What Is the Difference Between Disaster Recovery and Business Continuity?
Though the terms disaster recovery and business continuity are often used interchangeably, they are different. Business continuity is the process of restoring an organization’s operations after a disruptive event. Disaster recovery focuses on restoring the technical and communications equipment and processes after an emergency.
The term business continuity, disaster recovery (BCDR) refers to a comprehensive approach to facing an unplanned disruption, such as a natural disaster, a pandemic, or a denial-of-service attack. Business continuity planning creates procedures to ensure the safety of human resources and physical assets, as well as critical business activities continue during and after a crisis. Disaster recovery is a subset of business continuity that focuses on sustaining technology and communications systems. You can learn more in our comprehensive guide to business continuity.
“Business continuity is really about how we continue our business operations to generate revenue,” says Bryan Strawser, Principal and Chief Executive at Bryghtpath LLC. “Disaster recovery is more specifically about how to make the technology systems that the business relies upon redundant and recoverable.”
Disaster recovery and business continuity also differ in timing. Disaster recovery applies at the moment (or immediately after) a crisis begins, and business continuity guides the business post-crisis and helps it to return to normal.
In short, disaster recovery is reactive, and business continuity is proactive. With disaster recovery, the focus is on mitigating the disruptive incident’s immediate effects. Conversely, in business continuity you anticipate and protect against disruptions to boost the organization’s resilience, as well as guide the entire organization (including human, data, and infrastructure assets) through a crisis.
Michael Fraser is CEO, Co-Founder, and Chief Architect at Refactr. He provides the following example of how business continuity and disaster recovery differ: “Disaster recovery is, ‘I had some services go down. How will I migrate the services or do what I need with these services to get them back up and running?’
“Continuity is the holistic plan to support all your business functions. For example, if there’s a disaster at your on-premises office, [the plan would be], ‘I have to forward all the phones to this number,’” he adds.
The following example shows how disaster recovery and business continuity work together when heavy rains flood a business park:
|Disaster Recovery Plan||Business Continuity Plan|
|IT manager gets assurance from the local power company that electricity was cut to the office park before staff enters the building to move servers and other vital equipment out of flood waters' reach.||Team uses plan to ensure that certain data is backed up offsite.|
|IT manager sets up a VPN connection that allows everyone to access programs and data.||Ops manager contacts insurance and begins building remediation.|
Disaster Recovery Plan vs. Business Continuity Plan
In the event of a disaster or an emergency, a business continuity plan provides a plan for maintaining activities through a crisis to limit disruption. A disaster recovery plan provides steps to restore data, equipment, and key programs immediately after an event.
A disaster recovery plan describes the minimum function necessary for an organization to continue, while a business continuity plan describes the effort needed to restore the business to full operations.
What Business Continuity and Disaster Recovery Plans Cover
|Business Continuity Plan||Disaster Recovery Plan|
|Outlines roles and responsibilities for complete business recovery activities||Outlines roles and responsibilities for IT and technical recovery activities|
|Includes procedures and guidelines for ensuring the continuity of key business processes in all functional areas||Includes procedures and guidelines for recovering IT, communications, and technology|
|Specifies continuity plan testing schedules||Specifies IT backup and recovery testing schedules|
How Business Continuity and Disaster Recovery Overlap
Although disaster recovery is considered a subset of business continuity, the methods can overlap. Following is a list of functional similarities:
- Emphasize protecting staff and other stakeholders and critical assets.
- Prioritize activities and facilities that must resume operations quickly.
- Anticipate and analyze potential risks and threats, including events that could impact equipment and physical facilities or disrupt a distributed platform.
- Detail end-to-end steps for avoiding damage and disruption and recovering from disasters.
“Some organizations just do disaster recovery,” explains Fraser. “They don't do a full business continuity plan. The smaller the business, the more likely it is that you’re making sure that your internal systems and customer systems don't go down. The next piece is, ‘How do I make sure that the business itself continues to operate?’”
Business Continuity Plan
A business continuity plan describes the steps a company takes to move through disruption to resume regular business. A plan provides a way for the business to survive and avoid complete closure.
A business continuity plan should detail the following items, as appropriate for your organization:
- Contact information for continuity leaders, key staff, and all employees
- Guidelines for when and how to use the plan
- Step-by-step procedures and checklists for recovery and continuity
- Communication plans for managing stakeholder relationships
- Opportunities to test the plans in order to prepare employees to deal with disruptions
- Continuous improvement strategies to include new learning from exercises and incidents in plan updates
To learn more about writing a plan, see our how-to guide to writing a business continuity plan. For most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article.
Disaster Recovery Plan
A disaster recovery plan includes the steps to avoid unplanned outages or recover from a disaster. A disaster recovery plan usually covers critical systems such as IT and communications equipment and technical operations.
“We think about disasters, but we don't think about the impact to us until it hits us directly,” says Fraser. Disaster recovery is critical for companies that can’t work without their data or access to online tools. See our article about the importance of business continuity to learn more.
The concept of disaster recovery is sometimes bundled together with backup for disaster recovery. When you back up your data, you make copies of it (and other programs), either via on-premises media like flash drives or tapes, or in the cloud. Disaster recovery allows you to use those copies, if needed, for recovery. Today, backup and disaster recovery services are usually merged with malware protection.
“People are scared and nervous because today it's all about malware locking up your corpus of data and you have to pay a ransom,” says Harry Brelsford, CEO of SMB Nation and O365nation.
Although you deploy disaster recovery as a reaction to an incident, in a disaster recovery plan, you have to account for a time span of minutes or days and address the following items:
- Essential procedures and steps to recover critical equipment and processes (see this example of disaster recovery procedures)
- Contact information for all internal and external stakeholders, and a hierarchy chart of recovery team roles and responsibilities
- Guidelines for when and how to initiate the plan
- Test guidelines to ensure that recovery plans work when needed
- Assurance that data will be available with minimal downtime.
To make disaster recovery planning easier, download one of these disaster recovery plan templates.
The Cloud and Disaster Recovery
With the advent of cloud computing, much restoration falls to what is sometimes called disaster recovery as a service (DRaaS). Simply put, DRaaS is the complete backup of all applications and data to the cloud.
In addition to backup, cloud services may provide failover services. In failover, when a system fails, another redundant system immediately resumes the functions of the original system. Learn more about the benefits of and best practices for including the cloud in disaster recovery in our article about cloud computing and business continuity.
Service-Level Agreements and Disaster Recovery
Service-level agreements (SLAs) specify your customers’ expectations of you, as well as your expectations of your own IT and cloud vendors. In an SLA, you describe recovery point objectives (RPO) and recovery time objectives (RTO) as service-time tier levels.
You can also include tier levels in your recovery plan. If you don’t have well-defined SLAs, consider using this downloadable SLA template to build them.
Disaster Recovery Plan for IT and Network Assessments
As you develop a disaster recovery plan, a critical method of understanding your IT assets is to audit your end-to-end digital environment. A network assessment tool analyzes and reports on your IT infrastructure, including device types, applications, security, processes, and performance.
IT and network assessments are valuable for a few reasons. With readily available, user-friendly SaaS applications, small-scale devices, and remote work, it's easy for people to add assets without first getting approval (this is known as shadow IT). You also need to be aware of whether you've outgrown your setup — and if you are making significant changes (such as migrating to the cloud), you need to understand what assets you have.
“Use a tool, not a notebook,” advises Brelsford. Online assessment tools trace your network to detect open ports and note which programs people use. For small shops, a physical inventory may be sufficient.
At-a-Glance IT Assessment Template
An IT assessment is important even for small and micro-businesses. Download this simple, customizable template to note all devices, like desktops and printers, and the software on each, and current antivirus programs.
Download At-a-Glance IT Assessment Template
Word | PDF | Google Docs
Consider the guideline ISO 24762, Information and Communications Technology Disaster Recovery, to gain a strong understanding of disaster recovery practices. This document provides a framework of requirements for third-party disaster recovery vendors.
Even if your organization is small, you can use these guidelines to shape your internal recovery activities.
Disaster Recovery Policy vs. Business Continuity Policy
Business continuity and disaster recovery policies provide the framework for BCDR planning for individual organizations. Each policy specifies the scope of efforts, responsible roles, and required recovery planning activities. For regulated businesses, policies may be imperative.
In addition to defining legal and contractual obligations, as well as the limitations, exclusions, and assumptions for BCDR planning, policies may specify metrics for gauging compliance with the plans. Examples of continuity and recovery metrics include key performance indicators (KPIs) and key risk indicators (KRIs). Learn more about KPIs in our guide to KPI dashboards and learn about KRIs from our guide to risk management.
What Business Continuity and Disaster Recovery Policies Cover
|Business Continuity Policy||Disaster Recovery Policy|
|Anticipates issues to avoid problems and focuses on continuity||Responds to incidents|
|Builds resiliency and redundancy||Restores critical technical functions|
|Reduces or prevents an organization’s loss of customers, productivity, reputation, or revenue||Protects and secures IT and communications infrastructure against disruptions and disasters|
|Focuses on management responsibilities for guiding planning and leadership in disruptive events||Focuses on training employees in the plan and testing and updates of the plan|
Business Continuity and Disaster Recovery Policy Differences
The two types of policies have some differences. Disaster recovery policy focuses on protecting data and restoring the minimum technical functions for the business to continue. Conversely, business continuity policy focuses on processes to support IT and the rest of the business functions as the firm resumes normal activities.
Business Continuity and Disaster Recovery Policy Similarities
Business continuity and disaster recovery policies are similar in the following functions:
- Provide a foundation for each plan to limit disruption and continue key operations.
- Detail continuity or recovery leadership, roles, and responsibilities.
- Specify scope of the plan, including exclusions, inclusions, and limitations.
- Note any legal, regulatory, or other standards an organization must observe.
- Prescribe the type and frequency of testing and exercises.
- List restoration priority for functions and departments.
- Note who verifies compliance and resolves disputes and questions.
- Provide a benchmark for evaluating adherence to plan and compliance, as well as understanding how to mitigate implementation problems.
- Specify a schedule for regularly updating plans to reflect business changes and learnings from continuous improvement efforts.
- Document risk tolerance, which is often expressed as tiers of service or through the five nines of availability:
- One Nine: 9 percent availability, which equates to more than 332 days of downtime out of 365 days
- Two Nines: 99 percent availability, or 3 days, 15 hours, and 40 minutes of downtime per year
- Three Nines: 99.9 percent availability, or 8 hours, 46 minutes of downtime per year
- Four Nines: 99.99 percent availability, or 52 minutes, 36 seconds of downtime per year
- Five Nines: 99.999 percent availability, or 5 minutes, 15 seconds, or less, of downtime per year
Disaster Recovery Policy Examples
Many organizations post their policies online. You’ll often find these policies are brief and straightforward.
Both of these policies for nonprofit and government organizations contain detailed definitions. They also emphasize responsibility and detail plan requirements:
One of these corporate records is more of a policy statement for a large company. The other is a smartly designed customer-facing document.
These disaster recovery policies for IT at educational facilities display different approaches to an online document: a web page versus an online PDF.
Empower Your Teams to Achieve Business Continuity with Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.