Operational Resilience Audit

ORA [Plan] Questionnaires: Analyse Gap for Incident and Crisis Management

Written by Moh Heng Goh | Jun 15, 2023 11:48:42 AM

Analyse the Gap 

 

What is Incident and Crisis Management?

Incident Management (IM) refers to an organisation's activities to identify, analyse and correct threats.

Crisis Management (CM) is the overall coordination of an organisation's response to a crisis in an effective, timely manner, with the aim of avoiding or minimising damage to the organisation's profitability, reputation, or ability to operate.

This section is part of the "Plan" phase of the Operational Resilience Planning Methodology. It covers the second stage of the Plan phase: Analyse Gap.

Audit Checklist for Analysing the Gap for Incident and Crisis Management

 

1. Crisis Management Structure

  • Is there a documented crisis management structure in place?
  • Are the structure's roles, responsibilities, reporting lines, and chain of command clearly defined?
  • Have alternates been designated for primary representatives in case of unavailability?
  • Are there regular training and awareness programs for personnel involved in the crisis management structure?

Checklist

  • Check if there is a documented crisis management structure.
  • Verify if roles, responsibilities, reporting lines, and chain of command are clearly defined within the structure.
  • Assess if alternates have been designated for primary representatives.
  • Review training and awareness programs for personnel involved in the crisis management structure.

2. Triggers and Activation Criteria

  • Are there pre-defined triggers and criteria for activating the crisis management structure?
  • Are these triggers and criteria reviewed and updated periodically to reflect changes in the organisation's risk landscape?
  • Is there a mechanism for timely monitoring and identification of triggers to activate the crisis management structure?
  • Has the effectiveness of the triggers and activation criteria been tested through simulations or exercises?

Checklist

  • Determine if there are pre-defined triggers and criteria for activating the crisis management structure.
  • Verify if these triggers and criteria are reviewed and updated periodically.
  • Assess the mechanism for monitoring and identifying triggers to activate the crisis management structure.
  • Review simulations or exercises to test the effectiveness of the triggers and activation criteria.

3. Crisis Management Plans and Procedures

  • Are there comprehensive crisis management plans and procedures in place to guide actions and decisions during a crisis?
  • Have the crisis plans been developed based on a thorough assessment of potential risks and scenarios?
  • Are the plans regularly reviewed, updated, and tested for their effectiveness?
  • Are there clear guidelines on the roles and responsibilities of senior management during a crisis?
  • Is there a process for post-crisis evaluation and improvement of the crisis plans and procedures?

Checklist

  • Check if comprehensive crisis plans and procedures are in place to guide actions and decisions during a crisis.
  • Verify if the crisis plans are based on a thorough assessment of potential risks and scenarios.
  • Assess whether the plans are regularly reviewed, updated, and tested for effectiveness.
  • Review guidelines on the roles and responsibilities of senior management during a crisis.
  • Determine if there is a process for post-crisis evaluation and improvement of the crisis plans and procedures.

4. Tools and Processes for Situation Assessment

  • Are there tools and processes in place to facilitate timely updating and assessment of the latest situation during a crisis?
  • Is there a dedicated team responsible for gathering, analysing, and disseminating information to support decision-making?
  • Are the tools and processes regularly tested and updated to ensure their effectiveness?
  • Is there a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment?

Checklist

  • Determine if tools and processes are in place to facilitate timely updating and assessment of the latest situation during a crisis.
  • Assess if a dedicated team is responsible for gathering, analysing, and disseminating information to support decision-making.
  • Verify if the tools and processes are regularly tested and updated.
  • Determine if there is a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment.

5. Stakeholder Communication

  • Is there a list of internal and external stakeholders to be informed when a critical business service is disrupted?
  • Are communication plans and requirements documented for each stakeholder group?
  • Do the communication plans include criteria for determining the severity and timing of notifications?
  • Are there predefined communication channels for efficient stakeholder communication, such as email distribution lists or notification systems?
  • Are alternative communication channels identified and documented in case the primary channels are unavailable?

Checklist

  • Verify if there is a list of internal and external stakeholders to be informed when a critical business service is disrupted.
  • Review communication plans and requirements documented for each stakeholder group.
  • Assess if the communication plans include criteria for determining the severity and timing of notifications.
  • Verify if there are predefined communication channels, such as email distribution lists or notification systems, for efficient communication with stakeholders.
  • Determine if alternative communication channels have been identified and documented in case the primary channels are unavailable.

6. Mainstream and Social Media Communication

  • Are communication channels effectively established to reach stakeholders through mainstream and social media platforms?
  • Are designated personnel responsible for managing communications on these channels during a crisis?
  • Are there guidelines or protocols to ensure consistent and accurate messaging through mainstream and social media?

Checklist

  • Assess if there are established communication channels to effectively reach stakeholders through mainstream and social media platforms.
  • Verify if designated personnel manage communications on these channels during a crisis.
  • Review guidelines or protocols to ensure consistent and accurate mainstream and social media messaging.
  • Assess if there are mechanisms to monitor and respond to public sentiment and feedback during a crisis.
 

Note that some steps may overlap with, or appear similar to, those in the other stages of the OR planning phases. Where this occurs, the questionnaires and checklists must be contextualised to the topic under review.

 
