For firms wishing to align protective disciplines, we undertake a current state assessment which determines a firm’s readiness to align, and captures their overall capability across the in-scope domains.
In addition to Operational Resilience, the assessment usually focuses on Third-Party Risk Management, Business Continuity Management, and IT Disaster Recovery capabilities.
We’ve documented Operational Resilience findings previously, so here are the common improvement areas for firms relating to Business Continuity Management and IT Disaster Recovery we’ve encountered.
- Informal and undocumented programmes with a heavy focus on a single, onerous, and outdated policy not reflective of operational realities,
- BCM and ITDR programmes lack clear structure and are not aligned to recognised ISO standards or Good Practice Guidance,
- Lack of integration between BCM and ITDR programmes limits touchpoints, with taxonomies misaligned,
- Criticality assessments are either not in place, meaning everything is critical or not aligned across BCM and ITDR programmes,
- ICT Risk and threat identification is immature or non-existent with no formal IT Risk Management framework in most cases,
- Poor oversight of critical ICT third-parties response and recovery capabilities creating misalignment with internal initiatives,
- Service owners set recovery priorities, objectives, RPOs and RTOs without an understanding of SLAs or system recovery capability.
This deck summarises our findings and includes a summary of best practices, the key challenges, along with our programme, and review methodology.
Please get in touch or book a meeting if any of the above resonates and you’d like to understand how we could support your programme objectives.