Organizations have become increasingly complex and interconnected due to globalization, the rapid adoption of digital technologies, the rising frequency of cyber attacks and a growing reliance on third-party vendors. Numerous high-profile failures, such as the financial crisis of 2008, various IT system outages and significant data breaches have demonstrated the profound impact these disruptions can have on customers and the entire financial system.
This has caught the attention of several regulatory bodies, which are raising expectations for organizations that provide critical services to implement robust operational resiliency programs. For instance, the European Union (EU) recently rolled out the Digital Operational Resilience Act (DORA) in the financial services industry, mandating that financial entities and digital service providers operating in the EU ensure robust operational resilience by January 2025. Regulatory bodies in other jurisdictions have enacted similar legislation or will do so soon.
This specific regulation mandates that organizations implement a strong risk management function, identify critical or important functions (CIF), manage information and communication technology (ICT) risk in their own operations and across their third parties, establish robust processes for incident management, reporting and classification, and perform risk-based operational resiliency testing.
Challenges in meeting regulatory requirements
This represents a significant challenge for organizations that must comply with these regulations. Challenges include:
- Lack of comprehensive documentation: Most organizations lack comprehensive documentation and visibility into their IT infrastructure, operational processes and the details of their third-party relationships.
- Silos and collaboration: Resiliency has traditionally been viewed as an IT or risk function. However, regulators are increasingly looking for evidence that risk management efforts are business-led and involve leaders from across the organization. This requires breaking down silos and establishing a common language to enable collaboration across these groups.
- Complex data integration: Resiliency challenges can originate from any resource – people, processes, technology or third parties – making it a massive data integration challenge to connect the dots and maintain this intelligence over time.
Process management: A novel solution
To address these challenges, organizations need to establish a single model of everything they do and integrate operational resource data to serve as the ‘ground truth’ for their operational resiliency program. This model would enable all stakeholders to collaborate and perform their roles using a common business-oriented language. Fortunately, a framework exists that provides this level of operational intelligence – the Process Inventory Framework. This framework can serve as the basis for managing all types of risks, not just operational resiliency.
Inventory your processes
To develop a comprehensive inventory of processes, anchor the creation to a complete foundation – your organization’s hierarchy. Your process modeling team should conduct interviews starting at the top of the hierarchy with the simple question: “What do you do?” The answers should be translated into verb + noun process naming standards. This interview process is repeated as you move down the hierarchy until the desired level of detail is achieved. Formal attestations should be conducted from the bottom up so that all stakeholders explicitly validate that what has been captured is complete and accurate.
What you’re creating is a process taxonomy, called a process inventory, that describes what the organization does at various levels of granularity, including key metadata such as process description, ownership and other crucial operating information such as product alignment.
Integrate critical metadata
Organizations have many sources of internal data describing their operations – system repositories, HR information, vendor repositories and more. The challenge is that this data is often siloed, unconnected and lacking consistent business context. To address this, migrate the data to a single repository anchored to a common ‘ground truth’ – an index of business context, which is your process inventory. Your modeling team will then associate each data element with the relevant processes. This creates a unified model that holistically describes how your organization operates through a business-oriented lens.
Leverage a world-class process modeling tool
This unified model serves as an invaluable resource for stakeholders across your organization. To create and manage it, you need a comprehensive process management tool that offers essential features such as process modeling and process mining, data integration and management, analysis, reporting and more. Fortunately, there is a mature market of tools offering these capabilities. For example, the ARIS suite is a leading tool that excels in delivering on this agenda. The tool gives organizations the intelligence needed for a detailed understanding of their processes, a clear path for improvement and the assurance that they are in control of their operations.
Leverage the process inventory to coordinate all operational resilience activities
This single comprehensive view of your business enables seamless collaboration and communication across all stakeholders engaged in resiliency, including:
- Business leaders benefit from this list of processes to identify which are critical based on their importance to the customer and to the business.
- IT leaders can leverage this data to identify the infrastructure supporting each critical process and fortify the resiliency of that infrastructure through additional redundancy.
- Risk managers benefit from the list of processes and their accountable ownership, enabling them to perform their risk functions through a consistent business lens including the identification of adverse scenarios, assessments, reporting and testing.
- Testers can leverage this taxonomy to define the scope of processes requiring resiliency testing.
- Third-party risk managers benefit from the clear connection this establishes between operational processes and the third parties that support them.
- Incident managers gain clarity on the scope needed to identify the people, processes and procedures required in case of an incident.
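The inventory, metadata-linking and resilience-coordination steps described above, shown as an added Python example that is not the article's own code and not the data model of any process tool mentioned here. Process, system and vendor names are constructed; the verb + noun naming check, the bottom-up attestation rule (a node counts as attested only when every descendant is attested) and the resource impact query are this example's own assumptions about how such an inventory would be implemented:

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Process:
    """One node of the process taxonomy (constructed schema for this example)."""
    pid: str
    name: str                      # verb + noun naming standard, e.g. "Settle payments"
    owner: str                     # accountable owner captured during the interviews
    parent: Optional[str] = None   # parent node in the organizational hierarchy
    critical: bool = False         # flagged by business leaders as critical or important
    attested: bool = False         # owner has formally attested this node
    systems: set = field(default_factory=set)   # supporting IT infrastructure
    vendors: set = field(default_factory=set)   # supporting third parties


class ProcessInventory:
    def __init__(self) -> None:
        self.processes: dict = {}

    def add(self, p: Process) -> None:
        # Enforce the verb + noun naming standard (at least two words) and
        # require that the parent already exists, so the tree stays well formed.
        if len(p.name.split()) < 2:
            raise ValueError(f"{p.pid}: name must be verb + noun, got {p.name!r}")
        if p.parent is not None and p.parent not in self.processes:
            raise ValueError(f"{p.pid}: unknown parent {p.parent!r}")
        self.processes[p.pid] = p

    def children(self, pid: str) -> list:
        return [q for q in self.processes.values() if q.parent == pid]

    def ancestors(self, pid: str) -> list:
        out = []
        parent = self.processes[pid].parent
        while parent is not None:
            out.append(parent)
            parent = self.processes[parent].parent
        return out

    def critical_processes(self) -> list:
        return sorted(p.pid for p in self.processes.values() if p.critical)

    def critical_dependents(self, resource: str) -> list:
        """Critical processes disrupted if `resource` (a system or vendor) fails.
        A parent is composed of its children, so impact propagates up the tree."""
        affected = set()
        for p in self.processes.values():
            if resource in p.systems or resource in p.vendors:
                affected.add(p.pid)
                affected.update(self.ancestors(p.pid))
        return sorted(pid for pid in affected if self.processes[pid].critical)

    def unattested(self) -> list:
        """Bottom-up attestation: a node is complete only when it and every
        descendant have been attested, so one missing leaf flags its ancestors."""
        return sorted(pid for pid in self.processes if not self._fully_attested(pid))

    def _fully_attested(self, pid: str) -> bool:
        p = self.processes[pid]
        return p.attested and all(self._fully_attested(c.pid) for c in self.children(pid))

    def risk_index(self) -> list:
        """Flat rows to load into a risk repository as the common process index."""
        return [
            {"process_id": p.pid, "name": p.name, "owner": p.owner,
             "critical": p.critical, "systems": sorted(p.systems), "vendors": sorted(p.vendors)}
            for p in self.processes.values()
        ]


def build_sample_inventory() -> ProcessInventory:
    """Constructed sample data; every system and vendor name here is invented."""
    inv = ProcessInventory()
    inv.add(Process("P1", "Operate bank", "Chief Executive", attested=True))
    inv.add(Process("P1.1", "Process payments", "Head of Payments", parent="P1",
                    critical=True, attested=True))
    inv.add(Process("P1.1.1", "Settle interbank payments", "Payments Operations",
                    parent="P1.1", critical=True, attested=True,
                    systems={"payment-gateway"}, vendors={"ExampleClearing"}))
    inv.add(Process("P1.1.2", "Screen sanctions lists", "Compliance Operations",
                    parent="P1.1", critical=True, attested=False,
                    systems={"screening-engine"}, vendors={"ExampleScreenCo"}))
    inv.add(Process("P1.2", "Run marketing campaigns", "Chief Marketing Officer",
                    parent="P1", attested=True, systems={"crm"}, vendors={"ExampleCRM"}))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("Critical processes:", inv.critical_processes())
    print("Impact of an ExampleScreenCo outage:", inv.critical_dependents("ExampleScreenCo"))
    print("Attestation gaps:", inv.unattested())
```

Running the sample shows the two questions the taxonomy is meant to answer quickly: which critical processes (and their parents) a single third-party outage would take down, and which branches of the hierarchy still lack a complete bottom-up attestation. The `risk_index()` rows are the shape of record a risk repository would consume as its process index.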
Integrate the process taxonomy into your risk data
To facilitate accurate reporting and information sharing, integrate this taxonomy into the data model of your risk repository (such as a GRC platform) to provide a precise process index for all risk types. This integrated approach addresses many challenges in risk data and the risk operating model across the three lines of defense, leading to more comprehensive risk assessments. In turn, this is critical for delivering an accurate view of the risk landscape to executive decision-makers and external regulators.
Create a process capability to maintain this process understanding
This is not a one-time exercise as organizations are in a constant state of change. Therefore, it is important to establish a central process capability, such as a process center of excellence, which can be accountable for defining standards, creating models, validating quality and accuracy, governing assets over time and managing the tool infrastructure and data.
Broad benefits beyond operational resiliency
It’s important to note that this level of operational intelligence has a wide range of benefits beyond operational resiliency and risk. It helps the organization define strategies with clear impacts, define and run transformation programs, execute change much more efficiently, drive operational excellence by removing waste and inefficiencies, and design a more agile IT environment that aligns closely with the needs of the business. This requires an organizational investment and commitment. However, the benefits, in terms of improved resiliency, satisfied regulators and protected customers, far outweigh the initial investment.