Element | Description

Purpose | To identify the gaps between the organisation’s current resilience capabilities and the desired target state, based on regulatory expectations, industry best practices, and organisational objectives.

Objectives |
- Assess the current state of resilience across BCM (business continuity management), ITDR (IT disaster recovery), CM (crisis management), risk, and related frameworks.
- Identify alignment gaps with regulatory and industry requirements.
- Determine capability shortfalls in delivering critical business services (CBS).
- Provide a prioritised basis for remediation planning in subsequent phases.

Inputs |
- Organisational objectives and scope from Stage 1 (Establish Context).
- Existing frameworks: BCM, ITDR, Crisis Management, Risk, Cybersecurity, Outsourcing/Vendor Risk.
- Regulatory guidelines and supervisory expectations (e.g., MAS, FCA, DORA).
- Industry standards (e.g., ISO 22301, ISO 27001, NIST, FFIEC).

Activities |
- Review Existing Frameworks – assess governance, policies, and resilience capabilities.
- Benchmark Against Requirements – compare against regulatory and industry standards.
- Evaluate Core Components – governance, CBS, third-party risk, incident/crisis response, testing & exercising.
- Identify and Prioritise Gaps – classify gaps by criticality, regulatory impact, and business risk.
- Develop Gap Analysis Report – document findings with recommendations for remediation.

Outputs |
- Gap Analysis Report – highlighting resilience strengths, weaknesses, and gaps.
- Maturity Assessment Scorecard – benchmarked against the target resilience maturity level.
- Prioritised Action List – short-term vs. long-term remediation.
- Executive Summary – concise overview for senior management and the board.

Competencies Required |
- Knowledge of BCM, ITDR, Crisis Management, Cybersecurity, and Risk Management.
- Familiarity with regulatory requirements and resilience frameworks.
- Analytical skills in process mapping, benchmarking, and assessment.
- Ability to communicate findings to both technical teams and executives.

Challenges |
- Siloed functions hindering visibility across departments.
- Complexity of multi-jurisdictional regulations.
- Under-documented third-party dependencies.
- Resource limitations slowing remediation.

Linkages |
- Stage 1: Establish Context – provides the baseline scope and objectives.
- Stage 3: Define Requirements – uses the gap analysis results to define resilience requirements.
- Phase 2: Implement – remediation activities to close the identified gaps.