In this series, we have discussed the areas to be included in a post-crisis assessment of an operational resilience program. The second area that should be reassessed is the identification and re-validation of critical business processes.
Underpinning a financial institution’s operational resilience plan is an inventory of business processes that are critical to maintaining core business operations during a disruption. More complex organizations face an even greater risk of failing to identify key elements of critical business processes, or even entire processes.
A post-crisis assessment should focus on re-evaluating the accuracy of the initial inventory of critical business processes and include the following steps:
- Assess any critical changes to existing business processes required to stay operational throughout the disruption; determine if this new way of working will be in place temporarily or permanently. If permanent, determine if it will require a reassessment and redefinition of the end-to-end process.
- Review incident logs arising from both internal (employee) and external (customer) complaints/issues and map these back to the critical business processes previously identified. Assess if any incidents could be traced back to business processes that were not previously identified as critical and identify the impact – financial or non-financial (e.g., reputational or loss of productivity).
- Examine the list of identified critical business processes that had very few or no incidents raised. Investigate if this was because the operational resilience plan mitigated the risks relating to these processes or if the business process was ultimately not critical.
Because each organizational silo’s operational resilience plan revolves around protecting and responding to threats to business processes and systems, having a firm and accurate understanding of which ones are the most critical underpins the operational resilience framework. Management must understand the internal critical processes and be able to assess if they operated effectively in a crisis environment.
Next, we will discuss performing a post-crisis reassessment of the business continuity/disaster recovery function.