What is an Independent Quality & Assurance Review?
A significant part of the independent quality review (IQR) revolves around audit and assurance. It contributes to achieving organisational objectives and creating value for shareholders and stakeholders, especially when implementing operational resilience.
Therefore, it is essential to consider this combined assurance model, the "Three Lines Model," adapted from the Institute of Internal Auditors (IIA, 2020).
The Three Lines Model, previously known as the "Three Lines of Defence," explains the relationship between the elements of an organisation's assurance and independent review environment.
These elements include the governing body, board, executive management, board committees, external auditors, and regulators.
Three Lines Model
First Line Role
The First Line consists of the managers and staff who own and manage risk.
It is focused on real-time risk management and is concerned with managing risks and the controls that mitigate them.
Second Line Role
The Second Line monitors risk. It comprises the functions that oversee or specialise in compliance or risk management.
It is mainly concerned with risk oversight and with reviewing First Line activities.
Third Line Role
The Third Line assures the strategic management of risk and provides independent assurance beyond the First and Second Lines.
Its primary role is to evaluate the adequacy and effectiveness of the first two Lines.
Fourth Line Role
Often called the Fourth Line, although it sits outside the Three Lines, external assurance plays a vital role in the organisation's governance and risk management approach.
Looking Out for Weakness
When conducting an independent review, the independent reviewer or auditors should look for red flags that indicate weaknesses.
These include:
- Lack of skills and understanding at senior levels
- Lack of substantiated analysis of essential and critical business services and the required resilience levels
- Limited data and unrealistic assumptions supporting scenario analysis and testing
- Limited or incomplete register of business services
- Limited or incomplete inventory of people, processes, technology, facilities and data (especially those relevant to critical services)
- Overreliance on end-user computing
- Qualifications, experience and roles of the personnel involved in performing resilience arrangements (including analysis and design activities)
- Significant or unexplained fluctuations in probability assessments, disruptions and their potential impact
- Poor articulation and understanding of risk appetite and risk tolerances across the organisation
- Inflexible legacy infrastructure that is hard to fix and is further complicated by adding ever more layers and systems to manage
- New regulations that increase operational resilience challenges (particularly regarding the risk of unlawfully sharing sensitive customer information).
How to Conduct an Independent Quality & Assurance Review
An Independent Quality and Assurance Review (IQR) is an external validation of the operational resilience program's effectiveness in the sustain phase.
Here is a detailed breakdown of the steps involved:
Prepare IQR
- [1-1] Scope Determination. Identify the areas of your operational resilience program to be reviewed using the Three Lines Model.
- This could encompass specific risks, critical processes, controls, incident response capabilities, or the entire program.
- [1-2] Reviewer Selection. Choose an independent reviewer with relevant expertise in operational resilience and risk management.
- This could be an internal audit team, external auditors, industry specialists, or regulatory bodies (depending on your chosen model).
- [1-3] Review Criteria. Establish clear criteria for the review based on industry best practices, internal standards, and regulatory requirements.
- [1-4] Data Preparation. Assemble relevant documentation, reports, test results, and other materials for the reviewer's inspection.
- [1-5] Communication and Agreement. Communicate the IQR's scope, objectives, and methodology to the reviewer and obtain their agreement.
Conduct IQR
- [2-1] On-site Review. The reviewer visits on-site to observe processes, interview personnel, and review documentation.
- [2-2] Testing and Evaluation. The reviewer assesses the effectiveness of controls, incident response plans, and training programs through simulations or other testing methods.
- [2-3] Data Analysis. The reviewer compares the collected data against the established criteria.
- [2-4] Draft Report. The reviewer creates a draft report summarising the findings, including strengths, weaknesses, opportunities for improvement, and recommendations.
Review and Report IQR
- [3-1] Management Response. Respond formally to the draft report, addressing the reviewer's findings and outlining an action plan for improvement.
- [3-2] Final Report. Finalise the report, incorporating your responses and the recommendations, for senior management's consideration.
- [3-3] Implementation of Action Plan. Develop and implement a detailed action plan based on the IQR findings, with clear timelines, responsibilities, and resource allocation.
- [3-4] Monitoring and Reporting. Monitor progress on the action plan and report regularly to senior management on its effectiveness.
Additional Explanatory Note
IIA. (2022). IIA's Three Lines Model. The Institute of Internal Auditors, Inc.
"Sustain" Phase of the OR Planning Methodology
Introduce Culture Change | Develop Communication Strategy | Implement Training and Awareness | Provide Self-assessment | Conduct Independent Quality Review