
Basics: Recovery vs. Continuity

Articles | Josh Christian, CPA, CISA | Dec 12, 2022

Disaster recovery and business continuity planning have risen on boards’ risk rankings due to the cumulative effects of war, pandemic, natural disasters, and sociopolitical upheaval that have tested the survival skills of organizations big and small. The terms themselves and their elements are sometimes used interchangeably, so it is good for internal auditors to have at least a basic understanding of what DRP and BCP are and their similarities and differences.

The Disaster Recovery Plan

A DRP is a set of procedures and controls designed to restore an organization’s capabilities to a pre-disaster state. Disasters can differ in type and magnitude but generally involve a large-scale event resulting from a natural disaster (e.g., fire, flood, hurricane, or earthquake) or human-driven event (e.g., data breach, ransomware demand, or terrorist attack). Depending on the type of business, DRPs may be heavily focused on IT — for example, backups for data and power — and operational functions that secure data and ensure the company survives and eventually resumes business as usual.

The Business Continuity Plan

A BCP contains protocols for keeping critical business processes operating during a disruption. Its primary purpose is to maintain the business’s ability to deliver products and services despite an interruption to normal business processes. Such interruptions could be large or small in magnitude and short or long in duration.

Most BCPs include a recovery time objective and recovery point objective. A recovery time objective is the maximum desired length of time between an unexpected failure and the resumption of normal operations. A recovery point objective is the most recent prior state to which the business needs to restore its systems to recover from an interruption and resume operations. The recovery point objective is often defined in terms of the maximum acceptable amount of data (e.g., 24 hours’ worth) the business can afford to lose due to the gap between the interruption and the most recent backup.
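The two objectives above are easier to audit when they are checked against evidence rather than the nominal schedule. The following is an added example (not code from the article or its author) that reads a small, constructed backup-job log, skips failed runs, and measures the data-loss window an interruption would actually have produced, the largest gap in the backup history (the RPO the schedule can really guarantee), and whether a recorded restoration time met the RTO. The log format, job name, timestamps, and the 24-hour and 4-hour objectives are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample input (not from the article): backup-job log lines in the
# shape a backup tool might emit, including one failed nightly run.
BACKUP_LOG = """\
2022-12-01T00:05:00 job=db-nightly status=ok
2022-12-02T00:04:00 job=db-nightly status=ok
2022-12-03T00:06:00 job=db-nightly status=failed
2022-12-04T00:05:00 job=db-nightly status=ok
"""


def parse_successful_backups(log_text):
    """Return timestamps of backups whose status is ok, oldest first.

    Failed runs are skipped on purpose: only a completed backup shortens the
    data-loss window, so a failed job must not count toward the RPO.
    """
    stamps = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("status") == "ok":
            stamps.append(datetime.fromisoformat(ts))
    return sorted(stamps)


def data_loss_window(backups, interruption_iso):
    """Gap between the interruption and the last successful backup before it.

    This is the work that would have to be re-created after a restore; the
    RPO caps it. Returns None if no usable backup precedes the interruption.
    """
    interruption = datetime.fromisoformat(interruption_iso)
    prior = [b for b in backups if b <= interruption]
    if not prior:
        return None
    return interruption - max(prior)


def meets_rpo(backups, interruption_iso, rpo_hours):
    """True if the data-loss window for this interruption is within the RPO."""
    loss = data_loss_window(backups, interruption_iso)
    return loss is not None and loss <= timedelta(hours=rpo_hours)


def worst_case_gap(backups):
    """Largest interval between consecutive successful backups.

    An interruption just before the next backup completes loses this much
    data, so this, not the nominal schedule, is the RPO the history supports.
    """
    if len(backups) < 2:
        return None
    return max(later - earlier for earlier, later in zip(backups, backups[1:]))


def meets_rto(interruption_iso, restored_iso, rto_hours):
    """True if normal operations resumed within the RTO."""
    elapsed = datetime.fromisoformat(restored_iso) - datetime.fromisoformat(interruption_iso)
    return elapsed <= timedelta(hours=rto_hours)


if __name__ == "__main__":
    backups = parse_successful_backups(BACKUP_LOG)
    outage, restored = "2022-12-03T18:00:00", "2022-12-03T22:30:00"
    print("data-loss window:", data_loss_window(backups, outage))
    print("meets 24h RPO:", meets_rpo(backups, outage, 24))
    print("worst-case gap in history:", worst_case_gap(backups))
    print("meets 4h RTO:", meets_rto(outage, restored, 4))
```

Run against the constructed log, the check shows why a "24-hour" RPO on paper is not the same as a 24-hour RPO in practice: the failed run on 3 December stretches the loss window for an afternoon outage that day to almost 42 hours, and the longest gap between successful backups is just over two days. An auditor reviewing testing evidence would want to see the same comparison made against real job logs and real restoration timings, not against the schedule alone.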

BCPs also should consider how business interruptions will affect certain localities and the potential need for a failover location when one location is impacted by the emergency. These failover sites can vary depending on the business’s need and the recovery time objective the business is seeking to maintain. Cold sites are backup resources, such as servers and storage, that are in place and ready to be powered on in an emergency; however, they may take several hours to get running. Hot sites are generally more attractive from a downtime standpoint because their resources are already running at a separate location. However, having a hot site does come at a higher cost.

This article assumes that the business desires — and is able — to return to normal operations. It should be noted, however, that more organizations are considering, in the context of their BCP, the possibility that a disaster could render their existing business model obsolete.

Similarities and Differences

DRPs and BCPs have some common elements such as identifying the processes and resources that are critical to the business functioning and developing the infrastructure to mitigate the effects of disaster scenarios. Because of that overlap, there sometimes can be confusion over what aspects should be included in which plan. Definitions may vary from one organization to the next, but for the sake of clear communication, it is useful to know what generally distinguishes the two plans from each other.

Although sustaining business operations is part of recovering from a disaster, DRPs are more concerned with fixing the original systems and avoiding losses, whereas BCPs are more focused on shorter-term contingencies. For example, leveraging an insurance policy that covers the renovation of a flooded building falls under a DRP, whereas temporarily relocating critical computing processes to an alternate site until power is restored would fall under the BCP.

In addition to the operational and IT infrastructure a business needs to avoid losses, the DRP also should consider the social and environmental concerns related to employee and community well-being when responding to a disaster. Generally, concerns related to human health and safety are the domain of the DRP.

Communication is an essential element of both DRPs and BCPs. Based on the nature of the disruption, organizations may need to communicate with some or all of their employees, customers, regulators, or other government officials, as well as emergency responders, the media, and the general public.

Both BCPs and DRPs should have a documented plan that includes the chain of command, contact information for all relevant employees, and step-by-step instructions for how to engage offsite resources or contingency plans. In addition, the two types of plans should be compatible with and informed by each other. Depending on the business and the event, only certain aspects of each plan may be implemented to continue and recover operations.

Auditing the Plans

There are two approaches to auditing BCPs and DRPs. One approach is to examine the plans in their entirety as a discrete audit project; the other is to look at interruption/disaster preparedness within the context of auditing a particular area of the business. Either way, internal audit plays an important role in ensuring that the BCP and DRP are well-designed and will meet the needs of the organization in an emergency.

One way to do this is to verify that the plan is built on good information. A business impact analysis is the foundation on which the BCP and DRP are built. It identifies critical assets and processes, prioritizes them, and quantifies the impact to the business should these items be damaged. Any internal audit review of the BCP or DRP should include a look at the business impact analysis to determine whether it is robust, current, and reasonable.

Additionally, there are some key questions for internal audit to consider when looking at a BCP or DRP:

  • Testing: How often is the plan reviewed, updated, and tested? Are these frequencies appropriate, and is testing actually happening?
  • Ownership: Are there clearly defined and understood roles and responsibilities for preparing and using the BCP and DRP? Do those roles include employee contact information?
  • Activation criteria: Many organizations have a “runbook” that defines the circumstances for activating the BCP and DRP and the immediate procedures and communication protocol. Is this information documented and kept current?
  • Regulations and standards: If external standards/regulations apply to the BCP or DRP, is the organization in compliance?
  • Third parties: If the organization is a recipient or provider of third-party products and services, is there alignment on requirements and expectations (e.g., uptime, fail-safes) between the parties? Are these documented?
  • Compatibility: Are the BCP and DRP compatible and in agreement with one another?

Critical to the Organization

The BCP and DRP are critical and potentially complex depending on the business. However, the foundational elements of a BCP and DRP are constant for all businesses and should be a key consideration for management and the internal audit function.

Josh Christian, CPA, CISA

Nielsen, Oldsmar, Fla.