In 2007, the phrase “black swan” events was coined. It described moments in time that are impossible to predict—the kind that are capabable of bringing huge consequences. It showed many companies how critical it is to always assume that a black swan event was possible and to plan accordingly.
The ongoing COVID-19 crisis is the most recent “black swan” to challenge businesses around the world, and it’s forcing CIOs to ask themselves one very important question: Could they return to their previous state of operation following an event that might otherwise disrupt it or shut it down?
That’s led a lot of companies to take a hard look at their business resilience, which means knowing if they’re prepared to adapt when disruptions occur, maintain business operations, and keep staff, data, and their reputation safe. Easy, right?
There’s a lot more to it. One Google search on business resilience yields hundreds of results, each using phrases like “business continuity” and “disaster recovery.” And while many people use them interchangeably, they’re actually both very different—and equally important in ensuring a robust business resilience plan.
So, how do you know where to start? We break down the differences between business continuity and disaster recovery, why you need them, and how to make sure you’re building plans that are reliable and effective.
What is a Business Continuity Plan?
A business continuity plan refers to a series of protocols designed to ensure your business can continue operating during a disruptive event. In the simplest terms, a business continuity plan aims to answer the question: “How can we keep the business running if the unexpected strikes?”
With business continuity planning, you’re focusing on the critical operations that a business needs to get up and running again after a disruption. This can include things like business processes, critical business data, vital assets, business partners, and more. If the plan is followed correctly, businesses should be able to continue to provide services to customers during or immediately after a disaster or unplanned outage with minimal disruption.
In general, a business continuity plan will contain the following:
Business Recovery: This includes your plan to recover essential business processes, including business resumption planning, work area recovery, and building workforce resilience.
IT Disaster Recovery and Service Continuity Management: This kind of planning helps you limit the impact of downtime specifically for IT services and systems, whether from scheduled outages (infrastructure maintenance) or unscheduled incidents (like cyberattacks or technical failures).
Supplier Risk and Contingency Management: This addresses the risks associated with using external parties as part of the delivery of an organization’s products or services. It also plans for how the business process would continue if the supplier had a business disruption of its own.
Crisis and Emergency Management: This establishes authority, control, communication, and coordination in an emergency event, including internal and external communication, to limit damage.
What is a Disaster Recovery Plan?
A disaster recovery plan refers more specifically to the steps and technologies for recovering from a disruptive event, especially when it comes to restoring lost data, infrastructure failure or other technological components. This plan aims to answer the question: “How do we recover from the unexpected?” You probably noticed above that a disaster recovery plan is part of your business continuity planning.
Typically, a disaster recovery plan is focused on safeguarding a business’s data and information systems. According to Data Center Knowledge, for example, a disaster recovery plan is designed to save “data with the sole purpose of being able to recover it in the event of a disaster.” For this reason, disaster recovery planning is usually focused on the needs of the IT department. Depending on the type of disaster, the plan could involve everything from recovering a small data set to the loss of an entire datacenter. Since most businesses are increasingly reliant on information technology, the disaster recovery plan is an important part of business continuity planning.
Why are Business Continuity and Disaster Recovery Plans Important?
Every single day, businesses face a wide variety of threats that can bring their processes to a halt—whether it’s from natural disasters like fires, floods, or earthquakes, or man-made threats like cyberattacks. And without both a business continuity plan and a disaster recovery plan in place, these unexpected events (ahem, the “back swans”) can cause some pretty serious setbacks.
In fact, according to the National Archives and Records Administration (NARA) in Washington, D.C., 93% of companies that lost their data center for ten or more days due to a disaster filed for bankruptcy within one year of the disaster. Additionally, 60% of companies that lose their data shut down within six months of the disaster.
When you add in an estimated $300,000 per hour loss, this makes a business continuity and disaster recovery plan vital to ensuring your company recovers data in the shortest possible time.
The stakes are especially high for smaller businesses. According to FEMA (Federal Emergency Management Agency), 90% of smaller companies fail within one year after a disaster if they’re unable to resume operations within 5 days. Without detailed plans for preparing for such a disaster, businesses are setting themselves up for failure.
Fortunately, by focusing on both business continuity and disaster recovery planning, you can ensure your business can withstand these challenges.
How Do You Build An Effective Business Continuity and Disaster Recovery Plan?
We’ll start with the bigger picture: Your business continuity plan. This should serve as the single, multifaceted document for managing all details of your organization’s disaster preparedness.
Your business continuity plan should serve as the single, multifaceted document for managing all ends of disaster preparedness at your organization. At a high-level, this includes:
- Prevention: The steps and systems to prevent certain disasters from occurring in the first place.
- Mitigation: The processes to limit the impact of disasters when they occur.
- Recovery: The protocols for restoring operations as quickly as possible to limit downtime or other adverse consequences.
These are broad categories that need to be defined individually for each possible disaster scenario. To do so, you need to gain a better understanding of the unique risks that pose a threat to your organization and how those events will impact the business in terms of downtime, costs, reputation damage, and so on.
Your disaster recovery plan is a major cog in your entire business continuity “machine.” It encompasses all the procedures, technologies, and objectives necessary for completing a quick recovery after a disaster. This recovery could pertain to lost data, damaged hardware, network outages, application failure or virtually any other point of failure across your operations.
Here are some things you’ll want to identify within your disaster recovery plan:
A Business Impact Analysis (BIA): This involves identifying which systems and applications are most critical for operations and then prioritizing them in order for recovery.
Maximum Tolerable Downtime (MTD): The MTD is the total amount of time the system owner can accept for a business process outage or disruption.
Recovery Time Objective (RTO): The RTO is the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on the business process. It can be applied to the business as a whole or individual layers of IT, like data recovery. For example, an RTO of 30 minutes would mean that all data should be recovered or restored within 30 minutes after a loss is discovered.
Recovery Point Objective (RPO): RPO refers specifically to the age of data backups. It’s the desired recovery point for restoring data from a backup to minimize the amount of data loss. An example RPO might be 6 hours, meaning that your last backup would never be more than 6 hours old. So if your systems were suddenly hit by ransomware, the data you restore from a backup will reflect unaffected, clean data from a specific point in time.
Recovery Technology: This is where you either take inventory of—or realize the need for—specific technologies to make your data recovery possible. For example, this can be the difference between a backup or replication strategy. Backup captures the state of a given system at the time of the backup. Copies of the backup are usually archived and often moved offsite, enabling the business to use the backup copy to potentially restore your production servers in the event of some type of site failure or outage. Replication on the other hand, serves a different purpose from backup. While backup is designed to provide data protection and archiving, replication is designed to reduce Recovery Time and Point Objectives by providing very fast recovery.
Recovery Protocols: Who does what in a disaster situation? Your recovery protocol should clearly define the roles of your recovery personnel, so that there is no confusion and not a minute wasted when disaster strikes. In the case of a data recovery, who oversees it? How, exactly, do they do it? Who do they communicate with, and how are updates communicated with other personnel? All of this should be spelled out to ensure that recovery teams know what to do and can refer back to this guidance when needed.
Vendors, Supplies, and Other Third Parties: These could be IT providers or other third parties that may be needed to support your recovery process. For example, in case of a cyber attack, your disaster recovery services provider would automatically detect the error, and spin up a near-instant replication of clean data that’s stored in their off-site infrastructure, like the cloud. If you’re unsure about the right recovery technologies, a third-party disaster recovery services provider can provide their own recommended and proprietary solutions. Similarly, if you’re unsure on protocols or even lack untrained resources, a third-party provided can also lend their manpower and expertise.
Recovery Testing: Periodic tests and mock disaster scenarios can confirm your recovery systems work as they should. One example could be a test data recovery to confirm that backups are available and can be restored without any integrity issues.
Are you looking to build out your own business continuity and disaster recovery plans? Join Velocity’s VP of Product Management Michael Connolly on Thursday, May 28th at 11am ET for our "How to Build a Resilient Business With Disaster Recovery in the Cloud" webinar. You'll learn how you can mitigate risks and reduce downtime with the right disaster recovery plan. Also learn how to overcome the top challenges of implementing and managing a disaster recovery plan with limited resources.