Business continuity (BC) and disaster recovery (DR) are often used together and interchangeably. They are indeed connected, as both are designed to prepare an organization for, and work it back from, adversity. Continued smooth operation is a fairy tale in the business world. Every minute of every day, something can happen that prevents people from performing properly or operations from functioning efficiently.
Put simply, BC is an organization’s hedge against disaster. DR is what digs it out of a crater (even literally).
Let’s break it down.
Andrew Hiles has a particularly good definition of disaster recovery in his book Business Continuity Management, Global Best Practices. He writes that disaster recovery is an integral part of an organization’s BCM plan by which the organization intends to recover and restore its information technology, infrastructure and telecommunications capabilities following an incident. Note the focus is on the aspects of the business affected by the loss of technology. Within the DR plan, there will be individual component systems, application and hardware recovery plans that specify steps to recover. This clearly links business functions and technology.
Business continuity is a set of plans and procedures to implement during a time of disruption. It’s a process that begins with the realization that the business needs to have a Plan B for its most critical processes and functions. Each segment of the organization identifies critical processes, applications, resources, personnel, and recovery timeframes (through a business impact analysis (BIA)). Once aligned, they brainstorm solutions and procedures, which are called recovery strategies, for addressing those problems. These solutions are tested through a variety of methods that refine thinking and confirm their validity. A fire at your server farm? There should be a plan for that. An overseas vendor can’t deliver because its port is shut down because of a pandemic? Your BC plan should cover that.
In short, BC is focused on keeping all essential functions of an organization running when there is a significant interruption to any part of the organization, including IT systems, critical infrastructure, people, and facilities.
DR is where planning becomes reality. After all, restoration without data and infrastructure would be challenging, and returning the enterprise to normal after an earthquake collapses its main assembly plant or a flood destroys equipment isn’t easy. BC provides the plan for handling these things, and DR provides technology-related support. Planning to recover from any catastrophic event means determining a realistic recovery time objective (RTO) and doing the work to meet the RTO. When damage to the main road to the plant renders it inaccessible, the BC plan will have determined the solution is to operate from a predetermined alternate facility. The DR plan will lay out the steps for moving equipment, inventory, technology, people, and cyber infrastructure to the new facility while meeting the RTO.
Once can argue that both business continuity plans (BCP) and DR are reactive. However, both are needed in tandem to support a complete recovery.
Disaster recovery is impossible without business continuity and vice versa. The BC process inventories all critical aspects of an enterprise, identifies which ones are susceptible to interruption from a threat, how critical each is to enterprise resiliency, and brings the expertise of the organization’s personnel to build the plan for what’s necessary to work normally. DR will specify how the technological recovery of a business area will be achieved. In this way, the two are complementary, and work together to provide a function greater than the sum of its parts.
To obtain the best results for later implementation, BC planning should be undertaken first. Each division or business function should be represented in identifying critical operations, resources, and people to continue everyday performance. Interruption to the business by loss of facility, technology, or employees should be identified and then brainstormed. What would happen if you could not meet your SLA (service level agreements) of stamping out 100 widgets an hour? Or what would be the effect of a wildfire taking out the power facility that generates electricity for the factory?
Once that’s found, step-by-step instructions for recovery from these disasters should be developed. These procedures are the business continuity plan and should be tested. Initially, a desktop walkthrough will be sufficient, but as the plan becomes more fixed and crosses the organization’s silos, more exhaustive tests should be undertaken. All the involved players would then conduct a tabletop exercise, where they walk through what to do in the event of a disaster. Once that test appears to be sufficient, a functional exercise can be done with each relevant employee at their station working through the problem. If that proves effective, a full-scale exercise in which the organization works solely on the test supplies practice and one last opportunity to make corrections before any disaster happens — or the next round of updates to both plans occurs.
BC and DR work to make the organization resilient. There are two types of resilience to consider: enterprise resilience and operational resilience. Enterprise resilience is an organization’s ability to (1) plan, prepare, and understand risks and critical functions; (2) anticipate disruptions and potential downstream impacts; (3) respond in a coordinated, organized, and controlled manner; and (4) recover, adapt, and evolve to be able to manage challenges even more effectively in the future. Operational resilience focuses on functions of individual divisions or aspects of the business. Not every problem affects the entire organization — at least not at first. If weather problems keep parts from arriving at a production facility, sales, marketing, and other vital functions can continue. But each of these pieces should be prepared to recover from problems unique to it — before they affect the entire operation.
Use the table below as a cheat sheet to understand the main differences between business continuity and disaster recovery:
How BC and DR Differ
|Objective||Provide the tools and plans to keep business running during a disruption||Determine critical applications, hardware, and infrastructure required to return an enterprise to optimal function
|When Triggered||BC plans are made in anticipation of a business interruption and activated when that occurs||DR occurs in parallel or in some cases before a BC plan is initiated. In many cases, infrastructure needs to be restored priorto the business restoration
|Milestones||BC milestones are determined by each business segment (marketing, fabrication, IT) and are driven by RTOs||Pre-established recovery times based on impact tolerance provide the framework for return to customary conditions
|Ongoing||BC plans are reviewed regularly for revisions driven by new key personnel, new corporate objectives, new equipment, and any other significant change. BC plans should be tested annually or when there have been material changes to the organization||DR plans are tested at least annually and recovery times revised to establish expectations for return to customary conditions. RTOs and RPOs (recovery point objectives) should agree with the business requirements. DR plans should support business recovery.
|Span||Holistically finds potential threats to an organization and the impacts to business operations those threats, if realized, might cause
|Shows recovery order based on impact tolerances|
Whether performed serially or in parallel, BC and DR planning provide a clear plan of action at a time when people and systems tend to spin out of control. Not every manager can improvise. More importantly, both BC and DR planning minimize downtime. A thorough BC plan ensures all bases are covered. In addition, the planning process of creating a BIA itself will find unseen weaknesses or problems before they affect the business. Finally, when a problem occurs — and one will — having worked through the problem in advance will reduce stress and provide less wasted effort in returning to normal.
The best management processes of every organization require both BC and DR planning. A body needs both a brain and a heart. A football team needs both offense and defense. And, like sports or scholastics, study and repetition supply the best results.
Reach out for a no obligation, initial conversation.