The terms ‘disaster recovery’ and ‘business continuity’ are often used interchangeably. In defence of those who make this common mistake, the two terms are used to describe similar approaches. Understanding how the two differ, however, is vital. If this comprehension is not developed, any individual responsible for enhancing an organisation’s resilience is likely to commit one of two fatal errors: failing to identify a prominent threat or failing to create a contingency plan addressing the loss of key systems.
Whilst business continuity and disaster recovery strategies are closely related, both being predominantly concerned with keeping organisations operative and minimising loss, they have a clear hierarchy. The former is designed to negate threat, the latter to contain and moderate damage in the event the initial strategy is unable to prevent an incident. One relies on proactivity, the other on predefined sets of protocols to be followed in specific circumstances.
Here, I will outline what both of these strategies are, the pain points each should address and how to successfully implement them. In doing so, I will make it clear why both are needed and how they typically overlap with one another.
Overarching and multi-faceted, the business continuity plan’s purpose is to identify threats to an organisation’s status quo and how to maintain operations in the event that they come to pass. It will need to consider all potential concerns. The perpetuation of regulatory compliance and continued observance of contractual obligations are prominent examples. Alterations to infrastructure, how resources will be allocated in certain scenarios and the induction of cultural shifts are further key considerations.
The coronavirus pandemic serves as a reminder of the importance of business continuity plans. Organisations that had formulated such strategies would have pivoted to models reliant on home working with greater ease and success. Those without them invariably encountered greater disruption which, in turn, will have adversely impacted productivity.
This may, due to the pandemic’s unprecedented and far-reaching effects, be viewed as an extreme example. Nevertheless, all organisations face multiple threats to their continuity. In 2019, a survey revealed that business continuity was a priority concern amongst 76% of respondents [1]. The inference is that nearly a quarter of organisations do not give sufficient credence to a vital practice.
In order to create an effective business continuity plan, the following steps should be followed:
Identifying risks to stability and operations is the logical starting point when creating a business continuity plan. These should include broad threats such as cyber attacks, as well as any specific to sectors or individual organisations such as parameters set out by governing bodies or the sudden loss of an internal resource.
Once identified, decision makers need to assess the ways in which conceivable threats are likely to affect their organisations. These likely outcomes should then be assigned scores dependent on the severity of their impact on organisational health. The total number of outcomes relating to each scenario can then be used to assign a ‘threat score’ to scenarios to create a hierarchy and effectively prioritise the next step in this process.
Once the hazards that pose the greatest threat to performance have been identified, plans for preventing them from disrupting operations can be developed.
Here, it should be remembered that prevention is better than cure; improvements to cyber security measures are superior to those that isolate infections and limit damage post breach, for example. In short, wherever possible, change should be made that negates threats in their entirety. Where this is not possible, change needed to mitigate events should be outlined and implemented in accordance with threat hierarchies. Mitigation processes themselves, however, should feature within disaster recovery plans, which will be discussed in more depth later.
Ensuring that changes have been implemented correctly and continue to function as intended is integral to any business continuity plan. Solutions should be tested both following their realisation and at regular intervals.
As threats to an organisation’s wellbeing will continuously evolve, the risk identification and assessment stage of continuity planning should also be revisited frequently and updated as required.
A business continuity plan is designed to counter threats and maintain ‘business as usual’. A disaster recovery plan is concerned with remediating situations and allowing organisations to return to normality within the shortest possible timeframe when something does go wrong.
In short, a business continuity plan is proactive. A disaster recovery plan is reactive. It outlines the exact steps that are to be followed within specific circumstances and the individual responsibilities of both internal and external stakeholders.
Creating an effective disaster recovery strategy involves the following steps:
Returning key systems to working order is amongst any disaster recovery strategy’s most important goals. This part of the strategy should be closely aligned to a business continuity plan, particularly any tech-centric change that was deemed necessary at that stage. In particular, documents outlining which technology will enable the recovery of systems and data, and the relevant processes, should be developed for continuity.
Identify which stakeholders will be required to undertake key responsibilities and brief them accordingly. It is essential that the responsibilities of third parties, such as vendors and suppliers, are also determined. Again, all of this should be documented.
Once backup and recovery processes are established, they should be tested thoroughly. Tests should also be conducted regularly to ensure the processes remain fit for purpose. These tests will provide a means through which recovery times can be estimated and documented.
Both a business continuity plan and a disaster recovery plan are essential. The former is certain to be implemented and used. The latter will hopefully never be required. Nonetheless, operating without both is a significant and wholly unnecessary risk.
1. Continuitycentral.com (2019) Results from the 2019 Business Continuity Benchmark Study, https://www.continuitycentral.com/index.php/news/business-continuity-news/4450-results-from-the-2019-business-continuity-benchmark-study