Operational Resilience Series
Ai Gen Photo 6_OR_Best Practices_with Cert Logo

[OR] [P2-S2] What is Mapping of Processes and Resources in Operational Resilience?

To move toward operational resilience (OR), an organisation must understand its business and identify inter-dependencies and interconnectivity to learn its weaknesses.

Only when weaknesses have been identified and understood can potential risks be determined together with each risk's associated likelihood and impact.

This is the introductory blog [OR-P2-S2] to Stage 2 of the "IMPLEMENT" phase [2] of the OR Planning Methodology.  It is a pre-reading for participants attending the Operational Resilience Implementer/ Expert Implementer course.

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

[Implement Phase]

What is the Mapping of Processes and Resources?

Mapping is identifying, documenting, and understanding the "Processes", which are the activities that deliver critical business services.

An organisation should identify, document, and map the following "Resources" that are  required to deliver each critical business service (CBS):

  • people
  • processes
  • information
  • technology
  • third-party service providers
  • facilities

This exercise should be undertaken collaboratively across the business to ensure comprehensive mapping.  A sample of the detailed mapping is appended below.  Each CBS has been mapped to its supporting resources.

[Sample] Mapping of Dependencies for Retail Banking

 

Dependency Category

Details

People

  • Branch staff
  • Call centre agents
  • Regional managers

Processes

  • Cash handling: Coordinating deposits and withdrawals at branches and ATMs
  • Customer onboarding: Verifying identity, account setup, compliance checks
  • Transaction processing: Real-time transaction validation and settlement
  • Compliance checks: Regular monitoring for anti-money laundering and fraud

Technology

  • Core banking systems
  • ATM networks
  • Payment gateways
  • Data storage solutions

Third-Party Vendors

  • ATM maintenance providers
  • Payment processing companies
  • IT infrastructure support

Facilities

  • Branch offices
  • Cash vaults
  • Disaster recovery sites

 

Why Do We Map Processes and Resources?

Organisations must capture the key resources and dependencies that contribute to providing each critical business service to understand the possible threats to operational resilience.

Mapping incorporates identifying interdependencies and interconnections, including people, processes, information, technology, facilities, and third-party service providers.  

OR Critical_Information Business Function_Critical Operation

The mapping process enables an organisation to have sufficient details to:

  • test against the scenario
  • test vulnerabilities
  • test remediation

When mapping the "Processes," the relationship with key resources should be considered:

  • people
  • processes
  • technology
  • third-party vendor
  • facilities
  • information
[Sample] Table on Mapping of Processes and Resources

Sub-CBS Code

Sub-CBS

People

Processes

Technology (Apps & Infra)

Third-Party Vendors

1.1

Customer Account Management

Branch staff, Account officers, Customer service agents

KYC, Account opening/closure, Data validation

Core banking system,  Document Management System (DMS), CRM

National Registration Department (NRD), eKYC provider

Explanatory Notes for Table

The objective of the above table is to present a comprehensive dependency mapping for the sub-critical business services (Sub-CBS) under the main CBS. 

Each Sub-CBS is mapped against four key dependency types—People, Process, Technology, and Third Party—with detailed descriptions of what or who is involved and how these elements interconnect or interact with the overall working of the CBF.

By establishing clear visibility into these dependencies, the organisation can effectively identify single points of failure, prioritise mitigation strategies, and strengthen its overall OR framework

How to Map OR Dependencies and Connections Across the Organisation?

Mapping operational resilience dependencies and connections is essential for understanding the interdependencies between business units, systems, processes, and external stakeholders.  The following actions are involved:

Identify Key Stakeholders
  • Engage with business unit leaders, IT managers, risk management teams, and other relevant stakeholders to identify and involve the key departments and individuals responsible for critical business functions.
Conduct Dependency Analysis
  • Analyse the dependencies between business units, systems, applications, processes, and external entities (suppliers, partners, regulatory bodies).
  • This analysis helps identify the critical links and potential vulnerabilities.
Identify Internal Interdependencies among different Systems, Processes, and Functions.
  • Analyse how one area's failures or disruptions can impact others. 
  • Consider dependencies on IT infrastructure, data centres, communication networks, and personnel. 
  • Document these interdependencies to gain a comprehensive understanding of internal dependencies.
Identify External Interdependencies
  • Assess the external interdependencies with third-party vendors, service providers, and other external entities. 
  • Identify critical relationships and dependencies that the institution relies on to deliver its services.
    • Includes outsourced processes, cloud service providers, regulatory reporting systems, and other external dependencies. 
  • Evaluate the potential impact of disruptions in these relationships on the institution's operations.
Document Interconnectivity and Interdependencies
  • Create a comprehensive inventory that documents [Refer to sample Table on Mapping of Dependencies and Connectivities] the identified dependencies and connections.
    • Include information such as criticality, dependencies, contact persons, and relevant documentation.
  • Document the identified interconnectivity and interdependencies in a structured manner. 
  • Develop visual representations such as diagrams or flowcharts to illustrate the relationships and dependencies. 
    • Includes information on the relationship's nature, data flows, communication channels, and any contractual or legal obligations. 
  • Serve as a reference documentation for future analysis and planning.
Establish Communication Channels
  • Establish effective communication channels to facilitate ongoing collaboration and information sharing among stakeholders.
  • Ensure a common understanding of dependencies and enable efficient coordination during disruptions.
Review and Update Regularly
  • Review and update the dependency mapping continuously to reflect changes in the organisational structure, processes, or external relationships.
  • Ensure the accuracy and relevance of the mapping information.

Summing Up ...

[Sample] Table on Mapping of Dependencies and Connectivities

Together, the “Dependency Detail” and “Connectivity” columns form the foundation of a meaningful dependency map.

While “Dependency Detail” clarifies what and who is involved in delivering each sub-process, “Connectivity” reveals the operational dynamics and systemic links that underpin the organisation's operational ecosystem.

This combination enables a deep understanding of the service architecture, facilitating targeted risk mitigation, business continuity planning, and operational resilience enhancement for each CBS.

 

Sub-CBS

Sub-CBS Code

Dependency Type

Dependency Detail (What/ Who is Involved)

Connectivity (How it connects/ interacts)

Customer Account Management

1.1

People

Customer Service Officers,  Branch Managers

Interact with customers to open, close, or manage accounts and feed data to the CRM and Core Banking systems.

Process

KYC, AML Checks, Account Maintenance Workflow

Integrated into core banking processes and compliance systems

Technology

Core Banking System (e.g., Silverlake), CRM, Customer Database

The core engine manages the account lifecycle, synchronising across teller, mobile, and branch services.

Third-Party

Credit Bureau, Document Verification Vendors

Third-party KYC/AML checks integrated via secure APIs

Purpose of "Dependency Detail" (What/Who is Involved)

The “Dependency Detail” column serves to identify and describe the specific internal or external components that are crucial to each process within CBS. This includes:

People: Functional roles or teams responsible for oversight, execution, or decision-making.

Processes: Key activities or workflows that form part of the payment and settlement lifecycle.

Technology: Core systems, interfaces, or digital tools used to execute, monitor, or support transactions.

Third Parties: External service providers, regulatory bodies, and partner institutions that play an operational or regulatory role.

By detailing “what” is being relied upon or “who” is involved, this column helps stakeholders understand the precise nature of each dependency, which is critical for assessing potential vulnerabilities, resource allocation, and prioritisation in resilience planning.

Purpose of "Connectivity" (Interaction with CBS or Other Components)


The “Connectivity” column explains how each dependency interacts with CBS or other components within the organisation's operational ecosystem. It articulates the operational relationship and integration points, such as:

  • How a system supports a process or links to another system (e.g., middleware connecting mobile apps to the core engine).
  • How people or teams coordinate across departments or with third parties.
  • How external platforms are integrated to facilitate transaction flow, compliance, or settlement.

This information is crucial because understanding the interdependencies and data or operational flow helps to:

  • Map single points of failure or cascading impacts in case of disruptions.
  • Design more effective contingency plans and recovery strategies.
  • Ensure alignment between internal capabilities and external obligations.
  • Strengthen real-time monitoring and reduce blind spots in operational risk.


  Definition Explanation Definition  
  Mapping

is identifying, documenting and understanding the activities involved in critical business services. 

  • Do not map all processes at once or at a detailed level.
  • Start by identifying and agreeing on the critical processes, assigning ownership, and mapping these processes according to a predefined template.
 
  Processes and Resources include the processes and their relationship with key resources:
  • People
  • Technology
  • Third-Party Vendors
  • Facilities
  • Information

 

 
  Inter-dependencies are the internal and external dependencies on people, processes, technology, and other resources (including those involving third parties) for each critical business service.  
  Inter-connections

are the linking of an organisation's network with products, services, equipment or facilities not belonging to the originating organisation's network.

The term may refer to a connection between the organisation's facilities and the equipment belonging to its customer or a connection between two or more parties.

 
  Mapping Inter-connections and Inter-dependencies are steps for the operational resilience mapping process, which involves identifying dependencies and connections between people, processes, information, technology, facilities, and third-party service providers required to deliver each critical business service.  
         
"Implement" Phase of the OR Planning Methodology
Identify Important Business Services Map Processes and Resources

Set Impact Tolerance

Conduct Scenario Testing Improve Lesson Learnt  

 

 

More Information About Blended Learning OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

Comments

 

More Posts