Operational Resilience Audit

ORA [Plan] Questionnaires: Confirm Risk Appetite

What is Risk Appetite?

Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value. Its scope broadens further when viewed from an operational resilience perspective.

It reflects the organization’s risk management philosophy and influences its culture and operating style.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Plan phase: Confirm Risk Appetite.

Audit Checklist to Confirm Risk Appetite

1. Risk Appetite Framework

  • Is there a documented risk appetite framework in place?
  • Have senior management, and the board approved the risk appetite framework?
  • Does the risk appetite framework align with the organization's objectives and strategy?
  • Is the risk appetite framework effectively communicated throughout the organization?
  • Are risk appetite statements measurable and specific, allowing for meaningful risk assessments?
  • Are risk appetite limits clearly defined for different types of operational risks?
  • Are risk appetite limits regularly reviewed and updated to reflect changes in the business environment?
  • Is there a mechanism to monitor and report on adherence to risk appetite limits?

Checklist

  • Review the documented risk appetite framework and ensure it is easily accessible to relevant stakeholders.
  • Verify that senior management and the board have approved the risk appetite framework.
  • Evaluate the alignment of the risk appetite framework with the organization's overall objectives and strategy.
  • Assess the effectiveness of communication channels that convey the risk appetite framework to employees.
  • Review risk appetite statements, assess whether they are measurable and specific, and facilitate meaningful risk assessments.
  • Evaluate the clarity and specificity of risk appetite limits set for different types of operational risks.
  • Confirm that risk appetite limits are regularly reviewed and updated to reflect changes in the business environment.
  • Assess the availability of mechanisms to monitor and report on adherence to risk appetite limits.

2. Risk Identification and Assessment

  • Has the organization conducted a comprehensive identification of operational risks?
  • Are risk assessments conducted regularly to identify new and emerging risks?
  • Are risk assessments based on a combination of qualitative and quantitative factors?
  • Are risk assessments conducted consistently across all relevant business areas?
  • Are risk assessments aligned with the organization's risk appetite framework?
  • Are potential impacts on critical business processes and systems considered in risk assessments?
  • Is there a process to validate and review risk assessments conducted by different business units?
  • Do appropriate data and evidence support risk assessments?

Checklist

  • Evaluate the comprehensiveness of the organization's risk identification process.
  • Review documented risk assessments and evaluate if they cover various operational risks.
  • Assess the frequency of risk assessments to determine if they are conducted regularly and reflect current risks.
  • Verify that risk assessments consider both qualitative and quantitative factors in evaluating risks.
  • Review risk assessment processes across different business areas for consistency and standardization.
  • Confirm that risk assessments are aligned with the organization's risk appetite framework.
  • Evaluate if risk assessments consider potential impacts on critical business processes and systems.
  • Assess the process for validating and reviewing risk assessments conducted by different business units.

3. Risk Tolerance and Risk Mitigation

  • Has the organization established risk tolerance levels for different operational risks?
  • Are risk tolerance levels consistent with the risk appetite framework?
  • Are risk tolerance levels clearly defined and communicated to relevant stakeholders?
  • Is there a process to monitor and measure risks against established tolerance levels regularly?
  • Are risk mitigation strategies in place for risks exceeding the risk tolerance levels?
  • Are risk mitigation strategies aligned with the organization's risk appetite and overall strategy?
  • Are risk mitigation actions prioritized based on their potential impact on operational resilience?
  • Is there a mechanism to monitor and evaluate the effectiveness of risk mitigation measures?

Checklist

  • Verify the establishment of risk tolerance levels for different operational risks.
  • Assess the consistency of risk tolerance levels with the risk appetite framework.
  • Review the clarity and effectiveness of communication regarding risk tolerance levels to relevant stakeholders.
  • Evaluate the monitoring and measurement mechanisms to track risks against established tolerance levels.
  • Assess the effectiveness of risk mitigation strategies for risks exceeding the risk tolerance levels.
  • Confirm the alignment of risk mitigation strategies with the organization's risk appetite and overall strategy.
  • Assess the prioritization process for risk mitigation actions based on the potential impact on operational resilience.
  • Evaluate the availability of mechanisms to monitor and evaluate the effectiveness of risk mitigation measures.

4. Incident Management and Response

  • Does the organization have a documented incident management plan in place?
  • Is the plan regularly reviewed and updated to reflect changes in the business environment?
  • Are roles and responsibilities clearly defined for incident response teams?
  • Are there defined escalation procedures for different types of incidents?
  • Is there a process for identifying, assessing, and prioritizing incidents based on their potential impact?
  • Does the organization have a communication plan for notifying stakeholders about incidents?
  • Are there established metrics and thresholds for measuring the effectiveness of incident response activities?
  • Has the organization conducted post-incident reviews to identify areas for improvement?
  • Are incident response procedures aligned with the organization's risk appetite?

Checklist

  • Review the documented incident management plan and assess its alignment with the organization's risk appetite.
  • Evaluate whether the plan includes clear roles and responsibilities for incident response teams.
  • Assess the defined escalation procedures for different incidents and their alignment with risk appetite.
  • Verify the presence of a process for identifying, assessing, and prioritizing incidents based on potential impact and risk appetite.
  • Examine the communication plan for notifying stakeholders about incidents and assess its effectiveness in aligning with risk appetite.
  • Check if there are established metrics and thresholds for measuring the effectiveness of incident response activities and their alignment with risk appetite.
  • Evaluate whether the organization conducts post-incident reviews to identify areas for improvement and ensure they align with risk appetite.
  • Assess the alignment of incident response procedures with the organization's risk appetite.

5. Business Continuity Planning

  • Has the organization conducted a business impact analysis to identify critical business functions and their dependencies?
  • Are there documented business continuity plans in place for critical functions?
  • Have the plans been tested and validated to ensure their effectiveness?
  • Are there defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions?
  • Is there a process for regularly reviewing and updating the business continuity plans?
  • Are employees aware of their roles and responsibilities during business disruption?
  • Has the organization identified alternative work locations or facilities in case of a site failure?
  • Are there established communication channels and procedures for coordinating the execution of business continuity plans?
  • Are business continuity plans aligned with the organization's risk appetite?

Checklist

  • Review the business impact analysis to identify critical business functions and their dependencies.
  • Assess the presence and effectiveness of documented business continuity plans for critical functions.
  • Verify if the plans have been tested and validated to ensure their effectiveness aligns with risk appetite.
  • Evaluate the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions and their alignment with risk appetite.
  • Assess the process for regularly reviewing and updating the business continuity plans to ensure they align with risk appetite.
  • Evaluate the awareness among employees regarding their roles and responsibilities in the event of business disruption and their alignment with risk appetite.
  • Verify the identification of alternative work locations or facilities in case of site failure and their alignment with risk appetite.
  • Assess the communication channels and procedures for coordinating the execution of business continuity plans and their alignment with risk appetite.
  • Evaluate the alignment of business continuity plans with the organization's risk appetite.

6. Testing and Exercising

  • Has the organization conducted regular testing and exercising of its operational resilience plans?
  • Are different scenarios and incidents considered during testing, including worst-case scenarios?
  • Is there a process for capturing and documenting lessons learned from testing exercises?
  • Are test results and findings communicated to relevant stakeholders for review and remediation?
  • Are there established criteria for evaluating the effectiveness of testing exercises?
  • Based on testing results, has the organization addressed any identified deficiencies or gaps in the operational resilience plans?
  • Are testing and exercising activities aligned with the organization's risk appetite?

Checklist

  • Assess whether the organization conducts regular testing and exercising its operational resilience plans.
  • Evaluate if different scenarios and incidents, including worst-case scenarios, are considered during testing in alignment with risk appetite.
  • Verify the presence of a process for capturing and documenting lessons learned from testing exercises and their alignment with risk appetite.
  • Assess the communication of test results and findings to relevant stakeholders for review and remediation, aligning with risk appetite.
  • Verify the existence of established criteria for evaluating the effectiveness of testing exercises and their alignment with risk appetite.
  • Evaluate if the organization addresses identified deficiencies or gaps in operational resilience plans based on testing results and risk appetite.
  • Assess the alignment of testing and exercising activities with the organization's risk appetite.

7. Governance and Oversight

  • Does the organization have a designated governance body responsible for overseeing operational resilience?
  • Are governance responsibilities and decision-making authorities clearly defined?
  • Does governance regularly assess the organization's operational resilience strategy and plans?
  • Is there a process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs)?
  • Are there mechanisms to ensure compliance with applicable laws, regulations, and industry standards?
  • Does the organization have a risk appetite statement that includes operational resilience?
  • Are risk appetite thresholds and tolerances clearly defined for operational resilience?
  • Is there a process for regularly reviewing and updating the risk appetite statement?
  • Are governance and oversight activities aligned with the organization's risk appetite?

Checklist

  • Assess the presence of a designated governance body responsible for overseeing operational resilience.
  • Evaluate if governance responsibilities and decision-making authorities are clearly defined and align with risk appetite.
  • Review the regular review and assessment process for the organization's operational resilience strategy and plans, aligning with risk appetite.
  • Assess the process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs) in alignment with risk appetite.
  • Verify the mechanisms to ensure compliance with applicable laws, regulations, and industry standards, aligning with risk appetite.
  • Evaluate the presence and alignment of a risk appetite statement that includes operational resilience.
  • Assess the clarity and regular review process of risk appetite thresholds and tolerances for operational resilience.
  • Evaluate the overall alignment of governance and oversight activities with the organization's risk appetite.

Note that some steps may overlap or appear similar to those in other stages of the OR planning phases. Where this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Sustain] Questionnaires: Introduce Cultural Change

What is Cultural Change?

Organisational culture is not created by a memo or a decision from senior management; it develops over time and plays a crucial role in achieving organizational objectives, especially in the new area of operational resilience.

Amid rising expectations from key stakeholders, the executive management must foster an organizational culture of resilience to set appropriate expectations for critical stakeholders, including regulators, the board, customers, and employees.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology. It is the first stage of the plan phase: Introducing cultural change.

Audit Checklist for Introduce Cultural Change

1. Leadership and Governance

  • Are senior leaders actively promoting a culture of operational resilience?
  • Do leaders demonstrate a strong commitment to operational resilience initiatives?
  • Are there clear roles and responsibilities assigned to individuals responsible for operational resilience?
  • Is a governance structure in place to oversee and drive operational resilience efforts?

Checklist

  • Review leadership statements and communications to assess their emphasis on operational resilience and cultural change.
  • Evaluate the organization's mission and vision statements to determine if they incorporate operational resilience as a core value.
  • Assess the effectiveness of leadership in fostering a culture that values resilience, adaptability, and continuous improvement.
  • Review organizational policies and procedures to ensure they align with operational resilience objectives and promote cultural change.
  • Assess the level of leadership involvement in decision-making related to operational resilience.

2. Communication and Awareness

  • Is there a comprehensive communication strategy to promote operational resilience and cultural change?
  • Are employees aware of the organization's operational resilience objectives and their role in achieving them?
  • Are there effective communication channels to report potential risks or disruptions?
  • Are regular training sessions conducted to enhance awareness of operational resilience and its importance?

Checklist

  • Assess the clarity, consistency, and frequency of internal communications related to operational resilience.
  • Evaluate the accessibility and usability of reporting channels for employees to raise concerns or report incidents.
  • Review training programs and materials to address operational resilience and cultural change adequately.
  • Evaluate the effectiveness of communication methods to inform employees about changes in processes, procedures, or policies related to operational resilience.
  • Assess the feedback mechanisms to gauge employee understanding and engagement with operational resilience initiatives.

3. Risk Assessment and Management

  • Are comprehensive risk assessments conducted to identify potential vulnerabilities and disruptions?
  • Is there a systematic process to prioritize and mitigate identified risks?
  • Are risk management practices integrated into business decision-making processes?
  • Is there a mechanism in place to track and monitor risk mitigation efforts?

Checklist

  • Review the organization's risk assessment methodology and evaluate its effectiveness in identifying operational vulnerabilities.
  • Assess the documentation of identified risks, including their potential impact and likelihood.
  • Evaluate the organization's risk mitigation strategies and controls to address identified risks.
  • Review incident response plans and assess their alignment with identified risks and mitigation strategies.
  • Evaluate the process for monitoring and reporting on risk mitigation efforts, including key performance indicators (KPIs) and metrics.

4. Business Continuity Planning

  • Are there documented business continuity plans in place for critical processes?
  • Have the plans been tested and validated through simulations or real-life scenarios?
  • Is there a process to review and update the plans periodically?
  • Are there clear guidelines for employees to follow during disruptions?

Checklist

  • Review the completeness and comprehensiveness of business continuity plans for critical processes.
  • Assess the level of engagement and participation from relevant stakeholders in developing business continuity plans.
  • Evaluate the effectiveness of testing and validation processes for business continuity plans.
  • Review the process for reviewing and updating business continuity plans to ensure their relevance and effectiveness.
  • Assess the availability and accessibility of business continuity plans for employees during disruptions.

5. Incident Response and Recovery

  • Is there a well-defined incident response plan to address operational disruptions?
  • Are key personnel trained on the response plan and their roles during incidents?
  • Is there a process to evaluate the effectiveness of incident response efforts?
  • Are lessons learned from past incidents incorporated into the response plan?

Checklist

  • Evaluate the clarity and comprehensiveness of the incident response plan.
  • Assess the level of awareness and training provided to key personnel on their roles and responsibilities during incidents.
  • Review the documentation and analysis of past incidents to identify lessons learned and areas for improvement.
  • Assess the effectiveness of incident response drills and exercises to validate the response plan.
  • Evaluate the process for capturing feedback and making necessary adjustments to the incident response plan based on lessons learned.

6. Performance Measuring and Monitoring

  • Are key performance indicators (KPIs) established to measure operational resilience?
  • Is there a process to monitor and report on the KPIs regularly?
  • Are there mechanisms in place to identify and address performance gaps?
  • Is there a culture of continuous improvement regarding operational resilience?

Checklist

  • Assess the establishment of relevant KPIs and metrics to measure operational resilience.
  • Review the monitoring and reporting processes to track and communicate performance against established KPIs.
  • Evaluate the effectiveness of mechanisms to identify and address performance gaps or areas for improvement.
  • Assess the level of organizational commitment to a culture of continuous improvement in operational resilience.
  • Review the process for capturing and implementing feedback from performance monitoring activities.

7. Change Management

  • Is there a structured change management process in place for operational resilience initiatives?
  • Are changes communicated effectively to employees and stakeholders?
  • Is there a mechanism to assess the impact of changes on operational resilience?
  • Are lessons learned from change management experiences incorporated into future initiatives?

Checklist

  • Assess the presence of a formal change management process for operational resilience initiatives.
  • Review the effectiveness of communication strategies used to inform employees and stakeholders about changes related to operational resilience.
  • Evaluate the process for assessing and managing the impact of changes on operational resilience.
  • Assess the incorporation of lessons from previous change management experiences into future initiatives.
  • Review the documentation and tracking of changes to operational resilience practices and procedures.

8. Vendor and Third-Party Management

  • Is there a robust vendor management program to assess and manage third-party risks?
  • Are contractual agreements in place to ensure operational resilience expectations are met?
  • Is there a process to regularly evaluate and monitor vendor performance?
  • Are there contingency plans in case of disruptions caused by vendors or third parties?

Checklist

  • Assess the adequacy of the vendor management program in identifying and addressing third-party risks.
  • Review contractual agreements to ensure they incorporate operational resilience requirements and expectations.
  • Evaluate the process for assessing and monitoring vendor performance related to operational resilience.
  • Assess the availability and effectiveness of contingency plans in case of disruptions caused by vendors or third parties.
  • Review incident or disruption data related to vendors or third parties and evaluate the organization's response and recovery processes.

Note that some steps may overlap or appear similar to those in other stages of the OR planning phases. Where this occurs, the questionnaires and checklists must be contextualised to the topic under review.

OR [Sustain] Questionnaires: Conduct Independent Quality Reviews

What is an Independent Quality Review?

A significant part of an independent quality review revolves around audit and assurance. It contributes substantially to achieving organisational objectives and creating value for shareholders and stakeholders, especially when implementing operational resilience.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology. The fifth and final stage of the Sustain phase is to "Conduct Independent Quality Reviews."

Audit Checklist for Conduct Independent Quality Reviews

1. Documentation and Policy Review

  • Are operational resilience policies and procedures well-documented and up to date?
  • Is there evidence of a comprehensive operational resilience framework?
  • Are the policies and procedures aligned with industry best practices and regulatory requirements?
  • Are there clear guidelines and standards for operational resilience practices?
  • Is there evidence of senior management endorsement and approval of operational resilience policies?

Checklist

  • Review operational resilience policies and procedures documentation.
  • Assess the comprehensiveness and currency of the operational resilience framework.
  • Evaluate the alignment of policies and procedures with industry best practices and regulations.
  • Verify the presence of clear guidelines and standards for operational resilience practices.
  • Determine if senior management has endorsed and approved the operational resilience policies.

2. Training and Awareness

  • Has training on operational resilience been provided to employees at all levels?
  • Is there evidence of awareness campaigns and communication initiatives related to operational resilience?
  • Are training materials comprehensive and effectively communicated to employees?
  • Is there a mechanism to track and monitor employee completion of operational resilience training?
  • Are training programs periodically updated to reflect changes in operational resilience requirements?

Checklist

  • Verify the provision of operational resilience training to employees at all levels.
  • Assess the effectiveness of awareness campaigns and communication initiatives.
  • Evaluate the comprehensiveness and clarity of training materials.
  • Determine if there is a mechanism to track and monitor employee completion of training.
  • Review the process for updating training programs based on changes in requirements.

3. Testing and Exercise Evaluation

  • Have operational resilience plans and procedures been tested through exercises and simulations?
  • Is there a documented schedule for testing and exercising operational resilience capabilities?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?

Checklist

  • Review documentation of operational resilience testing and exercise plans.
  • Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
  • Assess the analysis of testing results to identify areas for improvement.
  • Verify the existence of mechanisms to track and follow up on corrective actions.
  • Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

4. Incident Response Evaluation

  • Is there an incident response plan in place for operational resilience incidents?
  • Has the incident response plan been tested and validated?
  • Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
  • Is there a designated incident response team and a straightforward escalation process?
  • Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?

Checklist

  • Review the incident response plan documentation for operational resilience incidents.
  • Evaluate the testing and validation activities conducted on the incident response plan.
  • Assess the clarity and accuracy of roles, responsibilities, and communication channels.
  • Verify the incident response team's existence and composition and escalation process.
  • Determine if there is a process for post-incident analysis and continuous improvement.

5. Compliance and Regulatory Requirements

  • Are there mechanisms to monitor and ensure compliance with operational resilience regulations?
  • Is there evidence of regular assessments and audits to evaluate compliance?
  • Are compliance gaps and deficiencies promptly addressed and remediated?
  • Are there documented processes to stay updated with evolving regulatory requirements?
  • Are there precise mechanisms for reporting and escalating non-compliance issues?

Checklist

  • Evaluate the mechanisms to monitor and ensure compliance with operational resilience regulations.
  • Review evidence of regular assessments and audits to evaluate compliance.
  • Assess the effectiveness of processes for addressing compliance gaps and deficiencies.
  • Verify the existence of processes to stay updated with evolving regulatory requirements.
  • Determine the clarity and effectiveness of mechanisms for reporting and escalating non-compliance issues.

Note that some steps may overlap or appear similar to those in other stages of the OR planning phases. Where this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Sustain] Questionnaires: Conduct and Provide Self-assessments

What is Self-assessment?

Self-assessment in operational resilience ensures that the regulated organisation captures and documents the steps taken towards operational resilience, and provides a comprehensive and objective evaluation of the organisation's strategy and overall ability to respond to disruptions.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Sustain phase: Provide Self-assessment.

Audit Checklist for Provide Self-assessments

1. Documentation and Policies

  • Are operational resilience policies and procedures well-documented and readily accessible?
  • Are the policies and procedures aligned with industry best practices and regulatory requirements?
  • Do the documented policies clearly define roles, responsibilities, and accountability for operational resilience?
  • Is there evidence of regular reviews and updates to the operational resilience documentation?
Checklist
  • Review the documentation of operational resilience policies and procedures.
  • Assess the alignment of policies with industry best practices and regulations.
  • Evaluate the clarity and completeness of roles, responsibilities, and accountability definitions.
  • Verify the existence of a process for regular reviews and updates to the documentation.

2. Risk Assessment and Analysis

  • Has a comprehensive risk assessment been conducted to identify and assess potential risks?
  • Are risks prioritized based on their potential impact and likelihood?
  • Are mitigation strategies and controls in place to address identified risks?
  • Is there a process for regularly monitoring and updating risk assessments?
Checklist
  • Evaluate the documentation of the risk assessment process.
  • Assess the comprehensiveness of the risk assessment, including identification and assessment of risks.
  • Verify the prioritization of risks based on impact and likelihood.
  • Review the documented mitigation strategies and controls.
  • Determine if there is a process for regularly monitoring and updating risk assessments.

3. Business Impact Analysis (BIA)

  • Has a thorough business impact analysis (BIA) been conducted to identify critical processes and systems?
  • Have the potential impacts of disruptions to critical processes and systems been assessed?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Are mitigation strategies and plans in place to ensure the timely recovery of critical processes?
Checklist
  • Review the business impact analysis (BIA) process documentation.
  • Evaluate the completeness and accuracy of the identification of critical processes and systems.
  • Assess the thoroughness of the assessment of potential impacts.
  • Verify the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Review the mitigation strategies and plans to ensure timely recovery.

4. Training and Awareness

  • Is there a training program in place to educate employees on operational resilience?
  • Are employees aware of their roles and responsibilities regarding operational resilience?
  • Are there mechanisms to track and monitor employee completion of operational resilience training?
  • Are there regular communication and awareness campaigns to promote a culture of operational resilience?
Checklist
  • Review the training program documentation for operational resilience.
  • Evaluate the effectiveness of the training in educating employees.
  • Assess the mechanisms in place to track and monitor employee completion of training.
  • Verify the existence of regular communication and awareness campaigns.
  • Determine the extent of the culture of operational resilience within the organization.

6. Testing and Exercise Evaluation

  • Have operational resilience plans and procedures been tested through exercises and simulations?
  • Is there a documented schedule for testing and exercising operational resilience capabilities?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
Checklist
  • Review the operational resilience testing and exercise plan documentation. 
  • Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
  • Assess the testing results analysis to identify improvement areas.
  • Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

7. Incident Response Evaluation

  • Is there an incident response plan for operational resilience incidents?
  • Has the incident response plan been tested and validated?
  • Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
  • Is there a designated incident response team and a straightforward escalation process?
  • Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?
Checklist
  • Review the incident response plan documentation for operational resilience incidents.
  • Evaluate the testing and validation activities conducted on the incident response plan.
  • Assess the clarity and accuracy of roles, responsibilities, and communication channels.
  • Verify the existence and composition of the incident response team and the escalation process.
  • Determine if there is a process for post-incident analysis and continuous improvement.

8. Continuous Improvement

  • Is there a process in place to monitor and review the effectiveness of the operational resilience program?
  • Are lessons learned from incidents, tests, and exercises incorporated into improvements?
  • Is there a mechanism to capture and address feedback and suggestions for operational resilience?
  • Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
  • Is there a culture of continuous improvement and learning within the organization?
Checklist
  • Evaluate the process for monitoring and reviewing the effectiveness of the operational resilience program.
  • Assess the incorporation of lessons learned from incidents, tests, and exercises into improvements.
  • Verify the existence of a mechanism to capture and address feedback and suggestions.
  • Review the metrics and performance indicators for measuring program effectiveness.
  • Determine the extent of the organization's continuous improvement and learning culture.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

OR [Sustain] Questionnaires: Develop Communication Strategy

Develop the Communication Strategy


What is a Communication Strategy?

A communication strategy is a guide or a plan that helps an organization share information and achieve its communication and business objectives.  In this case, the objective is the operational resilience initiative.

Executing the internal and external communication plans effectively and in a timely manner is essential to keeping customers and other stakeholders informed.


This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the second stage of the Sustain phase: Develop the Communication Strategy.

Audit Checklist for Developing the Communication Strategy


1. Stakeholder Identification

  • Have key stakeholders for operational resilience been identified?
  • Is there a clear understanding of each stakeholder group's communication needs and expectations?
  • Have internal and external stakeholders, including employees, customers, suppliers, and regulators, been considered?
  • Is there a process to regularly review and update the stakeholder list and their communication requirements?
Checklist
  • Review the documentation of stakeholder identification for operational resilience.
  • Assess the clarity and completeness of understanding each stakeholder group's communication needs and expectations.
  • Verify that both internal and external stakeholders have been considered.
  • Determine the existence of a process for regular review and update of the stakeholder list and their communication requirements.

2. Communication Objectives and Key Messages

  • Have communication objectives for operational resilience been defined?
  • Are there clear and concise key messages that must be communicated to stakeholders?
  • Do the key messages align with the operational resilience goals and priorities?
  • Is there a process to regularly review and update the communication objectives and key messages?
Checklist
  • Evaluate the documentation of communication objectives for operational resilience.
  • Assess the clarity and alignment of key messages with operational resilience goals and priorities.
  • Verify the existence of a process for regular review and update of the communication objectives and key messages.

3. Communication Channels and Tools

  • Are there appropriate communication channels to reach each stakeholder group effectively?
  • Have the advantages and limitations of different communication channels been considered?
  • Is there a mix of channels, including both traditional and digital, to ensure comprehensive communication?
  • Are there tools and platforms in place to facilitate efficient and secure communication?
Checklist
  • Assess the availability and suitability of communication channels for each stakeholder group.
  • Evaluate the advantages and limitations of different communication channels.
  • Verify the presence of a mix of traditional and digital channels for comprehensive communication.
  • Determine the availability and effectiveness of tools and platforms for efficient and secure communication.

4. Communication Plan Development

  • Is there a documented communication plan for operational resilience?
  • Does the communication plan include a timeline, responsibilities, and deliverables?
  • Are there mechanisms to ensure timely and consistent communication?
  • Are there processes in place to handle urgent and sensitive communications?
Checklist
  • Review the documentation of the communication plan for operational resilience.
  • Evaluate the inclusion of a timeline, responsibilities, and deliverables in the communication plan.
  • Verify the existence of mechanisms to ensure timely and consistent communication.
  • Determine the presence of processes to handle urgent and sensitive communications.

5. Measurement and Evaluation

  • Is there a process to measure and evaluate the effectiveness of communication activities?
  • Are there metrics and performance indicators to assess the impact of communication efforts?
  • Is feedback from stakeholders collected and analyzed to identify areas for improvement?
  • Are there mechanisms to monitor and address misconceptions or misinformation?
Checklist
  • Assess the existence of a process to measure and evaluate the effectiveness of communication activities.
  • Evaluate the availability of metrics and performance indicators to assess the impact of communication efforts.
  • Verify the collection and analysis of stakeholder feedback to identify improvement areas.
  • Determine the presence of mechanisms to monitor and address misconceptions or misinformation.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.
