This article was prepared by Patrick Rivait and it is one of a series to be presented in this forum. Patrick specializes in Business Continuity planning and I recommend any reader contact him directly for advice on this valuable service. Patrick can be reached at 519.984.6633
Business Continuity Planning versus Disaster Recovery: Are they the same?
Technology has become entrenched as a cornerstone in most companies’ daily operation, regardless of their size or complexity. Given the potential risks of operating disruption or data loss arising from IT service disruptions, Disaster Recovery Planning (DRP) has become a critical function for IT departments or third party IT service providers.
A question that often is raised is “The organization has invested a great deal of money in support of a DRP by acquiring backup hardware, off-site data co-location, or hosted solutions -- so are we covered?”
While this is a broad question, the likelihood that even the best DRP will be sufficient in times of crisis is fairly small. A bit of additional background may help shed more light.
By definition, Disaster Recovery (DR) is “The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site”[1]
In contrast, Business Continuity (BC) is defined as “A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. The management of recovery or continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date.”[2]
It becomes a bit clearer from these definitions that DRP is essentially a sub-set of the broader process of BCP. The DR focus is solely on assets surrounding IT, whereas BC focuses on all the organization assets – people, brand, buildings, processes, and data.
To help provide further clarification-- in the event off a fire at a workplace, having DR plans to recover information and business systems will be critical in ensuring issues such as safety of client and financial data, production information, orders, compliance for accounting audits and taxation, they do not cover key considerations such as:
· how employees and customers will safely be evacuated from the building;
· where the business will operate through the immediate response period to the crisis;
· who will be responsible for overseeing various sets of activities during, and immediately following the crisis; and what authority they might have during this response and recovery period;
· how the organization will communicate to suppliers, customers, employees (and potentially their families) and shareholders or funding sources;
· where the operation will relocate immediately after the crisis - during the recovery period.
Following a serious event, while it might be useful to access accounting data from a hosted service provider, if there are no contingency plans in place to facilitate the organization’s value-generating functions (such as ongoing production) in order to meet client demands, it is still highly likely that an organization will suffer significant losses to cash-flow and profitability, potentially lose employees through attrition or layoffs, and the customers may be forced to seek alternate providers for their goods and services. While these issues may appear to be the indirect impact of the critical event (i.e. the building fire), they are actually the direct impact of a failure to have appropriate programs in place to ensure the long-term viability of the organization.
Generally, DRP’s are driven by the IT function within an organization, and hopefully consider the core IT requirements of the various stakeholders within the organization. On the other hand, a robust BCP should be driven by a Steering Committee that represents all key stakeholders across the organization, and leverage the insights and experience of all key functions that support the organization. This broader perspective helps ensure that the final plans will be more robust, and that the proposed solutions will be workable and practical in the event that they need to be actioned in the aftermath of a critical event.
In clarifying the difference between these types of plans, it is important to remember that both are critical for ensuring the long-term viability of an organization. Both plans, when developed and produced in conjunction with one another, will help and organization mitigate both the risks and impacts of a potential crisis. Both are valuable, and should be considered critical parts of an organization’s regular management process.
[1] Source – Disaster Recovery Journal - Business Continuity Glossary: http://www.drj.com/tools/tools/glossary-2.html
[2]Source – Disaster Recovery Journal - Business Continuity Glossary: http://www.drj.com/tools/tools/glossary-2.html
No comments:
Post a Comment