eBook OR

[OR] [P2] [S3] [ITo] [C9] Role of Dependency Mapping in Impact Tolerance

Written by Moh Heng Goh | May 8, 2026 9:50:01 AM

[P2] [S3] Chapter 9

Role of Dependency Mapping in Impact Tolerance

Introduction

Impact tolerance cannot be set in isolation. It must reflect the true operating reality of how a Critical Business Service (CBS) is delivered, including all the underlying interconnections and dependencies that enable it to function.

Many organisations initially set impact tolerances based on assumed recovery capabilities or high-level process views. However, without detailed dependency mapping, these tolerances often prove unrealistic when tested under stress.

Hidden dependencies, single points of failure, and cascading disruptions can quickly invalidate even well-defined thresholds.

This chapter explains how dependency mapping provides the foundation for realistic, evidence-based impact tolerance by revealing how services are supported and where vulnerabilities exist.

Purpose of the Chapter

The purpose of this chapter is to:

  • Highlight the importance of mapping interconnections and dependencies
  • Identify hidden vulnerabilities that influence impact tolerance
  • Explain how dependency mapping supports tolerance calibration
  • Demonstrate the role of process-resource mapping in resilience analysis
  • Provide practical templates for integrating mapping into impact tolerance assessment

Understanding Dependency Mapping

Dependency mapping is the process of identifying and documenting all components required to deliver a CBS. It provides a holistic, end-to-end view of how services operate.

A complete dependency map covers four key domains:

People
  • Frontline staff (e.g., branch, call centre)
  • Operations teams
  • Technology and support staff
  • Subject matter experts and key personnel

Key Considerations:

  • Availability of skilled resources
  • Cross-training and backup capability
  • Reliance on key individuals
Process
  • Business workflows and procedures
  • Manual and automated processes
  • Control mechanisms and approvals

Key Considerations:

  • Process complexity
  • Dependency on sequential steps
  • Manual intervention requirements
Technology
  • Core systems and applications
  • Infrastructure (servers, networks, databases)
  • Interfaces and integration layers

Key Considerations:

  • System resilience and redundancy
  • Recovery capabilities (failover, backup)
  • Inter-system dependencies
Third Parties
  • Outsourced service providers
  • Cloud and technology vendors
  • Payment networks and clearing houses
  • Data providers and utilities

Key Considerations:

  • Vendor reliability and SLAs
  • Concentration risk
  • Limited control over recovery timelines

Dependency Mapping and Impact Tolerance

Dependency mapping directly influences how impact tolerance is defined.

Key Linkages

Mapping Insight

Impact on Tolerance

Critical dependency identified

May reduce acceptable downtime

Multiple dependencies

Increases risk of failure

Lack of redundancy

Requires stricter tolerance or remediation

Strong resilience capability

Supports more confident tolerance setting

Without mapping, organisations risk:

  • Underestimating disruption impact
  • Overestimating recovery capability
  • Setting tolerances that are not achievable in practice

Identifying Single Points of Failure

A Single Point of Failure (SPOF) is any component whose failure would cause a service disruption.

Examples

Dependency Type

Single Point of Failure Example

People

Only one staff member has critical system knowledge

Process

Manual approval step with no backup approver

Technology

Single data centre hosting the core banking system

Third Party

Sole provider for payment gateway services
Impact on Tolerance

SPOFs significantly increase the likelihood of:

  • Rapid service disruption
  • Extended downtime
  • Breach of impact tolerance
Mitigation Strategies
  • Introduce redundancy (e.g., backup systems, alternate vendors)
  • Cross-train staff
  • Automate manual processes
  • Diversify third-party dependencies

Identifying SPOFs is critical to ensuring that impact tolerances are realistic and achievable.

Cascading Failure Analysis

Disruptions rarely occur in isolation. Failure in one component can trigger a chain reaction across multiple services.

Example of Cascading Failure
  1. Cloud provider outage
  2. Digital banking platform becomes unavailable
  3. Payment initiation fails
  4. Clearing and settlement are delayed
  5. Customer transactions disrupted
  6. Regulatory reporting impacted

Key Observations

  • Dependencies are interconnected and interdependent
  • Failure can propagate across CBS and Sub-CBS
  • Impact escalates rapidly beyond initial disruption
Role in Impact Tolerance

Cascading failure analysis helps organisations:

  • Understand how quickly disruption spreads
  • Identify critical nodes in the dependency chain
  • Set tolerances that account for end-to-end service impact

This ensures that tolerances are not based on isolated components but reflect full service delivery risk.

Integration with Dependency Mapping Tables

Dependency mapping should be documented using structured tables to support analysis and decision-making.

Example: Dependency Mapping Table

Sub-CBS Code

Sub-CBS

Dependency Type

Dependency Detail

Connectivity

1.6

Deposit Transactions Processing

Technology

Core banking system

Processes all deposit transactions

1.6

Deposit Transactions Processing

Third Party

ATM network provider

Enables ATM deposit services

2.1

Payment Initiation

Technology

Payment gateway

Routes payment instructions

2.7

Clearing and Settlement

Third Party

Clearing house

Settles interbank transactions
Key Benefits
  • Provides clear visibility of dependencies
  • Enables identification of critical components
  • Supports scenario testing and impact analysis
  • Links directly to impact tolerance assessment

Integration with Process-Resource Mapping

Dependency mapping is closely linked to process-resource mapping, which provides a deeper view of how services operate.

Example: Process-Resource Mapping Table

Sub-CBS Code

Sub-CBS

Processes

People

Technology

Third Parties

Upstream / Downstream Dependencies

1.1

Customer Onboarding

Application,  verification, approval

Onboarding team, compliance

CRM, KYC system

eKYC provider

Account opening, digital access

1.6

Deposit Transactions

Deposit capture, validation, posting

Operations, branch staff

Core banking, ATM switch

ATM network

Account balance, reporting

2.7

Clearing and Settlement

Clearing, settlement, reconciliation

Payments ops, treasury

Payment switch, RTGS

Clearing house

Liquidity, customer notification
Role in Impact Tolerance

Process-resource mapping enables organisations to:

  • Quantify how disruptions affect each resource layer
  • Identify bottlenecks and constraints
  • Assess manual workaround feasibility
  • Understand recovery sequencing requirements

This level of detail is essential for setting accurate and defensible tolerances.

Practical Application in Impact Tolerance Setting

Dependency mapping informs multiple aspects of tolerance setting:

Defining Realistic Time Thresholds
  • If recovery depends on multiple systems, downtime may increase
  • If redundancy exists, tolerance can be tighter
Assessing Data Loss Tolerance
  • Data replication capabilities influence MTDL
  • Single data storage points increase risk
Evaluating Service Capacity
  • Availability of people and systems affects throughput
  • Third-party limitations may constrain recovery speed
Supporting Scenario Testing
  • Identifies failure points to include in scenarios
  • Enables realistic simulation of disruptions

Common Challenges

Challenge

Description

Incomplete mapping

Missing dependencies lead to inaccurate tolerance

Siloed information

Lack of cross-functional visibility

Outdated mapping

Changes in systems or vendors not reflected

Over-complex mapping

Excessive detail without actionable insights

Lack of ownership

No clear accountability for maintaining maps

Best Practices

To maximise effectiveness:

  • Maintain end-to-end service view, not siloed components
  • Regularly update mapping to reflect changes
  • Involve cross-functional stakeholders
  • Focus on critical dependencies, not every detail
  • Align mapping outputs with scenario testing and tolerance setting
  • Use mapping as a living document, not a one-time exercise

Dependency mapping is a critical enabler of effective impact tolerance setting. It reveals the interconnections that underpin service delivery, identifies hidden vulnerabilities, and highlights where disruptions are most likely to occur and propagate.

By systematically mapping people, processes, technology, and third-party dependencies, organisations can uncover single points of failure, analyse cascading impacts, and ensure that impact tolerances are grounded in operational reality.

Ultimately, dependency mapping transforms impact tolerance from an abstract concept into a practical, evidence-based capability, ensuring that organisations can confidently define, test, and operate within their resilience thresholds.

In the next chapter, we will explore how to embed impact tolerance into governance, monitoring, and reporting frameworks, ensuring sustained oversight and continuous improvement.

C1 C2 C3 C4 C5 C6
C7 C8 C9 C10 C11 C12 
C13 C14 C15 C16 C17 C18

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post