Operational Resilience Audit

Posts about:

ORAE (4)

ORA: Data Collection

ORA Planning [2] Data Collection

Operational Resilience Audit Planning Step

Data Collection


Detailed Data Collection Steps

When collecting data during an operational resilience audit, gathering comprehensive and reliable information to assess the organisation's resilience capabilities is crucial. 

The following are detailed steps for the conduct of data collection:

  1. Review Documentation
  2. Conduct Interviews
  3. Observe Processes and Activities
  4. Data Sampling
  5. Analyse Incident Data
  6. Assess Testing and Exercising
  7. Data Validation
  8. Analyse Quantitative Data
  9. Document Findings
  10. Maintain Confidentiality and Security
  11. Seek Clarification and Additional Information
  12. Review and Validate Data Collection

Review Documentation

  • Examine relevant documentation, such as business impact analyses, risk assessments, incident response plans, business continuity plans, and testing reports.
  • Evaluate these documents' adequacy, completeness, and effectiveness in addressing operational resilience.

Conduct Interviews

  • Schedule interviews with key personnel responsible for operational resilience, such as business unit managers, IT managers, risk managers, and incident response team members.
  • Prepare a list of interview questions covering various operational resilience aspects, including preparedness, response and recovery, governance, and monitoring.

Observe Processes and Activities

  • Observe critical processes, operations, and activities related to operational resilience. 
    •  This may involve attending meetings, walkthroughs, or simulations. 
  • Take notes and gather information about the organisation's response mechanisms, decision-making processes, and communication strategies during disruptions.

Data Sampling

  • Select a representative sample of incidents, disruptions, or crises the organisation has experienced.
  • Analyse these cases to understand the organisation's response, recovery efforts, and the effectiveness of existing plans and procedures.
  • Ensure the sample includes both successful and unsuccessful responses.

Analyse Incident Data

  • Review incident logs, reports, and incident management databases to identify trends, recurring issues, and lessons learned.
  • Analyse the organisation's ability to detect, respond to, and recover from incidents effectively.
  • Look for patterns and indicators of weaknesses or areas requiring improvement.

Assess Testing and Exercising

  • Evaluate the organisation's testing and exercising mechanisms by reviewing testing plans, reports, and outcomes.
  • Examine the scope, frequency, and realism of the exercises conducted.
  • Assess the effectiveness of these activities in identifying vulnerabilities, validating response plans, and improving resilience capabilities.

Data Validation

  • Cross-reference and validate the data collected from various sources to ensure accuracy and reliability.
  • Seek supporting evidence, such as documented procedures, incident reports, or system logs, to verify the information gathered during interviews or observations.

Analyse Quantitative Data

  • Analyse quantitative data related to operational resilience, such as key performance indicators (KPIs), metrics, or benchmarks.
  • Assess trends, performance levels, and deviations from targets to identify areas of concern or improvement opportunities.

Document Findings

  • Record all relevant findings, observations, and insights from the data collection process.
  • Document gaps, weaknesses, or non-compliance with regulatory requirements or industry best practices.
  • Include supporting evidence and examples to strengthen the audit findings.

Maintain Confidentiality and Security

  • Ensure that all data collected and analysed during the audit process are kept confidential and stored securely.
  • Adhere to data protection and privacy policies to safeguard sensitive information.

Seek Clarification and Additional Information

  • Request additional information, clarification, or validation from stakeholders or subject matter experts to ensure a comprehensive understanding of the organisation's operational resilience practices.

Review and Validate Data Collection

  • Review the collected data and validate its accuracy and completeness.
  • Verify that all relevant aspects of operational resilience have been adequately addressed and documented.

 

By following these detailed steps for data collection, the operational resilience audit can gather reliable and comprehensive information, enabling a thorough assessment of the organisation's resilience capabilities.

Operational Resilience Audit Planning Steps: Stage 1 Planning, Stage 2 Data Collection, Stage 3 Analysis, Stage 4 Summarise Findings, Stage 5 Reporting
Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]

 


Please feel free to send us a note if you have any of these questions.

Email to Sales Team [BCM Institute]

ORA: Audit Planning

ORA Planning [1] Audit Planning

Operational Resilience Audit Planning Step

Audit Planning

 

 

Preparation for Audit

When conducting audit planning during an operational resilience audit, it is essential to ensure thorough preparation to achieve the audit objectives effectively.

The following are detailed steps for the conduct of audit planning:

  1. Define Audit Objectives
  2. Determine Audit Scope
  3. Identify the Audit Team and Assign Roles
  4. Conduct Preliminary Research
  5. Develop an Audit Plan
  6. Conduct Risk Assessment
  7. Plan Data Collection Methods
  8. Establish Communication Channels
  9. Develop an Audit Schedule
  10. Conduct Entrance Meeting
  11. Prepare Audit Documentation
  12. Obtain Necessary Permissions and Access
  13. Finalise Audit Plan

Define Audit Objectives

  • Establish the specific objectives of the operational resilience audit.
  • Outline what the audit aims to achieve. This includes identifying the key areas to be assessed, such as:
    • The effectiveness of operational resilience measures
    • Identification of vulnerabilities
    • Compliance with established standards
    • Preparedness, response and recovery plans
    • Testing mechanisms
    • Governance and monitoring/reporting

Determine Audit Scope

  • Define the boundaries and extent of the audit.
  • Identify the departments, processes, systems, or locations included in the audit.
  • Consider any applicable regulatory requirements, industry standards, or internal policies.

Identify the Audit Team and Assign Roles

  • Assemble an audit team comprising individuals with relevant expertise and knowledge in operational resilience.
  • Assign specific roles and responsibilities to team members, including an audit lead, subject matter experts, and support staff.

Conduct Preliminary Research

  • Gather background information about the organisation's operational resilience framework, previous audits, incident reports, and relevant policies and procedures.
    • This research will provide a foundation for understanding the organisation's context and identifying potential focus areas.

Develop an Audit Plan

  • Create a comprehensive audit plan that outlines the approach, timelines, and resources required.
    • The plan should include specific audit procedures, sampling methodologies, data collection methods, and analysis techniques.
  • Ensure that the plan aligns with the audit objectives and scope.

Conduct Risk Assessment

  • Perform a risk assessment to identify and prioritise areas of potential concern within the operational resilience framework.
    • This assessment helps determine which areas require more in-depth scrutiny and guides the allocation of audit resources accordingly.

Plan Data Collection Methods

  • Determine the appropriate methods for collecting relevant data during the audit.
    • This may involve document reviews, interviews with key personnel, observation of processes, or analysis of incident records.
  • Develop data collection templates or checklists to guide the audit team.

Establish Communication Channels

  • Set up communication channels with key stakeholders, including senior management, process owners, and relevant staff members.
  • Communicate the purpose and scope of the audit, expected timelines, and the level of cooperation required from stakeholders.

Develop an Audit Schedule

  • Create a detailed schedule that outlines the timing and duration of audit activities.
  • Consider the availability of key personnel and any potential disruptions to operations.
  • Allow sufficient time for on-site visits, interviews, and data analysis.

Conduct Entrance Meeting

Arrange an entrance meeting with key stakeholders to:

  • Introduce the audit team formally
  • Discuss the audit objectives, scope, and expectations and address any questions or concerns.
    • This meeting helps establish a collaborative and transparent approach to the audit.

Prepare Audit Documentation

  • Develop standardised templates or tools to consistently document audit procedures, findings, and recommendations.
  • Ensure the documentation aligns with regulatory requirements, industry standards, and internal audit protocols.

Obtain Necessary Permissions and Access

  • Ensure that the audit team has the required permissions, access rights, and security clearances to perform the audit effectively.
  • Coordinate with relevant departments or IT personnel to obtain necessary access to systems, databases, and facilities.

Finalise Audit Plan

  • Review and finalise the audit plan based on any additional insights or feedback received during the preliminary stages of audit planning.
  • Obtain approval from relevant stakeholders before proceeding with the execution of the audit.

By following these detailed steps for audit planning, the operational resilience audit can be conducted systematically and efficiently, setting the stage for a comprehensive assessment of the organisation's resilience capabilities.

 

[ORA-5] What is an ORA-5000 Operational Resilience Expert Auditor Course?


Overview of ORA-5000 Operational Resilience Expert Auditor [ORA-5] Course

While professionals generally still prefer to attend an onsite classroom-based course with a facilitator or instructor present, online video face-to-face workshops are fast gaining momentum as participants prefer to acquire the learning over some time. The other preference is reducing travel, as working remotely or attending courses from the office is becoming the norm.


The roadmap above is a snapshot of what you can expect from the programme. It is divided into the respective modules 1 to 4.  Find each module's syllabus by clicking the four [Course Content] buttons.  The content has been carefully crafted to ensure that your participation and outcome match each day of the ORA-5000 OR Audit Expert competency level. 

Click any of the four buttons [Course Requirement] to learn more about your participation and involvement in this course.

The course fee is SGD 3,850 for 100% online and SGD 4,150 for online + onsite, payable before the class starts. 

 


Breakdown of the Time Spent

Module | Mode of Study | Flexible (Hours) | Mandatory & Fixed Timing (Hours)
Module 1 | Online Self-pace eLearning (Eight 1-Hour Self Pace eLearning Classes) | 1 | 8 (1-hour self-pace eLearning sessions)
Module 2 | Facilitated Online Workshop (1 Hour Self-Reading + 6 Hours Scheduled Online Classes) | 1 | 6 (3-hour x 2 separate sessions)
Module 3 | Online Training and Discussion Workshop (2 Hours Reading/ Assignment + 3-Hour Schedule Online Classes) | 2 | 6 (3-hour x 2 separate sessions)
Module 4 | Online Training and Discussion Workshop (2 Hours Self Reading/ Assignment + 3 Hours Schedule Online Classes) | 2 | 6 (3-hour x 2 separate sessions)
Total Hours | | 6 | 24
 

 

   
 

Attempt Qualifying Examination | Question | Duration
Operational Resilience Audit Expert (ORAE) after ORA-5 course | 100 | 2 and 1/2 hours
Operational Resilience Audit Specialist (ORAS) after ORA-3 course | 100 | Completed during the Module 1 eLearning Module
Operational Resilience Certified Planner (ORCP) after ORA-2 course | 50 | 1 and 1/2 hours

Operational Resilience Audit for Financial Institutions

Post-COVID-19, various regulatory developments have impacted the financial services industry, such as refining the management of disruptions, increasing interconnectedness and third-party/ outsourcing dependencies and dependencies on IT.  This emphasises that operational resilience will remain a significant concern for the board, regulators, policymakers, investors and customers.

The challenge is organizations' approaches to dealing with differing regulations globally. In terms of resilience structure, organizations have looked at their governance frameworks and ensured they are fit for purpose. They utilise stress and scenario testing to assess their capabilities, which is more than their existing business continuity and crisis management programs.

What are the Differences and Concerns?


Click the icon on the right to learn more about the difference between Blended Learning and Hybrid Learning offered by BCM Institute.

The entire process is redesigned with pre-reading (at your own time and pace) and preparatory work (rather than one hour doing the work in class) supported by proprietary guidance notes. In fact, after several cohorts, the content from those who had attended our other advanced-level courses highlights a better way to provide the same outcome.

Instructors: Note that instructors delivering the modules will remain the same as those providing the onsite training. At BCM Institute, most instructors are still practising BCM and risk management professionals (in this case, operational resilience and operational risk) with a minimum of 12 years of direct BCM experience, as they hold regional or global resilience responsibilities.

International Participation: Another significant change will be the participation of more international delegates compared to the traditional majority of Asian participants. Expect to discuss and work in teams with participants from around the world.

Expect to have more pre-readings, as the objective is to ensure that knowledge that can be acquired via reading is acquired outside the training session. More time is allocated to sharing experiences between the participants and facilitators.

Schedule for Courses: This is the schedule and dates for the start of the next course.  Click "ORA-5000 Course Calendar" to learn more about the "RUNs" for the year.

[BL-HL-ORA-5] What is an OR Audit Expert Blended or Hybrid Learning Course?


Overview of ORA-5000 Blended [BL] or Hybrid Learning [HL] Course [ORA-5]

The Operational Resilience (OR) Audit blended learning is the most advanced level of OR audit training for certification, financial, IT internal and external auditors.

This comprehensive course is equivalent to the international certification of an Operational Resilience (OR) Auditor. Its combination of online interaction allows busy and interested auditors to study with minimal schedule disruption.

This course is NOT a four-day, hour-by-hour direct conversion course from its brick-and-mortar version but revamped with several guiding principles.

  • Complete the course by developing the relevant toolkits for the entire auditing process.
  • Built with OR knowledge, followed by the integration of OR auditing concepts.
  • Provide participants with downloadable handbooks and the latest OR audit program based on the latest global regulatory update.
  • Access to additional audit readings for those who are already experienced
  • Facilitated by experienced IT/Financial and also OR implementer/auditors
  • Able to conduct the audit via an electronic platform without travelling to another country or state.


Here is a quick overview of the course, divided into modules 1 to 4. Modules 1 to 4 and their relationship to the ORA-300-400-5000 level courses are explained.

 


The conduct of each module is described with the corresponding on-site learning outcome.

Below is a snapshot of what you can expect from the program. Each module's syllabus has been carefully crafted to ensure that the outcome matches each day of the ORA-5000 OR Auditor competency level.  

Click the "Course Content" icon to learn more about each module's content (syllabus).  Click the "Course Requirement" icon to determine what you can expect as participants for each module.

 


Breakdown of the Time Spent

Module | Mode of Study | Flexible (Hours) | Mandatory & Fixed Timing (Hours)
Module 1 | E-learning/ Self Study | 8 | -
Module 2 | Facilitated Online Workshop (3 Hours Self Study = Assignment + 6 Hours Schedule Online Classes) | 3 | 6 (3-hour x 2 separate sessions)
Total Hours Blended Learning [BL] Module 1 and 2 | | 11 | 6

Note that participants attending Hybrid Learning [HL] will attend the same BL Module 1 and Module 2.

Breakdown of the Time Spent Blended Learning (BL) Module 3 & 4

Module 3 | Online Web Training and Discussion Workshop (2 Hours Self Study + 3-Hour Schedule Online Classes) | Two sessions | 6 (3-hour x 2 separate sessions)
Module 4 | Online Web Training and Discussion Workshop (2 Hours Self Study + 2 Hours Schedule Online Classes) | Two sessions | 6 (3-hour x 2 separate sessions)
Total Hours Blended Learning [BL] Online Modules 3 and 4 | | Four 3-hour sessions | 18

Breakdown of the Time Spent Hybrid Learning (HL) Module 3 & 4

Module 3 | Hybrid Learning [HL] Onsite Face-to-face Workshop | 1-day onsite | 8
Module 4 | Hybrid Learning [HL] Onsite Face-to-face Workshop | 1-day onsite | 8
Total Hours Hybrid Learning [HL] Onsite Day 3 and Day 4 | | 2-day onsite | 16
 

 

   
Qualifying Examination for OR Audit Specialist/ Expert

ORAE Qualifying Examination for OR Audit Expert (after BL-HL-ORA-5 course) | 100 Multiple-choice Questions | 2 and 1/2 hours
ORAS Qualifying Examination for OR Audit Specialist (after BL-HL-ORA-3 course) | 100 Multiple-choice Questions | 2 and 1/2 hours

What are the Differences and Concerns?

The primary concern with blended learning is that it will be another E-Learning training over a video channel.

The entire process is designed such that the content will provide the same outcome with pre-readings provided before the class, preparation of assignments supported by detailed guidance notes, eLearning for learning of fundamentals, and the online "face-to-face" is for sharing and elaboration by experienced facilitators.

Instructors: Note that instructors delivering the modules remain the same as the onsite training.  They have at least 5 to 30 years of OR and audit-related experience.

International Participation: Another significant change will be the participation of more international delegates compared to the traditional majority of Asian participants. Expect to discuss and work in teams with participants from around the world.

Readings: Expect to have more pre-readings, as the objective is to ensure that knowledge that can be acquired via reading is acquired outside the training session. More time is allocated to sharing experiences with the participants and facilitators.

Live Audit: Despite being virtual, there is a balance between knowledge-based acquisition activities, presentations, discussions, exercises and case studies. About two-thirds of the time is spent on activity-based learning. A live audit will be conducted. 

This is the course schedule. Click the "ORA-5000 Course Schedule" icon to learn more about the "RUNs" for the year.

Blended Learning is entirely online; Hybrid Learning is Modules 1 and 2 online and Modules 3 and 4 onsite.

 

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.


[ORA-3/5] Module (Day) 1 of ORA-300/5000 Operational Resilience Audit Expert

 


Module 1 


You can attend Module 1, which leads to the Operational Resilience (OR) Certified Planner course, which has the course code BL-OR-2. This course provides you with the knowledge or KNOW competency. 

If you are assigned to audit or review your organisation's OR program, it is highly recommended that you attend both Module 1 and 2, the OR Audit Specialist course, or ORA-3.  Module 2 allows you to have practicums on operationalising the OR framework. 

It gives you an in-depth understanding of the critical OR deliverables required. This course provides you with KNOW-DO competency. 

Description of Module [Day] 1 Course 


You will be introduced to Operational Resilience (OR) Audit Requirements. 

Note that this course is also Module 1 of the Operational Resilience Implementer OR-300 course.

Module 1 defines operational resilience (OR) and provides the participants with a contextual overview of its scope in different operating environments. Key concepts are explained with examples to illustrate. The value of OR in today’s organizations and critical success factors for building resilient organizations are highlighted.

Session Breakdown: What Lies Ahead

As we progress through this course, it's essential to understand the structure and content of each session. Let's break it down into Sessions 1 and 2 of the ORA-300/5000 Module 1.

Module 1 Session 1: We will provide a foundational understanding of operational resilience. You will learn about its nuances and the critical role of regulators in shaping your approach. We'll clarify the distinction between key concepts such as operational risk management, organisational resilience, business continuity management and crisis management.

Module 1 Session 2: Building upon the first session, we'll explore regulatory requirements and how to align your organization with a planning methodology. We'll also explore practical tools and strategies to assist you in this operational resilience endeavour.

 

Detailed Course Content

Lesson & Topic: Description

Module 1 Session 1

Overview of Operational Resilience

  • Understand basic OR Concepts and terminologies
  • Discuss the distractions and confusion between the many related fields and disciplines.
  • Identify the critical success factors and benefits of OR

Update on Regulatory Positions

  • Update on the latest issuance of OR regulations and updates
  • Compare with the various authorities and the regional implications for Financial Services Institutions (FSI)

OR Planning Methodology: Framework and Principles

  • Understand the phases and stages within the OR planning methodology
  • Identify the critical components of the OR planning methodology.
  • Walkthrough of the relevance of the OR planning methodology to the organisation
  • Define the principles supporting OR for the financial institutions

Module 1 Session 2

Types of operational disruptions

  • Identify and determine the types of operational disruptions covered by operational resilience.

Define Critical Business Services

  • Define and identify critical business services
  • Understand the components of typical critical business functions and critical business services.

Types and Levels of Impact Tolerances

  • Identify impact types and set impact tolerances for each type
  • Understand impact tolerances to risk appetite and to risk assessment scales or "level of harm."

Understand and review critical activities, processes and resources

  • Map the resources and processes for operational resilience within an organisation for its critical business services.
  • Link critical activities, underpinning services and internal services.

Define and develop Scenario Testing

  • Define and develop OR scenarios
  • Identify and understand plausible scenarios and link them with operational/ resource disruption.
  • Determine the types of testing for the specific disruptive events


Deliverables

  • Be competent with the knowledge of operational resilience
  • Have a strong understanding of the respective building blocks and methodology to implement your OR program

 
