Disaster Recovery vs. Business Continuity
The terms Disaster Recovery and Business Continuity are often intermingled and used as if they are synonymous. While closely related, they are quite distinct. They have different objectives, inputs, and methodologies. Although there will be overlap, different teams are involved in planning, rehearsal, and execution. Finally, they are triggered and executed by different incidents and situations.
Before we talk about their differences, let's talk about a commonality. You will develop both your Disaster Recovery and Business Continuity plans based on the critical functions of your business. Critical functions are those where, if they're not operating, your business is considered to be out of business. For example, you provide information services on your website, and your web servers or database become inaccessible. Or, you sell stuff, but can't take orders or deliver what you sell. Examples of non-critical functions might be the activities of your research department, product designers, market risk planners, facilities managers, and even your IT help desk. Some types of functions may or may not be critical, depending on the exact nature of how the function supports your business, whether it overlaps with other functions, and/or contractual obligations. For example, your customer service call center may be only a minor factor in providing products and services to your customers, in which case the operation of your call center might not be a critical function. But, if you have only a few major customers and a contract with all of them requiring availability of your customer service center, then your Business Continuity planning will proceed quite differently. Criticality of the availability of your call center might further be determined by other factors, such as how easily other departments could take over the tasks of the call center if it went offline. This is why careful analysis and accurate representation of your business is so very important. If this isn't done right, your Disaster Recovery and Business Continuity plans may look good, but completely fail to deliver results when needed.
Definitions and Relations
Here are the concise J.D. Fox Exec definitions of Disaster Recovery and Business Continuity:
Disaster Recovery involves restoring your information technology (IT) systems to normal operations and recovering lost data in the event of an outage that, without active intervention to restore service, would impact critical business functions beyond a maximum specified threshold (how long the outage will last, the number of customers impacted, etc.). Thresholds are defined by management in relation to business requirements. The outage can be hardware, software, or communications failure, or a loss of data due to accidental or malicious corruption or deletion.
The discipline of Disaster Recovery doesn't only involve performing planned recovery operations following an outage or loss of data. A Disaster Recovery plan must also integrate high availability into your routine operations. High availability means redundant equipment and other technology implementations to enable continuous or nearly continuous operation during failures, with minimal or no human intervention. A Disaster Recovery plan will also ensure that appropriate scheduled data backups are performed, and that the data can be recovered from the backup storage within acceptable time limits. The amount of time and money to invest in high availability and data backups will be determined during the Risk Management process.
Business Continuity enables your business to continue operations with alternative arrangements in the event that:
- A failure in the IT system occurs, with an impact to your business operations beyond what your Disaster Recovery plan was designed to handle, due to cost and risk assessment considerations.
- The recovery procedures in your Disaster Recovery plan fail in execution, in spite of being designed and expected to handle the outage or problem at hand. This can happen if the Disaster Recovery plan was inadequately planned, or neglected and thus rendered out of date.
- There is an incident that impacts your operations not related to IT, such as an earthquake, fire, flood, terrorist attack, sudden loss of key personnel, or a key supplier or business partner going out of business.
Disaster Recovery deals with your IT systems only, and is a component of Business Continuity management. When fully developed, Business Continuity planning will cover all potential threats to the operation of your business, and all activities needed to resume business following an interruption. Even if only dealing with an IT problem, there is still a distinction: Disaster Recovery is about restoring the IT system to the way it was, while Business Continuity focuses on alternate arrangements (temporary or permanent) and continuing operations even in the face of unrecoverable losses, and it therefore has much broader requirements for participation and preparation on the part of management, employees, partners, and customers.
The main reason Disaster Recovery is often mixed up with Business Continuity is that, for virtually all businesses in our modern era, the single most significant potential threat to Business Continuity is IT system downtime or unrecoverable data loss, and the IT system is among the factors that require the most consideration and preparation when planning for alternate arrangements following almost any kind of calamity. So, articles you might read elsewhere about this topic, especially when discussing resuming business following destruction of the IT system, might refer to the process as Disaster Recovery, Business Continuity, or both interchangeably. The distinction, why it matters, where they overlap and interact, and who should know and why, will become even more clear as you read through the succeeding articles on this topic, which include a broad range of practical illustrations.