There are any number of risks to business continuity. From natural disasters and power outages to cyber attack and human error, disaster can strike at any time, from anywhere.
Having a plan in place to keep your business operational in the event of an incident is the purpose of the business continuity plan and disaster recovery plan. These documents set out strategies to help the business bounce back following disruption to regular services.
While these plans would be used in similar circumstances, they do have some significant differences. Understanding these is key to developing a thorough business continuity and disaster recovery (BCDR) plan to keep your business afloat if the unthinkable happens.
What is a business continuity plan?
A business continuity plan (BCP) is a plan of action that ensures a business can continue operating after a disaster. It’s all about planning for how you can continue to deliver regular operations with minimal service outage or downtime.
In its simplest form, a business continuity plan seeks to answer the question: “How can we keep up an acceptable level of service in the event of a disaster?”
What is a disaster recovery plan?
A disaster recovery plan (DRP) is a more specific plan to restore critical and non-critical applications after a disaster. It’s all about prioritising which systems need to be back online first and how you can recover any lost data.
In its simplest form, a disaster recovery plan seeks to answer the question: “How can we recover a normal level of operation after a disaster?”
Business continuity plan vs disaster recovery plan
A business continuity plan requires careful analysis of all business operations. At a high level, it requires an assessment of what must be done in the event of a disaster. This includes the following areas:
- Resources. What resources, such as support equipment, software, hardware or stock, do you need to have available to maintain a minimum level of operation?
- People. Who are the key staff necessary to make decisions and implement recovery protocols if there is an incident? Has the plan been communicated to them?
- Third parties. Which third parties, such as suppliers, vendors or stakeholders, will also be affected should you experience downtime? How will you inform them?
- Customers. How can you ensure customers experience minimal disruption? Will you focus on keeping active customers satisfied in the meantime?
- Data. Where is the data that keeps your business running stored, where is it backed up, how often is it backed up and how quickly can a backup be restored?
Business continuity planning requires a holistic look at business operations so that all critical processes can be isolated and prioritised. It must cover all steps of disaster preparedness: risk identification, prevention, mitigation and then recovery afterwards.
Disaster recovery is similar to business continuity planning in that it requires listing and prioritising. Disaster recovery plans will usually cover support systems vital to company operation such as communications, hardware, software and other IT assets. One common strategy is to split out core business functions into a three-tier system prioritising recovery:
- Tier 1: mission-critical applications. These are essential to the survival of the business and cannot sustain much, if any, downtime. Ideally, you would need these applications up and running within 2 hours for your business to survive.
- Tier 2: business-critical applications. These are needed for business operations to continue successfully. More financial and reputational damage will occur the longer these are not running. These applications must be up and running within 24 hours.
- Tier 3: non-critical applications. These are likely to be ‘nice to have’ processes that contribute to normal operations, but you can survive without them temporarily. These can be offline for over 24 hours without too much detriment to the company.
The focus of the disaster recovery plan is getting these critical technical operations back to normal as quickly as possible after a disaster. Different strategies will be outlined for different failure scenarios too, including failure due to cyber attack, hardware failure, network outages or application failure. The more prepared a business can be, the better.
Do you need both a BCP and a DRP?
Both business continuity plans and disaster recovery plans are essentially forms of insurance – you invest in measures that you hope you never have to use, safe in the knowledge that you’re prepared and protected if the worst does happen.
Using this logic, it’s best to have both. The business continuity plan can be thought of as more short-term damage control while the disaster recovery plan is your way of restoring services and recovering lost data if critical infrastructure is damaged or destroyed.
In practice, most comprehensive business continuity plans also have disaster recovery protocols built-in. The disaster recovery plan can be thought of as a specific subset of business continuity planning that sets out how critical data will be recovered and restored.
The bottom line
While a business continuity plan can keep your business ticking over in the wake of disruption, a disaster recovery plan is necessary to get your business back up to full strength. It’s best practice to have both of these plans implemented. These plans should always be documented and communicated to the relevant people within your business.
Computers in the City, your IT partner
Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, consulting and cloud computing needs. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.