Operational Resilience Audit

[ORA-3/5] Module (Day) 1 of ORA-300/5000 Operational Resilience Audit Expert

 

ORA-5000 Operational Resilience Audit Expert (ORAE) Training Roadmap

Module 1 


You can attend Module 1, which leads to the Operational Resilience (OR) Certified Planner course, which has the course code BL-OR-2. This course provides you with the knowledge or KNOW competency. 

If you are assigned to audit or review your organisation's OR program, it is highly recommended that you attend both Modules 1 and 2, the OR Audit Specialist course, or ORA-3. Module 2 provides practicums on operationalising the OR framework. 

It gives you an in-depth understanding of the critical OR deliverables required. This course provides you with KNOW-DO competency. 

Description of Module [Day] 1 Course 

You will be introduced to Operational Resilience (OR) Audit Requirements. 

Note that this course is also Module 1 of the Operational Resilience Implementer OR-300 course.

Module 1 defines operational resilience (OR) and provides the participants with a contextual overview of its scope in different operating environments. Key concepts are explained with illustrative examples. The value of OR in today's organisations and the critical success factors for building resilient organisations are highlighted.

Session Breakdown: What Lies Ahead

As we progress through this course, it is essential to understand the structure and content of each session. Let's break down Sessions 1 and 2 of the ORA-300/5000 Module 1.

Module 1 Session 1: We will provide a foundational understanding of operational resilience. You will learn about its nuances and the critical role of regulators in shaping your approach. We'll clarify the distinction between key concepts such as operational risk management, organisational resilience, business continuity management and crisis management.

Module 1 Session 2: Building upon the first session, we'll explore regulatory requirements and how to align your organization with a planning methodology. We'll also explore practical tools and strategies to assist you in this operational resilience endeavour.

 

Detailed Course Content (Lesson and Topic, with Description)
Module 1 Session 1
Overview of Operational Resilience
  • Understand basic OR Concepts and terminologies
  • Discuss the distinctions and confusion between the many related fields and disciplines.
  • Identify the critical success factors and benefits of OR

Update on Regulatory Positions

  • Update on the latest issuance of OR regulations and updates
  • Compare the positions of the various authorities and their regional implications for Financial Services Institutions (FSIs)
OR Planning Methodology:  Framework and Principles
  • Understand the phases and stages within the OR planning methodology
  • Identify the critical components of the OR planning methodology.
  • Walk through the relevance of the OR planning methodology to the organisation
  • Define the principles supporting OR for the financial institutions
Module 1 Session 2
Types of operational disruptions
  • Identify and determine the types of operational disruptions covered by operational resilience.
Define Critical Business Services
  • Define and identify critical business services
  • Understand the components of typical critical business functions and critical business services.
Types and Levels of Impact Tolerances 
  • Identify impact types and set impact tolerances for each type
  • Understand how impact tolerances relate to risk appetite and to risk assessment scales or "level of harm"
Understand and review critical activities, processes and resources
  • Map the resources and processes for operational resilience within an organisation for its critical business services.
  • Link critical activities, underpinning services and internal services.
Define and develop Scenario Testing
  • Define and develop OR scenarios
  • Identify and understand plausible scenarios and link them with operational/resource disruption.
  • Determine the types of testing for the specific disruptive events

Deliverables

  • Be competent with the knowledge of operational resilience
  • Have a strong understanding of the respective building blocks and methodology to implement your OR program

 

Course Content for BL-ORA-5

 


More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

     
Please feel free to send us a note if you have any questions.

 

ORA [Sustain] Questionnaires: Introduce Cultural Change

OR Audit Questionnaires

Implement Phase

Introduce Cultural Change


 

What is Organisational Culture?

Organisational culture is not created by a memo or a decision from senior management; it develops over time and plays a crucial role in achieving organisational objectives, especially in the new area of operational resilience.

This section is the "Implement" phase of the Operational Resilience Planning Methodology.  It is the first stage of the Implement phase: Identify Critical Business Services.

 

Audit Checklist for Introducing Cultural Change

 

Identification of Critical Business Services

  • Has the organisation identified its critical business services?
  • Are the critical business services clearly defined and documented?
  • Has the organisation prioritised the criticality of each business service?

 

Interdependencies and Interconnections

  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are there contingency plans in place to address disruptions in dependent services?

 

Business Impact Analysis

  • Has a business impact analysis (BIA) been conducted for each critical business service?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are each critical business service's recovery time objectives (RTOs) and recovery point objectives (RPOs) defined?

 

Risk Assessment

  • Has a comprehensive risk assessment been conducted for each critical business service?
  • Are the risks to each critical business service identified and assessed?
  • Are risk mitigation measures in place for identified risks?
  • Is there a process to regularly review and update risk assessments for critical business services?

 

Business Continuity Planning

  • Are business continuity plans in place for each critical business service?
  • Have the plans been tested and validated?
  • Are the business continuity plans documented and easily accessible to relevant personnel?
  • Are there clearly defined procedures for invoking and executing the business continuity plans?
 

 

Incident Management

  • Is there an incident management framework specifically tailored for critical business services?
  • Are there documented incident response procedures for critical business services?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
 

 

Communication and Stakeholder Management

  • Is there a communication plan to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels to reach internal and external stakeholders?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
 

 

Testing and Exercises

  • Is regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?

 

Training and Awareness

  • Is there a training program to educate employees on the operational resilience of critical business services?
  • Are employees aware of their roles and responsibilities in maintaining the operational resilience of critical business services?
  • Are there regular awareness campaigns to promote a culture of operational resilience for critical business services?
  • Are training records maintained for compliance and audit purposes?

 

Continuous Improvement

  • Is there a process to capture and analyse lessons learned from disruptions to critical business services?
  • Are there mechanisms to incorporate the lessons learned into improvements for the operational resilience of critical business services?
  • Is there a culture of continuous improvement in managing the operational resilience of critical business services?
  • Are regular reviews and updates of the business continuity plans and procedures for critical business services conducted?

 

Note that some of the steps may overlap with the other stages of the "Implement" phase.

 

Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]

Please feel free to send us a note if you have any questions.

Table of Content: Operational Resilience Audit Questionnaires


Detailed Operational Resilience Audit Questionnaires

This list of OR Questionnaires is intended to guide Auditors in developing their Standardized Audit Program. Refer to OR Questionnaires.

 

Plan

Implement
  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt

Sustain

S/No   Chapter   BCM Audit Questionnaires
1      C9        BC Roles and Responsibilities
2      C10       Project Management
3      C11       Risk Analysis and Review
4      C12       Business Impact Analysis
5      C13       Business Continuity Strategy
6      C14       Plan Development
7      C15       Testing and Exercising
8      C16       Program Management: Training and Awareness
9      C17       Program Management: Maintenance
10     C18       Crisis Management

The chapter numbers [C##] cross-reference the chapters of the 2010 Edition of the reference guide.

 

 

Do you want to attend a comprehensive BCM Audit course remotely? Better still, be certified?

Reference Guide

Goh, M. H. (2010). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Specialist Series (1st ed., p. 192). Singapore: GMH Pte Ltd.

Extracted from "Chapters 9 to 13"

Note: This version is the 2nd Edition, being updated in 2021. The number in square brackets [C##] cross-references the actual chapters in the 2010 Edition.

Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]

Please feel free to send us a note at sales.ap@bcm-institute.org if you have any questions.
Guidelines on Operational Resilience by the Hong Kong Monetary Authority

Operational resilience is critical for financial institutions in ensuring uninterrupted services and maintaining the financial system's stability. The Hong Kong Monetary Authority (HKMA) has issued guidelines to provide a comprehensive framework for financial institutions in Hong Kong to enhance their operational resilience. 

It is important to refer to the actual "Supervisory Policy" document, "SPM OR-2", which sets out the HKMA's approach and supervisory expectations on operational resilience. The guideline is available on the HKMA webpage.

Objective

This blog aims to help participants attending the Operational Resilience Implementer and Expert Implementer courses who have global or regional responsibilities to understand:

  • The general principles outlined by the Hong Kong Monetary Authority (HKMA) that institutions must consider when developing their operational resilience framework.
  • The guidelines, so that they can compare them with those issued by central banks in other regional jurisdictions.

Definition of Operational Resilience

Operational resilience refers to a financial institution's ability to consistently deliver critical operations and services, even during disruptions or unexpected events.

It encompasses the organisation's ability to prevent, adapt to, respond to, and recover from operational disruptions in order to maintain continuity and protect the interests of customers and stakeholders.

Operational Resilience Framework

Financial institutions are expected to establish an operational resilience framework that integrates people, processes, and technology to enhance their overall resilience.

The framework should include the following components:

Governance and Accountability

The board and senior management should demonstrate clear responsibility and accountability for operational resilience. They should oversee and approve the institution's operational resilience strategy, policies, and risk tolerance levels.

Risk Identification and Assessment

Financial institutions should identify and assess the potential risks and vulnerabilities associated with their critical business services, processes, and systems. This includes conducting regular impact assessments and scenario analyses to understand the potential consequences of operational disruptions.

Business Impact Tolerance

Institutions should define their business impact tolerance, reflecting the maximum tolerable disruption to critical services, processes, and systems. This determination should consider the institution's risk appetite, customer expectations, and market conditions.

Planning and Strategy

Institutions should develop robust and comprehensive plans to address operational disruptions effectively. Considering various scenarios and potential impacts, these plans should cover incident response, crisis management, and business continuity.

Testing and Validation

Regular testing and validation exercises should be conducted to evaluate the effectiveness of the operational resilience framework. Institutions should identify gaps and areas for improvement and implement corrective actions based on the test results.

Reporting and Communication

Institutions should establish clear lines of communication and reporting for operational disruptions. This includes promptly reporting incidents to the HKMA and maintaining effective communication with customers, stakeholders, and regulatory authorities.

Role of the Board and Senior Management

The guidelines emphasise the board's and senior management's crucial role in ensuring operational resilience. They should demonstrate strong leadership, establish a culture of resilience, and promote effective governance practices within the organisation. Key responsibilities include:

Setting the Operational Resilience Strategy

The board and senior management should define the institution's strategic objectives regarding operational resilience, aligning them with the overall business strategy.

Risk Management Oversight

They should oversee the identification, assessment, and management of operational risks, ensuring appropriate risk controls and mitigation measures are in place.

Resource Allocation

The board and senior management should allocate sufficient resources, including budget, staff, and technology, to support the implementation and maintenance of the operational resilience framework.

Monitoring and Reporting

They should establish mechanisms to monitor the effectiveness of the operational resilience framework and receive regular reports on key resilience indicators and performance metrics.

Determining Operational Resilience Parameters

Financial institutions should establish operational resilience parameters to define the levels of resilience required for their critical business services, processes, and systems. These parameters should be determined based on factors such as:

Criticality and Impact

Institutions should consider the criticality and potential impact of a disruption on customers, financial stability, and the broader economy.

Recovery Time Objectives (RTOs)

RTOs specify the maximum tolerable downtime for critical services, processes, and systems, guiding the planning and recovery strategies.

Recovery Point Objectives (RPOs)

RPOs define the maximum acceptable data loss in case of disruptions, guiding data backup and recovery measures.

Dependencies and Interconnections

Institutions should consider the dependencies and interconnections between their internal and external systems and third-party service providers to ensure comprehensive resilience.

Mapping Interconnections and Interdependencies

Financial institutions must map the interconnections and interdependencies that underlie their critical operations. This includes identifying the key business services, processes, systems, and resources, both internal and external, on which their operations rely. 

By mapping these interconnections, institutions can understand the potential impact and dependencies in the event of disruptions. This knowledge enables them to identify vulnerabilities and implement appropriate measures to enhance resilience.

Preparing for and Managing Risks to Critical Operations Delivery

Financial institutions should proactively prepare for and manage risks that could affect the delivery of critical operations. 

This involves robust risk assessments to identify potential threats, vulnerabilities, and impacts. Institutions must establish risk management frameworks that identify, measure, monitor, and mitigate risks. These frameworks should align with the institution's risk appetite and regulatory requirements. By effectively managing risks, institutions can enhance their ability to withstand disruptions and ensure the continuity of critical operations.

Testing Ability to Deliver Critical Operations under Severe but Plausible Scenarios

Financial institutions must test their ability to deliver critical operations under severe yet plausible scenarios. 

This includes scenario-based exercises to simulate disruptions and assess the institution's response and recovery capabilities. Testing should cover various aspects, such as incident response, crisis management, communication, and business continuity. Regular testing helps identify weaknesses, refine response plans, and enhance the institution's overall operational resilience.

Responding to and Recovering from Incidents

Financial institutions should establish robust response and recovery plans to address operational incidents effectively. 

This involves defining clear roles, responsibilities, and escalation procedures to ensure a coordinated response. Institutions should also establish mechanisms for timely communication with stakeholders, including customers, regulators, and relevant authorities.

By promptly responding to incidents and implementing effective recovery measures, institutions can minimise the impact on critical operations and expedite the restoration of services.

Implementation of Operational Resilience Requirements

Financial institutions are expected to implement operational resilience requirements throughout their organisation. 

This includes embedding a culture of resilience, providing appropriate training and awareness programs for employees, and integrating operational resilience considerations into decision-making processes. 

Institutions should allocate sufficient resources to support the implementation of operational resilience requirements and establish mechanisms for monitoring, reporting, and ongoing improvement.

Conclusion

The HKMA's guidelines on operational resilience provide financial institutions in Hong Kong with a comprehensive framework to strengthen their operational resilience. 

By considering the general principles outlined in these guidelines, institutions can develop robust operational resilience frameworks that ensure the continuity of critical operations and protect the interests of customers and stakeholders.

Implementing these guidelines is essential for maintaining the financial system's stability and safeguarding the reputation of financial institutions in Hong Kong.

 

 

Learn more about Blended Learning OR-300 [BL-OR-3] and OR-5000 [BL-OR-5]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.


 

ORA [Plan] Questionnaires: Analyse Gap for Incident and Crisis Management

Analyse the Gap 


 

What is Incident and Crisis Management?

Incident Management (IM) refers to an organisation's activities to identify, analyse and correct threats.

Crisis Management (CM) is the overall coordination of an organisation's response to a crisis in an effective and timely manner, with the intention of avoiding or minimising damage to the organisation's profitability, reputation, or ability to operate.

This section is the "Plan" phase of the Operational Resilience Planning Methodology.  It is the second stage of the Plan phase: Analyse Gap.

Audit Checklist for Analysing the Gap for Incident and Crisis Management

 

1. Crisis Management Structure

  • Is there a documented crisis management structure in place?
  • Are the structure's roles, responsibilities, reporting lines, and chain of command clearly defined?
  • Have alternates been designated for primary representatives in case of unavailability?
  • Are there regular training and awareness programs for personnel involved in the crisis management structure?

Checklist

  • Check if there is a documented crisis management structure.
  • Verify if roles, responsibilities, reporting lines, and chain of command are clearly defined within the structure.
  • Assess if alternates have been designated for primary representatives.
  • Review training and awareness programs for personnel involved in the crisis management structure.

2. Triggers and Activation Criteria

  • Are there pre-defined triggers and criteria for activating the crisis management structure?
  • Are these triggers and criteria reviewed and updated periodically to reflect organisational risk landscape changes?
  • Is there a mechanism for timely monitoring and identification of triggers to activate the crisis management structure?
  • Has the effectiveness of the triggers and activation criteria been tested through simulations or exercises?

Checklist

  • Determine if there are pre-defined triggers and criteria for activating the crisis management structure.
  • Verify if these triggers and criteria are reviewed and updated periodically.
  • Assess the mechanism for monitoring and identifying triggers to activate the crisis management structure.
  • Review simulations or exercises to test the effectiveness of the triggers and activation criteria.

3. Crisis Management Plans and Procedures

  • Are there comprehensive crisis management plans and procedures in place to guide actions and decisions during a crisis?
  • Have the crisis plans been developed based on a thorough assessment of potential risks and scenarios?
  • Are the plans regularly reviewed, updated, and tested for their effectiveness?
  • Are there clear guidelines on the roles and responsibilities of senior management during a crisis?
  • Is there a process for post-crisis evaluation and improvement of the crisis plans and procedures?

Checklist

  • Check if comprehensive crisis plans and procedures are in place to guide actions and decisions during a crisis.
  • Verify if the crisis plans are based on a thorough assessment of potential risks and scenarios.
  • Assess whether the plans are regularly reviewed, updated, and tested for effectiveness.
  • Review guidelines on the roles and responsibilities of senior management during a crisis.
  • Determine if there is a process for post-crisis evaluation and improvement of the crisis plans and procedures.

4. Tools and Processes for Situation Assessment

  • Are there tools and processes in place to facilitate timely updating and assessment of the latest situation during a crisis?
  • Is there a dedicated team responsible for gathering, analysing, and disseminating information to support decision-making?
  • Are the tools and processes regularly tested and updated to ensure their effectiveness?
  • Is there a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment?

Checklist

  • Determine if tools and processes are in place to facilitate timely updating and assessment of the latest situation during a crisis.
  • Assess if a dedicated team is responsible for gathering, analysing, and disseminating information to support decision-making.
  • Verify if the tools and processes are regularly tested and updated.
  • Determine if there is a mechanism to integrate information from various sources and stakeholders for a comprehensive situational assessment.

5. Stakeholder Communication

  • Is there a list of internal and external stakeholders to be informed when a critical business service is disrupted?
  • Are communication plans and requirements documented for each stakeholder group?
  • Do the communication plans include criteria for determining the severity and timing of notifications?
  • Are there predefined communication channels for efficient stakeholder communication, such as email distribution lists or notification systems?
  • Are alternative communication channels identified and documented in case the primary channels are unavailable?

Checklist

  • Verify if there is a list of internal and external stakeholders to be informed when a critical business service is disrupted.
  • Review communication plans and requirements documented for each stakeholder group.
  • Assess if the communication plans include criteria for determining the severity and timing of notifications.
  • Verify if there are predefined communication channels, such as email distribution lists or notification systems, for efficient communication with stakeholders.
  • Determine if alternative communication channels have been identified and documented in case the primary channels are unavailable.

6. Mainstream and Social Media Communication

  • Are communication channels effectively established to reach stakeholders through mainstream and social media platforms?
  • Are designated personnel responsible for managing communications on these channels during a crisis?
  • Are there guidelines or protocols to ensure consistent and accurate messaging through mainstream and social media?

Checklist

  • Assess if there are established communication channels to effectively reach stakeholders through mainstream and social media platforms.
  • Verify if designated personnel manage communications on these channels during a crisis.
  • Review guidelines or protocols to ensure consistent and accurate mainstream and social media messaging.
  • Assess if there are mechanisms to monitor and respond to public sentiment and feedback during a crisis.
 

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

 

Questionnaires and Checklist for the "Plan" Phase

  • Assess Capability and Maturity
  • Analyse Gap
  • Develop Strategy Roadmap
  • Confirm Risk Appetite
  • Develop and Embed Governance

 

Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]

Please feel free to send us a note if you have any questions.
