
Differences Between a Vendor's Disaster Recovery and Business Continuity Plans


An essential component of any critical vendor relationship is understanding how they will respond to and recover from a business-disrupting event, such as a natural disaster, cyber incident, or unplanned staffing shortage. Reviewing a vendor’s business continuity plan (BCP) and disaster recovery plan (DRP) helps ensure your organization isn’t negatively impacted by your vendor’s unpreparedness.

Although BCPs and DRPs are often used interchangeably, they serve two different purposes. It’s important to understand the difference between BCPs and DRPs to avoid any uncertainty about whether your vendor is prepared to continue and restore its operations during a business-disrupting event. 

What Are Vendor Business Continuity and Disaster Recovery Plans?  

A BCP is designed to ensure an organization can continue to deliver products and services at a normal or predetermined and acceptable level of availability. This plan would answer the question, “How will we maintain our operations and limit downtime during a business-disrupting event?”

A DRP is a subset of business continuity that focuses on the processes and procedures necessary to resume normal operations. This plan would essentially answer the question, “How will we restore our operations, data access, and technology infrastructure after a business-disrupting event?”

For example, imagine your payment processor is in a region susceptible to hurricanes. This vendor’s BCP would describe how it will protect its critical business functions and minimize disruptions during a hurricane. The vendor’s DRP would describe how it will restore service and recover data if the hurricane caused an operational failure.

Key Differences Between a Vendor’s Disaster Recovery and Business Continuity Plans 

BCPs and DRPs are often developed together to reach similar goals around maintaining and resuming operations. Still, there are some important differences that are worth understanding about a vendor’s BCP and DRP. Here are four key differences: 

  1. Strategic objectives vs calculated plans – A BCP sets out strategic objectives: the vendor’s goals and plans for how it will maintain operations amid the unexpected loss or disruption of personnel, locations, and business functions. A vendor’s DRP, on the other hand, should cover the specific processes and procedures for resuming operations after a business-disrupting event. 
  2. Business resiliency vs resuming operations – A BCP attempts to avoid business interruptions by proactively implementing plans and controls that increase the business’s resiliency to the disaster scenarios it describes. A DRP guides disaster recovery personnel in reacting and responding to events that exceed what the BCP can absorb, and helps recover the organization’s people, facilities, and systems to normal operations.
  3. Preventative vs reactive – A vendor’s BCP will contain certain activities intended to prevent or mitigate negative consequences from an incident.

    The BCP activities may include:
    • Risk assessment – This identifies, analyzes, and evaluates the vendor’s business continuity risks, including vulnerabilities, threats, and current safeguards.
    • Succession planning – This describes how the vendor will address personnel loss through strategies like cross-training, staffing agencies, and job rotations.
    • Planning with public entities – The plan should identify emergency services and local or state disaster relief agencies.
    • Relevant communications – The vendor should outline its process for communicating with its identified key vendors, clients, employees, and the media. Communications should also describe breach/disruption notification procedures.
    • Ongoing maintenance – The vendor should demonstrate that its BCP is reviewed on a recurring basis and modified if needed. Many changes can trigger a modification, including staffing changes, new processes, or new products and services. These reviews might occur annually, bi-annually, or quarterly, depending on the vendor’s policies. Maintenance should also include storing the BCP in an off-site location and ensuring it’s secure and available.
    • Testing – A BCP should have been tested within the 12-18 months preceding your organization’s review. Tabletop, simulated, or functional tests are the common testing types you may see. Any issues discovered during testing should be addressed or in the process of being addressed.
    A vendor’s DRP will focus on how to respond and react to a business-disrupting event. These DRP processes and procedures may include the following:
    • Assessing the severity and scope – Before performing other activities in the DRP, the vendor should decide whether the incident qualifies as a disaster.
    • Collecting and quantifying resources – This can refer to gathering disaster recovery personnel at the command center.
    • Recovery – These activities generally include recovering operations, communicating with disaster recovery personnel, and ensuring restoration to normal operations.
    • Notifying customers – A DRP should include the timeline and process for notifying customers of the event. Certain events are subject to regulatory requirements, so it’s essential to understand when the vendor will notify your organization. 
    • Testing – Tabletop, simulated, or functional testing should have been performed within the previous 18 months. Backup data should also be tested or restored at least annually. The vendor should show evidence that any issues have been addressed or are currently being addressed.
  4. Components for resiliency and restoration – Your vendor’s BCP should contain several components that provide evidence of its operational resiliency. 

    These BCP components include:
    • Identified teams or individuals – A BCP should list the teams or individuals responsible for creating and maintaining it. This allows your organization to easily identify the responsible parties and address any questions or concerns. 
    • Business impact analysis (BIA) – This describes the extent to which a disaster or emergency could interrupt the vendor’s operations and negatively impact its business continuity. The BIA should define the vendor’s recovery time objective (RTO) and recovery point objective (RPO). RTO is the targeted duration of time by which a process should be restored after an incident. RPO is the maximum amount of data loss that the vendor can experience while still being operable. The BIA may also define the maximum tolerable downtime (MTD), which is the longest a vendor can be inoperable before an incident causes a material loss. RTO and RPO are often tested as part of disaster recovery, as this piece of the planning process crosses both the BCP and the DRP.
    • Facility loss contingencies – These details explain how the vendor will continue operations if its primary facilities are unavailable because of an incident. Relocation plans, remote access availability, and failover and backup locations fall under this category. Personnel recovery to normal operations may also be included in facility loss contingencies.
    • Pandemic contingencies – A BCP should address contingencies for pandemic-related events, such as mass absenteeism, inability to travel to certain locations, remote work capabilities, and shutting down operations.
    • Senior management and board involvement – The vendor’s board of directors and/or senior management should be involved in creating, reviewing, and approving the BCP. This ensures the highest level of leadership has an awareness of the vendor’s preparedness for business-disrupting events.
    DRP components – Your vendor’s DRP should include components that show evidence of its ability to restore its operations after an incident. As with the BCP, the DRP should include identified teams or individuals and senior management and board involvement. 

    Additional details in a DRP may include:  
    • Backup procedures – These help validate whether the vendor is keeping your data safe and accessible during and after an incident. Backup procedures should describe on-site and off-site backups, as well as evidence that backup data is replicated to an alternate location. Monitored alerts and encryption are also important to verify.
    • Location details – The DRP should include location details for the primary data center and recovery sites. These sites should be geographically diverse to ensure the same event is unlikely to impact them both at the same time. Disaster recovery site configuration may describe three types of locations – cold, warm, and hot. A cold location requires significant preparation to use, as it doesn’t contain any servers, hardware, or backup data. A warm location requires minimum preparation, but has the necessary servers, hardware, and backup data on site. A hot location is fully prepared and can be used at any moment. 
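The review criteria above (test recency, backup restore testing, RTO/RPO/MTD, site diversity, leadership approval) can be turned into a repeatable gap check. The following is an added example, not Venminder’s code or tooling; the `VendorPlanEvidence` record, the 18-month and 12-month windows expressed in days, and the sample vendor data are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Windows from the article: plan tests within 18 months, backup restore tests
# at least annually. Day counts are an approximation (assumption).
MAX_PLAN_TEST_AGE_DAYS = 18 * 30
MAX_BACKUP_TEST_AGE_DAYS = 365


@dataclass
class VendorPlanEvidence:
    """Constructed summary of what a reviewer extracted from a vendor's BCP/DRP."""
    last_bcp_test: Optional[date]
    last_dr_test: Optional[date]
    last_backup_restore_test: Optional[date]
    rto_hours: Optional[float]
    rpo_hours: Optional[float]
    mtd_hours: Optional[float]
    primary_site_region: str
    recovery_site_region: str
    recovery_site_tier: str      # "cold", "warm" or "hot"
    board_approved: bool


def review_plans(ev: VendorPlanEvidence, as_of: date) -> List[str]:
    """Return the gaps a reviewer should document, escalate and track to closure."""
    gaps: List[str] = []

    def check_recency(label: str, when: Optional[date], limit_days: int) -> None:
        if when is None:
            gaps.append(f"{label}: no test evidence provided")
        elif (as_of - when).days > limit_days:
            gaps.append(f"{label}: last test {(as_of - when).days} days ago exceeds {limit_days}-day window")

    check_recency("BCP test", ev.last_bcp_test, MAX_PLAN_TEST_AGE_DAYS)
    check_recency("DR test", ev.last_dr_test, MAX_PLAN_TEST_AGE_DAYS)
    check_recency("Backup restore test", ev.last_backup_restore_test, MAX_BACKUP_TEST_AGE_DAYS)
    if ev.rto_hours is None or ev.rpo_hours is None:
        gaps.append("BIA: RTO and RPO must both be defined")
    # MTD is the longest the vendor can be down; an RTO beyond it cannot avoid a material loss.
    if ev.mtd_hours is not None and ev.rto_hours is not None and ev.rto_hours > ev.mtd_hours:
        gaps.append(f"BIA: RTO {ev.rto_hours}h exceeds MTD {ev.mtd_hours}h")
    if ev.primary_site_region == ev.recovery_site_region:
        gaps.append("Location: primary and recovery sites share a region, so one event can affect both")
    if ev.recovery_site_tier == "cold":
        gaps.append("Location: cold recovery site needs significant preparation; confirm it can meet the RTO")
    if not ev.board_approved:
        gaps.append("Governance: no evidence of board or senior management approval")
    return gaps
```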


3 Tips to Address Insufficient Vendor Business Continuity and Disaster Recovery Plans  

Now that you understand some of the key differences between BCPs and DRPs, it’s important to consider the next steps if you have concerns about your vendor. Maybe your vendor hasn’t tested its BCP in a few years or the DRP doesn’t address the specific product your organization uses. Here are some tips to consider:

  • Document everything – Make sure to document any gaps or deficiencies, along with your communication with the vendor on how and when they plan to remediate those issues. You may want to consider amending or adding contract language to ensure the vendor is contractually obligated to resolve the issues within a certain time frame. 
  • Obtain formal risk acceptance – The board and senior management should be informed about the adequacy of BCPs and DRPs, especially when the vendor is critical to your operations. If there are any problems, they should be notified and given the details of the vendor’s plan to remediate the issues to decide whether to formally accept the risk.
  • Track the issues – It’s important to continually track any issues and follow up with the vendor through remediation. Ongoing activities like periodic risk re-assessments may need to occur more frequently until the vendor has resolved the issues with its BCP and DRP.

A vendor’s business continuity and disaster recovery plans provide a lot of insight into whether it is adequately prepared for a business-disrupting event. A BCP reveals how the vendor will maintain its operations, while a DRP shows how it will recover its losses and resume its services. Evaluating both plans is an essential step that supports your own organization’s resiliency. 
