August 1st, 2014
The debate has been going on for a long time. Is it Business Continuity for business processes and Disaster Recovery for IT? Is Business Continuity just the current term for any preparedness planning going on in the organization? Does it depend on who is the driving force behind the need to create a plan? Was it IT, a business line, Audit or Risk Management that got it started? One thing for sure is that in most companies the people on either side of the fence don’t often talk to each other. And it has been that way for years.
When I did an internet search on the topic of Business Continuity vs Disaster Recovery, I found posts going back many years. Just last year (August 27, 2013) Jim Mitchell posted a blog that said, “Unless and until IT and ‘the business’ work together as equal partners in the development of comprehensive Business Continuity, we haven’t moved into a truly ‘post-DR’ world. As long as the two extremes see themselves as adversaries, they are unlikely to reach true Business Continuity objectives. As long as they fight separately over the same budget dollars (and we all know who usually wins that battle), they will never truly be partners in organization recoverability.” A year later this is still true.
The Disaster Recovery Institute (DRI) defines Business Continuity Management as:
“a management process that identifies risk, threats and vulnerabilities that could impact an entity’s continued operations and provides a framework for building organizational resilience and the capability for an effective response.
The objective of Business Continuity Management is to make the entity more resilient to potential threats and allow the entity to resume or continue operations under adverse or abnormal conditions. This is accomplished by the introduction of appropriate resilience strategies to reduce the likelihood and impact of a threat and the development of plans to respond and recover from threats that cannot be controlled or mitigated.”
This is a lofty goal that the whole organization should strive for, not just the business side or the IT side. If the organization can’t provide its services or products because of an event, no one wins.
An area where Business and IT should meet is in the Business Impact Analysis (BIA) and resulting Gap Analysis. The qualitative and quantitative impacts from negative events on the whole organization are analyzed. The resulting Recovery Time Objectives (RTO) prioritize the business processes. Then the supporting areas such as IT and Facilities determine if they can meet those priorities. If there is a difference between the business need and the supporting capabilities (The Gap) this is where business and IT can really work together. Both sides can have some give and take. Business can put strategies in place where they can still function at some level while resources are restored. IT has many strategies they can use to shorten the time it takes to recover. Recovery strategies must be approved and funded.
The funding question is where the battle usually begins. Whose budget is it going to come out of? If you ask the customers they don’t care about whose budget. They just want your business to keep serving them. And the executives want us to keep serving them. But everything in the end comes down to money. “Show me the money!” By working together Business Continuity and Disaster Recovery can show the executives money well spent on recovery strategies.
I have seen some companies recently who have torn down the fence between Business Continuity and Disaster Recovery. They have found a way for representatives from each side to work together. Some have even included Emergency Management and Crisis Management on the team. And some have found software that helps to bring the sides together.
I would like to know if any of you have found ways to tear down the fence between Business and IT. Please feel free to post your comments below and to share with others you think might appreciate this article.