Disaster Recovery & Business Continuity – Related but not the same
January 21, 2013
We often hear the terms ‘disaster recovery’ and ‘business continuity’ used interchangeably. The truth is they are not the same and it could be a huge mistake to think that protecting a company’s computing assets in the event of a disaster will also provide business continuity. Disaster recovery is ‘data & systems’ centric, while business continuity is ‘business operations’ centric. The thing to remember is that a declared disaster triggers the implementation of a business continuity plan before the implementation of a disaster recovery plan.
Given the tragic results following Super Storm Sandy on the East coast, the focus on disaster recovery and business continuity is at an all time high. The stakes for businesses are much too high to ignore and if someone mistakes DR for BC, they are running the risk of calamity and misfortune that could possibly have been avoided.
To emphasize the importance of disaster recovery plans and business continuity plans, a few sobering statistics from a report published by Continuity Central about the impact of disasters on businesses:
- 70% of businesses involved in a major fire fail within 3 years (Chubb)
- One out of two businesses never return to the marketplace following a major disaster (AXA)
- Within two years after Hurricane Andrew in Florida (1992), 80% of affected companies that lacked a business continuity plan went out of business (FEMA)
Before we delve into the difference between DR and BC, it might be worth defining what constitutes a disaster. Although there is not a universally accepted definition of a disaster, the following observation by US disaster relief specialist Fredrick Curry should suffice, “A situation resulting from an environmental phenomenon or armed conflict that can produce stress, personal injury, physical damage, and economic disruption of great magnitude.”
This definition applies to all forms of disasters, but it also works for significant IT outages that cause significant disruption in the operation of a business entity. It is usually up to the company experiencing the disruption to declare a disaster, based on their own particular situation.
Types of IT Disasters
Information technology disasters can be either major or minor. Determining if a disaster is major or minor does not necessarily mean how far reaching the impact on employees or how much data was put at risk. For example a small amount of the very important data could compromise an organization just as much as the loss of a large amount of data. What if a disaster caused The Coca Cola Company to lose the recipe/formula to make Coke!
Another thing to consider when determining if a disaster has caused a major or minor loss of data is how long it will take to recover the data. It is entirely possible that a small data loss would necessitate a complete restoration of the entire company database, a Herculean undertaking for most companies. So, for purposes of this article, all significant loss of data or systems will be considered a major disaster.
Some typical life-events that can lead to an IT disaster being declared include:
- Weather event (hurricane, tornado, etc.)
- Widespread and long term power outage
- Internal sabotage
- Medical emergency (e.g. widespread epidemic)
- Equipment or software malfunction on a large scale
- Communication networks disabled
- Accident that closes down a large geographic area
- Earthquake, tsunami or volcanic eruption
- Multiple events at one time (e.g. flood, weather event, and communication network down)
In a disaster recovery survey conducted by Applied Research in 2009 (1650 companies surveyed, with at least 5000 employees) they found that nearly all organizations (93 percent) suffered some type of significant IT outages in the previous year. However, most reported that they could get back up and running within about four hours and did not declare a disaster. This large percentage of impacted organizations points to the fact that all companies, no matter how large or small, are vulnerable to a disaster scenario. Additionally, IT is becoming a more critical part of an organization’s ability to function because 60 percent of all applications were deemed mission critical in 2009. This percentage is most certainly higher now as we enter 2013.
What is the difference between Business Continuity (BC) and Disaster Recovery (DR)?
As mentioned in the beginning of this blog, BC and DR are not the same. However, DR plans are part of a BC plan or strategy. Jarrett Potts, Director of Strategic Marketing for STORServer, said, ‘Disaster recovery is a subset of business continuity. It is the process of saving data with the sole purpose of being able to recover it in the event of a disaster.’ Potts went on to say, ‘The root of disaster recovery is that data is kept in a secondary site, and plans are made to insure that the data will be recovered and the business can access it in a timely fashion.’
Business continuity is all about maintaining business operations following a declared disaster. The Disaster Recovery Institute International provides the following definition of business continuity: ‘The ability of an organization to provide service and support for its customers and to maintain its viability before, during and after a business threatening continuity event.’ Certainly, recovering vital computing systems and assets is a part of business continuity. But, the elements necessary for business continuity also include the physical location of the place or places of business, staffing and equipment, inventory, and transportation/distribution channels.
Continuity represents a much larger scope of planning and maintenance than recovery. However, given the dependency most businesses have on technology, disaster recovery is usually a top priority because it supports all the other elements of the business continuity plan. Time is of the essence following a disaster. Whether the focus is on data, systems, physical locations, staff or customers, time is the biggest enemy of business continuity. The issue of time-to-recover highlights several critical business continuity questions:
- What do we need recovered first to conduct business?
- What do our customers need to be assured of our stability?
- What do our business partners require to continue their normal operations?
- What do our vendors need to continue to work with us?
In a report form Continuity Center, the biggest impediment to Business Continuity and Disaster Recovery planning is resistance on the part of executive management to provide adequate support and funding. Other challenges facing IT staff interested in implementing BC and DR activities are: high levels of change taking place within their organization, lack of support from business units, and lack of time for business continuity efforts.
In conclusion, although disasters are few and far between, and we all believe that a disaster will never happen to us, the fact is they do happen and they can happen to anyone. Responsible organizations recognize this and take the proper steps to protect all of its assets in the event of a declared disaster.