ORA [Sustain] Questionnaires: Conduct and Provide Self-assessments

What is Self-assessment?

Self-Assessment in Operational Resilience ensures that the regulated organisation captures and documents the steps taken towards operational resilience and provides a comprehensive and objective evaluation of the organisation's strategy and overall ability to respond to disruptions.

• Are operational resilience policies and procedures well-documented and readily accessible?
• Are the policies and procedures aligned with industry best practices and regulatory requirements?
• Do the documented policies clearly define roles, responsibilities, and accountability for operational resilience?
• Is there evidence of regular reviews and updates to the operational resilience documentation?

• Review the documentation of operational resilience policies and procedures.
• Assess the alignment of policies with industry best practices and regulations.
• Evaluate the clarity and completeness of roles, responsibilities, and accountability definitions.
• Verify the existence of a process for regular reviews and updates to the documentation.

• Has a comprehensive risk assessment been conducted to identify and assess potential risks?
• Are risks prioritized based on their potential impact and likelihood?
• Are mitigation strategies and controls in place to address identified risks?
• Is there a process for regularly monitoring and updating risk assessments?

• Evaluate the documentation of the risk assessment process.
• Assess the comprehensiveness of the risk assessment, including identification and assessment of risks.
• Verify the prioritization of risks based on impact and likelihood.
• Review the documented mitigation strategies and controls.
• Determine if there is a process for regularly monitoring and updating risk assessments

• Has a thorough business impact analysis (BIA) been conducted to identify critical processes and systems?
• Have the potential impacts of disruptions to critical processes and systems been assessed?
• Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
• Are mitigation strategies and plans in place to ensure the timely recovery of critical processes?

• Review the business impact analysis (BIA) process documentation.
• Evaluate the completeness and accuracy of the identification of critical processes and systems.
• Assess the thoroughness of the assessment of potential impacts.
• Verify the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
• Review the mitigation strategies and plans to ensure timely recovery.

• Is there a training program in place to educate employees on operational resilience?
• Are employees aware of their roles and responsibilities regarding operational resilience?
• Are there mechanisms to track and monitor employee completion of operational resilience training?
• Are there regular communication and awareness campaigns to promote a culture of operational resilience?

• Review the training program documentation for operational resilience.
• Evaluate the effectiveness of the training in educating employees.
• Assess the mechanisms in place to track and monitor employee completion of training.
• Verify the existence of regular communication and awareness campaigns.
• Determine the extent of the culture of operational resilience within the organization.

• Have operational resilience plans and procedures been tested through exercises and simulations?
• Is there a documented schedule for testing and exercising operational resilience capabilities?
• Are different scenarios and levels of disruptions considered during testing?
• Are testing results analyzed to identify areas for improvement and corrective actions?
• Are there mechanisms to track and follow up on implementing corrective actions identified during testing?

• Review the operational resilience testing and exercise plan documentation. 
• Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
• Assess the testing results analysis to identify improvement areas.
• Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

• Is there an incident response plan for operational resilience incidents?
• Has the incident response plan been tested and validated?
• Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
• Is there a designated incident response team and a straightforward escalation process?
• Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?

• Review the incident response plan documentation for operational resilience incidents.
• Evaluate the testing and validation activities conducted on the incident response plan.
• Assess the clarity and accuracy of roles, responsibilities, and communication channels.
• Verify the incident response team's existence and composition and escalation process.
• Determine if there is a process for post-incident analysis and continuous improvement.

• Is there a process in place to monitor and review the effectiveness of the operational resilience program?
• Are lessons learned from incidents, tests, and exercises incorporated into improvements?
• Is there a mechanism to capture and address feedback and suggestions for operational resilience?
• Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
• Is there a culture of continuous improvement and learning within the organization?

• Evaluate the process for monitoring and reviewing the effectiveness of the operational resilience program.
• Assess the incorporation of lessons learned from incidents, tests, and exercises into improvements.
• Verify the existence of a mechanism to capture and address feedback and suggestions.
• Review the metrics and performance indicators for measuring program effectiveness.
• Determine the extent of the organization's continuous improvement and learning culture.

Questionnaires and Checklist "Sustain" Phase

Implement Training and Awareness

Provide Self-assessment

Conduct Independent Quality Review