Re: Business Continuity – Disaster Recovery and Crisis Management differences
Here's how BS 25999 defines these concepts:
Incident management - what you do as an immediate consequence of an incident
Business continuity management - what you do to sustain the business while you recover from the incident
Disaster recovery - what you do to put things back as they were
Confusingly, and in the best traditions of English as a context-dependent language, planning for all three (incident management, business continuity and disaster recovery) is called Business Continuity Management. (I didn't write this stuff, I just write about it.) "Crisis management" is what BS 25999 would call incident management - emotional terms were largely avoided in the standard.
For example: a stray meteorite hits your call centre:
Incident management - determine that it was indeed a meteorite (or something capable of obliterating your call centre), notify authorities, next of kin, care for walking wounded, etc ... and kick off the business continuity plan ...
Business continuity management - sustain calls using a temporary call centre with temporary computer and phone systems, data restored from backups and either existing or temporary staff
Disaster recovery - rebuild the call centre, get new equipment and new staff if some were lost in the disaster. Maybe return to a "new normal" rather than the old normal: consider maybe two call centres, miles apart so that if one fails, the other picks up traffic; perhaps put them under mountains, safe from direct meteorite hits. (Or put anti-meteorite missile systems on their roofs!)
Many businesses have the disaster recovery plan but fail to plan for incident management and business continuity. Incident management planning includes, for example, who takes decisions and how does everyone communicate ... and what happens when the mobile phone batteries die?
It's said that the first few hours are critical and time lost early magnifies later consequences. One business had a plan that said, "Take taxis across town to the backup data centre." When push came to shove they lost valuable time because nobody was prepared to pay for taxis, fearing they would not get the expense reimbursed. Moral of the tale: plan ahead for discretionary spending on transport, gear, food and drink, e.g. with a company credit card.
Another major mistake is not planning for media management. CEOs often need to be trained to talk to the media in such a fashion as to not make matters worse, an obvious example being the first days of the BP oil spill in the Gulf.
There's much more than this to consider, hence BS 25999 - which will be an ISO shortly, sorry, can't remember the number.
Some organizations do BC to improve their ability to ride unexpected situations (weather events, man-made disasters, or smaller things like something bad in the drinking water, loss of electric power or internet); some report reduced insurance premiums; some reduce the probability of late product or service delivery and the associated penalty clauses. Early adopters include global IT services companies and financial services institutions, for which stoppages can be expensive.
BS 25999 was introduced in the UK as one of many responses to several major incidents including some terrorist bombs, an explosion at an oil refinery and some major flood events in order to improve UK resilience. BC plans are mandated upon local and national government, first responders (blue lights and government) and second responders (public utilities).
Hope this helps,
Pat