Case Studies » Major National Credit Union

Operational risk management

Documenting operational controls for IT security and compliance

Delivering the knowledge and framework needed to minimize operational risk well into the future.

A leading credit union offers a catalog of managed services, each of which requires operational controls to ensure IT security and the stability of systems and data. These controls might cover areas such as vulnerability & patching, access & identity management, information protection, and third-party management—areas of IT operation with processes and rules that must be met for proper use.

Each of these control areas use regulatory, industry and internal standards as their baseline, so every organization’s controls are unique. Identifying these controls, who is responsible for them, and documenting the associated objectives, processes and procedures takes time and business process mapping expertise, neither of which the credit union had enough of. Yet that documentation is critical to ensure the controls are understood by all employees.

Having worked with the credit union’s audit and risk management (ARM) team before and having pre-established relationships with the IT stakeholders for this project, Celerity was a natural fit to lead the credit union into a new era of IT security.

Using best practices and proven processes to drive operational risk processes

Celerity’s team of business analysts and process engineers begins each of these operational risk engagements with certain best practices. First, we confirm priorities and which operational controls to focus on first. Then we provide a framework for doing that, including a roadmap, timeframe and deliverables.

Communication is also critical to a project’s success, so Celerity worked with the credit union’s team to develop a communications plan, beginning with asking senior management for their active participation and feedback. At the same time, we also set expectations so stakeholders knew this would be a long-term effort that would require regular maintenance.

Focusing on one area to demonstrate the operational controls documentation process

The client chose to focus on the vulnerability and patching control area first. Since senior management was driving the effort and regulators would be tracking its progress, Celerity proactively created a dashboard to track progress and documentation. While they did not originally ask for this, they loved the idea. Now, with everything in place, Celerity began a three-pronged process, including:


After a series of kickoff meetings with managers to identify SMEs and gather documentation, we interviewed the SMEs to get a detailed accounting of their vulnerability patching workflows.


After the discovery, Celerity mapped out the processes using Business Process Model and Notation (BPMN 2.0). These were vetted by the SMEs and, once final approval was obtained, the process maps were finalized. Every step was recorded in the dashboard and weekly updates were sent to leadership.


As the contract drew to a close, we held multiple knowledge transfer meetings to transition project activities to the credit union’s team. They learned how to run the discovery meetings, the basics of BPMN 2.0, and how to update the dashboard.

In all, Celerity identified 79 different process workflows associated with the vulnerability and patching control area. These workflows included activities such as scanning for vulnerabilities and prioritizing them, reporting and distributing vulnerability reports, coordinating and tracking patching activities, asking for exceptions, and receiving, testing, and deploying patches.

Getting a good start in the never-ending job of operational risk management

By the time the project came to a close, Celerity produced 14 patching process maps related to the vulnerability and patching control area, with another 10 maps in the approval pipeline. In addition, we produced:

  • 6 process maps related to the third-party risk control area
  • 2 process maps related to the access identity control area
  • 1 process map related to the information protection control area

Not to be overlooked, however, is the power of the knowledge transfer. The client’s team went through the processes with us and was given the knowledge they needed to continue on without us. Mitigating operational risk and ensuring IT security is a job that never ends. With the tools and knowledge Celerity brought to the engagement, the credit union will be able to move forward on their own in the future.

Before Celerity

Operational riskNo knowledge of amount of unique roles in vulnerability and patching control area

Operational riskUnknown number of workflows related to vulnerability and patching control area

Operational riskNo standardized workflow process maps for any control areas

Operational riskLittle knowledge of BPMN 2.0

With Celerity

Operational risk36 confirmed IT support teams with roles in the vulnerability and patching control area

Operational riskNearly 80 confirmed workflows related to vulnerability and patching control area

Operational risk23 completed workflows for standardized control area

Operational riskHands-on experience and expert guidance in BPMN 2.0

Related case studies

Major National Credit Union

IT Governance

Retirement Planning Non-Profit

Enterprise automation