Published: 21 December 2023
Contributors: Mesh Flinders, Ian Smalley
Business continuity disaster recovery (BCDR) refers to a process that helps organizations return to normal business operations if a disaster happens. While business continuity and disaster recovery are closely related, they describe two subtly different approaches to crisis management that businesses can take.
As data loss prevention and downtime become more expensive, many organizations are upping their investment in emergency management. In 2023, companies worldwide were set to spend USD 219 billion on cybersecurity, a 12% increase from the previous year according to a recent report by the International Data Corporation (link resides outside ibm.com).
What is a disaster recovery plan?
A disaster recovery plan (DRP) is a contingency plan for how an enterprise will recover from an unexpected event. DRPs help businesses manage different disaster scenarios, such as massive outages, natural disasters, ransomware and malware attacks, and many others.
What is a business continuity plan?
Like DRPs, business continuity plans (BCPs) play a critical role in disaster recovery and help organizations return to normal business functions when a disaster happens. Where a DRP focuses specifically on IT systems, business continuity management focuses more broadly on various aspects of preparedness.
Connect and integrate your systems to prepare your infrastructure for AI.
Register for the guide on DaaS
Most organizations divide BCDR planning into two separate processes: business continuity and disaster recovery. This approach is effective because while the two processes share many steps, there are also key differences in how organizations build, implement and test the plans.
The main difference is that BCPs are proactive, aiming to maintain operations before, during and right after a disaster. On the other hand, DRPs are reactive, focusing on how to respond and recover from an incident. This distinction should guide the creation of your BCDR strategy, with BCPs focusing on critical processes and roles, and DRPs on recovery actions post-incident.
Both processes depend heavily on two critical components: recovery time objective and recovery point objective.
Recovery time objective (RTO)
RTO refers to the amount of time it takes to restore business processes after an unplanned incident. Establishing a reasonable RTO is one of the first things businesses need do when they’re creating their DRP.
Recovery point objective (RPO)
Your business’ RPO is the amount of data it can afford to lose in a disaster and still recover. Since data protection is a core capability of many modern enterprises, some constantly copy data to a remote data center to ensure continuity in case of a massive breach. Others set an RPO of a few minutes—or even hours—for them to recover business data from a backup system, so they know they are able to recover from whatever they've lost during that time.
1. Conduct business impact analysis
To build an effective BCP, you first need to understand the various risks your organization faces. Business impact analysis (BIA) is vital in risk management and business resilience. BIA is the process of identifying and evaluating the potential impact of a disaster on normal operations. Strong BIA includes an overview of all potential existing threats and vulnerabilities—internal and external—and detailed plans for mitigation. The BIA must also identify the likelihood of an event occurring so the organization can prioritize accordingly.
2. Design responses
When your BIA is complete, the next step in building your BCP is planning effective responses to each of the threats you’ve identified. Different threats naturally require different disaster recovery strategies, so each of your responses should have a detailed plan for how the organization will spot a specific threat and address it.
3. Identify key roles and responsibilities
This step dictates how key members of your team responds when facing a crisis or disruptive event. It documents expectations for each team member and also the resources required for them to fulfill their roles. This part of the process is good to consider how individuals communicate when an incident occurs. Some threats shut down key networks—such as cellular or internet connectivity—so it’s important to have reliable fallback methods of communication.
4. Test and update your plan
To be actionable, you need to constantly practice and refine your BCDR plan. Constant testing and training of employees lead to a seamless deployment when an actual disaster strikes. Rehearse realistic scenarios like cyberattacks, fires, floods, human error, massive outages and other relevant threats so team members can build confidence in their roles and responsibilities.
Like BCPs, DRPs require BIA—the outlining of roles and responsibilities and constant testing and refinement. But because DRPs are more reactive in nature, there is more of a focus on risk analysis and data backup and recovery. Steps 2 and 3 of DRP development, analyzing risks and creating an asset inventory are not part of the BCP development process at all.
Here's a widely used five-step process for creating a DRP:
1. Conduct business impact analysis
Like in your BCP process, start by assessing each threat your company might face and what its ramifications might be. Consider how potential threats might impact daily operations, regular communication channels and worker safety. Other considerations for a strong BIA include loss of revenue, cost of downtime, cost of reputational repair (public relations), loss of customers and investors (short and long term) and any incurred penalties from compliance violations.
2. Analyze risks
DRPs typically require more careful risk assessment than BCPs since their role is to focus on recovery efforts from a potential disaster. During the risk analysis portion of planning, consider a risk’s likelihood and potential impact on your business.
3. Create an asset inventory
To create an effective DRP, you must know exactly what your enterprise owns, its purpose or function and its condition. Doing regular asset inventory helps identify hardware, software, IT infrastructure and anything else your organization might own that is crucial to your business operations. When you’ve identified your assets, you can group them into three categories: critical, important and unimportant.
- Critical: Only label assets as critical if your enterprise requires them for normal business operations.
- Important: Give this label to assets that you use at least once a day and that would have an impact on business operations (but not shut them down entirely) if they are disrupted.
- Unimportant: These are assets your business uses infrequently that are not essential for normal business operations.
4. Establish roles and responsibilities
Just like in your BCP development, you need to clearly outline responsibilities and ensure that team members have what they need to perform their required duties. Without this crucial step, no one knows how to act during a disaster. Here are some roles and responsibilities to consider when building your DRP:
- Incident reporter: Someone who maintains contact information for relevant parties and communicates with business leaders and stakeholders when disruptive events occur.
- DRP supervisor: The DRP supervisor ensures that team members perform their assigned tasks during an incident.
- Asset manager: Someone whose job it is to secure and protect critical assets when a disaster strikes.
- Third-party liaison: The person who coordinates with any third-party vendors or service providers you’ve hired as part of your DRP and updates stakeholders accordingly on how the DRP is going.
5. Test and refine
Like your BCP, your DRP requires constant practice and refinement to be effective. Practice it regularly and update it according to any meaningful changes that are necessary. For example, if your company acquires a new asset after you've formed your DRP, you’ll need to incorporate it into your plan to ensure it's protected going forward.
In terms of BCDR planning, every business is going to have its own unique set of needs. Here are a few examples of plans that are effective for companies of differing sizes and industries:
Crisis management plan
A crisis management plan, also known as an incident management plan, is a detailed plan for managing a specific incident. It provides detailed instructions on how your organization responds to a specific crisis, such as a power outage, cyberattack or natural disaster.
Communications plan
A communications plan outlines how your organization handles public relations (PR) in the event of a disaster. Business leaders typically coordinate with communications specialists to formulate communications plans that complement any crisis management activities needed to keep business operations going during an unplanned incident.
Data center recovery plan
A data center recovery plan focuses on the security of a data center facility and its ability to get back up and running after an unplanned incident. Some common threats to data storage include overstretched personnel that can result in human error, cyberattacks, power outages and difficulty following compliance requirements.
Network recovery plan
Network recovery plans help organizations recover from an interruption of network services, including internet access, cellular data, local area networks and wide area networks. Due to the critical role networked services play in business operations, network recovery plans must clearly outline the steps, roles and responsibilities needed to quickly and effectively restore services after a network compromise.
Virtualized recovery plan
A virtualized recovery plan relies on virtual machine (VM) instances that can be ready to operate within a couple of minutes of an interruption. Virtual machines are representations, or emulations, of physical computers that provide critical application recovery through high availability, or the ability of a system to operate continuously without failing.
BCDR planning helps organizations better understand the threats they face and better prepare to face them. Enterprises that don’t undertake BCDR planning face various risks, including data loss, downtime, financial penalties and reputational damage. Effective BCDR planning helps ensure business continuity and the prompt restoration of services after a business disruption. Here are some of the benefits companies with strong BCDR planning enjoy:
When an unplanned incident disrupts business as usual, it can cost hundreds of millions of dollars. Additionally, high-profile cyberattacks frequently attract unwanted attention in the press and can result in loss of confidence in both customers and investors. BCDR plans increase an organization’s ability get back up and running swiftly and smoothly after an unplanned incident.
According to IBM’s recent Cost of Data Breach Report, the average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over the previous three years. Enterprises with strong BCDR can reduce those costs by helping maintain business continuity throughout an incident and speeding recovery afterward. Another opportunity for cost-savings with strong BCDR is in cyber insurance. Many insurers won’t insure organizations that haven't established a strong BCDR plan.
Data breaches incur hefty fines when private customer information is compromised. Businesses that operate in heavily regulated sectors like healthcare and personal finance face especially costly penalties. Since these penalties are often tied to the duration and severity of a breach, maintaining business continuity and shortening response and recovery lifecycles is critical to keeping financial penalties low.
Even a minor outage can put you at a competitive disadvantage. Protect your data with a cloud disaster recovery plan.
Employ a highly durable, scalable and security-rich destination for backing up your data.
Expand capacity and consolidate data center infrastructure onto an automated and centrally managed software-defined data center with IBM Cloud for VMware Solutions.
Many factors come into play when deciding whether to invest in and manage your on-premises disaster recovery (DR) solutions or use disaster recovery as a service (DRaaS) providers.
Backup and restore refers to technologies and practices for making periodic copies of data and applications to a separate, secondary device and then using those copies to recover the data and applications.
There are critical similarities and differences between disaster recovery and backup. These solutions can both help you solve your business' most important problems.
IBM has plans and processes in place globally that help sustain its business by assessing potential disasters. This paper provides an overview of the business continuity measures used by IBM to help prevent or reduce the impact of potential threats.
Zerto helps clients access robust disaster recovery and data protection capabilities while using the agility and flexibility of IBM Cloud for VMware solutions shared in a single-click deployment.
IBM's business continuity and resiliency engagement is designed to help you enable resumption of your business operations quickly and maintain the quality of your existing services in the event of an outage.