Financial Resource Management

Enterprise


Purpose

The purpose of Financial Resource Management is to request, receive, manage, and apply financial resources to support resilience objectives and requirements.

Introductory Notes

Every activity that an organization performs requires a commitment of financial resources. This is particularly true for managing operational resilience—activities like security and business continuity are resource-intensive, and the cost of these activities continues to increase as new threats emerge, technology becomes more pervasive and complex, and the organization shifts its asset base from tangible assets to intangible assets such as information. As the building blocks of organizational services, assets require increasingly sophisticated protection strategies and continuity plans. This requires the organization to make a financial commitment to asset development, implementation, and long-term operation and support.

Besides ensuring proper funding considerations for resilience activities, effective consideration of financial resources is also an organizational necessity for managing these activities. The cost of strategies to protect and sustain assets and services must be optimized to the value of the potential loss of the productivity of assets and services. In addition, understanding the true cost of protecting and sustaining these assets and services is paramount for effectively managing their resilience. Without relevant information about the costs of protecting and sustaining assets, the organization cannot know when costs are misaligned with asset value and contribution.

Financial Resource Management is focused on improving the organization’s ability to apply financial resources to fund resilience activities while helping the organization to actively manage the cost and return on investment of these activities. The organization establishes a plan for defining financial resources and needs and assigning these resources to resilience activities. Budgets are established, funding gaps are identified, and costs are tracked and documented. Through effective financial management, the organization establishes its ability to measure return on resilience investments through calculating “risk versus reward” and by identifying cost recovery opportunities. In short, financial resource management provides for the possibility that resilience activities can become investments that the organization uses to move its strategic objectives forward and that can be recouped through improved value to stakeholders and customers.

Related Process Areas

Visible and active sponsorship and support for funding resilience activities are addressed in the Enterprise Focus process area.

The processes for identifying, analyzing, and mitigating risks that result from underfunding or lack of funding for resilience requirements are addressed in the Risk Management process area.

Summary of Specific Goals and Practices

  1. FRM:SG1 Establish Financial Commitment
     FRM:SG1.SP1 Commit Funding for Operational Resilience Management
     FRM:SG1.SP2 Establish Structure to Support Financial Management
  2. FRM:SG2 Perform Financial Planning
     FRM:SG2.SP1 Define Funding Needs
     FRM:SG2.SP2 Establish Resilience Budgets
     FRM:SG2.SP3 Resolve Funding Gaps
  3. FRM:SG3 Fund Resilience Activities
     FRM:SG3.SP1 Fund Resilience Activities
  4. FRM:SG4 Account for Resilience Activities
     FRM:SG4.SP1 Track and Document Costs
     FRM:SG4.SP2 Perform Cost and Performance Analysis
  5. FRM:SG5 Optimize Resilience Expenditures and Investments
     FRM:SG5.SP1 Optimize Resilience Expenditures

Specific Practices by Goal

Establish Financial Commitment

A commitment to funding resilience activities is established.

Establishing a commitment to funding the organization’s operational resilience management system is a key factor in its success. Typically, funding for resilience activities is indirect, drawn as required from other budgets in areas such as information technology and security rather than allocated based on resilience needs and requirements. This leads to an ineffective and inefficient allocation of financial resources for managing operational resilience, which ultimately affects the organization’s ability to successfully achieve resilience objectives.

Dedicated funding for operational resilience management requires active and visible sponsorship from higher-level managers. The budgeting and funding activity for resilience should coexist with the activities used to develop funding for strategic objectives and operational plans. A structure to enforce and reinforce financial planning, budgeting, and resource allocation must be developed and implemented to ensure ongoing support for the operational resilience management system and to avoid funding these activities in an ad hoc, event-driven, or funds-available manner. The organization’s commitment to funding operational resilience management should also extend to identifying the staff in the organization who are responsible for developing and funding resilience budgets and for managing the costs of resilience activities against these budgets.

Commit Funding for Operational Resilience Management

A commitment by higher-level managers to fund resilience activities is established.

(This practice is repeated from the Enterprise Focus process area and enhanced for emphasis. It assumes that there is visible and active support and sponsorship for the operational resilience management system by higher-level managers in the organization.)

Budgeting is a process of allocating funds to organizational activities that support and promote strategic objectives. When resilience is considered a strategic competency, funding for resilience activities must be included as part of the organization’s capital and expense funding needs rather than as an afterthought that is indirectly funded through IT activities or as needed when disruptive events occur.

Sponsorship of the operational resilience management system is made actionable by higher-level managers’ commitments to funding the resilience program and the accompanying activities and tasks. This requires that they commit to

• supporting the business case for operational resilience management

• including resilience needs in the funding of strategic objectives

• ensuring that resilience needs are adequately funded

• releasing funds as necessary to support the attainment of strategic resilience objectives

Typical work products

  1. Business case for resilience
  2. Documented strategy for funding resilience activities

Subpractices

  1. Develop the business case for the operational resilience management program and process.

    Sponsorship of the investment in the operational resilience management system must be based on a sound business case. The investment in resilience must bring about tangible, measurable, and demonstrable value to the organization. The business case for resilience should

    • justify the investment through itemization of tangible benefits and results

    • articulate the strategic outcomes that would result from investments in resilience activities

    • articulate the potential risks and costs associated with not investing in resilience activities

    • establish that the funding necessary for resilience is appropriate and adequate

    • provide sufficient information to allow comparative evaluations of alternative actions

    • establish the accountability and commitments for the achievement of the benefits and strategic outcomes

  2. Establish operational resilience management program and process funding as a regular part of the organization’s strategic plan budgeting (capital and expense) exercise.

    The development of budgets to support the operational resilience management system is addressed in FRM:SG2.SP2.

  3. Define the sources of funds that will be used to fund the operational resilience management program and process activities.

    As part of their sponsorship of the operational resilience management system, higher-level managers must identify the sources of funds that will be used. Higher-level managers may allocate a portion of existing operating budgets to resilience, create a pool of resources at the enterprise level for allocation, or develop dedicated funding streams (such as an add-on charge to customer services or products) to fund the resilience activities of the organization.

  4. Approve allocation of funding to operational resilience management program and process activities.

    The allocation of funding for operational resilience management activities is addressed in FRM:SG3.SP1.

Establish Structure to Support Financial Management

The structure that supports the assignment and management of financial resources to resilience activities is established.

Organizations typically have a standardized budgeting and accounting structure that ensures consistency, accuracy, and reliability of financial data for financial management. The structure helps the organization to develop budgets, allocate funds to capital projects or to support operational processes, and to account for the use of funds against budgets—in essence, to control organizational finances.

Because the operational resilience management system is often cost-intensive, the organization must have a structure and process that extend to managing the financial aspects of resilience, including providing a means for

• budgeting for resilience activities

• allocating and delivering funds to resilience activities (whether these activities are scheduled or are performed during an emergency or event)

• accounting for and tracking the costs of providing resilience services

• identifying and understanding cost variances in providing resilience services

• providing financial governance over the operational resilience management system

• determining the cost-benefit ratio of resilience decisions and performing other analytical activities related to resilience

• forecasting future operational-resilience-management-related costs and investments

• assigning authority and accountability for managing the financial aspects of operational resilience management

• communicating the financial process and structure for operational resilience management to all in the organization with a need to know

Addressing the financial aspects of operational resilience management separately from other operating expenses and capital outlays ensures that the cost (and potential revenue) related to operational resilience is visible and can be actively managed as are other organizational expenses and capital improvements. In turn, this allows the organization to take actions to control costs, shift financial resources as necessary, and explain variations in costs related to events or other disruptions—in other words, to provide resilience at the lowest possible cost and highest possible return to the organization. In addition, implementing a structure that supports specific funding for managing operational resilience ensures that it is considered as a separate item, distinct from pools of funding supplied to less specific activities such as security, business continuity planning, and IT operations management.

Typical work products

  1. Resilience accounting policies, procedures, and acceptable practices
  2. Resilience chart of accounts
  3. Tools and techniques for financial management

Subpractices

  1. Establish resilience accounting policies and procedures.

    Resilience accounting policies and procedures establish the ways in which the organization expects resilience costs and investments to be documented, budgeted, funded, tracked, and accounted for. These policies and procedures should establish the financial management structure necessary for resilience accounting and should specifically address

    • expansion of the organization’s chart of accounts to include resilience accounts

    • establishment of related charge strings and budgets for resilience activities and projects (which would roll up into the chart of accounts)

    • funding policies and procedures to fund resilience activities

    • policies and procedures for funding off-cycle or emergency funding requests related to resilience activities (to avoid overspending and lack of accountability)

    • resilience financial reporting requirements (both internally and externally)

  2. Establish resilience accounts, cost strings, and budgeting processes.
  3. Establish tools and techniques for resilience financial management.

    These are examples of tools and techniques that may be used to support financial management of resilience:

    • policies and procedures for generally accepted budgeting and accounting practices for operational resilience management

    • cost and accounting tracking systems

    • effort reporting systems

    • action item tracking systems

    • project management and scheduling programs

    • analytical programs or methods that provide for cost-benefit analysis or “what-if” analyses

  4. Assign responsibility and accountability for resilience budgeting, funding, and accounting activities.

    Accountability for achieving the benefits, controlling the costs, managing the risks, and coordinating the activities and interdependencies of multiple projects should be clearly and unambiguously assigned and monitored. In order to assign financial responsibility, the organization specifically identifies and documents those staff who are authorized to make financial commitments to resilience management activities.

Perform Financial Planning

Planning for funding resilience management activities is performed.

Resilience activities tend to be funded in one or more of the following ways:

• as part of an organizational unit or line of business budget (typically for building and executing service continuity plans)

• as part of other support department budgets (typically IT, IT security, or IT operations, or possibly as part of the organization’s risk management budget)

• when emergencies, events, or other disruptions arise (ad hoc, without specific budget or spending controls)

While these funding methodologies may be effective in the short term, the increasing importance of actively managing resilience demands that the organization be able to understand its resilience financial obligations, determine how to fund these obligations, and identify cost savings and optimization opportunities where possible to continually improve the efficiency of applying financial resources to what is traditionally thought of as a cost center.

Funding resilience competes with projects, activities, and initiatives that the organization may have in its sights to meet strategic objectives, improve revenue, and improve return to stakeholders. Because of this, specific consideration of and planning for resilience financial obligations give the organization control over these obligations so that they can not only be cost-effective but become investments in meeting these competing goals.

To perform financial planning for operational resilience management, the organization must specifically define its financial obligations, establish resilience budgets, and resolve funding gaps and conflicts that arise from competing objectives.

Define Funding Needs

The financial obligations for managing the operational resilience management system are established.

The activities necessary for protecting and sustaining organizational assets and services are often cost-intensive and produce returns that are difficult to discern. In some cases, they are simply a cost of operations—to keep services productive toward their mission and assets deployed to support services as necessary.

Unfortunately, the cost of resilience activities, particularly when viewed at the asset or service level, is often addressed through discretionary funds—those that have not been earmarked for any particular purpose. Thus, the funding of these activities is inconsistent, prone to reaction-based allocation, and not typically based on requirements. Meeting resilience requirements requires a certain level of non-discretionary, specifically allocated funding that provides for the people, processes, and technology necessary to meet the requirements. In other words, funding needs for managing resilience should be specifically identified and funds must be considered, allocated, and earmarked based on need.

To make effective optimization and trade-off decisions, the organization must confront the true cost of the requirements it has set to manage resilience. Viewing resilience costs from a requirements perspective provides a more accurate picture of the true cost of managing operational resilience, laying the groundwork for cost reduction and reallocation based on need rather than discretionary and arbitrary decisions.

Typical work products

  1. Historical resilience accounting data
  2. Resilience funding requirements (by asset or service, or both)
  3. Estimation rationale and calculations for funding

Subpractices

  1. Collect historical data that will be used as the basis for developing funding requirements.

    Historical data includes the cost, effort, and schedule data from previously executed projects, activities, and tasks.

  2. Determine and document resilience funding requirements.

    Determining resilience funding requirements is not a trivial task. It takes a thorough examination of many factors at the asset, service, and enterprise levels. The following should be considered when determining resilience funding requirements:

    • the costs associated with developing, implementing, monitoring, and maintaining protective controls for assets and services

    • the costs associated with developing, testing, implementing, and maintaining service continuity plans

    • direct and indirect labor costs associated with resilience tasks and activities

    • allocated costs from the enterprise for shared services such as network security, physical security controls on buildings and facilities, and other allocated IT and facilities security services

    • associated overhead costs levied by the enterprise

    • costs for performing risk assessments and business impact analyses, and developing and implementing corrective actions

    • costs for tools, methodologies, and software licenses to support resilience activities

    • costs for labor, including direct labor, training, skills development, etc.

    • costs for external assistance (consulting and labor)

    • special projects that must be funded to improve or sustain resilience

    • costs related to potential operational environment changes that may occur in the future that would affect the budget

    • allowances for emergency funding or future-looking needs

    • actual costs of resilience services and activities in past performance periods

  3. Validate funding assumptions through detailed analysis of resilience requirements.

    Funding assumptions must support the satisfaction of resilience requirements. Thus, they must be compared to these requirements for validation.

Establish Resilience Budgets

Capital and expense budgets for resilience management are established.

Budgeting is an activity that emanates from strategic planning. The organization develops budgets to ensure that funding is available and allocated to support its strategic objectives. In much the same way, resilience objectives (which support strategic objectives) must be specifically funded.

As part of the organization’s regular budgeting process, resilience budgets should be developed based on funding assumptions. In practice, this typically refers to organizational unit level budgeting of specific resilience accounts and/or the expansion of existing account budgets to allow for allocated costs from the enterprise.

The organization may also have to establish enterprise-level budgets that provide resilience services that are allocated across the organization and may have to specifically fund enterprise-level resilience program activities that support the operational resilience management system that traverses the organization.

Typical work products

  1. Resilience line-item budgets (at organizational unit or line of business level)
  2. Resilience line-item budgets (at enterprise level)
  3. Project budgets for resilience projects
  4. Resilience program budget

Subpractices

  1. Determine the budget available for the resilience program.
  2. Establish a budgeting method and process for resilience.

    There are a number of budgeting methods that may be in use in a typical organization. These methods should be employed when developing resilience budgets as well. Budgeting methods include activity-based costing, zero-based budgeting, and incremental budgeting.

  3. Develop the operational-level resilience budgets.

    The budget should be based on the funding requirements as considered in FRM:SG2.SP1.

  4. Develop the enterprise-level resilience budgets.

    These budgets are typically owned by departments such as information technology, IT security, risk management, legal, audit, or other enterprise departments that are responsible for aspects of security, business continuity, and IT operations management.

  5. Assign authority and accountability for developing and managing the budgets.

    To ensure that budgets are used as a primary financial control in the deployment and execution of resilience activities and tasks, clear responsibility and authority for developing and managing resilience budgets must be assigned.

  6. Review budgets on a regular basis and update as necessary.
  7. Tie performance measures to the resilience budgets.

    Tying performance measures to resilience budgets ensures adequate financial performance and commitment to meeting resilience requirements.

Resolve Funding Gaps

Identify and resolve gaps in funding for resilience management and mitigate associated risks.

Identifying and resolving funding gaps for managing operational resilience is a process check that ensures that essential activities necessary for meeting resilience requirements are funded adequately. The failure to include essential activities and fund them appropriately potentially exposes the organization to additional risk.

The organization actively compares resilience budgets to the cost of activities necessary to support operational resilience, identifies potential gaps, and attempts to resolve these gaps by taking mitigating actions such as increasing budgets, reprioritizing activities, or developing other options.

Risks that result from funding gaps may have to be resolved and mitigated. In addition, these risks may have to be escalated to oversight or governance personnel to ensure that they are aware that essential resilience functions are not being covered. Governance may result in corrective actions such as reallocation of funds, reprioritization of activities, or other actions to mitigate resulting risks.

Risks that result from underfunding of resilience requirements may have to be considered in the Risk Management process area. Escalating operational risk issues to higher-level managers for consideration and corrective action is addressed in the Enterprise Focus process area.

Typical work products

  1. Documented resilience funding gaps
  2. Resolution decisions for funding gaps

Subpractices

  1. Perform gap analysis between resilience funding needs and established budgets.
  2. Identify budget shortfalls.
  3. Identify risks related to budget shortfalls.

    Risks identified as related to budget shortfalls should be referred to the organization’s risk management process for inclusion in the continuous risk management cycle. (The processes for identifying, analyzing, and mitigating risk are included in the Risk Management process area.)

  4. Develop and document decisions to resolve potential issues, concerns, and risks that result from funding gaps.

Fund Resilience Activities

The organization’s essential activities for managing and sustaining operational resilience are funded.

The organization must have processes in place to ensure that access to funds for managing and sustaining operational resilience is provided. Typically, this occurs through normal funding mechanisms, but due to the nature of managing operational resilience, additional provisions may have to be made to ensure that off-cycle requests are handled in a timely manner.

Fund Resilience Activities

Access to funds for resilience management activities is provided.

Establishing and sustaining resilience requires the organization to have a structure and process for allocating and distributing funding for procuring the necessary goods and services to support resilience and the development, implementation, and management of strategies to both protect and sustain services and supporting assets. Access to resilience-directed funding is typically made through the organization’s regular mechanisms for funding activities, expenses, and capital purchases, but special circumstances often arise when managing operational resilience that require off-cycle budget requests that must be met in a timely manner.

Funds requests are generally handled through funding mechanisms that are common to most organizations:

• Expense requests provide access to funds for approved expenses related to providing resilience services (such as travel).

• Purchase requests provide access to funds for approved expense-related and capital purchases (such as hardware and software or office supplies).

• Labor related to providing resilience services is generally funded through time and effort reporting.

• Overhead associated with shared costs of providing resilience services is generally funded through overhead allocation.

Off-budget or off-cycle requests for funds to provide resilience services can be a control weakness for many organizations because they typically occur during times of stress, when the usual mechanisms for funding are abandoned and spending proceeds without the normal approvals, segregation of duties, or audit trail. Thus, the organization must have generally accepted processes and procedures for these types of funding requests so that they can be controlled to the extent possible.

Typical work products

  1. Policies and procedures for funds access and application
  2. Budget commitment request
  3. Off-budget funding justification

Subpractices

  1. Develop policies and procedures for accessing budgeted resilience funds.

    Policies and procedures should include provisions for

    • funding justifications

    • reviewing justifications and approving funding requests

    • emergency funding requests

    • reviewing and validating labor and allocation charges to resilience budgets (that are not part of a request process)

    Resilience projects (such as the development, design, and implementation of resilience requirements in a system or software development project) should be funded directly through project funding mechanisms.

  2. Develop a process for addressing off-cycle or off-budget funds requests and approvals.

    This process should include a proper approval structure that allows funds to be provided expediently, respecting the time-dependent nature of the requests, without abandoning approval and accountability controls.

Account for Resilience Activities

Accounting for the financial commitment to resilience activities is performed and used for process improvement.

Gathering data on the cost of managing and supporting operational resilience is an essential activity for establishing financial management and responsibility and for performing cost-benefit analysis on the impact and value of these services. Without financial data, no conclusions can be drawn as to whether the investment in managing operational resilience is worth the organization’s commitment. The organization establishes accounting processes that accumulate data on the expenditures and costs associated with providing services to manage and support the operational resilience of services and associated assets.

Accounting for resilience activities requires the organization to track and document related costs and to analyze these costs to ensure they are in line with expectations, to identify variances, and to determine the true cost of providing resilience services.

Track and Document Costs

The costs associated with resilience management are tracked and documented.

In order to consider the true cost of providing resilience services to the organization, and the potential return on investment that results, the organization must have established and consistent procedures for tracking and documenting the various costs associated with managing operational resilience. This information is a fundamental element in accounting for resilience activities and is an essential input to controlling and managing costs. Without this information, organizational managers cannot provide an adequate level of resilience at the lowest possible cost to the organization.

Typical work products

  1. Financial reports (on resilience costs)
  2. Documentation of variances between budgeted and actual expenditures
  3. Resilience cost accumulation and categorization scheme
  4. Resilience budget projections

Subpractices

  1. Develop and implement a means for collecting and tracking costs.

    There are several levels of cost accumulation and tracking that an organization must consider:

    • organizational level, including enterprise, organizational unit, line of business, or department

    • cost object, including asset, service, or project

    • expenditure type, including labor, overhead, software, hardware, facilities management, etc.

  2. Collect financial data on the costs related to providing resilience services.

    The organization’s accounting system should be able to produce financial data to a level of granularity that allows the organization to track resilience costs for assets or services, or any other unit that the organization chooses. Financial data should be supplied regularly to authorized staff (such as department managers who are responsible for controlling resilience costs).

  3. Calculate variances between budgeted costs and actual costs.

    Budget variances may be identified by any of the levels that the organization establishes for cost accumulation (as suggested in subpractice 1). The variances should be calculated at the levels that are most helpful for the organization to manage resilience costs.

  4. Identify and document major budget variances.
  5. Analyze budgets on a regular basis to determine potential period shortfalls or unspent items.
  6. Revise budgets based on actual data if necessary.

Perform Cost and Performance Analysis

Cost and performance analysis for funded resilience management activities is performed.

Cost accounting and analysis for resilience activities gives the organization a tool to determine effectiveness and efficiency, manage costs within budgets, determine return on resilience investment, and accurately project future resilience budgets and costs.

Typical work products

  1. Variance analysis reports
  2. Recommendations and explanations for reducing variance
  3. Determination of true cost of resilience (COR)

Subpractices

  1. Perform analysis on budget variances and document explanations for the variances.

    The organization should attempt to determine if the variance is meaningful and whether it should be reduced or eliminated. The organization should particularly attempt to determine if the variance is the result of necessary increases in expenditure to maintain operational resilience.

  2. Develop plans for reducing or eliminating variances.
  3. Calculate the true cost of providing resilience services (COR).

    Based on cost accumulation and tracking, the organization should attempt to determine the true cost of providing resilience services so that this information can be used in optimization and return on investment calculations. The COR should be calculated at the level appropriate for making financial decisions about resilience (such as at the asset or service level).

  4. Report financial exceptions.

    Financial exceptions may be indicators of issues and concerns in the operational resilience management system that must be escalated to oversight managers and committees. The organization should determine which types of financial exceptions should be reported and have a mechanism in place to report these exceptions on an as-needed basis.

Optimize Resilience Expenditures and Investments

The return to the organization for investment in resilience activities is measured and assessed.

The organization ultimately “invests” in operational resilience as a means for ensuring that its strategic objectives can be met. Foremost, the investment in resilience should optimize strategies to protect and sustain assets and services at the lowest possible cost to the organization. However, because resilience is typically a cost-driven activity, an organization may also seek to determine if its investment in resilience services and activities actually brings a return (by paying for itself through improved service uptime, quality, and reliability).

Optimizing resilience expenditures and investments requires the organization to examine the optimization of costs for providing resilience services, to determine a “return on resilience investment,” and to seek out ways to continually reduce overall costs while providing and supporting an acceptable level of resilience services.

Optimize Resilience Expenditures

The costs to implement and manage strategies to protect and sustain services and assets are optimized against the benefits.

The costs of attaining and sustaining an adequate level of operational resilience for an asset or service must be optimized against the value of the asset or service to the organization in order to rationalize and maximize the organization’s investment in resilience.

Overspending on resilience services potentially redirects limited resources away from assets and services that need them; underspending results in high-value assets and services that are not adequately protected and likely cannot be sustained when disrupted.

In addition, optimization helps the organization to determine the right mix of strategies. For example, the development of a service continuity plan may be a lower-cost option than implementing a protective control while still adequately satisfying the asset’s or service’s resilience requirements.

These are examples of the types of data that must be considered to perform optimization calculations and determinations:

• value data, such as the value of the asset or service (often expressed in terms of the revenue at risk or other cost due to the productive loss of the asset or service over a specified period of time)

• cost data, which may be expressed in terms of

— the cost of implementing and maintaining an adequate internal control system for the asset or service

— the cost of developing, testing, and implementing service continuity plans for the asset or service

— other accumulated costs that support these activities (labor, overhead, etc.)

Typical work products

  1. Optimization calculations by asset, service, or other unit
  2. Plan for re-optimizing resilience costs and services

Subpractices

  1. Establish the scope of optimization calculations and examination.

    The organization must determine which assets and services should be candidates for optimization review and calculation. The assets and services prioritized as high-value are a foundational starting point for determining the scope of this activity.

  2. Perform optimization calculations on high-value assets and/or services.

    This process relies upon accurate and timely cost accumulation and reporting and an accurate determination of the value of the assets or services under examination. Optimization calculations should be expressed in monetary values, but other acceptable values to the organization can be considered when necessary (such as productive hours or product output).

  3. Identify opportunities for optimization.

    Optimization is a balancing act that requires consideration of many aspects of managing operational resilience, including

    • the current cost of protective controls and their effectiveness

    • the costs related to developing, testing, and maintaining service continuity plans

    • the value of the asset or service to the organization

    • risk assumptions regarding how much risk the organization would be willing to accept based on the current and future optimized mix of strategies for protecting and sustaining services and assets

  4. Revise strategies to provide optimal operational resilience.

    Organizations may choose to take no action after analyzing their current balance of strategies for protecting and sustaining services and assets or may choose to develop a revised mix of these strategies that balances cost with the value of the assets and services. When optimization is not performed, the organization should document the rationale for taking no action and ensure that appropriate stakeholders in the organization are notified of this decision.

Determine Return on Resilience Investments

A return on resilience investments is calculated where possible.

Resilience activities are typically viewed by the organization as cost-intensive rather than an investment in the organization’s ability to move toward the achievement of strategic objectives. In much the same way that information technology was once seen as a burden to the organization but is now viewed as a strategic enabler, the resources used in supporting resilience activities must be transformed into an organizational asset that improves stakeholder value and organizational growth.

To the extent possible, it is to the organization’s advantage to quantify the true return that the organization realizes on the investment it makes in resilience. To do this, the organization must establish and collect objective and quantifiable variables that it wants to include in the calculation of return on investment, including quantifiable benefits, earnings, and avoided costs that result from the investment.

Calculating the return on resilience investment not only provides a way to justify resilience costs but provides direct support for the contributions that managing operational resilience makes toward achieving strategic objectives.

Typical work products

  1. Established variables for determining return on resilience investment (RORI)
  2. Calculated RORI for select resilience investments

Subpractices

  1. Establish and collect objective and quantifiable variables to include in the RORI calculation.

    These are examples of variables to include in the RORI calculation:

    • relevant investment costs, including

    — costs of protection strategies

    — costs of service continuity strategies

    — other labor, overhead, and materials costs related to the service or asset for which RORI is being calculated

    • relevant benefits of the investment that can be quantified, including

    — revenue improvements

    — quantifiable improvements in productivity and output

    — reductions in labor and overhead costs

    — costs that have been avoided

  2. Establish the scope of the calculation.

    The scope of the calculation must be determined by the organization. Scope includes

    • the time period being measured (one month, a year, a production period)

    • the services and/or assets for which RORI is being calculated

    • the targeted RORI that will be used to establish whether the calculated RORI is acceptable

  3. Perform the RORI calculation.

    Example of a simple RORI calculation:

    [image: simple RORI calculation]

  4. Analyze results of the RORI calculation.

    Compare the results of the RORI calculation against the targeted results and analyze the difference. If the RORI is negative, the organization must consider strategies to improve the RORI.

  5. Develop and implement strategies to improve RORI.

    This may involve an analysis of cost optimization (as described in FRM:SG5.SP1) and a determination of cost reduction strategies that will result in a projected RORI that is acceptable to the organization.
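The following worked example is added here and is not part of the CERT-RMM text. It runs constructed cost and benefit figures for two assets/services through the calculations this process area describes: true cost of resilience (COR) and budget variance with exception flagging (Perform Cost and Performance Analysis), the cost-versus-value check (Optimize Resilience Expenditures), and RORI against a target (Determine Return on Resilience Investments). Because the page's RORI example survives only as an image, the RORI formula used here is the standard ROI form (quantified benefits minus investment cost, divided by investment cost), and the spend-to-value bounds and thresholds are constructed assumptions, not values from the document.

```python
"""Added worked example (not from the CERT-RMM text): COR, budget variance,
cost-versus-value optimization, and RORI for constructed sample units.

Assumptions (not stated by the document): RORI is computed in the standard
ROI form, and the optimization check uses constructed spend-to-value bounds."""
from dataclasses import dataclass, field


@dataclass
class ResilienceLedger:
    """Constructed figures for one asset or service over one reporting period."""
    unit: str                  # asset or service in scope
    value: float               # value of the unit over the period (e.g. revenue at risk)
    budget: float              # approved resilience budget for the period
    protection_costs: float    # implementing and maintaining protective controls
    continuity_costs: float    # developing, testing, maintaining continuity plans
    other_costs: float         # labor, overhead, materials
    benefits: dict = field(default_factory=dict)  # quantified benefits by kind

    def cost_of_resilience(self) -> float:
        """COR: accumulated true cost of resilience services for this unit."""
        return self.protection_costs + self.continuity_costs + self.other_costs

    def variance(self) -> tuple:
        """Budget variance as (amount, fraction of budget); positive = overspent."""
        amount = self.cost_of_resilience() - self.budget
        return amount, amount / self.budget

    def spend_ratio(self) -> float:
        """COR expressed as a fraction of the unit's value, used for optimization."""
        return self.cost_of_resilience() / self.value

    def rori(self) -> float:
        """Return on resilience investment in standard ROI form (assumption)."""
        cor = self.cost_of_resilience()
        return (sum(self.benefits.values()) - cor) / cor


def analyze(ledger, variance_threshold=0.05, target_rori=0.25,
            spend_floor=0.02, spend_ceiling=0.15) -> dict:
    """Apply constructed organizational thresholds to one ledger and return the
    findings a variance report or RORI analysis would carry."""
    amount, fraction = ledger.variance()
    ratio = ledger.spend_ratio()
    if ratio > spend_ceiling:
        optimization = "overspend"      # resources could be redirected elsewhere
    elif ratio < spend_floor:
        optimization = "underspend"     # high-value unit may be under-protected
    else:
        optimization = "balanced"
    rori = ledger.rori()
    actions = []
    if abs(fraction) > variance_threshold:
        actions.append("report financial exception; explain variance")
    if optimization != "balanced":
        actions.append("revise protect/sustain strategy mix")
    if rori < target_rori:
        actions.append("develop RORI improvement strategy")
    return {
        "unit": ledger.unit,
        "cor": ledger.cost_of_resilience(),
        "variance": amount,
        "variance_fraction": fraction,
        "exception": abs(fraction) > variance_threshold,
        "optimization": optimization,
        "rori": rori,
        "rori_acceptable": rori >= target_rori,
        "actions": actions,
    }


# Constructed sample data: two units for one fiscal year (currency units arbitrary).
SAMPLE_LEDGERS = [
    ResilienceLedger("payment-processing-service", value=2_000_000, budget=150_000,
                     protection_costs=90_000, continuity_costs=40_000, other_costs=30_000,
                     benefits={"avoided_outage_cost": 180_000,
                               "productivity_gain": 20_000,
                               "labor_reduction": 10_000}),
    ResilienceLedger("internal-wiki", value=300_000, budget=60_000,
                     protection_costs=50_000, continuity_costs=25_000, other_costs=10_000,
                     benefits={"avoided_outage_cost": 40_000,
                               "revenue_improvement": 5_000}),
]


def analyze_all(ledgers=SAMPLE_LEDGERS) -> dict:
    """Run the analysis for every unit in scope, keyed by unit name."""
    return {ledger.unit: analyze(ledger) for ledger in ledgers}


if __name__ == "__main__":
    for unit, result in analyze_all().items():
        print(f"{unit}: COR={result['cor']:,.0f} variance={result['variance_fraction']:+.1%} "
              f"{result['optimization']} RORI={result['rori']:+.1%}")
        for action in result["actions"]:
            print(f"  -> {action}")
```

In the sample, the payment service overruns its budget by 6.7% (an exception) but is balanced against its value and clears the RORI target, while the wiki is both overspent relative to its value and has a negative RORI, so all three follow-up actions fire for it.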

Identify Cost Recovery Opportunities

Opportunities for the organization to recover costs and investments in resilience management activities are identified.

Resilience activities are a cost of doing business. Organizational units must budget for resilience activities and include these costs in the production of products or the delivery of services. Allocation of these costs helps organizational units to budget for resilience activities.

Resilience investments are capitalized where possible so that their costs can be amortized, reducing impact on the bottom line. Moving resilience costs to a capital investment where possible boosts the value of services and assets and provides an amortizable asset to the organization in lieu of an expense that has direct impact on the organization’s bottom line.

Improved operational resilience benefits everyone connected to the organization, including customers. Recovery of resilience costs means that the organization shares the burden for this activity with partners or others that have an active interest in the organization’s operational resilience instead of assuming these costs as an expense.

Typical work products

  1. Resilience cost charge-backs
  2. Standard costs for services and products (which include resilience costs)

Subpractices

  1. Determine areas where resilience costs can be assigned to and included in the production costs for services and products.

    Consider that resilience costs may be included in projects (software or system development, the construction of a facility, etc.) as well as in standard services and products.

  2. Determine the appropriate level of resilience cost charge-backs.

    The level of resilience costs that are appropriate to include in standard costs is determined and validated.

  3. Include resilience costs in the determination of standard costs for services and products.

Elaborated Generic Practices by Goal

Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Financial Resource Management process area.

Achieve Specific Goals

The operational resilience management system supports and enables achievement of the specific goals of the Financial Resource Management process area by transforming identifiable input work products to produce identifiable output work products.

Perform Specific Practices

Perform the specific practices of the Financial Resource Management process area to develop work products and provide services to achieve the specific goals of the process area.

Elaboration:

Specific practices FRM:SG1.SP1 through FRM:SG5.SP3 are performed to achieve the goals of the financial resource management process.

Institutionalize a Managed Process

Financial resource management is institutionalized as a managed process.

Establish Process Governance

Establish and maintain governance over the planning and performance of the financial resource management process.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the financial resource management process.

Subpractices

  1. Establish governance over process activities.

    Elaboration:

    FRM:SG1.SP2 calls for putting a process and structure in place for financial governance over the entire operational resilience management system. FRM:SG2.SP3 describes the role of governance in assessing the risks and taking appropriate action when essential resilience functions are not adequately funded.

    Governance over the financial resource management process may be exhibited by

    • developing and publicizing higher-level managers’ objectives for funding resilience obligations and activities

    • establishing a higher-level position and steering committee to provide direct oversight of the process and to interface with higher-level managers

    • sponsoring process policies, procedures, standards, and guidelines

    • sponsoring and providing oversight of the organization’s process program, plans, and strategies

    • sponsoring and funding process activities

    • aligning the funding of resilience obligations with identified resilience needs and objectives and stakeholder needs and requirements

    • regular reporting from organizational units to higher-level managers on funding resilience activities and results based on funds expended

    • making higher-level managers aware of applicable compliance obligations with respect to financial obligations, and regularly reporting on the organization’s satisfaction of these obligations to higher-level managers

    • creating dedicated higher-level management feedback loops on decisions about the process and recommendations for improving the process

    • providing input on identifying, assessing, and managing operational risks due to resilience funding gaps or budget shortfalls

    • conducting regular internal and external audits and related reporting to audit committees on the effectiveness of funding resilience obligations and activities

    • creating formal programs to measure the effectiveness of process activities, and reporting these measurements to higher-level managers

  2. Develop and publish organizational policy for the process.

    Elaboration:

    The financial resource management policy should address

    • responsibility, authority, and ownership for performing process activities

    • resilience budgeting, funding, accounting, and accessing and applying funds

    • procedures, standards, and guidelines for

    — conducting resilience accounting, including budgets, off-cycle and emergency funding, and financial reporting

    — allocating resources

    — preparing, reviewing, and approving funding justifications

    — requesting emergency funding

    — reviewing and validating labor and allocation charges

    — determining COR and RORI (Refer to FRM:SG4.SP2 and FRM:SG5.SP2.)

    • regularly reviewing and tracking the status of all operational resilience management budgets and expenditures, and adjusting as necessary, including regularly calculating and reviewing COR and RORI to ensure that these are within agreed-to thresholds

    • methods for measuring adherence to policy, exceptions granted, and policy violations

Plan the Process

Establish and maintain the plan for performing the financial resource management process.

Elaboration:

The plan for the financial resource management process should not be confused with goal FRM:SG2, in which resilience funding requirements and line-item and program and project budgets are established.

Subpractices

  1. Define and document the plan for performing the process.
  2. Define and document the process description.
  3. Review the plan with relevant stakeholders and get their agreement.
  4. Revise the plan as necessary.

Provide Resources

Provide adequate resources for performing the financial resource management process, developing the work products, and providing the services of the process.

Subpractices

  1. Staff the process.

    Elaboration:

    These are examples of staff required to perform the financial resource management process:

    • staff responsible for building the business case for resilience

    • higher-level and other managers responsible for determining, committing, allocating, budgeting, applying, and controlling funds for the operational resilience management system

    • higher-level and other managers responsible for ensuring that the organization meets its resilience-relevant financial obligations

    • higher-level and other managers responsible for establishing process policies and ensuring they are enforced

    • security, business continuity, and IT operations officers, directors, and managers with operational resilience management roles and responsibilities that require financial resources

    • line and business unit managers and project managers with operational resilience management roles and responsibilities that require financial resources

    • owners and custodians of high-value services and assets that support the accomplishment of operational resilience management objectives

    • staff responsible for financial accounting and reporting of operational resilience management activities, including COR and RORI

    • staff responsible for managing external entities to ensure such entities meet their resilience financial obligations

    • internal and external auditors responsible for reporting to appropriate committees on process effectiveness and the adequacy of financial resources to fund resilience obligations

    Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.

    Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.

  2. Fund the process.

    Elaboration:

    This generic practice applies to funding financial resource management process activities. This practice is separate and distinct from funding all of the other operational resilience management process areas.

    Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for the operational resilience management system.

  3. Provide necessary tools, techniques, and methods to perform the process.

    Elaboration:

    Many of these tools, techniques, and methods should already be available from their use in other aspects of organizational financial resource management. The intent here is to apply them to managing operational resilience.

    These are examples of tools, techniques, and methods to support the financial resource management process:

    • methods, techniques, and tools that support developing the business case for resilience, such as cost-benefit and “what-if” analyses, as well as collecting historical resilience accounting data

    • methods and tools for determining budgets for resilience activities, such as activity-based costing, zero-based budgeting, and incremental budgeting

    • tools and techniques for financial management, such as cost and accounting tracking systems and effort reporting systems

    • methods for performing funding gap analysis between funding needs and established budgets

    • scheme for resilience cost accumulation and categorization, such as by organizational level, organizational unit, asset, service, project, or expenditure type (labor, overhead, asset category, etc.)

    • chart of accounts specific to resilience activities

    • tools for performing variance analysis

    • methods, techniques, and tools for determining COR and RORI

    • tools for performing optimization calculations by asset, by service, or another categorization approach

Assign Responsibility

Assign responsibility and authority for performing the financial resource management process, developing the work products, and providing the services of the process.

Elaboration:

FRM:SG1.SP2 and FRM:SG2.SP2 call for assigning responsibility and authority for resilience budgeting, funding, and accounting activities. FRM:SG2.SP2 states that operational resilience management budgets may be owned by various departments, and FRM:SG4.SP1 requires budget owners to be responsible for controlling resilience costs. These activities apply universally to the operational resilience management system.

Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.

Subpractices

  1. Assign responsibility and authority for performing the process.
  2. Assign responsibility and authority for performing the specific tasks of the process.

    Elaboration:

    Responsibility and authority for performing financial resource management tasks can be formalized by

    • defining roles and responsibilities in the process plan to include roles responsible for addressing and tracking financial risk

    • including process tasks and responsibility for these tasks in specific job descriptions, particularly those of staff who own high-value organizational assets and services

    • developing and implementing contractual instruments (including service level agreements) with external entities to ensure such entities meet their resilience financial obligations for outsourced functions

    • developing policy requiring organizational unit managers, line of business managers, project managers, and asset and service owners to participate in and derive benefit from the process for budgets, assets, and services under their ownership or custodianship

    • including process tasks in staff performance management goals and objectives with requisite measurement of progress against these goals

    Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.

  3. Confirm that people assigned with responsibility and authority understand it and are willing and able to accept it.

Train People

Train the people performing or supporting the financial resource management process as needed.

Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.

Refer to the Human Resource Management process area for more information about creating an inventory of skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill set deficiencies.

Subpractices

  1. Identify process skill needs.

    Elaboration:

    These are examples of skills required in the financial resource management process:

    • knowledge of tools, techniques, and methods that can be used for budgeting, funding, accounting, accessing, applying, and reporting on resilience budgets and funding, including those necessary to perform the process using the selected methods, techniques, and tools identified in FRM:GG2.GP3 subpractice 3

    • knowledge necessary to develop operational resilience management business cases, determine COR, and calculate RORI

    • strong communication skills for conveying the operational resilience management and process strategy, funding sources, budget allocations, and financial status to higher-level managers and key stakeholders so as to obtain their commitment

    • knowledge necessary to elicit and prioritize stakeholder requirements and needs and interpret them to develop effective process requirements, funding justifications, and budgets

  2. Identify process skill gaps based on available resources and their current skill levels.
  3. Identify training opportunities to address skill gaps.

    Elaboration:

    These are examples of training topics:

    • process concepts and activities (e.g., cost accounting, variance analysis, budgeting, optimization)

    • cost-benefit and return on investment analyses

    • developing process strategy and structure

    • establishing and managing a continuous process

    • using process methods, tools, and techniques, including those identified in FRM:GG2.GP3 subpractice 3

  4. Provide training and review the training needs as necessary.

Manage Work Product Configurations

Place designated work products of the financial resource management process under appropriate levels of control.

Elaboration:

These are examples of financial resource management work products placed under control:

• business case for resilience

• funding strategy and requirements for resilience activities

• resilience accounting policies and procedures

• financial management tools and techniques

• resilience budgets and budget projections, including those for the overall resilience program as well as line-item budgets at the enterprise and organizational unit or line of business level and project budgets

• funding gaps and decisions about addressing them

• funding justifications

• resilience financial reports, including variance analysis

• resilience cost accumulation and categorization scheme

• current and historical calculations for COR and RORI

• resilience cost charge-backs

• process plan

• contracts with external entities

Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the financial resource management process as planned.

Elaboration:

FRM:SG5.SP1 requires that stakeholders be notified when the organization decides not to revise strategies that protect and sustain services and assets for optimal operational resilience.

Subpractices

  1. Identify process stakeholders and their appropriate involvement.

    Elaboration:

    These are examples of stakeholders of the financial resource management process:

    • managers and staff

    — contributing to and reviewing resilience funding requirements and funding assumptions

    — contributing to and reviewing the business case for the operational resilience management program and process

    — whose existing operating budgets may be allocated to fund operational resilience management activities (such as line and business unit managers, project managers, IT security, IT operations, and those responsible for services and products that may incur an add-on charge)

    — contributing to funding gap analysis and assessing risks arising from budget shortfalls

    — contributing to optimization and return on investment calculations

    — involved in the review and adjustment of strategies to protect and sustain services and assets

    • owners of identified assets and services

    — for which operational resilience management budgets and resources are accessed, allocated, and applied

    — who help determine asset and service values and the cost of controls to aid in optimization and return on investment decisions

    • custodians of identified assets and services (who may need to participate in funding planning)

    Stakeholders are involved in various tasks in the financial resource management process, such as

    • planning for the process

    • making decisions about the process

    • making commitments to process plans and activities

    • communicating process plans and activities

    • coordinating process activities

    • identifying budget sources and ownership for operational resilience management activities

    • reviewing and appraising the effectiveness of process activities, including analysis of variances as well as COR and RORI calculations

    • establishing requirements for the process

    • resolving issues in the process

    • identifying stakeholders associated with each line of business, program, asset, and service budget that contributes to operational resilience management activities

    • identifying stakeholders that have to be notified when optimization is not performed and when optimization actions are not taken (Such notification includes supporting rationale.)

  2. Communicate the list of stakeholders to planners and those responsible for process performance.
  3. Involve relevant stakeholders in the process as planned.

Monitor and Control the Process

Monitor and control the financial resource management process against the plan for performing the process and take appropriate corrective action.

Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.

Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.

Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.

Subpractices

  1. Measure actual performance against the plan for performing the process.
  2. Review accomplishments and results of the process against the plan for performing the process.

    Elaboration:

    These are examples of metrics for the financial resource management process:

    • financial cost data that is used as the basis for developing resilience funding requirements

    • COR and RORI calculations, both current and historical for trend analysis purposes

    • percentage of resilience activities with required budgets assigned, allocated, and applied, organized by line of business, organizational unit, project, asset, and service, or by another meaningful categorization scheme

    • percentage of resilience activities without required budget allocations for which gap and risk analysis has been performed

    • percentage of resilience activities subject to off-cycle or off-budget funding requests

    • percentage of resilience activities tracking to planned budgets

    • percentage of resilience activities with budget variances outside of established thresholds and for which resolution plans have been developed to reduce or eliminate these variances

    • percentage of financial exceptions by reporting period

    • percentage of high-value assets and services for which optimization calculations have been performed

    • percentage of optimization opportunities where no action has been taken

    • number of financial resource risks referred to the risk management process; number of risks where corrective action is still pending (by risk rank)

    • level of adherence to process policies; number of policy violations; number of policy exceptions requested and number approved

    • number of process activities that are on track per plan

    • rate of change of resource needs to support the process

    • rate of change of costs to support the process

  3. Review activities, status, and results of the process with the immediate level of managers responsible for the process and identify issues.

    Elaboration:

    Periodic reviews of the financial resource management process are needed to ensure that

    • resilience activities are being budgeted, accounted for, and controlled

    • strategic operational resilience management activities and budgets are on track

    • key financial metrics are within acceptable ranges as demonstrated in governance dashboards or scorecards and financial reports

    • administrative, technical, and physical controls are operating as intended

    • controls are meeting the stated intent of the resilience requirements

    • financial reports are provided to appropriate stakeholders in a timely manner

    • actions resulting from internal and external audits are being closed in a timely manner

  4. Identify and evaluate the effects of significant deviations from the plan for performing the process.
  5. Identify problems in the plan for performing and executing the process.
  6. Take corrective action when requirements and objectives are not being satisfied, when issues are identified, or when progress differs significantly from the plan for performing the process.
  7. Track corrective action to closure.

Objectively Evaluate Adherence

Objectively evaluate adherence of the financial resource management process against its process description, standards, and procedures, and address non-compliance.

Elaboration:

These are examples of activities to be reviewed:

• the identification, commitment, allocation, and tracking of budgets for operational resilience management system activities

• the assignment of responsibility, accountability, and authority for budgeting, funding, and accounting of operational resilience management system activities

• the determination of the adequacy of operational resilience management financial reviews, including funding gap analysis and budget variance analysis

• the identification of risks resulting from budget shortfalls

• the review of off-budget and off-cycle funding requests and approvals

• the definition of any financial exceptions

• action and inaction on operational resilience management optimization calculations

• use of risk-based and financial information for improving strategies for protecting and sustaining services and assets

• the alignment of stakeholder requirements with process plans

• assignment of responsibility, accountability, and authority for process activities

• determination of the adequacy of process reports and reviews in informing decision makers regarding the performance of operational resilience management activities and the need to take corrective action, if any

These are examples of work products to be reviewed:

• process plan and policies

• business case for resilience

• funding strategy and requirements for resilience activities

• financial management tools and techniques

• resilience budgets and budget projections, including those for the overall resilience program as well as line-item budgets at the enterprise and organizational unit or line of business level and project budgets

• funding gaps and decisions for addressing them

• funding justifications

• resilience financial reports, including variance analysis

• resilience cost accumulation and categorization scheme

• current and historical calculations for COR and RORI

• resilience cost charge-backs

• metrics for the process (Refer to FRM:GG2.GP8 subpractice 2.)

• contracts with external entities

Review Status with Higher-Level Managers

Review the activities, status, and results of the financial resource management process with higher-level managers and resolve issues.

Elaboration:

Status reporting on the financial resource management process is likely part of the formal governance structure or may be performed through other organizational reporting requirements (such as through the chief financial officer or the chief resilience officer to an immediate superior). Audits of the process may be escalated to higher-level managers and board directors through the organization’s audit committee of the board of directors or similar construct.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.

Institutionalize a Defined Process

Financial resource management is institutionalized as a defined process.

Establish a Defined Process

Establish and maintain the description of a defined financial resource management process.

Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.

Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.

Subpractices

  1. Select from the organization’s set of standard processes those processes that cover the financial resource management process and best meet the needs of the organizational unit or line of business.
  2. Establish the defined process by tailoring the selected processes according to the organization’s tailoring guidelines.
  3. Ensure that the organization’s process objectives are appropriately addressed in the defined process, and ensure that process oversight extends to the tailored processes.
  4. Document the defined process and the records of the tailoring.
  5. Revise the description of the defined process as necessary.

Collect Improvement Information

Collect financial resource management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.

Elaboration:

These are examples of improvement work products and information:

• issues with the budgeting, commitment, allocation, tracking, variance analysis, gap analysis, off-cycle budget allocation, and optimization processes

• reports on financial exceptions

• optimization calculations and action or inaction with respect to these

• metrics and measurements of the viability of the process (Refer to FRM:GG2.GP8 subpractice 2.)

• changes and trends in operating conditions, risk conditions, and the risk environment that affect operational resilience management budget allocations and expenditures

• lessons learned in post-event review of incidents and disruptions in continuity

• process lessons learned that can be applied to improve controls and inform future budgeting activities

• reports on the effectiveness and weaknesses of controls

• resilience requirements that are not being satisfied or that are being exceeded

Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.

Subpractices

  1. Store process and work product measures in the organization’s measurement repository.
  2. Submit documentation for inclusion in the organization’s process asset library.
  3. Document lessons learned from the process for inclusion in the organization’s process asset library.
  4. Propose improvements to the organizational process assets.