Operational Resilience Audit

What Are You Required to Complete for  Module 1 of the ORA-300 Programme?

Module 1: E-Learning

To complete Module 1 of the ORA-300 Operational Resilience Audit Specialist (ORAS) course.

Module 1 of the OR Audit Specialist/ Expert Course

Module 1 is the first of the [1] four-module for the ORA-5000 Blended Learning (BL-ORA-5) [2] two-module ORA-300 Blended Learning (BL-ORA-3) or [3] stand-alone module for the ORA-200 Blended Learning (BL-ORA-2) course.

Participants must attend a walk-through of one introduction to operational resilience (OR) and another module of the OR Implementation process. 

Learning Modules: Fundamentals of Operational Resilience Audit

1. Overview of Operational Resilience
2. Operational Resilience Terminology and Related Concepts
3. Operational Resilience Planning Methodology
4. Identify Critical Business Services
5. Map Processes and Resources
6. Set Impact Tolerance
7. Conduct Scenario Testing
8. Improve Lesson Learnt

The participant is required to spend about 1 hour per E-Learning sub-module

Note that Module 1 is also Module 1 (of 4) for participants attending the Blended Learning ORA-5000 course [BL-ORA-5] leading to the Operational Resilience Audit Expert (ORAE). At the same time, it is also Module 1 (of 2) for the Blended Learning ORA-300 [BL-ORA-3] leading to Operational Resilience Audit Specialist (ORAS).

Lastly, Module 1 can also be taken as a stand-alone OR-200 or BL-OR-2 course leading to Operational Resilience Certified Planner (ORCP).

The participant is required to spend about 8 hours. 

Click the "Course Content" button to learn more about this module's syllabus.

 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

	Please feel free to send us a note if you have any questions.

What Are You Required to Complete for Module 4 of the ORA-5000 Programme?

Module 4: Web Training and Discussion Workshop

To complete Module 4 of the ORA-5000 Blended Learning (ORA-5) course, participants must attend two 3-hour sessions. 

The participants must review and audit the OR requirements of an operational resilience program based on a case study organization.

Ensuing group discussions are conducted to crystallize the concepts, an experienced lead auditor facilitates their sharing of their challenges and learning.

In summary, participants should be able to:

• Determine audit findings of OR requirements
• Write audit reports
• Know the areas for follow-up and corrective actions after the audit

[M4-S1] Audit Review and Reporting

• Summarise Findings and Categorise Impact
• Prepare a Final Audit Report [Audit Reporting]

[M4-S2] Audit Follow-up

• Understand and Anticipate Challenges of Executing and Finalising the OR Audit [Audit Challenges]

The Sequence of A Typical Module 4 1/2 Day Session

A typical  1/2 day session consists of the following:

1. Pre-reading [Maximum of one hour]
   
   
2. Attend Facilitated Online Workshop [Maximum of three hours]

Managing the Operational Resilience Audit program includes the following core steps:

• Introduce Cultural Change Management
• Develop Communication Strategy
• Implement Training and Awareness 
• Provide Self-assessment
• Conduct Independent Quality Review 

1. Presentation and discussion with the facilitator [Three Hours]

Click the "Course Content" icon on the right to view the detailed course content of Module 4.

2 to 4 blog articles extracted from the chapters of A Manager’s Guide to Audit & Review Your Operational Resilience Program.

Participants are recommended to complete them before the session as it serves as  'bite-sized' background information, allowing participants to familiarize themselves with the concepts to be discussed. 

It would also assist participants in completing their assignment in the following  1 hour online session.

All Blended Learning ORA-5000 course participants are to attend two 3-hour sessions. The first 3-hour session would require them to participate in a facilitated online training session.

Facilitated by an industry practitioner and armed with the pre-reading knowledge, this session would need participants to focus on the detailed aspect of audit review and reporting:

• Write audit findings
• Present audit findings (severe findings resulting in non-compliance)
• Write and issue the final audit report
• Present final audit report
• Conduct exit or closing meeting

This would be followed by another 3-hour session on a different day where participants could wrap up the auditing of the case study and navigate how to coordinate and manage the closure of an audit report. 

The course will end with sharing and discussing the anticipated challenges of executing and finalising the OR Audit.

Both sessions are compulsory and run at the pre-determined online schedule. There would not be a repeat or substitute session for anyone who missed it.

Breakdown of Time Spent

Here is a breakdown of the time spent:

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses BL-ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the BL-ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

Please feel free to send us a note if you have any questions.

Module 3: Online Training and Discussion Workshop

To complete Module 3, participants must attend two half-day sessions of the OR audit implementation process. These are:

Before attending each of the two separate  1/2-day facilitated online workshops, the typical activities to complete the assignment are:

• developing the audit program or checklist;
• reviewing the stages of a typical BCM Audit planning process
• having access to the live BCMS portal.

Sequence of A Walkthrough of Each Session

1. Pre-reading [Maximum of one hour]
   • Review the OR planning methodology
   • Review the content of the BCMPedia for OR and OR Audit

1. Attending Facilitated Online Workshop [Maximum of three-hour]
   • Review and discuss the issues and challenges in developing an audit program (Financial / IT) or checklist
     

The content of Module 3 can be found by clicking on the "Course Content" icon.

[M3-S2] What is expected from Session 2 [S2] for Module 3 [M3] consists of the following:

1. Pre-reading  [Maximum of one hour]
   • OR Audit Planning Process [4 ten-minute articles]
     
     
2. Download the "Standardise Audit Program" template and complete the template [Maximum of one hour]
   
   • Develop an audit questionnaire in the audit checklist
     • You are strongly encouraged to attempt two significant stages of the "Implement" phase   as practice before attending class
       
       
3. Facilitated Online Workshop [Maximum of three hours]
   • Guide the review of the key deliverable of the BCM Audit planning process
   • Develop audit checklist/ program using the Standardise Audit Program template.
     
     

Pre-readings of at least 8 to 10 blogs or articles located in the eCampus are assigned for each session. Participants are recommended to complete them before the session as it serves as  'bite-sized' background information, allowing participants to familiarize themselves with the concepts to be discussed. 

It would also assist participants in completing their assignment in the following  1 hour online session.

[M3-S2] Once the schedule for the specific phase is confirmed, you will be notified to proceed to download the Audit Checklist template.  

Develop OR Audit Questionnaire within the Audit Program/ Checklist Template (Assignment) Before Attending the Facilitated Online Workshop

What if you are completing the form and do not understand the purpose or requirement of the field that you are completing?

Reference Guide: Refer to "A Manager's Guide to Review and Audit Your Operation Resilience Program [LITE]" and "A Manager's Guide to Implement Your Operation Resilience" as they provide a reasonably comprehensive explanation for each field as required in the template.

Sample Questionnaires: For auditor/ lead auditor course attendees, you are provided with a complete series of sample questions for all the clauses to assist you in developing the BM Audit questionnaires as "Pre-reading" titled Audit Questionnaires: Table of Content.

Objectives

The objective is to fully understand the purpose and requirements of each entry in the template before you attend the corresponding online workshop.

You may wonder why you are doing the assignment when the lesson has not yet been conducted.

It will also allow you to contextualize your business environment and ask related questions.

 

[M3-S2] Attend Facilitated Online Workshop

 

For the Module 3 course, participants must attend two 3-hour online workshop sessions.  All sessions are compulsory and run at the pre-determined online schedule. There would not be a repeat or substitute session for anyone who missed it.

These are the key features and deliverables of Module 3:

1. Develop OR Audit Program/ Checklist
2. Understand the OR Audit Planning Process 

Submit your completed "Audit Checklist" template to the facilitator within two days after finishing the Facilitated Online session M3-S2.  Do note that you should have completed version 1 of this template before you attend the Online session. 

 

Time Requirement

Module 3: Session 1 & 2

Three Hour (Per Session)

 

Breakdown of Time Spent

Here is a breakdown of the time spent for Module 3 for two 3-hour per session.

 

Module	Mode of Study	Hours
M3-S1	Web Training and Discussion Workshop 1-Hour Self Study (Pre-reading and review of the case study) 3-Hour Schedule Online Classes	4
M3-S2	Web Training and Discussion Workshop 1-Hour Self Study (Pre-reading and review of the case study) 1-Hour Preparation Assignment to complete the Audit Questionnaires 3-Hour Schedule Online Classes	5
	Total Hours	9

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 or ORA-300 Operational Resilience Audit Specialist and the ORA-5 or ORA-5000 Operational Resilience Audit Expert.

Please feel free to send us a note if you have any questions.

 

Internal vs External OR Auditing: Roles, Responsibilities and Ethics

While internal and external auditors contribute to assessing and strengthening operational resilience, their roles, responsibilities, and ethical considerations differ significantly.

Hence, it is helpful to understand the differences in roles, responsibilities and ethical considerations between IA and EA.

Internal Auditors (IA)

Roles of IA

• Independent assurance provider. Evaluating the effectiveness of existing resilience programs and controls within the organization.
• Risk consultant. Collaborating with business units to identify and mitigate operational risks impacting resilience.
• Process improvement advocate. Proposing recommendations to enhance OR posture and optimize processes.
• Change agent. Driving improvements in risk management culture and awareness across the organization.

Responsibilities of IA

• Conducting risk assessments and audits focused on operational resilience.
  Testing controls and processes designed to mitigate identified risks.
• Evaluating the adequacy and effectiveness of resilience plans and preparedness.
• Reporting findings and recommendations to management and relevant stakeholders.
• Monitoring and measuring the effectiveness of implemented improvements.

Ethical Considerations of IA

• Maintaining independence and objectivity: Avoiding undue influence from management or bias towards specific outcomes.
• Confidentiality: Protecting sensitive information obtained during audits while ensuring adequate reporting for oversight purposes.
• Competence and professional diligence: Continuously updating knowledge and skills to perform audits effectively and adhere to professional standards.
• Acting in the organisation's best interests: Balancing adherence to regulations with supporting the organization's long-term sustainability and ethical conduct.

External Auditors (EA)

Roles of EA

• Independent opinion provider: Offering an external perspective on the organization's overall risk management and resilience posture.
• Regulatory compliance assurer: Verifying adherence to relevant regulations and standards impacting operational resilience.
• Stakeholder assurance provider: Building confidence for investors, creditors, and other stakeholders regarding the organization's resilience capabilities.

Responsibilities of EA

• Conducting audits focused on specific regulatory requirements or contractual obligations related to operational resilience.
• Assessing the design and effectiveness of controls based on agreed-upon procedures.
• Reporting findings and opinions to relevant stakeholders, potentially including public disclosure.
• May not delve as deeply into operational details as internal auditors.

Ethical Considerations of EA

• Maintaining independence and objectivity. Avoiding conflicts of interest and undue influence from clients or regulators.
• Professional scepticism. Maintaining a critical questioning stance ensures audit conclusions are based on accurate and sufficient evidence.
• Confidentiality. Protecting sensitive information obtained during audits while fulfilling reporting requirements to designated parties.
• Communication and transparency. Communicating limitations and uncertainties associated with their audit findings and opinions.

Key Differences

• Focus.  Internal auditors focus on broader operational resilience within the organisation, while external auditors may have a narrower scope dictated by regulations or contracts.
• Reporting. Internal auditors report primarily to management and internal stakeholders, while external auditors report to their clients and potentially publicly.
• Depth of engagement. Internal auditors typically understand the organisation's internal workings and may conduct more in-depth assessments.
• Impact. Internal auditors directly impact internal change and improvement within the organisation, while external auditors provide assurance and may trigger regulatory consequences.

Collaboration and Coordination

While their roles and responsibilities differ, effective operational resilience relies on collaboration and coordination between internal and external auditors.

• Sharing information and insights. Internal auditors can provide external auditors valuable context and understanding of the organisation's operations and risk landscape.
• Joint assessments. In some cases, collaborative audits can leverage the strengths of both parties for a more comprehensive evaluation.
• Mutual respect and understanding. Recognising the value each type of auditor brings to building a robust operational resilience framework.

By understanding internal and external auditors' different roles, responsibilities, and ethical considerations, organisations can effectively leverage their combined expertise to assess and strengthen their operational resilience posture.

	Please feel free to send us a note if you have any of these questions.

Roles and Responsibilities of Operational Resilience Auditors

Operational resilience auditors ensure organisations can withstand disruptions and maintain critical operations. Their responsibilities involve diverse tasks, requiring a unique blend of technical expertise, communication skills, and problem-solving abilities.

Here is a breakdown of their key roles and responsibilities:

Assessment and Evaluation

• Identify and assess potential threats.   
  • Analyse various sources to understand internal and external factors that could disrupt critical operations.
    
    
• Evaluate existing resilience programs. 
  • Assess the effectiveness of existing controls, plans, and processes in mitigating identified risks.
    
    
• Perform risk assessments. 
  • Utilise various methodologies (e.g., scenario-based, data-driven) to quantify the likelihood and impact of potential disruptions.
    
    
• Conduct audits and investigations.
  • Analyse documentation, interview stakeholders, and test controls to evaluate program effectiveness and identify vulnerabilities.

Planning and Implementation

• Develop and recommend improvements. 
  • Based on their findings, propose enhancements to existing programs, controls, and processes.
    
    
• Collaborate with stakeholders. 
  • Engage with business units, risk management teams, and senior leadership to understand needs and ensure aligned recommendations.
    
    
• Develop and implement audit plans. 
  • Design the scope, objectives, and methodologies for conducting operational resilience audits.
    
    
• Manage and lead audit teams. 
  • Build, train, and motivate teams with diverse skill sets to achieve audit objectives effectively.

Communication and Reporting

• Communicate effectively. 
  • Present audit findings and recommendations clearly and concisely to various stakeholders, tailored to their needs and knowledge level.
    
    
• Prepare audit reports. 
  • Draft comprehensive and actionable reports documenting findings, conclusions, and recommendations, adhering to relevant standards and regulations.
    
    
• Facilitate discussion and action. 
  • Collaborate with stakeholders to address concerns, answer questions, and implement agreed-upon actions.

Continuous Improvement and Development

• Monitor and update assessments.
  • Keep updated with evolving threats, regulatory changes, and industry best practices, and refine assessments and recommendations accordingly.
    
    
• Stay informed about emerging trends. 
  • Learn and adapt continuously to new technologies, techniques, and methodologies in operational resilience auditing.
    
    
• Share knowledge and expertise. 
  • Contribute to the profession's development by sharing best practices, participating in professional organisations, and mentoring others.

Additional Responsibilities and Specific Role

• Third-party risk assessments. 
  • Evaluate the resilience of critical vendors and suppliers.
    
    
• Regulatory compliance audits. 
  • Ensure adherence to relevant regulations impacting operational resilience.
    
    
• Information security audits. 
  • Assess the cybersecurity posture of systems and controls related to operational resilience.

Summing Up ...

Overall, operational resilience auditors are critical in protecting organisations from disruptions and ensuring business continuity.

They require a comprehensive skill set, critical thinking abilities, and the ability to effectively communicate complex information to diverse stakeholders.

As the field evolves, their responsibilities will continue to adapt and expand, requiring continuous learning and development to address emerging challenges and effectively contribute to organisational resilience.

	Please feel free to send us a note if you have any of these questions.