Operational Resilience Audit


ORA Implement Phase Questionnaires: Map Processes and Resources

ORA [Implement] Questionnaires: Map Processes and Resources

Mapping of Processes and Resources


 

What is the Mapping of Processes and Resources?

Mapping is identifying, documenting and understanding the activities involved in delivering critical business services.

An organisation should identify, document and map the necessary people, processes, information, technology, facilities, and third-party service providers required to deliver each of its critical business services. This exercise should be undertaken collaboratively across the business to ensure comprehensive mapping.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the second stage of the Implement phase: Mapping of Processes and Resources.

Audit Checklist for Mapping of Processes and Resources

 

1. People

  • Are key roles and responsibilities clearly defined for supporting the delivery of products and services?
  • Is there an organisational structure that ensures appropriate staffing levels and reporting lines?
  • Are succession plans in place to mitigate risks associated with key personnel dependencies?
  • Is there a process for identifying and addressing skill gaps or training needs?
 

 

2. Processes

  • Are the critical processes for delivering products and services identified and documented?
  • Are there documented procedures and workflows for each critical process?
  • Are process owners assigned and accountable for the effectiveness and efficiency of the processes?
  • Is there a process for regularly reviewing and updating documented procedures?
 

 

3. Technology

  • Have the necessary technology systems and applications for delivering products and services been identified?
  • Is there a comprehensive inventory of technology assets, including hardware, software, and networks?
  • Are there backup and recovery procedures in place for critical technology systems?
  • Is there a process for monitoring and updating technology infrastructure to ensure reliability and security?
 

 

4. Facilities

  • Are the physical facilities required for delivering products and services identified?
  • Is there an assessment of the adequacy and reliability of the facilities?
  • Are contingency plans in place to address facility disruptions, such as alternate locations or remote work capabilities?
  • Is there a process for maintaining and testing the infrastructure and facilities?
 

 

5. Information

  • Is there a clear understanding of the information required to support the delivery of products and services?
  • Are systems and procedures in place to ensure information integrity, availability, and confidentiality?
  • Is there a backup and recovery strategy for critical information and data?
  • Are there mechanisms for regular data backups, testing of data restoration, and protection against data breaches?
 

 

6. Inter-dependencies and Inter-connections

  • Have the dependencies and interconnections among people, processes, technology, facilities, and information been identified and documented?
  • Is there an understanding of how disruptions to one resource can impact others?
  • Are there contingency plans in place to address disruptions in dependent resources?
  • Is there a process for regularly reviewing and updating the mapping of dependencies and interconnections?
 

 

7. Performance Monitoring

  • Is there a monitoring process to track the performance and availability of resources?
  • Are there defined metrics and indicators to measure the effectiveness and efficiency of resource utilisation?
  • Is there a reporting mechanism to communicate resource performance to relevant stakeholders?
  • Are there mechanisms to identify and address resource bottlenecks or capacity constraints?
 

 

8. Testing and Validation

  • Are resources tested and validated through exercises and simulations?
  • Is there a process to assess whether the resources can adequately support the delivery of products and services?
  • Are testing and validation results used to refine and improve resource mapping and related plans?

 

9. Documentation and Communication

  • Is the mapping of resources well-documented and easily accessible to relevant personnel?
  • Is there clear communication of roles, responsibilities, and dependencies among stakeholders?
  • Are there mechanisms to ensure resource mapping updates are effectively communicated to relevant parties?
  • Is there a process for addressing feedback and incorporating suggestions for resource optimisation?
 

 

10. Continuous Improvement

  • Is there a process to capture and incorporate lessons learned from disruptions into resource mapping and planning?
  • Is there a culture of continuous improvement to enhance the organisation's ability to deliver products and services?
  • Are resource mapping and planning regularly reviewed to ensure they remain aligned with the organisation's objectives and evolving needs?

 

Note that some steps may overlap with the other "Implement" phase stages.

 

Questionnaires and Checklist "Implement" Phase

  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt

 

Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]


Please feel free to send us a note if you have any questions.

Email to Sales Team [BCM Institute]

ORA Implement Phase Questionnaires: Identify Critical Business Services

ORA [Implement] Questionnaires: Identify Critical Business Services


Identify Critical Business Services

 

 

What are Critical Business Services?

A Critical Business Service is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:

  • cause intolerable harm to any one or more of the organisation’s clients or
  • pose a risk to the soundness, stability or resilience of the industry, such as the financial industry, its system or the orderly operation of the markets.

This section is the "Implement" phase of the Operational Resilience Planning Methodology. It is the first stage of the Implement phase: Identify Critical Business Services.

Audit Checklist for Identifying Critical Business Services

 

1. Documentation and Governance

  • Are there documented policies, procedures, and guidelines related to critical business services?
  • Is a comprehensive operational resilience program outlining objectives, scope, roles, and responsibilities in place?
  • Is there a governance structure, such as oversight committees and reporting mechanisms, to ensure effective operational resilience management?
 
Checklist
  • Verify that a comprehensive operational resilience program outlines objectives, scope, roles, and responsibilities.
  • Review documentation of policies, procedures, and guidelines related to critical business services.
  • Assess the adequacy of governance structures, including oversight committees and reporting mechanisms.

2. Business Impact Analysis (BIA)

  • Has a business impact analysis (BIA) been conducted to identify critical business services and their dependencies?
  • How is the impact of disruptions on critical services assessed? What methodology is used?
  • Are the potential financial, operational, and reputational impacts of disruptions to critical business services assessed?
  • Are the BIA documentation and results accurate, up-to-date, and accessible to relevant stakeholders?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for each critical business service?
Checklist
  • Review the BIA process for identifying critical business services and their dependencies.
  • Evaluate the methodology used to assess the impact of disruptions on critical services.
  • Validate the accuracy and currency of the BIA documentation.

3. Business Continuity (BC) Planning

  • Are there business continuity (BC) plans for critical business services?
  • Do the BC Plans align with the objectives of the operational resilience program?
  • Do the BC Plans include clear roles, responsibilities, and escalation procedures?
 
Checklist
  • Review the existence and completeness of BC Plans for critical business services.
  • Are BC Plans in place for each critical business service?
  • Assess the alignment of BC Plans with the objectives of the operational resilience program.
  • Validate that BC Plans include clear roles, responsibilities, and escalation procedures.
  • Have the BC Plans been tested and validated?
  • Are the BC Plans documented and easily accessible to relevant personnel?
  • Are there clearly defined procedures for invoking and executing the BC Plans?

4. Incident Response and Management

  • Is there an incident management framework tailored explicitly for critical business services?
  • Are there documented incident response procedures for critical business services?
  • Are roles and responsibilities clearly defined for managing incidents related to critical business services?
  • Is there a process to track and report incidents related to critical business services?
  • Is there an incident response and management framework for critical business services?
  • Are incident response plans in place, and do they align with the operational resilience program?
  • Are incident response plans regularly tested, updated, and communicated to relevant stakeholders?
 
Checklist
  • Evaluate the incident response and management framework for critical business services.
  • Assess the effectiveness of incident response plans and their alignment with the operational resilience program.
  • Verify that incident response plans are regularly tested, updated, and communicated to relevant stakeholders.

5. Communication and Stakeholder Management (During Disruption)

  • Is there a communication plan to keep stakeholders informed during disruptions to critical business services?
  • Are there established communication channels to reach internal and external stakeholders?
  • Is there a process to prioritise and communicate with stakeholders based on the severity and impact of the disruption?
  • Are there effective communication channels and protocols during disruptions to critical business services?
  • Are communication plans in place and regularly updated?
 
Checklist
  • Assess the effectiveness of communication channels and protocols during disruptions.
  • Review the training and awareness programs related to operational resilience for employees.
  • Verify that communication plans are in place and regularly updated.

6. Vendor Management

  • Is there a process for assessing and monitoring the resilience of critical third-party vendors?
  • Are contracts and service level agreements (SLAs) with vendors inclusive of appropriate resilience requirements?
  • Are vendor management processes aligned with the operational resilience program?
Checklist
 
  • Evaluate the process for assessing and monitoring the resilience of critical third-party vendors.
  • Review contracts and service level agreements to ensure they include appropriate resilience requirements.
  • Verify that vendor management processes are aligned with the operational resilience program.

7. Change Management

  • Is there a change management process for critical business services?
  • Are change requests, approvals, and testing procedures adequately documented?
  • Does the change management process consider the potential impact on operational resilience?
 
Checklist
  • Assess the change management process for critical business services.
  • Review documentation of change requests, approvals, and testing procedures.
  • Verify that change management procedures consider the potential impact on operational resilience.

8. Reporting and Metrics

  • Is there a reporting framework for operational resilience, including key performance indicators (KPIs) and metrics?
  • How frequently are reports provided to management and relevant stakeholders?
  • Are the metrics aligned with the objectives of the operational resilience program?
 
Checklist
  • Evaluate the reporting framework for operational resilience, including key performance indicators (KPIs) and metrics.
  • Assess the frequency and content of reports provided to management and relevant stakeholders.
  • Verify that metrics are aligned with the objectives of the operational resilience program.

9. Testing and Exercising

  • Are the dependencies and interconnections of critical business services identified?
  • Has the organisation mapped the dependencies between critical business services and supporting functions, systems, and vendors?
  • Are business continuity or crisis management plans in place to address disruptions in independent services?
  • Are regular testing and exercising of critical business services conducted?
  • Are the testing and exercising scenarios designed to simulate realistic disruptions?
  • Are the lessons learned from testing and exercises used to improve the operational resilience of critical business services?
Checklist
  • Review the testing and exercise program for critical business services.
  • Assess the frequency and comprehensiveness of testing, including scenario-based simulations.
  • Validate that lessons learned from testing and exercises are documented and incorporated into the operational resilience program.
 
Some steps may overlap with the other "Implement" phase stages.

 


 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.

FAQ on ORA-5000 Blended Learning [ORA-5] Course

FAQ on ORA-5000 OR Audit Expert [ORA-5] Course


This page aims to clarify any further doubts you may have about attending the ORA-5000 Operational Resilience Audit Expert [ORA-5] Course.


What is included in the course fee?

The course fee, in Singapore Dollars (SGD), is:

  • 3,850 [Blended Learning] or
  • 4,150 [Hybrid Learning]

The fees include:
During the course:
  • Access to the complete set of soft copy handbooks and templates.
  • Note that hard copies of the handbook/ templates are only provided for a classroom-based course.
After the course:
  • The award of an ORCP e-certificate (upon completion of module 4 and passing the examination conducted at the end of the course)
  • Review of assessments
Not Included (Unless specified to be included in the quotation/ invoice)
  • ORAE application processing fees of Singapore Dollars (SGD) 150

However, note that the ORAE application must be completed within three months from the notification of passing the ORA-5000 course.

An application processing fee of SGD 150 will be payable for the application for ORAE certification.  Please opt for processing fees included in the invoice if you apply for the certification.

Do I have to complete Module 1 first before joining the rest of the Modules?

  • Yes. Modules 1 and 2 are compulsory as they form the initial assessment for the "grounding" of operational resilience knowledge.  
  • Once you have completed Module 1, you will attend Modules 2, 3, and 4.
  • The successful completion of the course will allow the participants to be awarded the "Operational Resilience Certified Planner" certification.
  • The participant will apply for their ORAS or ORAE based on their relevant experience with Operational Resilience Audit or related experiences, such as operational resilience, business continuity management, crisis management, IT disaster recovery or cybersecurity.
Do I need to complete the ORAE exam while attending a Blended Learning course?
  • Yes
I noticed that the course is held on Asian timing. Is there a session time for me, as I reside outside the Asia Pacific region?
  • The timing of the sessions is catered for two zones:
    • US/ Europe/ Middle East
    • Asia Pacific
 
Class Starting at 2 pm (GMT+8).  Beware of daylight saving time in your region.
 
The time of the 3-hour online workshop is set at Singapore Timing, which is Greenwich Mean Time (GMT) + 8 hours.
  • 2:00 (pm) Singapore (SG) Time is 11:30 (am) as Mumbai is GMT+5.5 Hours
  • 2:00 (pm) Singapore (SG) Time is 10:00 (am) as Dubai is GMT-4 Hours

Class Starting at 9 pm (GMT+8).  The course schedule or "RUN" will have an "A" suffix, e.g. RUN 4A. Beware of daylight saving time in your region.
  • 9:00 (pm) Singapore (SG) Time is 1 pm as London is GMT+0 Hours
  • 9:00 (pm) Singapore (SG) Time is 9 am as New York is GMT-12 Hours
What is so special about this course?

The ORA-5000 [ORA-5] Blended Learning is the first course aligned and developed for Operational Resilience Audit.
What Certificates will I Receive Upon Completing the Course?

As the blended learning course ORA-5000 is conducted over eight weeks (elapsed), you can expect to receive a certificate of completion (COC) and an initial "Operational Resilience Certified Planner" certification on completion of the course.

Learn more by reading about What Certificates I will receive After Completing ORA-5000 (Blended Learning). After completing the course, you will apply for your specialist or expert-level certification subject to your prior related experience.

Let us know if you need further clarification; we'll gladly help.

Can I attend more than one blended learning course at any given time?

Yes, you can, provided you ensure that the blended learning courses you signed up for do not have clashing schedules.

 


Pre-Requisites and Certifications

What do I need to do to attend the course?

You would need to make an upfront payment of SGD 3,850. Payment can be made via PayPal, Credit Card, Cheque and Bank/Telegraphic Transfers.

What do I need, in terms of technical specifications, to attend the course?

You need a stable internet connection for the Facilitated Online Workshop and Web Training and Discussion Workshops.

What is the pre-requisite for the course?

There is no pre-requisite for the course. Anyone who has an interest in Operational Resilience Audit is welcome to join.

What certification do I get when I finish the course, and is the certificate awarded the same as the one from a "brick and mortar" course?

You would be awarded the Operational Resilience Certified Planner (ORCP) certificate, the same internationally recognised certificate you would get if you have attended, completed and passed the Qualifying Operational Resilience Certified Audit Expert (ORAE) certificate.

Blended Learning Regulations

Can I only attend the modules I like, or must I complete all components?

No, this is not possible, as the modules are linked, and failure to complete each module would not allow you to obtain the internationally recognised Operational Resilience Certified Planner and, eventually, the Operational Resilience Audit Expert (ORAE)*.

*See the Operational Resilience Audit Expert certification prerequisites for details.

What happens if I attend half of the learning and fail to complete the other half within the three weeks given? Do I still get a certificate, or must I re-register and pay to attend the whole course again from Day 1?

Where you stop in your blended learning journey will determine whether you will get a certificate.

For re-registration queries, do contact our friendly course consultants at sales.ap@bcm-institute.org, who would be able to guide you based on your situation.

Can I opt out of blended learning halfway and rejoin a brick-and-mortar class later?

The course is not structured to allow such changes. The only option is if you choose Hybrid Learning, where you can attend Modules 3 and 4 onsite, provided you have completed Modules 1 and 2 online. The course fee is marginally different.

If I already earned and am an ORCP certificate holder, can I do part of the course?

You can only join from Module 2, as the pre-requisite to attend Modules 3 and 4 is the completion of Module 2.

 

 


 

 

More Information About Blended Learning ORA-5000 [BL-ORA-5] or ORA-300 [BL-ORA-3]

Contact our friendly course consultant colleagues to know more about our blended learning program and when the next course is scheduled.


If you have any questions, click to contact us.

Email to Sales Team [BCM Institute]
