Business Continuity vs. Disaster Recovery Planning – What You Should Know
Business Continuity vs. Disaster Recovery Planning – What You Should Know
One of the questions that business leaders ask us often is what the differences are between disaster recovery and business continuity planning.
It’s a logical question because disaster recovery and business continuity are close cousins. Having said that, there are some distinct differences.
What is Business Continuity?
Business continuity is steps, processes, procedures, and technology that are put in place to overcome day-to-day issues that may occur which aren’t disasters but can seriously affect the business.
A common example of business continuity planning that involves IT happens at companies that have sophisticated VoIP systems in place. They need to think about what happens when their internet connection goes down.
That’s a business continuity issue. If no one can telephone your business and you can’t telephone out because your internet connection is down, that can have a significant impact.
In that scenario, if you have a team-wide VoIP system, you need to know if it’s going to work on everyone’s cell phone when the internet eventually, or inevitably, goes down?
What is Disaster Recovery?
Disaster recovery is basically what it says. In the event of a significant disaster, things like server failures, fires, or ‘acts of God,’ you’ll need a full recovery of the entire system.
Disaster recovery planning usually involves orders of operations, which prioritize what must come back up first.
- Do we have detailed documentation for how to recover a system?
- What are our plans in the event of a relocation disaster, for example, the building burns down?
Again, disaster recovery is what it says. There’s a full-on disaster, it’s all hands on deck, and we need to get the business back up.
In contrast, with business continuity, you’re not in a disaster situation, but you need to plan for inevitable things that can occur. That could be working remotely during a pandemic, or the internet going down and having a backup plan for phone systems.
Mitigation Plans for Disaster Recovery
There are a few common examples of mitigation plans that organisations have in place when disaster strikes.
From a disaster recovery perspective, a documented disaster recovery plan is fairly critical.
That typically involves how we intend to restore systems as well as the order in which they will be restored. And that’s a business question that IT has to solve.
For example, companies with fleets on the road would want their website functioning and a dispatch system functioning first. A company that does application development, however, may want their repository of code up first before anything else.
The key here is to tie the business needs to the technology. First, what does the disaster look like? What things do we need to get back up first? What, if anything, can we live without for the short term if we need to? And what’s most critical to us in the event of a disaster?
One way to look at it is that disaster recovery planning is part of a broader business continuity plan. That plan might cover a wider range of things rather than just what to do in the event of a server failure or something like that.
Whereas a single server failure is a business continuity issue, it’s usually not a significant crisis. And it’s certainly doesn’t require disaster recovery to get one server back up. Typically, when we design infrastructure, we allow for that business continuity relief. A complete disaster, on the other hand, is a significant event that requires a lot more resources in order to get things back.
Disasters in the Making
There are quite a few scary things that can happen if you’re not prepared and you haven’t taken the time to make a plan.
The most common disaster that businesses face is a ransomware situation, in which the entire system has been encrypted and there’s essentially no IT infrastructure up and running. New clients of ours have often gone through a ransomware situation without a plan in place. That’s a fairly common disaster that we run across when we onboard new clients.
In that case, typically, there’s just panic. Without a plan, no one’s aware of what step one is, or how to mitigate the situation on several different levels.
First, there’s the negotiation level, dealing with the bad actors responsible for the ransomware. Second, there’s the hardware level. Are our backups encrypted? What are our choices? What are our options?
Without a plan, ransomware situations start with panic, and that’s obviously not conducive to fixing the situation. With a plan, a ransomware situation involves a checklist. You know what your options are and you can execute those options. You’ve already prioritized them and can get the system back up as soon as possible.
Other common disasters include physical disasters, like a fire in a building. Those situations are similar to ransomware in that we need to rebuild the whole system.
There are some limitations that need to be planned for in that scenario. What physical hardware is available, for example, to restore the system onto?
Physical disasters are different from ransomware too, of course. But those are two of the major types of disasters, and you need two different recovery plans in order to deal with each one.
Malicious Employee Activity
A less common one, but one that still occurs too frequently, is a malicious act by an employee.
An employee may have been terminated, for example, but the process wasn’t completed correctly. Now data is missing or deleted or lost. That’s another example of a potential disaster that companies need to plan for.
Identifying & Prioritizing Core Systems
The first big piece of a disaster recovery plan is to start by identifying core systems, or the systems that are absolutely essential to run the business. You need to prioritize them.
Sometimes a disaster recovery can take days. In that case, what do we need to get up first? What methodology will we go through to restore the information?
In the case of ransomware, we have other concerns during the recovery that need to be planned for. And in the case of a physical disaster, like a fire in a server room, we need to have detailed plans in place. What is the emergency situation? How much can we get up, how quick can we get it up, and what physical resources do we need in order to make that happen?
Businesses need to make plans for as many contingencies as possible, document those plans, and have them ready. When plans are ready, the first step of a disaster is not panicking, it’s taking out the disaster recovery plan, assessing the situation, and starting to execute those plans as soon as possible.
A well-documented disaster recovery plan enables your recovery to move much more quickly because everybody is executing the plan step by step.
With these plans, again, it’s important to have thought the stuff through before you need it. You don’t want to be making those decisions in the heat of the moment when there’s some kind of a major disaster.
The Pitfalls of Putting Off Business Continuity & Disaster Recovery Planning
One of the things that prevent people from putting these plans in place is that it seems daunting. “It will take a lot of time, we’ll have to spend all this time thinking about all our systems.”
Frankly, it’s not as complicated as people think. You don’t need to have every last little step documented. But you need to have thought through the big things and made some decisions ahead of time. And it is probably not as daunting as some people think it is.
From an IT perspective, a disaster recovery plan would include things like “rebuild the SQL Server.” It doesn’t require documenting all the steps, because IT professionals already know how to accomplish that task. It’s just a matter of saying, “What big steps do we need to take?” And then relying on the experience and professionalism of the people doing the disaster recovery to be able to handle the tasks.
So it doesn’t take as long as most business leaders think it does. And you really need to include your technology provider in your disaster recovery plan that you have or have them create one for you to make sure all of the big pieces are there. As long as all of the big pieces are there, we can perform the tasks to accomplish those goals.
Putting Your Plans In Place
When you’re putting disaster recovery and business continuity plans in place, the most important thing is to set expectations. Make sure that the client understands the actions that will take place for business continuity, during a business interruption situation, or in a disaster recovery situation.
One of our most common questions is, in the event of a disaster, what does getting back on your feet look like to you? And we get different answers.
We get, “Well, I need to be up in an hour, or I need to be up in 24 hours, or a week, or two days.” And those are conversations that have to happen. And they’re not technology conversations, they’re business cost conversations.
The CopperTree Process
When we create a disaster recovery plan or discuss business continuity issues, we rely on business leaders to tell us the impact on their business in each scenario that we go through.
For example, when we install a VoIP system, we discuss what to do when the internet goes down to make sure phone calls still come through in some form.
When we bring up disaster situations, they usually look a little quizzical. But we work through those discussions over what the most important systems are that will need to come back up again.
We document those systems and then make sure that our disaster recovery plan, which we document for each client, recognizes those needs. So we’re not restoring something that’s unimportant to the client. We’re restoring things in the order of the business’s needs.
Those conversations typically can be a little uncomfortable for clients, because no one starts a business and begins wondering, “What’s gonna happen when my building burns down?” But the reality that is we need to have plans for those events.
In most cases, business continuity plans are far more likely to occur. COVID is a great example, as no one saw a pandemic coming. But in our case, at CopperTree, we simply work from home. We’ve already created a situation where the physical location of our staff doesn’t affect our business continuity.
A lot of companies learned that the hard way in the last two years. Sending employees home requires them to have laptops, internet connections, VPNs — all sorts of technology needs to be in place to make it work smoothly.
While no one sat down and thought, “What if there’s a pandemic?”, it certainly brought home the idea of planning for the eventualities that might occur. And making sure that when they do occur, whether it’s a business continuity issue or a disaster recovery issue, we have a plan and we’re executing it.