[OR] [P2] [S1] [CBS] [C5] Methodology for Identifying Critical Business Services

Chapter 5

Methodology for Identifying Critical Business Services

Introduction

A structured and disciplined methodology is essential for identifying Critical Business Services (CBS) in a consistent, defensible, and regulator-aligned manner.

This methodology ensures that organisations move beyond subjective judgment and adopt a systematic approach that is transparent, repeatable, and auditable.

The following six-step methodology provides a practical framework for identifying CBS, from initial service inventory to final governance approval.

Step 1: Identify All Business Services

The first step is to develop a comprehensive inventory of all business services delivered by the organisation. This serves as the foundation for subsequent analysis.

Key activities include:

• Listing all services across business lines and functions
• Grouping services into logical categories (e.g., retail banking, payments, corporate services)
• Ensuring completeness while avoiding unnecessary duplication

Key consideration:

Avoid excessive granularity. Services should be defined at a level that reflects meaningful customer outcomes rather than internal task-level activities.

Step 2: Define Service Boundaries

Once services are identified, organisations must clearly define their boundaries to ensure consistency and clarity.

Key elements include:

• Start Point: Customer request, trigger, or initiation event
• End Point: Delivery of the service outcome
• Scope: Inclusion of all supporting processes, systems, people, and third parties

Key consideration:

Service boundaries should reflect an end-to-end perspective, ensuring that the full delivery chain is captured rather than isolated components.

Step 3: Establish Criticality Criteria

To determine which services are critical, organisations must establish clear and measurable criteria for assessing criticality.

Typical criteria include:

• Customer Harm: Financial loss, inability to access essential services, or safety concerns
• Market/Systemic Impact: Disruption to the broader financial system or economy
• Financial Impact: Direct or indirect financial loss to the organisation
• Regulatory Impact: Breach of legal or regulatory obligations
• Reputational Damage: Loss of trust and brand value

Key consideration:

Criteria should be supported by defined thresholds to ensure consistency and objectivity in assessment.

Step 4: Assess and Score Services

Each service is then assessed against the defined criteria using qualitative and/or quantitative scoring models.

Key activities include:

• Assigning scores for each criterion
• Aggregating scores to determine overall criticality
• Ranking services based on the severity of impact

Common tools:

• Risk matrices (e.g., impact vs likelihood)
• Weighted scoring models
• Threshold-based classification (e.g., Critical, Important, Non-Critical)

Key consideration:

The scoring process must be transparent and documented to support auditability and regulatory review.

Step 5: Validate with Stakeholders

The preliminary list of CBS must be validated through structured engagement with key stakeholders across the organisation.

Stakeholders typically include:

• Business unit leaders
• Operations and IT teams
• Risk and compliance functions
• Senior management

Validation activities:

• Reviewing assumptions and scoring outcomes
• Challenging and refining service definitions
• Confirming alignment with business priorities and risk appetite

Key consideration:

Validation ensures that CBS identification is not purely theoretical but grounded in operational reality.

Step 6: Finalise the List of CBS

The final step is to formally approve and document the list of Critical Business Services.

Key activities include:

• Obtaining approval from relevant governance bodies (e.g., risk committee, executive management)
• Documenting CBS definitions, rationale, and supporting evidence
• Establishing version control and change management processes
• Aligning CBS with the broader operational resilience strategy

Key consideration:

Formal approval ensures accountability and provides a clear reference point for all subsequent resilience activities.

Conclusion of Methodology Section

A structured methodology for identifying Critical Business Services ensures that organisations adopt a consistent, transparent, and outcome-driven approach. By progressing through service identification, boundary definition, criticality assessment, stakeholder validation, and governance approval, organisations can confidently determine which services are truly critical.

This methodology not only supports regulatory compliance but also lays the groundwork for effective operational resilience—enabling organisations to prioritise resources, manage risks, and maintain the continuity of essential services under all conditions.