Operational Resilience Audit

ORA [Sustain] Questionnaires: Introduce Cultural Change

Written by Moh Heng Goh | Jun 7, 2023 2:36:11 AM

Introduce Cultural Change

 

What is Cultural Change?

Organisational culture is not created by a memo or a decision from senior management; it develops over time and plays a crucial role in achieving organizational objectives, especially in this new area of operational resilience.

Amid rising expectations from key stakeholders, executive management must foster an organizational culture of resilience to set appropriate expectations for critical stakeholders, including regulators, the board, customers, and employees.

 

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the first stage of the plan phase: Introducing cultural change.

Audit Checklist for Introduce Cultural Change

 

1. Leadership and Governance

  • Are senior leaders actively promoting a culture of operational resilience?
  • Do leaders demonstrate a strong commitment to operational resilience initiatives?
  • Are there clear roles and responsibilities assigned to individuals responsible for operational resilience?
  • Is a governance structure in place to oversee and drive operational resilience efforts?
Checklist
  • Review leadership statements and communications to assess their emphasis on operational resilience and cultural change.
  • Evaluate the organization's mission and vision statements to determine if they incorporate operational resilience as a core value.
  • Assess the effectiveness of leadership in fostering a culture that values resilience, adaptability, and continuous improvement.
  • Review organizational policies and procedures to ensure they align with operational resilience objectives and promote cultural change.
  • Assess the level of leadership involvement in decision-making related to operational resilience.

2. Communication and Awareness

  • Is there a comprehensive communication strategy to promote operational resilience and cultural change?
  • Are employees aware of the organization's operational resilience objectives and their role in achieving them?
  • Are there effective communication channels to report potential risks or disruptions?
  • Are regular training sessions conducted to enhance awareness of operational resilience and its importance?
Checklist
  • Assess the clarity, consistency, and frequency of internal communications related to operational resilience.
  • Evaluate the accessibility and usability of reporting channels for employees to raise concerns or report incidents.
  • Review training programs and materials to confirm they adequately address operational resilience and cultural change.
  • Evaluate the effectiveness of communication methods to inform employees about changes in processes, procedures, or policies related to operational resilience.
  • Assess the feedback mechanisms used to gauge employee understanding of and engagement with operational resilience initiatives.

3. Risk Assessment and Management

  • Are comprehensive risk assessments conducted to identify potential vulnerabilities and disruptions?
  • Is there a systematic process to prioritize and mitigate identified risks?
  • Are risk management practices integrated into business decision-making processes?
  • Is there a mechanism in place to track and monitor risk mitigation efforts?
Checklist
  • Review the organization's risk assessment methodology and evaluate its effectiveness in identifying operational vulnerabilities.
  • Assess the documentation of identified risks, including their potential impact and likelihood.
  • Evaluate the organization's risk mitigation strategies and controls to address identified risks.
  • Review incident response plans and assess their alignment with identified risks and mitigation strategies.
  • Evaluate the process for monitoring and reporting on risk mitigation efforts, including key performance indicators (KPIs) and metrics.

4. Business Continuity Planning

  • Are there documented business continuity plans in place for critical processes?
  • Have the plans been tested and validated through simulations or real-life scenarios?
  • Is there a process to review and update the plans periodically?
  • Are there clear guidelines for employees to follow during disruptions?
Checklist
  • Review the completeness and comprehensiveness of business continuity plans for critical processes.
  • Assess the level of engagement and participation from relevant stakeholders in developing business continuity plans.
  • Evaluate the effectiveness of testing and validation processes for business continuity plans.
  • Review the process for reviewing and updating business continuity plans to ensure their relevance and effectiveness.
  • Assess the availability and accessibility of business continuity plans for employees during disruptions.

5. Incident Response and Recovery

  • Is there a well-defined incident response plan to address operational disruptions?
  • Are key personnel trained on the response plan and their roles during incidents?
  • Is there a process to evaluate the effectiveness of incident response efforts?
  • Are lessons learned from past incidents incorporated into the response plan?
Checklist
  • Evaluate the clarity and comprehensiveness of the incident response plan.
  • Assess the level of awareness and training provided to key personnel on their roles and responsibilities during incidents.
  • Review the documentation and analysis of past incidents to identify lessons learned and areas for improvement.
  • Assess the effectiveness of incident response drills and exercises to validate the response plan.
  • Evaluate the process for capturing feedback and making necessary adjustments to the incident response plan based on lessons learned.

6. Performance Measuring and Monitoring

  • Are key performance indicators (KPIs) established to measure operational resilience?
  • Is there a process to monitor and report on the KPIs regularly?
  • Are there mechanisms in place to identify and address performance gaps?
  • Is there a culture of continuous improvement regarding operational resilience?
Checklist
  • Assess the establishment of relevant KPIs and metrics to measure operational resilience.
  • Review the monitoring and reporting processes to track and communicate performance against established KPIs.
  • Evaluate the effectiveness of mechanisms to identify and address performance gaps or areas for improvement.
  • Assess the level of organizational commitment to a culture of continuous improvement in operational resilience.
  • Review the process for capturing and implementing feedback from performance monitoring activities.

7. Change Management

  • Is there a structured change management process in place for operational resilience initiatives?
  • Are changes communicated effectively to employees and stakeholders?
  • Is there a mechanism to assess the impact of changes on operational resilience?
  • Are lessons learned from change management experiences incorporated into future initiatives?
Checklist
  • Assess the presence of a formal change management process for operational resilience initiatives.
  • Review the effectiveness of communication strategies used to inform employees and stakeholders about changes related to operational resilience.
  • Evaluate the process for assessing and managing the impact of changes on operational resilience.
  • Assess the incorporation of lessons from previous change management experiences into future initiatives.
  • Review the documentation and tracking of changes to operational resilience practices and procedures.

8. Vendor and Third-Party Management

  • Is there a robust vendor management program to assess and manage third-party risks?
  • Are contractual agreements in place to ensure operational resilience expectations are met?
  • Is there a process to regularly evaluate and monitor vendor performance?
  • Are there contingency plans in case of disruptions caused by vendors or third parties?
Checklist
  • Assess the adequacy of the vendor management program in identifying and addressing third-party risks.
  • Review contractual agreements to ensure they incorporate operational resilience requirements and expectations.
  • Evaluate the process for assessing and monitoring vendor performance related to operational resilience.
  • Assess the availability and effectiveness of contingency plans in case of disruptions caused by vendors or third parties.
  • Review incident or disruption data related to vendors or third parties and evaluate the organization's response and recovery processes.

Note that some steps may overlap with, or appear similar to, those in other stages of the OR planning phases. If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
