Where to document the output: GovAssure Scoping Document (Stage 1 - Part B: Identifying and defining essential services)
Resource material: Five Lens Model: Thinking through essential services and critical systems (a worked example)
Stage 1 - Part B of the GovAssure Scoping Document encourages the organisation to determine the essential services provided as an organisation. This is a critical step in developing the scope for GovAssure and sets the remit for the remainder of the scoping exercise as we look to link essential services to critical systems as part of Stage 2. This may take the form of a ‘longer list’ that you reduce to a prioritised number for GovAssure.
In the context of GovAssure, an essential service is a wide-ranging term that can be defined as:
“A service an organisation provides that either the UK public rely on (daily/near daily), or that is essential for maintaining societal or economic activities. An essential service could also be activities delivered that are fundamental to the delivery of an organisation's overall mission. Not being able to deliver them, would prohibit it from being able to operate its objectives or mission.”
Critical Infrastructure: Services that the UK public rely upon, on a daily or near daily basis, as per official guidance.
Operators of Essential Services (OES): Services which are essential for the maintenance of societal or economic activities, as per official guidance.
OES in the following sectors: Energy, Transport, Health, Water and Digital infrastructure.
Fundamental organisational outputs and mission: Services fundamental to the outcomes of the organisation, which the organisation must deliver, and without which it would not be able to continue to operate. For example: Government policy development, regulation, delivery and support or provide ministerial briefings, analysis and advice.
Essential services will differ between organisations, so each organisation should refer to its annual reporting, organisational outcome delivery plans and wider strategic documentation to support this identification as well as consider any other exercises that have already been conducted that may assist. For example, business continuity planning exercises. If your organisation has already performed the Criticalities process for CNI, functions and systems analysis can be reused but noting the impact criteria for CNI are different. If your organisation has not yet performed the Criticalities process for CNI, you may highlight candidate CNI systems later in this process and should consult GSG at that point.
Determining the essential services that underpin the delivery of the organisation's mission, objectives and priorities can be complex. We have developed a ‘Guide to thinking through essential services and systems through five lenses’ to support your organisation in considering and documenting the thinking (as part of the Scoping Document) behind the identification of your organisations essential services, and ultimately the critical systems that underpin them and those that will be in scope for GovAssure. Depending on the organisation, the number of services that might be considered ‘essential’ will vary and we expect organisations to articulate their essential services at a high-level.
Once the organisation's essential services have been identified these should be categorised as follows:
This will be recorded in Stage 1 - Part B of the Scoping Document.
Stage 1.6.1 involves developing a more in-depth view of the essential services that your organisation provides (Lens 1 of the Five Lens Model referred to at 1.7) and developing a prioritised view for GovAssure. Many organisations have already undertaken work to understand the essential services they provide so you may well have existing initiatives or a methodology for doing this that can be used to help support or develop this view. Ideally essential services should be catalogued. For example, ‘customer/consumer journey’ workflow process mapping helps to provide a useful ‘outside-in’ perspective that can help support the identification and articulation of essential services. This will provide both the basis for their prioritisation as well as transparency over scoping decisions - as to what is considered important to the organisation.
It is a good idea to conduct this activity as part of a workshop, with appropriate organisational representatives who can help validate the catalogue or listing of essential services.
Important considerations to support and limit this identification to what is essential can include: - What is the distinct outcome of the essential service? - Does the service provided have a discernible external end user(s) or other government organisations to whom disruption or non-delivery could cause harm, as opposed to internal functions? Priority should be given to ‘organisation services’ as opposed to those considered internal functions such as HR or Payroll, but there may well be exceptions. These exceptions can be discussed with GSG at the time of scoping. - The organisation is accountable for the essential service, even if it is provided by a third-party supplier. - The service has a defined owner - Uses a combination of resources to deliver the service. For example, technology, data, property, people and suppliers.
Service: Comprises a set of broadly repeatable processes/activities within a function, the output of which is delivered as a value to end users.
Organisation Service: Has a discernible external end user/consumer to whom disruption/non-delivert of the service could harm or prevent the organisation achieving its mission. This is a priority for inclusion as part of GovAssure.
Support Service: Has a discernible internal end user to whom disruption/non-delivery of the service could cause harm.
Think about the impact if you were unable to deliver the essential service and what or who would be harmed or affected? Could it cause ‘intolerable harm’ (something from which you cannot easily recover)? Can you achieve the outputs your department is committed to?
To help to determine the relative importance of essential services, it is good practice to adopt a prioritisation criterion relevant to your organisation to assess business services and classify the essential services, with consideration to:
External end user impact - Does a disruption to this service impact members of the public to the extent that it causes intolerable harm?
Consider: - How many users of the service would be directly impacted by disruption? - What would be the financial impact from service disruption?
Organisation impact or related organisation impact – Does a disruption of this service pose a threat to the organisation’s financial position or could it cause reputational damage or legal/regulatory fines or penalties. Also consider the knock-on effect to other related organisations. For example, where you deliver an important service to other government organisations.
Consider: - What would be the cumulative financial loss to the organisation or other related government organisations? - What would be the impact of any regulatory sanctions or fines imposed by regulatory bodies to the organisation or related organisation?
Having an agreed set of characteristics to assess the importance of business services helps support validation with senior stakeholders and service and system owners. The organisation should consider the characteristics most relevant to their organisation based on the knowledge of the organisation and the services delivered.
Once you have developed the view of the prioritised essential services, you may be able to further break these down into a functional viewpoint (Lens 2 of the Five Lens Model referred to at 1.7). This view provides a breakdown of the essential services identified as part of Step 2 into the various functions that enable delivery. This view should identify the high-level functions, and the relationships between those functions, and should help to develop the overview an organisation takes to delivering their essential services.
Each organisation will need to consult with a wide range of colleagues to support this exercise and the GovAssure accountable officer will be expected to sign-off the identified essential services recorded in Stage 1 - Part B of the Scoping Document. Only once an organisation has defined its essential services can it move on to identifying the critical systems in-scope for GovAssure (Stage 2 – Part A).
You should document the result in the GovAssure Scoping Document Stage 1 - Part B: Identifying and Defining Essential Services.
OFFICIAL