So far in this series we have identified your important business services, and designed impact tolerances. Now we turn to an important step in understanding how your important business services hang together: mapping.
A key outcome of operational resilience is to avoid disruption, absorb shocks if disruption occurs, be able to operate through disruption, and recover as quickly as practical while operating within impact tolerance. To achieve that – particularly through future steps of scenario testing and actioning any weaknesses – we must understand the elements that make up our important business services. Let’s take a look at:
- Hierarchy of mapping
- Mapping processes
- Mapping resources
- Top-down and bottom-up approaches
- Critical vs non-critical resources
- Mapping beyond important business services
Hierarchy of mapping
We recommend a two-tiered approach to mapping your important business services. For each service:
- Identify and map the processes that are required to deliver it
- For each of the processes identified, map the resources required to perform that process
A single process may support multiple important business services. For example, an Anti-Money Laundering check might be used by multiple payment or credit processes. Similarly, a single resource may be required for multiple processes.
Separating processes from the resources that support them allows flexibility when it comes to improving your operational resilience over time; either through process re-engineering (removing single points of failure), re-assigning resources to different processes, adding additional redundancies, or conducting what-if scenarios.
If a new service is introduced that also requires an Anti-Money Laundering check, that process can be assigned to it without having to re-map each individual resource.
This approach also emphasises a point we made earlier in this series: processes and resources are not important business services in and of themselves. The mapping process will help identify any miscategorised important business services.
Mapping processes
Services are described at a level that delivers an outcome to a customer. One or many processes may be required to provide that service to the customer.
An important question to resolve here is the level of detail that is required. It’s easy to get quickly lost in detailed tasks and steps. Many processes also have exceptions, multiple pathways or other complexities.
Given that we’ve started with our service – focusing on the outcome – what are the key steps that are required to deliver that outcome? Here we are moving from outcome down to the activities that enable it. For the purposes of operational resilience, we recommend having a single level of activities. As a simple rule of thumb, if you’ve defined more than 10 processes to deliver your service, consider whether you can roll any of them up.
Keeping the next step in mind – mapping the resources to processes – can also help identify the boundaries of each process. If a series of tasks all require the same set of resources, then it makes sense to capture these as a single process.
As a litmus test, consider how you would verbally describe the processes that lead to an outcome to a customer, new employee in your business, or a regulator. If it takes longer than a minute, you might have too much detail.
Mapping resources
Once you’ve identified the processes that make up your services, you can start mapping the resources that are required to perform those processes. A resource is something whose removal would prevent the process from being completed (and, ultimately, any services that rely on that process).
We recommend identifying the following resources:
- Software
- Hardware/infrastructure
- Facilities/physical locations
- People
- Information/data
You should also recognise which third parties support your processes. Usually, they will be providing one or more of the above identified resources.
If your organisation doesn’t already have them, now is the perfect time to establish libraries or taxonomies for these resources and standardise any additional details you want to capture (e.g., business owners, description of the resources). This ensures they are used consistently by everyone in the organisation, even if they are for different purposes.
Critical vs non-critical resources
One nuance to consider is whether to capture or categorise non-critical resources. These might be resources that are part of business as usual, but whose absence either makes processes less efficient or causes them to be delivered to a lower – but acceptable – standard than usual. We recommend only identifying critical resources – those that would cause the process to fail if they were missing.
Top-down and bottom-up approaches
The above sections on processes and resources cover the structure of mapping, but how do you actually go about it?
By definition, operational resilience as a process requires us to start from the top down. What services are we providing? Particularly in larger organisations, the processes and the resources required to support them can move organically over time, which may result in limited visibility over the end-to-end process (or, perhaps worse, incorrect assumptions that come undone when disruption occurs). Engaging with management is key to finding out who is supporting those services and how.
A bottom-up approach is also useful. Once you have a list of resources and processes, you can ask owners of those resources and processes why they think they are important: what purpose do they serve? They may not have the big picture, but it might identify resources that have not been linked to processes, or processes that are not linked to services. Once identified, these gaps can be closed.
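The two-tier map described in the hierarchy section, together with the what-if scenarios and the bottom-up gap checks above, can be modelled as a small data structure. The following is an added example, not code from the original post or from Protecht; the services, processes and resources are constructed illustrative names for a hypothetical organisation, and every listed resource is treated as critical (a process fails if any of its resources is unavailable, and a service fails if any of its processes fails), in line with the recommendation to map only critical resources.

```python
"""Two-tier service -> process -> resource map with what-if and gap checks."""
from collections import defaultdict

# Constructed sample data (hypothetical organisation; names are illustrative only).
# Tier 1: each service maps to the processes required to deliver it.
SERVICE_PROCESSES = {
    "Domestic payments": {"Payment initiation", "AML check", "Payment settlement"},
    "Consumer credit": {"Credit application", "AML check", "Credit decision"},
}

# Tier 2: each process maps to the critical resources it cannot run without.
PROCESS_RESOURCES = {
    "Payment initiation": {"Online banking platform", "Core banking system", "Payments team"},
    "AML check": {"AML screening software", "Sanctions list data", "Compliance team"},
    "Payment settlement": {"Core banking system", "Clearing house (third party)"},
    "Credit application": {"Online banking platform", "Applicant data"},
    "Credit decision": {"Credit scoring engine", "Credit analysts", "Bureau data (third party)"},
    # Recorded in the process library but linked to no service: a bottom-up gap.
    "Batch reconciliation": {"Core banking system", "Reconciliation tool"},
}

# Resource library; "Legacy fax gateway" is used by no process: another gap.
RESOURCE_LIBRARY = set().union(*PROCESS_RESOURCES.values()) | {"Legacy fax gateway"}


def resource_to_services(service_processes, process_resources):
    """Invert both tiers: resource -> set of services that depend on it."""
    index = defaultdict(set)
    for service, processes in service_processes.items():
        for process in processes:
            for resource in process_resources.get(process, ()):
                index[resource].add(service)
    return index


def what_if(lost_resources, service_processes=SERVICE_PROCESSES,
            process_resources=PROCESS_RESOURCES):
    """Return the services disrupted if all of `lost_resources` are unavailable.

    A process fails if any critical resource is missing; a service fails if
    any of its required processes fails.
    """
    lost = set(lost_resources)
    failed_processes = {p for p, res in process_resources.items() if res & lost}
    return {s for s, procs in service_processes.items() if procs & failed_processes}


def single_points_of_failure(service_processes=SERVICE_PROCESSES,
                             process_resources=PROCESS_RESOURCES, min_services=2):
    """Resources whose loss would disrupt at least `min_services` services."""
    index = resource_to_services(service_processes, process_resources)
    return {r: sorted(s) for r, s in index.items() if len(s) >= min_services}


def unlinked_processes(service_processes=SERVICE_PROCESSES,
                       process_resources=PROCESS_RESOURCES):
    """Processes in the library that no service claims (bottom-up gap)."""
    linked = set().union(*service_processes.values())
    return sorted(set(process_resources) - linked)


def unlinked_resources(resource_library=RESOURCE_LIBRARY,
                       process_resources=PROCESS_RESOURCES):
    """Resources in the library that no process uses (bottom-up gap)."""
    used = set().union(*process_resources.values())
    return sorted(resource_library - used)


if __name__ == "__main__":
    print("Lose core banking:", sorted(what_if({"Core banking system"})))
    print("Lose AML software:", sorted(what_if({"AML screening software"})))
    print("Shared resources:", single_points_of_failure())
    print("Unlinked processes:", unlinked_processes())
    print("Unlinked resources:", unlinked_resources())
```

Because the AML check is shared by both services, losing any of its resources disrupts both; the batch reconciliation process and the fax gateway surface as gaps that the owners of those items, rather than the service view, would be asked to explain.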
Mapping beyond important business services
We have intentionally used the term ‘service’ instead of important business services for most of this article. While some organisations – particularly those with regulatory obligations – will focus on externally facing services, this process can apply to all services, including externally facing services that are less important, or internal facing services that are important.
The benefit of mapping all of your services and their associated processes and resources is that you get the full picture of how disruption might affect your organisation or your stakeholders. Multiple non-critical services may still have a significant effect on your stakeholders or organisation if they are disrupted at the same time.
About this series
We’ve now identified and mapped your important business services. In the next blog we can start considering the scenarios that would disrupt them.
- What is operational resilience?
- What are your important business services?
- Designing your impact tolerances
- Mapping your important business services [this blog]
- Design and running of a scenario
- Identification of weaknesses and actions in your operational resilience
- What reporting do management want to see?
- Designing a good self-assessment process
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
Note on regulation and terminology
While this series primarily discusses regulated entities, the guidance can apply to any organisation seeking to improve their operational resilience by looking through an external stakeholder lens, whether they operate in financial services, critical infrastructure, healthcare or indeed any other industry. We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. For Australian financial service providers, we recommend replacing ‘important business services’ with ‘critical operations’, and impact tolerance with ‘tolerance levels’ to align with APRA draft standard CPS 230 on Operational Risk. We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.