In many organizations we have dealt with business continuity and disaster recovery have become fragmented. There is one team focused on the business process and their associated continuity. And then there is the IT team focused on ensuring the technology is up when it should be.
The problem is that if the two programs do not coordinate your organization will be missing a key opportunity identify risks and mitigate prior to an event occurring.
So how do you integrate the two sometimes disparate processes? In my experience it has worked most effectively when IT views the BC program as an opportunity to justify solutions needed by the business. If IT defines their own RTOs and RPOs for systems without input from the business users their opinions dictate the objectives. In most cases this becomes skewed because IT associates the users that scream the loudest with criticality. This view of technology can easily be flawed because there are many times manual work around that can be implemented for a short time during a disaster which can give IT a few extra hours. A few extra hours can be the difference between a recovery solution that costs thousands vs hundreds of thousands.
The business continuity needs to make it their goal to deliver to IT a list of RTOs/RPOs for each system. This means they need to work together to define each system. Sometimes the continuity program does not use a consistent application/system list and the data they end up providing to IT is of no use.
The IT programs needs to make it their goal to deliver to the BC program a definitive list of Recovery Times and Points for each system as well as an accurate estimate of what a lower RT/RP costs.
IT and the Continuity program owners should annually sit down to review all systems that can’t meet the RTO and RPO requirements.