Why You Need Both a Disaster Recovery Plan and a Business Continuity Plan
It’s not uncommon for companies to think that disaster recovery and business continuity plans are one and the same. Learn why both plans are needed.
Tornados, hurricanes, fires, floods, and other natural disasters can destroy a business. Digital disasters like ransomware attacks can be just as deadly.
Most businesses realize that they need to plan for disasters in case one strikes. Disaster recovery and business continuity plans are tools to make that happen. However, it’s not uncommon for companies to think that disaster recovery and business continuity plans are one and the same. While both are designed to help businesses deal with disasters, they are separate documents. To be fully prepared for disasters, businesses need to have both a disaster recovery plan and a business continuity plan.
The Difference between Disaster Recovery and Business Continuity
To understand what needs to go into the two types of plans, you first need to understand the difference between disaster recovery and business continuity. To do so, imagine that you are a lemonade shop owner. You loved having a lemonade stand when you were a child, so you made your passion your business. You’ve come a long way from setting up your stand next to a big maple tree so customers could enjoy their beverages in the shade. Nowadays, your customers enjoy their lemonade in a cozy shop that offers free Wi-Fi service and other hi-tech amenities.
Then, disaster strikes. The big maple tree is now in your shop and has added a new skylight to it. You also have a new waterfall feature, thanks to the water gushing out of a damaged pipe in the ceiling.
To stay in business, you will need to recover from the damage caused by the disaster (disaster recover) while continuing to provide customers with lemonade (business continuity). Disaster recovery and business continuity plans provide roadmaps for doing so.
The Disaster Recovery Plan
Disaster recovery plans discuss how to get crucial infrastructures and systems running again after various types of catastrophes. Restoring the IT infrastructure is a large part of disaster recovery in most businesses. However, there might be other types of infrastructures and systems that need to be discussed as well, depending on the nature of a business. For example, if a company’s manufacturing process relies heavily on water, the plumbing infrastructure should be addressed.
Besides identifying who should do what after a calamity occurs, the disaster recovery plan should also identify what has to be done to prepare for disasters. For instance, it should mandate that data and systems be regularly backed up and the backups be stored in several locations (including offsite ones).
The Business Continuity Plan
Business continuity plans discuss how to restore business operations in the event of a disaster. A business impact analysis can help prioritize which business operations to restore first.
Business continuity plans also need to indicate the recovery time objectives (RTOs) and recovery point objectives (RPOs) for the business operations. The RTO is the maximum tolerable length of time an operation can be down after a catastrophe, whereas RPO is the maximum acceptable amount of data loss (e.g., transactions) after a disaster, as measured in terms of time. In a perfect world, the RTO and RPO would be 0 (i.e., no downtime and no data loss). However, in reality, that is not feasible. Realistic objectives need to be set in the business continuity plan, as the disaster recovery plan needs to detail how the objectives will be met.
In some businesses, recovering the IT infrastructure is crucial for restoring most of their business operations. That is why some people assume that:
- Disaster recovery plans only cover IT infrastructures
- Disaster recovery plans and business continuity plans are one and the same
However, these two documents serve different purposes. As a result, companies should develop both disaster recovery and business continuity plans. If you need assistance with developing and implementing them, let us know.