You’re not alone if the first thing that comes to mind from the heading above is: “Aren’t Business Continuity and Disaster Recovery the same?”
It’s both the IT support industry and business at large’s fault for the confusion between Business Continuity (BC) and Disaster Recovery (DR) plans. Much current online copy confuses the two as well, which doesn’t help matters. The blur enabled by the tech era has meant that Business Continuity and Disaster Recovery are often used interchangeably by all parties, and often exclusively meant to refer to IT tech issues.
Yes, disaster today is often data loss or theft or a bad hardware crash, but many countries in the world have bad weather the rest of us live without. Remember the whole of New Orleans half-submerged? America is a prime example of being in the path of a hurricane, literally.
In the US, the number of weather and fire disasters as a percentage of business disasters overall is far higher than those in more benign climes. London-based EC-MSP might find clients wet and soggy at times, for example, but seldom destroyed by freak weather. Europe as a whole has a more genteel climate – at least in terms of violent storms and winds – so one might more easily confuse BC with DR in the EU, as both are more likely to refer to an IT issue.
It’s important to understand Business Continuity and Disaster Recovery plans demand different strategies, and that recovery after an IT failure is typically very successful, assuming sound IT infrastructure and support were in place at the time of catastrophe.
The difference between Business Continuity and Disaster Recovery
Disasters compel us to put out fires, metaphorically or literally. This might mean draining flooded offices, stemming the loss of data – unplugging – or rebuilding components of a business’ IT or other infrastructure, or even moving premises. A company needs to keep functioning – servicing clients, making sales – amidst disaster, hence a Business Continuity Plan (BCP) addresses the initial phase of a disaster. BC halts any leaking or loss of data, equipment or damage to premises, and swings into continuity mode so the usual daily functioning of a going concern can persist while it stabilizes post-disaster.
A business needs to regain its lost fitness, however, so almost simultaneous with continuity, the Disaster Recovery Plan (DRP) will kick in. In an ideal world, a company comes back leaner and keener after a serious setback. It needs (at least) to recover the initial baseline functionality after a disaster as much as possible, and to some extent, the success of the DRP depends on the successful implementation of the BCP in the face of a catastrophe.
One key difference between BC (initial) and DR (after) is when the appropriate plan takes effect. Business continuing is essential when dealing with the disaster, while Disaster Recovery refers to recovering lost ground and pushing forwards to regain or even exceed the previous operational level. Staff might work remotely during BC, but DR should see them all housed in a central location again if that was and remains optimal for the company concerned. Disaster Recovery can almost be seen as a subset of Business Continuity – that’s a good way to get the chronology right and understand how both a BC and DR plan work.
Coming back to the definition of disaster mentioned above, while the terms have been largely employed to refer exclusively to IT infrastructure, a disaster that requires BC and subsequent DR plans can take many forms. Typically, IT tech is impacted by any disaster, so it’s always a component of the response to the catastrophe, and that’s certainly true for the modern business.
BC and DR are both decisive plans of action
Although force majeure events – the current Covid-19 lockdown is a classic example – and indeed the exact nature of any disaster is hard to predict, a good Business Continuity Plan will have anticipated all possible scenarios, up to and including earthquakes. A BCP looks at innumerable negative inputs and formulates a plan to mitigate their inevitable implications (including the fallout) for whatever catastrophe might strike. There will be many overlapping reactions regardless of the nature of dire events, but also very specific responses based on what’s happening exactly, hence the value of prior planning.
Business Continuity plans center on the immediate need to maintain business functionality. Disaster Recovery plans are designed to restore vital support systems and get back to normal business from an undesirable or awkwardly functioning state. Continuity plans focus on the exact steps to be taken based on the nature of the disaster. Disaster Recovery plans assume they were effective, and have maintained business functioning, and work from there to most cost-effectively get business back to its comfort zone. A DRP works from the point of emergency business processes to transition – without further business interruption – back to business as usual.
A snap list of IT Business Continuity considerations
- The systems and information (people, tech and data) critical to broad daily functioning need to be identified – what is essential to maintain business operations?
- Which networks are crucial for business operations to continue?
- What software is critical to continuity, and how will any given disaster impact it, and the company’s systems and protocols?
- With the normal daily ‘shell’ of the business weakened or destroyed, what cyber risks does the company face in this moment of disaster?
- How will the nature of the catastrophe impact third party services that might immediately affect business operations?
- What protocols are currently in place to inhibit fallout from a disaster?
- What are the alternatives and their cost to potentially impacted third parties that might fail alongside you in the moment of your own disaster?
- Does the business trust to cloud storage or off-site backing up on a server or hardware device(s), and how complete is remote access to data?
- What is the chain of command, and what are the necessary authorizations that will enable Business Continuity?
A snap list of IT Disaster Recovery considerations
- What are the individual responsibilities when moving towards recovery? What is the Plan B (who will fill in should someone be off or otherwise unavailable during the moment of disaster), and is the chain of command agreed upon and unambiguous (as military-grade clarity is needed on this point)?
- What will be the acceptable timeline that governs recovery?
- How will the company implement data recovery?
- How will recovered data be dealt with in terms of permissions and safe handling while the business recovers?
- What will signal the expiration of the state of recovery and how will this be conveyed to staff acting in certain capacities during a disaster?
- Is the DRP available and known to all staff, and has the company had meetings or interviews around individual roles?