The purpose of Financial Resource Management is to request, receive, manage, and apply financial resources to support resilience objectives and requirements.
Every activity that an organization performs requires a commitment of financial resources. This is particularly true for managing operational resilience—activities like security and business continuity are resource-intensive, and the cost of these activities continues to increase as new threats emerge, technology becomes more pervasive and complex, and the organization shifts its asset base from tangible assets to intangible assets such as information. As the building blocks of organizational services, assets require increasingly sophisticated protection strategies and continuity plans. This requires the organization to make a financial commitment to asset development, implementation, and long-term operation and support.
Besides ensuring proper funding considerations for resilience activities, effective consideration of financial resources is also an organizational necessity for managing these activities. The cost of strategies to protect and sustain assets and services must be optimized to the value of the potential loss of the productivity of assets and services. In addition, understanding the true cost of protecting and sustaining these assets and services is paramount for effectively managing their resilience. Without relevant information about the costs of protecting and sustaining assets, the organization cannot know when costs are misaligned with asset value and contribution.
Financial Resource Management is focused on improving the organization’s ability to apply financial resources to fund resilience activities while helping the organization to actively manage the cost and return on investment of these activities. The organization establishes a plan for defining financial resources and needs and assigning these resources to resilience activities. Budgets are established, funding gaps are identified, and costs are tracked and documented. Through effective financial management, the organization establishes its ability to measure return on resilience investments through calculating “risk versus reward” and by identifying cost recovery opportunities. In short, financial resource management provides for the possibility that resilience activities can become investments that the organization uses to move its strategic objectives forward and that can be recouped through improved value to stakeholders and customers.
Visible and active sponsorship and support for funding resilience activities are addressed in the Enterprise Focus process area.
The processes for identifying, analyzing, and mitigating risks that result from underfunding or lack of funding for resilience requirements are addressed in the Risk Management process area.
A commitment to funding resilience activities is established.
Establishing a commitment to funding the organization’s operational resilience management system is a key factor in its success. Typically, funding for resilience activities is indirect, drawn as required from other budgets in areas such as information technology and security rather than allocated based on resilience needs and requirements. This leads to an ineffective and inefficient allocation of financial resources for managing operational resilience, which ultimately affects the organization’s ability to successfully achieve resilience objectives.
Dedicated funding for operational resilience management requires active and visible sponsorship from higher-level managers. The budgeting and funding activity for resilience should coexist with activities used to develop funding for strategic objectives and operational plans. A structure to enforce and reinforce financial planning, budgeting, and resource allocation must be developed and implemented to ensure ongoing support for the operational resilience management system and to avoid funding these activities in an ad hoc, event-driven, or funds-available manner. The organization’s commitment to funding operational resilience management should also extend to identifying the resources in the organization who are responsible for developing and funding resilience budgets and for managing the costs of resilience activities against these budgets.
A commitment by higher-level managers to fund resilience activities is established.
(This practice is repeated from the Enterprise Focus process area and enhanced for emphasis. It assumes that there is visible and active support and sponsorship for the operational resilience management system by higher-level managers in the organization.)
Budgeting is a process of allocating funds to organizational activities that support and promote strategic objectives. When resilience is considered a strategic competency, funding for resilience activities must be included as part of the organization’s capital and expense funding needs rather than as an afterthought that is indirectly funded through IT activities or as needed when disruptive events occur.
Sponsorship of the operational resilience management system is made actionable by higher-level managers’ commitments to funding the resilience program and the accompanying activities and tasks. This requires that they commit to
• supporting the business case for operational resilience management
• including resilience needs in the funding of strategic objectives
• ensuring that resilience needs are adequately funded
• releasing funds as necessary to support the attainment of strategic resilience objectives
Typical work products
Subpractices
Sponsorship of the investment in the operational resilience management system must be based on a sound business case. The investment in resilience must bring about tangible, measurable, and demonstrable value to the organization. The business case for resilience should
• justify the investment through itemization of tangible benefits and results
• articulate the strategic outcomes that would result from investments in resilience activities
• articulate the potential risks and costs associated with not investing in resilience activities
• establish that the funding necessary for resilience is appropriate and adequate
• provide sufficient information to allow comparative evaluations of alternative actions
• establish the accountability and commitments for the achievement of the benefits and strategic outcomes
The development of budgets to support the operational resilience management system is addressed in FRM:SG2.SP2.
As part of their sponsorship of the operational resilience management system, higher-level managers must identify the sources of funds that will be used. Higher-level managers may allocate a portion of existing operating budgets to resilience, create a pool of resources at the enterprise level for allocation, or develop dedicated funding streams (such as an add-on charge to customer services or products) to fund the resilience activities of the organization.
The allocation of funding for operational resilience management activities is addressed in FRM:SG3.SP1.
The structure that supports the assignment and management of financial resources to resilience activities is established.
Organizations typically have a standardized budgeting and accounting structure that ensures consistency, accuracy, and reliability of financial data for financial management. The structure helps the organization to develop budgets, allocate funds to capital projects or to support operational processes, and account for the use of funds against budgets—in essence, to control organizational finances.
Because the operational resilience management system is often cost-intensive, the organization must have a structure and process that extend to managing the financial aspects of resilience, including providing a means for
• budgeting for resilience activities
• allocating and delivering funds to resilience activities (whether these activities are scheduled or are performed during an emergency or event)
• accounting for and tracking the costs of providing resilience services
• identifying and understanding cost variances in providing resilience services
• providing financial governance over the operational resilience management system
• determining the cost-benefit ratio of resilience decisions and performing other analytical activities related to resilience
• forecasting future operational-resilience-management-related costs and investments
• committing resources to authority and accountability for managing the financial aspects of operational resilience management
• communicating the financial process and structure for operational resilience management to all in the organization with a need to know
Addressing the financial aspects of operational resilience management separately from other operating expenses and capital outlays ensures that the cost (and potential revenue) related to operational resilience is visible and can be actively managed as are other organizational expenses and capital improvements. In turn, this allows the organization to take actions to control costs, shift financial resources as necessary, and explain variations in costs related to events or other disruptions—in other words, to provide resilience at the lowest possible cost and highest possible return to the organization. In addition, implementing a structure that supports specific funding for managing operational resilience ensures that it is considered as a separate item, distinct from pools of funding supplied to less specific activities such as security, business continuity planning, and IT operations management.
Typical work products
Subpractices
Resilience accounting policies and procedures establish the ways in which the organization expects resilience costs and investments to be documented, budgeted, funded, tracked, and accounted for. These policies and procedures should establish the financial management structure necessary for resilience accounting and should specifically address
• expansion of the organization’s chart of accounts to include resilience accounts
• establishment of related charge strings and budgets for resilience activities and projects (which would roll up into the chart of accounts)
• funding policies and procedures to fund resilience activities
• policies and procedures for funding off-cycle or emergency funding requests related to resilience activities (to avoid overspending and lack of accountability)
• resilience financial reporting requirements (both internally and externally)
Accountability for achieving the benefits, controlling the costs, managing the risks, and coordinating the activities and interdependencies of multiple projects should be clearly and unambiguously assigned and monitored. In order to assign financial responsibility, the organization specifically identifies and documents those staff who are authorized to make financial commitments to resilience management activities.
Planning for funding resilience management activities is performed.
Resilience activities tend to be funded in one or more of the following ways:
• as part of an organizational unit or line of business budget (typically for building and executing service continuity plans)
• as part of other support department budgets (typically IT, IT security, or IT operations, or possibly as part of the organization’s risk management budget)
• when emergencies, events, or other disruptions arise (ad hoc, without specific budget or spending controls)
While these funding methodologies may be effective in the short term, the increasing importance of actively managing resilience demands that the organization be able to understand its resilience financial obligations, determine how to fund these obligations, and identify cost savings and optimization opportunities where possible to continually improve the efficiency of applying financial resources to what is traditionally thought of as a cost center.
Funding resilience competes with projects, activities, and initiatives that the organization may have in its sights to meet strategic objectives, improve revenue, and improve return to stakeholders. Because of this, specific consideration of and planning for resilience financial obligations give the organization control over these obligations so that they can not only be cost-effective but become investments in meeting these competing goals.
To perform financial planning for operational resilience management, the organization must specifically define its financial obligations, establish resilience budgets, and resolve funding gaps and conflicts that arise from competing objectives.
The financial obligations for managing the operational resilience management system are established.
The activities necessary for protecting and sustaining organizational assets and services are often cost-intensive and result in vaguely discernible returns to the organization. In some cases, they are simply a cost of operations—to keep services productive toward their mission and assets deployed to support services as necessary.
Unfortunately, the cost of resilience activities, particularly when viewed at the asset or service level, is often addressed through discretionary funds—those that have not been earmarked for any particular purpose. Thus, the funding of these activities is inconsistent, prone to reaction-based allocation, and not typically based on requirements. Meeting resilience requirements requires a certain level of non-discretionary, specifically allocated funding that provides for the people, processes, and technology necessary to meet the requirements. In other words, funding needs for managing resilience should be specifically identified and funds must be considered, allocated, and earmarked based on need.
To make effective optimization and trade-off decisions, the organization must confront the true cost of the requirements it has set to manage resilience. Viewing resilience costs from a requirements perspective provides a more accurate picture of the true cost of managing operational resilience, laying the groundwork for cost reduction and reallocation based on need rather than discretionary and arbitrary decisions.
Typical work products
Subpractices
Historical data includes the cost, effort, and schedule data from previously executed projects, activities, and tasks.
Determining resilience funding requirements is not a trivial task. It takes a thorough examination of many factors at the asset, service, and enterprise levels. The following should be considered when determining resilience funding requirements:
• the costs associated with developing, implementing, monitoring, and maintaining protective controls for assets and services
• the costs associated with developing, testing, implementing, and maintaining service continuity plans
• direct and indirect labor costs associated with resilience tasks and activities
• allocated costs from the enterprise for shared services such as network security, physical security controls on buildings and facilities, and other allocated IT and facilities security services
• associated overhead costs levied by the enterprise
• costs for performing risk assessments and business impact analyses, and developing and implementing corrective actions
• costs for tools, methodologies, and software licenses to support resilience activities
• costs for labor, including direct labor, training, skills development, etc.
• costs for external assistance (consulting and labor)
• special projects that must be funded to improve or sustain resilience
• costs related to potential operational environment changes that may occur in the future that would affect the budget
• allowances for emergency funding or future-looking needs
• actual costs of resilience services and activities in past performance periods
Funding assumptions must support the satisfaction of resilience requirements. Thus, they must be compared to these requirements for validation.
Capital and expense budgets for resilience management are established.
Budgeting is an activity that emanates from strategic planning. The organization develops budgets to ensure that funding is available and allocated to support its strategic objectives. In much the same way, resilience objectives (which support strategic objectives) must be specifically funded.
As part of the organization’s regular budgeting process, resilience budgets should be developed based on funding assumptions. In practice, this typically refers to organizational unit level budgeting of specific resilience accounts and/or the expansion of existing account budgets to allow for allocated costs from the enterprise.
The organization may also have to establish enterprise-level budgets that provide resilience services that are allocated across the organization and may have to specifically fund enterprise-level resilience program activities that support the operational resilience management system that traverses the organization.
Subpractices
There are a number of budgeting methods that may be in use in a typical organization. These methods should be employed when developing resilience budgets as well. Budgeting methods include activity-based costing, zero-based budgeting, and incremental budgeting.
The budget should be based on the funding requirements as considered in FRM:SG2.SP1.
These budgets are typically owned by departments such as information technology, IT security, risk management, legal, audit, or other enterprise departments that are responsible for aspects of security, business continuity, and IT operations management.
To ensure that budgets are used as a primary financial control in the deployment and execution of resilience activities and tasks, clear responsibility and authority for developing and managing resilience budgets must be assigned.
Tying performance measures to resilience budgets ensures adequate financial performance and commitment to meeting resilience requirements.
Identify and resolve gaps in funding for resilience management and mitigate associated risks.
Identifying and resolving funding gaps for managing operational resilience is a process check that ensures that essential activities necessary for meeting resilience requirements are funded adequately. The failure to include essential activities and fund them appropriately potentially exposes the organization to additional risk.
The organization actively compares resilience budgets to the cost of activities necessary to support operational resilience, identifies potential gaps, and attempts to resolve these gaps by taking mitigating actions such as increasing budgets, reprioritizing activities, or developing other options.
Risks that result from funding gaps may have to be resolved and mitigated. In addition, these risks may have to be escalated to oversight or governance personnel to ensure that they are aware that essential resilience functions are not being covered. Governance may result in corrective actions such as reallocation of funds, reprioritization of activities, or other actions to mitigate resulting risks.
Risks that result from underfunding of resilience requirements may have to be considered in the Risk Management process area. Escalating operational risk issues to higher-level managers for consideration and corrective action is addressed in the Enterprise Focus process area.
Typical work products
Subpractices
Risks identified as related to budget shortfalls should be referred to the organization’s risk management process for inclusion in the continuous risk management cycle. (The processes for identifying, analyzing, and mitigating risk are included in the Risk Management process area.)
The organization’s essential activities for managing and sustaining operational resilience are funded.
The organization must have processes in place to ensure that access to funds for managing and sustaining operational resilience is provided. Typically, this occurs through normal funding mechanisms, but due to the nature of managing operational resilience, additional provisions may have to be made to ensure that off-cycle requests are handled in a timely manner.
Access to funds for resilience management activities is provided.
Establishing and sustaining resilience requires the organization to have a structure and process for allocating and distributing funding for procuring the necessary goods and services to support resilience and the development, implementation, and management of strategies to both protect and sustain services and supporting assets. Access to resilience-directed funding is typically made through the organization’s regular mechanisms for funding activities, expenses, and capital purchases, but special circumstances often arise when managing operational resilience that require off-cycle budget requests that must be met in a timely manner.
Funds requests are generally handled through funding mechanisms that are common to most organizations:
• Expense requests provide access to funds for approved expenses related to providing resilience services (such as travel).
• Purchase requests provide access to funds for approved expense-related and capital purchases (such as hardware and software or office supplies).
• Labor related to providing resilience services is generally funded through time and effort reporting.
• Overhead associated with shared costs of providing resilience services is generally funded through overhead allocation.
Off-budget or off-cycle requests for funds to provide resilience services can be a control weakness for many organizations because they typically occur during times of stress, and the usual mechanisms for funding are abandoned. Thus, the organization must have generally accepted processes and procedures for these types of funding requests so that they can be controlled to the extent possible.
Typical work products
Subpractices
Policies and procedures should include provisions for
• funding justifications
• reviewing justifications and approving funding requests
• emergency funding requests
• reviewing and validating labor and allocation charges to resilience budgets (that are not part of a request process)
Resilience projects (such as the development, design, and implementation of resilience requirements in a system or software development project) should be funded directly through project funding mechanisms.
This process should include a proper approval structure that allows for expedient provision of funds but does not impair the time-dependent nature of the requests.
Accounting for the financial commitment to resilience activities is performed and used for process improvement.
Gathering data on the cost of managing and supporting operational resilience is an essential activity for establishing financial management and responsibility and for performing cost-benefit analysis on the impact and value of these services. Without financial data, no conclusions can be drawn as to whether the investment in managing operational resilience is worth the organization’s commitment. The organization establishes accounting processes that accumulate data on the expenditures and costs associated with providing services to manage and support the operational resilience of services and associated assets.
Accounting for resilience activities requires the organization to track and document related costs and to analyze these costs to ensure they are in line with expectations, to identify variances, and to determine the true cost of providing resilience services.
The costs associated with resilience management are tracked and documented.
In order to consider the true cost of providing resilience services to the organization, and the potential return on investment that results, the organization must have established and consistent procedures for tracking and documenting the various costs associated with managing operational resilience. This information is a fundamental element in accounting for resilience activities and is an essential input to controlling and managing costs. Without this information, organizational managers cannot provide an adequate level of resilience at the lowest possible cost to the organization.
Typical work products
Subpractices
There are several levels of cost accumulation and tracking that an organization must consider:
• organizational level, including enterprise, organizational unit, line of business, or department
• organizational unit, including asset, service, or project
• expenditure type, including labor, overhead, software, hardware, facilities management, etc.
The organization’s accounting system should be able to produce financial data to a level of granularity that allows the organization to track resilience costs for assets or services, or any other unit that the organization chooses. Financial data should be supplied regularly to authorized staff (such as department managers who are responsible for controlling resilience costs).
Budget variances may be identified by any of the levels that the organization establishes for cost accumulation (as suggested in subpractice 1). The variances should be calculated at the levels that are most helpful for the organization to manage resilience costs.
Cost and performance analysis for funded resilience management activities is performed.
Cost accounting and analysis for resilience activities provides the organization with a tool for determining effectiveness and efficiency, managing costs within budgets, determining return on resilience investment, and accurately projecting budgets and costs for resilience in the future.
Typical work products
Subpractices
The organization should attempt to determine if the variance is meaningful and whether it should be reduced or eliminated. The organization should particularly attempt to determine if the variance is the result of necessary increases in expenditure to maintain operational resilience.
Based on cost accumulation and tracking, the organization should attempt to determine the true cost of providing resilience services so that this information can be used in optimization and return on investment calculations. The cost of resilience (COR) should be calculated at the level appropriate for making financial decisions about resilience (such as at the asset or service level).
Financial exceptions may be indicators of issues and concerns in the operational resilience management system that must be escalated to oversight managers and committees. The organization should determine which types of financial exceptions should be reported and have a mechanism in place to report these exceptions on an as-needed basis.
The return to the organization for investment in resilience activities is measured and assessed.
The organization ultimately “invests” in operational resilience as a means for ensuring that its strategic objectives can be met. Foremost, the investment in resilience should optimize strategies to protect and sustain assets and services at the lowest possible cost to the organization. However, because resilience is typically a cost-driven activity, an organization may also seek to determine if its investment in resilience services and activities actually brings a return (by paying for itself through improved service uptime, quality, and reliability).
Optimizing resilience expenditures and investments requires the organization to examine the optimization of costs for providing resilience services, determine a “return on resilience investment,” and seek out ways to continually reduce overall costs while providing and supporting an acceptable level of resilience services.
The costs to implement and manage strategies to protect and sustain services and assets are optimized against the benefits.
The costs of attaining and sustaining an adequate level of operational resilience for an asset or service must be optimized against the value of the asset or service to the organization in order to rationalize and maximize the organization’s investment in resilience.
Overspending on resilience services potentially redirects limited resources away from assets and services that need them; underspending results in high-value assets and services that are not adequately protected and likely cannot be sustained when disrupted.
In addition, optimization helps the organization to determine the right mix of strategies. For example, the development of a service continuity plan may be a lower-cost option than implementing a protective control while still adequately satisfying the asset’s or service’s resilience requirements.
Typical work products
Subpractices
The organization must determine which of the assets and services should be candidates for consideration of optimization review and calculation. The assets and services prioritized as high-value are a foundational starting point for determining the scope of this activity.
This process relies upon accurate and timely cost accumulation and reporting and an accurate determination of the value of the assets or services under examination. Optimization calculations should be expressed in monetary values, but other acceptable values to the organization can be considered when necessary (such as productive hours or product output).
Optimization is a balancing act that requires consideration of many aspects of managing operational resilience, including
• the current cost of protective controls and their effectiveness
• the costs related to developing, testing, and maintaining service continuity plans
• the value of the asset or service to the organization
• risk assumptions regarding how much risk the organization would be willing to accept based on the current and future optimized mix of strategies for protecting and sustaining services and assets
Organizations may choose to take no action after analyzing their current balance of strategies for protecting and sustaining services and assets or may choose to develop a revised mix of these strategies that balances cost with the value of the assets and services. When optimization is not performed, the organization should document the rationale for taking no action and ensure that appropriate stakeholders in the organization are notified of this decision.
A return on resilience investments is calculated where possible.
Resilience activities are typically viewed by the organization as cost-intensive rather than an investment in the organization’s ability to move toward the achievement of strategic objectives. In much the same way that information technology was once seen as a burden to the organization but is now viewed as a strategic enabler, the resources used in supporting resilience activities must be transformed into an organizational asset that improves stakeholder value and organizational growth.
To the extent possible, it is to the organization’s advantage to quantify the true return that the organization realizes on the investment it makes in resilience. To do this, the organization must establish and collect objective and quantifiable variables that it wants to include in the calculation of return on investment, including quantifiable benefits, earnings, and avoided costs that result from the investment.
Calculating the return on resilience investment not only provides a way to justify resilience costs but provides direct support for the contributions that managing operational resilience makes toward achieving strategic objectives.
Typical work products
Subpractices
The scope of the calculation must be determined by the organization. Scope includes
• the time period being measured (one month, a year, a production period)
• the services and/or assets for which the return on resilience investment (RORI) is being calculated
• the targeted RORI that will be used to establish whether the calculated RORI is acceptable
Example of a simple RORI calculation:
Compare the results of the RORI calculation based on the targeted results and analyze the difference. If the RORI is negative, the organization must consider strategies to improve the RORI.
This may involve an analysis of cost optimization (as described in FRM:SG5.SP1) and a determination of cost reduction strategies that will result in a projected RORI that is acceptable to the organization.
Opportunities for the organization to recover costs and investments in resilience management activities are identified.
Resilience activities are a cost of doing business. Organizational units must budget for resilience activities and include these costs in the production of products or the delivery of services. Allocation of these costs helps organizational units to budget for resilience activities.
Resilience investments are capitalized where possible so that their costs can be amortized, reducing impact on the bottom line. Moving resilience costs to a capital investment where possible boosts the value of services and assets and provides an amortizable asset to the organization in lieu of an expense that has direct impact on the organization’s bottom line.
Improved operational resilience benefits everyone connected to the organization, including customers. Recovery of resilience costs means that the organization shares the burden for this activity with partners or others that have an active interest in the organization’s operational resilience instead of assuming these costs as an expense.
Typical work products
Consider that resilience costs may be included in projects (software or system development, the construction of a facility, etc.) as well as in standard services and products.
The level of resilience costs that are appropriate to include in standard costs is determined and validated.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Financial Resource Management process area.
The operational resilience management system supports and enables achievement of the specific goals of the Financial Resource Management process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Financial Resource Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices FRM:SG1.SP1 through FRM:SG5.SP3 are performed to achieve the goals of the financial resource management process.
Financial resource management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the financial resource management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the financial resource management process.
Elaboration:
FRM:SG1.SP2 calls for putting a process and structure in place for financial governance over the entire operational resilience management system. FRM:SG2.SP3 describes the role of governance in assessing the risks and taking appropriate action when essential resilience functions are not adequately funded.
Elaboration:
Establish and maintain the plan for performing the financial resource management process.
Elaboration:
The plan for the financial resource management process should not be confused with goal FRM:SG2, in which resilience funding requirements and line-item and program and project budgets are established.
Subpractices
Provide adequate resources for performing the financial resource management process, developing the work products, and providing the services of the process.
Subpractices
Elaboration:
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Elaboration:
This generic practice applies to funding financial resource management process activities. This practice is separate and distinct from funding all of the other operational resilience management process areas.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for the operational resilience management system.
Elaboration:
Many of these tools, techniques, and methods should be available as applied to other aspects of organizational financial resource management. The intent here is to apply these to managing operational resilience.
Assign responsibility and authority for performing the financial resource management process, developing the work products, and providing the services of the process.
Elaboration:
FRM:SG1.SP2 and FRM:SG2.SP2 call for assigning responsibility and authority for resilience budgeting, funding, and accounting activities. FRM:SG2.SP2 states that operational resilience management budgets may be owned by various departments, and FRM:SG4.SP1 requires budget owners to be responsible for controlling resilience costs. These activities apply universally to the operational resilience management system.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the financial resource management process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about creating an inventory of skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill set deficiencies.
Subpractices
Elaboration:
Elaboration:
Place designated work products of the financial resource management process under appropriate levels of control.
Elaboration:
Identify and involve the relevant stakeholders of the financial resource management process as planned.
FRM:SG5.SP1 requires that stakeholders be notified when the organization decides not to revise strategies that protect and sustain services and assets for optimal operational resilience.
Subpractices
Elaboration:
Monitor and control the financial resource management process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
Objectively evaluate adherence of the financial resource management process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the financial resource management process with higher-level managers and resolve issues.
Elaboration:
Status reporting on the financial resource management process is likely part of the formal governance structure or may be performed through other organizational reporting requirements (such as through the chief financial officer or the chief resilience officer to an immediate superior). Audits of the process may be escalated to higher-level managers and board directors through the organization’s audit committee of the board of directors or similar construct.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Financial resource management is institutionalized as a defined process.
Establish and maintain the description of a defined financial resource management process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect financial resource management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices