The terms ‘disaster recovery’ and ‘business continuity’ are often used interchangeably. In defence of those that make this common mistake, the two terms are used to describe similar approaches. Understanding how the two differ, however, is vital. If this comprehension is not developed, any individual responsible for enhancing an organisation’s resilience is likely to commit one of two fatal errors: failing to identify a prominent threat or creating a contingency plan addressing the loss of key systems.
Whilst business continuity and disaster recovery strategies are closely related, both being predominantly concerned with keeping organisations operative and minimising loss, they have a clear hierarchy. The former is designed to negate threat, the latter to contain and moderate damage in the event the initial strategy is unable to prevent an incident. One relies on proactivity, the other on predefined sets of protocols to be followed in specific circumstances.
Here, I will outline what both of these strategies are, the pain points each should address and how to successfully implement them. In doing so, I will make it clear why both are needed and how they typically overlap with one another.
What is a business continuity plan?
Overarching and multi-faceted, the business continuity plan’s purpose is to identify threats to an organisation’s status quo and how to maintain operations in the event that they come to pass. It will need to consider all potential concerns. The perpetuation of regulatory compliance and continued observance of contractual obligations are prominent examples. Alterations to infrastructure, how resources will be allocated in certain scenarios and the induction of cultural shifts are further key considerations.
The coronavirus pandemic serves as a reminder of the importance of business continuity plans. Organisations that had formulated such strategies would have pivoted to models reliant on home working with greater ease and success. Those without them invariably encountered greater disruption which, in turn, will have adversely impacted productivity.
This may, due to the pandemic’s unprecedented and far-reaching effects, be viewed as an extreme example. Nevertheless, all organisations face multiple threats to their continuity. In 2019, a survey revealed that business continuity was a priority concern amongst 76% of respondents.1 The inference is that nearly a quarter of organisations do not give sufficient credence to a vital practice.
Do you have a business continuity plan in place?
Business continuity plan creation framework
In order to create an effective business continuity plan, the following steps should be followed:
1. Thoroughly assess business risks and their likely impact
Identifying risks to stability and operations is the logical starting point when creating a business continuity plan. These should include broad threats such as cyber-attacks, as well as any specific to sectors or individual organisations such as parameters set out by governing bodies or the sudden loss of an internal resource.
Once identified, decision-makers need to assess the ways in which conceivable threats are likely to affect their organisations. These likely outcomes should then be assigned scores dependent on the severity of their impact on organisational health. The total number of outcomes relating to each scenario can then be used to assign a ‘threat score’ to scenarios to create a hierarchy and effectively prioritise the next step in this process.
2. Implement change accordingly
Once the hazards that pose the greatest threat to performance have been identified, plans for preventing them from disrupting operations can be developed.
Here, it should be remembered that prevention is better than cure; improvements to cyber-security measures are superior to those that isolate infections and limit damage post-breach, for example. In short, wherever possible, change should be made that negates threats in their entirety. Where this is not possible, change needed to mitigate events should be outlined and implemented in accordance with threat hierarchies. Mitigation processes themselves, however, should feature within disaster recovery plans, which will be discussed in more depth later.
3. Develop testing and review frameworks
Ensuring that changes have been implemented correctly and continue to function as intended is integral to any business continuity plan. Solutions should be tested both following their realisation and at regular intervals.
As threats to an organisation’s wellbeing will continuously evolve, the risk identification and assessment element stage of continuity planning should also be revisited frequently and updated as required.
What is a disaster recovery plan?
A business continuity plan is designed to counter threats and maintain ‘business as usual’. A disaster recovery plan is concerned with remediating situations and allowing organisations to return to normality within the shortest possible timeframe when something does go wrong.
In short, a business continuity plan is proactive. A disaster recovery plan is reactive. It outlines the exact steps that are to be followed within specific circumstances and the individual responsibilities of both internal and external stakeholders.
Disaster recovery plan creation framework
Creating an effective disaster recovery strategy involves the following steps:
1. Identify recovery processes and required technologies
Returning key systems to working order is among any disaster recovery strategy’s most important goals. This part of the strategy should be closely aligned to a business continuity plan, particularly any tech-centric change that was deemed necessary at that stage. In particular, documents outlining what technology will enable the recovery of systems and data, and the relevant processes should be developed for continuity.
2. Determine individual responsibilities
Identify which stakeholders will be required to undertake key responsibilities and brief them accordingly. Vitally, it is essential that the responsibilities of third parties such as vendors and suppliers are determined, also. Again, all of this should be documented.
3. Develop testing and review frameworks
Once backup and recovery processes are established, they should be tested thoroughly. Tests should be conducted regularly to ensure they remain fit for purpose, also. These tests will provide means through which recovery times can be estimated and documented.
Protect your business with a strong disaster recovery plan.
Both a business continuity and disaster recovery plan are essential. The former is certain to be implemented and used. The latter will hopefully never be required. Nonetheless, operating without both is a significant and wholly unnecessary risk.