History of Disaster Recovery and Business Continuity
Have you ever seen a photograph of an office in the 1960s or before, and marveled at the desks with no computers on them? Isn't it a wonder how they got any work done? Well, the recording and processing of information certainly was slower, but as long as your people could keep up with your business partners and competitors, then paper and ink were good enough.
Prior to the mid-twentieth century, what we now call Disaster Recovery and Business Continuity doctrine consisted primarily of fire prevention and insurance, and maybe a fireproof safe for the most important paper documents. Raging infernos were the major persistent threat to facilities, inventory, and business records. Construction and prevention measures then improved to the point that total devastation to one's business was barely a thought anymore—until the rise of computers, also known as the Information Age.
At first, only the government, universities, banks, and the airlines used computers, which were enormous and expensive in the 1950s. With each passing decade, more data could be produced, stored, indexed, and analyzed in a smaller space and far less expensively than before.
These new capabilities not only facilitated far more productivity, but also enabled a more complex and fast-paced business environment in all sectors. It was during these changing times that the terms risk management and risk manager first became common.
That's not to say risk management was unknown before then. Insurance companies have always had actuaries. The great advances through the nineteenth century and into the twentieth—such as the U.S. railroads, the Panama Canal, the Hoover Dam, and the skyscrapers in all our cities—would not have been financed without some sort of process employed by the project managers for mitigating risk. But for many ordinary businesses that went about their operations with no problems for years or decades, risk management doctrine didn't tend to go beyond buying what seemed like reasonable insurance policies against potential calamities such as fires, theft, and natural disasters. Evaluating insurance needs and purchasing the optimal policies were pretty much the extent of the risk manager's responsibility.
As the Information Age continued its progress, risk managers couldn't ignore the most significant growing threat to business operations, in terms of likelihood and impact—the fact that IT systems could spontaneously fail, making the crucial data storage and processing functions unavailable, or possibly permanently losing data.
[Photo: IBM System/360, Model 40. Courtesy of International Business Machines Corporation. © (1966) International Business Machines Corporation. Used by permission granted to J.D. Fox Exec.]
Early on, a business computer system might have been built entirely by a single vendor, such as IBM or Digital, with a full-service contract including any and all needed spare parts, and technicians performing data backups to prevent loss due to hardware failure. With a computer that filled a single role (such as payroll, billing, or airline booking), the system itself might be complicated, but it could be managed as a discrete unit the same as any machinery. Management only had to communicate their recovery requirements, which were incorporated into the service contract terms. It was then that the term Disaster Recovery came into being, referring to restoration of data and functionality following extensive or total technical malfunction, as opposed to routine computer maintenance, diagnostics, and repair activities. The word "disaster" was appropriate, due to the potential for sudden loss of an entire segment of a business' operation, which wasn't likely when the business had a staff of loyal, intelligent, and responsive human beings who handled the tasks that have now been turned over to cold and uncaring electronic equipment.
Computers started to fill more roles and become integrated with more aspects of business operations through the 1980s and 1990s. As information technology matured and grew, businesses built more complex systems composed of components from multiple vendors, all of which had to be integrated and managed by the company's IT staff, who had to be experts on how their system was all put together and what tasks it had to support. Along with this increased complication, management needed to be more involved to ensure the supported tasks, and recoverability in case of failure, were aligned with business objectives and risk tolerance. This coordination between management and IT defines the modern discipline of Disaster Recovery as a business process, not just a technical task. Industry organizations were founded during this era, such as the Disaster Recovery Institute (DRI) in 1988, to promote and support this new class of management-level Disaster Recovery practitioners.
Within a few years, as businesses implemented and developed Disaster Recovery doctrine, and as reliance on IT increased, it became clear that focusing on IT system recovery wasn't enough. Hardware failure, database corruption, or accidental deletion can be handled with appropriate redundancy and backups, which is what Disaster Recovery tends to focus on. But Disaster Recovery doctrine does not address how a business will continue to serve customers, generate invoices, collect on accounts receivable, pay employees and vendors, and maintain communications while the IT system is being rebuilt and the data restored following a failure, or what to do in the event of a catastrophe so great that the IT system is unrecoverable.
Thus was born Business Continuity planning as a formal discipline. The DRI expanded the scope of its flagship certification from Disaster Recovery to Business Continuity in the early 1990s, around the same time as the Business Continuity Institute (BCI) was founded. This expanded focus helped combine non-IT threats to business operations with Disaster Recovery planning into the same mitigation planning process, enabling better efficiency and value from investments of time and money in risk management.
Business Continuity continued to grow as an accepted practice, although unfortunately too many businesses did not embrace it. The prominence of Business Continuity got a boost in the U.S. after our enemies destroyed the World Trade Center on September 11, 2001. Some companies were wiped out of existence, as all of their physical assets were in one building and they were unable to continue even if their people got out in time. Major firms with nationwide operations and headquarters in the World Trade Center survived, but found their Business Continuity and Emergency Response plans to be inadequate, particularly in relation to plan validation and rehearsal, communications, and personnel accountability. As a result, the U.S. government implemented new regulations requiring Business Continuity planning and establishing guidelines for certain companies that play a critical role supporting our economy, such as those involved in securities and financial trading markets.
You can now see why these two disciplines are so often described as one and the same; one could say Business Continuity grew out of Disaster Recovery. Our historical survey also illustrates why a devastating fire, earthquake, tornado, flood, or act of war—each of which we generally refer to as a "disaster"—is covered by Business Continuity, while the term Disaster Recovery focuses on Information Technology failures.
As you know, today's IT systems mesh with all aspects of business, from, at a minimum, e-mail and document sharing, to order processing, timekeeping and payroll, inventory and warehouse operations, software development and testing, data archiving, market or financial analysis, mapping, graphic design, video editing, printing, internet telephony, video conferencing, customer relationship management, scheduling and practice management, a company website, and architectural and engineering design. And as we grapple with the emerging challenges of dispersion due to the rise of public cloud computing and user-owned mobile devices, the need for guided, professional, doctrinal and expert planning for Disaster Recovery and Business Continuity only continues to grow.