Operational Resilience Audit

ORA [Sustain] Questionnaires: Introduce Cultural Change

Written by Moh Heng Goh | Jun 20, 2023 4:00:56 AM

OR Audit Questionnaires

Implement Phase

Introduce Cultural Change

 

What is Organisational Culture?

Organisational culture is not created by a memo or a decision from senior management. It develops over time and plays a crucial role in achieving organisational objectives, especially in the new area of operational resilience.

This section is part of the "Implement" phase of the Operational Resilience Planning Methodology. It is the first stage of the Implement phase: Identify Critical Business Services.

 

Audit Checklist for Introducing Cultural Change

 

Identification of Critical Business Services

  • Has the organisation identified its critical business services?
  • Are the critical business services clearly defined and documented?
  • Has the organisation prioritised the criticality of each business service?

 

Interdependencies and Interconnections

  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are there contingency plans in place to address disruptions in dependent services?

 

Business Impact Analysis

  • Has a business impact analysis (BIA) been conducted for each critical business service?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are the recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for each critical business service?

 

Risk Assessment

  • Has a comprehensive risk assessment been conducted for each critical business service?
  • Are the risks to each critical business service identified and assessed?
  • Are risk mitigation measures in place for identified risks?
  • Is there a process to regularly review and update risk assessments for critical business services?

 

Business Continuity Planning

  • Are business continuity plans in place for each critical business service?
  • Have the plans been tested and validated?
  • Are the business continuity plans documented and easily accessible to relevant personnel?
  • Are there clearly defined procedures for invoking and executing the business continuity plans?
 

 

Incident Management

  • Is there an incident management framework specifically tailored for critical business services?
  • Are there documented incident response procedures for critical business services?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
 

 

Communication and Stakeholder Management

  • Is there a communication plan to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels to reach internal and external stakeholders?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
 

 

Testing and Exercises

  • Are regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?

 

Training and Awareness

  • Is there a training program to educate employees on the operational resilience of critical business services?
  • Are employees aware of their roles and responsibilities in maintaining the operational resilience of critical business services?
  • Are there regular awareness campaigns to promote a culture of operational resilience for critical business services?
  • Are training records maintained for compliance and audit purposes?

 

Continuous Improvement

  • Is there a process to capture and analyse lessons learned from disruptions to critical business services?
  • Are there mechanisms to incorporate the lessons learned into improvements for the operational resilience of critical business services?
  • Is there a culture of continuous improvement in managing the operational resilience of critical business services?
  • Are regular reviews and updates to the business continuity plans and procedures for critical business services

 

Note that some of the steps may overlap with the other stages of the "Implement" phase.

 
