The CEO, CFO, and CIO are meeting to discuss the state of the organization. The company is located within a coastal city and the CEO has concerns about how prepared they are given the inherent risks of their geographic area.
The CFO tells the CEO, “Don’t worry, I’m developing a Business Continuity Plan that will outline everything necessary to keep the lights on.” The CIO then says, “Well, I’m developing a Disaster Recovery Plan that will do that as well.”
The CEO looks perplexed. Why are my CFO and CIO performing the same work and why are they calling it by two different names? The truth of the matter is that he should only be concerned if these plans are being developed in parallel without any input between the CIO and CFO.

 

Two Plans with Different Goals and Timelines

Within contemporary corporate culture, Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) have started to be used interchangeably. They are both very different documents but do depend on each other, to some degree, to keep the business alive during a potentially disastrous situation.
The primary difference between the plans has to do with its timeline in relation to the disaster event. A BCP is a plan that the business uses to plan in advance what needs to be done to ensure that key products and services continue to be available in case of a disaster. DRP plans for what needs to be done immediately after a disaster in order to recover quickly. Basically, the BCP is planning to continue business operations during a disaster while the DRP is planning to recover from that disaster.

 

To Do Your BCP and DRP Right, Do Them Together

The CFO should be analyzing the impact of risks on the organization and developing a business strategy on what the company needs to do to “keep the lights on” in the event of a disaster, while the CIO should be looking at all of the business-critical systems within the IT environment and understand the process to fail-over to other systems if a disaster should happen. However, the two are not mutually exclusive.  Without knowing the levels of accepted risk documented within the BCP, the CIO cannot develop an accurate DRP. Without an understanding of realistic recovery objectives for the business’ technology, the CFO cannot develop an accurate BCP.
The importance of the business and technology departments to be on the same page cannot be understated. Creating a BCP or a DRP in a vacuum is a recipe for comprehensive business failure. While both documents have a different list of critical risks and threats, they should all be discussed and accounted for in both plans. Aligning the goals of both groups will create a sound plan for the organization to prepare for, and recover from, a disaster under realistic terms.
So, should our CEO be concerned that the CFO is working on a BCP and the CIO is working on a DRP?  Not necessarily – but the CEO needs to make sure that they are discussing both of these plans together and reviewing them with the CEO to make sure the plan does truly “keep the lights on”.