How Does Business Continuity Differ from Disaster Recovery?
Business Continuity and Disaster Recovery are almost inseparable these days. Some people even use them interchangeably. But did you know that, while they’re closely related, they’re actually not one and the same?
Knowing the difference between business continuity and disaster recovery is important. You’ll need it when you set out to address risks to your business’ availability and uptime. Will you be needing a business continuity plan? Or just a disaster recovery plan? Before seeking support from management or the board of trustees for your BC/DR project, you need to know exactly what you’re talking about.
Business continuity is the overarching entity
To put it in a nutshell, disaster recovery is only a component of business continuity. When you develop a business continuity plan, a key component of the entire process is the formulation of a disaster recovery strategy or plan.
Of course, you weren’t dragged all the way down this article just to be presented with a short definition, so let’s outline the steps companies normally take in putting together a business continuity plan (BCP). That way, not only will you see what a BCP consists of. You’ll also understand where disaster recovery fits in.
While there are no hard and fast rules on what specific steps should be included, companies usually take the following steps:
- Develop the business continuity plan policy statement. The policy provides guidance in the development of the BCP and is, therefore, the first step in the process.
- Conduct business impact analysis (BIA). At this point, critical functions and systems are identified, making it easy to arrange them in order of priority. It’s also at this point where vulnerabilities and threats are identified, and corresponding risks are calculated.
- Identify preventive controls. Based on the information gathered in Step 2, the organisation then identifies, develops, acquires, and sets up countermeasures and controls.
- Develop recovery strategies. This is basically where disaster recovery falls. At this point, methods are developed so that systems and functions can be brought back within an acceptable timeframe.
- Develop a contingency plan. This is where the organisation draws procedures and guidelines for keeping itself operational (albeit not completely) during the course of the disaster.
- Test the plan and conduct training and exercises. Here, the plan is tested in order to identify flaws and areas that need improvement. It’s also here where personnel are trained for their duties during and immediately after the disaster.
- Maintain the plan. Business continuity planning is supposed to be a continuous process. As new business goals, threats, vulnerabilities, and other developments come along, the BCP should be updated accordingly.
Now you see where a disaster recovery plan falls into the larger picture of a business continuity plan. Disaster recovery focuses on the processes needed for the company to get back on its feet if a disaster strikes. Business continuity, on the other hand, will also include preventive measures, in addition to disaster recovery and others. Technology-wise, preventive measures may include the use of redundant systems, load balancers, and failover systems.
Because enterprises now heavily rely on IT, IT service continuity is certainly a huge part of BC. However, in addition to IT service continuity, a business continuity plan actually includes many aspects of the business. Business continuity addresses a wide range of concerns like:
- Where employees should go and what they should do in the event of a disaster
- How the company should communicate with suppliers, customers, and stakeholders during a major calamity
- Which business functions (e.g. financial operations, customer service, healthcare) should be given top priority when bringing operations back online
- What countermeasures can be implemented to reduce the probability of downtime
Where does disaster recovery fit in all this?
As you’ve learned by now, disaster recovery is supposed to be part of a bigger picture. Ideally, the things that go into a disaster recovery plan should be based on whatever information was obtained during the BIA phase. In that phase, a risk assessment should have been conducted to determine which business functions were the most crucial.
The disaster recovery plan should, therefore, address what the company must do in order to bring back the most crucial functions in the shortest time possible. Disaster recovery strategies typically deal with the recovery of:
- Business process recovery,
- Facility recovery,
- Supply recovery,
- User environment recovery, and
- IT disaster recovery or data recovery
So, for example, IT disaster recovery or data recovery strategies usually involves picking the right data backup solution. Should you use tape, disks, or cloud backup services? At a much larger scale, disaster recovery also involves picking the appropriate type of disaster recovery site (e.g. hot site, warm, site, cold site).
But that’s for another article. The goal was to differentiate business continuity and disaster recovery, and the previous two sections have done just that.