[Implement] What is a Critical Business Service?
Critical Business Service is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:
- Cause intolerable harm to any one or more of the organisation’s clients or
- Pose a risk to the soundness, stability or resilience of the industry, such as the financial industry, its system or the orderly operation of the markets.
How Does an Organisation Identify Business Services?
When considering what business services an organisation provides, looking at the customer journey in the financial industry or manufacturing the production and distribution processes is a good starting point.
Other sources of information to leverage when identifying services include but are not limited to:
- Risk registers
- Critical asset and third-party supplier lists and risk assessments
- Business continuity and recovery plans
It is essential for the OR implementer first to identify Critical Business Services or CBS, sometimes referred to as Important Business Services or Critical Operations, across different organisations operating globally.
Viewing from the lens of these business operations or services, set tolerance for disruption (will be explained as "impact tolerance" in the next stage), secure resources, and verify the appropriateness of the framework.
Differing from the current risk management framework, risk in operational resilience is viewed from an end-to-end service.
What is and is not a Business Service?
To have a detailed but not complicated presentation of each identified important business service (critical business service or critical operation), it is essential to understand that only business services will be documented once identified as important or critical.
Other related documentation, such as "underpinning services" and "internal services," will not be presented to the regulators as it would result in a very "complicated" view of a business service.
How to Identify Critical Business Services?
Identifying critical business services is a crucial step in operational resilience planning. These services are essential for the organisation's operations, revenue generation, regulatory compliance, and customer satisfaction. The following steps outline the process:
Define the Scope and Objectives
- Define the scope and objectives of the operational resilience implementation.
- Identify the areas, functions, and processes that must be assessed for criticality.
- This includes core banking services, payment processing, customer support, risk management, regulatory compliance, and other critical business functions.
Conduct Business (Services) Impact Analysis
Perform a Business (Services) Impact Analysis to assess the potential impacts of disruptions on various business processes and services.
- Note that the scope is broader than the typical "critical business function."
- Identify dependencies, interconnections, and criticality of each service.
- Identify the critical inputs, processes, and outputs associated with each service.
- Determine their recovery time objectives (RTO) and recovery point objectives (RPO).
- Consider service disruptions and financial, operational, reputational, and regulatory consequences.
Engage Relevant Stakeholders
- Collaborate with business unit leaders, department heads, risk managers, and subject matter experts to gather insights on the importance of specific services and their interdependencies.
- Ensure representation from different areas of the institution to capture diverse perspectives.
- Engage relevant stakeholders across the organisation to comprehensively understand the business services and their criticality.
Prioritise Services
- Prioritize the identified business services based on the BIA findings and stakeholder input.
- Assign a level of criticality to each service based on its impact on the institution's overall operations, regulatory compliance, customer experience, and financial stability.
- Use consistent and objective criteria to rank the services in order of importance.
Document Critical Business Services
- Create a comprehensive inventory of critical business services, including their dependencies, associated risks, and recovery requirements.
- Maintain this inventory as a living document and update it regularly.
- Document the identified critical business services in a structured manner.
- Include detailed information such as service descriptions, key inputs and outputs, dependencies, recovery objectives, and any regulatory requirements specific to each service.
- Maintain documentation as it will serve as a reference for future resilience planning and resource allocation.
Validate and Review
- Validate and review the identification of critical business services regularly to ensure their ongoing relevance and alignment with organizational goals and strategies.
Additional Explanatory Note
"Implement" Phase of the OR Planning Methodology
This is not part of the implementation methodology as it is an ongoing activity before and after the implementation.
More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
![[BL-OR] [3] What is BL-OR-3 Course?](https://no-cache.hubspot.com/cta/default/3893111/c994d645-7b4e-4495-a0c5-41f41d69aa1b.png)
![[BL-OR] [3-4-5] What is BL-OR-5 Course?](https://no-cache.hubspot.com/cta/default/3893111/28727388-f7ee-4b64-827d-c8e9d66bfdff.png)
