Tuesday, June 1, 2021

Business Continuity vs. Disaster Recovery

When people start to develop plans to deal with a major impact event they are confronted by two different terms: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). A mistake often made by organizations is that if they have an IT DRP that they are OK. That is not always the case. There is quite a difference between these two plans and it is important that your organization understands the differences, and what type of planning each requires.
The nature of both of these topics is sufficiency extensive that we will not cover building a Business Continuity Plan or Disaster Recovery Plan in this post. We will save those for future posts. In this post, we will make the case that BCP & DRP are different, and you need to plan for both.

Disaster Recovery Plan
A disaster recovery plan (DRP) documents the policies, procedures and actions to limit the disruption to an organization in the wake of a disaster. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of actions intended to minimize the negative impact of a disaster and allow the organization to maintain (or quickly resume) mission-critical infrastructure functions. For most companies, the emphasis of DRP is more on their IT infrastructure than maintaining business operations.

For DRP, the question you must answer is, "If we lost any of our IT services, how would we recover?"

Business Continuity Plan
A business continuity plan (BCP) describes the processes and procedures an organization must put in place to ensure that mission-critical business functions can continue during and after a disaster. The emphasis of BCP is more on maintaining business operations than IT infrastructure.

For BCP, the question you must answer is, "If we lost our building or staff, how would we recover?"

Understanding Risk
Often, organizations consider DCP or BCP the same and plan just for one. That is an incorrect assumption. The reason why that is incorrect is either from the perspective of misunderstanding all of their risks, or choosing to accept a level of risk that is higher than the organization can actually tolerate.

Many organizations put the responsibility of mitigating operational risk on the IT department. I believe that is a misconception caused by organizational management understanding their business, but perceive IT as complicated and something they do not understand as well. Then, they look to the IT department to mitigate the risks in IT. My position is that the responsibility of mitigating operational risk falls on the Finance department since they are responsible for all the day to day accounting for the business leading to profitability. Therefore, the Finance department must ensure all risk to profitability is defined and mitigated.

Risk Assessment
The first step that an organization needs to take is to perform a risk assessment. In short, a risk assessment will identify and estimate of the types and levels of risk that will impact the organization. The next step is to compare the uncovered risks against the determination of the acceptable level of risk within each department in the organization. What should come out of the completed risk assessment are a set of risks throughout the organization, impacting both the IT and the business functions.

The risks that are identified as impacting IT will fall under the Disaster Recovery Plan. The risks that are identified as impacting the business functions will fall under the Business Continuity Plan. While the 2 plans will have details that are interrelated, the 2 plans must be defined, developed and maintained separately to be completely effective. But, they must be developed with consideration of each others goals and planned outcomes.


  1. Excellent post. Most organizational leaders need to understand the difference as it is described in this post

  2. This post came along at the right time. Recently, I've begun studying disaster recovery plans.


I encourage you to add your comment to this post...