The terms appear together so frequently, it’s easy to get confused about business continuity vs disaster recovery. They do go hand-in-hand, but they are not the same: business continuity programs are designed to ensure that critical business functions can continue working with minimal downtime in the event of an interruption, while disaster recovery plans (DR plans) consider how to restore business processes within a certain amount of time — the recovery time objective (RTO) –in the event of a disaster.
What is business continuity?
According to the International Standards Organization (ISO), the concept of business continuity arose when governments and regulators recognized the need to mitigate the effects that disruptive events such as a cyberattack have on society, with businesses recognizing their interdependence.
Industry-specific regulators including the Federal Deposit Insurance Corporation and the Payment Card Security Standards Council also incorporate business continuity as part of their compliance management programs.
All include a requirement to create a business continuity plan (BCP) as part of business continuity management.
A BCP most often begins with a business impact analysis (BIA) that determines the plan’s scope; determines legal, contractual, and regulatory obligations; and provides a basis for planning and justifying the costs of the BC program. A BIA often gets conducted in tandem with a risk assessment. It also considers the impacts on your business that could occur if disaster strikes your service providers.
The COVID-19 pandemic is a case in point. With employees suddenly ill or working from home, many businesses scrambled to maintain critical functions while transitioning to a new model. Risk management and compliance face unique challenges during pandemics, and experts predict that climate change will bring about more of them. Your BCP should include provisions for pandemic management.
Business continuity management must incorporate a comprehensive written plan for maintaining or resuming business operations when a natural or cybersecurity event occurs.
Business continuity focuses on implementing risk management strategies in your IT department and elsewhere that set clear objectives and criteria for measuring success.
You BCP should incorporate alternatives that allow you to maintain customer services and continue data protection even if there’s a catastrophic event. These alternatives can include emergency office locations, data backup, and emergency information technology administrative rights.
What is disaster recovery?
Disaster recovery assumes the interruption of business operations “as usual” by events such as power outages, natural disasters, or just plain human error. Rather than simply finding a way to mitigate the damage caused by the event, disaster recovery focuses on getting business back to normal.
A disaster recovery plan (DRP) helps you transition from alternative business processes back to your regular processes.
What is the key difference between business continuity and disaster recovery?
The key difference is when the plan takes effect. For example, business continuity requires you to keep operations functional during the event and immediately after. Disaster recovery focuses on how you respond after the event has completed and how you return to normal.
While both functionally incorporate the “after” response, disaster recovery is about getting yourself back to where you started before the event occurred. Although they overlap, they remain distinct in how they operate.
For example, if a hurricane destroys your office building, your business recovery solution may be to allow employees to work remotely. However, this solution only works as part of emergency response and is not sustainable long term. Your disaster recovery solution focuses on ways to get employees back in a single location and how to replace equipment.
What are business continuity risks?
In some cases, business continuity risks are easy. Natural disasters can more easily be identified than cyber events. For example, if you do business in Florida or Louisiana, you know that you’re at a higher risk of business interruption from a hurricane. Simultaneously, businesses on the west coast, such as in California or Oregon, may need to account for business interruption arising out of wildfires.
Increasingly, business continuity strategies need to focus on IT risks. For example, in June 2020, internet infrastructure firm Akamai got hit with the largest Distributed Denial of Service (DDoS) attack in history. These kinds of attacks are on the rise. A DDoS attack occurs when malicious actors overwhelm servers with requests, thus causing the server to slow down or stop working.
Whether you provide services to customers that use the internet, such as online banking, or use a Software-as-a-Service platform to enable internal business operations, these attacks can interrupt or even impair your business.
How to identify business continuity risks
As with any risk identification process, you need to understand your IT infrastructure. Some questions to consider include:
- What information, systems, networks, and software are critical to maintaining our business operations? How do they connect to one another?
- What natural disasters could affect these critical systems, networks, and software?
- What cyber risks threaten these systems, networks, and software?
- What third-party services or vendors are critical to maintaining business operations?
- What controls are in place to prevent cyber risks to our critical systems, networks, and software?
- What controls are in place to prevent critical third-party service providers and vendors from affecting business operations?
- What backup systems do we use? Do we have a data center or other data backup and recovery service off-site?
- Do we maintain in-transit encryption for remote access in the event of a business interruption?
- Do we maintain endpoint encryption in the event of business interruption?
- Do we have a process for emergency administrative authorizations to maintain continuous business operations?
How to incorporate disaster recovery planning
Once you’ve created a risk list for potential system, network, software, or third-party outages, you need to establish policies that help you to recover from your interruption. Some questions to ask as part of recovery planning include:
- Who is responsible for recovery tasks?
- Do we have an official, documented chain of command for recovering from the event?
- Do we have a timeline for recovery?
- Have we complied in the past with our internal timeline for recovery?
- What documentation proves full recovery?
- How do we recover business data?
- How do we reinstate normal administrative authorizations once the event is over?
- How do we measure compliance with our user authorization policy?
- How do we measure efficacy of incident response?
- Do we document all corrective actions?
- Do we review nonconformities and the actions taken to address them?
- After an event, did we interview individuals involved in the disaster recovery process?
How ZenGRC Enables Business Continuity Planning and Disaster Recovery
Business continuity planning and disaster recovery planning require communication throughout the enterprise–and working together as a team.
With ZenGRC’s workflows, you can create a BCP/DR program that focuses on risk management, incident response handling, documentation, and recovery processes. Our software-as-a-service also includes a connector to ServiceNow for two-way integration and communication.
Zen’s task management feature lets you assign tasks to those responsible for them, and track task completion.
And because we’re a SaaS platform, you can maintain operations even when your physical facilities are down.
Zen’s centralized dashboard gives managers and your Board of Directors a user-friendly view of activities, time frames, and key performance indicators of your business continuity and disaster recovery programs.
Worry-free BCP/DR is the Zen way. For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.