Analyse the Gap
|
|
What is Gap Analysis in OR?
A gap analysis is a method of assessing the performance of a business unit to determine whether operational resilience requirements or objectives are being met and, if not, what steps should be taken to meet them.
A gap analysis is called a needs analysis, needs assessment or need-gap analysis.
|
This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Analyse Gap.
Audit Checklist for Analysing the Gap
- Has a structured process been defined for conducting the gap analysis?
- Are the objectives and scope of the gap analysis clearly defined?
- Is there a designated team responsible for conducting the gap analysis?
- Are the necessary resources allocated for conducting a thorough analysis?
- Has a timeline or schedule been established for completing the gap analysis?
|
|
Checklist: Gap Analysis Process
|
- Review the documented process for conducting the gap analysis.
- Evaluate the clarity and comprehensiveness of the defined objectives and scope.
- Assess the qualifications and expertise of the team responsible for the analysis.
- Verify that sufficient resources, such as personnel and technology, are available for the analysis.
- Confirm the existence of a timeline or schedule for completing the gap analysis.
|
2. Identification of Current State
|
- Has the current state of the operational resilience program been accurately assessed?
- Are the program's key components, processes, and controls identified and documented?
- Has the maturity level of each component been evaluated?
- Are there any gaps or deficiencies identified in the current state?
- Have relevant stakeholders been involved in the identification process?
|
|
Checklist: Identification of Current State
|
- Verify the accuracy and comprehensiveness of the assessment of the current state of the operational resilience program.
- Evaluate the documentation of key components, processes, and controls.
- Assess the methodology used for evaluating the maturity level of each component.
- Identify and document any identified gaps or deficiencies in the current state.
- Confirm the involvement of relevant stakeholders in the identification process.
|
- Has a desired future state for the operational resilience program been defined?
- Are there specific objectives and targets for each component of the program?
- Is the desired future state aligned with regulatory requirements and industry best practices?
- Are the resources and capabilities required for achieving the desired future state identified?
- Has a roadmap or action plan been developed to bridge the gap between the current and desired future state?
|
Checklist: Desired Future State
|
- Review the documentation of the desired future state for the operational resilience program.
- Evaluate the clarity and specificity of the defined objectives and targets.
- Verify the alignment of the desired future state with regulatory requirements and industry best practices.
- Assess the identification of resources and capabilities needed to achieve the desired future state.
- Confirm the existence of a roadmap or action plan for bridging the gap between the current state and the desired future state.
|
4. Risk Assessment and Prioritization
|
- Has a risk assessment been conducted to identify the risks of closing the gap?
- Are the identified risks prioritized based on their potential impact and likelihood?
- Has a mitigation strategy been developed for each identified risk?
- Are the resources and efforts allocated appropriately based on risk prioritization?
- Have appropriate stakeholders reviewed and approved the risk assessment and prioritization?
|
|
Checklist: Risk Assessment and Prioritisation
|
5. Business Impact Analysis
|
- Has a comprehensive BIA been conducted to identify critical business processes, dependencies, and their impact on the organization?
- Are each critical process clearly defined recovery time objectives (RTOs) and recovery point objectives (RPOs)?
- Has the BIA identified and assessed the potential financial, operational, reputational, and regulatory impacts of disruptions to critical processes?
- Are there documented strategies and plans to mitigate the identified risks and ensure timely recovery?
|
Checklist: Business Impact Analysis
|
- Has a risk assessment been conducted to identify and evaluate potential threats and vulnerabilities to the operational resilience program?
- Are there documented processes to identify, assess, and prioritize risks?
- Has the likelihood and potential impact of identified risks been analyzed?
- Are risk mitigation strategies and controls in place to address identified risks?
- Is there a process for regularly reviewing and updating the risk assessment?
|
Checklist: Risk Assessment
|
- Verify the completion of a risk assessment specifically focused on the operational resilience program.
- Evaluate the adequacy and effectiveness of the risk identification and assessment processes.
- Assess the accuracy and comprehensiveness of the risk likelihood and impact analysis.
- Review the documented risk mitigation strategies and controls implemented to address identified risks.
- Determine if a process is in place to review and update the risk assessment periodically.
|
7. Business Continuity Planning
|
- Has a BCP framework been established to guide the development and implementation of business continuity plans?
- Are there documented business continuity plans for critical processes and systems?
- Have the plans been tested and validated through exercises and simulations?
- Are roles, responsibilities, and communication channels clearly defined within the business continuity plans?
- Is there a process to periodically review and update the business continuity plans?
|
|
Checklist: Business Continuity Planning
|
- Review the documented BCP framework and its alignment with industry standards and best practices.
- Evaluate the existence and adequacy of business continuity plans for critical processes and systems.
- Assess the documentation of testing and validation activities conducted on the business continuity plans.
- Verify the clarity and accuracy of the plans' roles, responsibilities, and communication channels.
- Determine if a process is in place to review and update the business continuity plans periodically.
|
8. Incident Response/IT Disaster Recovery
|
- Is there documented incident response and IT disaster recovery plans?
- Have the plans been tested and validated through exercises and simulations?
- Is there a designated incident response team and a clear escalation process?
- Are there backup and recovery mechanisms in place for critical IT systems and data?
- Is there a process for continuously monitoring and improving incident response and IT disaster recovery capabilities?
|
Checklist: Incident Response/IT Disaster Recovery
|
- Verify the existence and adequacy of documented incident response and IT disaster recovery plans.
- Evaluate the documentation of testing and validation activities conducted on the plans.
- Assess the existence and composition of the incident response team and the clarity of the escalation process.
- Review the backup and recovery mechanisms implemented for critical IT systems and data.
- Determine if a process is in place for continuous monitoring and improvement of incident response and IT disaster recovery capabilities.
|
9. Vendor and Third-Party Management
|
- Is there a comprehensive process in place to assess and manage the risks associated with vendors and third-party service providers
- Are there documented criteria for selecting vendors and conducting due diligence?
- Is there a mechanism to monitor and ensure the ongoing compliance of vendors with operational resilience requirements?
- Are contingency plans and alternate arrangements in case of disruptions from vendors or third-party service providers?
- Are there processes to periodically review and assess the effectiveness of vendor and third-party management practices?
|
Checklist: Vendor and Third-Party Management
|
- Review the documented vendor and third-party management processes and procedures.
- Evaluate the criteria used for vendor selection and due diligence.
- Assess the effectiveness of ongoing monitoring and compliance management mechanisms.
- Verify the existence of contingency plans and alternate arrangements for vendor disruptions.
- Determine if periodic reviews and assessments of vendor and third-party management practices exist.
10. Training and Awareness
|
- Is there a training program in place to educate employees about operational resilience policies, procedures, and best practices?
- Are employees aware of their roles and responsibilities regarding operational resilience?
- Are there regular communication and awareness campaigns to promote a culture of operational resilience?
- Are training programs periodically updated to reflect changes in operational resilience requirements?
- Is there a mechanism to track and monitor employee completion of required operational resilience training?
|
Checklist: Training and Awareness
|
- Review the documentation of the training program for operational resilience.
- Evaluate the effectiveness and comprehensiveness of the training materials and resources.
- Assess the clarity and understanding of employee roles and responsibilities.
- Verify the existence of regular communication and awareness campaigns.
- Determine if a mechanism exists to track and monitor employee completion of operational resilience training.
|
11. Governance and Oversight
|
- Is there a well-defined governance framework and structure for operational resilience?
- Are individuals or teams responsible for operational resilience assigned clear roles, responsibilities, and accountabilities?
- Is there a mechanism to ensure oversight and monitoring of operational resilience activities?
- Are there regular reporting and escalation processes to senior management or the board of directors?
- Are there mechanisms to review and update the governance framework and structure as needed?
|
|
Checklist: Governance and Oversight
|
- Review the documented governance framework and structure for operational resilience.
- Evaluate the clarity and effectiveness of assigned roles, responsibilities, and accountabilities.
- Assess the mechanisms in place for oversight and monitoring of operational resilience activities.
- Verify the existence of regular reporting and escalation processes to senior management or the board.
- Determine if there are mechanisms to review and update the governance framework and structure.
|
12. Business Continuity and Resilience Testing
|
- Are there documented plans and procedures for testing the effectiveness of business continuity and resilience measures?
- Is there a schedule for conducting regular testing and exercises?
- Are different scenarios and levels of disruptions considered during testing?
- Are testing results analyzed and used to identify areas for improvement and corrective actions?
- Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
|
|
Checklist: Business Continuity and Resilience Testing
|
- Review the documented plans and procedures for business continuity and resilience testing.
- Evaluate the adequacy of the testing schedule and the consideration of different scenarios.
- Assess the analysis and use of testing results for improvement and corrective actions.
- Verify the existence of mechanisms to track and follow up on the implementation of corrective actions.
- Determine if there is a process to document lessons learned from testing and exercises.
|
13. Continuous Improvement
|
- Is there a process to identify and address gaps and deficiencies in the operational resilience program?
- Are there mechanisms to capture and document lessons learned from incidents, tests, and exercises?
- Is there a feedback loop to ensure that identified improvements are implemented?
- Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
- Is there a culture of continuous improvement and learning within the organization?
|
|
Checklist: Continuous Improvement
|
- Review the process for identifying and addressing gaps and deficiencies in the operational resilience program.
- Evaluate the mechanisms to capture and document lessons learned from incidents, tests, and exercises.
- Assess the feedback loop to ensure the implementation of identified improvements.
- Verify the existence of metrics and performance indicators for measuring program effectiveness.
- Determine if there is evidence of a culture of continuous improvement and learning within the organization.
|
Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
|
|
|
Questionnaires and Checklist "Plan" Phase
|
Assess Capability and Maturity |
Analyse Gap |
Develop Strategy Roadmap
|
Confirm Risk Appetite
|
Develop and Embed Governance
|
|
|
|
|
|
|
|
Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]
|
|
|
|
|
|
|
|
|
|
Please feel free to send us a note if you have any of these questions.
|
|