Contact Us

Continuity Insights Management Conference

Understanding Differences Between Disaster Recovery (DR) and Business Continuity (BC)

By Bob Alsan:

For over two decades, I have been on a crusade to educate companies on terminology differences among Disaster Recovery and Business Continuity. Throughout my career, I have held roles in each area as Director of Business Continuity or Director of Disaster Recovery.  Most companies don’t know the job description required for each discipline, let alone the proper terminology. More than once, I was hired for Business Continuity when in fact they needed IT Disaster Recovery support or vice versa.

I will try to bring some real life examples and standard definitions to help you better understand.  A good starting point is the standard definition. Note: both BC and DR are essential for a company, having one and not the other puts a company at risk. According to DRI International:

  1. Business Continuity: An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. (NFPA 1600)
  2. Disaster Recovery (DR): The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site. (DRJ)

Disaster Recovery (DR) lends itself to Technology. Think of it as a subset of Business Continuity with the focus on Digital Data.  It may be better to refer to it as IT Disaster Recovery (IT DR) to emphasize the point.

Business Continuity (BC) lends itself to overall process to maintain business operations and life safety. Business Continuity is focused on Business Operations. It is the apex entity, at the very top, entailing subsets such as Disaster Recovery, Crisis Communications, Pandemic Planning, Business Continuity Planning, Emergency Response, etc.

This terminology continues to cause confusion. Perhaps we should just begin calling them PPC – People Process Continuity (for BC) and TC – Technology Continuity (for DR).

Pop Quiz – does this resemble DR or BC (answers at bottom)

  1. Gripping virus spreads in USA, impacting your office workers. ☐BC – ☐DR
  2. Your backup servers fail. ☐BC – ☐DR
  3. The production datacenter’s generator fails during activation use. ☐BC – ☐DR
  4. Chemical spill near your Main call center closes building for days. ☐BC – ☐DR
  5. Hurricane approaching your main offices (HR, Marketing, Sales, and Legal). ☐BC – ☐DR
  6. Snow and ice storm closes your headquarters office. ☐BC – ☐DR
  7. Business decides their automated financial systems have to be recovered in 1 hour, not the current 8 hours. ☐BC – ☐DR
  8. New law requires your Pandemic plans to be documented and tested annually. ☐BC – ☐DR
  9. The CEO and CFO are involved in an accident and unable to work for months. ☐BC – ☐DR
  10. Your CIO becomes hostile and sabotages the backup data replication process. ☐BC – ☐DR

Company size matters
Smaller companies may have someone filling the role of both DR and BC tasks. This was true for me, as I started out at smaller companies that required someone to fill both roles. As my career progressed into much larger companies, the role differentiation became more apparent.

For larger companies, it is essential that the DR and BC teams work in harmony. However, during crisis management calls, each conduct their individual team tasks then join the call to share their actions. There are countless tasks and action items for each discipline to manage, making it dysfunctional for one area to manage both.  After the incident, DR immediately begins technology damage assessment and recovery, while BC manages to get people and operations back to normal business.

Certifications, standards, and training began to expand out into separate DR and BC buckets. For example, ISO 22301 and ISO 22313 are focused on Business Continuity, whereas ISO 27031 lends itself to IT and Communications Disaster Recovery.  There is some overlap in these standards, but essentially the scope and focus appeal to DR or BC.

Your infrastructure can sway DR BC emphasis
Both DR and BC are essential for operating companies.  However, if you are a pure SaaS Cloud operations, then your business may require more DR emphasis (DR lends itself to Digital Data). In this example, your employees may be virtual and distributed. You may be sharing a datacenter with others (colocation) not owning your datacenter or some of the equipment. Your customers access your services from a 3rd party datacenter, putting the onus of risk upon the datacenter. Note: you should have a solid service level agreement in place. Hence, although having both, emphasis may fall more to DR than BC.

If you are a brick and mortar manufacturer, then BC and Occupational Health and Safety may be the emphasis (BC lends itself to Business Operations). Of course you will have DR in place, but more people, processes and offices entail an emphasis on BC, life safety, operations recovery relocation sites, OSHA, etc.

The DR BC terminology confusion will continue, as will my crusade to educate the masses.

Pop Quiz Answers:

  1. BC – pandemic
  2. DR – server backup
  3. DR – datacenter
  4. BC – relocation of call center operations
  5. BC – hurricane response (notice Information Technology or datacenter not mentioned)
  6. BC – similar to hurricane example above
  7. DR – application recovery (automated financial systems – not manual workarounds were mentioned)
  8. BC – pandemic
  9. BC – executive succession
  10. DR – backup replication

About the Author: Bob Alsan, Director Business Continuity Program with Ultimate Software, has 25 years of experience developing and implementing global Business Continuity and Disaster Recovery Plans. He is certified in Business Continuity and Project Management. His professional Information Technology and Business Continuity career includes working for Fortune 100 and Big 4 Accounting firms based in London, Istanbul, Kiev, Bahrain, New York, Boston, North Carolina, South Carolina, and Florida. He participates in RIMS, PMI, BRCCI, BCI, ANSI, ISO, DRI, ITIL, and ASIS memberships and activities. He can be reached at

Continuity Insights

Similar Articles

The Cost of Faulty Risk Management – and How to Avoid It

By Atul Vashistha, Supply Wisdom: Fines resulting from poor risk management controls are becoming commonplace in the financial industry – and this new trend is just as expensive as it …

ACP News: 2020 Summit, National Board Election Results

The Association of Continuity Professionals (ACP) has announced that its 2020 Summit will take place at the Hyatt Regency Hill Country Resort in San Antonio, TX. The Summit will immediately …

A Good Cyberdefense – Keep a Low Profile

The FBI estimates that there were 15,690 email compromises of businesses and other organizations in 2017, resulting in $675 million in losses. Reported ransomware attacks resulted in $2.3 million in …

Leave a Comment

Share to...