BCM Basics: the Difference Between Business Continuity and Disaster Recovery
This post is part of BCM Basics, a series of occasional, entry-level blogs on some of the key concepts in business continuity management.
For business continuity newcomers, few topics are as confusing as the difference between business continuity and IT disaster recovery. Readers of this week’s blog will never again be in doubt about the meaning of these two critical terms.
Related on MHA Consulting: Mark My Words: Commonly Confused Business Continuity Terms
Two Fundamental Terms
One of the most common BC-related internet searches is by people trying to learn the difference between business continuity and IT disaster recovery. As consultants, we are continually surprised to discover that many of our clients do not understand the meaning of these fundamental terms.
There is certainly no shortage of BC training courses and programs, but many people who are tasked with taking on BC duties are expected to educate themselves about their new assignment. They soon find the field contains an abundance of specialist terms such as inherent risk, mitigation controls, and recovery time objective.
However the most important terms to learn at the outset are surely business continuity and IT disaster recovery since they speak to the principal division of the entire field. Let’s go over them.
Defining BC and IT/DR
Business continuity (BC) is informally used as an umbrella term encompassing both business continuity and IT disaster recovery. Sometimes the form business continuity management (BCM) is used. (The activity of crisis management is also included under the umbrella though that tends to be treated separately.)
When used more precisely, business continuity refers to an organization’s ability to resume the performance of its business functions in a timely manner following a disruption. Whether the broad or more narrow meaning is intended is usually clear from the context.
Business continuity is associated with the recovery of the business processes and all of the requirements needed to keep those processes operational in a timeframe consistent with minimizing the impacts to stakeholders.
Examples of covered business functions include manufacturing products, delivering services, running payroll, and providing customer service.
IT disaster recovery is commonly abbreviated IT/DR (the IT of course stands for information technology). IT/DR refers to an organization’s ability to recover anything tech-related that it uses, whether it’s laptops, systems, networks, or apps, from a disaster such as a cyberattack or data-center fire.
IT/DR is the province of the IT department, and it draws on their unique, highly technical expertise.
That’s all there is to it. But while we’re on the subject, let’s talk about the area where BC and IT/DR meet.
Bringing BC and IT into Alignment
BC and IT/DR couldn’t be more different, but they are also intimately related.
You might have heard us or others talk about the need for BC and IT to come into alignment if an organization’s BC program is to have any practical value.
Theoretically, the business departments are free to say anything they want in terms of how quickly the business functions need to be brought back online in order to keep the impact of a disruption within acceptable levels. (The standard way of arriving at these targets is by conducting a BIA, or business impact analysis.)
The business departments might conclude, for example, that departments X, Y, and Z need to be restored to full functionality within two hours of a disruption in order for the organization to avoid unacceptable quantitative and qualitative impacts.
IT is the department that knows that such things are easier said than done. Only they know what it is actually achievable given the current conditions. “Yes, fine,” they might say. “We agree that it would be nice if the IT-related functions of departments X,Y, and Z could be fully restored within two hours. But it is not currently within our capabilities.”
There is often a gap between what BC wants and what IT can deliver. The process of aligning BC and IT is the process of closing this gap, either by reducing BC’s expectations, enhancing IT’s capabilities, or both. (Another way of saying “enhancing IT’s capabilities” is “getting the company to spend more money on IT/DR,” for additional equipment, DRaaS, or what have you.)
What often happens is, when the senior leadership sees how much it would cost to meet the lofty goals of the BC department, they realize that the damage of a longer outage might not be quite as great as they first thought—and that maybe their recovery goals don’t have to be quite so stringent.
The larger point is, this is the zone where BC and IT/DR meet. Its criticality points up the need for everyone involved in improving the organization’s resilience to have a clear understanding of these two fundamental terms and activities.
Fortifying Resilience and Ensuring Success
Understanding the difference between business continuity (BC) and IT disaster recovery (IT/DR) is of crucial importance for anyone involved in resilience planning. BC encompasses the ability to swiftly resume all business functions following a disruption, addressing critical processes from manufacturing to customer service. IT/DR focuses on the recovery of technological assets, whether computers, networks, systems, or applications following a disaster such as a successful cyberattack.
BC and IT/DR converge in the activity of aligning business recovery requirements with the IT department’s capabilities. Achieving alignment between these components is imperative for organizations that wish to enhance their ability to weather disruptions effectively. For this reason, grasping the nuances of BC and IT/DR is essential for all stakeholders involved in fortifying an organization’s resilience and ensuring its long-term success.
Further Reading
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
