What are a football club's "important business services"? Identifying the operations that cannot be allowed to fail
Ask a club's leadership team what the business actually does and the answer, understandably, will be some version of football. Ask which specific services genuinely cannot be allowed to fail, and most boards have never been asked to answer with any precision. The exercise is narrower and more revealing than it first appears and doing it properly is the essential first step of any genuine operational resilience programme.
This article is the second in our series on Operational Resilience for Football clubs. You can find other articles in this series here.
Why "playing football" is not the answer
The first article in this series introduced the concept of an important business service: the small, specific set of activities an organisation delivers whose interruption would cause serious, potentially intolerable harm to the people who depend on it. The natural instinct, when a football club is asked to apply this thinking to itself, is to answer at the level of the whole enterprise, the club exists to play football, therefore playing football is the important business service.
That answer is both true and useless. It is too broad to build a resilience programme around, because it gives no indication of what, specifically, needs to be protected, mapped and tested. "Playing football" is not a service in the operational resilience sense -- it is the outcome of dozens of underlying services working correctly at once. The discipline that the FCA required of financial services firms, and that translates directly to football, is to break the enterprise down into the specific, narrower services whose individual failure would cause real and immediate harm, and then to focus the resilience work there.
The test: what counts as an important business service
Not every activity a club undertakes qualifies. A club runs dozens, arguably hundreds, of distinct operational processes, from community outreach programmes to merchandise fulfilment to stadium tour bookings. Most of these matter to the business, but their failure, while regrettable, would not cause the kind of serious or intolerable harm that the important business services discipline is designed to identify and protect.
The FCA's own test is useful precisely because it is deliberately narrow: a service qualifies as important if its disruption could cause intolerable harm to the people who depend on it, or put the organisation's wider standing and integrity at risk. Applied to football, the equivalent test asks three questions of any candidate service.
First, who is harmed, and how badly, if this fails?
Second, is the harm time-critical -- does delay make it worse, or can it wait?
Third, is there a genuine substitute if this service is unavailable, or does the club have no alternative route to the same outcome?
A service that fails all three tests, serious harm, time-critical, no substitute, is an important business service. A service that fails only one or two is not, however operationally significant it may otherwise feel to the people who run it day to day.
The instinct is to list everything the club does. The discipline is to identify the small number of services where failure is genuinely intolerable, not merely inconvenient.
The services football clubs consistently underestimate
Applying that test across a typical football club surfaces a shorter and more specific list than most boards expect -- and it is worth working through what each one actually involves, because the detail is where the genuine exposure sits.
Matchday operations, safely delivered. This is the most obvious candidate, but the precision matters. The important business service is not "playing the match" -- it is the combination of ticketing, access control, stewarding, crowd management and safety systems that allow a fixture to proceed lawfully and safely. Ticketing and access-control outages on matchday are a widely recognised category of failure across professional sport internationally, and when they occur they are immediate, visible and carry both safety and regulatory consequences that a delayed kick-off does not begin to capture. A club that has never asked what happens if its access-control system fails ninety minutes before kick-off has not identified this service with the precision the discipline requires.
Player registration and transfer processing, within deadline. Transfer windows close at a fixed moment, and the systems used to process and confirm registrations, whether internal or those of the relevant football authority, do not extend that deadline for a club experiencing a technical failure. This is a service where the harm is entirely time-critical: a registration submitted correctly but too late is, for regulatory purposes, the same as a registration never submitted at all. Instances of clubs across European football narrowly missing, or nearly missing, transfer deadlines because of system or process failures are widely reported in most transfer windows, and they illustrate a service where there is no substitute and no possibility of a graceful recovery after the fact.
Payroll for players and staff. A missed or delayed payroll run is not merely an administrative inconvenience. For players, it can engage specific contractual and, in some competition frameworks, regulatory consequences. For all staff, it is an employment law matter with a defined tolerance for delay that is measured in days, not weeks. Payroll is a service most clubs assume is resilient because it has never failed -- which is a very different thing from having tested whether it would survive the loss of a key system, a key individual, or a key third-party payroll provider.
Broadcast feed delivery. For any club whose revenue depends on broadcast distribution, the technical delivery of the match feed to broadcast partners is a contractual obligation with real financial consequences attached to failure. This service sits partly within the club's control and partly within that of broadcast partners and stadium technology providers, which makes it a good early illustration of a theme this series will return to directly: many important business services are only partially within the club's own operational control, and mapping the third-party dependency is as important as mapping the internal one.
Protection of supporter and player data. Ticketing systems, loyalty schemes and membership databases hold significant volumes of supporter personal data; player medical, performance and biometric data is amongst the most sensitive data any club holds. A failure here is different in character from the others on this list -- it is not primarily about continuity of service but about the integrity and confidentiality of the data itself, and the harm from a breach can be significant, immediate, and largely irreversible. Any resilience programme that treats this purely as an IT security matter, rather than as an important business service in its own right, has under-scoped the risk.
Financial reporting relied upon by UEFA and the IFR. This is the service category clubs are least likely to identify unprompted, and arguably the most consequential given the current regulatory environment. UEFA's Club Licensing and Financial Sustainability Regulations and the IFR's licensing conditions both depend on the accuracy, timeliness and integrity of a club's financial reporting. A failure in the systems or processes that produce that reporting -- whether through data corruption, key-person unavailability, or a third-party finance system outage -- does not just create an internal headache. It can directly compromise a club's ability to meet a regulatory submission deadline, with consequences that reach well beyond the immediate operational disruption.
Why most clubs have never done this exercise formally
The pattern across organisations first attempting this discipline -- observed consistently in the financial services sector as firms worked through their own PS21/3 obligations -- is that the exercise is assumed to already have been done, informally, by people who understand the business. It has not. Knowing intuitively that matchday operations matter is not the same as having formally identified the service, defined its boundaries, agreed who owns it at board level, and set out what ‘acceptable’ looks like if it is disrupted.
The formal exercise consistently surfaces services that the informal, intuitive view missed entirely -- financial reporting integrity is the clearest example in a football context, precisely because it does not feel like an operational service in the way that matchday delivery obviously does, even though its failure carries some of the most serious consequences on the entire list.
A method for identifying your own
The list above is a starting point, not a template to adopt unmodified. Every club's own set of important business services will differ in emphasis depending on its ownership structure, its revenue mix, its competition status and its existing operational maturity. What matters is the method used to identify them, not the specific list arrived at.
Start with harm, not with activity. List the people who could be seriously harmed by an operational failure -- supporters, players, staff, lenders, regulators -- before listing the club's activities. Work backwards from each group to the specific services whose failure would harm them, rather than working forwards from an activity list and asking whether it matters.
Apply the three-part test rigorously. Serious harm, time-critical, no substitute. A service that only meets one of these criteria is important to the business in a general sense but is not an important business service in the resilience sense, and including it dilutes the focus of the entire programme.
Name a senior owner for each service identified. An important business service without a named, senior, accountable owner is not yet properly identified -- it is a shared assumption that no individual is actually responsible for protecting. This is the governance discipline the FCA's supervisory observations found firms most often got wrong: delegating the identification exercise to a technical team rather than requiring board-level ownership of the judgement.
Review the list at least annually, and after any material change. A new stadium technology provider, a change of broadcast partner, a new ownership structure or a change to the club's competition status can all change which services qualify, or how they should be defined. The list is a living document, not a one-off exercise.
The next article in this series addresses the question that follows naturally once a club's important business services have been identified: how to set a genuinely defensible impact tolerance for each one -- the maximum disruption the club can accept before the harm becomes unacceptable, and the evidence a board needs to justify that judgement rather than simply assert it.
Most clubs discover their most serious gaps the first time they try to name their important business services properly.
Lagom Sports Compliance works with football clubs across governance, risk, compliance and operational resilience. If your board has not yet formally identified and agreed its important business services, we would welcome a conversation about what that process looks like for your club.
Frequently asked questions: important business services for football clubs
-
Important business services are the small, specific set of services a football club delivers whose interruption would cause serious or potentially intolerable harm to the people who depend on them -- as distinct from every activity the club undertakes. Likely candidates include safe matchday operations (ticketing, access control and stewarding), player registration and transfer processing within regulatory deadlines, payroll for players and staff, broadcast feed delivery, protection of supporter and player data, and the financial reporting relied upon by UEFA and the Independent Football Regulator. The exact list will differ by club depending on ownership, revenue mix and competition status.
-
A useful test, adapted from the FCA's operational resilience framework, asks three questions of any candidate service: would its failure cause serious harm to the people who depend on it; is that harm time-critical, such that delay makes it worse rather than something that can simply wait; and is there a genuine substitute available if the service becomes unavailable, or does the organisation have no alternative route to the same outcome. A service that meets all three criteria -- serious harm, time-critical, no substitute -- qualifies as an important business service. A service meeting only one or two criteria may still matter operationally but does not require the same level of dedicated resilience investment.
-
Playing football is the outcome of many underlying services functioning correctly at once, not a discrete service that can itself be mapped, resourced and tested. Operational resilience requires organisations to break their operations down into narrower, more specific services -- such as ticketing and access control, transfer registration processing, or payroll -- because only at that level of granularity is it possible to identify genuine dependencies, set a meaningful tolerance for disruption, and design a testing programme that actually reveals vulnerabilities.
-
Financial reporting does not feel like an operational service in the way that matchday delivery or payroll obviously do, which means it is frequently missed in an informal or intuitive assessment of what matters to the business. However, the accuracy, timeliness and integrity of a club's financial reporting underpins its ability to meet obligations under UEFA's Club Licensing and Financial Sustainability Regulations and the Independent Football Regulator's licensing conditions. A failure in the systems or processes producing that reporting -- whether through data corruption, key-person unavailability or a third-party system outage -- can directly compromise a club's ability to meet a regulatory deadline, making it one of the more consequential services on a typical club's list despite being one of the least intuitively obvious.
-
The identification exercise should be a board-level governance responsibility, not a task delegated entirely to an operations or IT team. Financial services firms working through the equivalent exercise under the FCA's PS21/3 framework were found by the regulator to have under-scoped their important business services most often when the judgement was delegated rather than owned senior. Each important business service identified should have a named, senior, accountable owner -- without one, the service has not genuinely been identified in the resilience sense, only informally acknowledged.