Business Continuity and Disaster Recovery Plan are two phrases that are sometimes used interchangeably, but are they the same?
The risk management discipline that is known variably as Business Continuity Planning or Business Resilience Planning started life as Disaster Recovery Planning.
The concept of the Disaster Recovery Plan (DRP) is simple. If you experience a major event such as a fire, then you have information available and identified actions to take that help you shorten the time to reinstate your operations. The information you might see in a DRP includes:
- List of key contacts
- Information or its whereabouts for emergency services
- Details of suppliers for assets/resources
- Emergency procedure steps that you need to take
In the '90s, Disaster Recovery Planning evolved into Business Continuity Planning (BCP) with the emphasis on minimising the likelihood of disruption, thus maintaining "continuity within the business" and also planning more proactively to recover the business, reducing the focus on Disaster Recovery to Incident Response.
A BCP will have many elements of a Disaster Recovery Plan in its Incident Response Plan, but there are significant differences between the two. Let's look at these.
Understanding the organisation's Tolerance for Disruption – in simple terms, "if we cannot deliver our products or services, how long will it be before our customers seek alternatives elsewhere, perhaps to avoid disruption to their own business in a B2B relationship?" Other factors here might be how long until we run out of money or our brand is irreparably damaged.
This information shapes the whole Business Continuity process, as this timeframe is how quickly the business needs to reinstate the supply of its products or services; it's the whole purpose of the BCP.
In Business Continuity language, this is known as the Maximum Tolerable Period of Disruption (MTPD).
Business Impact Analysis (BIA) – this piece of work allows the Business to understand at a more granular level the relationship between its assets and resources (that it uses to deliver its products/services) and their individual recovery times relative to its Tolerance for Disruption.
For instance, if the Business has an MTPD of 10 days and a critical piece of equipment takes 30 days to reinstate, the business needs to put in place business continuity arrangements that allow it to bridge the gap between 10 days and 30 days. If that is not possible, then they should look to minimise the likelihood of loss as much as possible with additional risk protections.
This is one of the significant differences between Business Continuity and Disaster Recovery, as it protects the business from a range of events rather than a disaster. It is focussed on the timeframes in which the Business's functionality is restored, regardless of the cause of its loss or loss of use.
Many businesses we talk to who have robust BCPs were able to deal with the Covid/Confinement more easily as they had measures in place to reinstate business functionality regardless of cause.
A BIA will allow the Business to set Recovery Time Objectives for individual assets/resources that support their activities. This then supports the overall achievement of the Business Continuity Objectives (see next).
Business Continuity Objectives – these are set using the information above and are key to defining the Business Continuity Strategy, or Strategies, the organisation might adopt.
The Business Continuity Objectives are simply what the BCP is to achieve in order to avoid reaching its Maximum Tolerable Period of Disruption.
Here is an example for an organisation that outsources production of all its product components and assembles and distributes these at its manufacturing site:
- Ensure communication to all interested parties throughout any incident.
- Reinstate HO functions within 24 hours.
- Reinstate Assembly capability within 4 weeks.
- Maintain a 2-week buffer stock at all times.
- Reinstate Plastic Goods Production within 12 weeks.
- Maintain a Dual Supplier Policy, in diverse physical locations, across all lines.
Setting the Business Continuity Strategy – these are the strategies adopted to achieve the BC objectives, which in turn are based on how tight the Tolerance for Disruption is. There are recognised Business Continuity Strategies; you can read more here.
So again, distinct from Disaster Recovery, Business Continuity is about designing Resilience into the Business Process to minimise disruption.
One business we worked with instigated a dual supplier policy as part of their BCP for a critical component. They opted to have a primary supplier (75% of supply) and secondary (25%). Due to changes in underlying commodity supply, their primary supplier experienced significant financial difficulties, which were almost fatal to the Supplier. The Business simply flipped supply to their secondary supplier and avoided what would have been a major disruption to their supply of the product.
This again distinguishes BCP from DRP: a DRP focussed on major events is unlikely to consider the loss of a supplier, which in the instance above was caused by fluctuations in commodity prices.
Putting in place Business Continuity Arrangements – in broad terms, these will:
- Reduce the likelihood of an incident (e.g. sprinkler systems, cyber risk controls, Health and Safety arrangements, environmental controls, etc.); these would be widely recognised as risk management controls.
- Allow the assets/resources (or their functionality to the business process) to be recovered within their recovery time objectives (e.g. duplicate tooling, pre-agreed outsourcing arrangements, certain Business Interruption covers that pay out for additional expenditure such as air freighting product rather than sea freight, data back-ups, etc.). We refer to these as Recovery Measures as they allow the business to recover functionality well within its Tolerance for Disruption.
- The Incident Response Plan – the step-by-step playbook for how the organisation manages an incident. This may also detail a "Continuity Phase" (reinstating its activities) and a "Recovery Phase" (reinstating its infrastructure).
- Recovery Resources – these are resources the Business specifically needs to support its Incident Response assuming the loss or loss of availability of its primary infrastructure. This would include an incident response centre, key business data, and a Communications Plan.
Another big distinction between a Disaster Recovery Plan and a Business Continuity Plan is the emphasis, with Business Continuity, on embedding it into the process and culture of the business ("it's the way we do things around here"). It's not a process undertaken just before auditors arrive, but one embedded into people's roles.
Finally, Business Continuity Planning also includes maintenance, testing, and exercising of the BCP and continuity arrangements to ensure they are in a state of readiness if required and all those with a role or responsibility are able to work an Incident Response.