I have been going through couple of articles and noticing that most of them have defined BC and DR in a different way. My understanding of BC and DR is slightly different and I would like to post this here to get your views of the same.
What I have seen in several blogs is that Business Continuity will look at how to recover the business and Disaster Recovery is about recovering IT Infrastructure. This is mentioned not only in some of the blogs but also some of the institutes preach the same. This is not to comment that they are wrong, but to spread the word and understand what others think of the same.
Looking at the statement that says Business Continuity (BC) is looking at how to recover business, does this mean that those organizations that use IT Services for carrying out their business would be recovered to a certain extent without recovering any IT infrastructure…??? I wouldn’t agree with that…. Also it states that those organizations which do not use any IT services will not have any Disaster Recovery Plans (DRP).
Let’s say an incident had occurred and the organization is unable to deliver its services. The incident could have been caused due to a natural disaster such as fire. If the fire has occurred at a location where it has no impact on business, this can be controllable and immediate actions can be taken. If you look at a scenario where the entire building is under fire, then your Emergency Response plan would kick-in and evacuations, contacts with authorities etc, public addressing will be exercised.
The next action is to continue providing the services of the organization to its clients. So the organization might have to start operating from a different location with minimal resources (which include IT and People). This is triggered from the business continuity plan and is looking at continuing the business which will also require the support of IT Infrastructure.
Now going back to the original site and recovering back that site to its normal working condition is triggered by the Disaster Recovery Plan, which is also a part of the Business Continuity Plan (BCP). When I say normal working conditions, it means to recover the entire site to how it was before and the organization start to function as before from that location (or a new location). Now the organization will move from its minimal service delivery to full service delivery with all its force.
So according to me
Business Continuity (BC) = Business Continuity Plan (BCP) + Emergency Recovery Plan (ERP) + Disaster Recovery Plan (DRP)
Irrespective or whether the organization uses IT Infrastructure for its operations or not.
#1 by Vinod Kumar Agrasala on July 17th, 2008
Quote
A good point raised here. Even I don’t get convinced on the popular definition that you quoted above – saying DRP is only for IT!
I have the following difference of opinion on the thoughts noted above:
A) If the organization (after the fire has completely impacted one office) kicks in Emergency response – and then “start” operating from a different office, this is not reall continuity, according to me – This is still a ‘recovery’. In fact “Immediate recovery” Option is this.
Real Continuity (again according to me) – is when the minimal vital business function can continue (without interruption) even in the occurence of such an event.
For example, if the vital business functions are distributed in two different locations instead of concentrating in a single location – at least a part of the businss will “Continue” from the other location, when the disaster occurs in one of the location.
B) DRP should encompass the recovery during a disaster situation – (like start operations on a mirror site, like you mentioned above) as well as the plan to come back to normal condition, post the disaster scenario.
C)If I go with point B, then Emergency response plan is a subset of your Disaster Recovery Plan.
So,as per me, overall BCP = Plan for continuing Vital business functions (if exists) + DRP
Here DRP = ERP+ Recovery plan + Restoration plan
The terms used above are just for explanation purpose. I am not sure about their authenticity
#2 by Manpreet on September 9th, 2008
Quote
interesting discussion but i have a query
how ISO 27001 helps in implementing BCP and DRP
#3 by Vinod Kumar Puthuseeri on October 13th, 2008
Quote
Manpreet,
Though ISO 27001 does not help in implementing BCP/DR, but certainly emphasizes on the “availability” of information, wherever it is required to those authorized personnel’s. Having this in mind it is required to ensure that whatever information that is critical to the organization is available to the users even after a disaster. This can be achieved by implementing a BCM program.
#4 by BCTravelGuides on February 26th, 2009
Quote
Of course, what a great site and informative posts, I will add backlink – bookmark this site? Regards, Reader.
#5 by jtbevis on April 18th, 2009
Quote
I think your explanation is accurate. Business Continuity should encompass emergency response, disaster recovery, and even incident response. How formally or informally they are tied together within in organization is another question.
Typically disaster recovery is considered only an IT function in many organizations, but in reality disaster recovery is simply recovery from anything that the organization defines or has assessed can be a disaster (i.e. fire, flood, etc.).
For example, you may have a building burned down and there are business services not functioning. Business continuity dictates an emergency services reaction to save lives and a business reaction to get the services functioning again. Disaster recovery dictates getting back to normal operating mode, which may take several years since the building and its entire infrastructure may need replaced (regardless of whether its IT or physical infrastructure). Hence you’re in disaster mode until you fully recover.
Jason
http://infosecalways.com
#6 by Manoj Reddy on July 27th, 2009
Quote
Recovery typically means resumtion of what is lost. Therefore DR is resumtion of full fledged services from the primary site of disaster.
Eg: assessment of damage, purchase/rent of new infrastructurea, facility, recruitment of replacement staff etc.
Business Continuity shall include minimum level of crtical services to continue at remote site for a limited period of time (till the primary disater site is back to its full shape)
#7 by SpoifsSooro on August 29th, 2010
Quote
very interesting, thanks
#8 by Taha on January 11th, 2011
Quote
Ideally, true Business Continuity can only be achieved if there were no disasters.
We are not living in a perfect world therefore disasters (minor or major) are bound to occur every now and then. Objective of BCP is to keep the business running – How can we keep the business running if we know disasters are bound to happen? – For that we devise strategies to counter each and every disaster our business is subject to. It doesn’t matter if we use IT resources for countering the disaster (remember we need to need to keep the business running at any cost). This takes us to the conclusion that BCP should always be proactive. For instance, if you have a DR site located at a different city from that of the primary site and both cities are not subject to the same disaster and you have set up mechanism for real time mirroring then this should be included in your BCP because you have taken proactive measure to counter a disaster.
DRP on the other hand is always reactive. DRP is called into action when the disaster has occurred. It includes what facilities are made available at DR site to recover the disrupted business services.
Both should not be thought of different documents as both support each other in one way or other but it is vital to understand the function that each document addresses.
#9 by Allan Kawele on September 13th, 2011
Quote
I would like to bring some precision here:
BCM (Business Continuity Management Systems) is responding to the question seeking to know WHAT SHOULD BE PUT IN PLACE in order to AVOID or REDUCE the IMPACT of a disaster on the organisation’s ability to offer its basic services while
DRP (Disaster Recovery Plans) which could also be part of a BC (Busines Continuity) strategy, is seeking to respond to the question that wants to know WHAT IT IS THAT WE NEED TO PUT IN PLACE IN ORDER TO REDUCE THE DOWN TIME OF CRITICAL systems and processes in order for the organisation to continue offering its basic services.
DR is reactive while BC is proactive.
Thanks.