ORA [Plan] Questionnaires: Confirm Risk Appetite

What is Risk Appetite?

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.  The scope is further enlarged when viewed from an operational resilience perspective.

It reflects the organization’s risk management philosophy and influences its culture and operating style.

• Is there a documented risk appetite framework in place?
• Have senior management, and the board approved the risk appetite framework?
• Does the risk appetite framework align with the organization's objectives and strategy?
• Is the risk appetite framework effectively communicated throughout the organization?
• Are risk appetite statements measurable and specific, allowing for meaningful risk assessments?
• Are risk appetite limits clearly defined for different types of operational risks?
• Are risk appetite limits regularly reviewed and updated to reflect changes in the business environment?
• Is there a mechanism to monitor and report on adherence to risk appetite limits?

• Review the documented risk appetite framework and ensure it is easily accessible to relevant stakeholders.
• Verify that senior management and the board have approved the risk appetite framework.
• Evaluate the alignment of the risk appetite framework with the organization's overall objectives and strategy.
• Assess the effectiveness of communication channels that convey the risk appetite framework to employees.
• Review risk appetite statements, assess whether they are measurable and specific, and facilitate meaningful risk assessments.
• Evaluate the clarity and specificity of risk appetite limits set for different types of operational risks.
• Confirm that risk appetite limits are regularly reviewed and updated to reflect changes in the business environment.
• Assess the availability of mechanisms to monitor and report on adherence to risk appetite limits.

• Has the organization conducted a comprehensive identification of operational risks?
• Are risk assessments conducted regularly to identify new and emerging risks?
• Are risk assessments based on a combination of qualitative and quantitative factors?
• Are risk assessments conducted consistently across all relevant business areas?
• Are risk assessments aligned with the organization's risk appetite framework?
• Are potential impacts on critical business processes and systems considered in risk assessments?
• Is there a process to validate and review risk assessments conducted by different business units?
• Do appropriate data and evidence support risk assessments?

• Evaluate the comprehensiveness of the organization's risk identification process.
• Review documented risk assessments and evaluate if they cover various operational risks.
• Assess the frequency of risk assessments to determine if they are conducted regularly and reflect current risks.
• Verify that risk assessments consider both qualitative and quantitative factors in evaluating risks.
• Review risk assessment processes across different business areas for consistency and standardization.
• Confirm that risk assessments are aligned with the organization's risk appetite framework.
• Evaluate if risk assessments consider potential impacts on critical business processes and systems.
• Assess the process for validating and reviewing risk assessments conducted by different business units.

• Has the organization established risk tolerance levels for different operational risks?
• Are risk tolerance levels consistent with the risk appetite framework?
• Are risk tolerance levels clearly defined and communicated to relevant stakeholders?
• Is there a process to monitor and measure risks against established tolerance levels regularly?
• Are risk mitigation strategies in place for risks exceeding the risk tolerance levels?
• Are risk mitigation strategies aligned with the organization's risk appetite and overall strategy?
• Are risk mitigation actions prioritized based on their potential impact on operational resilience?
• Is there a mechanism to monitor and evaluate the effectiveness of risk mitigation measures?

• Verify the establishment of risk tolerance levels for different operational risks.
• Assess the consistency of risk tolerance levels with the risk appetite framework.
• Review the clarity and effectiveness of communication regarding risk tolerance levels to relevant stakeholders.
• Evaluate the monitoring and measurement mechanisms to track risks against established tolerance levels.
• Assess the effectiveness of risk mitigation strategies for risks exceeding the risk tolerance levels.
• Confirm the alignment of risk mitigation strategies with the organization's risk appetite and overall strategy.
• Assess the prioritization process for risk mitigation actions based on the potential impact on operational resilience.
• Evaluate the availability of mechanisms to monitor and evaluate the effectiveness of risk mitigation measures.

• Does the organization have a documented incident management plan in place?
• Is the plan regularly reviewed and updated to reflect changes in the business environment?
• Are roles and responsibilities clearly defined for incident response teams?
• Are there defined escalation procedures for different types of incidents?
• Is there a process for identifying, assessing, and prioritizing incidents based on their potential impact?
• Does the organization have a communication plan for notifying stakeholders about incidents?
• Are there established metrics and thresholds for measuring the effectiveness of incident response activities?
• Has the organization conducted post-incident reviews to identify areas for improvement?
• Are incident response procedures aligned with the organization's risk appetite?

• Review the documented incident management plan and assess its alignment with the organization's risk appetite.
• Evaluate whether the plan includes clear roles and responsibilities for incident response teams.
• Assess the defined escalation procedures for different incidents and their alignment with risk appetite.
• Verify the presence of a process for identifying, assessing, and prioritizing incidents based on potential impact and risk appetite.
• Examine the communication plan for notifying stakeholders about incidents and assess its effectiveness in aligning with risk appetite.
• Check if there are established metrics and thresholds for measuring the effectiveness of incident response activities and their alignment with risk appetite.
• Evaluate whether the organization conducts post-incident reviews to identify areas for improvement and ensure they align with risk appetite.
• Assess the alignment of incident response procedures with the organization's risk appetite.

• Has the organization conducted a business impact analysis to identify critical business functions and their dependencies?
• Are there documented business continuity plans in place for critical functions?
• Have the plans been tested and validated to ensure their effectiveness?
• Are there defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions?
• e. Is there a process for regularly reviewing and updating the business continuity plans?
• Are employees aware of their roles and responsibilities during business disruption?
• Has the organization identified alternative work locations or facilities in case of a site failure?
• Are there established communication channels and procedures for coordinating the execution of business continuity plans?
• Are business continuity plans aligned with the organization's risk appetite?

• Review the business impact analysis to identify critical business functions and their dependencies.
• Assess the presence and effectiveness of documented business continuity plans for critical functions.
• Verify if the plans have been tested and validated to ensure their effectiveness aligns with risk appetite.
• Evaluate the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions and their alignment with risk appetite.
• Assess the process for regularly reviewing and updating the business continuity plans to ensure they align with risk appetite.
• Evaluate the awareness among employees regarding their roles and responsibilities in the event of business disruption and their alignment with risk appetite.
• Verify the identification of alternative work locations or facilities in case of site failure and their alignment with risk appetite.
• Assess the communication channels and procedures for coordinating the execution of business continuity plans and their alignment with risk appetite.
• Evaluate the alignment of business continuity plans with the organization's risk appetite.

• Has the organization conducted regular testing and exercising of its operational resilience plans?
• Are different scenarios and incidents considered during testing, including worst-case scenarios?
• Is there a process for capturing and documenting lessons learned from testing exercises?
• Are test results and findings communicated to relevant stakeholders for review and remediation?
• Are there established criteria for evaluating the effectiveness of testing exercises?
• Based on testing results, has the organization addressed any identified deficiencies or gaps in the operational resilience plans?
• Are testing and exercising activities aligned with the organization's risk appetite?

• Assess whether the organization conducts regular testing and exercising its operational resilience plans.
• Evaluate if different scenarios and incidents, including worst-case scenarios, are considered during testing in alignment with risk appetite.
• Verify the presence of a process for capturing and documenting lessons learned from testing exercises and their alignment with risk appetite.
• Assess the communication of test results and findings to relevant stakeholders for review and remediation, aligning with risk appetite.
• Verify the existence of established criteria for evaluating the effectiveness of testing exercises and their alignment with risk appetite.
• Evaluate if the organization addresses identified deficiencies or gaps in operational resilience plans based on testing results and risk appetite.
• Assess the alignment of testing and exercising activities with the organization's risk appetite.

• Does the organization have a designated governance body responsible for overseeing operational resilience?
• Are governance responsibilities and decision-making authorities clearly defined?
• Does governance regularly assess the organization's operational resilience strategy and plans?
• Is there a process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs)?
• Are there mechanisms to ensure compliance with applicable laws, regulations, and industry standards?
• Does the organization have a risk appetite statement that includes operational resilience?
• Are risk appetite thresholds and tolerances clearly defined for operational resilience? h
• Is there a process for regularly reviewing and updating the risk appetite statement?
• Are governance and oversight activities aligned with the organization's risk appetite?

• Assess the presence of a designated governance body responsible for overseeing operational resilience.
• Evaluate if governance responsibilities and decision-making authorities are clearly defined and align with risk appetite.
• Review the regular review and assessment process for the organization's operational resilience strategy and plans, aligning with risk appetite.
• Assess the process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs) in alignment with risk appetite.
• Verify the mechanisms to ensure compliance with applicable laws, regulations, and industry standards, aligning with risk appetite.
• Evaluate the presence and alignment of a risk appetite statement that includes operational resilience.
• Assess the clarity and regular review process of risk appetite thresholds and tolerances for operational resilience.
• Evaluate the overall alignment of governance and oversight activities with the organization's risk appetite.

Questionnaires and Checklist "Plan" Phase

Develop Strategy Roadmap

Confirm Risk Appetite

Develop and Embed Governance