[OR] [MAS] [E2] [C3] Mapping Dependencies and Interconnections

eBook 2: Chapter 3

Mapping Dependencies and Interconnections

Introduction

A defining characteristic of operational resilience is the ability to understand   how services are delivered end-to-end, and more importantly, what they depend on.

Financial institutions today operate in highly interconnected environments, where disruptions rarely remain isolated—they propagate across systems, functions, and even organisations.

The Monetary Authority of Singapore (MAS), through its operational resilience guidance, emphasises the need for institutions to map the interdependencies and interconnections that support Critical Business Services (CBS).

This requirement is aligned with the BCM Institute’s Operational Resilience methodology, particularly [OR-P2-S2], which focuses on understanding how resources and relationships enable service delivery.

This chapter explores:

• The mapping of People, Process, Technology, and Third Parties
• The importance of end-to-end service mapping
• The risks arising from interconnected systems and cascading failures

Purpose of Mapping Dependencies and Interconnections

Mapping dependencies and interconnections enables organisations to answer a critical question:

“What must function correctly for our Critical Business Services to be delivered without disruption?”

This mapping is essential because:

• Disruptions often originate in supporting components, not the service itself
• Dependencies may be hidden or poorly understood
• Interconnections can create single points of failure or concentration risks

MAS expects institutions to:

• Identify all critical resources supporting CBS
• Understand how these resources are interconnected
• Assess the impact of disruption across the service chain

The objective is not documentation for its own sake, but actionable insight into vulnerabilities and resilience gaps.

Core Components of Dependency Mapping

The BCM Institute framework identifies four primary dependency categories:

People

People represent the human element required to deliver services.

Key considerations:

• Critical roles and skill sets
• Availability of trained personnel
• Reliance on key individuals (key person risk)
• Workforce distribution (on-site, remote, offshore)

Examples:

• Operations staff processing transactions
• IT personnel maintaining critical systems
• Customer service teams handling client interactions

Risk: Staff unavailability (e.g., pandemic, industrial action) can disrupt service delivery.

Process

Processes define the workflow and activities required to deliver services.

Key considerations:

• Process complexity and manual dependencies
• Process standardisation and documentation
• Upstream and downstream process linkages
• Degree of automation

Examples:

• Payment processing workflows
• Account onboarding procedures
• Reconciliation and settlement processes

Risk: Process breakdowns or bottlenecks can halt service delivery.

Technology

Technology is often the backbone of modern financial services.

Key considerations:

• Critical applications and systems
• Infrastructure (servers, networks, data centres)
• System interdependencies
• Cybersecurity vulnerabilities

Examples:

• Core banking systems
• Payment gateways
• Digital banking platforms

Risk: Technology failures or cyber incidents can cause immediate and widespread disruption.

Third Parties

Third parties introduce external dependencies into the service chain.

Key considerations:

• Outsourced service providers
• Cloud service providers
• Payment networks and clearing systems
• Vendors supporting critical functions

Examples:

• Cloud hosting providers
• Payment processors
• IT service vendors

Risk: Third-party failures can create concentration risk and reduce direct control over resilience.

End-to-End Service Mapping

From Fragmented Views to Holistic Understanding

Traditional approaches often focus on:

• Individual systems
• Departmental processes

Operational resilience requires a shift to:

• End-to-end service mapping

This means mapping the entire service delivery chain:

Customer Interaction → Front-End Systems → Processing → Settlement → Confirmation

Key Elements of End-to-End Mapping

Effective mapping should capture:

• Service boundaries
• Where the service starts and ends
• Supporting resources
• People, processes, technology, third parties
• Interconnections
• How each component interacts with others
• Data flows
• Movement of information across systems

MAS Expectations

The Monetary Authority of Singapore expects financial institutions to:

• Map CBS at a sufficient level of granularity
• Identify critical dependencies and single points of failure
• Understand cross-border and cross-entity linkages
• Maintain mapping that is accurate, current, and usable

The emphasis is on practical usability, not overly complex diagrams.

Interconnected Risks and Cascading Failures

Understanding Interconnected Risks

Modern financial services operate within a networked ecosystem, where:

• Systems are interconnected
• Processes are interdependent
• Institutions rely on shared infrastructure

This creates interconnected risks, where a failure in one component can affect multiple services.

Cascading Failures

A cascading failure occurs when:

A disruption in one component triggers a chain reaction across interconnected systems.

Examples:

• A cloud service outage affects multiple applications
• A payment gateway failure disrupts multiple banks
• A cyberattack spreads across interconnected systems

Types of Interconnection Risks

a. Concentration Risk

• Over-reliance on a single provider or system

b. Common Mode Failure

• Multiple systems fail due to a shared dependency

c. Contagion Risk

• Disruption spreads across institutions or markets

MAS Focus on Systemic Risk

MAS places strong emphasis on:

• Managing systemic interdependencies
• Reducing single points of failure
• Ensuring resilience across the financial ecosystem

Institutions must consider not only internal risks but also external ecosystem risks.

Methodology for Mapping Dependencies

Aligned with BCM Institute’s [OR-P2-S2], the mapping process typically involves:

Step 1: Identify CBS

• Define the service to be mapped

Step 2: Break Down into Sub-Services

• Decompose CBS into sub-CBS or detailed processes

Step 3: Identify Supporting Resources

• Map:
• People
• Processes
• Technology
• Third parties

Step 4: Map Interconnections

• Identify how each component interacts
• Highlight dependencies and linkages

Step 5: Identify Vulnerabilities

• Single points of failure
• Concentration risks
• Weak controls

Step 6: Validate and Maintain

• Engage stakeholders
• Update regularly

Output: A comprehensive dependency and interconnection map.

Practical Example: Digital Banking Service

For a Digital Banking CBS, dependencies may include:

• People
• IT support teams
• Customer service representatives
• Process
• Login authentication
• Transaction processing
• Technology
• Mobile application
• Core banking system
• Network infrastructure
• Third Parties
• Cloud hosting provider
• Authentication service provider

Interconnections:

• Mobile app connects to authentication service
• The authentication service connects to the core banking
• Core banking processes transactions

A failure in any component (e.g., authentication service) can disrupt the entire service.

Key Challenges

Organisations commonly face:

• Incomplete visibility of dependencies
• Overly complex mapping that is difficult to maintain
• Siloed information across departments
• Underestimation of third-party dependencies
• Rapid technology changes are affecting accuracy

Key Success Factors

To ensure effective mapping:

• Focus on critical services first (CBS-driven approach)
• Maintain an appropriate level of detail (fit-for-purpose)
• Leverage technology tools for mapping and visualisation
• Ensure cross-functional collaboration
• Regularly update mappings based on changes

Mapping dependencies and interconnections is a critical enabler of operational resilience, providing organisations with a clear understanding of how services are delivered and where vulnerabilities lie.

Aligned with the expectations of the Monetary Authority of Singapore and the BCM Institute’s methodology, effective mapping allows financial institutions to:

• Identify critical dependencies across people, process, technology, and third parties
• Understand end-to-end service delivery
• Detect and mitigate interconnected risks
• Prevent cascading failures

Ultimately, this capability transforms operational resilience from a conceptual framework into a practical, actionable discipline, ensuring that organisations can anticipate disruptions, manage complexity, and sustain critical services in an increasingly interconnected world.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.