Chapter 10
Governance and Continuous Review
Introduction
Effective governance and continuous review are essential to ensure that the identification and management of Critical Business Services (CBS) remain relevant, accurate, and aligned with the organisation’s evolving risk landscape. Without strong governance, CBS identification risks becoming outdated, inconsistent, or disconnected from strategic priorities and regulatory expectations.
This section outlines how organisations can establish robust governance structures and embed continuous review mechanisms to sustain the effectiveness of their CBS framework.
Ownership of CBS
A clear ownership model is fundamental to the governance of CBS. Ownership should be defined at multiple levels to ensure accountability and effective oversight.
A typical ownership structure includes:
- Business Owners (First Line of Defence): Responsible for defining, maintaining, and delivering CBS. They ensure that services operate within defined impact tolerances and that dependencies are accurately documented.
- Risk and Compliance Functions (Second Line of Defence): Provide oversight, challenge, and independent validation of CBS identification, criteria, and methodologies. They ensure alignment with regulatory expectations and organisational risk appetite.
- Internal Audit (Third Line of Defence): Conduct independent reviews of the CBS framework, governance processes, and effectiveness of controls.
Clear delineation of responsibilities ensures that CBS governance is not fragmented and that accountability is embedded across the organisation.
Governance Structure and Oversight
CBS identification and management should be embedded within the organisation’s broader governance framework, with oversight provided by senior management and board-level committees.
Key governance elements include:
- Executive Risk Committees: Review and approve the list of CBS and associated impact tolerances
- Operational Resilience Steering Committees: Oversee implementation and integration across business units
- Board-Level Oversight: Ensure alignment with strategic objectives and regulatory expectations
Regular reporting should be established to provide visibility on:
- Changes to CBS
- Performance against impact tolerances
- Outcomes of scenario testing and incidents
This structured oversight ensures that CBS remains a strategic priority rather than an operational afterthought.
Periodic Review and Update of CBS
CBS should not be static. Organisations must conduct periodic reviews to ensure that the list of CBS reflects current business operations and risk exposures.
Typical review cycles include:
- Annual Reviews: Comprehensive reassessment of all business services and their criticality
- Interim Reviews: Targeted updates based on specific triggers or changes
During reviews, organisations should:
- Reassess criticality criteria and thresholds
- Validate service boundaries and dependencies
- Incorporate lessons learned from incidents and testing
Regular reviews ensure that CBS identification remains accurate and aligned with the organisation’s operating environment.
Trigger-Based Reviews
In addition to periodic reviews, CBS should be reassessed when specific events or changes occur. These triggers ensure that the framework remains responsive to dynamic conditions.
Common triggers include:
- Introduction of new products or services
- Significant changes in business models or operating structures
- Regulatory updates or new guidelines
- Major incidents or disruption events
- Changes in third-party arrangements or outsourcing
Trigger-based reviews allow organisations to proactively adjust their CBS framework rather than relying solely on scheduled assessments.
Embedding CBS into Enterprise Risk Management (ERM)
To ensure sustainability, CBS must be embedded in the broader Enterprise Risk Management (ERM) framework. This integration ensures that CBS considerations are reflected in risk assessments, control design, and strategic decision-making.
Key integration points include:
- Risk Identification and Assessment: CBS informs which risks are prioritised
- Control Frameworks: Controls are designed to protect critical services
- Risk Appetite Statements: Aligned with impact tolerances for CBS
- Incident Management: Prioritisation based on affected CBS
Embedding CBS into ERM ensures that operational resilience is not treated as a standalone initiative but as an integral part of the organisation’s risk management approach.
Documentation, Auditability, and Version Control
Proper documentation is critical for transparency, auditability, and regulatory compliance. Organisations must maintain clear and up-to-date records of:
- CBS definitions and boundaries
- Criticality criteria and scoring methodologies
- Approval and governance decisions
- Changes and updates over time
Version control mechanisms should be implemented to track revisions and ensure that historical records are preserved for audit and regulatory review.
Strong governance and continuous review mechanisms are essential to sustain the effectiveness of Critical Business Services within an operational resilience framework. By establishing clear ownership, robust oversight, and structured review processes, organisations can ensure that their CBS framework remains relevant, accurate, and aligned with both business objectives and regulatory expectations.
Ultimately, governance transforms CBS from a one-time identification exercise into a living framework—one that evolves with the organisation and continues to support the delivery of critical services under all conditions.
