Operational Resilience

[OR] [P3-S5] Conduct Independent Quality & Assurance Review in Operational Resilience?

Written by Moh Heng Goh | Apr 8, 2023 2:20:29 PM

What is an Independent Quality & Assurance Review?

A significant part of the independent quality review (IQR) revolves around audit and assurance. It contributes to achieving organisational objectives and creating value for shareholders and stakeholders, especially when implementing operational resilience.

Therefore, it is essential to consider this combined assurance model, or the "Three Lines Model," adapted from the Institute of Internal Auditors (IIA, 2020).

The Three Lines Model, previously known as the "Three Lines of Defence," explains the relationship between the elements of an organisation's assurance and independent review environment.

These include the governing body, board, executive management, board committees, external auditors, and regulators.

Three Lines Model

First Line Role

The First Line involves managers and staff who own and manage risk.

It is focused on real-time risk management and is concerned with managing risks and controls.

Second Line Role

The Second Line monitors risk. It incorporates functions that oversee or specialise in compliance or risk management.

It is mainly concerned with risk oversight and review of First-Line activities.

Third Line Role

The Third Line assures the strategic management of risk and provides independent assurance beyond the First and Second Lines.

Its primary role is to evaluate the adequacy and effectiveness of the first two Lines.

Fourth Line Role

Often called the Fourth Line, although it sits outside the Three Lines, external assurance plays a vital role in the organisation’s governance and risk management approach. 

Looking Out for Weakness

The independent reviewer or auditors should consider potential red flags indicating weaknesses when conducting an independent review.

These include:

  • Lack of skills and understanding at senior levels
  • Lack of substantiated analysis of essential and critical business services and the required resilience levels
  • Limited data and unrealistic assumptions supporting scenario analysis and testing
  • Limited or incomplete register of business services
  • Limited or incomplete inventory of people, processes, technology, facilities and data (especially those relevant to critical services)
  • Overreliance on end-user computing
  • Qualification, experience and the role of personnel involved in performing resilience arrangements (including analysis and design activities)
  • Significant/unexplained fluctuations in probability assessments, disruptions and the potential impact
  • Poor articulation and understanding of risk appetite and risk tolerances across the organisation
  • Inflexible legacy infrastructure that is hard to fix and further complicated by adding ever more layers and systems to manage
  • New regulations that increase operational resilience challenges (particularly regarding the risk of illegally sharing sensitive customer information).

How to Conduct Independent Quality & Assurance Review?

An Independent Quality and Assurance Review (IQR) is an external validation of the operational resilience program's effectiveness in the sustain phase.

Here is a detailed breakdown of the steps involved:

Prepare IQR

  • [1-1] Scope Determination. Identify the areas of your operational resilience program to be reviewed using the Three Lines Model.
    • This could encompass specific risks, critical processes, controls, incident response capabilities, or the entire program.

  • [1-2] Reviewer Selection. Choose an independent reviewer with relevant expertise in operational resilience and risk management.
    • This could be an internal audit team, external auditors, industry specialists, or regulatory bodies (depending on your chosen model).

  • [1-3] Review Criteria. Establish clear criteria for the review based on industry best practices, internal standards, and regulatory requirements.

  • [1-4] Data Preparation. Assemble relevant documentation, reports, test results, and other materials for the reviewer's inspection.

  • [1-5] Communication and Agreement. Communicate the IQR's scope, objectives, and methodology to the reviewer and obtain their agreement.

Conduct IQR

  • [2-1] On-site Review. The reviewer visits on-site to observe processes, interview personnel, and review documentation.

  • [2-2] Testing and Evaluation. The reviewer assesses the effectiveness of controls, incident response plans, and training programs through simulations or other testing methods.

  • [2-3] Data Analysis. The reviewer compares the collected data against the established review criteria.

  • [2-4] Draft Report. The reviewer creates a draft report summarising the findings, including strengths, weaknesses, opportunities for improvement, and recommendations.

Review and Report IQR

  • [3-1] Management Response. Respond formally to the draft report, addressing the reviewer's findings and outlining an action plan for improvement.

  • [3-2] Final Report. Finalise the report with your responses and recommendations for senior management consideration.

  • [3-3] Implementation of Action Plan. Develop and implement a detailed action plan based on the IQR findings, with clear timelines, responsibilities, and resource allocation.

  • [3-4] Monitoring and Reporting.  Monitor progress on the action plan and report regularly to senior management on its effectiveness.

Additional Explanatory Note

Independent Review: a critical assessment of the operational resilience project or programme conducted by qualified and objective individuals (or reviewers) at arm's length from the project/programme. Such a review supports enhanced OR project/programme decision-making and oversight by applying expert analysis and providing impartially obtained evidence.

Internal Audit: individuals operating independently from management to provide assurance and insight into the adequacy and effectiveness of governance and the management of risk, including internal control.

External Audit: an examination that an independent accountant conducts. This type of audit is most commonly intended to result in a certification of the financial statements of an entity.

Risk Oversight: describes the board's role in the risk management process.

The Three Lines Model: the model previously known as the "Three Lines of Defence."

Reference: IIA. (2022). IIA's Three Lines Model. The Institute of Internal Auditors, Inc.

"Sustain" Phase of the OR Planning Methodology

The Sustain phase comprises the following steps:

  • Introduce Culture Change
  • Develop Communication Strategy
  • Implement Training and Awareness
  • Provide Self-assessment
  • Conduct Independent Quality Review
