[OR] [P2] [S2] [MII] [C3] Core Components of Interconnections and Dependencies

[P2] [S2] Chapter 3

Core Components of Interconnections and Dependencies

Introduction

Operational resilience mapping requires organisations to develop a comprehensive and structured view of all elements that support the delivery of Critical Business Services (CBS).

These elements do not operate in isolation; they are interconnected and interdependent, forming a complex ecosystem that must be clearly understood to ensure resilience under disruption.

To achieve effective mapping, organisations must identify and document the core components that underpin service delivery.

These components represent the fundamental building blocks of any CBS and provide the basis for identifying vulnerabilities, assessing risks, and designing recovery strategies.

This chapter introduces the six core components of interconnections and interdependencies:

• People
• Processes
• Technology
• Information/Data
• Facilities
• Third-party and fourth-party providers

It also establishes a key principle: mapping must encompass both internal and external dependencies to provide a complete and accurate view of operational resilience.

Purpose of the Chapter

The purpose of this chapter is to:

• Define the core components that must be included in interconnection mapping
• Explain the role of each component in supporting CBS delivery
• Highlight how these components interact and depend on one another
• Reinforce the need to include both internal and external dependencies

People

Definition

The People component refers to all individuals and roles required to deliver and support a CBS, including employees, contractors, and specialised personnel.

Key Elements

• Operational staff executing processes
• Subject matter experts (SMEs)
• Management and decision-makers
• Crisis management teams
• IT and support personnel

Interdependencies

People are interdependent with:

• Processes (execution of tasks)
• Technology (use of systems and tools)
• Information (decision-making and operations)

Key Risks

• Key person dependency
• Skills shortages
• Unavailability due to pandemics, crises, or attrition

Mapping Considerations

• Identify critical roles and responsibilities
• Highlight single points of dependency (e.g., sole experts)
• Assess availability and redundancy

Processes

Definition

Processes are structured sets of activities that transform inputs into outputs to deliver a CBS.

Key Elements

• End-to-end workflows
• Business procedures
• Decision points and approvals
• Manual and automated steps

Interdependencies

Processes rely on:

• People to execute tasks
• Technology to enable automation
• Data to drive decisions
• Third parties for outsourced activities

Key Risks

• Process bottlenecks
• Manual intervention risks
• Lack of standardisation
• Incomplete documentation

Mapping Considerations

• Decompose CBS into sub-CBS and processes
• Identify upstream and downstream process flows
• Capture dependencies between processes

Technology

Definition

The Technology component includes all systems, applications, infrastructure, and networks that support CBS delivery.

Key Elements

• Core applications (e.g., banking systems)
• Supporting applications (middleware, APIs)
• Infrastructure (servers, networks, cloud platforms)
• Cybersecurity controls

Interdependencies

Technology is interconnected with:

• Processes (automation and execution)
• Data (storage and processing)
• Third-party providers (cloud, SaaS, infrastructure vendors)

Key Risks

• System failures or outages
• Cyberattacks
• Integration failures
• Over-reliance on legacy systems

Mapping Considerations

• Identify all systems supporting each CBS
• Map system interfaces and integrations
• Highlight shared infrastructure and dependencies

Information / Data

Definition

Information/Data refers to the data required to execute processes, support decision-making, and deliver services.

Key Elements

• Customer data
• Transaction data
• Operational data
• Regulatory and reporting data

Interdependencies

Data flows across:

• Systems (technology platforms)
• Processes (input and output requirements)
• People (analysis and decision-making)

Key Risks

• Data unavailability or corruption
• Data integrity issues
• Data privacy breaches
• Inadequate data governance

Mapping Considerations

• Identify critical data required for CBS
• Map data flows between systems and processes
• Highlight data dependencies and storage locations

Facilities

Definition

Facilities refer to the physical locations and infrastructure required to support CBS delivery.

Key Elements

• Offices and operational centres
• Data centres
• Branch locations
• Backup and recovery sites

Interdependencies

Facilities support:

• People (work environment)
• Technology (hosting infrastructure)
• Processes (operational execution)

Key Risks

• Physical disruptions (natural disasters, fire, denial of access)
• Infrastructure failures (power, cooling, connectivity)
• Geographic concentration risks

Mapping Considerations

• Identify critical locations supporting CBS
• Map dependencies on physical infrastructure
• Assess geographic and environmental risks

Third-Party and Fourth-Party Providers

Definition

This component includes external entities that provide products or services supporting CBS delivery, including both direct vendors (third parties) and their subcontractors (fourth parties).

Key Elements

• Outsourcing providers
• Cloud service providers
• Payment networks and clearing houses
• Technology vendors
• Logistics and support services

Interdependencies

Third-party dependencies often extend to:

• Technology platforms (e.g., cloud hosting)
• Processes (outsourced operations)
• Data (storage and processing by vendors)

Fourth-party dependencies introduce additional complexity, as organisations may have:

• Limited visibility
• Indirect exposure

Key Risks

• Vendor failure or disruption
• Concentration risk (single provider supporting multiple CBS)
• Lack of transparency over fourth parties
• Regulatory and compliance risks

Mapping Considerations

• Identify all third-party dependencies supporting CBS
• Assess criticality and concentration risk
• Map fourth-party dependencies where possible
• Align with third-party risk management frameworks

Integration of Components: A Connected Ecosystem

While each component can be analysed individually, operational resilience requires understanding how these components interact as an integrated system.

Example of Interconnection

A single CBS may involve:

• People executing processes
• Processes enabled by technology
• Technology processing data
• Data stored in third-party cloud systems
• Facilities hosting infrastructure

A disruption in any one component can impact the entire service chain.

Principle: Internal and External Dependencies

A fundamental principle of interconnection mapping is:

Operational resilience mapping must include both internal and external dependencies supporting each CBS.

Internal Dependencies

• People
• Processes
• Internal systems
• Facilities

External Dependencies

• Third-party providers
• Fourth-party ecosystems
• External infrastructure (e.g., payment networks, telecom providers)

Why This Matters

Focusing only on internal components creates:

• Incomplete mapping
• Hidden risks
• Inadequate resilience strategies

Including external dependencies ensures:

• Full visibility of the service ecosystem
• Better preparedness for systemic disruptions
• Alignment with regulatory expectations

The core components of interconnections and interdependencies—People, Processes, Technology, Information/Data, Facilities, and Third Parties—form the foundation of operational resilience mapping.

Each component plays a critical role in supporting the delivery of CBS, and their interactions define the organisation’s resilience capability.

Understanding these components in isolation is not sufficient. True resilience comes from recognising how they are interconnected and interdependent, forming a dynamic and complex ecosystem.

By adopting a structured approach to identifying and mapping these components, organisations can:

• Gain comprehensive visibility of service delivery
• Identify vulnerabilities and concentration risks
• Build a strong foundation for impact tolerance, scenario testing, and recovery planning

Most importantly, organisations must ensure that both internal and external dependencies are included, as resilience is only as strong as the weakest link in the entire service chain.

In the next chapter, we will explore the methodology for mapping interconnections and interdependencies, providing a step-by-step approach aligned with the Operational Resilience Planning Methodology.