objectives of the operational resilience program?
 
Checklist
  • Evaluate the reporting framework for operational resilience, including key performance indicators (KPIs) and metrics.
  • Assess the frequency and content of reports provided to management and relevant stakeholders.
  • Verify that metrics are aligned with the objectives of the operational resilience program.

9. Dependency Mapping

  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are business continuity or crisis management plans in place to address disruptions in interdependent services?
 
Checklist
  • Review the mapping of dependencies between critical business services and their supporting functions, systems, and vendors.
  • Verify that BC or crisis management plans address disruptions originating in interdependent services.

10. Testing and Exercising

  • Are regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?
 
Checklist
  • Review the testing and exercise program for critical business services.
  • Assess the frequency and comprehensiveness of testing, including scenario-based simulations.
  • Validate that lessons learned from testing and exercises are documented and incorporated into the operational resilience program.
 
Some steps may overlap with the other "Implement" phase stages.

 


Questionnaires and Checklist for the "Implement" Phase

  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve (Lessons Learnt)


 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
