What is disaster management? And how is it different from BC/DR?
We won’t blame you if you use some of the terms interchangeably. After all, they all refer to some aspect of disaster planning, whether it’s preventing a disaster or responding to one. But if you want to ensure both the safety of employees and the continuity of operations at your organization, then it’s important to know the subtle differences between each term.
Here’s what you need to know.
What is disaster management?
Disaster management (DM) is the process of managing all phases of a disaster scenario: before, during and after the event occurs. These phases are typically divided into four distinct stages: prevention, preparation, response and recovery.
Together, those four stages represent what is referred to as the disaster management cycle, because each stage flows into the next and ultimately feeds back into the first, starting all over.
The term “disaster management” is sometimes used as an umbrella term to describe all the tactics, steps and systems that an organization uses as part of its disaster planning. A key component that differentiates it from IT-specific business continuity planning is the additional focus on the human element: safety, shelter, evacuation and so on.
DM vs. DR – what’s the difference?
So, what’s the difference between disaster management and disaster recovery?
Typically, disaster recovery is specific to IT infrastructure and operational continuity. Also referred to as business continuity and disaster recovery (BC/DR), it refers to the systems and protocols for recovering after an event has disrupted operations. For example, restoring lost data from a backup is an example of a critical disaster recovery process.
Disaster recovery can indeed be part of disaster management, but it would just be one component within the fourth stage of the cycle: recovery.
Disaster management is different from disaster recovery in that DM encompasses the much larger picture of disaster planning at an organization, not just the mechanisms for IT recovery.
So, it’s part of business continuity planning?
Yes, it can be – though the key difference between business continuity and disaster management is that BC is focused primarily on keeping the business running, whereas DM is also focused on the safety of employees, hazards created by a disaster and so on.
Some organizations include their disaster management protocols within their business continuity plan (BCP) and vice versa. Every BCP should define its objectives at the start of the document. So if your BCP will be focused exclusively on IT, then you’ll want to have separate documentation for your DM planning.
4 stages of disaster management
DM consists of 4 stages, helping organizations to plan and prepare for every angle of a disaster scenario.
Here’s a simple way to think about each of these stages:
- Prevention: How do we prevent the disaster from happening in the first place? This stage occurs prior to the event and includes things like risk assessments and business impact analyses, which help to identify vulnerabilities and preventative measures.
- Preparation: How do we prepare for a likely disaster? This stage includes all the steps that an organization must take in preparation for a disruptive event, such as emergency drills, training, acquiring supplies, designating shelters and so on.
- Response: How do we respond after disaster strikes? This stage occurs after the disaster and includes the most immediate steps necessary for a successful recovery, including damage assessments, emergency aid and mitigation efforts.
- Recovery: How do we recover from a disaster? This is the final stage of the DM cycle and it includes all the steps and systems needed to bring everything “back to normal.” In IT, this could mean things like data recovery or restoring/replacing failing server hardware. Outside of IT, it could mean resuming full operational levels, repairing a damaged structure, completion of a permanent relocation and so on.
Performing a final assessment is an important last step of the recovery stage. A company should assess every aspect of the disaster, including how it happened, how the company responded and the effectiveness of that response. This assessment will help to identify what went right, as well as opportunities for improvements.
This is also how the last stage of disaster management feeds back into the first stage, restarting the cycle. When the assessment identifies weaknesses in response or a lack of adequate planning, the prevention and preparation stages should then be updated with better solutions and procedures.
Real-world disasters in the workplace
Disasters in a business setting can take numerous forms.
Any event that can threaten your operations—even if it’s just the Internet going down or a few computers being infected by malware—can turn into a costly disaster. That’s why it’s critical to plan not only for the most severe natural disasters but also the threats to your bottom line.
The U.S. Department of Homeland Security lists the following examples of hazards that businesses need to prepare for:
- Natural hazards like floods, hurricanes, tornadoes, and earthquakes
- Health hazards such as widespread and serious illnesses like the flu
- Human-caused hazards including accidents and acts of violence
- Technology-related hazards like power outages and equipment failure
40% of businesses affected by natural or human-caused disaster never reopen their doors. And yet, nearly two-thirds of surveyed businesses reported they do not have an emergency plan for their business.
Where to start
It’s common for smaller businesses to put off their disaster management planning because they don’t know where to start or they don’t have the resources to invest in a comprehensive preparedness program.
But planning for disaster, while critical, does not need to be a massive undertaking. The first step to creating this program is implementing a preparedness policy.
Here’s how to do it:
- Create a document that outlines the policy
- Define the goals and objectives of your DM program
- Designate roles and responsibilities (Who does what?)
- Evaluate risks and their impact on the business
Examples of objectives for a basic preparedness program:
- Ensure the safety of employees, visitors and contractors from potential disaster scenarios
- Minimize disruptions of business operations
- Protect physical structures, assets and equipment
- Safeguard data, IT infrastructure and services
- Ensure the company’s reputation and brand
You may find that each one of these objectives branches off into its own list of comprehensive planning strategies – and that’s fine. For example, you will likely determine the need to develop a separate business continuity plan or IT disaster recovery plan.
To simplify things, complete the initial list of objectives first. Then, go back to build more specific goals, steps and protocols underneath each one.
Policies, procedures and precautions
Strong disaster management policies will make your business better prepared for a disaster. These policies should dictate both the pre-event precautionary procedures and post-disaster protocols.
Let’s take the sample objective above: “Ensure the safety of employees…” That’s a pretty broad goal, so how do you actually achieve it? The key is to develop policies for that objective that apply to each of the four DM stages.
Here are some examples that could apply to each:
- Prevention: Precautionary policies for installing smoke detectors, complying with fire codes, building construction codes, continual risk assessments, deployment of anti-malware solutions, etc.
- Preparation: Policies for conducting employee training & education, emergency response drills, evacuation plans, supply acquisition, etc.
- Response: Procedures for responding to the disaster, “putting out the fire,” contacting authorities, enacting IT disaster recovery protocols, step-by-step plans for getting employees to safety, activating emergency communication plans, etc.
- Recovery: Policies for restoring operations back to 100%, business relocation, structure damage repair, IT hardware replacement, restoring workforce levels, etc.
The long road to recovery
Larger disasters can take weeks, months or even years for a full recovery. One full year after the city of Atlanta was hit by ransomware in 2018, the city was still recovering its systems and deploying new technologies to prevent it from happening again.
In Texas, as Houston-area businesses are now preparing for the 2019 hurricane season, some businesses are still recovering from Hurricane Harvey in 2017.
Disaster management policies alone won’t guarantee an organization’s survival after a devastating event. But they can greatly reduce risk and make recovery efforts much faster and more seamless. That speed is essential to a company’s ability to recover.
Rough obstacles for small businesses
Small companies are especially vulnerable to disaster. Unlike larger companies, they don’t have the resources to sustain a prolonged recovery.
According to FEMA, 90% of small businesses fail within a year if they are unable to reopen their doors within 5 days after a disaster.
In the case of Hurricane Harvey, one of the most difficult challenges for very small businesses was not the flooding or structural damage repairs: it was finding new staff after employees were displaced by the storm.
Tips for making disaster management more manageable
Every business needs to plan for disaster. But the size of your investment in disaster management will largely depend on the size of the business.
- For the smallest businesses, developing a disaster management plan is a fundamental first step, even if the initial planning is a bit light. It is most important to be aware of all the risks to your operations and have a plan for recovery.
- Companies with more employees need to take DM planning even more seriously. Employee safety is a chief concern, as is their ability to do their jobs and keep the business running. Small to medium businesses can make this process easier by creating a small team consisting of personnel from different parts of the company.
- Medium to large businesses must adopt a more comprehensive range of policies to protect all aspects of the business. They should make larger investments in teams and technologies to ensure both the safety of workers and continuity of operations.
If you’re new to the DM planning process, consult with an experienced disaster planning specialist or use public resources like those from Ready.gov to see how to properly organize the planning for your business.
Don’t forget data protection
Backing up your data is a crucial component of any disaster management strategy. For more information on today’s advanced data protection solutions for small to medium-size businesses, request a free demo or contact our business continuity experts at Invenio IT. Call (646) 395-1170 or email [email protected].