Disaster recovery is not business continuity — understand the difference
An IT disaster recovery document is not a business continuity plan. Seven things BC adds that DR cannot — and a six-question audit to find your gap.
Definition
Business continuity — the capability to keep business operations running during and after disruption: people, processes, technology, facilities, and supply chain. DR is one component of BC. BC is not a component of DR.
Disaster recovery and business continuity are the two most frequently conflated terms in organisational resilience. Walk into any boardroom and ask whether the business has a continuity plan, and you will almost certainly be handed an IT disaster recovery document. It may be well-written, technically precise, and recently tested. It is also, by itself, not a business continuity plan.
The fundamental distinction
Disaster recovery
A technical discipline — replication, failover, backup integrity, RTOs and RPOs. Can rebuild a critical application within an agreed window, on agreed alternate infrastructure.
Business continuity
Spans people, processes, technology, facilities, and supply chain. Deals with what staff do when the office is shut, what manual workarounds exist, who communicates with which stakeholders, how regulatory obligations are met.
DR is a component of BC. BC is not a component of DR. A business with excellent DR but no BC has the technology to recover systems and no organisational capability to resume operations.
What BC adds that DR does not have
Business Impact Analysis (BIA): The systematic assessment of which functions are critical and the maximum tolerable disruption. DR has RTO/RPO. BC has MTPD (longest a function can be down before unacceptable damage).
Crisis communications plan: Who communicates with customers, suppliers, regulators, and journalists — with what message, at what frequency, on which channels.
Alternate work arrangements: What do staff do when the office and systems are unavailable simultaneously, which is the most common real-world scenario?
Supply chain continuity: What happens when a critical supplier is disrupted? DR does not consider third parties beyond the organisation's own infrastructure.
Regulatory notification: ICO breach notifications within 72 hours, FCA incident reports, and sector-specific obligations are BC responsibilities with statutory deadlines. Missing them is a separate offence.
"An organisation that recovers its IT systems but cannot staff them, communicate with customers, or notify regulators has not achieved business continuity. It has achieved a different kind of failure."
Closing
Start by asking one question of yourself, your IT director, and your operations director independently: if all our IT systems recovered tomorrow morning, could our business actually resume operations by tomorrow afternoon? If the three answers do not agree — or if any of them is "I'm not sure" — you do not have a business continuity plan. You have a DR plan and a hope. The first is recoverable. The second is not.