According to the Federal Emergency Management Agency (FEMA), 90% of small businesses fail within a year unless they can resume operations within 5 days after a disaster.
To compound the problem, about one in five businesses spend time maintaining their business continuity and disaster recovery plans.
A disaster should not be thought of as:
- Cybersecurity attacks
- Hardware/software failure
- Employee mistake
- Power outages
- Natural disasters, such as: hurricanes, tornadoes, and earthquakes
A disaster is any time your business is not able to transact business in the manner your , your employees, and clients have come to expect and depend on. When it comes to disasters, business owners must expect the unexpected. It’s absolutely critical to have up-to-date procedures for recovery in place, so your business can adapt and begin recovering the moment disaster strikes.
This article will help you understand business continuity and disaster recovery, the differences between them, and why having both in place is vital to your business.
Business Continuity Plan
A business continuity plan (BCP) is a framework to follow, in order to continue business as usual is interrupted. Multiple sources can cause a business interruption, such as natural disaster, cyberattacks, or a pandemic disrupts your company. The BCP should answer the question: ‘How do we continue to operate during an unplanned crisis?’
While a BCP must look at the business as a whole and focus on very specific scenarios that can affect your operations.
For example, you are a small business with its head office situated in Boston. Your BCP covers all of the most likely forms of interruptions such as cyber-attacks, internet outages, and dreaded nor’easters in the winter. This would differ from a company in a different region that might have other weather-based threats that happen at other times of the year.
Your BCP should identify the critical functions of your business, which systems must be sustained and how to maintain them. Here is a helpful list of questions your BCP should answer:
- A prioritized list of the core business functions, and which order they are to be restored.
- How departments will function if normal operations are interrupted, such as office systems, email, internet or servers becoming unavailable.
- What is your tolerance (meaning how long are we willing to live with) downtime?
- What is your tolerance (how many days/hours/minutes) of data loss before it is unacceptable?
- How do you maintain key business systems during a disruption? Finance, customer support, vendor access, etc.
- Which staff members are needed during a crisis, and what duties will they perform?
- What are your supply chains and how do we keep them moving?
- How do we access invoices, in order to keep track of what we’re owed and what needs to be paid?
BCPs can be complex and will take several iterations to become complete. On top of creation, you need to test the plan against scenarios to work out the kinks. Building a solid plan requires extensive research of all threats your business may encounter, both present and future.
A disaster recovery plan (DRP), sometimes known as a network disaster recovery plan, is the set of steps businesses take in order to return to normal operation after disaster strikes. DRPs often focus more specifically on the technology side of things like restoring lost data and infrastructure failure. They should answer the question: ‘How do we get operations back to a pre-crisis state?
As mentioned, DRPs usually focus on a business’ data and information systems. They’re often centric to the IT department’s needs, but also overlap certain elements of a business continuity plan.
A thorough disaster recovery plan should include:
- A detailed list of all systems, applications that the businesses use is, where they are located, what business purpose do they serve, who uses them, their appropriate contact information.
- These systems should be prioritized as to recovery preference
- How is each of these systems backed up and protected?
- What is the recovery process for each of these?
- Who owns the process, who is trained on it, who has the authority to put the recovery plan in place?
- When was the recovery process tested and verified last?
- In a recovery operation, has security changed and how are the assets protected?
- If the location of these services needs to be relocated, how and where are they to be moved?
- Are there outsourced components that need to be confirmed?
As with the BCP, your disaster recovery plan should be fluid and updated periodically to ensure all information is accurate.
Disaster Recovery vs Business Continuity
Although many assume disaster recovery and business continuity are synonymous, there are distinct differences between the two.
For one, BCP is generally an executive leadership responsibility, where they can set priorities for the entire organization. It involves risk assessment, prioritizing business functions, etc. BCPs are comprehensive and designed to cover almost any type of business disruption.
Disaster recovery is more targeted to specific systems/applications and generally lives within technology responsibility. The BCP prioritizes and invokes different disaster recovery processes to be executed to bring components of the business back into operation.
Some business owners point to business insurance policies as their protection. While business insurance can be a key part, you cannot buy your data back. It is imperative that you have effective backup protection of your business data. If you have private, confidential, compliance, or financial data, there are potential fines, lawsuits, compliance problems, and client, vendor and partner confidence to lose. In this day and age, there is no excuse for effective data protection, on-premise, or in the cloud, there are many viable options.
Test, test test. run disaster simulations. This will put your recovery systems to the test, and tell you whether you’re equipped to handle the multitude of threats out there.
Now that you’re able to identify the difference between business continuity and disaster recovery, it becomes less about bcp vs drp and more about how you make sure you have the benefit of both working harmoniously together.
As the old saying goes: by failing to prepare, you are preparing to fail.
Work with your IT team when it comes to creating disaster response plans. Using your BCP as a guide to priority, be clear what your recovery timeline expectations are so appropriate systems and resources are put in place. Make sure and test these plans to make sure they are complete; nobody wants to learn steps are missing during a crisis.
To improve your results, consider engaging managed IT services providers with experience to help. Using the expertise of someone that has done this hundreds of times will provide valuable insight to the process and prove to be invaluable when it is needed the most.
Having effective business continuity and disaster recovery plans in place will ensure you’re ready to handle any threat which may arise, and that disaster won’t spell the end of your business.