Analyse the Gap: Concentration Risk
|
|
What is Concentration Risk?
Concentration Risk refers to the vulnerability and potential impact that arises from a significant dependence or concentration of critical operations, resources, or dependencies within an organization.
It occurs when there is an overreliance on a single point of failure or a limited number of entities, systems, or processes that, if disrupted, could significantly impact the organization's ability to deliver its critical services or functions.
|
This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Analyse Gap.
These questions, checklists, and details should help assess the concentration risk and operational resilience measures related to primary-secondary site operation, critical business functions segregation, split team and backup team arrangements cross-training cross-border support, and alternative service provider considerations and requirements of the MAS BCM Policy.
Audit Checklist for Analysing the Gap: Concentration Risk
1. Primary-Secondary Site Operation
|
- Are primary and secondary sites geographically distant enough to mitigate the impact of a localised event?
- Is there a documented plan for transitioning operations from primary to secondary sites?
- Has the secondary site been tested for readiness and functionality?
- Are the necessary infrastructure and resources available at the secondary site?
- Are there redundant systems in place to ensure seamless operations during the transition?
|
|
Checklist
|
- Verify if the primary and secondary sites are geographically distant enough to mitigate localised events.
- Review the documented plan for transitioning operations from primary to secondary sites.
- Assess if the secondary site has been tested for readiness and functionality.
- Verify the availability of necessary infrastructure and resources at the secondary site.
- Assess the presence of redundant systems to ensure seamless operations during the transition.
|
2. Critical Business Functions Segregation
|
- Are critical business functions identified and documented?
- Is there segregation of critical business functions across different locations?
- Have dependencies between critical business functions been assessed and addressed?
- Is there a contingency plan to maintain critical business functions during disruption at one location?
- Are there regular tests or drills to validate the effectiveness of critical business function segregation?
|
| Checklists |
- Determine if critical business functions have been identified and documented.
- Assess the segregation of critical business functions across different locations.
- Review the assessment and addressing of dependencies between critical business functions.
- Verify the existence of a contingency plan to maintain critical business functions in case of disruption at one location.
- Assess the regular testing or drills to validate the effectiveness of critical business function segregation.
|
3. Split Team and Backup Team Arrangements
|
- Are split team arrangements established to ensure business continuity in the event of staff unavailability?
- Is there a clear communication plan for coordinating split team operations?
- Are backup teams identified and trained to take over in case of primary team unavailability?
- Has the effectiveness of split and backup team arrangements been tested in simulated scenarios?
- Are there documented procedures for transitioning between primary and backup teams?
|
Checklists
|
- Verify the establishment of split team arrangements to ensure business continuity during staff unavailability.
- Assess the presence of a clear communication plan for coordinating split team operations.
- Review the identification and training of backup teams to take over in case of primary team unavailability.
- Verify the testing of the split team and backup team arrangements in simulated scenarios.
- Assess the availability of documented procedures for transitioning between primary and backup teams.
|
4. Cross-Training
|
- Are employees cross-trained to perform multiple roles within critical business functions?
- Is a training program in place to ensure employees have the necessary skills for cross-functional roles?
- Are cross-training records maintained for tracking employee capabilities?
- Is cross-training periodically tested or validated through drills or exercises?
- Are there escalation procedures in place to address skill gaps during disruptions?
|
| Checklists |
- Determine if employees are cross-trained to perform multiple roles within critical business functions.
- Assess the presence of a training program to ensure employees have the necessary skills for cross-functional roles.
- Review the maintenance of cross-training records for tracking employee capabilities.
- Verify the periodic testing or validation of cross-training through drills or exercises.
- Assess the presence of escalation procedures to address skill gaps during disruptions.
|
- Are there dependencies on systems, processes, or resources located in other countries?
- Are the risks associated with cross-border dependencies identified and assessed?
- Is there a contingency plan in place to address disruptions in cross-border support?
- Have legal, regulatory, or compliance considerations related to cross-border operations been addressed?
- Are there alternative arrangements or redundancies for critical cross-border dependencies?
|
Checklists
|
- Determine if there are dependencies on systems, processes, or resources in other countries.
- Assess the identification and assessment of risks associated with cross-border dependencies.
- Verify the presence of a contingency plan to address disruptions in cross-border support.
- Review addressing legal, regulatory, or compliance considerations related to cross-border operations.
- Assess the presence of alternative arrangements or redundancies for critical cross-border dependencies.
|
6. Alternative Service Provider
|
- Are alternative service providers identified for critical business functions?
- Have due diligence assessments been conducted for alternative service providers?
- Is there a documented plan for transitioning to alternative service providers during disruptions?
- Are contractual agreements with alternative service providers in place and up to date?
- Has the feasibility and effectiveness of alternative service providers been tested or validated?
|
| Checklists |
| |
Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
|
|
|
Questionnaires and Checklist "Plan" Phase
|
Assess Capability and Maturity |
Analyse Gap |
Develop Strategy Roadmap
|
Confirm Risk Appetite
|
Develop and Embed Governance
|
|
|
|
|
|
|
|
Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]
|
|
|
|
|
|
|
|
|
|
Please feel free to send us a note if you have any of these questions.
|
|