Brunei Central Bank

[OR] [BDCB] [E2] [C9] Identifying Critical Business Services

Written by Moh Heng Goh | Sep 4, 2025 5:57:43 AM

Chapter 9

Identify Critical Business Services

This chapter covers the “Identify Critical Business Services” stage of the Implement phase in an Operational Resilience Planning Methodology for the Brunei Darussalam Central Bank (BDCB). It elaborates each implementation step with tangible examples tied to the bank’s defined critical business services (CBS-1 to CBS-7).

In this foundational step, BDCB must clearly define, validate, and document the essential services that must remain resilient during disruptions. This ensures focused risk planning and resource allocation.

1. Establish a Governance and Alignment Framework

Objective: Secure leadership buy-in, define roles, and formalise the process for identifying critical services.

  • Board and Senior Management Oversight: The board should approve criteria for identifying critical services, embed this process within the existing Operational Risk Management Framework, and routinely review outcomes. (Source: BDCB)
  • Operational Risk Management Unit (ORMU): Tasked with designing, facilitating, and challenging the identification process. (Source: BDCB)

Example: BDCB’s board approves the following criteria: services whose prolonged disruption directly jeopardises monetary stability, financial system integrity, or public trust.

2. Define and Validate Critical Business Services

Objective: Confirm that BDCB’s seven CBS categories comprehensively represent core mission-critical functions.

  • Review each service for criticality: Evaluate the impact of disruption on monetary stability, public confidence, and regulatory compliance.

Example Table:

 

| CBS Code | Critical Service | Example: Why Critical |
|---|---|---|
| CBS-1 | Payment & Settlement Systems (RTGS, ACH, CSD) | Disruption halts interbank transactions. |
| CBS-2 | Currency Management | Interruptions degrade physical currency supply. |
| CBS-3 | Monetary Policy / Currency Stability | Affects inflation control and exchange rate. |
| CBS-4 | Regulation & Supervision | Regulatory gaps increase systemic risk. |
| CBS-5 | AML/CFT & FIU Operations | Heightened risk of money laundering. |
| CBS-6 | Market Infrastructure Connectivity (RPC) | Cross-border payment network disruptions. |
| CBS-7 | Financial Education & Consumer Protection | Loss of public trust and awareness. |

3. Establish Criticality Criteria & Impact Tolerance

Objective: Develop measurable thresholds that define service disruption through the lens of maximum tolerable duration or impact.

  • Criteria traits: Financial loss threshold, systemic risk exposure, legal non-compliance, reputational harm, and ability to restore functionality.

Example:

  • For CBS-1 (RTGS): Maximum acceptable downtime is 30 minutes before systemic risk rises.
  • For CBS-2 (Currency Management): Local currency shortages beyond 4 hours trigger increased costs and public inconvenience.

4. Conduct Service-Level Risk Assessment

Objective: Evaluate the vulnerability of each CBS using organisational risk tools within the Operational Risk Management Framework (ORMF), such as self-assessments, event data, and scenario analysis. (Source: BDCB)

Example:

  • CBS-5 (AML/CFT & FIU) gets a high risk rating due to evolving cyber threats and the complexity of international financial networks.
  • CBS-7 (Financial Education) may be rated lower, but any disruption during a financial literacy campaign could reduce public confidence.

5. Document and Map Service Delivery Components

Objective: Map out the human, technical, process, and third-party elements essential to each CBS. (Sources: Central Bank of Ireland; bis.org)

Example for CBS-1 (RTGS):

  • People: Payment operations team, banking partners.
  • Technology: RTGS platform, supporting network infrastructure.
  • Processes: Intraday settlement workflow, business continuity protocols.
  • Third Parties: Regional settlement system providers (e.g., RPC partners).
  • Interdependencies: Power supply, data centres, cross-border connectivity.

6. Identify Third-Party and Interdependency Risks

Objective: Catalogue and assess third-party dependencies and potential failure points. (Source: bis.org)

Example:

  • CBS-6 (RPC): The RPC network relies on regional banks’ systems. If one participant's platform fails, cross-border settlement stalls, impacting liquidity.

7. Validate Findings with Stakeholders

Objective: Review and refine mappings and criticality judgments with internal departments (Operations, IT, Policy) and external parties (payment network partners, selected licensed banks).

Example: Present RTGS mapping and impact thresholds to the Payment Operations team and regional ROC stakeholders for validation.

8. Formalise Documentation and Integration

Objective: Create a completed internal catalogue (e.g., “Critical Business Service Register”), including:

  • Detailed description of each CBS
  • Impact tolerances
  • Risk assessments
  • Interdependencies and third-party maps

Integrate this register into BDCB’s wider resilience framework and future recovery planning processes, such as Recovery Plans mentioned in BDCB's work with financial institutions. (Source: BDCB)

9. Reporting and Oversight

Objective: Provide regular updates to the board and senior management on:

  • Evolution of service criticality
  • Risk exposure shifts
  • Review of impact tolerance adequacy
  • Emerging external or internal threats

This ensures dynamic alignment with BDCB’s governance expectations. (Source: BDCB)

Summary of Implementation Steps with Examples

  1. Governance Setup: Board approves criticality criteria; ORMU leads the process.
  2. Service Definition & Validation: CBS-1 to CBS-7 are validated as essential.
  3. Impact Tolerances: Downtime thresholds set (e.g., RTGS 30 mins, currency management 4 hrs).
  4. Risk Assessment: Example: AML/CFT risks prioritised.
  5. Service Mapping: RTGS mapped across people, tech, and dependencies.
  6. Third-Party Exposure: RPC's reliance on counterpart banks’ platforms highlighted.
  7. Stakeholder Validation: Collaborative review ensures accuracy.
  8. Documentation: A formal resilience register is compiled.
  9. Ongoing Governance: Continuous oversight and updates feed into recovery and resilience plans.

Why This Matters

Structured identification of critical business services ensures that BDCB:

  • Focuses on resilience planning where disruptions could cause systemic harm.
  • Aligns with industry best practices in operational resilience, such as those championed by central banks like Ireland's and guidance from BCBS. (Sources: Central Bank of Ireland; PwC)
  • Integrates operational risk, third-party risk, and business continuity planning cohesively.

Summing Up ...

The process of identifying Critical Business Services (CBS) provides BDCB with a structured foundation to safeguard its core mandate of monetary stability, financial integrity, and public trust. By systematically defining, validating, and documenting CBS-1 to CBS-7, the bank establishes clarity on what truly matters in times of disruption. The integration of governance oversight, impact tolerances, risk assessments, and service-mapping ensures that resilience planning is both practical and targeted.

This stage is not just an administrative exercise—it sets the tone for operational resilience across the institution. It compels alignment between senior leadership, technical teams, and external stakeholders while embedding resilience into the wider Operational Risk Management Framework. Ultimately, this approach strengthens BDCB’s ability to anticipate, withstand, and recover from shocks, ensuring continuity of critical services that underpin Brunei Darussalam’s financial system.

 
