[P2] [S2] Chapter 7
Step 4 – Map Processes and Resources
Introduction
With the mapping framework established, the next step is to translate structure into detailed operational visibility by mapping processes and resources. This step bridges the gap between high-level service definitions and the actual components that enable service delivery.
Operational resilience depends on understanding not just what services exist, but how they are executed and what they depend on at a granular level. Mapping processes and resources enables organisations to identify:
- Critical operational steps
- Supporting assets and capabilities
- Dependencies that may not be visible at higher levels
This level of detail is essential for identifying vulnerabilities, assessing risks, and supporting scenario testing and recovery planning.
Purpose of the Chapter
The purpose of this chapter is to:
- Provide a structured approach to decomposing CBS into Sub-CBS and processes
- Identify and map key resources supporting each process
- Establish a detailed understanding of operational dependencies
- Achieve granular visibility to support resilience activities
Decomposing CBS into Sub-CBS and Processes
Importance of Decomposition
Critical Business Services (CBS) are typically broad and complex. To enable effective mapping, they must be broken down into:
- Sub-CBS (service components)
- Processes (operational activities)
This decomposition ensures that mapping is:
- Manageable
- Detailed enough for analysis
- Aligned with real operational workflows
Sub-CBS Identification
Sub-CBS represent distinct functional components of a CBS.
Examples (Banking Context)
For a CBS such as Payments & Funds Transfer:
- Payment Initiation
- Authentication & Authorisation
- Payment Processing
- Clearing & Settlement
- Notification and Reporting
Process Identification
Each Sub-CBS is supported by specific processes, which define:
- The sequence of activities
- Decision points
- Inputs and outputs
Examples
- Customer authentication
- Transaction validation
- Fraud screening
- Funds availability check
Mapping Considerations
When decomposing CBS:
- Ensure end-to-end coverage
- Capture both automated and manual processes
- Identify upstream and downstream relationships
- Avoid overly granular or overly broad decomposition
Mapping Resources
Once processes are identified, the next step is to map the resources required to execute those processes.
People
Definition
Individuals and roles responsible for executing and supporting processes.
Examples
- Operations staff
- Customer service teams
- IT support personnel
- Subject matter experts
Mapping Considerations
- Identify critical roles
- Highlight key person dependencies
- Assess availability and redundancy
Technology
Definition
Systems, applications, and infrastructure supporting processes.
Examples
- Core banking systems
- Payment engines
- Authentication platforms
- Cloud infrastructure
Mapping Considerations
- Identify all supporting systems
- Capture system integrations and interfaces
- Highlight shared systems across CBS
Facilities
Definition
Physical locations and infrastructure required for operations.
Examples
- Offices
- Data centres
- Branches
- Disaster recovery sites
Mapping Considerations
- Identify critical locations
- Assess geographic concentration risks
- Capture dependencies on physical infrastructure
Third Parties
Definition
External vendors and service providers supporting processes.
Examples
- Payment networks
- Cloud service providers
- Outsourcing partners
- Data providers
Mapping Considerations
- Identify all third-party dependencies
- Assess criticality and concentration risks
- Consider fourth-party dependencies where relevant
Linking Processes and Resources
Integrated View
Processes and resources must not be mapped in isolation. Instead, organisations should establish:
- Direct linkages between processes and resources
- Clear understanding of which resources support which processes
Example
Process: Transaction validation
- People: Operations team
- Technology: Payment engine
- Data: Transaction database
- Third Party: Fraud detection service
Benefits of Integration
- Provides a complete view of service delivery
- Enables identification of critical dependencies
- Supports analysis of failure scenarios
Achieving Granular Visibility
Definition
Granular visibility refers to:
A detailed understanding of all operational components supporting a CBS and how they interact.
Why Granularity Matters
Without sufficient detail:
- Dependencies may be overlooked
- Risks may be underestimated
- Recovery strategies may be ineffective
With granular visibility, organisations can:
- Identify vulnerabilities
- Understand dependency chains
- Design targeted resilience measures
Balancing Detail and Usability
While granularity is important, organisations must avoid:
- Excessive detail that complicates analysis
- Overly simplified mapping that misses critical dependencies
The goal is to achieve:
- Sufficient detail for decision-making
- Clarity and usability for stakeholders
Practical Mapping Output
A typical process and resource mapping table may include:
|
Sub-CBS Code
|
Sub-CBS
|
Processes
|
People
|
Technology
|
Facilities
|
Third Parties
|
|
2.1
|
Payment Initiation
|
Capture transaction request
|
Customer, Frontline Staff
|
Mobile App
|
Branch/Remote Access
|
None
|
|
2.2
|
Authentication
|
Verify identity
|
IT Security Team
|
Authentication System
|
Data Centre
|
MFA Provider
|
|
2.3
|
Payment Processing
|
Execute transaction
|
Operations Team
|
Payment Engine
|
Data Centre
|
Payment Network
|
Common Challenges
Incomplete Process Identification
- Missing steps or workflows
Hidden Dependencies
- Informal or undocumented processes
Resource Overlap
- Shared systems or personnel across multiple CBS
Mitigation Strategies
- Conduct stakeholder workshops
- Validate mapping through walkthroughs
- Use multiple data sources
- Align with standard templates
Key Objective of Step 4
The key objective of this step is:
To provide granular visibility of operational components supporting Critical Business Services, enabling a comprehensive understanding of how services are delivered and where dependencies exist.
Mapping processes and resources is a critical step in operational resilience implementation, providing the detailed insight needed to understand service delivery at an operational level.
By:
- Decomposing CBS into Sub-CBS and processes
- Mapping resources across people, technology, facilities, and third parties
organisations can achieve:
- A comprehensive view of operational dependencies
- Identification of vulnerabilities and risks
- A strong foundation for interdependency mapping and analysis
This step transforms high-level service definitions into actionable operational intelligence, enabling organisations to move closer to achieving true resilience.
In the next chapter, we will build on this foundation by mapping interconnections and interdependencies, linking processes and resources into a cohesive network that reflects real-world service delivery.
| C1 |
C2 |
C3 |
C4 |
C5 |
C6 |
|
|
|
|
|
|
|
| C7 |
C8 |
C9 |
C10 |
C11 |
C12 |
|
|
|
|
|
|
|
| C13 |
C14 |
C15 |
C16 |
C17 |
C18 |
|
|
|
|
|
|
|
| C19 |
C20 |
C21 |
C22 |
|
|
|
|
|
|
|
|
|
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
|
|
|
|
|
|
|
|
|
If you have any questions, click to contact us.
|
|
|
|
|
|