Operational Resilience Series

[OR] [P3-S5] Conduct Independent Quality & Assurance Review in Operational Resilience?

Audit and assurance are significant parts of an independent quality and assurance review. They contribute significantly to achieving organisational objectives and creating value for shareholders and stakeholders, especially when implementing operational resilience.

This is the introductory blog [OR-P3-S5] to Stage 5 of the "SUSTAIN" phase of the OR Planning Methodology.  It is a pre-reading for participants attending the Operational Resilience Expert Implementer course.

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

What is an Independent Quality & Assurance Review?

A significant part of an independent quality review revolves around audit and assurance. It contributes significantly to achieving organisational objectives and creating value for shareholders and stakeholders, especially when implementing operational resilience. It is therefore essential to consider the combined assurance model, or "Three Lines Model", adapted from the Institute of Internal Auditors (IIA, 2020).

The Three Lines Model, previously known as the "Three Lines of Defence", explains the relationship between the elements of an organisation's assurance and independent review environment. These include the governing body, board, executive management, board committees, external auditors, and regulators.

[Figure: The Three Lines Model]

First Line Role

The First Line involves managers and staff who own and manage risk.

It is focused on real-time risk management and is concerned with managing risks and controls.

Second Line Role

The Second Line monitors risk. It incorporates functions that oversee or specialise in compliance or risk management.

It is mainly concerned with risk oversight and review of First-Line activities.

Third Line Role

The Third Line assures the strategic management of risk, providing independent assurance outside the First and Second Lines.

Its primary role is to evaluate the adequacy and effectiveness of the first two Lines.

Fourth Line Role

Often called the Fourth Line, although it sits outside the Three Lines, external assurance plays a vital role in the organisation's governance and risk management approach.

Looking Out for Weakness

Independent reviewers or auditors should watch for red flags that indicate weaknesses when conducting a review. These include:

  • Lack of skills and understanding at senior levels
  • Lack of substantiated analysis of essential and critical business services and the required resilience levels
  • Limited data and unrealistic assumptions supporting scenario analysis and testing
  • Limited or incomplete register of business services
  • Limited or incomplete inventory of people, processes, technology, facilities and data (especially those relevant to critical services)
  • Overreliance on end-user computing
  • Qualification, experience and the role of personnel involved in performing resilience arrangements (including analysis and design activities)
  • Significant/unexplained fluctuations in probability assessments, disruptions and the potential impact
  • Poor articulation and understanding of risk appetite and risk tolerances across the organisation
  • Inflexible legacy infrastructure that is hard to fix and further complicated by adding ever more layers and systems to manage
  • New regulations that increase operational resilience challenges (particularly regarding the risk of illegally sharing sensitive customer information).

How to Conduct an Independent Quality & Assurance Review?

An Independent Quality and Assurance Review (IQR) is an external validation of the operational resilience program's effectiveness in the sustain phase.

Here is a detailed breakdown of the steps involved:

Prepare IQR

  • Scope determination. Identify the areas of your operational resilience program to be reviewed using the Three Lines Model.
    • This could encompass specific risks, critical processes, controls, incident response capabilities, or the entire program.

  • Reviewer selection. Choose an independent reviewer with relevant expertise in operational resilience and risk management.
    • This could be an internal audit team, external auditors, industry specialists, or regulatory bodies (depending on your chosen model).

  • Review criteria. Establish clear criteria for the review based on industry best practices, internal standards, and regulatory requirements.

  • Data preparation. Assemble relevant documentation, reports, test results, and other materials for the reviewer's inspection.

  • Communication and agreement. Communicate the IQR's scope, objectives, and methodology to the reviewer and obtain their agreement.

Conduct IQR

  • On-site review. The reviewer visits on site to observe processes, interview personnel, and review documentation.

  • Testing and evaluation. Assess the effectiveness of controls, incident response plans, and training programs through simulations or other testing methods.

  • Data analysis. The reviewer compares the collected data against the established criteria.

  • Draft report. The reviewer creates a draft report summarising the findings, including strengths, weaknesses, opportunities for improvement, and recommendations.

Review and Report IQR

  • Management response. Respond formally to the draft report, addressing the reviewer's findings and outlining an action plan for improvement.

  • Final report. Finalise the report with your responses and recommendations for senior management consideration.

  • Action plan implementation. Develop and implement a detailed action plan based on the IQR findings, with clear timelines, responsibilities, and resource allocation.

  • Monitoring and reporting. Monitor progress on the action plan and report regularly to senior management on its effectiveness.
Additional Explanatory Note

  • Independent Review: a critical assessment of the operational resilience project or programme conducted by qualified and objective individuals (or reviewers) at arm's length from the project/programme. Such a review supports enhanced OR project/programme decision-making and oversight by applying expert analysis and providing impartially obtained evidence.

  • Internal Audit: individuals operating independently from management to provide assurance and insight into the adequacy and effectiveness of governance and the management of risk, including internal control.

  • External Audit: an examination that an independent accountant conducts. This type of audit is most commonly intended to result in a certification of the financial statements of an entity.

  • Risk Oversight: describes the board's role in the risk management process.

  • The Three Lines Model: the model previously known as the "Three Lines of Defence".

Reference: IIA. (2022). IIA's Three Lines Model. The Institute of Internal Auditors, Inc.

"Sustain" Phase of the OR Planning Methodology

  • Introduce Culture Change
  • Develop Communication Strategy
  • Implement Training and Awareness
  • Provide Self-assessment
  • Conduct Independent Quality Review
More Information About Blended Learning OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the courses and schedules, see the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
