Disaster Recovery or Business Continuity Management (BCM)?

Disaster Recovery or Business Continuity Management (BCM)?

My research has necessitated this informative piece. Often times when engaged in discussion with professionals about business continuity, their reoccurring idea has been disaster recovery and this has been the position of scholars, business executives, accountants and many more professionals. This then suggests that there is an informative or communication gap within this discipline and this explains for the reason why it has received little or no attention in developing economies of Africa and Asia and as such many business leaders especially in Africa still do not recognize the starting point in developing these capabilities. There is need to establish that there is a significant difference between disaster recovery and business continuity while the former is reactive, the later is proactive in nature.

Prior to the September 11 attacks which awaken the need for business continuity management, disaster recovery has been the order of the day. Business continuity management has evolved significantly over the past decades following the terrorist attacks of September 11 and subsequent events. Epidemics such as the H1N1 influenza also bring BCM to the forefront since they can potentially bring a business to a halt. However, BCM has evolved from what is known to be disaster recovery. Disaster recovery is defined as “the restoration of computing and telecommunication services after an event has disrupted those services. Some scholars identified disaster recovery as mainly focusing on getting hardware, software and data up and running after a power failure. Ginn (1989) also described disaster recovery as a process required to enable survival and recovery from a disaster to a computer centre. Again, experts suggest variations of this definition, but a common point from the definitions is that disaster recovery is a reaction to a disaster and its responsibility lies solely with the IT department of the organization. These views focus more on restoration after the damage has been done with dependencies on IT infrastructures. Moreover, disaster recovery planning often overlooks the human element which is a critical resource for business survival and actual performance of the critical business functions. As disaster events were encountered and businesses were failing to fully recover based on their disaster recovery plans, it then became evident that disaster recovery has been short-sighted, limited and insufficient in so many capacities.

Disaster recovery programmes are not sufficient to protect business from the threats of business failure or act of bankruptcy following a major disaster event, rather taking a preventive measure to lessen the risk of a disaster occurring seems to be a more proactive and strategic view. It is for these reasons that gave birth to business continuity management.  Although, both terms seem to be used interchangeably, there is a distinction between them. While the former is reactive in nature with focus on technical recovery process, the later integrates strategic preventive and proactive measures. The emphasis has now shifted from reactive (recovery) to proactive (preparedness) to minimize disasters and its impacts through proper planning. It is however important to note that, many effective continuity strategies have emerged from disaster recovery efforts in the IT function during the past decades and many of the same principles as applied to disaster recovery are today been applied to BCM. In essence, an effective business Continuity management and emergency programme therefore encompasses the elements of both disaster recovery and business continuity planning.

Business continuity management has evolved over the past four decades to embrace a more comprehensive preparedness and protective measure. The convergence of crisis management, business continuity and infrastructure protection best practices has given strategic direction in the domain of enterprise resilience and a cross company perspective. BCM’s rising importance and IT based history have created internal debates about who owns the BCM function and how BCM relates to a company’s existing risk management efforts. Business Continuity Management is now identified as complementary to a broader Risk Management (RM) Framework that aims at identifying the business risks and the consequences from their occurrence and further as a subset of the entire enterprise risk management.

For most corporations in both private and public sectors of the country, focus has been on the traditional view of recovery after a disaster with heavy reliance on insurance. There are certain risks that cannot be protected by insurance, but can only be managed by business continuity or contingency planning. Although, insurance on the short term will provide compensation and support in loss events, it does not provide or guarantees organisational resilience. However, long term issues such as reputation damage, loss of market share, public and investor’s perception and customer confidence are not indemnified by such insurance. It is so saddening that as a Nation we are still of the traditional view of disaster recovery. There is no guarantee that your business or enterprise will return to normal following a disaster if you are waiting to implement recovery procedures. Usually, recovery plans don’t take into consideration human resource element, rather it is limited to IT facilities and back ups. Further lesson from 9/11 is that organizations need to think of the company as a whole, including people and processes, as well as IT. Prior to 9/11, many firms in the United States did not really take account of staff in their plans.  Having remote data centers is very good, but if there are no staff, or absent key staff as a result of an incident, this can bring an organization to its knees. After the collapse of the world trade center, staffs were evacuated and backup facilities were without either primary or back up personnel to execute the BCP and keep the business operating. This places the need for employee consideration in terms of communication, transportation and welfare in BCP planning and not just focusing on IT and data recovery centers. 

The attitude of Nigerian businesses towards BCM connotes the saying” we want to incur the losses and then our insurance will pay”. The question is why would you want to suffer losses that have strategic implication on your survival and continuity when you can be proactive, plan ahead and minimize losses that will erode investments and losses which would have been potentially invested in the provision of public goods?

 Disaster recovery Vs BCM

• While BCM will provide protection against unforeseen and anticipated disruptions to business, thereby limiting impact and losses both financial and otherwise, companies with dependence on disaster recovery are exposed to the severe losses (Investment, human resources) arising from a disaster event.

• While BCM provides strategies to continue operations irrespective of any disaster, Disaster recovery plans suggests that a temporary or permanent closure of business operation in the event of a disaster event.

• Usually, there is a gap between the occurrence of a disaster and recovery. While this gap exists, the business is open to reputation damage, negative public perception, share and stock devaluation, litigation and so on. However, with BCM, no gap created as business resumes operation immediately while implementing the BCP.

Overall,  it is clear that dependence on disaster recovery is a short-sighted strategy, hence a well thought, prepared and holistic strategy will not only minimize the risk of business disruption, but will also minimize liability exposures, reduce financial loses as well as operational and reputation loses. Government agencies and parastatals across all levels together with business enterprises must have a change of focus to pursuing BCM rather than relying on recovery. Unless we prepare in advance, a crisis/disaster event will inevitably shut down flow of business operations. It is unlikely that businesses without an effective BCM strategy will react positively during such an event and the probability of survival and recovery is next to zero.