[OR] [P2-S2] What is Mapping of Processes and Resources in Operational Resilience?

[Implement Phase]

What is the Mapping of Processes and Resources?

Mapping is identifying, documenting, and understanding the "Processes", which are the activities that deliver critical business services.

An organisation should identify, document, and map the following "Resources" that are  required to deliver each critical business service (CBS):

• people
• processes
• information
• technology
• third-party service providers
• facilities

This exercise should be undertaken collaboratively across the business to ensure comprehensive mapping.  A sample of the detailed mapping is appended below.  Each CBS has been mapped to its supporting resources.

[Sample] Mapping of Dependencies for Retail Banking

Why Do We Map Processes and Resources?

Organisations must capture the key resources and dependencies that contribute to providing each critical business service to understand the possible threats to operational resilience.

Mapping incorporates identifying interdependencies and interconnections, including people, processes, information, technology, facilities, and third-party service providers.  

The mapping process enables an organisation to have sufficient details to:

• test against the scenario
• test vulnerabilities
• test remediation

When mapping the "Processes," the relationship with key resources should be considered:

• people
• technology
• facilities
• information

How to Map OR Dependencies and Connections Across the Organisation?

Mapping operational resilience dependencies and connections is essential for understanding the interdependencies between business units, systems, processes, and external stakeholders.  The following actions are involved:

Identify Key Stakeholders

• Engage with business unit leaders, IT managers, risk management teams, and other relevant stakeholders to identify and involve the key departments and individuals responsible for critical business functions.

Conduct Dependency Analysis

• Analyze the dependencies between business units, systems, applications, processes, and external entities (suppliers, partners, regulatory bodies).
• This analysis helps identify the critical links and potential vulnerabilities.

Identify Internal Interdependencies between Different Systems, Processes, and Functions.

• Analyse how one area's failures or disruptions can impact others. 
• Consider dependencies on IT infrastructure, data centres, communication networks, and personnel. 
• Document these interdependencies to understand internal dependencies comprehensively.

Identify External Interdependencies

• Assess the external interdependencies with third-party vendors, service providers, and other external entities. 
• Identify critical relationships and dependencies the institution relies on to deliver its services.
  • includes outsourced processes, cloud service providers, regulatory reporting systems, and other external dependencies. 
• Evaluate the potential impact of disruptions in these relationships on the institution's operations.

Document Interconnectivity and Interdependencies

• Create a comprehensive inventory that documents the identified dependencies and connections.
  • Include information such as criticality, dependencies, contact persons, and relevant documentation.
• Document the identified interconnectivity and interdependencies in a structured manner. 
• Develop visual representations such as diagrams or flowcharts to illustrate the relationships and dependencies. 
  • Includes information on the relationship's nature, data flows, communication channels, and any contractual or legal obligations. 
• Serve as a reference documentation for future analysis and planning.

Establish Communication Channels

• Establish effective communication channels to facilitate ongoing collaboration and information sharing among stakeholders.
• Ensure a common understanding of dependencies and enable efficient coordination during disruptions.

Review and Update Regularly

• Review and update the dependency mapping continuously to reflect organisational structure, processes, or external relationship changes.
• Ensure the accuracy and relevance of the mapping information.

	Definition	Explanation	Definition
	Mapping	is identifying, documenting and understanding the activities involved in critical business services.  Do not map all processes at once or at a detailed level. Start by identifying and agreeing upon the critical processes, assign ownership, and map these processes according to a predefined template.
	Processes and Resources	include the processes and their relationship with key resources: People Technology Third-Party Vendors Facilities Information
	Inter-dependencies	are the internal and external dependencies on people, processes, technology, and other resources (including those involving third parties) for each critical business service.
	Inter-connections	are the linking of an organisation's network with products, services, equipment or facilities not belonging to the originating organisation's network. The term may refer to a connection between the organisation's facilities and the equipment belonging to its customer or a connection between two or more parties.
	Mapping Inter-connections and Inter-dependencies	are steps for the operational resilience mapping process, which involves identifying dependencies and connections between people, processes, information, technology, facilities, and third-party service providers required to deliver each critical business service.

"Implement" Phase of the OR Planning Methodology

Identify Important Business Services	Map Processes and Resources	Set Impact Tolerance	Conduct Scenario Testing	Improve Lesson Learnt

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.