Thursday, August 30, 2018

Business Continuity vs. Disaster Recovery; What’s the Difference?


Picture courtesy: https://msinfokom.com/

A lot of people use the terms disaster recovery (DR) and business continuity (BC) plans interchangeably, but technically there is a difference. A disaster recovery plan is more reactive while a business continuity plan is more proactive.

Business Continuity Planning (BCP) and Disaster Recovery (DR) are used together so often that people often begin to forget that there is a difference between the two. The idea of this post is to try to define these terms from a practical point of view. 

In day to day lingo, BCP refers to plans about how a business should plan for continuing in case of a disaster. DR refers to how the IT (information technology) should recover in case of a disaster. It may sound a bit weird, but after the first 500 times, you sort of start getting used to it and start preaching it as well. I think these definitions must have started off as a practical joke played by mischievous IT staff on their organization, or maybe it was some consultant trying to wiggle out of a situation where he forgot to make a BCP for IT.

If you think practically, a BCP is a plan that allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered (technicality: at a predefined level) in case of a disaster, while a DR allows a business to plan what needs to be done immediately after a disaster to recover from the event. So, a BCP tells your business the steps to be taken to continue its key product and services, while a DR tells your business the steps to be taken to recover post an incident.

Your impact analysis, your business continuity strategy and business continuity plans are a part of BCP. Your incident response, emergency response, damage assessment, evacuation plans, etc. are all a part of DR. It makes sense to divide your planning into two parts
  1. Planning to continue your business operations and 
  2. Planning to recover from disaster situations

If you use these definitions of BCP and DR, you would probably end up having a practical and effective BCMS for your organisation.

Let us assume a practical scenario in an organization, where the IT team is the one that is really worried about data backup and recovery. No one else gives two hoots. Roughly translated, it means the others will run to IT in case of disaster and say: “What do you mean you cannot recover it. I assumed it was being backed up.”

So, the IT team takes it upon itself to build a business continuity plan. The problem, however, is that they will receive no data from business about esoteric terms like ‘criticality of activities supporting key products and services’. They have to do the next best thing. Ask the business “What will happen if this application crashes and is not recoverable?” This becomes the applications RTO. They ask “What will happen if we lose data for 1 min, 1 hour, 1 day, 1 week, 1 year, etc. progressively (until they see the business users pupils dilate). This becomes their RPO. Armed with this data they create a plan to recover these key applications and services (provided and supported by IT) within the RTO and RPO. Calling this a business continuity plan is not the right thing to do, hence the IT calls it a DR plan. It is then free to make statements like “We have a DR, but not a BCP” to the half-read consultant and get away by showing this document as a BCP to the untrained auditor (believe me there are plenty of those around). The auditor sees some calculation of RTO and RPO and accepts the plan as a BCP, thus obfuscating the definitions further.

The Bottom Line
Business Continuity is the first defense against a disaster threatening the proper function of business. However, Disaster Recovery is a must for any organization who cannot function without its vital business data. Although Disaster Recovery is just a smaller part of the larger Business Continuity umbrella, enterprise organizations would be wise to employ both strategies for full protection. Disaster Recovery techniques are more preventative in nature than continuity tools, which are typically used to maintain smooth business operations.

Practical advice
Plan in two parts as above. A plan to continue business processes (Including support processes like IT) and a plan to respond to and recover from incidents (Emergency Management) and you should be good. If you are in IT and the business is not responding for a BCMS, use the tactic shown above to have a minimalist practical plan."