Operational Resilience Standard - Section 1: Operational Resilience

Question 1

What is operational resilience?

Answer 1

The ability to resist operational stresses and failures, and support fast restoration and recovery.

Question 2

The Operational Resilience Framework aims to standardise resilience requirements for which 5 key resources?

Answer 2

1. Technology
2. Data
3. Suppliers
4. People
5. Property.

Question 3

How does the Operational Resilience Standard define critical processes?

Answer 3

NAB processes “that must work” (as per Process Management Standard) and are those identified to have a significant impact to Customers, our Financial Resources, and Business Resiliency via Business Continuity and C3 Tiering.

Question 4

Why does NAB prioritise its critical processes under C3 tiering?

Answer 4

To ensure critical processes are resilient by design.

Question 5

How does NAB ensure critical processes are resilient by design?

Answer 5

By prioritising its critical processes under C3 Tiering

Question 6

What benefit does C3 Tiering provide in a major disruption?

Answer 6

It provides direction on which critical processes need to be prioritised for recovery (related services/resource dependencies are tiered accordingly)

Question 7

What are two key benefits of C3 Tiering for critical processes?

Answer 7

1. Ensures they are resilient by design.
2. Provides direction on prioritisation for recovery.

Question 8

What is the priority order of the 5 tiers under C3 Tiering

Answer 8

1. Country
2. Company Critical
3. Customer Time-Critical
4. Customer Non-Time Critical
5. Company Supporting

Question 9

Under C3 Tiering, what is the definition of Country?

Answer 9

The stability of market, economy, or payments ecosystem would be threatened.

Question 10

Under C3 Tiering, what is the definition of Company Critical?

Answer 10

The existence of the organisation could be at risk (e.g., Liquidity)

Question 11

Under C3 Tiering, what is the definition of Customer Time-Critical?

Answer 11

There would be considerable detriment to end users of the process/

Question 12

Under C3 Tiering, what is the definition of Customer Non-Time Critical?

Answer 12

Continuing to process existing customers and taking on new business whilst returning to business as usual operations.

Question 13

Under C3 Tiering, what is the definition of Company Supporting?

Answer 13

Maintain back office functions that support the delivery of other operations of the firm.

Question 14

Under C3 Tiering, what are three considerations for disruptions?

Answer 14

1. Could damage financial industry.
2. Could threaten company’s viability e.g., financial loss, legal, or reputational damage.
3. Could cause intolerable harm to customers.

Question 15

Are BNZ and International branches required to localise the critical business services within their region to the C3 Tiering?

Answer 15

Yes

Question 16

What are the 5 key resources identified and mapped to support the delivery of NAB Critical Processes?

Answer 16

1. Technology
2. Data
3. Property
4. People
5. Suppliers

Question 17

What are 3 reasons to identify the resources in end-to-end NAB Critical Processes?

Answer 17

1. Understand linkages and single points of failure between operational assets.
2. Improve awareness of availability of substitute during disruptions.
3. Increase robustness of business continuity planning and incident management.

Question 18

What are the 6 key Operational Resilience activities (used to describe role expectations)?

Answer 18

1. NAB Critical Process Prioritisation and Mapping.
2. Process Resilience Assessment.
3. Identification of Emerging Risks and Threats.
4. Defining Impact Tolerance Statement
5. Treatment and Remediation Plan
6. Reporting and Monitoring

Question 19

What is the purpose of Operational Resilience activity number 1. NAB Critical Process Prioritisation and Mapping?

Answer 19

• Prioritisation - in relation to the 3Cs.
• Mapping - ensure resource dependencies identified and linked to the end-to-end NAB Critical Process, and identify any vulnerabilities in the process.

Question 20

What is the purpose of Operational Resilience activity number 2. Process Resilience Assessment?

Answer 20

Measure the end-to-end resilience of the NAB Critical Processes and their resources.

Question 21

What are 5 disciplines involved in a resilience response?

Answer 21

1. Business Continuity Management
2. Service Continuity
3. Enterprise Security
4. Incident Management
5. Crisis Management

Question 22

Why does the bank adopt a horizontal end-to-end approach to resilience?

Answer 22

To help break down silos from each division and focus on consistent identification of what is important to the country, company, and customer.

Question 23

What is Maximum Acceptable Outage (MAO)?

Answer 23

The maximum amount of time a system can be unavailable before its loss will compromise the organisation’s objectives or survival.

Question 24

How does Maximum Acceptable Outage (MAO) operate alongside C3 tiering?

Answer 24

Each business process has a defined MAO rating include C3 classification. For example, payment processes have a 30min MAO and Country C3 Classification.

Question 25

What are the Maximum Acceptable Outage (MAO) times for Critical and Non-Critical Processes?

Answer 25

• Critical -24hr MAO
• Non-Critical >24hr MAO