In the first blog in this series, we covered what operational resilience is. In this article, we will focus on identifying your important business services; those that will have adverse impact on your customers or external stakeholders.
We will look at two key criteria for an important business service and then expand on them:
- It provides an outcome to a customer; and
- Its disruption for a period of time would cause intolerable harm to a customer
For financial services firms, regulators may also extend these requirements to factors such as financial stability and market integrity. We suggest other sectors consider similar market factors that may apply: for example, the effect that utility providers would have on the public and the economy if they are disrupted for a lengthy period of time, or the effect of an extended disruption to medical equipment/consumables availability on health care systems.
Terminology regarding operational resilience and regulatory requirements varies across different jurisdictions; please see our note on regulation and terminology for more information.
Identifying business services
For a business service to be identified, it must have a clearly identifiable customer. This highlights the importance of understanding who the stakeholders are that are using your services, which can include vulnerable customer groups.
The service needs to be described at a level that delivers an outcome to the customer. A rule of thumb is that if you’ve identified a process or service that supports other services, it is probably not an important business service. For example, withdrawing money from an ATM is a service to the customer; the system verifying that there is a sufficient account balance is a process that supports that service.
There may already be a range of existing information sources in your organisation that can help identify your business services.
Business Impact Analysis
A BIA as part of your business continuity program may already include a list of your business services, if they are captured at the right level. The key criterion here is to look for services that provide an outcome to a customer. If the BIA captures lower-level processes that might support multiple business services, you may need to do some additional work or investigation to ‘roll them up’ to a service that delivers an outcome to a customer.
Process Catalogues or business maps
Some organisations may have existing process catalogues, maps or other documents that capture business services. Like the business impact analysis, these may be used to identify business services if captured at the appropriate level.
Customer journey maps
Customer journey maps usually include the full end to end lifecycle of the interactions a customer will have with your organisation. Some of those touchpoints, or perhaps collections of touchpoints – where the customer is receiving a particular outcome – may be business services.
Assessing whether business services are important
Once you have a list of business services, you can assess whether they are important. The first test is whether an impact tolerance can be applied to the identified business service: if the business service could not be delivered for a period of time, would one or more groups of customers experience intolerable harm?
This assessment of impact differs somewhat from traditional business impact analysis processes. An assessment of intolerable harm is only from the perspective of the customer; is there a period of time (or other type of tolerance) that presents a harm to the customer that cannot be recovered? For example, if you can return the customer to the same position they were in prior to the disruption (perhaps by providing adequate compensation for financial loss), then it is unlikely to meet the threshold of intolerable harm.
Examples of intolerable harm may include:
- the inability for a customer to access funds from their bank accounts, resulting in an inability to purchase groceries or essential goods
- an extended outage of telephony services that may cause economic loss that cannot be recovered
- an inability to provide a medical procedure at the required time, resulting in long-term health impacts or emotional distress to customers
Similar assessments should be made where applicable to market integrity, financial stability, safety and soundness, or policyholder protection in the case of insurers.
Common mistakes in identifying important business services
There are a few common mistakes or pitfalls to avoid when identifying your important business services, with some examples to help you avoid them.
Not externally focused – Employee payroll is the go-to example of a service that is usually very important to the organisation and delivers an outcome to a stakeholder, but is not a service focused on external users. Of course, if you provide payroll services to other organisations, you have an external customer.
Identifying a process instead of a service – An anti-money laundering check is a required step for many services in financial services, but this is not an outcome a customer requires. This is one of many processes that supports delivery of one or more services.
Identifying a resource instead of a service – A good sense-check is that an important business service, as described, should not be able to be disrupted in and of itself, but only through disruption of the resources that enable it. An example would be suggesting that a particular gas pipeline is an important business service; the important business service is the delivery of gas to the customer.
No identifiable customer – Usually this will be identified when assessing the other categories. An example might be providing an online qualification tool for the public to use, with little information being collected on how it is being used or for what purpose. In this case there is no information on which to base an assessment of intolerable harm.
Would not result in intolerable harm – Some business services may not result in intolerable harm even if they were disrupted permanently. This may be when customers can easily switch to other providers or alternate solutions (imagine what would happen to the customer if your organisation disappeared overnight), or there will always be the opportunity to return the customer to the position they were in when disruption started.
About this series
Now that important business services have been identified, we can start to define the impact tolerances associated with them. We will explore the types of tolerances and how they can be set in the next article in the series:
- What is operational resilience?
- What are your important business services? [this blog]
- Designing your impact tolerances
- Mapping your important business services
- Design and running of a scenario
- Identification of weaknesses and actions in your operational resilience
- What reporting do management want to see?
- Designing a good self-assessment process
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
Note on regulation and terminology
While this series primarily discusses regulated entities, the guidance can apply to any organisation seeking to improve their operational resilience by looking through an external stakeholder lens, whether they operate in financial services, critical infrastructure, healthcare or indeed any other industry. We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. For Australian financial service providers, we recommend replacing ‘important business services’ with ‘critical operations’, and ‘impact tolerance’ with ‘tolerance levels’ to align with APRA draft standard CPS 230 on Operational Risk. We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.