[P2] [S5] Chapter 7
Linking Lessons Learned to Critical Business Services (CBS)
Introduction
A key principle of operational resilience is that organisations must focus on services delivered to external customers, rather than isolated processes or systems. While incidents and failures often occur at the process or system level, their true significance lies in their impact on Critical Business Services (CBS).
Many organisations fail to realise the full value of lessons learned because they:
- Analyse issues at a component level (e.g., IT systems, processes)
- Do not connect these issues to service outcomes
- Implement improvements that do not strengthen overall service resilience
This chapter emphasises the need to link lessons learned directly to CBS, ensuring that all improvements are aligned with:
- Service continuity
- Customer impact
- Regulatory expectations
Purpose of the Chapter
To establish a service-centric approach for applying Lessons Learned by linking them directly to Critical Business Services (CBS), ensuring that improvements strengthen end-to-end service resilience, protect customers, and support compliance with operational resilience requirements.
Understanding Critical Business Services (CBS)
Definition
A Critical Business Service (CBS) is a service delivered to an external end user where disruption would result in:
- Intolerable harm to customers
- Threats to market integrity
- Financial or reputational damage
- Regulatory consequences
Key Characteristics
- Service-oriented (not process or system-based)
- Customer-facing
- Outcome-driven
- Defined by impact tolerance
CBS vs Processes and Systems
|
Element
|
Description
|
|
CBS
|
End-to-end service delivered to customers
|
|
Process
|
Activities that support the service
|
|
Technology
|
Systems enabling processes
|
|
Resources
|
People and third parties supporting delivery
|
Lessons learned must ultimately focus on strengthening CBS, not just fixing individual components.
Why Linking Lessons Learned to CBS is Critical
Ensuring Service-Centric Improvements
- Align improvements with customer impact
- Avoid siloed fixes
Supporting Impact Tolerance Compliance
- Ensure services remain within defined tolerance levels
- Identify conditions leading to breaches
Enhancing End-to-End Resilience
- Address interdependencies across:
- People
- Process
- Technology
- Third parties
Meeting Regulatory Expectations
Regulators expect organisations to:
- Focus on service continuity
- Demonstrate resilience at the service level
Mapping Lessons Learned to CBS
Step-by-Step Approach
Step 1: Identify Impacted CBS
- Determine which CBS was affected by the incident or test
- Consider both direct and indirect impacts
Step 2: Map to Sub-CBS
- Break down CBS into sub-components
- Identify specific service elements affected
Step 3: Link to Dependencies
- Map issues to:
- Processes
- Systems
- Third-party services
- Human resources
Step 4: Assess Service Impact
- Evaluate:
- Duration of disruption
- Severity of impact
- Customer experience
Sample Mapping Table
|
Sub-CBS Code
|
Sub-CBS
|
Issue Identified
|
Dependency Type
|
Root Cause
|
Impact
|
|
2.1
|
Payment Processing
|
Transaction delays
|
Technology
|
System overload
|
Customer delays
|
|
2.2
|
Settlement Processing
|
Failed transactions
|
Process
|
Manual intervention errors
|
Financial impact
|
Understanding End-to-End Service Impact
Service Chain Perspective
CBS must be viewed as end-to-end service chains, involving:
- Upstream processes
- Core processing systems
- Downstream services
- External dependencies
7.5.2 Cascading Failures
A failure in one component can:
- Trigger failures in other components
- Amplify service disruption
- Lead to widespread impact
7.5.3 Example
A failure in a payment gateway may:
- Delay transaction processing
- Impact customer access
- Affect downstream settlement systems
Lessons learned must address entire service chains, not isolated failures.
Linking Lessons to Customer Impact
Customer-Centric Analysis
Lessons learned should consider:
- Number of customers affected
- Nature of service disruption
- Duration of impact
Types of Customer Impact
- Service unavailability
- Delayed transactions
- Data inaccuracies
- Poor customer experience
Enhancing Customer Outcomes
Improvements should aim to:
- Reduce disruption duration
- Improve service reliability
- Enhance communication with customers
Integration with Impact Tolerance
Assessing Tolerance Breaches
- Determine whether CBS exceeded defined tolerances
- Identify triggers of breach
Refining Impact Tolerance
- Adjust thresholds based on real-world data
- Improve monitoring mechanisms
Strengthening Controls
- Implement controls to:
- Prevent breaches
- Reduce recovery time
Strengthening Interdependencies Through Lessons Learned
Identifying Weak Dependencies
Lessons learned often reveal weaknesses in:
- Internal processes
- Technology systems
- Third-party relationships
Improving Interconnections
- Enhance communication between systems
- Strengthen integration points
Third-Party Dependencies
- Assess vendor performance
- Improve oversight and contingency planning
Embedding Service-Centric Thinking
Shift from Component to Service Perspective
- Focus on outcomes, not activities
- Align improvements with CBS
Breaking Down Silos
- Integrate insights across:
- Business units
- IT
- Risk management
Cross-Functional Collaboration
- Ensure all stakeholders understand their role in service delivery
Practical Case Example: Payments CBS
Scenario
A bank experiences a disruption in its Payments and Funds Transfer Service.
Lessons Learned Mapping
|
Component
|
Issue
|
Impact on CBS
|
|
IT System
|
System outage
|
Transactions halted
|
|
Process
|
Manual recovery delays
|
Extended downtime
|
|
Third-Party
|
Vendor latency
|
Slower processing
|
Insights
- Service disruption was caused by multiple interdependent failures
- Improvements required across:
- Technology
- Processes
- Vendor management
Outcome
- Enhanced system redundancy
- Improved recovery procedures
- Strengthened vendor SLAs
Common Pitfalls
Organisations often face the following challenges:
Component-Level Focus
- Fixing systems without considering service impact
Incomplete Mapping
- Failure to identify all dependencies
Lack of Customer Perspective
Siloed Improvements
- Lack of coordination across functions
Best Practices
Adopt a Service-Centric Framework
- Align all lessons with CBS
Maintain Updated Mapping
- Regularly update interdependency maps
Use Data and Metrics
- Measure service performance
- Monitor impact tolerance
Integrate Across Functions
- Collaborate across departments
Linking lessons learned to Critical Business Services is essential for achieving true operational resilience. By focusing on service outcomes rather than individual components, organisations can:
- Strengthen end-to-end service delivery
- Improve customer experience
- Enhance compliance with regulatory expectations
- Reduce the likelihood and impact of disruptions
This service-centric approach ensures that lessons learned translate into meaningful, organisation-wide improvements.
Transition to Next Chapter
Having established the importance of linking lessons learned to Critical Business Services, the next chapter will explore how lessons learned integrate with scenario testing and impact tolerance, ensuring continuous refinement of testing strategies and resilience thresholds.
| C1 |
C2 |
C3 |
C4 |
C5 |
C6 |
|
|
|
|
|
|
|
| C7 |
C8 |
C9 |
C10 |
C11 |
C12 |
|
|
|
|
|
|
|
| C13 |
C14 |
C15 |
C16 |
C17 |
|
|
|
|
|
|
|
|
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
|
|
|
|
|
|
|
|
|
If you have any questions, click to contact us.
|
|
|
|
|
|