Provide Self-assessments
|
What is Self-assessment?
Self-Assessment in Operational Resilience ensures that the regulated organisation captures and documents the steps taken towards operational resilience and provides a comprehensive and objective evaluation of the organisation's strategy and overall ability to respond to disruptions.
|
This section is the "Sustain" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Sustain phase: Provide Self-assessment.
Audit Checklist for Provide Self-assessments
1. Documentation and Policies
|
- Are operational resilience policies and procedures well-documented and readily accessible?
- Are the policies and procedures aligned with industry best practices and regulatory requirements?
- Do the documented policies clearly define roles, responsibilities, and accountability for operational resilience?
- Is there evidence of regular reviews and updates to the operational resilience documentation?
|
Checklist |
- Review the documentation of operational resilience policies and procedures.
- Assess the alignment of policies with industry best practices and regulations.
- Evaluate the clarity and completeness of roles, responsibilities, and accountability definitions.
- Verify the existence of a process for regular reviews and updates to the documentation.
|
2. Risk Assessment and Analysis
|
- Has a comprehensive risk assessment been conducted to identify and assess potential risks?
- Are risks prioritized based on their potential impact and likelihood?
- Are mitigation strategies and controls in place to address identified risks?
- Is there a process for regularly monitoring and updating risk assessments?
|
- Evaluate the documentation of the risk assessment process.
- Assess the comprehensiveness of the risk assessment, including identification and assessment of risks.
- Verify the prioritization of risks based on impact and likelihood.
- Review the documented mitigation strategies and controls.
- Determine if there is a process for regularly monitoring and updating risk assessments
|
3. Business Impact Analysis (BIA)
|
-
Has a thorough business impact analysis (BIA) been conducted to identify critical processes and systems?
- Have the potential impacts of disruptions to critical processes and systems been assessed?
- Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
- Are mitigation strategies and plans in place to ensure the timely recovery of critical processes?
|
- Review the business impact analysis (BIA) process documentation.
- Evaluate the completeness and accuracy of the identification of critical processes and systems.
- Assess the thoroughness of the assessment of potential impacts.
- Verify the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
- Review the mitigation strategies and plans to ensure timely recovery.
|
4. Training and Awareness
|
-
Is there a training program in place to educate employees on operational resilience?
- Are employees aware of their roles and responsibilities regarding operational resilience?
- Are there mechanisms to track and monitor employee completion of operational resilience training?
- Are there regular communication and awareness campaigns to promote a culture of operational resilience?
|
- Review the training program documentation for operational resilience.
- Evaluate the effectiveness of the training in educating employees.
- Assess the mechanisms in place to track and monitor employee completion of training.
- Verify the existence of regular communication and awareness campaigns.
- Determine the extent of the culture of operational resilience within the organization.
|
5. Testing and Exercise Evaluation
|
-
Have operational resilience plans and procedures been tested through exercises and simulations?
- Is there a documented schedule for testing and exercising operational resilience capabilities?
- Are different scenarios and levels of disruptions considered during testing?
- Are testing results analyzed to identify areas for improvement and corrective actions?
- Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
|
- Review the operational resilience testing and exercise plan documentation.
- Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
- Assess the testing results analysis to identify improvement areas.
- Determine if lessons learned from testing and exercises are documented and incorporated into improvements.
|
5. Incident Response Evaluation
|
- Is there an incident response plan for operational resilience incidents?
- Has the incident response plan been tested and validated?
- Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
- Is there a designated incident response team and a straightforward escalation process?
- Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?
|
- Review the incident response plan documentation for operational resilience incidents.
- Evaluate the testing and validation activities conducted on the incident response plan.
- Assess the clarity and accuracy of roles, responsibilities, and communication channels.
- Verify the incident response team's existence and composition and escalation process.
- Determine if there is a process for post-incident analysis and continuous improvement.
|
5. Continuous Improvement
|
-
Is there a process in place to monitor and review the effectiveness of the operational resilience program?
- Are lessons learned from incidents, tests, and exercises incorporated into improvements?
- Is there a mechanism to capture and address feedback and suggestions for operational resilience?
- Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
- Is there a culture of continuous improvement and learning within the organization?
|
- Evaluate the process for monitoring and reviewing the effectiveness of the operational resilience program.
- Assess the incorporation of lessons learned from incidents, tests, and exercises into improvements.
- Verify the existence of a mechanism to capture and address feedback and suggestions.
- Review the metrics and performance indicators for measuring program effectiveness.
- Determine the extent of the organization's continuous improvement and learning culture.
|
Do note that some steps may overlap or appear similar in the other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
|
Questionnaires and Checklist "Sustain" Phase
|
Introduce Cultural Change |
Develop Communication Strategy |
Implement Training and Awareness
|
Provide Self-assessment
|
Conduct Independent Quality Review
|
|
|
|
|
|
|
More Information About Blended Learning Operational Resilience Audit (ORA) Courses
BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
|
|
|
|
|
|
|
|
|
|
Please feel free to send us a note if you have any questions. |
|