QuestionsAnswered.net
What's Your Question?
Making a Risk Management Plan for Your Business
It’s impossible to eliminate all business risk. Therefore, it’s essential for having a plan for its management. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management. These guidelines are for making a risk management plan for your business.
Developing Your Executive Summary
When you start the risk management plan with an executive summary, you’re breaking apart what it will be compromised of into easy to understand chunks. Even though this summary is the project’s high-level overview, the goal is describing the risk management plan’s approach and scope. In doing so, you’re informing all stakeholders regarding what to expect when they’re reviewing these plans so that they can set their expectations appropriately.
Who Are the Stakeholders and What Potential Problems Need Identifying?
During this phase of making the risk management plan, you’re going to need to have a team meeting. Every member of the team must be vocal regarding what they believe could be potential problems or risks. Stakeholders should also be involved in this meeting as well to help you collect ideas regarding what could become a potential risk. All who are participating should look at past projects, what went wrong, what is going wrong in current projects and what everyone hopes to achieve from what they learned from these experiences. During this session, you’ll be creating a sample risk management plan that begins to outline risk management standards and risk management strategies.
Evaluate the Potential Risks Identified
A myriad of internal and external sources can pose as risks including commercial, management and technical, for example. When you’re identifying what these potential risks are and have your list complete, the next step is organizing it according to importance and likelihood. Categorize each risk according to how it could impact your project. For example, does the risk threaten to throw off timelines or budgets? Using a risk breakdown structure is an effective way to help ensure all potential risks are effectively categorized and considered. Use of this risk management plan template keeps everything organized and paints a clear picture of everything you’re identifying.
Assign Ownership and Create Responses
It’s essential to ensure a team member is overseeing each potential risk. That way, they can jump into action should an issue occur. Those who are assigned a risk, as well as the project manager, should work as a team to develop responses before problems arise. That way, if there are issues, the person overseeing the risk can refer to the response that was predetermined.
Have a System for Monitoring
Having effective risk management companies plans includes having a system for monitoring. It’s not wise to develop a security risk management or compliance risk management plan, for example, without having a system for monitoring. What this means is there’s a system for monitoring in place to ensure risk doesn’t occur until the project is finished. In doing so, you’re ensuring no new risks will potentially surface. If one does, like during the IT risk management process, for example, your team will know how to react.
MORE FROM QUESTIONSANSWERED.NET
Life123.com
- Home & Garden
- Relationships
- Celebrations
Writing a Business Plan
While it may be tempting to put off, creating a business plan is an essential part of starting your own business. Plans and proposals should be put in a clear format making it easy for potential investors to understand. Because every company has a different goal and product or service to offer, there are business plan templates readily available to help you get on the right track. Many of these templates can be adapted for any company. In general, a business plan writing guide will recommend that the following sections be incorporated into your plan.
Executive Summary
The executive summary is the first section that business plans open with, but is often the last section to actually be written as it’s the most difficult to write. The executive summary is a summary of the overall plan that highlights the key points and gives the reader an idea of what lies ahead in the document. It should include areas such as the business opportunity, target market, marketing and sales strategy, competition, the summary of the financial plan, staff members and a summary of how the plan will be implemented. This section needs to be extremely clear, concise and engaging as you don’t want the reader to push your hard work aside.
Company Description
The company description follows the executive summary and should cover all the details about the company itself. For example, if you are writing a business plan for an internet café, you would want to include the name of the company, where the café would be located, who the main team members involved are and why, how large the company is, who the target market for the internet cafe is, what type of business structure the café is, such as LLC, sole proprietorship, partnership, or corporation, what the internet café business mission and vision statements are, and what the business’s short-term objectives are.
Services and Products
This is the exciting part of the plan where you get to explain what new and improved services or products you are offering. On top of describing the product or service itself, include in the plan what is currently in the market in this area, what problems there are in this area and how your product is the solution. For example, in a business plan for a food truck, perhaps there are numerous other food trucks in the area, but they are all fast –food style and unhealthy so, you want to introduce fast food that serves only organic and fresh ingredients every day. This is where you can also list your price points and future products or services you anticipate.
Market Analysis
The market analysis section will take time to write and research as a lot of effort and research need to go into it. Here is where you have the opportunity to describe what trends are showing up, what the growth rate in this sector looks like, what the current size of this industry is and who your target audience is. A cleaning business plan, for example, may include how this sector has been growing by 10% every year due to an increase in large businesses being built in the city.
Organization and Management
Marketing and sales are the part of the business plan where you explain how you will attract and retain clients. How are you reaching your target customers and what incentives do you offer that will keep them coming back? For a dry cleaner business plan, perhaps if they refer customers, they will get 10% off their next visit. In addition, you may want to explain what needs to be done in order for the business to be profitable. This is a great way of showing that you are conscious about what clear steps need to be taken to make a business successful.
Financial Projections & Appendix
The financial business plan section can be a tricky one to write as it is based on projections. Usually what is included is the short-term projection, which is a year broken down by month and should include start-up permits, equipment, and licenses that are required. This is followed by a three-year projection broken down by year and many often write a five-year projection, but this does not need to be included in the business plan.
The appendix is the last section and contains all the supporting documents and/or required material. This often includes resumes of those involved in the company, letters of reference, product pictures and credit histories. Keep in mind that your business plan is always in development and should be adjusted regularly as your business grows and changes.
MORE FROM LIFE123.COM
Business Continuity vs. Disaster Recovery: 5 Key Differences
Fill out the form below and we’ll email you more information about UCF’s online Leadership and Management programs.
- Name * First Last
- Degree * Career and Technical Education, BS Career and Workforce Education, MA College Teaching and Leadership Corrections Leadership Destination Marketing and Management Educational Leadership, MA Emergency and Crisis Management, MECM Engineering Management, MS Event Management Health Informatics and Information Management, BS Health Services Administration, BS Hospitality Management, BS Industrial Engineering, MSIE Local Director of Career & Technical Education Lodging and Restaurant Management, BS Master of Public Administration, MPA Nonprofit Management Nonprofit Management, MNM Police Leadership Project Engineering Public Administration Senior Living Management, BS
- Comments This field is for validation purposes and should be left unchanged.
Privacy Notice
Many professionals operate under the assumption that their workplace will remain largely unchanged from one day to the next, finding comfort in rhythms and routines. Sometimes, however, events disrupt business as usual. A critical aspect of leadership is preparing for those interruptions, creating strategies and plans that can keep core business functions intact even under duress.
Two specific fields address potential business interruptions: business continuity and disaster recovery. These disciplines minimize the impact that a catastrophic event might have on a business’s ability to reliably deliver its products and services.
While both fields are important, and even similar in some aspects, they are not synonymous. There are important differences in business continuity vs. disaster recovery, and those in leadership or emergency preparedness roles can benefit from understanding the core distinctions.
One way to develop a clear understanding of business continuity vs. disaster recovery is through studying emergency management. An online program in this field can offer professionals the skills needed to successfully lead companies through different kinds of crises.
Why Business Continuity and Disaster Recovery Matter
Business continuity outlines exactly how a business will proceed during and following a disaster. It may provide contingency plans, outlining how the business will continue to operate even if it has to move to an alternate location. Business continuity planning may also take into account smaller interruptions or minor disasters, such as extended power outages.
Disaster recovery refers to the plans a business puts into place for responding to a catastrophic event, such as a natural disaster, fire, act of terror, active shooter or cybercrime. Disaster recovery involves the measures a business takes to respond to an event and return to safe, normal operation as quickly as possible.
The Importance of Advanced Planning
When businesses face disasters and don’t have the proper plans in place, the effects can be catastrophic. The most obvious effect is financial loss; the longer a business goes without delivering its products and services, the greater its financial losses. Eventually, these losses may force a business to make tough decisions, such as cutting employees. But there can also be technological consequences, including the loss of important or sensitive data.
Having business continuity and disaster recovery plans in place can help companies minimize the consequences of a catastrophic event. They can also provide peace of mind; employees and business owners alike may feel more comfortable in a work setting where there are clear policies for how to respond to disasters.
In many companies, crisis management professionals are responsible for developing and implementing these plans, evaluating and revising them as needed, and training employees to ensure they know how to follow the specified strategies.
Similarities Between Business Continuity and Disaster Recovery
Business continuity planning and disaster recovery planning often seem interdependent. While the two concepts are not the same, they overlap in some areas and work best when developed in tandem.
- Both are proactive strategies that help a business prepare for sudden, cataclysmic events. Instead of reacting to a disaster, both disciplines take a preemptive approach, seeking to minimize the effects of a catastrophe before it occurs.
- Businesses can use both to prepare for a range of ecological and human-made disasters. Business continuity and disaster recovery are instrumental to preparing for pandemics, natural disasters, wildfires and even cyberattacks.
- Both require regular review, and they may sometimes require revision to ensure they match the company’s evolving goals. An emergency management leader will continually test and modify these plans as needed.
Differences Between Business Continuity and Disaster Recovery
A closer look at business continuity vs. disaster recovery reveals some key distinctions. Ultimately, these differences highlight the fact that businesses need to have plans of both kinds in place to be sufficiently prepared for disaster.
- Business continuity focuses on keeping business operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster. In other words, the former is concerned with keeping the shop open even in unusual or unfavorable circumstances, while the latter focuses on returning it to normal as expediently as possible.
- Unlike business continuity plans, disaster recovery strategies may involve creating additional employee safety measures, such as conducting fire drills or purchasing emergency supplies. Combining the two allows a business to place equal focus on maintaining operations and ensuring that employees are safe.
- Business continuity and disaster recovery have different goals. Effective business continuity plans limit operational downtime, whereas effective disaster recovery plans limit abnormal or inefficient system function. Only by combining the two plans can businesses comprehensively prepare for disastrous events.
- A business continuity strategy can ensure communication methods such as phones and network servers continue operating in the midst of a crisis. Meanwhile, a disaster recovery strategy helps to ensure an organization’s ability to return to full functionality after a disaster occurs. To put it differently, business continuity focuses on keeping the lights on and the business open in some capacity, while disaster recovery focuses on getting operations back to normal.
- Some businesses may incorporate disaster recovery strategies as part of their overall business continuity plans. Disaster recovery is one step in the broader process of safeguarding a company against all contingencies.
Leadership in Times of Crisis
Crisis management is an important skill for all business leaders. In fact, crisis management draws upon many of the other skills necessary for business success. Analytical and problem-solving skills as well as flexibility in decision making are essential for assessing potential threats and determining how to proactively address them. Communication skills, both verbal and written, are necessary for articulating a plan and training employees on how they should act in response to a crisis.
“Leadership in managing crises can minimize the damage imposed by an incident while lack of effective leadership worsens the impact,” says Naim Kapucu, Pegasus Professor and director of the School of Public Administration at the University of Central Florida (UCF) . “Organizations should have leaders with crisis management competencies to effectively manage disasters and crises based on the contingencies and environmental and organizational factors.”
Crisis management skills matter because any company can experience a catastrophe that limits its ability to function as normal, and often it will have little time to pivot and adapt. “Crises are not a good time to reorganize adequately operating organizational systems, much less try to implement wholesale organizational changes or reforms,” says Kapucu. Having a plan in place, ready to be executed, can make all the difference. The COVID-19 pandemic has brought into stark relief the uncertainty that businesses face and the extreme disruptions that can take place.
Programs such as the University of Central Florida’s online Master of Emergency and Crisis Management can help leaders fortify the knowledge, competencies, and skills they need to help their enterprises weather these times of crisis.
Crisis Management Careers
Crisis management is a key part of several careers. Each of the following positions offers a different level of leadership through tumultuous times.
Emergency Management Director
Emergency management directors develop and execute the plans that businesses follow to respond to natural disasters and other emergencies. Strong analytical, problem-solving, delegation and communication skills are essential. According to the U.S. Bureau of Labor Statistics, the annual median salary for emergency management directors in 2019 was $74,590.
Disaster Program Manager
Disaster program managers may coordinate shelters, manage triage centers or organize other services in the wake of a disaster. These professionals must be skilled in remaining calm under extreme pressure; empathy and understanding are also important. The annual median salary for this role was around $48,000, according to May 2020 PayScale data.
Geographic Systems Information Coordinator
Geographic systems information coordinators use a wide range of data sources, such as land surveys, to help anticipate and prepare for different disasters. Technical skills and data analysis competencies are vital for success in this role. PayScale reports that the annual median salary for these coordinators was around $58,000 as of May 2020.
Emergency Preparedness Manager
Emergency preparedness managers are typically responsible for making sure employees and customers are safe. They may report directly to the emergency preparedness director, whose role is more comprehensive. The annual median salary of emergency preparedness managers was around $69,000 as of May 2020, according to PayScale.
Developing a Career in Emergency Management
Business continuity and disaster recovery plans help businesses prepare for worst-case scenarios; they provide peace of mind, a sense of stability and key safeguards against major loss and disruption. The University of Central Florida’s online Master of Emergency and Crisis Management (MECM) degree program helps professionals prepare for this important work.
The MECM curriculum exposes students to key emergency management skills, including developing, testing and communicating plans. It emphasizes the financial, ethical, political and practical dimensions of disaster response. Find out more about the MECM degree program today and embark on a new career on the front lines of crisis management.
Online Leadership and Management Degrees at UCF
- Career and Technical Education, BS
- Career and Workforce Education, MA
- College Teaching and Leadership
- Corrections Leadership
- Destination Marketing and Management
- Educational Leadership, MA
- Emergency and Crisis Management, MECM
- Engineering Management, MS
- Event Management
- Health Informatics and Information Management, BS
- Health Services Administration, BS
- Hospitality Management, BS
- Industrial Engineering, MSIE
- Local Director of Career & Technical Education
- Lodging and Restaurant Management, BS
- Master of Public Administration, MPA
- Nonprofit Management
- Nonprofit Management, MNM
- Police Leadership
- Project Engineering
- Public Administration
- Senior Living Management, BS
You May Also Enjoy
- Desktop Pop-up Alert
- Desktop Scrolling Ticker
- Login Screen Alert
- One-Click Alert
- Corporate Screensaver
- Corporate Wallpaper
- Corporate Lockscreen
- Mobile Alert App
- SMS Notification
- AD Integration
- SSO Integration
- API Integration
- Automated incident notifications
- MS Teams Integration
- Emergency alert
- Extended reports
- RSVP Invitation
- Digital Signage
- Video Alert
- E-mail Notification
- Skin Editor and Skin Services
- Corporate News (Templates)
- Product Overview
- How It Works
- Product Packages
- Compliance communications
- COVID-19 communications
- Crisis Communications
- Emergency communications
- Employee engagement
- HR Communications
- Remote Communications
- Email Overload
- Change communications
- IT Alerting
- Engineering
- Hospitality
- Manufacturing
- Oil and gas
- Case Studies
- Documentation
- Knowledge Base
- System Requirements
- Cybersecurity webinar
- Internal communications webinars
- Technical Support
- Maintenance
- Professional Services
- Our Partners
- Become Our Partner
Disaster Recovery vs Business Continuity: 5 Top Differences
Table of contents
What is business continuity?
What is disaster recovery, 5 differences between disaster recovery and business continuity.
Business continuity plan vs disaster recovery plan: do you need both?
What to include in a business continuity plan
What to include in a disaster recovery plan, the risks of not having business continuity and disaster recovery plans, why communication is critical in disaster situations.
The term business continuity is used to describe a business's process to remain operational during and after a disaster. This includes contingency planning for how a company will operate, who will carry out particular roles, where the business will operate from, and what effects this will have on normal business operations.
hbspt.cta._relativeUrls=true;hbspt.cta.load(2607633, '5069c8e2-ab41-4c12-be05-2c66b3d0562d', {"useNewLoader":"true","region":"na1"});
Disaster recovery is a term that describes the plans a company puts into place that it will use to respond to a disaster or other critical event. This can include natural disasters, fire, data loss, cyber-attacks, terrorism, accidents, active shooters and other incidents that have the ability to hamper the business’ operations. Disaster recovery plans help to guide the organization in its response to the incident or event and provide guidance on returning to usual operations safely.
Download 9 IT outage messages
What is the difference between business continuity and disaster recovery? There are some similarities between the two planning processes: they empower a business with proactive strategies to help it prepare for a catastrophic event. However, there are several differences that organizations should be aware of when it comes to business continuity vs disaster recovery:
- Essentially, business continuity is a focus on keeping the business operational while a disaster unfolds and in its immediate aftermath. On the other hand, disaster recovery32 is a focus on restoring processes, systems and IT infrastructure and data following a critical event.
- Disaster recovery plans often involve scenario planning and conducting preparedness drills and other exercises long before there is an actual incident.
- The delivery of a business continuity plan is at a different time from a disaster recovery plan.
- They have different goals: business continuity plans are concerned with limiting downtime, while disaster recovery plans are concerned with ensuring the company doesn’t suffer from inefficient systems functions.
- Business continuity is concerned with functioning in some capacity, albeit possibly reduced. Disaster recovery is concerned with getting back to normal business functions.
Real-life example of business continuity: Back in 2013, lightning struck the office building of a South Carolina based IT company that hosted servers for 200 clients. The company’s infrastructure was badly affected: cables were melted, computer hardware was burnt, equipment was destroyed and the office couldn’t be used at all. The company had already implemented business continuity plans five years earlier that included relocating its client servers to a remote data server where continual backups were kept. Clients didn’t experience any issues, and employees had to relocate to temporary office premises for a period of time.
Business continuity vs disaster recovery plans: do you need both?
In order to ensure business continuity or disaster recovery, it is essential to have formal plans in place.
While it is possible to have just one or the other, businesses really should have both disaster recovery plans (DRP) and business continuity plans (BCP) in place to successfully navigate and recover from a disaster. While they are different, they do have some overlap and work well together to help minimize disruption and losses.
When developing a business continuity plan for your organization, you need to consider the following:
- Create a list of all the critical business functions in your organization
- Create a business impact analysis
- Develop a range of different crises scenarios and consider how they could interrupt your business operations
- Develop strategies to mitigate any vulnerabilities you have identified to maintain functionality in a disaster.
- Identify employees who will have key roles in implementing business continuity processes.
- Provide training to relevant employees
- Review and evaluate your business continuity plan regularly.
The disaster recovery plan has some similar requirements and features to the business continuity plan. When developing one, you need to consider the following:
- Identify people in your organization who should form a disaster recovery team.
- Identify the critical processes and functions that could be affected by a disaster.
- Identify potential disaster risks and consider how they could affect your business operations.
- Design disaster recovery strategies and processes.
- Devise back-up plans and procedures.
- Ensure your employees are trained.
- Test and maintain your plan on a regular basis.
Failing to be prepared for a critical situation or a disaster can have significant consequences for a business if it is caught out without appropriate plans.
This can include:
- The inability for the business to function following a crisis
- Reduction in productivity following a crisis
- Financial losses
- Reputational damage
- Potential legal consequences, particularly if failure to plan and protect data results in regulatory violations
- Death or injury to employees, customers, the public etc.
- Complete data loss.
10 free emergency messages
When your organization faces a crisis, it is important that your keep employees informed from the outset.
You must send regular, relevant, concise and factual information to employees, letting them know what is happening and providing them with any instructions to follow if necessary. As the situation changes, you should keep updating your staff.
Failure to inform your employees can cause false information and rumors to take hold. This can lead to mistrust, mistakes and can even worsen the situation.
If you need to reach all your employees quickly, using IT alerting software or an emergency alert system is one of the most successful methods of doing so.
DeskAlerts combines both functions. It will enable you to send messages quickly to thousands of employees at once in a way that can’t be ignored. You can reach employees no matter where they are working: in the office, on the road, in a non-desk role or at home, all over the world. The system uses a variety of communications channels, including pop-up alerts , desktop tickers , digital signage and push notifications on mobile phones to ensure your messages get through.
We’ve prepared some examples to help you get started using DeskAlerts pop-up alerts:
Example of a business continuity message that can be tailored to suit your company:.
Important information for all staff. There has been a [type of incident] that is affecting our operations at [location]. As a result the following services/activities are unavailable and/or have been significantly affected [list these here]. We are enacting our business continuity plan so that we can continue to operate, although in a reduced capacity. Our website, social media channels and call centers have been updated to keep our customers and the community informed about the situation. We expect that the situation will last for [time frame] and are doing everything possible to get back up and running as normal. We will keep you updated as the situation unfolds. Staff who have been affected should [list what is required of them during this time] Your patience and cooperation at this difficult time is appreciated. [CEO name]
Example of a disaster recovery message that can be tailored to suit your company:
Important information for all staff. As a result of [describe incident] our systems have been severely impacted. This is affecting [company name’s] ability to carry out business. We have now enacted our disaster recovery plan and we have a dedicated team working on resolving the issue and restoring our systems and data. This issue is expected to take up to [estimated time frame] to be resolved. In the meantime, staff can [list what tasks or work you may have employees do in the interim]. Further information will be communicated as the situation unfolds. Staff are reminded to maintain confidentiality about this situation and not to post on social media or talk to the press. Customers with questions can be referred to our call center who will have the most up to date information and will prevent misinformation or old information from being circulated. Your patience and cooperation at this challenging time is appreciated. [CEO name}
Any business can find itself mired in a disaster when it least expects it. Having robust contingency plans in place will help to ensure that the business comes out the other side still able to operate.
What are disaster recovery and business continuity plans?
A disaster recovery plan is designed to save and recover data and other business processes in the event of a critical incident. A business continuity plan is designed to keep a business functioning in some capacity when it finds itself involved in a critical incident.
How is business continuity planning different from disaster recovery planning?
Business continuity plans are concerned with establishing how business operations will function in the event of abnormal circumstances as a result of an emergency or disaster. A disaster recovery plan is concerned with how applications and systems will be reinstated and returned to normal operation.
What is the difference between BCM and DR?
BCM – business continuity management – is an organization’s ability to keep delivering its products and services during a disaster. DR – disaster recovery – is generally about technology and refers to how an organization recovers from an incident.
What is BCP in disaster recovery?
In the disaster recovery process, a BCP is a business continuity plan that describes the way a company may mitigate loss of business and define the requirements to continue operations in a disaster situation.
What comes first, disaster recovery or business continuity?
Business continuity planning and disaster recovery involves following a process. A company should have business continuity planning as the foundation of its disaster planning – therefore it needs to happen before disaster recovery planning.
Is business continuity a new name for disaster recovery?
Business continuity is different from disaster recovery. It is focussed on keeping a business functioning in some capacity after a critical incident.
What is the difference between DRP and BCP in cyber security?
There are some differences in disaster recovery versus business continuity. Business continuity planning involves strategic long-term plans for a business’s uninterrupted operations in the event of a threat or disruption. Disaster recovery planning is a short-term tactical plan used to deal with specific computing and other IT-related outages .
Learn more about cybersecurity in the workplace .
Topics: Emergency Alert System - IT Outage - Business Continuity - IT communications - Emergency communications
Recent Posts
Useful Links
- Сase Studies
[email protected]
- Android App
- License Agreement
- Privacy Policy
- en Português Italiano Français Español Deutsch
The Key Differences Between a Disaster Recovery Plan vs. a Business Continuity Plan
As a managed services provider (MSP), you may have been asked for your recommendation on whether to implement a disaster recovery plan or a business continuity plan. At face value, these two terms have a lot in common—they both share the long-term goal of keeping your business up and running. There are, however, key differences between the purposes of a business disaster recovery plan versus a business continuity plan, which is why it’s so important for businesses to prepare both. Your customers should know that these two plans are not interchangeable, because they each perform a specific role.
Manage large networks or scale IT operations with RMM made for growing service providers.
To help you answer this question for your customers, this guide will outline the key differences between a disaster recovery plan, sometimes called a data recovery plan, and a business continuity plan . It will also explain the importance of each and how to go about creating them.
What is a business continuity plan?
A business continuity plan is a broad plan designed to keep a business running, even in the event of a disaster. This plan focuses on the business as a whole, but drills down to specific scenarios that might create operational risks. With business continuity planning, the aim is to keep critical operations functioning, so that your business can continue to conduct regular business activities even under unusual circumstances.
When followed correctly, a business continuity plan should be able to continue to provide services to customers, with minimal disruption, either during or immediately after a disaster. A comprehensive plan should also address the needs of business partners and vendors.
The continuity plan itself should live as a written document that outlines the business’ critical functions. This is likely to include a list of critical supplies, crucial business functions, copies of important records, and employee contact information. The information included in the plan should allow the business to be up and running as soon as possible after a disruptive event has occurred.
What is a disaster recovery plan?
A disaster or data recovery plan is a more focused, specific part of the wider business continuity plan. The scope of a disaster recovery plan is sometimes narrowed to focus on the data and information systems of a business. In the simplest of terms, a disaster recovery plan is designed to save data with the sole purpose of being able to recover it quickly in the event of a disaster. With this aim in mind, disaster recovery plans are usually developed to address the specific requirements of the IT department to get back up and running—which ultimately affects the business as a whole.
Depending on the type of disaster that occurs, the plan could involve everything from recovering a small data set to an entire datacenter. Most businesses are heavily reliant on information technology, which is why the disaster recovery plan is such an important part of successful business continuity planning.
In some cases, disaster recovery planning may also refer to protocols that exist outside the IT department. For example, disaster recovery plans could include steps for recovery personnel to seek a backup business location so that critical operations can be resumed. This might be useful in the event of an environmental disaster, such as flooding, which might render the existing business premises unusable. The plan might also include guidance on how to restore communication between emergency staff if the usual communication lines are unavailable. If your IT department is creating an IT-focused plan, you should include all non-IT recovery protocols in the wider business continuity plan.
A disaster recovery plan vs. business continuity plan
To summarize, disaster recovery refers to the way data, servers, files, software applications, and operating systems are restored following a damaging event. In contrast, business continuity refers to the way a business maintains operations during a time of technological malfunction or outage. In other words, a disaster or data recovery plan dictates how a business should respond to a disaster, while a business continuity plan dictates how a business can continue to operate throughout a disaster.
What specific ways can disaster recovery plans be tested?
To help ensure that any disaster recovery plan can hold its own in the event of a real disaster, it’s advisable to run a series of disaster recovery tests. Here are five common types of disaster recovery tests:
- Paper test: individuals in your IT department read and annotate recovery plans to flag any issues
- Walkthrough test: in a group, your IT department walks through the plans to identify any problems and recommend changes
- Simulation: your IT department simulates a disaster to determine whether the response plans are appropriate
- Parallel test: recovery systems are implemented and tested to see if they can perform actual business transactions in the event of a disaster. Primary systems still carry the full production workload
- Cutover test: primary systems are disconnected and recovery systems are implemented and assume the full production workload to see if they can perform business operations in the event of a disaster
What should you include in a disaster recovery plan?
A disaster recovery plan should encompass all the procedures, technologies, and objectives necessary for making a rapid recovery after a disaster. At minimum, your plan should account for the following:
- Recovery technologies: all systems currently implemented, or those that should be, in support of recovery
- Recovery time objective (RTO) : this refers to your desired timeframe for completing recovery before the situation becomes critical
- Recovery point objective (RPO) : RPO refers to the age of data backups—it’s the desired recovery point for restoring data from a backup
- Recovery protocols: these protocols should identify who does what in the event of a disaster, including clearly defined roles and how you expect recovery personnel to communicate with each other
- Vendors, suppliers, and other third parties: your plan should include a list of any parties who may be needed to support recovery, as well as their emergency contact details
- Recovery testing: outline periodic tests and mock disaster scenarios to confirm your recovery systems work as they should
Your disaster recovery plan and all the above facets should be updated regularly to help ensure that it remains accurate, as you never know when disaster might strike.
What does a business continuity plan typically include?
Your business continuity plan should act as a single, multifaceted document for managing every aspect of disaster preparedness in your business.
A typical business continuity plan will usually require the following sections:
- Contact details: specifically for those who developed the plan, as well as any key recovery personnel
- Plan objectives: describes the overall aim of the plan and what it will try to accomplish
- Risk assessment: this involves conducting a thorough assessment of disaster scenarios, their likelihood, and their impact
- Impact analysis: an outline of how each possible disaster scenario could impact your business (i.e., costs of repair, disruption to services, etc.)
- Prevention: steps and systems for helping prevent each of the disasters listed, such as implementing anti malware to prevent cyberattacks
- Response: this section should detail how the business will respond to each disaster to minimize the impact
- Areas for improvement: any weaknesses identified during the creation of the plan, as well as recommended solutions
- Contingencies: a list of secondary backup assets, such as a backup office location to be used in the event of a disaster
- Communication: protocols for maintaining communication with recovery personnel, such as a text alert system
Choosing the right disaster recovery and business continuity software
Devising a disaster recovery and business continuity plan is a time-consuming, complicated, and ongoing process. For MSPs, creating these types of plans is even more of a challenge, as they typically manage the recovery and continuity strategy for multiple customers. To do this effectively, it’s crucial that MSPs have access to reliable software so they can manage their approach to business continuity and disaster recovery in a cost-efficient and streamlined way.
N-able ® N-central ® helps MSPs tackle disaster recovery and business continuity with an all-in-one solution. N-central is a powerful option because it provides a scalable solution to disaster recovery and business continuity planning—alongside a whole slew of other critical MSP capabilities. N-central includes the capabilities necessary for MSPs to effectively manage complex networks with maximum precision—all from one powerful dashboard.
This remote monitoring and management tool offers a range of backup management features to support effective disaster recovery and business continuity . This includes cloud and on-premises backup, bare metal recovery, virtual machine support, private keys, data archiving, and more. By having such features alongside patch management, network topology mapping , remote monitoring, and more, MSPs gain access to a single dashboard that allows them to offer more streamlined customer services. To learn more, a 30-day free trial of N-central is available.
Want to stay up to date?
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.
Loading form....
If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.
If this issue persists, please visit our Contact Sales page for local phone numbers.
Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site
Business Continuity vs Disaster Recovery – Understanding the difference
It can often be confusing when talking about business continuity vs disaster recovery. Not only is there an overlap in between business continuity (BCP) and disaster recovery (DR), but these terms are often used interchangeably, which further adds to the confusion.
Simply put, the purpose of business continuity is to ensure that critical business functions work continuously with minimal downtime in case of disruption. On the other hand, disaster recovery aims to restore business processes as soon as possible.
Presented below is a detailed explanation of these terms, what they are, how they overlap, and what makes them distinct from one another.
On this page:
Understanding Business Continuity
What is disaster recovery, what is the difference between business continuity and disaster recovery, how do they work together – where business continuity and disaster recovery overlap, business continuity vs disaster recovery – does your business need one, or both, business continuity: risk management, business continuity planning: risk assessment, how to start disaster recovery planning.
Business continuity is a way of temporarily addressing the disruption until the issue can be fixed. In the event of a disruption, to ensure that your organization can continue to operate, you need to undertake business continuity planning exercise.
As an example, say your office experiences flooding. A business continuity plan (BCP) details the actions, processes, and responsibilities required to secure your essential assets, continue your critical business processes, and ensure staff still have somewhere to work from. Such steps may include the setting up of a temporary office or arranging for your employees to work from home.
Business continuity plans usually focus on business applications and online systems, network and telecommunications services, and network and server access. Effective business continuity plans can enable a business to get its systems back up and running promptly, limiting damage to your organizations’ productivity.
Business continuity planning starts with a risk assessment, and business impact analysis (BIA) to determine the scope of the plan, regulatory, and legal obligations. These first two steps form the foundation of the BCP, allowing you to gauge the risk and impact of any potential disruption to your business.
A business continuity plan must have an alternative to maintain customer service in case of disruption. These alternatives can include data backup, emergency office locations, and emergency IT administrative rights. Moreover, the BCP must outline clear risk management strategies and set clear objectives for measuring success.
The process of dealing with interruptions in business operations due to natural disasters, power outages, and human errors is called disaster recovery (DR). DR focuses on the immediate mitigation of any damage caused by a disaster.
When it comes to business continuity vs disaster recovery, disaster recovery is the process of resolving a disruption by identifying the incident source and applying a way to fix it. As such, most disaster recovery plans (DRP) focus on specific deadlines that must be met, and are very technical to prevent significant damage in the event of a catastrophic incident.
Disaster recovery plans will include RTOs (recovery time objectives) , which state how soon a product, service or activity must become available following an incident. The failure to meet the RTO will result in the levels of disruption escalating.
In the previous example of a flood: your business should address any likelihood that your computer systems may become water-damaged. As such, you may mitigate this by restoring your systems from a backup to new computer hardware. The RTO will be duration it takes to restore the data to new hardware, which could be from a couple of hours, to up to a few days or weeks.
In this scenario, your business will need to find a way to continue to operate without its systems for the duration of the RTO, i.e. the time taken to restore your data to new systems. There will likely be other issues too, such as addressing the cause and any broader damage.
Business continuity plans are determined according to the estimated recovery time. BCP is no longer in operation once the business can return to its original setup, having fixed every part of the organization that is impacted.
When it comes to business continuity vs disaster recovery, the key difference between business continuity and disaster recovery is when the action plan takes effect.
Disaster recovery forms a part of your overall business continuity plan (BCP), a subset of your broader BCP, forming part of the “mitigate” and “recover” portion of your business continuity plan.
For example, in business continuity, you have to keep your processes functional during and after the event. On the other hand, disaster recovery focuses on how to return to normal when the event has been completed.
Business continuity aims to keep your business operational in the event of a disruption, enabling a return to full normal business operations after the end of the crisis.
BCP, or business continuity planning, focuses on preserving the functionality of the overall business, through continuous improvement in both internal and external operations, including the set up of preventative controls and management of customers and employees.
Disaster recovery aims to restore your operations and IT systems as quickly and efficiently as possible following a catastrophic incident. Disaster recovery includes the IT contingency methods and mechanisms, such as data backup, for your critical business applications and functions.
Disaster recovery planning aims to minimize business downtime, maintaining, where possible, access to your critical IT infrastructure and operations, such as data, hardware, software, networking equipment, power, and connectivity, to get your business back up and running.
Business continuity planning establishes the blueprint to enable you to maintain business processes and procedures as close to “business as usual”. Disaster recovery planning, on the other hand, focuses on the tools and solutions needed to restore your affected technology and data.
While disaster recovery is a component of business continuity, there instances when disaster recovery plans can be activated without invoking your broader business continuity plan.
For example, if you experience a power outage, you will have a reliable disaster recovery plan in place, allowing you to failover to a secondary site and be back up and running with minimal disruption to your employees and customer. In such a scenario, your entire business continuity plan would not need to be activated.
Provided any incident has not impacted your data, IT systems or IT infrastructure, business continuity can be invoked independently of your disaster, in certain instances.
If, for example, your business is facing a public relations crisis, you may need to issue statements to both internal and external stakeholders, to come out of the crises. Since there is no impact on your IT infrastructure, only your business continuity plan will be activated.
Of course, as in the flood example given earlier, your business continuity and disaster recovery plans can overlap.
Having understood the differences in disaster recovery and business continuity, it now becomes clear that you need both .
Having a business continuity plan, without a disaster recovery element to it, will cause most businesses to scramble to try and fix the technology crucial to your business operations.
The lack of a disaster recovery strategy will take you longer to identify and implement a fix in the event of a catastrophic incident, significantly impacting your business.
On the other hand, while a disaster recovery strategy will enable you to fix and restore your technology and data quickly, the lack of a broader business continuity plan will hamper productivity and communication, severely impacting your ability to manage your teams proactively to ensure the maintenance of service, consistency, and recovery from a disaster.
Most of the time, business continuity risks are manageable. You can quickly identify natural disasters, but it’s not easy to identify cyber events. It depends on your business location; for example, your office or business is in an area where the risk of a hurricane is always there, so you can expect business interruptions from a hurricane.
You also need to take IT risks into account. DDoS attacks are on the rise, and these attacks cause servers to slow down or stop working. Regardless of the service you provide, these attacks can interrupt your business. So there should be a proper plan for risk identification and mitigation.
It is similar to other risk identification processes , and you need to understand the IT infrastructure. It would help if you considered the following questions.
- What software, systems, information, and networks are critical for maintaining business operations? How are all these connected?
- Which cyber attacks threaten this software, systems, and networks?
- How could natural disasters affect these systems?
- Which third-party vendors are critical for maintaining business operations?
- What action plans and measures are in place to prevent cyber risks to our software and systems?
- What measures are in place to prevent third-party vendors from affecting our business operations?
- Do we have a data encryption system in place for remote access in case of a business interruption?
- Do we have a data backup and recovery systems in place?
- Can we maintain the endpoint encryption in case of a business interruption?
- Is there a system to maintain emergency administrative authorization to keep business running?
All these questions can help in the risk identification process.
When you have created a risk list for potential software, system, network, and third-party outages, you need to establish a policy to recover from these interruptions and get back to normal. For disaster recovery planning, you need to consider the following questions:
- Do we have a detailed written plan and chain of command for recovering from these interruptions?
- Who will do the recovery tasks?
- Do we have any specific timeline for disaster recovery?
- Which documentation is required for full recovery?
- How to recover business data ?
- How to get back to normal operations once the event is over?
- How can we measure our compliance with user authorization policy?
- How to measure the efficiency of event response?
- How to document all the corrective actions?
- Is there any process to interview individuals involved in the process of disaster recovery?
These questions can help create a proper disaster recovery plan.
A disaster recovery plan provides assurances to the survival of your business, both during and after a disaster. When formulating your disaster recovery plan, you should consider, and include both RTO and RPO, to ensure your business can recover effectively from a disaster.
Recovery time objective (rto) – helps to calculate how quickly your business needs to recover it infrastructure and services in the event of a disaster or incident to maintain business continuity., recovery point objective (rpo) – this is the maximum tolerable amount of data your business can ‘afford’ to lose. rpo is a useful metric for determining how often your business should perform data backups., for instance, you identify an rto of 4 hours for your business, and your systems are capable of a 2 hour restore time. consequently, it would be unnecessary to make a large investment in hardware/software to decrease the restore time to 1 hour, as the existing capability of a 2 hour restore time meets business needs..
- Understanding business continuity and crisis management
- Creating a business continuity plan
- Managing Technology Risks
- Why all organizations need a data breach response plan
- Using cloud computing to achieve business continuity
- How to perform a cybersecurity risk assessment
Lucy has more than 23 years of experience in the technology industry. Specialising in the cloud and telecommunications sectors, Lucy has previously worked in senior management roles within HR & Operations for major national and international organisations such as BT, O2 and more recently, Vodafone. Lucy is currently the Deputy Online Editor at BusinessTechWeekly.com
Advantages and disadvantages of wireless networks
Using Cloud Computing to achieve Business Continuity
Choosing a Data Loss Prevention (DLP) Solution
Looking for HIPAA-Compliant Cloud Storage? 5 Cloud Storage Services that meet HIPPA…
First Time selling on eBay? Here are some helpful tips and insights
Should you be Tracking Your employees’ Internet Usage?
Business Continuity
What’s the difference b/w disaster recovery plan and business continuity plan, november 3, 2022.
Dale Shulmistra
by Dale Shulmistra Nov 3, 2022 Business Continuity
People often use the terms disaster recovery and business continuity planning interchangeably, but while these two terms are similar, they describe two different approaches businesses take to bounce back in the event of a disaster .
So what is the difference between a disaster recovery plan and business continuity plan? The answer varies a little depending on who you ask, but the basic rule of thumb is this:
A business continuity plan is focused on all aspects of disaster planning as it relates to preventing an interruption to business operations. A disaster recovery plan is focused more specifically on the response and recovery stages of a disaster, especially in regards to IT systems.
To further differentiate these concepts, let’s look at each plan individually:
- A business continuity plan (BCP) refers to a series of protocols designed to ensure the business can continue operating during a disruptive event. In simplest terms, a BCP aims to answer the question: “How can we keep the business running if disaster strikes?”
- A disaster recovery plan (DRP) refers more specifically to the steps and technologies for recovering from a disruptive event, especially as it pertains to restoring lost data, resolving infrastructure failure or troubleshooting other technological components. This plan aims to answer the question: “How do we recover from a disaster?”
According to Dell, a business continuity plan is a strategy that businesses put in place to continue operating with minimal disruption in the event of a disaster. A disaster recovery plan is more specific. It’s a plan to “restore the data and applications that run your business should your data center, servers or other infrastructure get damaged or destroyed.”
Below, we dig a little deeper into the unique components of each plan and how they differ, but first, let’s talk about why they’re essential in the first place.
Why are a DRP and BCP Important?
Businesses face a wide variety of threats that can impede their ability to function. These could result from natural disasters like fires, floods, tornados, earthquakes or hurricanes. There are also many man-made threats, like malware, cyberattacks, ransomware, accidental data deletion or even internal sabotage. Without both a business continuity plan and a disaster recovery plan in place, businesses face the dire consequences of being ill-prepared when disaster strikes.
Research shows that half of all businesses that experience a major disaster “never return to the marketplace.” Of businesses that are involved in a major fire, 70 percent “fail within 3 years.”
The stakes are especially high for small businesses. According to FEMA (Federal Emergency Management Agency), 90% of smaller companies fail within one year after a disaster if they’re unable to resume operations within 5 days. Without detailed plans for preparing for such a disaster, businesses are setting themselves up for failure.
By focusing on both business continuity and disaster recovery planning, you can ensure your business can withstand these challenges.
Alarming Statistics about the Need for Disaster Planning
The rates of business failure are especially high for businesses that do not have a business continuity plan or disaster recovery plan. Consider some of these alarming business continuity statistics :
- Operational downtime can cost as much as $10,000 per hour for small businesses, according to estimates from BC/DR provider Datto. For larger companies, this downtime can cost millions of dollars per hour.
- In a broad survey of businesses conducted by DataCore, more than half of businesses reported they had recently experienced a downtime event lasting at least 8 hours.
- More than 200,000 businesses in the U.S. were forced to close due to disruptions from Covid-19 – a prime example of the impact that a large, unexpected disaster (such as a pandemic) can have on businesses that have not planned for such incidents.
How a Business Continuity Plan and Disaster Recovery Plan Overlap
In reality, both plans are referred to generally when describing a business’s disaster preparedness, whether for prevention or response or both.
But also, it’s important to remember that a comprehensive business continuity plan will actually have a disaster recovery plan built into it. Your BCP is a master document that should encompass all aspects of a company’s disaster prevention, mitigation and response, including the recovery protocols (whether tech-focused or not). You cannot have an effective business continuity plan without addressing how the business will recover from different kinds of disasters.
Confused? Don’t be. Let’s take a closer look at each plan.
Business Continuity Planning
A business continuity plan is a broad plan to keep a business up and running in the event of a disaster. It focuses on the business as a whole, but also drills down to very specific scenarios that create risks for operations.
With business continuity planning, generally speaking, you’re focusing on the critical operations that the business needs to get up and running again after a disruption in order to conduct regular business. If the plan is followed correctly, businesses should be able to continue to provide services to customers during or immediately after a disaster with minimal disruption. The plan also focuses on the needs of business partners and vendors.
A business continuity plan is a written document that lists the business’s essential functions. According to TechTarget, these are things like a list of critical supplies, employee contact information, a list of crucial business functions or copies of important records. Basically, the business continuity plan includes all the necessary information to get the business up and running as soon as possible after a disruptive event.
But even that is only one small component of a BCP, as we address below.
Disaster Recovery Planning
A disaster recovery plan can be considered a more focused, specific part of a business continuity plan.
Depending on who you talk to, a disaster recovery plan is sometimes narrowly focused on a business’s data and information systems. According to Data Center Knowledge , for example, a disaster recovery plan is designed to save “data with the sole purpose of being able to recover it in the event of a disaster.” For this reason, disaster recovery planning is usually focused on the needs of the IT department.
Depending on the type of disaster, the plan could involve everything from recovering a small data set to the loss of an entire datacenter. Since most businesses are increasingly reliant on information technology, the disaster recovery plan is an important part of business continuity planning.
A disaster recovery plan can also refer to protocols that are outside the realm of IT. For example, the plan could include steps for recovery personnel to seek a secondary business location to resume critical operations. Or, it could include guidance for how to restore communication between emergency staff if primary lines of communication are unavailable.
In other words, disaster recovery planning does not always have to be strictly IT-focused, though it often is. If your IT personnel are creating an IT-focused disaster recovery plan, just be sure that all non-IT recovery protocols are included within the larger BCP documentation.
What to Include in a Business Continuity Plan
Your BCP should serve as the single, multifaceted document for managing all ends of disaster preparedness at your organization:
- Prevention : Steps and systems to prevent certain disasters from occurring in the first place.
- Mitigation : Processes to limit the impact of disasters when they occur.
- Recovery : Protocols for restoring operations as quickly as possible to limit downtime or other adverse consequences.
These are broad categories that need to be defined individually for each possible disaster scenario. To do so, you need to gain a better understanding of the unique risks that pose a threat to your organization and how those events will impact the business in terms of downtime, costs, reputation damage and so on.
As such, a typical business continuity plan will usually require the following sections:
- Contact information : Contact details for those who developed the BCP, and/or key recovery personnel within each department.
- Plan objectives : The overall objective for the plan, i.e. its purpose and overall goal – what it aims to accomplish, why it’s critical, what areas it focuses on, etc.
- Risk assessment : A thorough assessment of disaster scenarios that could disrupt operations, prioritized by likelihood and/or severity of impact.
- Impact analysis : Specific outcomes for each disaster scenario in terms of how much they negatively impact the business, i.e. the costs for idle workers, recovery costs, hardware damage and repair, etc.
- Prevention : Steps and systems for preventing each of those disasters, such as the implementation of antimalware systems to prevent certain cyberattacks.
- Response : How the business should respond to each disaster to minimize impact and initiate a rapid recovery, such as restoring backups after a data loss.
- Areas for improvement : Any weaknesses identified in the creation of the BCP, along with recommended solutions and steps for filling these holes. (Your BCP is an evolving document that should be updated periodically to reassess risks and incorporate any changes made.)
- Contingencies : A list of secondary backup assets and/or protocols, such as a backup office location, backup equipment and so on.
- Communication : Protocols for staying in communication with recovery personnel and/or all personnel at large, such as a text alert system, company extranet, calling trees, etc.
What to Include in a Disaster Recovery Plan
A disaster recovery plan is essentially the “Response” component of your business continuity plan. It encompasses all the procedures, technologies and objectives necessary for completing a quick recovery after a disaster. This recovery could pertain to lost data, damaged hardware, network outages, application failure or virtually any other point of failure across your operations.
Here are some things you’ll want to identify within your disaster recovery plan:
- Recovery technologies : All systems currently implemented (or those that should be) that support the recovery process. An example would be a data backup and disaster recovery system that enables you to recover critical files that have gone missing or large datasets that have been infected with ransomware.
- Recovery Time Objective (RTO) : Your RTO is a desired timeframe for completing recovery before things take a turn for the worse. It can be applied to the business as a whole or individual layers of IT, like data recovery. For example, an RTO of 30 minutes would mean that all data should be recovered or restored within 30 minutes after a loss is discovered.
- Recovery Point Objective (RPO) : RPO refers specifically to the age of data backups. It’s the desired recovery point for restoring data from a backup to minimize the amount of data loss. An example RPO might be 6 hours – meaning that your last backup would never be more than 6 hours old. So if your systems were suddenly infected with ransomware, the data you restore from a backup shouldn’t be more than 6 hours old. (Thus, a longer RPO, such as 24 hours, would create the risk of losing a lot more data.)
- Recovery protocols: Who does what in a disaster situation? Your DRP should clearly define the roles of your recovery personnel, so that there is no confusion and not a minute wasted when disaster strikes. In the case of a data recovery, who oversees it? How, exactly, do they do it? Who do they communicate with, and how are updates communicated with other personnel? All of this should be spelled out to ensure that recovery teams know what to do and can refer back to this guidance when needed.
- Vendors, supplies & other third parties : These could be IT providers, telecommunications companies or other third parties that may be needed to support the recovery process. For example, in case of an Internet outage, your DRP should identify your Internet provider’s emergency contact information (ideally a specific point of contact) to ensure a faster resolution.
- Recovery testing : Periodic tests and mock disaster scenarios to confirm your recovery systems work as they should. One example could be a test data recovery to confirm that backups are available and can be restored without integrity issues.
Like your BCP, your disaster recovery plan should also be updated periodically to ensure all the information is still accurate.
Also, remember that the information in your DRP should be dictated in part by a thorough business analysis, like the risk assessments and impact analyses from your overall continuity planning. It is indeed important to understand the differences between a business continuity plan and a disaster recovery plan, but perhaps even more important is understanding how these two documents hinge on each other and play a connected role in maintaining continuity.
Backup & Disaster Recovery
One of the best strategies in disaster recovery planning is to keep all of your data backed up on a server at a secondary site. This way, if a disaster occurs at the primary site, a backup of all vital data is available. A good disaster recovery plan will dictate how you manage and access data from the secondary site as quickly as possible.
For example, in the case of hybrid-cloud backup systems like the Datto SIRIS , you have several recovery options available to you. If a disaster occurs at the primary site, you can restore data from the cloud or boot the entire backup as a virtual machine. The virtualization method allows for instant access to data and applications while a full recovery is in process.
Ultimately, the reliability of your disaster recovery plan is dependent on everything you’ve included in the plan: all the infrastructure, processes, planning and testing.
Frequently Asked Questions
1) what’s the difference between a business continuity plan and a disaster recovery plan.
The main difference is that a disaster recovery plan is more focused on the procedures for recovering from a disaster, especially in regards to IT systems, while a business continuity plan focuses on the bigger picture of preventing all operational disruptions.
Disaster recovery planning is typically considered a subset of business continuity planning.
2) Which comes first: business continuity or disaster recovery?
Business continuity planning is the foundation of a business’s disaster planning and thus should come before disaster recovery planning. Continuity planning will identify the primary threats to a business using a risk assessment and impact analysis. Those assessments can be used to inform IT disaster recovery planning.
3) What is an example of a business continuity strategy?
One example of a business continuity strategy is creating frequent data backups that can be restored in case files are deleted, destroyed or lost. This strategy involves using a dependable business continuity and disaster recovery (BC/DR) system that enables frequent backups and prompt restore methods.
4) What is business continuity and disaster recovery?
Business continuity and disaster recovery (or BC/DR) refers to the systems and procedures that help a business continue operating through a disaster. The term is commonly used in reference to data backup and recovery systems, but it can apply to other IT systems as well.
Don’t Go without a Plan! Get the Protection You Need.
Being prepared for a disaster is one of the most important things a business can do to prevent costly downtime—or permanent closure—when these disruptive incidents occur. Get in touch with our experts at Invenio IT to explore the technology your organization needs for business continuity, data backup and disaster recovery. Request a free demo or contact our specialists at Invenio IT by calling (646) 395-1170 or by emailing [email protected] .
Assessing Threats: A Complete Guide to BCP Risk Management
Jan 11, 2023
Risks are everywhere. They're in your building, the aging utility lines, the...
SMB Ransomware: Why Businesses Face Big Risks from Attackers
Jan 3, 2023
Large organizations like the Colonial Pipeline get major media attention when they...
What is the Cost of Data Loss in 2023?
Jan 1, 2023
Data loss is one of the most common causes of business disruption today—and one of...
- Search OnSolve
Business Continuity vs. Disaster Recovery: 5 Key Differences and the BC/DR Relationship
Business continuity (BC) and disaster recovery (DR) are easily confused terms. They seem almost interchangeable, but they’re not quite the same functions. Disaster recovery is actually a part of business continuity and involves a plan for getting business back to normal after a disaster occurs. Business continuity involves a wider breadth of planning and encompasses plans for keeping a business running during and following a disaster or disruption of any kind.
Every organization should have both a business continuity plan and a disaster recovery plan in place before disaster strikes, in order to keep everything functioning as smoothly as possible with minimal disruption for stakeholders. Let’s review five differences between business continuity and disaster recovery while looking into ways the two are interrelated.
A key difference between business continuity and disaster recovery is business continuity is wider in scope, encompassing all business functions necessary to keep the organization running, regardless of what kind of crisis arises. Disaster recovery has a narrower scope, focusing on systems impacted by a disaster that need to be recovered or replaced for an organization to get back up and running.
Whereas business continuity includes strategies to maintain all essential business functions, from supply and delivery chains to human resources and operations, disaster recovery focuses specifically on restoring any adversely affected business functions. For example, a business continuity plan would likely include a strategy for maintaining operations in the event of a cyber attack , while a disaster recovery plan would include steps for recovering any lost data and patching up vulnerabilities to return to business as usual.
Another key difference between business continuity and disaster recovery is the timeline during which you would implement each set of plans. Business continuity plans are set in motion the moment a crisis occurs and sustained during and after the crisis. In the case of a pandemic , you would implement your continuity plan when it becomes likely your stakeholders are going to be impacted by an outbreak. You would continue to employ any continuity measures, such as working from home and sourcing from backup vendors, until the threat has completely subsided.
Disaster recovery plans are set in motion after an emergency event is over, and these plans are sustained until business has returned to some semblance of normal. In a pandemic scenario, an organization might begin implementing a disaster recovery plan, which could include bringing employees back to the office, once case numbers dropped significantly and the threat of contagion was minimal.
3. Plan Components
The key components of business continuity plans and disaster recovery plans also vary. When creating a business continuity plan , you should take the following general steps:
- Form a continuity planning team
- Perform a business impact analysis
- Design and implement your plan
- Train and educate your employees
- Regularly assess and evaluate your plan
As you’re putting together a business continuity plan, you’ll want to create a list of all critical business functions and consider how a variety of different crisis scenarios could disrupt each of them. Once you have identified potential vulnerabilities, brainstorm strategies for maintaining those functions during a crisis.
For example, if you realize your organization is relying heavily on one or two suppliers, consider diversifying or creating a list of backup vendors. You should also earmark the resources you’ll need in likely crisis scenarios, train personnel to carry out the plan and implement software to enable communication in the midst of a crisis. Your organization must be able to maintain communication with all stakeholders before, during and following a crisis. An emergency mass notification system is often the best solution.
When creating a disaster response plan, you’ll likely take the following general steps:
- Form a disaster recovery team
- Identify critical functions and potential disaster risks
- Design and implement a disaster recovery plan
- Create backup procedures (in case of cyber attack)
- Train personnel
- Regularly test and maintain the plan
When preparing your disaster recovery plan, key proactive steps include conducting a business impact analysis and figuring out how you’ll restore data, critical applications and business operations after you’ve been hit with a disaster or emergency.
4. Processes and Actions
Once you’ve created business continuity and disaster recovery plans, the actions taken to implement each plan will differ.
If your organization is faced with a threat to business continuity, your continuity planning team will take actions appropriate for the specific scenario. In the event of a hurricane, for example, those actions might include:
- Alerting all stakeholders to the threat
- Advising employees on emergency procedures and points of contact
- Transitioning to alternative operations, whether that’s a backup workspace or remote work
- Maintaining internal network infrastructure
- Checking in with all employees to ensure safety and administer assistance, if necessary
- Adjusting supply chains if vendors or partners have been affected
- Communicating any changes with customers and other stakeholders
Once a crisis has subsided, actions taken toward disaster recovery will include any steps necessary to return to normal. In the case of a hurricane, those actions might include:
- Assisting any employees who have been directly affected by the storm
- Rebuilding or restoring any damaged company property
- Restoring or recovering any lost data or company systems
- Welcoming employees back into the workplace once it’s safe
- Bringing production levels back up to normal
Processes and actions taken to maintain business continuity and ensure disaster recovery will depend on the specific crisis, which is why it’s important to consider a variety of scenarios when forming your organizational plans.
5. Stakeholders Involved
The stakeholders involved in business continuity and disaster recovery will overlap substantially, but there are slight differences.
The primary stakeholders involved with business continuity include the business continuity planning team, employees, customers, vendors and partners. Key stakeholders involved in disaster recovery include the disaster recovery team, customers, employees, and critical vendors and partners.
The well-being of stakeholders should be the top priority whenever an organization is faced with a crisis.
The Importance of Communications in Business Continuity and Disaster Recovery
Although there are differences between business continuity and disaster recovery, one of the overall keys to success for both strategies is the emphasis on effective communications. Your teams should have a plan in place for sharing relevant information with your stakeholders throughout a crisis. Timeliness is critical in any critical event. You’ll want to make sure you can quickly send and receive important information. Using a platform built for these types of scenarios can make it easier for your organization to send alerts and notifications.
Business continuity is a strategy for maintaining critical business functions in the face of crisis, and disaster recovery is a key factor in restoring those business functions to full strength. Your organization’s continuity plan should include a disaster recovery plan, and the various team members in charge of each aspect of both plans must work together and be on the same page before, during and after a crisis.
To learn more about how to improve your business continuity and disaster recovery plans, check out our ebook, 4 Misconceptions of Business Continuity Communications (and How to Fix Them) .
Emergency notification best practices and free customizable message templates.
Share this article:
OnSolve is a leading critical event management provider that proactively mitigates physical threats, allowing organizations to remain agile when a crisis strikes. Using the most trusted expertise and reliable AI-powered risk intelligence, critical communications and incident management technology, the OnSolve Platform enables enterprises, SMB organizations and all levels of government to detect, anticipate and mitigate physical threats that impact their people, places and property. With billions of alerts sent annually and proven support for both the public and private sectors, OnSolve is used by thousands of entities to save lives, protect communities, safeguard critical infrastructure and enable agility for the organizations that power our economy.
Mitigate Risk and Strengthen Organizational Resilience Today
- Australasia
- Asia Pacific
- Middle East
- North America
The latest business continuity news from around the world
What’s the difference between business continuity and disaster recovery.
- " onclick="window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no'); return false;" rel="nofollow"> Print
In an article aimed at people new to business continuity and disaster recovery, Mitch Mitchell explains what the difference between these two vital disciplines is and why it is a mistake to use the two terms interchangeably.
In a nutshell, business continuity focuses on maintaining vital operations during disruptions, while disaster recovery refers to restoring data and infrastructure.
The terms business continuity and disaster recovery are often used interchangeably, but they are different things. Although closely related and often working in tandem, the disciplines have distinct goals, both of which address interruptions to mission-critical lines of business. It is essential, however, that stakeholders understand the differences between the two and how to deploy both business continuity and disaster recovery planning in a unified manner.
What is business continuity?
Business continuity is exactly what it sounds like – a way of addressing any disruption to business operations until the underlying problem can be resolved. During the pandemic, for example, businesses faced enormous pressure to adopt temporary measures that would allow them to continue their operations as best as possible. In this case, business continuity often involved giving employees the tools required for them to work from home.
Business continuity involves a planning process, the outcome of which is a business continuity plan. This normally begins with a risk assessment and a business impact analysis. Together, these outputs help stakeholders determine the required scope of the business continuity plan, while also taking into consideration any regulatory or legal implications. Many business continuity plans focus heavily on IT and communications systems, given the central role they play in most businesses.
Business continuity plans must take into account all the possible risks facing the organization, such as natural disasters, cyber attacks, and service outages. The goal of business continuity is not to resolve these problems, but to keep mission-critical operations running as smoothly as possible during the period of disruption. Planning also involves proactively mitigating risks, such as by maintaining redundant computing systems and real-time copies of your data.
What is disaster recovery?
Whereas business continuity concerns working through a disruptive event, disaster recovery planning is all about resolving the underlying issue, be it a data breach, system failure, or any other unexpected event. As such, it focuses on the immediacy of an undesired event and often happens alongside business continuity. A disaster recovery process comprises several stages: from identifying the source of the incident to applying various ways to fix it. To that end, it does not only concern data recovery, but also the recovery of damaged or malfunctioning hardware and software applications.
Deadlines play a central role in disaster recovery planning, since any business can only afford to lose so much time or data. The two key parameters are your recovery time objective (RTO) and recovery point objective (RPO), both of which concern the operation of critical business functions and the availability of essential data. Your RTO refers to the maximum amount of time it should take to resolve a problem, while the RPO refers to the maximum amount of data your business can afford to lose.
As is the case with business continuity planning, prioritisation is vital in disaster recovery planning. This is why you need to assign different RTO and RPO values to different applications and systems. For example, your company might be able to lose access to non-essential marketing systems or data for a few days or weeks, but the same probably cannot be said of payroll systems and data. All assets must be classified in terms of how essential they are to your business, before being prioritised accordingly.
Why businesses need both business continuity and disaster recovery
The main difference between business continuity and disaster recovery is when each plan of action takes effect. Whereas business continuity is about maintaining functional operations, a disaster recovery plan focuses on returning to normal within a given timeframe. To that end, it is also accurate to consider disaster recovery planning as a subset of the broader continuum that is business continuity planning.
Although both plans are closely related, they need not necessarily be used at the same time. For example, in the case of a minor disruption, it might not even be necessary to activate your business continuity plan. If you have automated failovers and real-time data backups, then the disaster recovery plan will likely be enough. However, for longer-lasting and more complicated disruptions, business continuity plan activation is a must.
Things can also work the other way around, as they did for businesses during the pandemic. If, for example, your business faces a longer-term disruption, such as a public relations crisis or a lasting shortage of staff, your business continuity plan should kick in to minimise damage to your business. By contrast, disaster recovery planning largely focuses on the immediacy of an acute disruption, such as a data breach or network outage.
In many cases, both plans will overlap one another. Take a natural disaster, such as a flood, for example. Having your office flooded could result in immediate damage or destruction to your data and systems, in which case they will need to be recovered as soon as possible. That said, it might take weeks or even months before your office can be rendered workable again, hence the need for business continuity to help you weather the storm in the meantime.
The case for an all-in-one solution
The close relationship between business continuity and disaster recovery planning means that both are likely to be more effective if they are managed in a single, cohesive environment. An integrated approach offers the means to enhance and protect mission-critical operations and gain a granular view into the various risks that face them. Of course, these risks and the responses to them must also be regularly reviewed and your plans updated as appropriate.
An integrated management system provides even broader coverage by keeping all essential business data in a centrally managed location. For example, integration with human resources and task-management systems makes it easier to assign and schedule people and assets to recovery and continuity operations. Similarly, integration with governance, risk management, and compliance (GRC) solutions can help ensure that your business continuity and disaster recovery plans align with the demands of regulatory compliance and broader enterprise risk management.
The most effective approach to business continuity and disaster recovery is to have both seamlessly integrated into your organizational culture and broader technology environment. With a complete, end-to-end solution, you can gain complete visibility into your business processes, develop and maintain your plans, and implement them without a hitch.
Mitch Mitchell is a founder of ContinuSys , which is an integrated business management system (IBMS) that helps organizations become resilient against short and long-term disruptions.
Want news and features emailed to you?
Additional Resources
- 2023 predictions
- Operational resilience
- Cyber resilience
- Pandemic planning and response
- Business continuity standards
A website you can trust
Business continuity, get the latest news and information sent to you by email.
Cloudian Products
The object storage buyer’s guide.
Technical/financial benefits; how to evaluate for your environment.
HyperIQ Observability & Analytics
Watch 2-min Intro
Evaluator Group Webinar
Skills Shortage? Ease the Storage Management Burden. Watch On-Demand
Scaling Object Storage with Adaptive Data Management
Get White Paper
Solutions
Industries , 2021 enterprise ransomware victims report.
Don’t Be a Victim
Scalable S3-Compatible Storage, On-Prem with AWS Outposts
Trending topic: on-prem s3 for data analytics.
Watch Webinar
Ransomware 2021: A Conversation with Veeam CISO Gil Vega
Hear His Thoughts
How a Private Cloud Addresses the Kubernetes Storage Challenge
Free White Paper
Data Security & Compliance: 3 ?s Every CIO Should Ask
Ask the Right ??s
5 Things Every MSP Should Know About Sovereign Cloud
Get Free eBook
TCO Report: NAS File Tiering
Learn how object storage can dramatically reduce Tier 1 storage costs
Get TCO Analysis
Satellite Application Catapult Deploys Cloudian for Scalable Storage
Replaces conventional NAS, saves 75%
Read Their Story
On-Demand Webinar
Veeam & Cloudian: Office 365 Backup – It’s Essential
Blog: How to Grow Your Storage and Not Your CAPEX Spend
Pay as you grow, starting at 1.3 cents/GB/month
Read the Blog
Why the FBI Can’t Stop Cybercrime and How You Can
Register Now
8 Reasons to Choose Cloudian for State & Local Government Data
Get 8 Reasons
Cloudian HyperStore SEC17a-4 Cohasset Assessment Report
Read the Assessment
Hybrid Cloud for Manufacturers
Tape: does it measure up, customer testimonial: university of leicester.
Hear from Mark
Public Health England: Resilient IT Infrastructure for an Uncertain Time
Watch On-Demand
How to Accelerate Genomics Data Analysis Pipelines by 10X
Hear from Weka
How MSPs Can Build Profitable Revenue Streams with Storage Services
Get IDC’s Take
Technology Partners
Get scalable storage on-prem for aws outposts.
Hear from AWS
Lock Ransomware Out with Commvault & Cloudian
Cribl stream with cloudian hyperstore s3 data lake, why object storage is best for advanced analytics apps in greenplum.
Explore Solution
Customer Video: NTT Communications
Hear from NTT
How to Store Kasten Backups to Cloudian
Klik.solutions delivers world-class backup-as-a-service with lenovo & cloudian.
Why They Chose Us
Modernize SQL Server with S3 Data Lake
Find Out How
How to Run Cloudian on OpenShift as a Container
Immutable object storage for european smbs from rnt rausch and cloudian, backup/archive to cloudian with rubrik nas cloud direct, on-premises object storage for snowflake analytics workloads.
Get the Details
Splunk, ClearShark, and Cloudian discuss Federal Industry Storage Trends
Teradata & cloudian: modern data analytics for hybrid and multi-cloud, 1-step to data protection: all you need to know about veeam v12 + cloudian.
Step up to Cloudian
Modernize Your Enterprise Archive Storage with Cloudian and Veritas
Read About It
Unified Analytics Data Lake Platform with Vertica and Cloudian HyperStore
Vmware cloud providers: get started in cloud storage, free..
Get Started
Weka + Cloudian: High-Performance, Exabyte-Scalable Storage for AI/ML
Customers , cloudian enables leading swiss financial institution to retain and analyze more big data.
Read Case Study
Indonesian Financial Services Company Replaces NAS With Cloudian
State of california selects storage-as-a-service offering powered by cloudian, cloudian provides utah state agencies with rubrik-compatible backup target, cuts costs by 75 percent, australian genomic sequencing leader accelerates research with cloudian, swiss education non-profit achieves scale and flexibility of public cloud on-prem with cloudian, indonesia ministry of education deploys cloudian object storage to keep up with data growth, leading german paper company meets growing data backup needs with cloudian, vox media automates archive process to accelerate workflow by 10x, wgbh boston builds a hybrid cloud active archive with cloudian hyperstore, large german retailer consolidates primary and secondary storage to cloudian, how a sovereign cloud provider succeeds in cloud storage services.
View On-Demand
IT Service Provider Drives Business Growth with Cloudian-based Offering
Calcasieu parish sheriff deploys hybrid cloud for digital evidence data, montebello bus lines mobile video surveillance with cloudian object storage, resources , storage guides , ransomware protection buyer’s guide.
Get Free Guide
Company
Cloudian named a gartner peer insights customers’ choice for distributed file systems and object storage.
Read Reviews
Disaster Recovery and Business Continuity Plans
Disaster recovery and business continuity are tightly related. In the 1970s, organizations started preparing Disaster Recovery (DR) plans, which were mainly focused on natural disasters. In the 1980s and onwards, the focus shifted to a more holistic view, named Business Continuity (BC).
While disaster recovery narrowly focused on how to bring systems back online after a disaster, business continuity aimed to develop a proactive process that would keep businesses alive and operating even in the face of a major crisis. Accordingly, a disaster recovery plan is limited to ensuring data protection, preventing damage to systems and recovering them as quickly as possible, while a business continuity plan covers all aspects of the business including business processes, manpower, partners and suppliers.
In this article you learn: • What is a business continuity plan? • 7 chapters of a sample business continuity plan • The difference between a DR and BC plan • A BC plan in action: hour by hour • Ensuring business continuity for your data with Cloudian
What is a Business Continuity Plan?
A business continuity plan details how a business will continue operating and serving its customers, even in the face of a dramatic event like a natural disaster, major IT failure, or a cyberattack. The end goal is to preserve a company’s financial viability, market position, reputation, and customers, even in the face of a crisis.
Business continuity planning covers every aspect of the business including:
- Business processes —how can a process continue working even if critical equipment or supplies were missing?
- Human resources —how can critical staff continue performing their work if, for example, workstations are destroyed or there is no Internet connection?
- Business partners and suppliers —how can suppliers continue their work with the company if, for example, lines of communication or road transport is unavailable?
A business continuity plan must consider important questions and provide good answers. What single points of failure exist in the organization? What are the critical dependencies on equipment, in-house staff, suppliers or other third parties? What workarounds exist for disruption of any of these? Which organizational processes, staff, skills and technology are needed to maintain business operations and fully recover from a disaster?
7 Chapters of a Business Continuity Plan
A typical business continuity plan contains the following sections:
- Goals of the plan —should quantify which parts of the business are considered critical and how smoothly they should be able to operate during a crisis
- Budget —resources allocated to business continuity planning and preparation
- Personnel —who is responsible for maintaining the business continuity program and executing practical steps during a crisis. Which other stakeholders exist—senior management, legal, PR, customers, partners, etc—and how they should be involved or notified.
- Business Impact Analysis —a holistic review of critical business processes, their weak points and how they are likely to be affected by different types of disasters.
- Proactive strategies —processes that should be carried out on a regular basis to prevent or more easily overcome disasters.
- This chapter includes an IT disaster recovery plan.
- Long-term reactive strategies —what the organization should do on “day two”, after the disaster has ended, to fully recover and rebuild systems to their original state.
Business Continuity vs. Disaster Recovery Plan
The terms business continuity plan and disaster recovery plan are sometimes used interchangeably. However, as we illustrated in our plan structure above, a disaster recovery plan is an important section within a business continuity plan. See our article about IT disaster recovery plans.
The table below illustrates how a business continuity plan differs from an IT disaster recovery plan—it touches on the same aspects but from a holistic business perspective.
Business Continuity Plan in Action: Hour by Hour
Once you have a business continuity plan, here is what a crisis could look like, hour by hour, as the plan unfolds. The activities below are just examples, and of course, will vary depending on the crisis and the nature of the business.
Ensuring Business Continuity for Your Data with Cloudian
Cloudian offers low-cost disk-based storage that lets you store up to 1.5 Petabytes of backups. The Cloudian appliance can be deployed in your local data center, or in a remote DR site. We provide integrated data management tools that let you store data seamlessly to a remote appliance.
Cloudian also supports a hybrid cloud setup. The Cloudian appliance can replicate your data to a cloud storage service such as Amazon S3, Azure Blob Storage or Google Cloud Storage. This allows you to backup data frequently and enjoy fast local access while keeping a copy of data on the cloud in case the on-premise data center goes down.
Learn more about Cloudian’s data protection solutions.
Get Started With Cloudian Today
Request a Demo
Join a 30 minute demo with a Cloudian expert.
Download a Free Trial
Try Cloudian in your shop. Run on any VM, even your laptop.
Receive a Cloudian quote and see how much you can save.
- Disaster recovery planning and management
- Share this item with your network:
Tech Accelerator
What is bcdr business continuity and disaster recovery guide.
- John Moore, Industry Editor
- Stephen J. Bigelow, Senior Technology Editor
- Paul Crocetti, Senior Site Editor
Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization's ability to remain operational after an adverse event.
Resiliency has become the watchword for organizations facing an array of threats, from natural disasters to the latest round of cyber attacks.
In this climate, business continuity and disaster recovery (BCDR) has a higher profile than ever before. Every organization, from small operations to the largest enterprises, is increasingly dependent on digital technologies to generate revenue, provide services and support customers who always expect applications and data to be available.
"Mission-critical data has no time for downtime," said Christophe Bertrand, practice director of data management and analytics at Enterprise Strategy Group (ESG), a division of TechTarget. "Even for noncritical data, people have very little tolerance."
More than two-thirds of respondents to Uptime Institute's 2021 Global Data Center Survey had some sort of outage in the past three years. And disruption isn't just an inconvenience for customers.
"[W]hen an outage occurs, about a fifth are classified as severe or serious, meaning there were big financial, reputational and other consequences," according to Uptime Institute, a Seattle-based data center standards organization.
Why is BCDR important?
The role of BCDR is to minimize the effects of outages and disruptions on business operations. BCDR practices enable an organization to get back on its feet after problems occur, reduce the risk of data loss and reputational harm, and improve operations while decreasing the chance of emergencies.
Some businesses might have a head start on BCDR. DR is an established function in many IT departments with respect to individual systems. However, BCDR is broader than IT, encompassing a range of considerations -- including crisis management, employee safety and alternative work locations.
A holistic BCDR approach requires thorough planning and preparation. BCDR professionals can help an organization create a strategy for achieving resiliency. Developing such a strategy is a complex process that involves conducting a business impact analysis (BIA) and risk analysis as well as developing BCDR plans, tests, exercises and training.
Planning documents -- the cornerstone of an effective BCDR strategy -- also help with resource management, providing information such as employee contact lists, emergency contact lists, vendor lists, instructions for performing tests, equipment lists, and technical diagrams of systems and networks.
BCDR expert and consultant Paul Kirvan noted several other reasons for the importance of BCDR planning:
- Results of the BIA identify opportunities for process improvement and ways the organization can use technology better.
- Information in the plan serves as an alternate source of documentation.
- The plan provides a single source of key contact information.
- The plan serves as a reference document for use in product planning and design, service design and delivery, and other activities.
An organization should strive for continual improvement, driven by the BCDR process.
What is business continuity and disaster recovery?
An organization's ability to remain operational after an incident relies on both BC and DR procedures. The goal of BCDR is to limit risk and get an organization running as close to normal as possible after an unexpected interruption. These practices also reduce the risk of data loss and decrease the chance of emergencies, which helps maintain and even improve the organization's reputation.
The trend of combining business continuity and disaster recovery into a single term, BCDR, is the result of a growing recognition that business and technology executives need to collaborate closely when planning for incident responses instead of developing schemes in isolation.
What's the difference between business continuity and disaster recovery?
BC is more proactive and generally refers to the processes and procedures an organization must implement to ensure that mission-critical functions can continue during and after a disaster. This area involves more comprehensive planning geared toward long-term challenges to an organization's success.
DR is more reactive and comprises specific steps an organization must take to resume operations following an incident. Disaster recovery actions take place after the incident, and response times can range from seconds to days.
BC typically focuses on the organization, whereas DR zeroes in on the technology infrastructure. Disaster recovery is a piece of business continuity planning and concentrates on accessing data easily following a disaster. BC includes this element but also considers risk management and any other planning an organization needs to stay afloat during an event.
There are similarities between business continuity and disaster recovery. They both consider various unplanned events, from cyber attacks to human error to a natural disaster. They also have the goal of getting the business running as close to normal as possible, especially concerning mission-critical applications. In many cases, the same team is involved with both BC and DR.
What's the difference between business resilience and business continuity?
Business resilience and resiliency began appearing in the BCDR vocabulary in the early 2000s. Resilience, at times, has been used interchangeably with business continuity, but the terms have different shades of meaning .
Kirvan said a resilient business can return to its previous operational state following an event that shut it down. Business continuity management, technology disaster recovery and incident response are among the disciplines that fuel an organization's resiliency.
Resilience focuses on building a business to be impervious to potential disruptions of various kinds, according to Jeff Ton, strategic IT advisor at InterVision Systems, an IT service provider with regional headquarters in San Jose, Calif., and Chesterfield, Mo. Business continuity, in contrast, involves resuming operations from an outage once it has occurred, Ton noted.
Resiliency "is more about being able to resist and withstand issues, and business continuity is about being able to continue business after something has disrupted your business," Ton said.
Using a rubber band analogy, Ton said an event might stretch an organization; but, if resiliency has been achieved, it resists and reassumes its shape. Business continuity kicks in when the rubber band snaps and the organization takes steps to address the breakage, he added.
ESG's Bertrand said business continuity revolves around the ability to fail over and maintain systems at a high level of availability, while resilience is the ability to resist disruption and prevent problems from happening in the first place.
What’s the difference between organizational resilience and operational resilience?
The idea of resilience and its role in business continuance has also diversified into the concepts of organizational and operational resilience.
Organizational resilience (OR) is the ability of the entire organization to guard against disruptive events. The entire organization includes all personnel in every department or business unit; the applications, infrastructure and other technologies across the enterprise; facilities, including buildings and workspaces; and the processes and policies involved in running the organization.
In order for OR to be fully realized, every element of the organization must be protected from adverse events and demonstrate the capability to change and adapt -- even just temporarily -- to continue running the business until the disruption is alleviated and normal operations are restored.
Operational resilience (OpR) is generally regarded as a close subset of organizational resilience, but OpR focuses on the people, processes and infrastructure of the business to respond and adapt to changing patterns. It's worth noting that this description isn't solely about BCDR but can apply to any issues or situations that affect business conditions.
Where OR takes a more holistic view of resilience, OpR slants the view in favor of resilience issues involved in running the business day to day. There are several standards that relate to OpR, including international standard ISO 22316:2017 and British standard BS 65000:2014.
OR and OpR require careful attention to prediction and planning so potential disruptions are identified and prepared for in advance. Disruptions that aren't considered or planned for can overcome an organization's resilience posture and cause major, long-lasting business impacts.
The role of risk analysis, BIA and BCDR strategies
Risk analysis and BIA are critical tools for organizations facing the question of how to build a BCDR strategy.
Determining internal and external risks is important to the BCDR process. The risk analysis identifies risks and the likelihood they will occur. This risk assessment works in tandem with the BIA, which helps quantify the potential effects of disruption. Financial analysis is one aspect of a BIA, but this exercise also considers the non-financial costs of unplanned outages. In addition, the BIA identifies the mission-critical functions an organization must maintain or restore following an incident, and the resources needed to support those functions.
It's important to gain management support when pursuing a BIA, given the intensity of the process. The BIA provides a way for an organization to learn about itself and details opportunities for improvement.
An organization uses risk analysis and BIA data to determine business continuity and disaster recovery strategies and the appropriate responses. Each strategy is turned into a series of actions that will help achieve operational recovery, such as data replication, failing over to a cloud-based service , activating alternate network routes and working remotely.
Why should you use BCDR, and when should it be activated?
Motivations for an organization developing a BCDR strategy might include protecting the lives and safety of employees, ensuring the availability of services to customers and protecting revenue streams. Competitive positioning and reputational management are factors that often underlie other motivators: A business perceived as unable to protect employees or deliver services will struggle to attract workers and customers.
The regulatory and compliance environment also influences organizations in their pursuit of BCDR. The HIPAA Security Rule, for example, requires covered entities such as hospitals to provide an emergency mode operation plan, which includes "procedures to enable continuation of critical business processes for protection of the security of electronic protected health information."
The Financial Industry Regulatory Authority (FINRA), an organization that oversees broker-dealers, requires firms to "create and maintain written business continuity plans" that address emergencies or disruptions to the business. FINRA spells out its required business continuity measures in its emergency preparedness rule.
U.S. federal agencies, meanwhile, are also required to develop BCDR strategies, which in government terminology are called continuity of operations plans . The aim is to "ensure that essential government services are available in emergencies -- such as terrorist attacks, severe weather, or building-level emergencies," according to the Government Accountability Office.
Customers might also put pressure on businesses to develop adequate BCDR plans. An assessment of a organization's BCDR stance might be part of a prospective client's vetting process. Federal regulators, such as the Office of the Comptroller of the Currency, encourage banks to include resilience as part of the vendor due diligence process. Specifically, OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," states that banks should "determine whether the third party maintains disaster recovery and business continuity plans that specify the time frame to resume activities and recover data."
The "why" of BCDR potentially has many answers, and the "when" of business continuity and disaster recovery is similarly nuanced. Organizations must weigh several factors before declaring a disaster and triggering the BCDR plan. Chief among those are the expected duration of the outage, the outage's effects on the organization, the financial cost of activating the BCDR plan and the BCDR plan's potential for causing disruption. Paradoxically, the process of failing over from an organization's primary place of business to a backup facility -- and then failing back after an event -- might significantly interrupt operations, noted Paul Thomann, regional principal for cloud and data center transformation at Insight Enterprises Inc., an IT services provider based in Tempe, Ariz.
Accordingly, an organization's leadership must carefully size up when to enact the BCDR plan. Migrating to a backup facility, Thomann said, "comes with an impact to the budget." An organization, for instance, might deem a six-hour outage not significant enough to make the disaster call.
That decision, particularly in larger enterprises, is typically made by a committee rather than an individual executive, Thomann said. The committee might consist of the CEO, CFO, CIO and other C-suite executives, he added.
How to build a BCDR plan
Organizations can break down a BCDR plan into BC and DR components.
Specifically, according to BCDR consultant Kirvan, a business continuity plan ( BCP ) contains contact information, change management procedures, guidelines on how and when to use the plan, step-by-step procedures and a schedule for reviewing, testing and updating. A disaster recovery plan ( DRP ) features a summary of key action steps and contact information, the defined responsibilities of the DR team, guidelines for when to use the plan, the DR policy statement, plan goals, incident response and recovery steps, authentication tools, geographical risks and plan history. The DRP should also take staffing into account, ensuring that personnel able to execute the various steps of a DR plan are always available to enact critical recovery tasks.
Good business continuity and disaster recovery plans are clear about the varying levels of risks to the organization; provide well-defined and actionable steps for resilience and recovery; protect the organization's employees, facilities and brand; include a communications plan; and are comprehensive in detailing actions from beginning to end.
A BCDR policy is an important initial step. The policy sets the foundation for the process and typically covers the scope of the business continuity management system, which employees are responsible for it and the activities performed, such as plan development and BIA. A policy might also establish a common set of metrics, such as key performance indicators and key risk indicators. The policy aspect is often overlooked, but it's an important business continuity auditing item.
Developing the BCP and DRP typically starts by gathering BCDR team members and performing a risk analysis and BIA. The organization identifies the most critical aspects of the business, and how quickly and to what extent they must be running after an incident. After the organization writes the step-by-step procedures, the documents should be consistently tested, reviewed and updated.
Although certain aspects of the process involve select members of the organization, it's important that everyone understand the plan and is included at some point. The plan should also encompass third parties and the services they provide. A bank, for example, might rely on data that a third-party firm supplies, so the relationship should be documented in the BCDR plan. Such outside entities must be kept in the loop so they understand how the plan is going to work.
Other steps in a BCDR planning checklist include risk mitigation and an emergency communications plan. The latter details the method, or methods, an organization will use to disseminate information on an emergency to employees.
In summary, the process of building a BCDR plan will typically involve the following activities:
- risk identification
- infrastructure review
- plan design
- plan implementation
BCDR testing
Testing a business continuity and disaster recovery plan provides assurance that the recovery procedures put in place will work as expected to preserve business operations. The testing phase might also highlight areas for improvement, which the organization can address and incorporate into the next version of the plan.
Tests can range from simple to complex. A discussion-based tabletop exercise brings together participants to walk through the plan steps. This type of test helps employees with BCDR roles become more familiar with the response process, while letting administrators assess the effectiveness of the BCDR plan.
On the other end of the testing spectrum, a full-scale test simulation calls for participants to perform their BCDR functions rather than discussing them in a tabletop exercise. These drills might involve the use of backup systems and recovery sites.
Still, testing requires time, funding, management support and employee participation. The testing process also includes pre-test planning, training test participants and reporting on the test.
The frequency of testing varies by organization. Larger enterprises should conduct tabletop exercises at least quarterly, while smaller organizations can test less often, Insight Enterprises' Thomann said. A full BCDR test, which is more time- and resource-intensive, can be conducted annually, he added.
InterVision's Ton also recommended a quarterly testing schedule, with a DR test conducted twice a year with tabletop exercises in between those tests. Business continuity, as a separate test, can be conducted annually. Ton said he's found it more effective to separate the tests because conducting the DR test on its own is less disruptive to the organization.
Periodic testing, plan maintenance and resilience are interrelated. An organization improves its resilience when it updates its BC and DR plans and then tests them continually.
BCDR cost management
Changes in the threat landscape or new business ventures might compel an organization to expand its BCDR coverage. That change in scope could call for spending on consulting services or backup and disaster recovery technologies.
BCDR managers might need to seek new funding for the expanded BCDR plan and resilience technologies if the dollars aren't available in the current budget.
An investment proposal should be built on a business case that emphasizes the positive results the new BCDR capabilities will provide for the organization. The bid for funding should also determine whether the revised BCDR plan will affect other areas, such as cybersecurity. Other steps toward obtaining funding include vetting products and services that support the expanded requirements and preparing a procurement request with enough documentation, according to BCDR consultant Kirvan.
Ton said organizations should strike a balance between the level of investment in BCDR approaches and the anticipated financial effects of a given disaster scenario. "You don't want to come up with a solution that costs 200 times more than the disaster would have," he said.
Asking business leaders from various corporate disciplines to estimate the expected costs associated with different types of events can help organizations establish a baseline from which they can make informed BCDR investment decisions.
Standards, templates, software and services for BCDR planning
Organizations embarking on a business continuity and disaster recovery planning process have numerous resources to draw upon. Those include standards, tools ranging from templates to software products, and advisory services.
"To build a plan, you have many templates that exist and many best practices and many consultants," ESG's Bertrand said. "There's no reason not to have a strong DR plan."
BCDR standards
Government and private sector standards bodies, including the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), have published BCDR guidelines. The standards, which cover topics from crisis management to risk assessment, provide frameworks on which businesses can build their BCDR plans.
The following is a sampling of standards:
- ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements
- ISO 22313:2012 Societal security -- Business continuity management systems -- Guidance
- ISO 22320:2018 Security and resilience -- Emergency management -- Guidelines for incident management
- ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
- ISO 31000:2018 Risk management -- Guidelines
- ISO Guide 73:2009 Risk management -- Vocabulary
- IEC 31010:2019 Risk management -- Risk assessment techniques
- ISO/TS 22317:2021 Security and resilience -- Business continuity management systems -- Guidelines for business impact analysis
- FINRA Rule 4370. Business Continuity Plans and Emergency Contact Information
- National Fire Protection Association 1600: Standard on Continuity, Emergency, and Crisis Management (new consolidated draft pending)
- NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
- American National Standards Institute/ASIS ORM.1.201 Security and Resilience in Organizations and Their Supply Chains
Business continuity and disaster recovery plan templates
Templates provide preset forms that organizations can fill out to create BCDR planning documents. Some templates cover the BCDR plan as a whole or address particular aspects of the BCDR planning.
This general BCP , for example, includes provisions for natural disasters, fires, network service provider outages and floods or other water damage. A planning template can also assist SMBs, which could simplify the process, depending on organization's size and complexity.
A BCDR plan might call for a service-level agreement (SLA), which sets standards for the quality of an organization's BCDR recovery program. It can also help ensure services obtained through third parties, such as DR hot sites, perform at acceptable levels. Kirvan created a template that addresses SLAs for BCDR programs .
As noted above, conducting a BIA can help organizations with business continuity planning. This BIA report template provides a mechanism for documenting parent processes, subprocesses and the financial and operational effects in the event of an interruption.
Organizations can also benefit from scheduling BCDR activities for the ongoing care and maintenance of business continuity strategy. Activities range from scheduling a BIA to reviewing a technology disaster recovery plan.
BCDR software
Specialized BCDR software provides another tool for organizations ready to build a plan. BCDR products, sometimes referred to as business continuity software or business continuity management software, aim to help organizations build business continuity and disaster recovery plans. They typically cover a range of planning activities, such as BIA and risk assessment, and offer incident response capabilities.
Vendors in the market include Castellan Solutions, Continuity Logic, Dell Technologies, eBRP Solutions Network, Fusion Risk Management and SAI Global.
BCDR planning services
Another option is to outsource the organization's BCDR needs to a third-party firm that can provide risk analysis, plan development and maintenance, and training. It's incumbent upon the business to analyze its needs before selecting a BCDR firm, nailing down such information as what it wants to outsource, what services it expects of the vendor, the risks of an outsourcing agreement and how much it plans to spend.
Potential sources of planning support include accounting firms, which can perform BIAs as part of the business continuity planning process. Accounting firms should typically be able to help clients determine the cost of workload outages, but buyers should ideally select a firm with experience in business continuity or IT resource planning, according to technology writer and former CIO Brien Posey. Consulting firms can also help with BCDR planning, Posey added.
Managed service providers (MSPs) often serve as virtual CIOs for their SMB customers. In that role, MSPs can help with planning. Because their business is to manage a customer's IT assets, they are able to develop a plan for dealing with technology outages.
Supporting technologies and strategies
The technology options for executing the DR portion of a BCDR plan have expanded in recent years due to the advent of cloud computing. Traditionally, organizations built or hired out an off-site facility to handle their disaster recovery needs. Such disaster recovery sites require a duplication of in-house production systems, so they could prove out of the financial reach of many SMBs. However, cloud-based offerings such as disaster recovery as a service have made DR more accessible for smaller organizations.
Other resilience offerings include emergency notification systems, cybersecurity systems and incident response systems, which might be included in business continuity management products. Organizations might also tap work area recovery vendors that provide alternative work locations for employees.
BCDR management
The team that builds, manages and -- in the event of a disaster -- executes a BCDR plan should be cross-functional, drawing upon multiple stakeholders and pockets of expertise across the organization.
The team's leadership varies somewhat by organization. In a large enterprise, for example, the risk management officer often chairs the BCDR team with a representative from the IT department as a vice chair, InterVision's Ton said. Smaller organizations lacking a risk management department might appoint the CFO to lead the team, he noted. And, in some cases, the IT department head might direct the BCDR team.
Other members of the team typically include representatives from the organization's key business functions: finance and accounting, facilities, legal -- including in-house and outside counsel -- marketing and public relations, for example.
The task of pulling multiple stakeholders together to develop a BCDR plan -- and conducting the necessary impact and risk analyses -- can prove challenging. Project management thus becomes an important consideration. Organizations should think about appointing a project manager to shepherd the process of building a BCDR plan, Ton noted.
The BCDR team should also take on the task of ongoing business continuity management, making sure plans are up to date. Business initiatives and data center technologies change frequently, so BCDR plans will need regular maintenance to stay on point. As a first step, an organization should assess if the current plan can be updated or whether an entirely new plan is in order, according to George Crump, president of Storage Switzerland, an IT analyst firm. Organizations should conduct BCDR testing to determine the extent to which a plan needs to be overhauled.
In addition to testing, a BCDR team might also want to consider a business continuity plan audit , which assesses the effectiveness of a plan. The audit should detail the risks that could threaten the plan's success and test the controls currently in place to determine whether those risks are acceptable to the organization. An IT General Controls audit can also be used to assess risks to the infrastructure and identify areas for improvement, according to BCDR consultant Kirvan.
The various roles and responsibilities of BCDR team members, from planning to testing, can be detailed in an organization's business continuity policy . Such a policy might also encompass external personnel, such as vendors and customers.
Another aspect of BCDR team building is getting individuals up to speed on BCDR best practices. To that end, BCDR team members can avail themselves of business continuity training and certification programs.
The Business Continuity Institute, a global professional organization, offers its Certificate of the Business Continuity Institute, which covers business continuity management process and practices. The institute also offers a Business Continuity Management BCI Diploma for individuals looking for additional insight into business continuity management.
The BCM Institute, meanwhile, offers its Business Continuity Certified Planner (BCCP) accreditation. The BCCP certification aims to recognize a business continuity professional's understanding of core business continuity management concepts.
Other organizations granting professional business continuity certifications include DRI International, the National Institute for Business Continuity Management and the International Consortium for Organizational Resilience. Such certification bodies usually work with an internal or external training group that prepares students to sit for exams, Kirvan noted.
Conferences also provide an opportunity to educate BCDR team members. Ton cited DRI and Disaster Recovery Journal events as helpful for people looking to learn more about business continuity.
BCDR pitfalls: Mind the gap
Change is perhaps a BCDR plan's key nemesis. As the pace of technology change accelerates, organizations are left updating IT equipment -- from storage and servers to networks and their associated devices. Some IT assets are moving to the cloud. A 5-year-old BCDR plan is unlikely to reflect -- and prove adequate to protect -- the current IT estate.
An organization's change management process can help address this issue. Change management oversees adjustments to systems, networks, infrastructure and documents. It addresses similar situations as BCDR planning and testing, so an organization might decide to include business continuity and disaster recovery in the change management process.
The change management process contains six major activities, according to Kirvan:
- identify a potential change;
- analyze the change request;
- evaluate the change;
- plan the change;
- implement the change; and
- review and close out the change process.
An organization, of course, is also subject to change. Organizations make acquisitions, divest non-core operations and create new lines of business, for example. An effective BCDR plan must be periodically updated to account for those developments. Regularly scheduled BCDR testing can expose gaps in the plan where it has failed to account for technology or business changes.
Perceptual gaps can also undercut BCDR plans. ESG's Bertrand said many organizations adopting SaaS offerings have a false sense of security regarding data protection. A third of the respondents to an ESG survey said SaaS apps, such as Microsoft 365 and Salesforce, don't need to be backed up. Bertrand said that's simply not the case. He cited the example of recovering email an organization's users have sent to the trash bin. He said Office 365, depending on the customer's subscription level, retains deleted email for a limited time.
"SaaS application resilience is being conflated with SaaS data availability," Bertrand said. "SaaS-based applications are not being properly protected today."
Organizations using such cloud-based applications should become acquainted with their vendors' data protection and recovery SLAs and make sure BCDR plans cover SaaS applications and their availability requirements. Bertrand said the percentage of people who are aware of SaaS vendors' SLAs is improving, but not everyone is up to speed. He said 58% of ESG survey respondents said they were familiar with SaaS vendors' data protection and recovery provisions.
An organization can use a BCDR checklist -- or a series of checklists -- covering plans, policies and recovery strategies to root out potential problems and flag BCDR weak points. BCDR teams should also stay abreast of the changing threat landscape to make sure their plans reflect emerging threats. Business continuity risks that organizations should monitor range from evolving cybersecurity attacks to active shooter incidents.
The future of BCDR
BCDR planning and execution will continue to evolve with the changing nature of threats. Below are a few developments to consider.
The confluence of cybersecurity and business continuity. The role of cyber attacks, such as ransomware, in disrupting business operations appears set to continue -- if not accelerate. Cybersecurity and business continuity are typically separate and distinct functions in an organization. Kirvan, speaking on the future of business continuity, said he believes those disciplines "ought to be under the same roof."
Going back to the future with tape storage. Backup files might be encrypted in a ransomware attack. Organizations, however, can isolate the files they need for recovery from the corporate network, creating an air gap. That's where time-testing tape storage comes into play. Bertrand said tape storage is reemerging as a way for organizations to preserve a "gold copy" of their data, offline and off site. "It's coming back," he said of the backup method.
AI's influence on BCDR planning. AI and its cognitive functions might help BCDR teams make decisions on organizing their plans and might also play a role in conducting BIAs and risk assessments, according to Kirvan. AI could also support incident response, recommending actions based on the details of unfolding disaster scenarios.
Service providers play a bigger BCDR role. A large percentage of MSPs are involved in backup and disaster recovery. The MSP sector is likely to emerge as a one-stop shop for business continuity services, particularly for SMBs lacking internal expertise. MSPs, in their trusted advisor role, can advise clients on BCDR planning and make technology recommendations. Some provide their own disaster recovery as a service, while others partner with vendors that provide that tool.
Continue Reading About What is BCDR? Business continuity and disaster recovery guide
- Build a BCDR employee training program for peak resilience
- 12 skills business continuity managers need to succeed
- IT resilience management, planning top of mind for DR pros
- Business continuity interview questions for aspiring managers
- Make a power outage business continuity plan with these tips
Dig Deeper on Disaster recovery planning and management
Where do business continuity plans fit in a ransomware attack?
Why a HIPAA disaster recovery plan is critical
Where does security fit into a business continuity plan?
Free disaster recovery budget template to justify BCDR spending
A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...
A growing number of enterprise Kubernetes users presents an opportunity for CloudCasa, currently a division of Catalogic, with ...
Organizations with SaaS-based applications are still relying on the providers for data protection, even though the vendors are ...
Pure Storage expanded its storage offerings with FlashBlade//E designed for the unstructured data market with an acquisition cost...
Data governance manages the availability, usability, integrity and security of data. Follow these best practices for governance ...
Vast Data Universal Storage brought out data services, including set performance, metadata cataloging, better security, container...
An incident response program ensures security events are addressed quickly and effectively as soon as they occur. These best ...
The Biden-Harris administration's 39-page National Cybersecurity Strategy covers multiple areas, including disrupting ransomware ...
While ransomware incidents appear to be decreasing, several high-profile organizations, including Dole, Dish Network and the U.S....
Policymakers want federal data privacy legislation limiting businesses' ability to collect data on individuals and banning ...
Public, private, hybrid or consortium, each blockchain network has distinct pluses and minuses that largely drive its ideal uses ...
Get the lowdown on the major features, differentiators, strengths and weaknesses of the blockchain platforms getting the most ...
Prepare for Emergencies with Business Continuity and Disaster Recovery Plans
How a company responds during an emergency or other unexpected event can drastically impact how quickly it can resume operations and its prospects for future success. Planning ahead and having systems in place for such events can be just as important as the actual response once an event occurs.
To prepare, companies should have both business continuity plans and disaster recovery plans in place. While business continuity and disaster recovery plans are two separate types of plans, they should complement each other as there are many similar concerns for each.
Below, we outline how these plans differ and steps your company can take to design effective plans should an emergency arise:
- What Is a Business Continuity Plan?
- What Is a Disaster Recovery Plan?
- How Does Disaster Recovering Planning Differ from Business Continuity Planning?
- What Types of Events Should Be Included in a Disaster Recovery Plan?
What Are the Benefits of Planning Ahead?
- What Does a Business Continuity Plan Typically Include?
- What Processes and Procedures Belong in a Business Continuity Plan?
- What Is the Purpose of a Disaster Recovery Plan?
- What Does a Disaster Recovery Plan Typically Include?
How Do You Test a Disaster Recovery Plan?
A business continuity plan is a predefined approach and procedure for how a business will continue to run when coping with an emergency.
A disaster recovery plan is a predefined approach and procedure for restoring the business to full functionality, following a system failure or compromise, while keeping the impact to a minimum.
While a business continuity plan focuses on defining how business operations should function under abnormal circumstances during a disaster or emergency, a disaster recovery plan focuses on getting applications and systems back to normal.
Business emergencies can include events that are intentionally or accidentally caused by humans as well as natural disasters.
Potential disasters and threats can include the following:
- Pandemic flu
- Computer and server shutdown or denial-of-service and sabotage
- Ransomware attack
- Bomb threat
- Severe weather or wildfire
Regardless of the origin, business disasters may cause:
- Death or significant injury
- Damage to property or environmental damage
- Closing of business
- Work or service stoppage
- Negative impact on the company’s financial standing or company image
Business continuity planning and disaster recovering planning both provide several benefits to your organization, especially when they’re drafted in tandem, including:
- People and property protection
- Morale boost
- Improved decision-making
- Risk management
People and Property Protection
Having emergency plans in place can help safeguard life and property of the company and its employees. The Occupational Safety and Health Administration (OSHA) even requires companies with more than 10 employees to write these plans in compliance with its Regulation 1910.38 Emergency Action Plans .
Morale Boost
When employees know plans are in place, they may feel safer. This can help boost morale and potentially increase business value perception to buyers who recognize the responsibility and preparedness of the company.
Improved Decision-Making
Planning ahead allows for systemic, structured, and timely implementation of your plan and helps you make decisions based on the best available information, should an emergency occur.
It also provides room to be dynamic and responsive to change. Flexibility can allow you to take human and cultural factors into account, such as supporting workers with medical needs or managing teams that operate across geographic regions, and allows the company to be transparent and inclusive with its plans.
Even if you haven’t faced an emergency, planning for one can help facilitate continual improvement of the organization and become an integral part of all organizational processes.
Risk Management
Managing risk for organizations includes risks posed by relationships with third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of up time.
For companies serving highly regulated industries, such as health care, financial services, and utilities, third-party risk management often includes assessing business continuity plans and disaster recovering plans. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.
There are several key factors to consider when creating a business continuity plan. While employees and customer safety should be your top concern, there are also other areas of focus that are especially important.
Business continuity planning should focus on:
- Duration your business can last without its tools, assets, operating locations, and other elements crucial to operations
- Possible outcomes if you’re denied access to facilities, servers, customer records, or other needs
- Length of time you can operate without telephone service, electricity, or temporary electricity if running only on generators, water, and other utilities
- Necessary changes to processes and workflows to maintain critical operations until the situation can be returned to normal
- Scenarios most likely to occur that would create the greatest disruption to the organization
To prepare for those concerns, a business continuity plan should define processes and procedures for the following:
- Assessing and planning for threats to business operations
- Maintaining operations and meeting obligations during emergencies
- Testing your plan, including test types, testing schedules, and documentation requirements
Steps to assess various risks should include the following:
- Estimating the likelihood of the event based on data, such as the historical frequency of natural disasters in an area
- Defining risk categories, such as operational, legal, reputational, or security risks
- Estimating the impact to assets or processes based on the defined risk categories—for example, a natural disaster that causes a server outage may affect a public website hosting a storefront, which could impact revenue or relationships with partners
- Mitigating controls such as backups and alternate operating locations
Primary and secondary points of contact should be determined internally and externally. It may help to create templates or prewritten communications as well as communications schedules that can be deployed immediately in the event of an emergency. This helps put plans into action and address employee and public concerns.
Emergencies can require all hands on deck, so it’s important to identify top personnel and their responsibilities in your plan, as well as team members to serve as alternates in case the primary role player is unavailable.
Responsibilities should be defined and assigned for the following roles:
- Crisis manager or site coordinator
- Engineering or maintenance officer
- Human resources officer
- Communications or public relations officer
- Outside members such as police, fire, and government personnel
Employees will need to be notified and provided instruction in an emergency situation. Employee contact information should be up-to-date and easily accessible with departmental organizational charts as well as cell and home phone numbers and emergency contact information included.
Planning should also consider the likelihood that communications systems may be inaccessible and define alternative means of connecting with employees and team members, including any third parties supporting business continuity efforts.
What Safety and Security Measures Are Included?
First-aid kits and other resources should be inspected at least on a monthly basis. Identify local hospitals, medical treatment options, and available 911 services so the correct parties can be contacted as quickly as possible if needed.
Evacuation and Access to Property
Evacuation plans from all company buildings should be readily available, and employees can be instructed on evacuation routes through drills. Additionally, they should be provided directions to shelter and safe areas.
For those not at a company location or to plan for how to access property following an emergency, alternate routes to key facilities should also be provided in the event of damaged roads.
How Will You Access Contractors, Support Equipment, and Utility Companies?
Should you require the assistance of emergency personnel, repairs to infrastructure, or equipment, it’s important to consider how you’ll access these resources. Contractor contact information and tools and equipment requirements, as well as rentals, should be readily available.
Equipment you should consider having access to includes the following:
- Generators for backup power including portable options such as trailers
- Computing equipment and storage
- Trailers to transport fuel to generators, equipment for repairs, or sandbags before storms
In addition to requesting these materials, it’s important to make sure anyone who will come in contact with the equipment has a deep knowledge of how to properly operate machinery and assess any safety concerns.
Other important vendors and contacts to have easy access to include the following:
- Banks and financial institutions
- Computer and IT backup support providers
- Building contractors
- Fuel companies
Do You Have Proper Insurance?
Should damage take place to your property or if people are harmed, you’ll want to make sure the proper insurance protocol is in place. You should be able to easily access the contact and claims reporting information for the following:
- Property-casualty agent
- Group health insurance
- Life or accidental death and dismemberment insurance
Insurance concerns can also extend to cars and other vehicles, so it’s important to have access to vehicle identification numbers (VINs) in case they go missing or are damaged.
The purpose of disaster recovery planning is to support critical operations by returning IT systems to full functionality. This should be prioritized based on customer needs, regulatory requirements, and the importance to your organization or the operations that the IT system supports.
You should be able to determine the availability of workaround options compared to work stoppages to do the following:
- Reduce the likelihood or impact of an event through technology and controls
- Maintain minimum mission-critical systems to allow for eventual full restoration
- Recover post-disaster by bringing all systems back online to full operational state
A disaster recovery plan has many of the same elements of a business continuity plan that need to be documented and defined ahead of time, but there are several key elements that are different. These elements include:
- Business impact analysis
- Assumptions and constraints
- Communication processes
- Data and system backup plan
- Damage and impact assessment
- Response communication and action plan
A business impact analysis is essential for determining and evaluating the effects of an interruption to critical business operations. It assesses a disaster’s impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality.
Business leaders and management should be involved in determining the system recovery priorities as this analysis will be used to document the critical systems, document dependencies with other systems, and prioritize the system recovery efforts.
What Is the Importance of Communication Processes and Role Assignments?
Communication is a key process during the recovery effort so recovery teams should understand their roles and responsibilities. A disaster recovery coordinator should be established, along with a backup to this position. These persons will be responsible for coordinating, communicating, and managing staff during the recovery efforts.
An emergency response team should also be documented as these personnel will be responsible for the actual recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored.
Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy employed to ensure that data is available in order to restore systems during emergency and nonemergency situations.
This plan outlines the backup strategy for all of the critical systems identified in the business impact analysis. The recovery and response action plan provides detailed steps on the recovery procedures that need to be performed in order to restore systems and data. The recovery steps are critical as they will help guide staff in the steps necessary to fully recover a system.
Once a plan is in place, perform tests that help verify that it can be properly executed.
Diverse testing methods must be deployed so that multiple scenarios can be addressed and tested. Suggested testing methods include the following:
- Walkthrough testing
- Simulation testing
- Checklist testing
- Full-interruption testing
- Parallel testing
Testing can be done for several purposes including the following:
- Exercising the recovery processes and procedures
- Familiarizing staff with the recovery process and documentation
- Verifying the effectiveness of the recovery documentation and site
- Establishing if recovery objectives are achievable
- Identifying improvements to the disaster recovery strategy, infrastructure, and recovery processes
We’re Here to Help
Emergency preparedness is all about planning, training, and maintaining a supportive culture. To learn more about how your business can organize business continuity and disaster recovery plans and confidently test and execute them, contact your Moss Adams professional.
Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.
Related Topics
Contact us with questions.
IMAGES
VIDEO
COMMENTS
Preparing a financial plan for your business is important if you plan to pursue business finance options such as loans, according to Inc. Business finance companies look at the short-term viability as well as the long-term potential of a bu...
It’s impossible to eliminate all business risk. Therefore, it’s essential for having a plan for its management. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management.
While it may be tempting to put off, creating a business plan is an essential part of starting your own business. Plans and proposals should be put in a clear format making it easy for potential investors to understand.
A business continuity strategy can ensure communication methods such as phones and network servers continue operating in the midst of a crisis. Meanwhile, a
Business continuity plans are concerned with establishing how business operations will function in the event of abnormal circumstances as a
In other words, a disaster or data recovery plan dictates how a business should respond to a disaster, while a business continuity plan dictates
The key difference is when the plan takes effect. For example, business continuity requires you to keep operations functional during the event
Business continuity planning establishes the blueprint to enable you to maintain business processes and procedures as close
The main difference is that a disaster recovery plan is more focused on the procedures for recovering from a disaster, especially in regards to IT systems
Disaster recovery is actually a part of business continuity and involves a plan for getting business back to normal after a disaster occurs. Business continuity
The main difference between business continuity and disaster recovery is when each plan of action takes effect. Whereas business continuity
Accordingly, a disaster recovery plan is limited to ensuring data protection, preventing damage to systems and recovering them as quickly as possible, while a
BC typically focuses on the organization, whereas DR zeroes in on the technology infrastructure. Disaster recovery is a piece of business continuity planning
While a business continuity plan focuses on defining how business operations should function under abnormal circumstances during a disaster or