Business Continuity vs. Disaster Recovery: Which Side of the Fence are You on?
What’s the difference between business continuity management (BC) and disaster recovery programs?
In financial services, one unmonitored trade, careless click, or botched back-up can mean a missed quarter. In manufacturing, the threat of supply chain disruptions has put a spotlight on preparedness. Across all industries, around the world, business continuity and disaster recovery teams have pushed through pandemic planning and into a new phase of resilience, focused on maintaining and growing businesses in a world beset by natural and man-made disasters.
The question is, why, during this period of profound change, do many large organizations have separate teams for business continuity and disaster recovery? Why do executives refer to “business continuity” for business processes and “disaster recovery” for IT? Is business continuity just the current term for any preparedness planning going on in the organization? Does use of the terms depend on who is the driving force behind the need to create a plan – was it IT, a business line, audit or risk management that got it started?
The stark truth is that in most companies the people on either side of the fence don’t often talk to each other. And it has been that way for years.
The great divide between business and IT
An internet search on the topic of “Business Continuity vs. Disaster Recovery” finds posts going back many years. In 2013, Jim Mitchell posted a blog that said, “Unless and until IT and ‘the business’ work together as equal partners in the development of comprehensive Business Continuity, we haven’t moved into a truly ‘post-DR’ world. As long as the two extremes see themselves as adversaries, they are unlikely to reach true Business Continuity objectives. As long as they fight separately over the same budget dollars (and we all know who usually wins that battle), they will never truly be partners in organization recoverability.”
Almost a decade later, this still rings true.
In its glossary for resiliency, the Disaster Recovery Institute (DRI) defines Business Continuity Management (BCM) as: “Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
Recognizing threats to the business is a lofty goal that all parts of an organization should strive for, not just the business side or the IT side. If an organization cannot provide its services or products because of an event, no one wins.
Mind the gap
Where business and IT should meet is in the Business Impact Analysis (BIA) and resulting Gap Analysis processes.
- Qualitative and quantitative impacts from negative events on the whole organization are analyzed.
- The resulting Recovery Time Objectives (RTO) prioritize business processes.
- Then the supporting areas such as IT and Facilities determine if they can meet those priorities.
If there is a difference between the business need and the supporting capabilities (the gap), this is where business and IT can really work together.
In this process, both sides can have some give and take. The business can put strategies in place where they can still function at some level while resources are restored. And IT has many strategies they can use to shorten the time it takes to recover. Recovery strategies must be approved and funded.
The question of funding is usually where the first skirmishes in the battle between disaster recovery and business continuity begin. Of course, customers and partners don’t care whose budgets fund preparedness. And C-level executives just want the business up and running smoothly.
But everything, in the end, comes down to money. Only by working together, ideally using shared processes, workstreams, metrics and dashboards, can business continuity and disaster recovery teams show executives the return on investment for money and time spent on recovery strategies.
An integrated approach to risk and recovery can cushion businesses during turbulent times. Some companies have torn down the fence between business continuity and disaster recovery. Some have included emergency management, crisis management and corporate communications on the team. These companies have found ways for representatives from each side to work together, using tools like matrixed organizational structures, new processes, and business continuity software to knit teams together.