Business Continuity Planning vs. Disaster Recovery: Understanding the Difference
Many people use the phrases "business continuity planning" and "disaster recovery" interchangeably, but they aren't the same thing.
Let's take a look at the difference.
What Is a Business Continuity Plan?
A business continuity plan (BCP) allows a business to make advanced plans to address what needs to be done to ensure that it can continue to deliver key products and services. It identifies critical functions and the minimum service levels that need to be met.
A BCP has a wide scope, looking at the enterprise as a whole. It includes a business impact analysis (BIA), which analyzes critical systems, business functions, and services and the elements that support them to determine how a business interruption might impact them.
What Is a Disaster Recovery Plan?
A disaster recovery (DR) plan allows a business to plan what needs to be done immediately after a disaster to recover from an event. It includes detailed procedures for addressing problems and getting systems like data backup back online.
It should address elements from the BIA:
- Recovery point objectives (RPOs). An RPO determines the point in time which data must be recovered from backup storage so normal operations can resume. It's basically how much data your institution can afford to lose. For instance, if an RPO is one hour, backups should be made at least once per hour.
- Recovery time objectives (RTOs). An RTO is the time goal for restoring systems, applications, and business functions after an outage. This includes systems like the core and remote deposit.
- Maximum allowable downtime (MAD). The longest period of time a system can be down.
Understanding the Difference
A disaster recovery plan is one element of a business continuity plan. The BCP is concerned with the whole enterprise. The DR plan is focused on specific steps to recover from an incident.
Elements of a BCP
When Disaster Strikes Do You Implement BCP or DR First?
BCP and DR fill different roles and determining which plan to put into place first depends on the disaster. Ideally, BCP and DR should come into play simultaneously, with the institution working to provide services while recovering, but sometimes one needs to take precedent over the other.
For example, if a disaster is causing injuries or loss of life, disaster recovery will be the top priority as your institution works to ensure people are safe. Once people are taken care of, then BCP can take over.
A cyber attack is one example of when a BCP might take precedence. Your institution's first priority is to stop the attack, understand what's happening, and start servicing members and customers who are experiencing problems. Once the institution has a grasp on what's happening and has found a way to stop it, it can use its DR plan to recover.
To learn more about this important topic, we invite you to download our prerecorded educational webinar - Fending Off Disaster: The Role of Vendor Management in Business Continuity Planning or visit our guide to Business Resiliency.