Critical Business Process Review
Most people believe they understand the core business processes they rely on every day to complete routine tasks. Digital transformation initiatives promised to increase productivity, profitability, and employee satisfaction by leveraging automation, machine learning, and access to more data to improve the quality of decisions. For most organizations, these two preceding statements may be true, but more likely than not, they are flawed and influenced by a dangerous anchoring bias. Anchoring bias is the human tendency to ‘rely too heavily on the first piece of information offered when making decisions.’ From an organizational perspective, this bias is frequently referred to as ‘tribal knowledge.’ It typically originates when groups of individuals are engaged in a shared task to achieve an overall objective or create an organizational capability required to achieve the desired outcome. The risk in this mindset is the assumption that if a critical business process is producing its desired output, then someone must have a detailed understanding of how it works. Unfortunately, that assumption is NOT always accurate for many critical business processes.
One of the fundamental challenges and risks is that business processes tend to be built organically out of necessity and are modified over time as needs change. With no formal process to document or model, much less analyze the risk of a mission-critical process, the most common assumption is that someone else has taken the time to accurately capture the component details and necessary dependencies required to complete a specific task. This challenge is compounded by the fact that critical business processes are often established early in an organization’s lifecycle. They frequently evolve over time to adapt to changing requirements and can be migrated to new technology platforms to improve support for them. Even if the tough decision is made to tackle this daunting task, it may be difficult if the original executive sponsor, architects, and key stakeholders are no longer associated with the organization.
Consider fundamental capabilities that all businesses have to address regardless of industry, like having a qualified lead-to-cash business process. Who would you ask in your organization for the up-to-date diagram for this or any other business process that, if it were interrupted, could introduce a severe risk into your environment? Would the diagram include an up-to-date description of the following:
- Description, including the criticality, of the business process
- Logical data flow diagram
- Asset inventory and interdependencies required for compliance, privacy, integrity and availability requirements
- Physical and/or virtual asset infrastructure architecture diagrams
- Role-Based Access Control (RBAC) for data and network resources
- Use cases to describe standard and anticipated input and output
- Inherent and residual risk entries in the risk register to account for the impact of implemented controls
- Specifically named business leaders that are assigned as risk owners in the risk register for the overall business process, critical sub-processes, third-party providers (e.g., software manufacturers or cloud/hosting providers) and periodic testing to verify controls are working properly
- FAIR Model analysis for the most frequent events/scenarios the organization can anticipate based on historical or industry-provided intelligence
- Threat models to describe how abuse cases and bad actors could exploit the critical business processes
- Testing scenarios to verify that controls are implemented and operating as expected in pre-production and/or production environments
- Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to monitor that the business process is operating within tolerances to achieve corporate goals while remaining within boundaries established by the organization’s risk appetite statement
This is a representative list of some of the core elements that go into any Core Business Process Review (CBPR). This level of detail and analysis should be undertaken for the handful of business processes that must be in place to achieve the organization’s strategic goals and to meet compliance requirements. Merchant banks, card brands, and other digital data exchanges continue to refine their requirements to achieve an adequate level of transparency, so that they gain an understanding of, and assurance that, business processes are sound and secure. The other very important use of these documents and process models is for budgeting and prioritization of risk treatment and response at an enterprise level. If an organization has this level of understanding of its core business processes, it should be easy to evaluate any request to implement additional controls to address specific threats. Any budget request to address a specific threat scenario should be able to easily highlight and quantify what amount of risk will be reduced in a given critical business process. The business case should be easy to evaluate with threat modeling and a corresponding impact assessment using FAIR to establish a clear financial return across a range of preferred risk response options.
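The budgeting argument above can be made concrete with a simplified FAIR calculation. The following is an added example, not from the article and not a FAIR Institute tool: it annualizes risk as loss event frequency times loss magnitude, derives the residual risk for each candidate risk response, ranks the responses by net financial return, and checks the result against a risk appetite threshold as a KRI would. The scenario, control names, cost figures and appetite are constructed placeholders.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario for a critical business process."""
    name: str
    threat_event_frequency: float  # expected threat events per year
    vulnerability: float           # P(a threat event becomes a loss event)
    loss_magnitude: float          # expected loss per loss event (currency)

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency * self.vulnerability

    def annualized_loss(self) -> float:
        # FAIR: risk = loss event frequency x loss magnitude
        return self.loss_event_frequency() * self.loss_magnitude


@dataclass(frozen=True)
class Control:
    """A candidate risk response; each factor scales the FAIR input it affects."""
    name: str
    annual_cost: float
    tef_factor: float = 1.0   # scales threat event frequency
    vuln_factor: float = 1.0  # scales vulnerability
    lm_factor: float = 1.0    # scales loss magnitude


def residual(scenario: Scenario, control: Control) -> Scenario:
    """Residual-risk scenario once the control is in place."""
    return replace(
        scenario,
        threat_event_frequency=scenario.threat_event_frequency * control.tef_factor,
        vulnerability=scenario.vulnerability * control.vuln_factor,
        loss_magnitude=scenario.loss_magnitude * control.lm_factor,
    )


def rank_responses(scenario: Scenario, controls: list[Control]) -> list[dict]:
    """Rank risk responses by net annual benefit: risk reduced minus control cost."""
    inherent = scenario.annualized_loss()
    rows = []
    for c in controls:
        ale = residual(scenario, c).annualized_loss()
        rows.append({"control": c.name, "residual_ale": ale,
                     "reduction": inherent - ale,
                     "net_benefit": inherent - ale - c.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def within_appetite(ale: float, appetite: float) -> bool:
    """KRI check: is the expected annual loss inside the stated risk appetite?"""
    return ale <= appetite


# Constructed placeholder figures for a lead-to-cash interruption scenario.
LEAD_TO_CASH = Scenario("lead-to-cash interruption", 4.0, 0.25, 500_000.0)
OPTIONS = [
    Control("tested immutable backups", 60_000.0, lm_factor=0.3),
    Control("RBAC tightening + MFA", 40_000.0, vuln_factor=0.4),
    Control("cyber insurance", 120_000.0, lm_factor=0.5),
]
```

With these inputs the inherent annualized loss is 500,000 and the backup option ranks first with a residual of 150,000; the same structure feeds the inherent and residual entries of a risk register.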