Protecting your most important business services
Discover important business services, including common examples and the crucial role they play in your organisation's operational resilience strategy.
What are important business services?
‘Important business services’ (or ‘critical operations’) refer to the core services or functions within an organisation. These services are essential for the business to continue operating.
What are critical operations?
Critical operations and important business services mean the same thing. In the UK, the Financial Conduct Authority (FCA) uses the term ‘important business services’. In Australia, the Australian Prudential Regulation Authority (APRA) uses the term ‘critical operations’.
What are critical processes and resources?
To manage risks, important business services need to be broken down into the specific processes and resources that support them. Critical processes are any actions that are essential to keep these services running. The resources that support these processes might include people, data, systems, or third-party providers.
Why are these services so important?
Safeguarding and maintaining essential business services is crucial, as disruptions can greatly affect a company's ability to deliver value. Protecting them means protecting the business’s reputation.
That’s why identifying and protecting important business services is a fundamental part of an organisation’s operational resilience strategy. To make sure these crucial operations keep working - especially during tough times - it's important to conduct a thorough risk assessment. This helps ensure their continued availability and functionality.
Regulatory standards in the UK and Australia require companies to set impact tolerances for each of these important business services. An impact tolerance is the maximum level of harm a business can withstand. It measures the potential impact over time. ‘Intolerable harm’ is the point at which that threshold has been crossed.
To put these impacts to the test in a safe environment, the next step is conducting robust scenario testing. This involves using severe - but plausible - scenarios to assess your ability to remain within your defined impact tolerances. Tests should include failures within your control (e.g. IT system failures) as well as those outside of your control (e.g. cyber attack or disruption to power supply). Every sector and organisation will be different.
Learn more: What is operational resilience?
Examples of important business services
Below, we look at examples of important business services in a few different industries and how they pertain to operational resilience.
Financial services industry
Payment processing is an important business service for financial services firms. The uninterrupted flow of outgoing payments is critical. Without it, the integrity of the financial system could be at risk. Operational resilience in this context involves redundant payment systems, disaster recovery plans, and cybersecurity measures to prevent service disruptions.
Healthcare industry
Access to patient information is an essential service for healthcare providers. Operational resilience could involve secure access control and disaster recovery plans to make sure electronic health records are always available.
Manufacturing industry
Supply chain management is an essential service for manufacturing companies that rely on a smooth supply chain for raw materials. Operational resilience related to supply chain management involves diversifying suppliers and having contingency plans for supplier disruptions.
Technology industry
Tech companies rely heavily on data storage and cloud services. Operational resilience for a tech company involves redundant data centres, backup power systems, and data recovery plans to prevent service interruptions.
Retail industry
For retailers, ensuring the availability of e-commerce and online shopping platforms is crucial. Operational resilience includes redundancy in servers, load balancing, and DDoS protection to maintain online service availability.
Identifying critical services for operational resilience
To keep a business running smoothly, it's crucial to know your most important services. These services depend on several factors: how the business works, its technology, its people, its data, and its outside partners. If any of these key services breaks down or faces issues, it can seriously harm the business. So, it's important to carefully assess these vital services and their connections for effective business planning and risk management.
Special attention must be given to ensuring the resilience of these services. This may involve backup systems, disaster recovery plans, and other risk mitigation strategies.
How to determine your important business services
When determining your organisation’s most important business services, consider the following characteristics. Services that fit any of these categories are most likely critical operations.
- Necessity: These services or operations are vital for the organisation's survival, regulatory compliance, and the fulfilment of its mission. They are the highest priority functions.
- Interconnectedness: They are often interlinked with other operations within the organisation. That means a failure could have cascading effects on other processes or services.
- Impact: Disruption or failure of these services can result in severe financial, reputational, operational, or legal consequences for the organisation.
- Continuity: Organisations prioritise the continuity of these services during and after disruptions. This is to minimise downtime and ensure they can continue to serve customers and stakeholders.
- Regulatory compliance: Compliance with regulatory requirements and industry standards is often a crucial aspect of managing and protecting important business services.
Drova for operational resilience
Drova provides a complete governance, risk and compliance solution, integrating all facets of operational resilience. Our platform covers risk management, control assessment, event tracking, contract management, policy compliance, regulatory scanning and more. It not only maps critical processes, but also enhances visibility into third-party resources, supply chains, digital assets, and cybersecurity.
The operational resilience module in Drova uses AI technology to generate a list of business services relevant to your organisation. You can edit these services as a template or add your own instead. For each important business service, the system helps you break down critical processes into the resources that support them. From there, you are able to map each process flow to understand any conditions and resource dependencies.
- Create a centralised and accessible register of critical services
- Assign these to stakeholders and rate their priority & criticality
- Understand and maintain critical operations to minimise the likelihood and impact of disruption
- Link services to other records throughout the GRC system, enabling links to third parties, time-based metrics, risks, events and scenarios
- Ensure the resources that enable critical services and processes can adapt in the face of disruption
- Set alternate processes or resources where a disruption occurs