The next step is to map the identified vital services to the processes that realize them. This mapping helps to understand the relationship between services and the activities that support them.
The Service Owner is accountable for this activity and relies on business and IT SMEs. Architects must therefore contact the Service Owner and the Operational Resilience Manager before organizing any workshop.
The RISK Process Library[1], maintained by the RISK ORM team and other operational risk management actors, serves as a valuable resource for mapping vital services to processes. It contains a comprehensive list of activities within the organization, organized into Generic Processes.
Each generic process in the RISK Process Library has a unique identifier (e.g., PR00106), a name, and a description in both French and English. The library also includes flags to indicate if the related activity is considered critical by regulators such as the European Banking Authority (EBA).
Each vital service is mapped to the specific processes[2] that contribute to its realization. This mapping, which can usually be done with the help of business SMEs from the 1st or 2nd Line of Defense, provides a clear understanding of the activities involved in delivering the vital services.
In most cases, it is necessary to decompose the high-level, generic processes defined in the RISK Process Library into sub-processes, usually called Organized Processes. The list of organized processes (modeled as ArchiMate Business Processes) is typically small, ranging from 2 to 5 entries, and corresponds to the processes that will be detailed in the next step.
The following diagram illustrates how the Cash Payments vital service is realized by generic and organized processes.