Develop and Embed Governance
What is Governance?
Embedding operational resilience in the governance structure is essential.
This will start with the board of directors and senior management, who will actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.
This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the third stage of the Plan phase: Develop and Embed Governance.
Audit Checklist for Develop and Embed Governance
- Is there a documented governance framework in place for operational resilience?
- Has the framework been communicated to all relevant stakeholders?
- Are roles and responsibilities clearly defined within the governance framework?
Checklist
- Review the documented governance framework for operational resilience.
- Evaluate if the framework aligns with industry best practices and regulatory requirements.
- Assess the framework's effectiveness in providing clear roles, responsibilities, and decision-making authority.
- Verify if the governance framework is communicated and understood by relevant stakeholders.
- Check if there is a process to review and update the governance framework periodically.
2. Leadership and Accountability
- Are senior management and executives actively involved in driving operational resilience?
- Is a designated individual or team responsible for overseeing the operational resilience program?
- Is there a reporting mechanism for the operational resilience program to senior management and the board?
Checklist
- Assess the level of senior management and executive involvement in operational resilience initiatives.
- Determine if a designated individual or team oversees and implements the operational resilience program.
- Evaluate the communication channels between senior management, the operational resilience team, and other stakeholders.
- Verify if there is a process to escalate operational resilience issues to senior management and the board.
- Assess the effectiveness of leadership in promoting a culture of operational resilience throughout the organization.
3. Risk Assessment and Management
- Has a comprehensive risk assessment been conducted to identify and prioritize operational risks?
- Are risk mitigation strategies and controls in place to address identified risks?
- Are risk management policies and procedures effectively communicated and implemented?
Checklist
- Review the methodology and process used for conducting operational risk assessments.
- Evaluate the comprehensiveness and accuracy of the identified risks.
- Assess if there are clear risk mitigation strategies and controls in place.
- Verify if risk management policies and procedures are effectively communicated and implemented.
- Assess the monitoring and reporting mechanisms for identified risks and risk mitigation efforts.
4. Business Impact Analysis (BIA)
- Has a BIA been conducted to assess the potential impact of disruptions on critical business processes?
- Are the identified critical processes adequately documented?
- Are there contingency plans and backup arrangements in place for critical processes?
Checklist
- Review the BIA methodology and documentation to ensure it covers critical business processes and dependencies.
- Verify if there is a process for identifying and prioritizing critical business processes.
- Assess if the BIA adequately addresses the potential impact of disruptions on critical processes.
- Evaluate the existence and effectiveness of contingency plans and backup arrangements for critical processes.
- Verify if the BIA is periodically updated to reflect organisational operations and risk landscape changes.
5. Incident Response and Recovery
- Are there well-defined incident response plans for different types of operational disruptions?
- Have tabletop exercises or simulations been conducted to test the effectiveness of the incident response plans?
- Is there a process for documenting and reviewing lessons learned from incidents?
Checklist
- Evaluate the existence and effectiveness of incident response plans for different operational disruptions.
- Verify if the incident response plans are regularly tested, reviewed, and updated.
- Assess the adequacy of incident escalation and communication procedures.
- Review documentation of past incidents, including response actions and lessons learned.
- Assess if there is a process for continuous improvement of incident response and recovery capabilities.
6. Testing and Exercising
- Has a comprehensive testing program been established to validate the effectiveness of operational resilience measures?
- Are different types of tests conducted, such as scenario-based testing, technology testing, or third-party testing?
- Are test results documented, reviewed, and acted upon to enhance operationally
Checklist
- Assess the comprehensiveness and frequency of testing programs for operational resilience measures.
- Review the test types, such as tabletop exercises, simulations, or technology testing.
- Evaluate the documentation and remediation processes for identified issues during testing.
- Assess if a process exists to capture and implement lessons learned from testing exercises.
- Verify if the testing program is periodically reviewed and updated to align with threats and organizational changes.
7. Training and Awareness
- Is there an ongoing training program to ensure employees understand their roles and responsibilities related to operational resilience?
- Are employees aware of the key risks, controls, and incident response procedures?
- Is there a mechanism to assess the effectiveness of training programs?
Checklist
- Evaluate the training programs provided to employees on operational resilience.
- Assess if employees know their roles and responsibilities related to operational resilience.
- Verify if there are training programs specifically tailored for different job roles and functions.
- Assess the effectiveness of training programs through employee feedback and assessment mechanisms.
- Evaluate the organization's communication channels for disseminating information on operational resilience.
8. Third-Party Management
- Are there processes in place to assess the operational resilience of critical third-party vendors and service providers?
- Is there ongoing monitoring of third-party resilience and the adequacy of their business continuity plans?
- Is there a contingency plan to mitigate risks arising from third-party failures or
Checklist
- Assess if there is a process for evaluating and managing the operational resilience of critical third-party vendors and service providers.
- Review the documentation of due diligence processes for third-party selection and ongoing monitoring.
- Verify if there are contractual requirements for third parties to maintain operational resilience standards.
- Assess if there are contingency plans and alternate arrangements to mitigate risks arising from third-party failures.
- Review the monitoring and reporting mechanisms for third-party operational resilience.
9. Reporting and Metrics
- Are there clear reporting mechanisms to provide regular updates on the status of operational resilience to relevant stakeholders?
- Are key performance indicators (KPIs) and metrics defined to measure the effectiveness of operational resilience efforts?
- Are reports reviewed and acted upon to drive continuous improvement?
Checklist
- Evaluate the reporting mechanisms to provide regular updates on operational resilience to relevant stakeholders.
- Assess the adequacy of key performance indicators (KPIs) and metrics to measure operational resilience effectiveness.
- Verify if reports are reviewed, acted upon, and used to drive continuous improvement.
- Assess the availability and accuracy of data and information used for reporting.
- Evaluate if reporting aligns with regulatory requirements and internal governance expectations.
10. Compliance and Regulatory Requirements
- Are there processes to ensure compliance with relevant laws, regulations, and industry standards?
- Has the operational resilience program been subjected to external audits or regulatory examinations?
- Are there mechanisms to track and address any deficiencies or non-compliance issues identified?
Checklist
- Review the organization's processes for identifying and complying with relevant laws, regulations, and industry standards related to operational resilience.
- Assess the effectiveness of controls and procedures in place to ensure compliance.
- Verify if there is a process for monitoring regulation changes and updating operational resilience practices accordingly.
- Assess the documentation and evidence of external audits or regulatory examinations related to operational resilience.
- Review any identified deficiencies or non-compliance issues and the subsequent remediation efforts.
Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
More Information About Blended Learning Operational Resilience Audit (ORA) Courses
BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
Please feel free to send us a note if you have any questions.