[OR] [P3-S4] Provide Self-Assessment in Operational Resilience?

What is Self-Assessment?

A key feature of managing operational resilience is the responsibility of the business service owner to produce an annual Self-Assessment report. 

The organisation must submit the Self-Assessment document to demonstrate its resilience and compliance with the regulations.

The content of the Self-Assessment document should be made available to the regulators when required. The self-assessment should focus on the following:

• Ongoing evaluation of the methodology for identifying business services
• Review the approach to prioritizing critical business services.
• Ongoing evaluation of impact tolerances
• Review the organisation’s approach to mapping  critical business services.
• Ongoing evaluation of testing scenarios
• Business as usual governance of operational resilience
• Implementation of resilience procedures and ongoing review of procedures (including RACI)
• Training delivered to impacted people and teams in line with newly embedded resilience procedures and any future changes
• Investment and remediation to close out vulnerabilities identified that threaten the organisation’s ability to deliver its critical business services.

How to Provide Self-Assessment?

This stage focuses on self-assessment as part of the "Sustain" phase in operational resilience planning. It emphasizes the importance of regularly monitoring and evaluating your organisation's resilience posture to ensure its effectiveness.

Prepare Self-Assessment

• Define Scope & Objectives.
  • Establish what you want to assess (e.g., program effectiveness, specific risks) and tailor the scope accordingly.
  • Determine objectives (e.g., compliance, improvement).
    
    
• Identify Assessment Criteria.
  • Choose relevant criteria aligned with your chosen framework (e.g., BCM Institute OR framework) and consider internal policies, regulations, and industry best practices.
    
    
• Assemble Assessment Team.
  • Select appropriate individuals based on expertise and roles (e.g., risk, operations, IT).
  • Include independent assessors if needed.
    
    
• Gather Data & Evidence.
  • Collect documentation, reports, test results, and other relevant data to support your evaluation.

Perform Assessment

• Review Documentation.
  • Evaluate policies, procedures, plans, and training materials against established criteria.
  • Identify gaps and inconsistencies.
    
    
• Conduct Interviews & Surveys.
  • Gather insights from staff at various levels to understand program awareness, training effectiveness, and operational experience.
    
    
• Analyse & Discuss Findings.
  • Discuss data and observations within the assessment team, identifying strengths, weaknesses, and areas for improvement.
    
    
• Rate Performance.
  • Use a defined scoring system (e.g., maturity levels) to assess each criterion and establish an overall program performance rating.

Conduct Reporting & Action Planning

• Develop Self-Assessment Report.
  • Document findings, including strengths, weaknesses, risks, and opportunities for improvement.
  • Recommend clear and actionable steps for each issue.
    
    
• Present Report to Management.
  • Communicate key findings, recommendations, and proposed actions to senior management, seeking their approval.
    
    
• Develop Action Plan.
  • Create a detailed plan with specific activities, timelines, and responsible parties to address identified issues.
  • Monitor progress and update the plan as needed.

Additional Explanatory Note 

	Definition	Explanation	Definition
	Self-Assessment	is to capture and document the steps taken towards operational resilience. is to provide a comprehensive and objective evaluation of the organisation's strategy and ability to respond to disruptions.
	Self-Assessment Document	is to demonstrate the organisation’s resilience journey and how they have achieved compliance with the regulations.
	Important Business Service	is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could: cause intolerable harm to any one or more of the organisation’s clients, or pose a risk to the soundness, stability or resilience of the financial system or the orderly operation of the financial markets.
	Critical Business Service	is a business service that, if disrupted, is likely to significantly impact the FSI’s safety and soundness, its customers or other FSI that depend on the business service.
	Critical Operations	is defined as a business output that, if interrupted during the operational period, will cause financial loss, damage, or interruption to the delivery of goods or services essential to the organization’s continued operation or success.

"Sustain" Phase of the OR Roadmap

Introduce Culture Change	Develop Communication Strategy	Implement Training and Awareness	Provide Self-assessment	Conduct Independent Quality Review

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.