Operational Resilience Audit

ORA Planning [2] Data Collection

Written by Moh Heng Goh | Jan 11, 2024 7:55:37 AM



Detailed Data Collection Steps

When collecting data during an operational resilience audit, gathering comprehensive and reliable information to assess the organisation's resilience capabilities is crucial. 

The following are the detailed steps for conducting data collection:

  1. Review Documentation
  2. Conduct Interviews
  3. Observe Processes and Activities
  4. Data Sampling
  5. Analyse Incident Data
  6. Assess Testing and Exercising
  7. Data Validation
  8. Analyse Quantitative Data
  9. Document Findings
  10. Maintain Confidentiality and Security
  11. Seek Clarification and Additional Information
  12. Review and Validate Data Collection

Review Documentation

  • Examine relevant documentation, such as business impact analyses, risk assessments, incident response plans, business continuity plans, and testing reports. 
  • Evaluate these documents' adequacy, completeness, and effectiveness in addressing operational resilience.

Conduct Interviews

  • Schedule interviews with key personnel responsible for operational resilience, such as business unit managers, IT managers, risk managers, and incident response team members.
  • Prepare a list of interview questions covering various operational resilience aspects, including preparedness, response and recovery, governance, and monitoring.

Observe Processes and Activities

  • Observe critical processes, operations, and activities related to operational resilience. 
    •  This may involve attending meetings, walkthroughs, or simulations. 
  • Take notes and gather information about the organisation's response mechanisms, decision-making processes, and communication strategies during disruptions.

Data Sampling

  • Select a representative sample of incidents, disruptions, or crises the organisation has experienced.
  • Analyse these cases to understand the organisation's response, recovery efforts, and the effectiveness of existing plans and procedures.
  • Ensure the sample includes both successful and unsuccessful responses.

Analyse Incident Data

  • Review incident logs, reports, and incident management databases to identify trends, recurring issues, and lessons learned.
  • Analyse the organisation's ability to detect, respond to, and recover from incidents effectively.
  • Look for patterns and indicators of weaknesses or areas requiring improvement.

Assess Testing and Exercising

  • Evaluate the organisation's testing and exercising mechanisms by reviewing testing plans, reports, and outcomes.
  • Examine the scope, frequency, and realism of the exercises conducted.
  • Assess the effectiveness of these activities in identifying vulnerabilities, validating response plans, and improving resilience capabilities.

Data Validation

  • Cross-reference and validate the data collected from various sources to ensure accuracy and reliability.
  • Seek supporting evidence, such as documented procedures, incident reports, or system logs, to verify the information gathered during interviews or observations.

Analyse Quantitative Data

  • Analyse quantitative data related to operational resilience, such as key performance indicators (KPIs), metrics, or benchmarks.
  • Assess trends, performance levels, and deviations from targets to identify areas of concern or improvement opportunities.

Document Findings

  • Record all relevant findings, observations, and insights from the data collection process.
  • Document gaps, weaknesses, or non-compliance with regulatory requirements or industry best practices.
  • Include supporting evidence and examples to strengthen the audit findings.

Maintain Confidentiality and Security

  • Ensure that all data collected and analysed during the audit process are kept confidential and stored securely.
  • Adhere to data protection and privacy policies to safeguard sensitive information.

Seek Clarification and Additional Information

  • Request additional information, clarification, or validation from stakeholders or subject matter experts to ensure a comprehensive understanding of the organisation's operational resilience practices.

Review and Validate Data Collection

  • Review the collected data and validate its accuracy and completeness.
  • Verify that all relevant aspects of operational resilience have been adequately addressed and documented.

 

By following these detailed steps for data collection, the operational resilience audit can gather reliable and comprehensive information, enabling a thorough assessment of the organisation's resilience capabilities.
