What follows is the article as I originally posted there (with a little added formatting to make it easier to read). Enjoy.
I think the responses to the top article show that there is quite a bit of disparity, even among industry professionals, about how to define business continuity, disaster recovery, crisis management, risk management and organizational resiliency. I don't think anyone is right or wrong, but I do believe it's important that the terminology is defined and used consistently within an organization. How do these terms apply in companies I work with?
Risk Management
First, with respect to "risk", in contrast to the other posts and common usage of the word, risk management is not just about reducing the loss impact of unexpected events. Risk management is about managing uncertainty as it relates to the business and business outcomes. These uncertainties can be both good and bad and have both positive and negative impact. We call the good risks "opportunities". We might call the bad risks "threats".
From a very high level, there are two components to any uncertainty:
- The probability that an uncertain event will occur or scenario will be realized, and
- The impact of that uncertainty should it occur or be realized.
Within risk management, we (need to/should) tackle both.
For opportunities, we work to identify what positive scenarios could happen, how the organization can take advantage of those opportunities if/when they happen and finally how the organization might influence and increase the likelihood that the opportunity does happen.
Regarding the bad, we do the same. We identify threats to the organization, how the organization can reduce the impact should the threat become reality and finally how can the organization decrease the likelihood of or prevent that event.
Business Continuity
From this perspective, among all the uncertainties (risks) identified, many of them have to do with projects/programs or corporate level strategy including product launches, marketing campaigns, public relations, trademarks/copyrights/patents, etc. But a number of these involve day-to-day operations and the potential to interrupt critical activities that keep the business going.
Among these operational risks one might include threats to process management (increased variation), regulatory compliance, legal liability, employee safety/security, the supply chain, IT system and service availability and information security. The threats to each of these critical functions include things like lack of or inadequate process control, lack of policies or inadequate policy enforcement, environmental/safety hazards, viruses, hackers, lost laptops and, of course, natural and man-made 'disasters'.
As a subset of Risk Management, Business Continuity Management deals with a specific category of risks to the organization that have the potential to impact critical day-to-day business activities. And while we primarily deal with threats that could, if left alone long enough, result in losses fatal to the company, BC planners are often in a unique position within the company to identify and help the company take advantage of a number of opportunities. There is much more value in a BC program that is not limited to only mitigating loss.
Disaster Recovery
The distinction between Business Continuity and Disaster Recovery, then, is a dubious one. For historical reasons, because "disaster recovery" was usually associated with mainframes and data recovery in the good ol' days of information systems, we primarily use DR to refer to and label threats, targets and vulnerabilities specifically within the realm of IT. At best, Disaster Recovery is a sub-discipline of Business Continuity, and is only broken out due to the technical skill-set often required to perform adequate risk analysis and mitigation on IT infrastructure, systems and applications. But in the end, DR applies the same principles as Business Continuity.
Conclusion
As I mentioned at the top of this post, there is much disparity, even among professionals in the industry, in the use of specific terminology and how to apply it. And while I would prefer to see a universal adoption of standard terminology because I think it would help tremendously in communicating outside our industry, I also think it really only matters within an organization where it is important to define and delineate scope of responsibilities and identify goals and objectives of ERM, BCP and DRP programs.
So, what do you think? Are Business Continuity and Disaster Recovery the same, or related but significantly different or truly different disciplines altogether?
Image Credit: shawnzlea

Hi Chad -
I'm still struggling with the overlap in these definitions myself and let me add another one to the list: "Organizational Resilience".
I have understood business continuity to incorporate disaster recovery into itself as its IT component. The difference, however, is that IT recovery plans that become part of a business continuity initiative morph into IT continuity plans. These plans use information from the BIA to prioritize recovery operations and examine IT system monitoring and end-user recovery as part of the IT continuity process. Specifically, the failure of a critical system still begins with the drive going bad, but does not end with the restore job completing. It ends once all impacted users have reconnected back to the system and resumed working. The response plan to the outage might also include interim workarounds for impacted users. The focus shifts from IT-centric to business-centric.
"Organizational resilience" is a term that is being applied to refer to the way in which a company's culture and reporting structure provide it inherent capabilities to recover from a disruption or disaster. I am still reading on this and have not decided if it is just academic observation, if it's completely utopian or if there is something more substantial to it.
I really enjoyed your post.
Thanks,
-Erik
Hi, Erik,
I appreciate the input.
I don't believe "organizational resilience" is academic. Another way to look at disaster recovery, IT service continuity, business continuity and organizational resilience is on a time-line of organizational maturity. Invariably, efforts begin within IT, and more specifically, with building means to protect and restore data for specific systems. As that program matures to include data integrity across systems, the need to include business processes and work-arounds in planning becomes evident. Finally, an organization could mature to the point that it makes changes to how it operates and is structured such that little has to change when faced with a major disruption other than shifting work-load to another business unit.
What concerns me most, and I see often, is that orgs tend to manage DR and BC as separate initiatives... think of them as two separate efforts that have some overlap. Organizational resiliency, as a sign of maturity, tells me an org has broken down those silos.