
Determining the resources required for normal and emergency operation

5 Conception

5.1 The business impact analysis

5.1.2 Performing a business impact analysis

5.1.2.7 Determining the resources required for normal and emergency operation

A number of resources are needed to execute business processes. For the critical business processes, the resources needed for normal operation must be determined, as well as which of them are used exclusively by one process and which are used by several processes. This information is needed to develop the recovery plans and should be determined carefully. If a security concept according to IT-Grundschutz is available, then a large portion of the information needed can be taken from the structure analysis. Some additional information on resources needs to be acquired since additional resource classes are of interest to business continuity management. The resources to be examined include:

• Personnel

When executing business processes, employees are needed to make decisions, operate machines, enter data, or perform other tasks. If special qualifications or knowledge are needed for a business process, then this information should also be recorded in addition to the information on designated, possible, or missing substitutes. If special personnel are needed for recovery or restoration, then this information should also be acquired and recorded.

• Information

processes. A rough classification of the significance of the data to the business processes and identification of the essential data for the processes is useful when performing the rest of the examination.

When recording the resource “information”, the maximum allowable loss of data (e.g. in the form of the number of transactions or age of the data) should be determined for the critical data. This value affects the data backup strategy in particular.

• Information technology

IT is understood to be applications, hardware, software, communication connections (over the Intranet or Internet, but also over PBX systems), fax machines, and scanners, for example.

• Special equipment and systems

Special equipment and systems include, among others, production plants, security gates, medical devices, or control elements.

• Services

If internal or external services are needed to supply an input to or provide resources for a process, then these services must also be noted. An example of a possible internal service is IT administration.

• Infrastructure

Infrastructure includes, for example, the property, building, warehouse, production halls, car parks, file archives, server or office rooms, and workplaces, but also electrical, gas, water, or district heating networks, means of shipping and transportation (automobiles, lorries, trains, airplanes, etc.).

• Operating resources

Operating resources are understood to be all resources not placed in any other category yet, for example raw materials or materials for production, office supplies, or office furnishings.

Resource groups: Applications, Hardware, Infrastructure, ...

Resource: email, Database server(s), Office application, SAP, EDI, AutoCAD, Calendar, Internet connection, LAN, File server 1, File server 2, Workplace, High rack, Telephone conn., Fax
RTO: 4 92 24 … … … 48 … … … … … … … … … …
kRTO: 4 18 24 … … … 48 … … … … … … … … … …

Business process | RTO | kRTO | Resources
Process GP1 | 92 | 72 | 1 1 4 1 3 - 4 … 3 1 1 - … 1 - … 1 - …
Process GP4 | 168 | 48 | 3 - 1 - - - 3 … - 1 - 1 … - 1 … - 2 …
Process GP5 | 24 | 24 | - 1 1 - - 1 - … - 1 1 - … - - … - - …

Table 8: Example of resources recorded with specification of the degree of utilisation and the recovery time objectives

When determining the resources needed by a critical process, the corresponding degree of utilisation should also be evaluated and documented. The degree of utilisation indirectly specifies how the lack of this resource will affect the continuity of the process. The higher the degree of utilisation of a resource, the greater the effect of the lack of this resource. A scale of three to five levels for the degree of utilisation has proven useful in practice. Possible degrees of utilisation based on the degrees of dependency between processes are, for example, 1=“very high” (essential for the process), 2=“high” (important for the process), 3=“medium” (needed by the process), and 4=“low” (see Table 8).

The single points of failure are also identified in this step or were identified earlier. The single points of failure are very critical resources whose failure would lead to the complete failure of the (sub)process. These single points of failure must be documented, and measures for securing them must be initiated as quickly as possible.
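The recording described above can be turned into a per-resource view. The following is an added example, not part of the original standard: it takes the application columns of Table 8, classifies each resource as exclusive or shared, and lists the resources rated 1 ("very high") by at least one process. Treating those as the candidates to examine as single points of failure is an assumption of this example, as are the function names `analyse` and `review_order`.

```python
# Scale quoted in the text: a lower number means a stronger dependency.
DEGREES = {1: "very high", 2: "high", 3: "medium", 4: "low"}

# Process -> {resource: degree of utilisation}, taken from the application
# columns of Table 8; a "-" cell (resource not used) is simply left out.
UTILISATION = {
    "GP1": {"email": 1, "database server": 1, "office application": 4,
            "SAP": 1, "EDI": 3, "calendar": 4},
    "GP4": {"email": 3, "office application": 1, "calendar": 3},
    "GP5": {"database server": 1, "office application": 1, "AutoCAD": 1},
}


def analyse(matrix):
    """Invert the process view into one record per resource."""
    users = {}
    for process, resources in matrix.items():
        for resource, degree in resources.items():
            if degree not in DEGREES:
                raise ValueError(f"{process}/{resource}: unknown degree {degree!r}")
            users.setdefault(resource, {})[process] = degree
    report = {}
    for resource, by_process in users.items():
        report[resource] = {
            # Used exclusively by one process, or shared by several.
            "sharing": "exclusive" if len(by_process) == 1 else "shared",
            # Strongest dependency any process has on this resource.
            "highest_degree": DEGREES[min(by_process.values())],
            # Processes that rate the resource 1 (essential).
            "essential_for": sorted(p for p, d in by_process.items() if d == 1),
        }
    return report


def review_order(report):
    """Resources essential to at least one process, most widely needed first.

    Assumption of this example: these are the candidates to examine as
    single points of failure; whether a substitute exists is not modelled.
    """
    essential = [r for r, rec in report.items() if rec["essential_for"]]
    return sorted(essential, key=lambda r: (-len(report[r]["essential_for"]), r.lower()))


if __name__ == "__main__":
    result = analyse(UTILISATION)
    for name in review_order(result):
        print(name, result[name])
```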

After determining the resources required for the normal operation, the resource requirements for emergency operation need to be determined. The following must be taken into account when determining these requirements:

• Not every business process allows emergency operation

• Emergency operation can consist of switching to alternative processes (for example switching from IT applications to paper or manual processing)

• Emergency operation can consist of operating the process at reduced capacity, with lower resource requirements, but therefore at lower input and output.

It must be documented for each critical process how emergency operation will be performed and which resources are required for this. If the recovery procedure is cascaded in several stages, then the resources necessary for each stage must be determined (see Table 9).

Process D

Resources | Normal operation | Emergency operation: = 2 hours, = 24 hours, = 48 hours, = 48 hours
Workplace: 8 2 2 4 8
Application H: 8 2 2 4 8
Application B: 4 1 2 4
Telephone connection: 8 1 2 2 8
Experts: 8 2 2 4 8
...

Table 9: Example of resources documented for normal and emergency operation

It takes care and skill to determine which resources are needed because even though resources such as the workplace PCs or the Intranet are usually obvious choices, there are some operating resources that are only noticed once they become unavailable.

The resource determination can be performed together with the damage analysis or after prioritisation. The advantage of the first method is that nothing needs to be determined twice, and the contact persons responsible only need to be questioned once. The advantage of the second method is that the resource determination is limited to the critical business processes and therefore takes less time and effort.