Operational Resilience Audit

ORA [Plan] Questionnaires: Analyse Gap Concentration Risk

Analyse the Gap: Concentration Risk

What is Concentration Risk?

Concentration Risk refers to the vulnerability and potential impact that arises from a significant dependence or concentration of critical operations, resources, or dependencies within an organization.

It occurs when there is an overreliance on a single point of failure or a limited number of entities, systems, or processes that, if disrupted, could significantly impact the organization's ability to deliver its critical services or functions.

This section is the "Plan" phase of the Operational Resilience Planning Methodology.  It is the second stage of the Plan phase: Analyse Gap.

These questions, checklists, and details should help assess the concentration risk and operational resilience measures related to primary-secondary site operation, critical business functions segregation, split team and backup team arrangements, cross-training, cross-border support, and alternative service provider considerations, as well as the requirements of the MAS BCM Policy.

Audit Checklist for Analysing the Gap: Concentration Risk


1. Primary-Secondary Site Operation

  • Are primary and secondary sites geographically distant enough to mitigate the impact of a localised event?
  • Is there a documented plan for transitioning operations from primary to secondary sites?
  • Has the secondary site been tested for readiness and functionality?
  • Are the necessary infrastructure and resources available at the secondary site?
  • Are there redundant systems in place to ensure seamless operations during the transition?

Checklist

  • Verify if the primary and secondary sites are geographically distant enough to mitigate localised events.
  • Review the documented plan for transitioning operations from primary to secondary sites.
  • Assess if the secondary site has been tested for readiness and functionality.
  • Verify the availability of necessary infrastructure and resources at the secondary site.
  • Assess the presence of redundant systems to ensure seamless operations during the transition.

2. Critical Business Functions Segregation

  • Are critical business functions identified and documented?
  • Is there segregation of critical business functions across different locations?
  • Have dependencies between critical business functions been assessed and addressed?
  • Is there a contingency plan to maintain critical business functions during disruption at one location?
  • Are there regular tests or drills to validate the effectiveness of critical business function segregation?

Checklist

  • Determine if critical business functions have been identified and documented.
  • Assess the segregation of critical business functions across different locations.
  • Review the assessment and addressing of dependencies between critical business functions.
  • Verify the existence of a contingency plan to maintain critical business functions in case of disruption at one location.
  • Assess the regular testing or drills to validate the effectiveness of critical business function segregation.

3. Split Team and Backup Team Arrangements

  • Are split team arrangements established to ensure business continuity in the event of staff unavailability?
  • Is there a clear communication plan for coordinating split team operations?
  • Are backup teams identified and trained to take over in case of primary team unavailability?
  • Has the effectiveness of split and backup team arrangements been tested in simulated scenarios?
  • Are there documented procedures for transitioning between primary and backup teams?

Checklist

  • Verify the establishment of split team arrangements to ensure business continuity during staff unavailability.
  • Assess the presence of a clear communication plan for coordinating split team operations.
  • Review the identification and training of backup teams to take over in case of primary team unavailability.
  • Verify the testing of the split team and backup team arrangements in simulated scenarios.
  • Assess the availability of documented procedures for transitioning between primary and backup teams.

4. Cross-Training

  • Are employees cross-trained to perform multiple roles within critical business functions?
  • Is a training program in place to ensure employees have the necessary skills for cross-functional roles?
  • Are cross-training records maintained for tracking employee capabilities?
  • Is cross-training periodically tested or validated through drills or exercises?
  • Are there escalation procedures in place to address skill gaps during disruptions?

Checklist

  • Determine if employees are cross-trained to perform multiple roles within critical business functions.
  • Assess the presence of a training program to ensure employees have the necessary skills for cross-functional roles.
  • Review the maintenance of cross-training records for tracking employee capabilities.
  • Verify the periodic testing or validation of cross-training through drills or exercises.
  • Assess the presence of escalation procedures to address skill gaps during disruptions.

5. Cross-Border Support

  • Are there dependencies on systems, processes, or resources located in other countries?
  • Are the risks associated with cross-border dependencies identified and assessed?
  • Is there a contingency plan in place to address disruptions in cross-border support?
  • Have legal, regulatory, or compliance considerations related to cross-border operations been addressed?
  • Are there alternative arrangements or redundancies for critical cross-border dependencies?

Checklist

  • Determine if there are dependencies on systems, processes, or resources in other countries.
  • Assess the identification and assessment of risks associated with cross-border dependencies.
  • Verify the presence of a contingency plan to address disruptions in cross-border support.
  • Review addressing legal, regulatory, or compliance considerations related to cross-border operations.
  • Assess the presence of alternative arrangements or redundancies for critical cross-border dependencies.

6. Alternative Service Provider

  • Are alternative service providers identified for critical business functions?
  • Have due diligence assessments been conducted for alternative service providers?
  • Is there a documented plan for transitioning to alternative service providers during disruptions?
  • Are contractual agreements with alternative service providers in place and up to date?
  • Has the feasibility and effectiveness of alternative service providers been tested or validated?

Checklist

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

Table of Content for Operational Resilience Audit and Review [Cross Reference to MAS BCM Guidelines]

Operational Resilience Audit Questionnaires and Checklist

Operational Resilience Planning Methodology

The Operational Resilience Planning Methodology has three phases: "Plan", "Implement", and "Sustain."  Each phase has five stages.

Each of the five stages within each phase has its own set of detailed questions to be asked and a checklist that supports them.  Note that there is overlap for some of the stages in terms of content.

The rationale is that you, as a reviewer or auditor, will not be conducting the audit or review for all three phases together; hence, the key controls still need to be embedded in several stages.

The sections of the MAS BCM Guidelines that each phase cross-references are listed below.

Questionnaires and Checklist "Plan" Phase

Stages:
  • Assess Capability and Maturity
  • Analyse Gap
  • Develop Strategy Roadmap
  • Confirm Risk Appetite
  • Develop and Embed Governance

MAS BCM Guidelines cross-referenced:
  • 5. Concentration Risk
  • 7. Responsibilities of Board and Senior Management

Questionnaires and Checklist "Implement" Phase

Stages:
  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt

MAS BCM Guidelines cross-referenced:
  • 2. Critical Business Services and Functions
  • 4. Dependency Mapping
  • 3. Service Recovery Time Objectives
  • 7. Testing
  • 6. Continuous Review and Improvement

Questionnaires and Checklist "Sustain" Phase

Stages:
  • Introduce Cultural Change
  • Develop Communication Strategy
  • Implement Training and Awareness
  • Provide Self-assessment
  • Conduct Independent Quality Review

MAS BCM Guidelines cross-referenced:
  • 7. Responsibilities of Board and Senior Management
  • 9. Incident and Crisis Management (Communication with Staff and Stakeholders)
  • 8. Audit
Summary of Guidelines on Business Continuity Management issued by the Monetary Authority of Singapore

Key Focus Areas for Guidelines on Business Continuity Management by the Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services. 

Objective

This blog aims to provide an overview of the critical aspects of the MAS Guidelines on BCM, with a specific focus on the ten areas mentioned in the guidelines.  The full guideline is published on the MAS website.

The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.

Application of MAS Guidelines

The first section of the MAS Guidelines on BCM emphasised that they apply to all financial institutions MAS regulates in Singapore, including banks, insurers, and capital market intermediaries.

The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.

Compliance with these guidelines is mandatory, and institutions are expected to maintain a state of readiness to respond to and recover from disruptions.

Notes on OR vs. BCM: These are the related regulatory requirements or guidelines issued by other central banks worldwide. These regulations will be under your purview if you have global or regional responsibilities.

Critical Business Services and Functions

Financial institutions must identify and prioritise their critical business services (CBS) and critical business functions (CBF), essential for maintaining financial stability and providing uninterrupted services to customers.

Please note that CBS and CBF differ.

The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.

Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.

Notes on OR vs. BCM: These are similar terms used by regulators from other jurisdictions. It is also helpful to understand that MAS uses the term Critical Business Services, while Critical Operations is the term used by the US Fed and the Hong Kong Monetary Authority.

Service Recovery Time Objective (SRTO)

The Service Recovery Time Objective (SRTO) refers to the timeframe within which critical business services and functions should be recovered following a disruption.

The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.

Financial institutions must define RTOs for their critical services and functions based on their business impact analysis.

The RTOs should be regularly reviewed and tested to ensure their effectiveness.

Notes on OR vs. BCM: These are similar terms used by regulators from other jurisdictions. It is also helpful to understand the difference between the SRTO issued by MAS and the actual RTO from BCM practice, as against the Impact Tolerance spelt out by the other regulators.

Dependency Mapping

Dependency mapping is a crucial aspect of BCM that involves identifying and understanding the interdependencies between various systems, processes, and external parties.

Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.

The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.

Concentration Risk

Concentration risk refers to the exposure an organisation faces due to a significant reliance on a single point of failure.

The MAS Guidelines on BCM stress the critical component of business continuity planning: identifying and mitigating concentration risk.

Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.

By diversifying critical services and functions, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.

The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.

Continuous Review and Improvement

The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.

BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.

Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.

The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.

Notes on OR vs. BCM: The term "continuous improvement" appears as part of the standard in most published regulations. The key is to learn from past incidents and from the deficiencies identified during testing and exercising.

Testing

Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.

The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.

Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.

Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.

The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.

Notes on OR vs. BCM: End-to-end testing based on a scenario is called Scenario Testing. It is helpful to review the difference between operational resilience testing and BC testing.

Audit

The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.

Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.

These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.

Incident and Crisis Management

Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.

The MAS Guidelines on BCM emphasise the need for financial institutions to establish robust incident and crisis management frameworks. This includes defining roles and responsibilities, establishing communication protocols, and implementing escalation procedures.

Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance staff readiness and capability to respond to incidents and crises promptly and effectively.

Responsibilities of Board and Senior Management

The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.

Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.

The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.

They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.

The board and senior management should receive regular reporting on BCM performance, including key metrics and progress against action plans.

Notes on OR vs. BCM: The challenge in implementing OR is that, despite the COVID experiences, the board and most senior management are informed of the response after an event.

To achieve this requirement, the board of directors and senior management must actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.

Summing Up ...

The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.

Adhering to these guidelines can enhance financial institutions' resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services. 

ORA [Sustain] Questionnaires: Implement Training and Awareness

Implement Training and Awareness

What is Training and Awareness?

Training is a planned and organized activity to impart operational resilience skills, techniques and methodologies to all staff to assist them in establishing and maintaining their respective OR programs.

Awareness aims to focus attention and create an understanding of fundamental operational resilience concerns. It is knowing or having knowledge of something through alertness, observation, or interpretation of what is perceived with the primary senses.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the third stage of the Sustain phase: Implement Training and Awareness.


Audit Checklist for Implement Training and Awareness


1. Training Program Development

  • Is there a documented training program for operational resilience?
  • Are training objectives clearly defined and aligned with operational resilience goals?
  • Is the training program comprehensive and covers all relevant aspects of operational resilience?
  • Are training materials current and reflect the latest policies and procedures?
  • Is there a process for regularly evaluating and updating the training program?

Checklist

  • Review the documentation of the training program for operational resilience.
  • Assess the clarity and alignment of training objectives with operational resilience goals.
  • Evaluate the comprehensiveness of the training program in covering all relevant aspects.
  • Verify the currency of training materials and their alignment with the latest policies and procedures.
  • Determine whether a process exists for regular evaluation and updating of the training program.

2. Employee Training and Engagement

  • Have all relevant employees received training on operational resilience?
  • Is there a mechanism in place to track and monitor employee completion of training?
  • Are there methods to assess the effectiveness of the training program?
  • Is there employee engagement and participation in operational resilience initiatives?
  • Are there channels for employees to provide feedback and suggestions for improving operational resilience?

Checklist

  • Verify that all relevant employees have received training on operational resilience.
  • Assess the mechanism in place to track and monitor employee completion of training.
  • Evaluate the methods used to assess the effectiveness of the training program.
  • Determine employee engagement and participation in operational resilience initiatives.
  • Review the channels available for employees to provide feedback and suggestions for improvement.

3. Awareness Campaigns and Communication

  • Are there regular awareness campaigns to promote operational resilience?
  • Is there effective communication about operational resilience policies and procedures?
  • Are employees aware of their roles and responsibilities in operational resilience?
  • Is there clarity in communication regarding incident reporting and escalation procedures?
  • Are there channels for employees to report concerns and seek clarification on operational resilience matters?

Checklist

  • Assess the frequency and effectiveness of awareness campaigns promoting operational resilience.
  • Evaluate the clarity and effectiveness of communication about operational resilience policies and procedures.
  • Determine employee awareness regarding their roles and responsibilities in operational resilience.
  • Review the clarity of communication regarding incident reporting and escalation procedures.
  • Verify the availability of channels for employees to report concerns and seek clarification on operational resilience matters.

4. Training Effectiveness Evaluation

  • Is there a process to evaluate the effectiveness of the operational resilience training?
  • Are there metrics and performance indicators to assess the training program's impact?
  • Are there mechanisms to collect employee feedback regarding the training program?
  • Is there a process for analyzing training evaluation results and implementing improvements?
  • Are there mechanisms to track the application of learned knowledge and skills in operational resilience practices?

Checklist

  • Review the process for evaluating the effectiveness of the operational resilience training.
  • Assess the availability of metrics and performance indicators to assess the training program's impact.
  • Determine the existence of mechanisms to collect feedback from employees regarding the training program.
  • Evaluate the process for analyzing training evaluation results and implementing improvements.
  • Verify the existence of mechanisms to track the application of learned knowledge and skills in operational resilience practices.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

ORA [Plan] Questionnaires: Develop and Embed Governance

Develop and Embed Governance


What is Governance?

The need to embed operational resilience in the governance structure is essential.  

This will start with the board of directors and senior management, who will actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.

This section is the "Plan" phase of the Operational Resilience Planning Methodology.  It is the third stage of the Plan phase: Develop and Embed Governance.


Audit Checklist for Develop and Embed Governance


1. Governance Framework

  • Is there a documented governance framework in place for operational resilience? 
  • Has the framework been communicated to all relevant stakeholders?
  • Are roles and responsibilities clearly defined within the governance framework?

Checklist

  • Review the documented governance framework for operational resilience.
  • Evaluate if the framework aligns with industry best practices and regulatory requirements.
  • Assess the framework's effectiveness in providing clear roles, responsibilities, and decision-making authority.
  • Verify if the governance framework is communicated and understood by relevant stakeholders.
  • Check if there is a process to review and update the governance framework periodically.

2. Leadership and Accountability

  • Are senior management and executives actively involved in driving operational resilience? 
  • Is a designated individual or team responsible for overseeing the operational resilience program? 
  • Is there a reporting mechanism for the operational resilience program to senior management and the board?

Checklist

  • Assess the level of senior management and executive involvement in operational resilience initiatives.
  • Determine if a designated individual or team oversees and implements the operational resilience program.
  • Evaluate the communication channels between senior management, the operational resilience team, and other stakeholders.
  • Verify if there is a process to escalate operational resilience issues to senior management and the board.
  • Assess the effectiveness of leadership in promoting a culture of operational resilience throughout the organization.

3. Risk Assessment and Management

  • Has a comprehensive risk assessment been conducted to identify and prioritize operational risks?
  • Are risk mitigation strategies and controls in place to address identified risks?
  • Are risk management policies and procedures effectively communicated and implemented?

Checklist

  • Review the methodology and process used for conducting operational risk assessments.
  • Evaluate the comprehensiveness and accuracy of the identified risks.
  • Assess if there are clear risk mitigation strategies and controls in place.
  • Verify if risk management policies and procedures are effectively communicated and implemented.
  • Assess the monitoring and reporting mechanisms for identified risks and risk mitigation efforts.

4. Business Impact Analysis (BIA)

  • Has a BIA been conducted to assess the potential impact of disruptions on critical business processes?
  • Are the identified critical processes adequately documented?
  • Are there contingency plans and backup arrangements in place for critical processes?

Checklist

  • Review the BIA methodology and documentation to ensure it covers critical business processes and dependencies.
  • Verify if there is a process for identifying and prioritizing critical business processes. 
  • Assess if the BIA adequately addresses the potential impact of disruptions on critical processes.
  • Evaluate the existence and effectiveness of contingency plans and backup arrangements for critical processes.
  • Verify if the BIA is periodically updated to reflect organisational operations and risk landscape changes.

5. Incident Response and Recovery

  • Are there well-defined incident response plans for different types of operational disruptions?
  • Have tabletop exercises or simulations been conducted to test the effectiveness of the incident response plans?
  • Is there a process for documenting and reviewing lessons learned from incidents?

Checklist

  • Evaluate the existence and effectiveness of incident response plans for different operational disruptions.
  • Verify if the incident response plans are regularly tested, reviewed, and updated.
  • Assess the adequacy of incident escalation and communication procedures.
  • Review documentation of past incidents, including response actions and lessons learned.
  • Assess if there is a process for continuous improvement of incident response and recovery capabilities.

6. Testing and Exercising

  • Has a comprehensive testing program been established to validate the effectiveness of operational resilience measures?
  • Are different types of tests conducted, such as scenario-based testing, technology testing, or third-party testing?
  • Are test results documented, reviewed, and acted upon to enhance operational resilience?

Checklist

  • Assess the comprehensiveness and frequency of testing programs for operational resilience measures.
  • Review the test types, such as tabletop exercises, simulations, or technology testing.
  • Evaluate the documentation and remediation processes for identified issues during testing.
  • Assess if a process exists to capture and implement lessons learned from testing exercises.
  • Verify if the testing program is periodically reviewed and updated to align with threats and organizational changes.

7. Training and Awareness

  • Is there an ongoing training program to ensure employees understand their roles and responsibilities related to operational resilience?
  • Are employees aware of the key risks, controls, and incident response procedures?
  • Is there a mechanism to assess the effectiveness of training programs?

Checklist

  • Evaluate the training programs provided to employees on operational resilience. 
  • Assess if employees know their roles and responsibilities related to operational resilience.
  • Verify if there are training programs specifically tailored for different job roles and functions.
  • Assess the effectiveness of training programs through employee feedback and assessment mechanisms.
  • Evaluate the organization's communication channels for disseminating information on operational resilience.

8. Third-Party Management

  • Are there processes in place to assess the operational resilience of critical third-party vendors and service providers?
  • Is there ongoing monitoring of third-party resilience and the adequacy of their business continuity plans?
  • Is there a contingency plan to mitigate risks arising from third-party failures?

Checklist

  • Assess if there is a process for evaluating and managing the operational resilience of critical third-party vendors and service providers.
  • Review the documentation of due diligence processes for third-party selection and ongoing monitoring. 
  • Verify if there are contractual requirements for third parties to maintain operational resilience standards.
  • Assess if there are contingency plans and alternate arrangements to mitigate risks arising from third-party failures.
  • Review the monitoring and reporting mechanisms for third-party operational resilience.

9. Reporting and Metrics

  • Are there clear reporting mechanisms to provide regular updates on the status of operational resilience to relevant stakeholders? 
  • Are key performance indicators (KPIs) and metrics defined to measure the effectiveness of operational resilience efforts?
  • Are reports reviewed and acted upon to drive continuous improvement?

Checklist

  • Evaluate the reporting mechanisms to provide regular updates on operational resilience to relevant stakeholders.
  • Assess the adequacy of key performance indicators (KPIs) and metrics to measure operational resilience effectiveness.
  • Verify if reports are reviewed, acted upon, and used to drive continuous improvement.
  • Assess the availability and accuracy of data and information used for reporting.
  • Evaluate if reporting aligns with regulatory requirements and internal governance expectations.

10. Compliance and Regulatory Requirements

  • Are there processes to ensure compliance with relevant laws, regulations, and industry standards? 
  • Has the operational resilience program been subjected to external audits or regulatory examinations?
  • Are there mechanisms to track and address any deficiencies or non-compliance issues identified?

Checklist

  • Review the organization's processes for identifying and complying with relevant laws, regulations, and industry standards related to operational resilience.
  • Assess the effectiveness of controls and procedures in place to ensure compliance.
  • Verify if there is a process for monitoring regulation changes and updating operational resilience practices accordingly.
  • Assess the documentation and evidence of external audits or regulatory examinations related to operational resilience.
  • Review any identified deficiencies or non-compliance issues and the subsequent remediation efforts.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.