Operational Resilience Audit

Returning to the New Normal

BCM Institute is reintroducing its on-site courses. However, due to extensive training and development enhancement work on our courses, the first two modules continue to be offered online.

We have observed and learned that the grounding of BCM works best with some self-paced work and preparatory work undertaken by each participant. 

This is independent of the experience level. Module 1 is the "Know" competency, and Module 2 is the "Do" competency, which is completed over four weeks before commencing Modules 3 and 4.

Operational Resilience Audit Courses

These operational resilience audit (ORA) courses are designed with BCM professionals operating globally in mind.

Courses are available as Blended Learning (100% Online) as well as Hybrid Learning (50% Online and 50% Onsite) and are divided into three levels of competencies:

At the end of each course, participants would be assessed through assessments and examinations to ascertain his/her level of competency.

They can look forward to receiving an internationally recognised OR certification through any of our OR certification courses.

Overview of the ORA-400 Operational Resilience Audit Manager Course

BCM Institute’s ORA-400 course is conducted in two modules over four weeks. Module 3 and Module 4 are the ORA-400 Operational Resilience Audit Manager* or the ORA-5000 Operational Resilience Audit Expert courses.

*Please be informed that you must complete the ORA-300 OR Audit Specialist course or BL-ORA-3 before starting the ORA-400 course.

This protracted time frame for this blended learning course allows one to understand the concepts taught in digestible bite sizes with targeted online interactions. Care and consideration have been implemented to ensure that the content and syllabus taught are of the same standard and rigour as our onsite classes.

You will learn the same syllabus and be taught by the same industry practitioners as you would onsite. The same practitioner will be available to you during the scheduled online classes.

The roadmap above provides a snapshot of the programme's content. It is divided into modules 3 to 4.  

Below is a snapshot of what you can expect from the programme. It is divided into the respective modules 3 to 4.  Find out each module's syllabus by clicking any of the two [Course Content] buttons.  The content has been carefully crafted to ensure that your participation and outcome match each day of the ORA-5000 Operational Resilience Audit Expert competency level.  Click any of the two buttons [Course Requirement] to learn more about your participation and involvement in this course.

The course fee is SGD 2,400 for 100% online and SGD 2,700 for onsite, payable before the class starts. 

Module
Course Content
Course Requirement

Welcome to the frequently asked questions or FAQ for BCM Institute's ORA-300 Blended Learning course.

Should I attend ORA-300 or ORA-5000?

This is the course to attend if you are exploring to understand operational resilience audit.

However, if you are designated as part of the ORA audit team, proceed to attend the ORA-5000 course.  The OR Audit Expert or ORA-5000 course will provide the participants with a complete framework to plan for the ORA initiative, implement the ORA program, and sustain the ORA program.

For our colleagues operating in financial institutions, OR-5000 should be your pre-requisite.

ORA-5000 Operational Resilience Audit Expert (ORAE) Training Roadmap

[Module 2] 

Emerging Trends in Operational Resilience Auditing: A 2024 Report

Operational resilience has become a top priority for organizations across industries, prompting the rise of specialized auditing practices.

This report explores key emerging trends shaping the landscape of operational resilience auditing in 2024.

1. Increased Regulatory Scrutiny

Regulatory bodies worldwide are implementing stricter requirements for operational resilience, mandating regular audits and stress testing exercises. This drives demand for skilled auditors familiar with relevant regulatory frameworks.

2. Focus on Third-Party Risk Management

Modern businesses' interconnectedness amplifies third-party vulnerabilities' impact. Audits increasingly scrutinize third-party contracts, risk management procedures, and control environments to ensure supply chain resilience.

3. Integration with Cybersecurity Audits

The convergence of cyber and operational risks necessitates combined audits examining IT infrastructure, data security, and incident response capabilities alongside traditional operational resilience assessments.

4. Adoption of Technology-Assisted Auditing

Advanced analytics, artificial intelligence (AI), and automation are transforming how audits are conducted. These tools enable auditors to analyze vast datasets, identify hidden patterns, and streamline data collection, freeing time for deeper analysis and judgment.

5. Shift Towards Scenario-Based Testing

Static assessments give way to dynamic scenario-based testing that simulates real-world disruptions. This approach helps organizations refine their resilience plans and identify vulnerabilities under pressure.

6. Evolving Threat Landscape

Auditors must stay informed about emerging threats like climate change, geopolitical instability, and cyberattacks, continuously adapting their methodologies to address these dynamic risks.

7. Growing Demand for Skilled Professionals

The burgeoning field of operational resilience auditing creates a talent gap.

Training and certification programs are crucial to upskill existing professionals and attract new talent to meet the rising demand.

8. Emphasis on Business Continuity Management (BCM) Integration

Effective operational resilience relies on integrating resilience principles into existing BCM frameworks.

Auditors focus on ensuring BCM programs align with organizational objectives and address emerging threats.

9. Continuous Improvement and Learning

Operational resilience is an ongoing journey, not a destination.

Audits should emphasize the importance of continuous improvement, learning from incidents, and adapting resilience plans based on evolving threats and organizational changes.

10. International Collaboration and Harmonization

Harmonization across jurisdictions and industries is critical as regulations and best practices evolve.

International collaboration among regulators, auditors, and professional bodies is gaining momentum to facilitate knowledge sharing and consistent approaches.

By staying informed about these trends, audit professionals can adapt their practices, embrace new technologies, and contribute to building robust and adaptable operational resilience for organizations in the face of ever-changing risks.

What Are You Required to Complete for  Module 1 of the ORA-300 Programme?

Module 1: E-Learning

To complete Module 1 of the ORA-300 Operational Resilience Audit Specialist (ORAS) course.

What Are You Required to Complete for Module 4 of the ORA-5000 Programme?

Module 4: Web Training and Discussion Workshop

To complete Module 4 of the ORA-5000 Blended Learning (ORA-5) course, participants must attend two 3-hour sessions. 

The participants must review and audit the OR requirements of an operational resilience program based on a case study organization.

Ensuing group discussions are conducted to crystallize the concepts, an experienced lead auditor facilitates their sharing of their challenges and learning.

In summary, participants should be able to:

• Determine audit findings of OR requirements
• Write audit reports
• Know the areas for follow-up and corrective actions after the audit

[M4-S1] Audit Review and Reporting

• Summarise Findings and Categorise Impact
• Prepare a Final Audit Report [Audit Reporting]

[M4-S2] Audit Follow-up

• Understand and Anticipate Challenges of Executing and Finalising the OR Audit [Audit Challenges]

Internal vs External OR Auditing: Roles, Responsibilities and Ethics

While internal and external auditors contribute to assessing and strengthening operational resilience, their roles, responsibilities, and ethical considerations differ significantly.

Hence, it is helpful to understand the differences in roles, responsibilities and ethical considerations between IA and EA.

Internal Auditors (IA)

Roles of IA

• Independent assurance provider. Evaluating the effectiveness of existing resilience programs and controls within the organization.
• Risk consultant. Collaborating with business units to identify and mitigate operational risks impacting resilience.
• Process improvement advocate. Proposing recommendations to enhance OR posture and optimize processes.
• Change agent. Driving improvements in risk management culture and awareness across the organization.

Responsibilities of IA

• Conducting risk assessments and audits focused on operational resilience.
  Testing controls and processes designed to mitigate identified risks.
• Evaluating the adequacy and effectiveness of resilience plans and preparedness.
• Reporting findings and recommendations to management and relevant stakeholders.
• Monitoring and measuring the effectiveness of implemented improvements.

Ethical Considerations of IA

• Maintaining independence and objectivity: Avoiding undue influence from management or bias towards specific outcomes.
• Confidentiality: Protecting sensitive information obtained during audits while ensuring adequate reporting for oversight purposes.
• Competence and professional diligence: Continuously updating knowledge and skills to perform audits effectively and adhere to professional standards.
• Acting in the organisation's best interests: Balancing adherence to regulations with supporting the organization's long-term sustainability and ethical conduct.

External Auditors (EA)

Roles of EA

• Independent opinion provider: Offering an external perspective on the organization's overall risk management and resilience posture.
• Regulatory compliance assurer: Verifying adherence to relevant regulations and standards impacting operational resilience.
• Stakeholder assurance provider: Building confidence for investors, creditors, and other stakeholders regarding the organization's resilience capabilities.

Responsibilities of EA

• Conducting audits focused on specific regulatory requirements or contractual obligations related to operational resilience.
• Assessing the design and effectiveness of controls based on agreed-upon procedures.
• Reporting findings and opinions to relevant stakeholders, potentially including public disclosure.
• May not delve as deeply into operational details as internal auditors.

Ethical Considerations of EA

• Maintaining independence and objectivity. Avoiding conflicts of interest and undue influence from clients or regulators.
• Professional scepticism. Maintaining a critical questioning stance ensures audit conclusions are based on accurate and sufficient evidence.
• Confidentiality. Protecting sensitive information obtained during audits while fulfilling reporting requirements to designated parties.
• Communication and transparency. Communicating limitations and uncertainties associated with their audit findings and opinions.

Key Differences

• Focus.  Internal auditors focus on broader operational resilience within the organisation, while external auditors may have a narrower scope dictated by regulations or contracts.
• Reporting. Internal auditors report primarily to management and internal stakeholders, while external auditors report to their clients and potentially publicly.
• Depth of engagement. Internal auditors typically understand the organisation's internal workings and may conduct more in-depth assessments.
• Impact. Internal auditors directly impact internal change and improvement within the organisation, while external auditors provide assurance and may trigger regulatory consequences.

Collaboration and Coordination

While their roles and responsibilities differ, effective operational resilience relies on collaboration and coordination between internal and external auditors.

• Sharing information and insights. Internal auditors can provide external auditors valuable context and understanding of the organisation's operations and risk landscape.
• Joint assessments. In some cases, collaborative audits can leverage the strengths of both parties for a more comprehensive evaluation.
• Mutual respect and understanding. Recognising the value each type of auditor brings to building a robust operational resilience framework.

By understanding internal and external auditors' different roles, responsibilities, and ethical considerations, organisations can effectively leverage their combined expertise to assess and strengthen their operational resilience posture.