
EDITOR’S NOTE: This article is part of a seven-part “Cross-Departmental Resilience Framework” series by Scott Balentine of Methodist Le Bonheur Healthcare. The series offers a practical roadmap for embedding resilience across governance, operations, and culture.
Organizational resilience depends on clarity: which services must never fail, which can tolerate short-term disruption, and which are less essential. Yet many organizations still approach continuity from an asset-centric perspective—focusing on recovering data centers, applications, or departments without understanding how these elements support end-to-end services. This siloed view often results in resource misallocation, fragmented recovery, and customer harm.
Shifting to a service-based model ensures resilience planning aligns with customer outcomes, regulatory obligations, and organizational strategy. The NIST Cybersecurity Framework 2.0 highlights the importance of linking resilience priorities to mission objectives, embedding resilience into governance and operations. Similarly, ISO 22301 requires organizations to identify “activities supporting products and services” through business impact analysis. Regulators have formalized this shift: the Financial Conduct Authority (FCA) mandates that financial institutions define “important business services,” set impact tolerances, and demonstrate resilience against severe but plausible scenarios.
This evolution from assets to services represents one of the most important paradigm shifts in the resilience discipline.
From Assets to Services: Why the Shift Matters
Traditional continuity programs emphasize systems (servers, databases) or departments (IT, HR). While useful, this approach risks overlooking interdependencies. For example, a payroll system outage might not appear critical to IT, but if employees are not paid on time, workforce readiness and morale may deteriorate, directly impacting patient care in a hospital or production in a factory.
A service-based approach integrates perspectives across IT, operations, HR, finance, legal, and customer service to define resilience around outcomes. This creates several advantages:
- Customer-Centricity: Preserves stakeholder-facing services rather than just internal assets.
- Cross-Department Alignment: Forces departments to collaborate in mapping dependencies and tolerances.
- Regulatory Compliance: Aligns with FCA PS21/3, ISO 22301, and global resilience standards.
- Resource Efficiency: Directs investment toward services where downtime causes greatest harm.
By moving from silos to services, organizations embed resilience into strategy rather than treating it as a technical afterthought.
Framework Foundations
ISO 22301
The ISO 22301:2019 standard requires organizations to conduct a business impact analysis (BIA) to identify activities supporting critical products and services. It also emphasizes setting recovery time objectives (RTOs) and maximum tolerable periods of disruption (MTPDs).
NIST SP 800-34
The NIST SP 800-34 Contingency Planning Guide highlights the importance of identifying “critical functions” and ensuring contingency plans prioritize these over less essential activities.
FCA PS21/3
The FCA’s operational resilience policy requires financial firms to:
- Identify important business services
- Define impact tolerances—the maximum tolerable level of disruption
- Test resilience against severe but plausible scenarios
This service-based framework has become a global benchmark, influencing regulators in Europe, North America, and Asia.
Case Studies
Toyota: Redefining Supply Chain Resilience
Following the 2011 Tōhoku earthquake and tsunami, Toyota discovered that focusing narrowly on tier-one suppliers left its supply chain vulnerable. The company shifted to a service-based resilience model, mapping essential components across multi-tier suppliers and standardizing critical parts. This allowed Toyota to prioritize continuity of production, not individual supplier relationships, making the system far more shock-tolerant.
TSB Bank: IT Migration Failure
In 2018, TSB Bank suffered catastrophic IT failures during a core system migration. Millions of customers lost access to accounts, and the outage lasted weeks. Continuity planning had emphasized system recovery, but not service-level resilience, such as ensuring customer access to payments and balances. Regulatory scrutiny from the FCA and UK Parliament reinforced the need to identify important services and define tolerances.
Cleveland Clinic: Service Continuity in Healthcare
During COVID-19, Cleveland Clinic defined resilience around essential clinical services, not individual IT systems. By prioritizing outcomes such as emergency care, elective surgeries, and supply chain delivery, the clinic dynamically reallocated resources while preserving patient care quality. This demonstrated how service-based resilience improves both clinical safety and organizational trust.
Actionable Steps for Defining Important Business Services
Conduct Service Identification Workshops
The first step in service-based resilience planning is to conduct a service identification workshop. This workshop should bring together cross-departmental leaders to collaboratively identify the five to 10 most critical services that underpin the organization’s mission. Facilitators from the resilience council should guide the discussion to avoid departmental bias and ensure enterprise-wide alignment. Leaders must ask difficult but essential questions: Which services, if disrupted, would cause intolerable harm to customers or patients? Which are bound by regulatory or contractual obligations? Which generate significant revenue or directly safeguard safety? By working through these considerations together, organizations can establish a shared understanding of their most vital services.
Map Dependencies
Once important services are identified, the next step is to map their dependencies. Each service relies on a combination of people, processes, technology, vendors, and facilities, and a thorough dependency analysis ensures no critical element is overlooked. For people, this means documenting essential roles, certifications, and workforce availability. For processes, both manual and automated workflows must be considered. Technology dependencies include applications, networks, and data centers, while vendor dependencies involve third-party suppliers and cloud providers. Physical facilities and utilities also play a role, from headquarters buildings to regional backup sites. This mapping exercise should be documented and maintained within a centralized, accessible platform such as ServiceNow, Fusion, or Archer, providing all departments with visibility into how services interconnect across the enterprise.
Define Impact Tolerances
Defining impact tolerances is the third step and is critical for establishing measurable thresholds that guide decision-making. Tolerances quantify how long services can be disrupted before unacceptable consequences occur. For example, a hospital may determine that four hours of downtime could cause patient harm, while a financial institution might recognize that 24 hours of disruption could lead to contractual penalties. Similarly, an organization may set a 48-hour limit before reputational damage is considered irreparable. These tolerances must be reviewed and approved by the resilience council to ensure alignment with overall risk appetite and should be incorporated into board-level risk statements. By establishing tolerances upfront, organizations create clear boundaries for acceptable risk.
Align Playbooks and Testing Activities
The fourth step is to align playbooks and testing activities with the identified services and their tolerances. Both technical playbooks, which detail IT and infrastructure recovery, and business playbooks, which outline communication, compliance, and operational procedures, must be directly tied to critical services. Testing should move beyond generic scenarios such as “server outage” and instead simulate real-world service disruptions, such as a “pharmacy dispensing disruption” in healthcare or a “payments processing disruption” in financial services. Testing against service outcomes ensures recovery plans address the true impact on stakeholders and customers, rather than focusing narrowly on systems or departments.
Report Outcomes
Finally, organizations must report outcomes to the board to ensure transparency and accountability. A resilience scorecard is an effective tool for consolidating and presenting key information. The scorecard should summarize which services have been identified as most important, the defined impact tolerances for each, the results of recent testing, and any outstanding gaps or remediation plans. By providing this information to both the board and regulators, organizations not only meet governance requirements but also demonstrate a proactive commitment to resilience. Board-level oversight ensures resilience remains a strategic priority and encourages ongoing investment in people, processes, and tools that sustain organizational readiness.
Challenges in Defining Services
One of the primary challenges in defining important business services is departmental bias. Individual departments may overstate the criticality of their own functions, believing their services are more essential than others. This can create inflated lists of “critical services” that dilute focus and undermine prioritization. To mitigate this issue, organizations should rely on structured business impact analysis (BIA) criteria and facilitate workshops that incorporate cross-departmental perspectives. Involving multiple stakeholders helps balance differing views and ensures designations are based on enterprise-level importance rather than departmental self-interest.
Another obstacle lies in the complexity of interdependencies. Services rarely operate in isolation; they depend on a web of people, processes, technologies, vendors, and facilities. Mapping these dependencies, particularly across multi-tier vendors and supply chains, can be resource-intensive and time-consuming. To address this, organizations should prioritize mapping for services with the greatest customer or regulatory impact. This ensures limited resources are focused on areas where disruption would be most harmful, creating a pragmatic balance between comprehensiveness and feasibility.
Defining services is also complicated by the reality of changing business models. As organizations adopt new technologies, expand into new markets, or undergo mergers and acquisitions, the importance of certain services evolves. Services which were once peripheral may become central, while others may decline in relevance. To manage this dynamic environment, organizations should commit to reviewing services at least annually or whenever major organizational changes occur, such as a product launch, regulatory shift, or restructuring. This regular reassessment ensures resilience strategies remain aligned with current priorities.
Finally, many organizations encounter cultural resistance when mapping services. Employees may perceive the process as a bureaucratic exercise disconnected from day-to-day realities. This lack of buy-in undermines accuracy and engagement. Leaders can overcome this challenge by clearly communicating the real-world stakes of service disruption. By linking the exercise to customer or patient outcomes—such as highlighting how delayed payroll affects workforce readiness or how disrupted clinical services impact patient safety—employees are more likely to understand its importance and engage meaningfully in the process.
Benefits of Service-Based Resilience
- Customer Trust: Ensures customers and patients receive uninterrupted critical services
- Regulatory Alignment: Meets global resilience expectations (ISO 22301, NIST, FCA)
- Operational Efficiency: Focuses resources where downtime matters most
- Cross-Functional Collaboration: Breaks down silos by integrating perspectives from IT, operations, HR, and customer service
- Strategic Alignment: Embeds resilience into enterprise risk appetite and board-level oversight
Conclusion
Defining important business services transforms resilience from a siloed, asset-based exercise into a coordinated, outcome-driven strategy. Frameworks such as ISO 22301, NIST SP 800-34, and FCA PS21/3 provide structure, but organizations must tailor them to their context. Case studies from Toyota, TSB Bank, and Cleveland Clinic highlight both the benefits and risks of this shift.
By identifying services, mapping dependencies, setting impact tolerances, and aligning governance, organizations ensure resilience planning protects what matters most: the ability to deliver critical outcomes to customers, patients, and stakeholders.
***
The third article in this seven-part series, “Creating Dual Playbooks: Bridging Technical Recovery and Business Continuity,” examines how resilient organizations synchronize technical recovery with business operations during crises. It explains why traditional single-track response plans fall short and introduces the concept of dual playbooks—one guiding IT containment and restoration, the other ensuring regulatory compliance, communication, and stakeholder confidence. Drawing on ISO 22301, NIST SP 800-34, and the NIST Cybersecurity Framework 2.0, the article provides actionable guidance for integrating these parallel playbooks into governance structures. Case studies from Colonial Pipeline, Norsk Hydro, and healthcare systems demonstrate how this dual-track approach transforms crisis response into coordinated, transparent resilience.





