Operational Resilience Audit

ORA [Implement] Questionnaires: Identify Critical Business Services

Written by Moh Heng Goh | Jun 4, 2023 2:33:32 PM

Identify Critical Business Services

 

 
What is Critical Business Services?

Critical Business Service is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:

  • cause intolerable harm to any one or more of the organisation’s clients or
  • pose a risk to the soundness, stability or resilience of the industry, such as the financial industry, its system or the orderly operation of the markets.

This section is the "Implement" phase of the Operational Resilience Planning Methodology.  It is the first stage of the Implement phase: Identify Critical Business Services.

Audit Checklist for Identifying  Critical Business Services

 

1. Documentation and Governance
  • Are there documented policies, procedures, and guidelines related to critical business services?
  • Is a comprehensive operational resilience program outlining objectives, scope, roles, and responsibilities in place?
  • Is there a governance structure, such as oversight committees and reporting mechanisms, to ensure effective operational resilience management?
  
Checklist
  • Verify that a comprehensive operational resilience program outlines objectives, scope, roles, and responsibilities.
  • Review documentation of policies, procedures, and guidelines related to critical business services.
  • Assess the adequacy of governance structures, including oversight committees and reporting mechanisms.

2. Business Impact Analysis (BIA)
  • Has a business impact analysis (BIA) been conducted to identify critical business services and their dependencies?
  • How is the impact of disruptions on critical services assessed? What methodology is used?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are the BIA documentation and results accurate, up-to-date, and accessible to relevant stakeholders?
  • Are each critical business service's recovery time objectives (RTOs) and recovery point objectives (RPOs) defined?
Checklist
  • Review the BIA process for identifying critical business services and their dependencies.
  • Evaluate the methodology used to assess the impact of disruptions on critical services.
  • Validate the accuracy and currency of the BIA documentation.

3. Business Continuity (BC) Planning
  • Are there business continuity (BC) plans for critical business services?
  • Do the BC Plans align with the objectives of the operational resilience program?
  • Do the BC Plans include clear roles, responsibilities, and escalation procedures?
  
Checklist
  • Review the existence and completeness of BC Plans for critical business services.
  • Are BC Plans in place for each critical business service?
  • Assess the alignment of BC Plans with the objectives of the operational resilience program.
  • Validate that BC Plans include clear roles, responsibilities, and escalation procedures.
  • Have the BC Plans been tested and validated?
  • Are the BC Plans documented and easily accessible to relevant personnel?
  • Are there clearly defined procedures for invoking and executing the BC Plans?

4. Incident Response and Management
  • Is there an incident management framework tailored explicitly for critical business services?
  • Are there documented incident response procedures for critical business services?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
  • Is there an incident response and management framework for critical business services?
  • Are incident response plans in place, and do they align with the operational resilience program?
  • Are incident response plans regularly tested, updated, and communicated to relevant stakeholders?
  
Checklist
  • Evaluate the incident response and management framework for critical business services.
  • Assess the effectiveness of incident response plans and their alignment with the operational resilience program.
  • Verify that incident response plans are regularly tested, updated, and communicated to relevant stakeholders.

5. Communication and Stakeholder Management (During Disruption)
  • Is there a communication plan to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels to reach internal and external stakeholders?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
  • Are there effective communication channels and protocols during disruptions to critical business services?
  • Are communication plans in place and regularly updated?
  
Checklist
  • Assess the effectiveness of communication channels and protocols during disruptions.
  • Review the training and awareness programs related to operational resilience for employees.
  • Verify that communication plans are in place and regularly updated.

6. Vendor Management
  • Is there a process for assessing and monitoring the resilience of critical third-party vendors?
  • Are contracts and service level agreements (SLAs) with vendors inclusive of appropriate resilience requirements?
  • Are vendor management processes aligned with the operational resilience program?
Checklist
 
  • Evaluate the process for assessing and monitoring the resilience of critical third-party vendors.
  • Review contracts and service level agreements to ensure they include appropriate resilience requirements.
  • Verify that vendor management processes are aligned with the operational resilience program.

7. Change Management
  • Is there a change management process for critical business services?
  • Are change requests, approvals, and testing procedures adequately documented?
  • Does the change management process consider the potential impact on operational resilience?
  
Checklist
  • Assess the change management process for critical business services.
  • Review documentation of change requests, approvals, and testing procedures.
  • Verify that change management procedures consider the potential impact on operational resilience.

8. Reporting and Metrics
  • Is there a reporting framework for operational resilience, including key performance indicators (KPIs) and metrics?
  • How frequently are reports provided to management and relevant stakeholders?
  • Are the metrics aligned with the objectives of the operational resilience program?
  
Checklist
  • Evaluate the reporting framework for operational resilience, including key performance indicators (KPIs) and metrics.
  • Assess the frequency and content of reports provided to management and relevant stakeholders.
  • Verify that metrics are aligned with the objectives of the operational resilience program.

9. Testing and Exercising
  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are business continuity or crisis management plans in place to address disruptions in independent services?
  • Are regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?
Checklist
  • Review the testing and exercise program for critical business services.
  • Assess the frequency and comprehensiveness of testing, including scenario-based simulations.
  • Validate that lessons learned from testing and exercises are documented and incorporated into the operational resilience program.
 
Some steps may overlap with the other "Implement" phase stages.

 

Questionnaires and Checklist "Implement" Phase

 Identify Critical Business Services Map Processes and Resources

Set Impact Tolerance

Conduct Scenario Testing

Improve Lesson Learnt

 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

Please feel free to send us a note if you have any questions.
 
 
View full post