[OR] [P2] [S2] [MII] [C8] Step 5 – Map Interconnections and Interdependencies

[P2] [S2] Chapter 8

Step 5 – Map Interconnections and Interdependencies

Introduction

Having identified Critical Business Services (CBS), mapped processes and resources, and established the necessary data inputs, the next critical step is to map interconnections and interdependencies.

This step transforms static lists of components into a dynamic, end-to-end view of how services are actually delivered.

Mapping interconnections and interdependencies provides organisations with the ability to:

• Understand how components interact
• Identify where dependencies exist
• Assess how disruptions propagate across the service chain

Without this step, operational resilience efforts remain incomplete, as organisations may understand “what exists” but not “how everything works together”.

Purpose of the Chapter

The purpose of this chapter is to:

• Explain how to identify internal and external dependencies
• Provide a structured approach to mapping connectivity between components
• Introduce methods for assessing dependency strength and criticality
• Define key types of interdependencies
• Highlight the importance of identifying concentration risks

Identifying Dependencies

The first step in mapping interconnections is to identify all relevant dependencies supporting each CBS. These dependencies can be broadly classified into internal and external.

Internal Dependencies (Within the Organisation)

Internal dependencies refer to relationships between components within the organisation.

Examples

• A payment processing system dependent on an authentication service
• A customer onboarding process reliant on internal KYC systems
• Operations teams dependent on IT support for system availability

Key Components

• People (roles and expertise)
• Processes (workflow dependencies)
• Technology (systems and applications)
• Data (information flows)
• Facilities (locations and infrastructure)

Mapping Considerations

• Identify upstream and downstream relationships
• Capture cross-functional dependencies
• Highlight shared resources across multiple CBS

External Dependencies (Vendors, Regulators, and Ecosystem)

External dependencies refer to relationships with entities outside the organisation.

Examples

• Cloud service providers hosting critical applications
• Payment networks supporting transaction processing
• Regulatory bodies requiring reporting and compliance activities

Key External Entities

• Third-party vendors
• Fourth-party providers
• Market infrastructure (e.g., clearing and settlement systems)
• Regulators and supervisory systems

Mapping Considerations

• Identify critical vendors supporting CBS
• Understand reliance on external infrastructure
• Assess visibility into fourth-party dependencies

Mapping Connectivity

Once dependencies are identified, the next step is to map connectivity, which describes how components interact with each other.

Definition of Connectivity

Connectivity refers to:

• The flow of information, transactions, or control between components
• The interaction mechanisms linking processes, systems, and entities

Types of Connectivity

Process Connectivity

• Sequence of activities within a workflow
• Example: Customer request → validation → processing → confirmation

System Connectivity

• Integration between applications and platforms
• Example: API calls between front-end and backend systems

Data Connectivity

• Movement and transformation of data
• Example: Data transfer between databases and reporting systems

Organisational Connectivity

• Interaction between teams and functions
• Example: Coordination between operations and IT during incident response

Mapping Approach

Organisations should:

• Use visual diagrams (e.g., flowcharts, dependency maps)
• Capture direction of flows (upstream vs downstream)
• Identify points of interaction and handoffs

Outcome

Connectivity mapping provides:

• A clear view of how CBS are delivered
• Insight into potential failure propagation paths
• A foundation for scenario testing and recovery planning

Assessing Dependency Strength and Criticality

Not all dependencies are equal. Organisations must assess:

• How critical a dependency is
• How strongly a component relies on another

Dependency Strength

Dependency strength reflects the degree of reliance between components.

Categories

• High Dependency: Service cannot function without the component
• Medium Dependency: Service is degraded but still operational
• Low Dependency: Minimal impact if component fails

Dependency Criticality

Criticality reflects the importance of the dependency to the CBS outcome.

Factors to Consider

• Impact on customers
• Regulatory implications
• Financial consequences
• Time sensitivity

Assessment Approach

Organisations can:

• Use scoring models (e.g., High/Medium/Low)
• Define thresholds aligned with impact tolerance
• Integrate with risk assessment frameworks

Outcome

Assessing dependency strength and criticality enables:

• Prioritisation of resilience efforts
• Identification of high-risk dependencies
• Focused mitigation strategies

Types of Interdependencies

Understanding the types of interdependencies helps organisations analyse how disruptions may propagate.

Sequential Dependencies

Sequential dependencies occur when:

• One component must function before another can operate

Example

• Authentication must occur before transaction processing
• Data validation must occur before reporting

Risk Implication

• Failure in an upstream component halts downstream processes

Shared Dependencies

Shared dependencies occur when:

• Multiple services rely on the same component

Example

• Multiple CBS relying on a single core banking system
• Several processes dependent on the same cloud provider

Risk Implication

• A single failure can impact multiple CBS simultaneously

Concentration Risks

Concentration risk arises when:

• Dependencies are heavily concentrated in a single component, vendor, or location

Examples

• Single vendor supporting multiple critical services
• Centralised data centre hosting all applications
• Limited redundancy in key personnel

Risk Implication

• High impact disruption with limited recovery options

Integrating Interdependency Mapping into Operational Resilience

Mapping interconnections and interdependencies is not an isolated activity. It directly supports:

Impact Tolerance Setting

• Identifying critical thresholds based on dependencies

Scenario Testing

• Designing realistic disruption scenarios

Recovery Planning

• Determining recovery priorities and sequencing

Third-Party Risk Management

• Understanding vendor dependencies and concentration risks

Practical Mapping Output Structure

A typical interdependency mapping table may include:

This structured output ensures consistency and usability across resilience activities.

Mapping interconnections and interdependencies is a critical step in operational resilience implementation, transforming static resource mapping into a dynamic, actionable understanding of service delivery.

By identifying both internal and external dependencies, mapping connectivity, and assessing dependency strength and criticality, organisations gain:

• Visibility into complex service ecosystems
• Insight into how disruptions propagate
• The ability to prioritise resilience efforts effectively

Understanding key interdependency types—sequential, shared, and concentration risks—further enhances an organisation’s ability to anticipate and mitigate disruptions.

Ultimately, this step enables organisations to move from understanding components to understanding how the entire system behaves under stress, which is essential for achieving true operational resilience.

In the next chapter, we will explore Step 6: Validate Mapping, ensuring that all identified interconnections and interdependencies are accurate, complete, and aligned with real-world operations.

C1	C2	C3	C4	C5	C6
C7	C8	C9	C10	C11	C12
C13	C14	C15	C16	C17	C18
C19	C20	C21	C22

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.