Incident response

What is the difference between business continuity planning & disaster recovery?

January 4, 2018 by

How much downtime can your business afford? What happens to your customer base if your company is down, but your competitors are able to operate? How much profit can you afford to lose without it crippling your business?

Today’s businesses cannot afford even minor disruptions. They cost time, money, market share and customer loyalty. Of course, there is a myriad of threats out there that can destabilize a company and lead to downtime, ranging from natural disasters like floods, fires and earthquakes to cyber-attacks, terrorist attacks and everything in between.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Business continuity planning helps ensure that you suffer as few repercussions of those disruptions as possible.

What is business continuity?

According to, a business continuity plan (BCP) is a tool designed to help ensure business disruptions are minimized, and the impact of those disruptions on revenue and profits is mitigated.

Business continuity actually involves four key elements:

  1. Conducting a business impact analysis
  2. Identifying, documenting and implementing critical business functions and processes for recovery
  3. Organizing a business continuity team
  4. Creating a business continuity plan

Training for the continuity team could be seen as a fifth element.

Why do you need a business continuity plan?

A business continuity plan is an essential consideration for ensuring disruptions have minimal impact on your company. But it’s about more than just “weathering the storm.” It’s about identifying and recognizing the threats your business faces, while simultaneously helping ensure assets are protected and your business personnel are not put at additional risk.

By first identifying threats, and then determining how those threats can affect your business, you can build safeguards that mitigate risk, helping ensure you can withstand attacks, natural disasters and even the effects of physical, violent attacks.

However, a good plan will also be tailored for other threats. For instance, in the case of a disease outbreak, how would your company operate? In the face of wildfires and mandatory evacuation, how would your business continue to serve customers?

What about how much time and money should you invest in planning and preparedness? There is no one-size-fits-all answer here, unfortunately. In truth, you should determine the extent of your efforts based on the results of your business impact analysis. Businesses in different industries, niches and even geographic areas will have widely varying needs in terms of planning and preparedness. In the end, your efforts should be customized to your company’s specific needs and risks.

What is the difference between business continuity planning & disaster recovery?

It can be easy to confuse disaster recovery (DR) with business continuity planning (BCP), as they’re similar. However, they are actually very different. Disaster recovery should be a part of your business continuity plan, but your business continuity plan should encompass far more than just disaster recovery.

In a nutshell, BCP comprises the plans and strategies that your business will follow to ensure it can continue to operate despite threats and disasters. Disaster recovery, on the other hand, actually refers to the collection of information technology solutions that will help with recovery if needed.

How do business continuity planning & disaster recovery work together?

As mentioned, business continuity planning refers to the strategies and plans implemented to ensure your business remains operational in the face of threats. Disaster recovery consists of technology and techniques harnessed should the worst happen. Both work together to help protect your business and reduce both the chance of data loss, as well as the impact of any data that might be lost.

For instance, your business continuity plan might require that the IT department audit business apps to determine criticality which ones are the most important, and which areas can stand the least amount of data loss. Based on the results of the audit specified in your BCP, the IT team would then create disaster recovery solutions tailored to your unique risk tolerance and risk management needs. For instance, super-critical apps might have off-site data backups performed daily, while less-critical apps might have their data backed up once every three to five days.

What is the importance of business continuity in risk management & policy planning?

Risk management and policy planning are two crucial components of running a successful business, regardless of size or industry.

Risk management involves the identification of threats and risks, determining the effects of those risks on your company and then determining ways to minimize those risks. Policy planning is simply the planning and creation of policies that personnel within your organization will follow in regard to areas affected by risks.

Questions that should be covered during policy planning include:

  • How often should your employees change their computer passwords?
  • What is your policy on personal devices brought to the workplace?
  • What is your policy regarding spam emails or obvious phishing attempts?
  • What is your policy involving remote access of the company’s network?

These are just a fraction of the potential questions that should be covered during policy planning. Ultimately, risk management and policy planning should not be seen as separate from business continuity planning. They are both critical concepts that support BCP, along with others, such as program management, testing, risk awareness and more.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.


Ultimately, both business continuity planning and disaster recovery planning are vital to your business. Business continuity planning should revolve around business processes, while disaster recovery planning should center on the technology that allows you to respond and recover from emergencies, disasters, cyber-attacks and other threats.