GBS Insider ClubField Guide Free
Risk Management June 2026

Pillar 9 · Cluster 1

Risk management for GBS operations

Business continuity, vendor risk, and incident management are not theoretical frameworks — they are the operational shields that determine whether your GBS center survives disruptions or collapses under them.

75%Of organizations experienced a significant disruption in the past 3 years
4th partyVendor risk now extends beyond your direct suppliers
4 hoursMaximum acceptable downtime for critical GBS processes
GBS risk management framework — risk cycle, assessment matrix, risk categories, risk register

Risk management framework — identification through reporting

Identify Find the risks Assess Impact x likelihood Mitigate Controls and actions Monitor Track effectiveness Report Escalate as needed
Risk Management Cycle

Topic 01 · Business Continuity

Business Continuity Planning in GBS

TL;DR

Business continuity plans are tested by reality without warning. A BCP that exists only as a document is a wish with a title page. The model is in THE FIX.

The plan looked complete.
Then the building closed.

2 min read · full theory in the expandable
The Problem
P
Peter
Team lead · Year 2 · Budapest

A burst pipe closes Peter’s floor on a Tuesday. The BCP exists — nobody has ever run it.

Laptops at desks. Call trees outdated. One critical task needs a token locked in a drawer upstairs.
Recovery takes two days. The plan promised four hours.

"We had a document. We did not have a capability."

He feels humbled by a pipe.

The Trap

You equate having a plan with having tested one. Reality only grades the second.

The Fix

A living BCP has three moving parts.

CRITICAL FIRSTRanked processes. What must run within hours vs what can wait days.
WORKAROUNDSReal alternatives, pre-staged. Remote access verified, authorities delegated, contacts current.
DRILLSTested twice a year. A tabletop exercise finds in one hour what a crisis finds in two days.

The next drill takes ninety minutes and finds four gaps. Cheap lessons — bought before the next pipe.

Business continuity in depthTHEORY · 4 MIN

When your GBS center goes offline — power failure, pandemic, natural disaster, cyberattack — what happens to the 50,000 invoices, payroll runs, and customer orders that depend on it?

A BCP that has never been tested is not a plan. It is a document. Business Continuity Planning (BCP) is the discipline of ensuring critical business processes can continue during and after a disruption. For GBS operations, this means:

  • Identifying which processes are critical
  • Defining acceptable downtime
  • Establishing backup capabilities
  • Testing the plan regularly
BCP essentials for GBS
  • Business Impact Analysis (BIA) — classify every process by criticality and maximum tolerable downtime (MTD)
  • Recovery Time Objective (RTO) — how quickly must the process be restored after disruption
  • Recovery Point Objective (RPO) — how much data loss is acceptable (e.g., last backup was 4 hours ago)
  • Alternate site strategy — secondary location, remote work capability, or partner site that can absorb critical workload
  • Communication plan — who gets notified, in what order, through which channels when a disruption occurs
  • Testing cadence — tabletop exercises quarterly, full simulation annually, lessons learned documented and actioned
BIA Criticality & downtime limits RTO / RPO Recovery time & data targets ALT SITE Backup capacity & location COMMS Who, what, when, channel TEST Drill quarterly · simulate annually
BCP works only when regularly tested.
The testing gap

Most GBS organizations have a BCP document. Far fewer have tested it under realistic conditions.

  • A plan that says "employees will work from home" fails when VPN capacity is 500 users and you have 3,000 employees.
  • A plan that says "work transfers to the secondary site" fails when the secondary site has never processed a live transaction.

Test the plan, find the gaps, fix them before the disruption arrives.

RISK CATEGORIES IN GBS OPERATIONALProcess failuresErrors · Delays · Outages COMPLIANCERegulatory breachesSOX · GDPR · Tax FINANCIALMisstatement riskFraud · Errors · Write-offs STRATEGICBusiness model threatsAI disruption · Offshoring KNOW YOUR RISK CATEGORIES · CONTROLS MUST MATCH

Risk categories — operational, financial, compliance, technology, people

Monday Move

Pick your most critical task. Could you run it from home, today, with current access? Verify.

Your continuity depends on vendors too. Theirs is your problem.

Topic 02 · Third-Party Risk

Vendor risk — third and fourth party exposure

TL;DR

Your vendor’s vendor can take you down. Third- and fourth-party risk means knowing the chain, not just the contract. The model is in THE FIX.

Your vendor was fine.
Their vendor was not.

2 min read · full theory in the expandable
The Problem
K
Klaudia
Senior associate · Year 3 · Krakow

Klaudia’s data provider goes dark for a day. The provider’s own cloud subcontractor failed.

Her team’s contract covered the vendor. Nobody had ever asked who the vendor depended on.
The outage arrived through a company nobody in the building could name.

"We managed the contract. The risk lived one layer deeper."

She feels blindsided by the supply chain behind the supply chain.

The Trap

You assess the vendor you signed and ignore the chain they stand on.

The Fix

Vendor risk is a chain, mapped three links deep.

THIRD PARTYYour direct vendors. Contracts, SLAs, exit clauses — the visible layer.
FOURTH PARTYTheir critical dependencies. Ask the question; good vendors can answer it.
CONCENTRATIONShared foundations. If three of your vendors run on one cloud, you have one risk wearing three logos.

Her vendor review adds one question: "Who do you depend on?" The next outage surprises the contract — not the team.

Third- and fourth-party risk in depthTHEORY · 4 MIN

Your GBS operation depends on vendors who depend on their own vendors. A failure three layers deep in the supply chain can still shut down your operations.

Vendor risk management framework
  • Vendor tiering — classify vendors by criticality: Tier 1 (business-critical, no alternative), Tier 2 (important, alternatives exist), Tier 3 (commodity, easily replaceable)
  • Due diligence — financial stability, security certifications (ISO 27001, SOC 2), regulatory compliance, geographic risk, and concentration risk
  • Contractual protections — SLAs with penalties, audit rights, data protection clauses, termination provisions, and transition assistance obligations
  • Ongoing monitoring — quarterly business reviews, annual re-assessment, continuous monitoring of financial health and security posture
  • Fourth-party visibility — understand your vendor's critical subcontractors; their failure is your failure
Vendor concentration risk
  • Single vendor dependency — if one vendor handles 80% of your transaction processing, their outage is your outage
  • Geographic concentration — multiple vendors in the same city or country share the same natural disaster and geopolitical risks
  • Technology concentration — all vendors on the same cloud platform means a cloud outage affects everyone simultaneously
  • Mitigation — multi-vendor strategies, geographic diversification, contractual exit provisions, and maintained in-house capability for critical processes
RISK MATRIX LIKELIHOOD →IMPACT → HIGHHigh impact, Low likelyContingency plan CRITICALHigh impact, High likelyImmediate action EXTREMEHigh impact, Very likelyEscalate NOW LOWAccept & monitor MEDIUMMitigate & review HIGHActive mitigation PLOT EVERY RISK · FOCUS ON TOP-RIGHT

Risk assessment matrix — impact vs likelihood

Monday Move

For your most critical vendor, ask: "Who do you depend on to serve us?" Log the answer.

When any link snaps, the clock starts. Incidents reward the prepared.

? CHALLENGE YOURSELF click to expand
  • Can you identify the top 3 operational risks in your process area? How are they currently being managed — actively or reactively?
  • Does your team maintain a risk register? If not, could you create one for your area with likelihood, impact, and mitigation plans?
  • When was the last time your team conducted a risk assessment or BCP drill? What did it reveal?

Topic 03 · Crisis Response

Incident management and crisis escalation

TL;DR

Incidents are graded on response, not absence. Classify, communicate, restore, review — in that order, every time. The model is in THE FIX.

The outage was one hour old.
The chaos made it three.

2 min read · full theory in the expandable
The Problem
A
Amara
O2C analyst · Year 1 · Lagos

A feed failure hits Amara’s queue. Five people investigate the same thing separately.

Three stakeholders get three different stories. Nobody owns the incident; everybody touches it.
The fix takes twenty minutes — once someone finally coordinates. Finding that someone took two hours.

"The incident was small. Our response made it big."

She feels scattered — along with everyone else.

The Trap

You respond with energy instead of structure — and the response becomes the incident.

The Fix

Incident discipline is four steps in strict order.

CLASSIFYSeverity first. Impact and urgency decide who gets pulled in.
ONE OWNERA single incident lead. Everyone else reports to that person until closure.
COMMUNICATEOne message, one channel, one cadence. Stakeholders hear the same story at the same time.
REVIEWBlameless post-incident. What broke, what held, what changes.

The next feed failure gets an owner in five minutes and one status line hourly. Twenty-minute problems start taking twenty minutes.

Incident management in depthTHEORY · 4 MIN

When something goes wrong at scale — a data breach, a system outage, a regulatory violation — the quality of your escalation playbook determines whether it stays an incident or becomes a crisis.

SEV-1 Critical — full service outage, revenue impact, executive escalation within 15 min SEV-2 Major — degraded service, SLA breach risk, manager escalation within 1 hr SEV-3 Moderate — workaround exists, tracked in backlog SEV-4 Low — cosmetic, no business impact
Incident Severity Classification
1

Detect and classify

Identify the incident, assess severity (P1 critical, P2 major, P3 moderate, P4 minor), and determine the affected scope — processes, users, customers, and regulatory implications.

2

Contain immediately

Stop the bleeding. Isolate affected systems, activate workarounds, and prevent the incident from expanding. Speed matters more than perfection at this stage.

3

Escalate per playbook

Notify the right people at the right level based on severity classification. P1 incidents should reach senior leadership within 30 minutes, not 30 hours.

4

Resolve and restore

Fix the root cause, restore normal operations, and verify that the fix works. Document every action taken with timestamps.

5

Review and learn

Post-incident review within 5 business days. Root cause analysis, timeline reconstruction, what worked, what failed, and specific actions to prevent recurrence.

IC
GBS Insider Club Insights
  • The biggest incident management failure is delayed escalation. People wait hoping the problem will resolve itself. It rarely does, and the delay makes the impact worse.
  • Post-incident reviews that blame individuals instead of identifying systemic failures guarantee that the next incident will be hidden, not escalated.
RISK REGISTER IDRISKLIKELIHOODIMPACTMITIGATIONOWNER R-001Key person dependencyHighHighCross-trainingTeam Lead R-002System downtimeMedHighBCP planIT Ops REVIEW MONTHLY · UPDATE BEFORE EVERY STEERING COMMITTEE

Risk register — ID, description, owner, probability, impact, mitigation

Monday Move

Write your team’s one-line incident rule: who owns, who speaks, how often.

? CAREER CHECK click to expand
  • Risk awareness at every level is increasingly valued in GBS. How do you currently demonstrate risk thinking in your daily work?
  • Have you ever flagged a risk that prevented a problem — or caught an issue early that would have been costly later? How did you document it?
  • Understanding risk management frameworks positions you for roles in compliance, audit, and operational leadership. Where are your knowledge gaps?
GBS Insider Club learning paths offer structured career frameworks, practical templates, and guided exercises tailored to your GBS role — from entry-level to leadership.

Reference

Glossary

Full glossary at the GBS Insider Club Field Guide.

BCPBusiness Continuity Planning — the process of creating systems and procedures to ensure critical business functions continue during and after a disruption.
BIABusiness Impact Analysis — an assessment that identifies critical business processes and quantifies the impact of their disruption in terms of time, revenue, and regulatory consequences.
RTORecovery Time Objective — the maximum acceptable time a process can be down after a disruption before business impact becomes unacceptable.
RPORecovery Point Objective — the maximum acceptable age of data that must be recovered after a disruption. Determines backup frequency requirements.
Fourth-party riskRisk arising from the subcontractors and suppliers of your direct vendors. A failure in the fourth party can cascade to disrupt your operations.
Post-incident reviewA structured analysis conducted after an incident to identify root causes, evaluate the response, and define preventive actions. Sometimes called a post-mortem or lessons learned.
Sources and further reading
  1. ISO 22301 — Business Continuity Management Systems standard
  2. BCI — Business Continuity Institute Horizon Scan Report, 2025
  3. Gartner — Third-Party Risk Management framework, 2025
  4. NIST — Computer Security Incident Handling Guide, SP 800-61
Theory done. Now make it count.

Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.

The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.

Explore the Career Playbooks → Back to Compliance and Risk
Leave a comment
← Previous SME Participation Next → Regulatory and Internal Controls