The purpose of External Dependencies Management is to establish and manage an appropriate level of controls to ensure the resilience of services and assets that are dependent on the actions of external entities.
Outsourcing services, development, production, and even asset management have become normal and routine operational elements for many organizations because they often provide the ability to engage specialist skills and equipment at lower cost than internal equivalents. Increasingly, organizations are also exposing technology systems, information, and other high-value assets to customers to enable the seamless and efficient flow of business processes. The External Dependencies Management process area addresses the identification of risks associated with the actions of external entities, the formalization of the relationship with such entities, and the ongoing management of those dependencies and relationships, all in a manner to ensure that appropriate resilience measures are in place to protect and sustain the organization’s services and assets that are dependent upon such actions and entities.
For the purpose of this process area, the term organization is used to refer to the entity—the enterprise or a part of the enterprise such as an organizational unit or department—that is using the process area. An external dependency exists when an entity that is external to the organization has access to, control of, ownership in, possession of, responsibility for (including development, operations, maintenance, or support), or other defined obligations related to one or more assets or services of the organization. Such entities may be contractors or customers, but they may also be other units or groups within the enterprise. In this process area, all such entities are referred to as “external entities.”
The success of the organization in accomplishing its overall mission depends on its ability to sustain mission assurance of services in a consistent and efficient manner. Some services are fully executed inside of organizational boundaries, giving the organization more direct control over mission assurance. However, in many cases, the organization does not control all of the activities in a service that contribute to meeting the service mission; instead, these activities may be performed by external entities.
Dependence on external entities may increase risk levels for organizations in managing the end-to-end resilience of their services. When the execution of a service extends outside of the organization’s direct control, there is less ability to directly affect or predict mission assurance, in part because mission assurance is dependent on the resilience of the external entity. From an asset perspective—people, information, technology, and facilities—this can be problematic. In its role in support of a service, an external entity may
• use its own assets—If the external entity fails to protect and sustain these assets, the service and its outcome may be compromised.
• access the assets of the organization (which likely includes the ability to control or modify those assets)—The external entity’s actions could affect the resilience of the assets and thereby compromise the service.
• possess and use the assets of the organization (which includes the responsibility for custodial care of those assets)—If the external entity fails to meet the resilience requirements of the assets (as specified by the organization), there is a potential impact on the service mission.
• develop, deliver, commission, or install a new or revised asset for the organization.
• provide supporting services that aid in protecting and sustaining an organization’s asset.
Consider also that an external entity may not have a direct role in executing a specific service. In a support role (for example, storing information in an off-site storage facility), an external entity may also fail to adequately protect and sustain the asset such that it will not be available for use in a service when needed.
Regardless of the degree of external dependence, the organization retains responsibility for service mission assurance. The organization is responsible for setting the resilience requirements for services and related assets, communicating them to and requiring them of external entities, and monitoring to ensure external entities are meeting them. The evaluation and selection of external entities based on their abilities to sustain resilience are important first steps in ensuring service resilience.
External dependencies also arise when the organization outsources asset design or development activities—including facility development or software or system development. (Refer to the Resilient Technical Solution Engineering process area for more information about developing systems and software in a manner that supports the organization’s resilience requirements and program.) Additional external dependencies arise when the organization is reliant on services that are part of the environment in which it operates, such as energy, telecommunications, and emergency response providers. All such external dependencies can significantly affect an organization’s ability to achieve its service missions.
The External Dependencies Management process area comprises four goals: to identify and prioritize external dependencies, to manage risks associated with external dependencies, to formalize binding relationships with external entities, and to monitor and manage external entity performance against all contractual specifications, including those for operational resilience.
The establishment and management of resilience requirements for the organization’s assets, including those provided or controlled by external entities, are performed in the Resilience Requirements Development and the Resilience Requirements Management process areas.
The risk management cycle for external dependencies is addressed in the Risk Management process area.
The development, validation, testing, and improvement of plans to sustain service continuity for both the organization and external entities are addressed in the Service Continuity process area.
The availability of people to support the continued operation of services, including both employees of the organization and people provided by external entities, is addressed in the People Management process area.
Controls to manage the performance of people in support of the resilient operation of services, including both employees of the organization and people provided by external entities, are addressed in the Human Resource Management process area.
The identification, definition, management, and control of the organization’s assets, including those provided or controlled by external entities, are addressed in the Asset Definition and Management process area.
The resilience of technology assets, including those in the control of the organization and those developed, provided, managed, or controlled by external entities, is addressed in the Technology Management process area.
The resilience of information assets, including those in the control of the organization and those provided, controlled, or accessed by external entities, is addressed in the Knowledge and Information Management process area.
The resilience of facility assets and control of the physical environment, including facilities in the full control of the organization and those provided or managed by external entities, are addressed in the Environmental Control process area.
The development of software and system assets that meet the organization’s resilience requirements is addressed in the Resilient Technical Solution Engineering process area.
External dependencies are identified and prioritized to ensure the resilience of the high-value services that they support.
In this goal, the organization identifies, characterizes, and prioritizes its external dependencies. The prioritization of external dependencies establishes one or more subsets on which the organization must focus its operational resilience activities due to the external dependencies’ importance to the sustained operation of high-value services.
Prioritization of external dependencies is a risk management activity. The organization establishes the dependencies that are of most value to the services they support and that require controls to protect and sustain them. Failure to prioritize external dependencies may lead to inadequate operational resilience of high-value services and assets and excessive levels of operational resilience for services and assets that are not high-value.
A list of external dependencies is established and maintained.
Organizations have many types of external dependencies. Any asset or service that is subject to the actions of an external entity is the source of an external dependency. It is important for the organization to identify and characterize all such external dependencies so that they can be understood, formalized, monitored, and managed as part of the organization’s comprehensive risk management process.
The most common type of external dependency occurs when the organization outsources certain activities of a service (or the entire service) to an external entity. Another example would be outsourcing the development of a technology asset, such as a software application, or an information asset, such as a custom database.
A less common type of external dependency occurs when the organization provides its customers with access to or use of high-value organizational assets. This is becoming more and more common in certain types of enterprises, particularly in cases where technology interfaces are provided to key customers for the seamless integration of services between the two organizations. (For example, the organization may process certain transactions on behalf of the customer through a tightly coupled technological interface that provides the customer with access to certain organizational assets.)
The organization may use any number of techniques to establish a catalog or detailed list of external dependencies. The organization’s list of services should be examined to discover services that may be subject to external dependencies, in whole or in part. The organization’s inventory of assets should also be examined to discover assets that are in the control of external entities or are in other ways subject to external dependencies. The organization may find value and efficiency in establishing close service links or overlap to facilitate information sharing between the external dependencies list, the services listing, and the asset inventory. (Services are addressed in the Enterprise Focus process area; assets are addressed in the Asset Definition and Management process area.)
The organization’s customer database and supplier database may also be valuable sources of insight when establishing the catalog of external dependencies. The organization’s set of current supplier and vendor contracts and related service level agreements (SLAs) are additional sources.
The purpose of the catalog of external dependencies is to support the identification and prioritization of external dependencies and the management of risks associated with selected dependencies.
The organization’s external dependencies will change over time as a result of changes to relationships with essential suppliers and customers, changes in services, the life cycle of assets, and many other reasons. Once the list of external dependencies is established, it is important that it be maintained. A process for updating the list on a regular basis should be established.
Typical work products
The data that is collected, stored, and routinely updated as part of defining an external dependency and its corresponding external entity is used to help prioritize the external dependency and identify risks associated with the external dependency. The data fields should therefore be set in consideration of the criteria, thresholds, and process for prioritizing external dependencies (see EXD:SG1.SP2) and in consideration of the risk identification process for external dependencies (see EXD:SG2.SP1).
The frequency and timing of such updates should be adjusted as a function of the organization’s risk tolerance to the external dependencies. It may be prudent to update different external dependencies at different frequencies based on the risks and characterization details of external dependencies and the relevant external entities. It may be appropriate to increase the update frequency during times of increased risk to the organization or when an external entity is undergoing change or is at risk. Contract award, renewal, or termination should trigger appropriate updates to the external dependency list, as should changes in points of contact or other material changes in the relationship.
Understanding the risks identified in EXD:SG2.SP1 may assist in setting and revising the update frequency.
External dependencies are prioritized relative to their importance in supporting the delivery of high-value services.
The prioritization of external dependencies must be performed to ensure that the organization properly directs its operational resilience resources to the external dependencies that most directly impact and contribute to services that support the organization’s mission. These external dependencies require the organization’s direct attention because their disruption has the potential to cause the most significant organizational consequences.
External dependency prioritization is performed relative to services—that is, external dependencies associated with high-value services are those that must be given the highest priority for operational resilience activities.
However, the organization can use other criteria to establish high-priority external dependencies, such as
• actions of the external entity in the support, maintenance, or custodial care of high-value organizational assets
• the extent to which the organization would rely on the actions of the external entity during off-normal operations, crises, or other times of operational stress
• actions of the external entity in supporting the organization’s resilience process
• an external dependency resulting from external entity access to highly sensitive or classified information or to the organization’s trade secrets or proprietary information such as intellectual property (Categorization of information assets is addressed in KIM:SG1.SP2, and intellectual property management is addressed in KIM:SG4.SP2.)
• external dependencies that are of high value to more than one service
• actions of the external entity in developing, providing, or commissioning new assets for the organization
• the organization’s tolerance for “pain”—the degree to which it can suffer degraded performance of the external dependency and continue to meet its mission
Several tiers or classes of prioritization may be appropriate depending on the complexity of the organization’s operations and variations in the nature of the external dependencies. It is important that consistent and meaningful criteria be developed for prioritizing the external dependencies and that the criteria be uniformly applied to the full set of external dependencies. The prioritization and criteria should be reviewed and updated on a regular basis to ensure that the prioritization scheme and the list of prioritized external dependencies are appropriate for the organization’s risk environment and tolerance.
Subpractices
Prioritization criteria should express and distinguish the importance of external dependencies in the continued operation of the organization. The prioritization scheme should be developed in consideration of the various types of external dependencies and external entities on which the organization relies. Thresholds should be considered to distinguish one or more tiers of external dependencies so that appropriate controls can be applied to the various sets of external dependencies to protect and sustain the organization’s operations.
Depending on the prioritization scheme developed by the organization, the result might be several lists, tiers, or sets of external dependencies.
Be sure that external dependencies that are required for the successful execution of security activities, service continuity plans, and service restoration plans are prioritized appropriately.
Affinity analyses should be performed to identify situations such as
• the reliance of more than one high-value asset or service on a single external dependency or entity
• external entities that are dependent on others to meet their agreements with the organization and thus may create chains of external dependencies that are very difficult to manage or control
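The following is an added example, not part of the CERT-RMM text, showing how the prioritization criteria and the affinity analyses described above can be applied to a small external-dependency catalog. The services, entity names, sub-supplier relationships, scoring weights, and tier thresholds are all constructed assumptions; an organization would substitute its own catalog (EXD:SG1.SP1) and its own criteria and thresholds. The affinity part goes beyond direct fan-in: it follows each entity's own suppliers so that a service's reliance on an upstream provider shared by its primary and continuity providers is surfaced.

```python
"""Added example (not from CERT-RMM): prioritize an external-dependency catalog
and run affinity analysis for single points of reliance and dependency chains.
All data, weights and thresholds below are constructed assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed: value of each service to the mission, 3 = high-value service.
SERVICE_VALUE = {"payments": 3, "customer-portal": 3, "payroll": 2, "marketing-site": 1}

# Constructed: which external entities each entity relies on in turn.
SUBCONTRACTORS = {
    "CloudHostCo": ["PowerUtility"],
    "PayrollVendor": ["CloudHostCo"],
    "DRSiteCo": ["PowerUtility"],
}

# Assumed tier thresholds: score >= 7 -> tier 1, score >= 4 -> tier 2, else tier 3.
TIER_THRESHOLDS = ((7, 1), (4, 2))


@dataclass(frozen=True)
class Dependency:
    """One catalog entry: an external entity's obligation toward org services."""
    dep_id: str
    entity: str
    services: tuple[str, ...]
    custodial: bool = False            # entity holds or controls org assets
    sensitive_info: bool = False       # entity can access sensitive/proprietary data
    crisis_reliance: bool = False      # relied on during crises or continuity plans
    supports_resilience: bool = False  # part of the org's own resilience process


CATALOG = [  # constructed sample catalog
    Dependency("EXD-01", "CloudHostCo", ("payments", "customer-portal"), custodial=True, sensitive_info=True),
    Dependency("EXD-02", "PayrollVendor", ("payroll",), custodial=True, sensitive_info=True),
    Dependency("EXD-03", "OffsiteVault", ("payments",), custodial=True, crisis_reliance=True),
    Dependency("EXD-04", "DRSiteCo", ("payments", "customer-portal"), crisis_reliance=True, supports_resilience=True),
    Dependency("EXD-05", "WebAgency", ("marketing-site",)),
]


def priority_score(dep: Dependency) -> int:
    """Additive score: value of the highest-value service first, then the other
    EXD:SG1.SP2 criteria as fixed (assumed) weights."""
    score = max(SERVICE_VALUE.get(s, 1) for s in dep.services)
    high_value = [s for s in dep.services if SERVICE_VALUE.get(s, 1) >= 3]
    score += 2 if len(high_value) > 1 else 0   # high value to more than one service
    score += 2 if dep.custodial else 0
    score += 2 if dep.sensitive_info else 0
    score += 2 if dep.crisis_reliance else 0
    score += 1 if dep.supports_resilience else 0
    return score


def tier(score: int) -> int:
    for threshold, t in TIER_THRESHOLDS:
        if score >= threshold:
            return t
    return 3


def prioritize(catalog: list[Dependency]) -> dict[str, tuple[int, int]]:
    """dep_id -> (score, tier) for every catalog entry."""
    return {d.dep_id: (priority_score(d), tier(priority_score(d))) for d in catalog}


def reliant_services(catalog, subcontractors):
    """Map each entity, whether direct or upstream in a chain, to every service
    that ultimately relies on it."""
    reliant = defaultdict(set)

    def walk(entity, services, seen):
        if entity in seen:  # guard against cyclic supplier relationships
            return
        seen.add(entity)
        reliant[entity].update(services)
        for upstream in subcontractors.get(entity, []):
            walk(upstream, services, seen)

    for dep in catalog:
        walk(dep.entity, set(dep.services), set())
    return reliant


def single_points(catalog, subcontractors, min_services: int = 2):
    """Entities on which two or more services rely, including via chains."""
    return {e: sorted(s) for e, s in reliant_services(catalog, subcontractors).items()
            if len(s) >= min_services}


def dependency_chains(catalog, subcontractors):
    """dep_id -> full chain of entities behind it, for dependencies with a chain."""
    chains = {}
    for dep in catalog:
        chain, stack, seen = [], [dep.entity], set()
        while stack:
            entity = stack.pop()
            if entity in seen:
                continue
            seen.add(entity)
            chain.append(entity)
            stack.extend(subcontractors.get(entity, []))
        if len(chain) > 1:
            chains[dep.dep_id] = chain
    return chains


if __name__ == "__main__":
    print(prioritize(CATALOG))
    print("concentration:", single_points(CATALOG, SUBCONTRACTORS))
    print("chains:", dependency_chains(CATALOG, SUBCONTRACTORS))
```

Running this on the sample data places EXD-01, EXD-03 and EXD-04 in tier 1 and EXD-05 in tier 3, and the affinity step reports PowerUtility as an entity that three services rely on even though it never appears in the catalog directly: both the primary host and the continuity site depend on it, so the continuity arrangement does not diversify that dependency. That is exactly the kind of finding the prioritization and risk identification steps need as input.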
Risks due to external dependencies are identified and managed.
The management of risk due to external dependencies is the specific application of risk management tools, techniques, and methods to these high-value relationships of the organization. Most organizations have many external dependencies, all of which can be the source of additional risks. Risks from external dependencies can result in consequences due to the impact on assets or services that may be in the control of, supplied by, operated by, or otherwise affected by external entities.
Managing risks due to external dependencies involves understanding the nature of each essential external dependency and the specifics of how the organization may be affected by the realization of such risks.
Risks associated with external dependencies are periodically identified and assessed.
Risks due to external dependencies must be identified and assessed so that they can be effectively managed to maintain the resilience of the organization’s high-value services.
The identification of risks due to external dependencies forms a baseline from which a continuous risk management process can be established and managed.
The subpractices included in this practice are generically addressed in RISK:SG3 and RISK:SG4 in the Risk Management process area.
Typical work products
Subpractices
Determining which external dependencies to include in regular risk assessment activities depends on many factors, including the impact on the organization of any disruption in a high-value service that could result due to the realization of such risks.
Identification of risks due to external dependencies requires an understanding of the actions of the associated external entity in the operation, support, or resilience of the organization’s services. External entities will be responsible for varying dependencies in the support of the organization’s operations. The information gathered in the identification and characterization of the external dependencies in support of EXD:SG1.SP1 may be useful in identifying such risks.
Risk statements should be developed for each identified risk. (RISK:SG3.SP1 and RISK:SG3.SP2 provide additional information about identifying risks and developing risk statements.)
The analysis of risks should include an evaluation of the potential impact of the risk on the organization.
RISK:SG4.SP2 provides additional information about risk categorization and prioritization.
RISK:SG4.SP3 provides additional information about risk disposition.
Risk mitigation strategies for external dependencies are developed and implemented.
The mitigation of risk due to external dependencies involves the development of strategies that seek to minimize the risk to an acceptable level. This includes reducing the likelihood of risks, minimizing exposure to them, developing service continuity plans, and developing recovery and restoration plans to address the consequences of realized risk.
Risk mitigation for external dependencies requires the development of risk mitigation plans (which may include the development of new controls or the revision of existing controls that apply to external dependencies and external entities) and the implementation and monitoring of these plans for effectiveness.
The subpractices included in this practice are generically addressed in RISK:SG5 in the Risk Management process area.
Typical work products
Subpractices
Relationships with external entities are formally established and maintained.
Requirements in the form of contractual specifications provide the basis for formal agreements that are established to define and govern the relationships between the organization and the actions of external entities. Enterprise-level requirements are established and included in any such agreement with an external entity. Specifications (including those for satisfying resilience requirements) are established that are unique to a particular external dependency. Ideally, external entities are selected from a qualified set of candidates based on their demonstrable ability to achieve the specifications established by the organization; any specifications that cannot be met are identified and managed as risks by the organization. The entire relationship between the organization and the external entity is established, defined, and bound by a formal agreement that includes all contractual specifications. The agreement is updated throughout the life cycle of the relationship with the external entity as needed.
Enterprise specifications that apply in general to external entities are established and maintained.
The organization has a set of values and behaviors that it follows when carrying out its operations. These values and behaviors may be derived to support the organization’s strategy or designed to create or reinforce the organization’s public image. They may also be a reflection of the organization’s market sector or the function of regulations or other constraints with which the organization must comply. Regardless of the source, the organization’s values and behaviors should be reflected in high-level organizational policies that govern the behavior of staff and external entities whenever they are representing or performing services for the organization.
From a resilience perspective, such policies, standards, and guidelines are essential controls that aid in protecting and sustaining the organization’s operation. For example, the organization may have a policy that requires certain minimum due diligence prior to allowing staff members to access certain information assets.
When external entities support the execution of the organization’s services, they become an extension of the organization and should be subject to the same or similar policies, standards, and guidelines as the organization’s staff. These enterprise-level policies, standards, and guidelines must be translated to a set of enterprise-level specifications and reflected in agreements with each external entity to ensure a seamless implementation of the organization’s resilience strategy.
The enterprise specifications for external dependencies should consider the prioritization criteria and scheme for external dependencies (see EXD:SG1.SP2). It may be appropriate for certain or all enterprise specifications to apply to all external entities. Alternatively, it may be appropriate for different sets of enterprise specifications to apply to different tiers or sets of prioritized external dependencies and the relevant external entities.
The organization’s enterprise resilience requirements should be reflected in the enterprise specifications for external dependencies. (Enterprise resilience requirements are addressed in the Resilience Requirements Development process area.)
Typical work products
Subpractices
Resilience specifications that apply to specific external dependencies and entities are established and maintained.
External dependencies occur as a result of an external entity’s access to, control of, ownership in, development of, possession of, responsibility for (including operations, maintenance, or support), or other defined obligations related to one or more high-value assets or services of the organization. The organization’s high-value assets and services all have specific resilience requirements that must be established as specifications for any associated external dependency and responsible entity.
For each external dependency, the organization should establish a detailed set of specifications that the external entity must meet in order to support and extend the resilience of the organization’s operations. It is important that these specifications be thorough, detailed, definitive, adequate for use as criteria when selecting external entities, suitable as language in agreements with external entities, and appropriate for use as a basis for monitoring the performance of the external entity.
The specifications for a specific external dependency and entity include, as appropriate, required characteristics of the external entity (e.g., financial condition and experience), required behaviors of the external entity (e.g., security and training practices), and performance parameters that must be exhibited by the external entity (e.g., recovery time after an incident and response time to service calls).
When developing specifications for external dependencies, the organization should
• consider the type of organizational assets or services impacted by the external dependency and their importance to the organization’s mission and operations
• understand the extent to which the external entity takes custodial control of the organization’s assets, and any resilience requirements of those assets that must be satisfied
• consult internal and external stakeholders responsible for the associated assets and services
• be aware of other assets or services that may rely upon the same external dependency and entity (as would be indicated by the affinity analysis in EXD:SG1.SP2)
• review the resilience requirements established in the Resilience Requirements Development process area for the assets or services in question
• review and select appropriate resilience guidelines established in the Resilient Technical Solution Engineering process area for the development of all software and system assets
• include the enterprise-level specifications (as identified in EXD:SG3.SP1)
The resilience specifications for an external dependency must clearly cover the resilience requirements of the assets or services that rely on the external entity. They should also include key features and capabilities of the external entity.
Typical work products
Subpractices
The process for determining and documenting the resilience specifications that apply to an external dependency and entity will vary based on the action of the entity in relation to the organization’s operations and the priority of the external dependency (as determined in EXD:SG1.SP2).
At a minimum, the resilience specifications should include a clear and definitive statement of the external entity’s services, support, products, assets, or staff on which the organization relies.
Specifications for characteristics are often expressed as minimum acceptable characteristics.
Specifications that describe required behaviors and performance parameters are often documented as SLAs that are included in requests for proposals (RFPs) (see EXD:SG3.SP3). It is valuable to develop the SLA before entering into a relationship with an external entity so that the SLA can be used as part of the evaluation process to select an external entity. Ultimately, the SLA should be incorporated into the formal contractual agreement with an external entity (see EXD:SG3.SP4).
From a resilience perspective, the SLA should include the performance specifications for security, business continuity, and IT operations that are necessary to support the resilience of the associated asset or service (the external dependency). For example, if the external entity is performing payroll operations for the organization, the SLA may require that the external entity keep all payroll data confidential and destroy the data within a specific number of days of its use. SLAs often specify deadlines or time parameters for availability, support, and/or recovery activities (such as a requirement for X% availability over a Y-month period).
External entities are selected based on an evaluation of their ability to meet the specifications for external dependencies.
External entities should be selected according to an organized and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the organization’s specifications as established in EXD:SG3.SP1 and EXD:SG3.SP2.
From a resilience perspective, the selection process for external entities is often an extension of or supplement to the organization’s standard procurement processes. Resilience specifications may simply serve as additional requirements for consideration and evaluation as part of the standard procurement process. In all cases, due diligence should be performed on candidate external entities to evaluate their ability to meet the resilience specifications that have been established for the actions they hope to perform for the organization.
In some cases, external entities cannot be selected from a pool of candidates; they may be inherited in the course of an acquisition or merger, or they may be the only provider of a high-value service on which the organization depends (this is often the case for public services). In cases in which external entities cannot be selected, the due diligence process for selection should still be performed to identify any specifications that are not met by the external entity. It may be appropriate to alter the specifications by changing the actions or nature of the dependence on the external entity to resolve the unmet specifications. In cases where the specifications cannot be changed, any unmet specifications should be treated as risks under EXD:SG2.
Typical work products
Subpractices
The criteria should include measures and thresholds of the candidate external entity’s ability to meet the resilience specifications established in EXD:SG3.SP1 and EXD:SG3.SP2.
The due diligence process should be designed to verify that the candidate can meet the organization’s specifications. If the external entity is engaged with a high-value service or asset in support of the organization’s mission, it may be appropriate to test the controls that are in use by the candidate to protect and sustain its services and assets as part of the due diligence process.
The due diligence may be performed iteratively as part of a staged procurement process with multiple down-select stages, or the due diligence may be performed completely on each qualified candidate to help understand and reveal differences among the candidates.
The due diligence process and results should be documented. The resulting documents should be adequately protected in accordance with the organization’s policies and in compliance with any non-disclosure or other agreements in place with the candidate.
Formal agreements with external entities are established and maintained.
Formal agreements should be established with external entities. The agreement content may take different forms depending on the
• type of relationship between the organization and the external entity
• type of products or services (external dependencies) being provided by the external entity (particularly if the services are for sustaining security and resilience rather than general services)
• level of integration of the external entity with the service (i.e., the extent to which the organization relies on the external entity to meet the service mission)
• degree to which the external entity takes custodial control of the organization’s asset(s) in order to provide necessary products and services
Types of agreements may include contracts, memoranda of agreement, purchase orders, and licensing agreements. In some cases, agreements such as mutual-aid agreements may spell out what services a public authority provides for the organization during normal operations and during crises. In cases in which the external entity and the organization are part of the same legal entity or share a common parent legal entity, the organization or the parent entity may have special procedures for establishing and enforcing agreements. Agreements are often composed from multiple sections or multiple documents, each of which describes some aspect of the arrangement and agreement. In all cases, the agreement, regardless of form, should
• be enforceable by the organization
• include detailed and complete specifications that must be met by the external entity (See EXD:SG3.SP1 and EXD:SG3.SP2.)
• include any required performance standards or work products from the organization
• be changed to reflect changes in specifications over the life of the relationship
Subpractices
All agreement provisions should be documented in the agreement in language that is unambiguous.
The agreement should not contain any general exceptions for achieving the resilience specifications unless they are carefully considered and negotiated. It may, however, contain scenarios of types of unforeseen events for which the external entity is not expected to prepare. Any exceptions granted to resilience specifications or scenarios for which the external entity is not required to prepare should be treated as risks under EXD:SG2.
All agreements should establish and enable procedures for monitoring the performance of external entities and inspecting the services or products they deliver to the organization.
Negotiation may be required to reach agreement with the external entity on all of the agreement provisions. Any specifications that are waived as a result of negotiations should be treated as risks under EXD:SG2. Once negotiations are complete and the organization and the external entity agree to all of the agreement provisions, the agreement should be executed by representatives from both organizations.
The performance of external entities is managed.
The organization must manage external entities by monitoring performance against specifications and taking corrective actions as appropriate.
The performance of external entities is monitored against the specifications.
The performance of external entities against the agreement terms and specifications—particularly those focused on the resilience of the organization’s assets and services—must be periodically monitored. This includes all external dependencies for which the entity is responsible. The organization uses the specifications and formal agreements established in EXD:SG3 as the basis and criteria for monitoring the external entity. Any deviations from the established specifications must be analyzed to understand the potential impact on the organization.
To ensure that performance monitoring is performed on a timely and consistent basis, the organization should establish procedures that determine the frequency, protocol, and responsibility for monitoring a particular external entity. (Responsibility is typically assigned to the organizational owner of the relationship.) These procedures should be consistent with the terms of the agreement with the external entity (see EXD:SG3.SP4). It may be appropriate to adjust the monitoring frequency in response to changes in the risk environment, changes to external dependencies, or changes in the external entity.
When the external entity is responsible for producing or delivering assets to the organization, the monitoring process should include inspection of the assets to ensure that they meet all stated specifications, including asset resilience requirements.
Subpractices
Procedures should be consistent with the agreement between the organization and the external entity and should be based on verifying that the external entity is achieving the specifications as defined in the agreement. All agreement specifications should be considered for monitoring; it may be appropriate to prioritize monitoring and inspection activities based on a risk analysis of the specifications (which includes all external dependencies). Monitoring and inspection procedures should address the external entity’s required characteristics, required behaviors, and required performance parameters.
Corrective actions are implemented to support external entity performance as necessary.
Implementing corrective actions is a necessary part of managing external entity performance. The objective of any corrective action is to minimize the disruption to the organization’s operation or the risk of any such disruption based on external dependencies. The range of corrective actions should be established in the agreement with the external entity, and an evaluation of alternatives should be completed prior to implementing corrective actions.
In cases in which the external entity is developing or otherwise providing an asset or assets to the organization, the appropriate corrective action may be to reject the delivery of the assets.
Corrective actions should be documented in accordance with specifications in the agreement and used to inform and improve ongoing monitoring of the external entity.
Subpractices
The agreement should be reviewed to identify appropriate and allowable corrective actions for consideration. The various alternatives should be evaluated based on their likelihood to succeed in correcting the situation and mitigating any associated risks.
It may be valuable and appropriate to include the external entity in the discussion and consideration of alternatives, especially if both the organization and the external entity desire to continue the relationship.
Communication provisions in the agreement should be followed to formalize communication of the corrective action with the external entity.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the External Dependencies Management process area.
The operational resilience management system supports and enables achievement of the specific goals of the External Dependencies Management process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the External Dependencies Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices EXD:SG1.SP1 through EXD:SG4.SP2 are performed to achieve the goals of the external dependencies management process.
External dependencies management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the external dependencies management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the external dependencies management process area.
Establish and maintain the plan for performing the external dependencies management process.
Elaboration:
A plan for performing the external dependencies management process is developed to ensure that the organization can satisfy its operational resilience requirements when an external entity has access to, control of, ownership in, possession of, responsibility for (including development, operations, maintenance, or support), or other defined obligations related to one or more assets or services of the organization. The plan must address the enterprise and resilience specifications for the service being performed or the product being provided (i.e., the external dependency) by the external entity. In addition, because external entities can be located in many geographical locations, the plan must address those external entities and stakeholders that can enable or adversely affect operational resilience.
The plan for the external dependencies management process should not be confused with service continuity (recovery, restoration) plans for assets and services that are under the control of external entities. The plan for the external dependencies management process details how the organization will manage external dependencies and relationships with external entities, including the development of service continuity plans where such entities are involved. (The generic practices for service continuity planning are described in SC:SG1 through SC:SG4 in the Service Continuity process area.)
Provide adequate resources for performing the external dependencies management process, developing the work products, and providing the services of the process.
Elaboration:
A wide range of organizational resources and skills is required to oversee and manage external entity access to, control of, ownership in, possession of, responsibility for (including development, operations, maintenance, or support), or other defined obligations related to one or more assets or services of the organization. This includes the diversity of activities required to identify, prioritize, evaluate, select, formalize agreements with, and manage a wide range of relationships with external entities. In addition, these activities may require a major commitment of financial resources (both expense and capital) from the organization.
Subpractices
Elaboration:
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for external dependencies.
Assign responsibility and authority for performing the external dependencies management process, developing the work products, and providing the services of the process.
Elaboration:
Those responsible for services and assets are involved in identifying and prioritizing external dependencies and establishing resilience specifications that external entities must fulfill. Formal agreements identify external entity actions, including ensuring continuity of operations during times of stress. EXD:SG1.SP1 calls for identifying the organizational owner of each relationship with an external entity; EXD:SG4.SP1 calls for monitoring the performance of external entities against their specifications. Similarly, EXD:SG2.SP2 requires the identification of those responsible for addressing, tracking, and mitigating risks that arise from external dependencies and relationships with external entities.
In EXD:GG2.GP4, responsibilities are assigned to activities of the external dependencies management process.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
The organization must ensure that responsibility and authority extend to all external entities and to any entities with which the external entity has contracted to provide services or products in support of the external entity’s formal agreement with the organization.
Train the people performing or supporting the external dependencies management process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Place designated work products of the external dependencies management process under appropriate levels of control.
Identify and involve the relevant stakeholders of the external dependencies management process as planned.
Subpractices
Because external entities may reside in a wide range of physical locations and provide and support numerous processes, services, and assets, a substantial number of stakeholders are likely to be external to the organization.
Monitor and control the external dependencies management process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Reviews will likely verify the accuracy and completeness of the list of external dependencies and their current status.
Elaboration:
Corrective action may require the revision of existing formal agreements.
Objectively evaluate adherence of the external dependencies management process against its process description, standards, and procedures, and address non-compliance.
Review the activities, status, and results of the external dependencies management process with higher-level managers and resolve issues.
Elaboration:
Status reporting on the external dependencies management process may be part of the formal governance structure or be performed through other organizational reporting requirements (such as through the chief acquisition or procurement officer level or equivalent). Audits of the process may be escalated to higher-level managers through the organization’s audit committee of the board of directors or similar construct in private or non-profit organizations.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
External dependencies management is institutionalized as a defined process.
Establish and maintain the description of a defined external dependencies management process.
Elaboration:
Managing external dependencies, including relationships with the external entities responsible for them, is typically carried out at the organizational unit or line of business level (where ownership of the relevant service or asset resides) and may have to be geographically focused (due to the location of specific external entities). However, to achieve consistent results in managing these relationships, the activities at the organizational unit or line of business level must be derived from an enterprise definition of the external dependencies management process. Agreements (including resilience specifications), dependency priorities, and performance monitoring may be inconsistent across organizational units, particularly when a specific external entity supports multiple units or multiple external entities support a specific service or asset. Inconsistencies in managing relationships with external entities across the enterprise can impede operational resilience.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Collect external dependencies work products, measures, measurement results, and improvement information derived from planning and performing the process to support the future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.