In the past, you may have heard the terms “business continuity” and “disaster recovery” used in conjunction, or even interchangeably, but what do they really mean? You probably won’t be surprised to discover that they have many similar goals when it comes to recovering from an unplanned incident and restoring essential functions, but it is the nuances of their differences that are really crucial to understand. Recognizing the differences between business continuity vs. ITDR will help ensure that you have a balanced and complete plan for when disaster strikes.
What Are They?
Business continuity is the process an organization goes through to get themselves back to being fully functional after a crisis. A business continuity plan outlines the steps to achieve this goal by identifying the essential functions of an organization and what resources are needed to re-establish these functions as quickly and seamlessly as possible.
Disaster recovery is one aspect of business continuity. It focuses specifically on getting IT infrastructure and operations, including hardware/software/personnel/and networks up and running after a disaster or unplanned event. As with business continuity, the goal of disaster recovery is to restore operations as efficiently as possible.
Similarities Between BC and ITDR
There are some fundamental similarities between business continuity vs. ITDR:
- Their primary goal is to help an organization resume mission critical functions after a crisis, although the nature of these functions differs.
- Planning and testing are crucial components to help ensure the plans do what they intend and that personnel understand how they operate.
- Both are living documents that need to be reviewed regularly and updated to reflect changes in an organization and its essential functions.
- They consider the possibility of various disasters or unplanned events such as local and natural disasters, fires, disease outbreaks, cyberattacks, network disruptions, and other threats.
- The biggest challenge is a lack of support and funding around these plans. Other struggles include high levels of change within an organization, time constraints, and dedication of resources to ensure the plans are current and tested.
The Specifics of Business Continuity
As previously mentioned, a business continuity plan hinges on identifying essential functions of an organization and creating a plan for how to keep these functions running in the even of a disaster or incident.
According to Tech Target, there are three essential elements that every business continuity plan should include: resiliency, recovery, and contingency. You can increase your resiliency by establishing essential functions with disasters in mind. In doing this, you’re setting yourself up for success further down the line and making your processes inherently more resilient.
Recovery can be improved upon by setting time objectives, prioritizing functions in order of importance, keeping an inventory of resources, and using third party agreements to help fill gaps during recovery times.
A contingency plan establishes procedures for crisis events or incidences and often outlines a chain of command that assigns responsibilities. This helps personnel know what their responsibilities are during a crisis when the business continuity plan is being enacted.
If you have a business continuity plan that focuses on key functions of an organization and targets resiliency, recovery, and contingency, then you have a solid foundation to work from. Read Veoci’s blog “Maintaining Institutional Knowledge: Building an Effective BCMP” to learn more about what makes a successful BC plan.
BC Plan: Getting Started
It may seem daunting trying to put all of these elements together to create a business continuity plan, but the first place an organization should start is with a Business Impact Analysis (BIA). This assessment helps you define what the essential functions of your organization are, how critical those processes are, what risks your operations face, and they ultimately quantify the cost of the loss of business functions. Then, you can move forward with developing effective plans that address your key concerns.
After completing a BIA, you will find that there are numerous areas that your business continuity plan will focus on including business recovery, IT recovery, and crisis management. Business recovery focuses on critical business practices, IT recovery deals with the recovery of technology, applications, and systems, and crisis management is a specific plan for handling a crisis event.
A business continuity plan has wide reaches in an organization and has to consider multiple factors because essential functions can exist at many levels in all departments. The lack of a BC plan can mean serious downtime for an organization after a disaster and loss of time, resources, and business as a result.
Once you have your BC plan up and running, the work is not over. These plans require regular maintenance. Exercises of the plan should be conducted regularly to identify weaknesses and areas in need of improvement. Updates should be made based on identified areas of weakness, and ongoing tests should continue to evaluate these updates. Changes should also be made to reflect any modifications in the way the organization is run. Remember, a business continuity plan should be a dynamic document, so the work is never done.
What Sets Disaster Recovery Apart?
Business continuity plans are like painting with a broad brush: they take into account all the essential functions of an organization. Disaster recovery plans are like going in and detailing specific portions of the painting after. They focus solely on providing a framework for dealing with incidents that target a company’s IT infrastructure, whether it be hardware, software, networks, data, personnel, or organizational structures.
Disaster recovery plans are crucial to understand on their own. They are an important aspect of maintaining functionality during and after a crisis situation.
Disaster recovery measures have three main goals: to prevent, correct, and detect. DR plans are for any kind of incident that can cause an outage, like a critical bug or legacy infrastructure causing a crash or major slow down of an application. They aim to prevent IT breaches from occurring, correct them if the do occur, and detect them when they have happened. With these three lines of defense, a DR plan is strong and well-rounded.
To help better understand what a disaster recovery plan entails, here is an adapted list from Network World that includes the various components:
- Identify the goals of the plan
- Contact information of important parties
- Description of the response actions that will be taken in the event of a crisis
- Diagram of the IT network and/or recovery site
- Identification of key IT assets and their maximum recovery time
- List of software, license keys and systems that will be used in the recovery effort.
- Information from vendors about recovery technology system software
- Documentation about insurance coverage.
- Plans for addressing financial issues, legal issues, and media correspondence.
As you can see, disaster recovery plans are highly developed within themselves, even though they are part of a larger whole of the business continuity plan. There is a lot of information and consideration that goes into making sure IT systems are safe, protected, and resilient in case of a disaster.
ITDR Plan: Getting Started
The first step in establishing a disaster recovery plan is communicating its importance to personnel. Having employee buy-in is key to obtaining the necessary documentation and attention to detail around the plan. It also ensures that people take the plan seriously and understand what their roles and responsibilities are in case of activation.
Once employees are aware of the disaster recovery plan and understand their role in the process, an organization can begin planning by collecting the necessary documentation. Disaster Recovery Guide outlines some of the key documents that should be included:
- Organization chart with names and positions
- Current plan
- Emergency contact information
- Suppliers and contact numbers
- Existing evacuation procedures and fire regulations
- Health and Safety procedures
- Operations and Administrative procedures
- Personnel administrative procedures
- Copies of floor plans
- Asset inventories
- Inventories of information assets
- IT inventories
- IT system specification
And many more! Take a look at the full list for a more comprehensive view of what you’ll need to get started.
Another step you need to take to build your disaster recovery plan is to rank your key business areas. You should list them in order of overall importance to your organization taking into account factors such as data available in those areas, personnel, communications coming from each area, and the dependencies on systems.
Once you have completed these basic first steps, you are ready to start building your disaster recovery plan.
Why You Need BC and DR
In today’s age of technology, it’s easy to focus more heavily on protecting IT systems. It’s also easy to fall into the trap of developing a master business continuity plan but not really considering all of the components.
It is important to recognize that business continuity vs. ITDR plans are like relatives, but also that they’re nuanced individuals with much to offer. Make sure you give both of these plans the time and attention they deserve so you can be truly prepared when disaster strikes.