Business Continuity vs Disaster Recovery: They're Not the Same

A Business Continuity Plan (BCP) is a comprehensive plan that identifies critical business functions, assesses the risks that could disrupt them, and defines the strategies, procedures, and resources needed to maintain or quickly resume those functions during and after a disruption. The scope of a BCP extends well beyond IT — it covers people, facilities, supply chains, communications, regulatory obligations, and stakeholder management. A BCP answers the question: "How does the business keep operating when something goes seriously wrong?"

A Disaster Recovery Plan (DRP) is a subset of the BCP that focuses specifically on restoring IT systems, data, and infrastructure after a disruption. The DRP details how servers will be recovered, which backup systems will be activated, how network connectivity will be restored, and what the priority order is for bringing applications back online. While the BCP might address how staff will work from home if the office is inaccessible, the DRP addresses how the email server, file shares, and ERP system will be made available to those remote workers.

Treating business continuity and disaster recovery as the same thing creates dangerous blind spots. An organisation with an excellent DRP can fail catastrophically if it has not addressed the non-IT aspects of continuity. Consider a scenario where a bushfire destroys an office. The DRP ensures that servers and data are recovered from cloud backups within hours. But without a BCP, no one has thought about where staff will work, how clients will be contacted, who has authority to make emergency expenditures, or how insurance claims will be managed. Conversely, a BCP without a DRP is equally incomplete — the plan may direct staff to work from home, but if the IT systems they depend on are down, they cannot do anything productive.

The Business Impact Analysis is the foundation of both BCP and DRP. A BIA systematically identifies the organisation's critical business functions and quantifies the impact of their disruption over time. For each function — such as order processing, customer support, payroll, or manufacturing — the BIA determines the Maximum Tolerable Period of Disruption (MTPD): the longest the function can be unavailable before the consequences become unacceptable. From the MTPD, the organisation derives its Recovery Time Objective (RTO) — the target time to restore the function — and Recovery Point Objective (RPO) — the maximum acceptable data loss.

Conducting a BIA involves interviewing business unit leaders and process owners to understand dependencies, peak periods, regulatory deadlines, and financial impacts. The output is a prioritised list of business functions ranked by criticality, along with their RTO and RPO targets. This list drives every subsequent decision — which systems get replicated to a DR site, which staff are designated as essential during a crisis, and how much the organisation should invest in resilience measures. Without a BIA, continuity and recovery planning is guesswork.

Business continuity planning follows a structured lifecycle. Step 1: Initiation and governance — secure executive sponsorship, appoint a BC coordinator, and define the scope of the programme. Step 2: Risk assessment and BIA — identify threats (natural disasters, cyberattacks, supply chain failures, pandemics, utility outages) and conduct the business impact analysis. Step 3: Strategy development — for each critical function, define the continuity strategy. This might include alternative work locations, cross-training of staff, redundant suppliers, manual workaround procedures, or IT failover to a DR site.

Step 4: Plan development — document the BCP with clear activation criteria, roles and responsibilities, communication trees, and step-by-step procedures for each scenario. Step 5: Testing and exercising — validate the plan through tabletop exercises, functional drills, and full-scale simulations. Step 6: Maintenance and improvement — review the plan at least annually, after every significant incident, and whenever the business undergoes major changes such as acquisitions, relocations, or technology migrations. A BCP that sits in a drawer untested and unmaintained provides a false sense of security.

Testing is where plans meet reality, and most organisations do not test enough. A tabletop exercise is the simplest form: key stakeholders gather around a table (or a video call) and walk through a scenario verbally, discussing what they would do at each stage. Tabletop exercises are inexpensive, non-disruptive, and excellent at exposing gaps in communication plans and decision-making authority. A functional drill tests a specific component of the plan in practice — for example, failing over the ERP system to the DR site and verifying that users can connect and transact. A full-scale simulation exercises the entire plan end-to-end, including activating alternate work sites, invoking communication trees, and running business operations on DR infrastructure for a sustained period.

For MSPs advising clients, the recommended cadence is a tabletop exercise every six months and a functional DR failover test at least annually. Document all test results, including what worked, what failed, and what actions are needed. Feed these findings back into the plan maintenance cycle. Clients who have never tested their plan should start with a tabletop exercise — it is low risk and often reveals surprising gaps, such as contact lists with outdated phone numbers or staff who have changed roles since the plan was written.

Australian organisations looking for formal guidance on business continuity can reference two key standards. AS/NZS 5050:2020 — Business Continuity: Managing Disruption-Related Risk is the Australian and New Zealand standard that integrates business continuity with enterprise risk management. It provides a risk-based framework for identifying, assessing, and treating disruption-related risks, and is designed to complement the broader risk management standard AS/NZS ISO 31000. AS/NZS 5050 is particularly useful for organisations that want to embed continuity planning within their existing risk management governance rather than treating it as a standalone programme.

ISO 22301:2019 — Business Continuity Management Systems is the international standard for establishing, implementing, maintaining, and continually improving a business continuity management system (BCMS). It follows the familiar Plan-Do-Check-Act cycle and is certifiable, meaning organisations can obtain independent verification of their BCMS. While formal certification may be overkill for smaller clients, the structure of ISO 22301 provides an excellent checklist for building a comprehensive BCP. Many government tenders and regulated-industry contracts in Australia now ask suppliers to demonstrate alignment with ISO 22301 or AS/NZS 5050.

As a managed service provider, your primary responsibility falls within the disaster recovery domain — ensuring that IT systems, data, and connectivity can be restored within agreed RTO and RPO targets. However, there is a significant consulting opportunity in helping clients develop their broader BCP. Many SMBs lack the internal expertise to conduct a BIA, develop continuity strategies, or run tabletop exercises. By offering BCP advisory services alongside your technical DR capabilities, you position yourself as a strategic partner rather than just a technology vendor. This deepens the client relationship and creates a recurring engagement model built around annual BIA reviews, plan updates, and testing exercises.