Operational Resilience, Consumer Duty, Digital Resilience and BCM Blogs and Insights

The impact of surface level Important Business Service (IBS) mapping

Written by Daniel Waltham | Jan 3, 2024 1:18:07 PM

FourthLine have been supporting and enabling an insurer’s Operational Resilience programme through an ongoing retained advisory engagement.  One of the activities we advised on was the firm's mapping of Important Business Services.  

As with many insurers, the firm uses a mixture of outsourcing and third parties to carry out or support business services and functions.   

We summarised our findings in three interdependent areas: 

  • Our first finding identified that the firm had conducted significant volumes of Level 1 mapping, i.e., high-level mapping which documents functions, services, and processes.  However, they had not drilled down to Level 2 mapping, which documents individual process steps and their dependent resources.   
  • Therefore, although the firm had considered third parties in their mapping, they were not able to link those suppliers to a process step and did not have clear visibility at which point in the process, the service or function moves outside of the organisation.  
  • To compound matters, this lack of visibility meant that a) the firm was unaware of sub-outsourcers in their Important Business Services delivery and b) where third, fourth or nth parties created concentration risk. 

The PRA and FCA regulations are clear on the importance of mapping, with strong supporting rhetoric in speeches dating back a year or more. 

Mapping is a cornerstone of the Operational Resilience programme.  It could be argued that it's where the value of the programme is delivered.  It shows a firm where it is not resilient and where it must improve.   

Only by mapping to an appropriate level of granularity do firms have a clear understanding of risks in Important Business Services delivery, and where vulnerabilities and Single Points of Failure exist in the resource layer.  

Alongside a firm's operational resilience strategy, that clear understanding of risks and vulnerabilities is what should drive decision making, remediation and investment activity.   

Without a clear understanding, we have found that resilience programmes struggle to articulate value to the business and are somewhat rudderless in their approach.   

 
How FourthLine can help
If you'd like to understand how our enablement and full delivery approaches may benefit your firm's operational resilience programme, enquire here or book a time with one of our consultants here now
View full post