[OR] [P2] [S2] [MII] [C10] Step 7 – Analyse Mapping Outputs

[P2] [S2] Chapter 10

Step 7 – Analyse Mapping Outputs

Introduction

Once interconnections and interdependencies have been mapped and validated, the next step is to analyse the mapping outputs. This step is where operational resilience moves from documentation to decision-making.

Mapping on its own provides visibility—but analysis transforms that visibility into insight, prioritisation, and action. It enables organisations to identify vulnerabilities, understand systemic risks, and determine where resilience investments should be focused.

This chapter outlines how to analyse mapping outputs by identifying:

• Single points of failure
• Critical dependencies
• Concentration risks

It also explains how these insights are linked to impact tolerance setting and scenario design, ultimately transforming mapping into actionable resilience intelligence.

Purpose of the Chapter

The purpose of this chapter is to:

• Provide a structured approach to analysing mapping outputs
• Identify key risk indicators within interconnections and dependencies
• Link mapping insights to operational resilience activities
• Enable organisations to derive actionable outcomes from mapping

From Mapping to Insight

The Value of Analysis

Mapping answers the question:

“What are the components and how are they connected?”

Analysis answers the more critical question:

“Where are the risks, and what should we do about them?”

Without analysis:

• Mapping remains descriptive
• Risks remain unidentified
• Resilience actions lack focus

Analytical Objectives

The primary objectives of analysing mapping outputs are to:

• Identify vulnerabilities and weak points
• Understand dependency criticality
• Detect systemic and concentration risks
• Support risk-based prioritisation

Identifying Single Points of Failure (SPOF)

Definition

A Single Point of Failure (SPOF) is a component whose failure would result in:

• Complete disruption of a CBS
• Inability to deliver service outcomes

Examples

• A single authentication system supporting all digital channels
• A key individual with unique expertise and no backup
• A single data centre hosting critical systems

Identification Approach

Using mapping outputs, organisations should:

• Trace dependencies for each CBS
• Identify components with no redundancy or fallback
• Assess impact if the component becomes unavailable

Risk Implications

SPOFs represent:

• High vulnerability
• Immediate disruption risk
• Priority areas for mitigation

Mitigation Considerations

• Introduce redundancy (systems, personnel, locations)
• Diversify dependencies
• Strengthen controls and monitoring

Identifying Critical Dependencies

Definition

Critical dependencies are components that are essential to the delivery of a CBS, even if alternatives exist.

Characteristics

A dependency is considered critical if:

• Its failure significantly impacts service delivery
• It has a direct link to customer outcomes
• It affects regulatory or financial obligations

Identification Approach

Organisations should:

• Assess dependency strength and criticality (from mapping outputs)
• Identify components with high operational importance
• Prioritise dependencies supporting multiple CBS

Examples

• Core banking systems
• Payment processing engines
• Critical third-party service providers

Risk Implications

Critical dependencies:

• Require enhanced resilience measures
• Must be prioritised in recovery planning
• Should be included in scenario testing

Identifying Concentration Risks

Definition

Concentration risk occurs when multiple services or processes depend on a single resource, provider, or location.

Types of Concentration Risk

Technology Concentration

• Multiple CBS relying on a single system or platform

Vendor Concentration

• Heavy reliance on one third-party provider

Geographic Concentration

• Critical operations located in a single site or region

People Concentration

• Dependence on a limited number of individuals

Identification Approach

Using mapping outputs, organisations should:

• Identify shared dependencies across CBS
• Analyse clustering of dependencies
• Evaluate redundancy and diversification

Risk Implications

Concentration risks:

• Amplify the impact of disruptions
• Increase systemic vulnerability
• Limit recovery options

Mitigation Considerations

• Diversify vendors and service providers
• Implement geographic redundancy
• Distribute workloads across systems
• Strengthen third-party risk management

Linking Analysis to Impact Tolerance

Role of Mapping Insights

Analysis of dependencies provides critical inputs for defining impact tolerance, including:

• Maximum tolerable downtime
• Acceptable level of service degradation
• Data loss thresholds

Using Insights to Refine Impact Tolerance

Organisations should:

• Align tolerance levels with identified vulnerabilities
• Adjust thresholds based on dependency criticality
• Ensure tolerances are realistic and achievable

Outcome

Impact tolerances become:

• Evidence-based
• Aligned with actual operational capabilities
• Defensible to regulators

Linking Analysis to Scenario Design

Importance of Scenario Design

Scenario testing is only effective if it reflects:

• Real-world dependencies
• Actual vulnerabilities
• Plausible disruption pathways

Using Mapping Insights for Scenario Development

Analysis enables organisations to:

• Design scenarios targeting:
• SPOFs
• Critical dependencies
• Concentration risks
• Simulate cascading failures across interconnected components

Example Scenarios

• Failure of a shared technology platform impacting multiple CBS
• Outage of a key third-party provider
• Loss of critical personnel during a crisis

Outcome

Scenario testing becomes:

• Realistic
• Comprehensive
• Aligned with actual risk exposure

From Analysis to Action

Translating Insights into Actions

Organisations must convert analytical findings into:

• Risk mitigation strategies
• Resilience enhancement initiatives
• Investment priorities

Example Actions

• Implement redundancy for SPOFs
• Strengthen controls for critical dependencies
• Diversify vendors to reduce concentration risk
• Enhance monitoring of high-risk components

Integration with Operational Resilience Framework

Analysis outputs should feed into:

• Business Continuity Management (BCM)
• Crisis Management (CM)
• Third-Party Risk Management (TPRM)
• Technology Risk Management (TRM)

Outcome of Step 7

The outcome of analysing mapping outputs is:

The transformation of mapping data into actionable resilience insights that enable informed decision-making, risk prioritisation, and targeted resilience improvements.

Analysing mapping outputs is a critical step in operational resilience implementation, bridging the gap between visibility and action.

By identifying:

• Single points of failure
• Critical dependencies
• Concentration risks

organisations gain a deep understanding of where vulnerabilities exist and how disruptions may propagate.

Linking these insights to:

• Impact tolerance
• Scenario design

ensures that resilience strategies are:

• Realistic
• Targeted
• Effective

Ultimately, this step enables organisations to move from mapping what exists to strengthening what matters, ensuring that Critical Business Services can be sustained even under severe disruption.

In the next chapter, we will explore how to operationalise these insights through tools, templates, and practical implementation approaches, enabling organisations to embed interconnection mapping into their day-to-day resilience practices.