Black and blue background

Disaster recovery (DR) consists of IT technologies and best practices designed to prevent or minimize data loss and business disruption resulting from catastrophic events—everything from equipment failures and localized power outages to cyberattacks, civil emergencies, criminal or military attacks, and natural disasters.

Many businesses—especially small- and mid-sized organizations—neglect to develop a reliable, practicable disaster recovery plan. Without such a plan, they have little protection from the impact of significantly disruptive events.

Infrastructure failure can cost as much as  USD 100,000 per hour  (link resides outside IBM), and critical application failure costs can range from USD 500,000 to USD 1 million per hour. Many businesses cannot recover from such losses. More than 40% of small businesses will not re-open after experiencing a disaster, and among those that do, an additional 25% will fail within the first year after the crisis. Disaster recovery planning can dramatically reduce these risks.

Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster recovery plan.

Disaster recovery also involves ensuring that adequate storage and compute is available to maintain robust failover and failback procedures.  Failover  is the process of offloading workloads to backup systems so that production processes and end-user experiences are disrupted as little as possible.  Failback  involves switching back to the original primary systems.

Read our article to learn more information about  the important distinction between backup and disaster recovery planning .

Business continuity planning creates systems and processes to ensure that all areas of your enterprise will be able to maintain essential operations or be able to resume them as quickly as possible in the event of a crisis or emergency. Disaster recovery planning is the subset of business continuity planning that focuses on recovering IT infrastructure and systems.

Business impact analysis

The creation of a comprehensive disaster recovery plan begins with business impact analysis. When performing this analysis, you’ll create a series of detailed disaster scenarios that can then be used to predict the size and scope of the losses you’d incur if certain business processes were disrupted. What if your customer service call center was destroyed by fire, for instance? Or an earthquake struck your headquarters?

This will allow you to identify the areas and functions of the business that are the most critical and enable you to determine how much downtime each of these critical functions could tolerate. With this information in hand, you can begin to create a plan for how the most critical operations could be maintained in various scenarios.

IT disaster recovery planning should follow from and support business continuity planning. If, for instance, your business continuity plan calls for customer service representatives to work from home in the aftermath of a call center fire, what types of hardware, software, and IT resources would need to be available to support that plan?

Risk analysis

Assessing the likelihood and potential consequences of the risks your business faces is also an essential component of disaster recovery planning. As cyberattacks and ransomware become more prevalent, it’s critical to understand the general cybersecurity risks that all enterprises confront today as well as the risks that are specific to your industry and geographical location.

For a variety of scenarios, including natural disasters, equipment failure, insider threats, sabotage, and employee errors, you’ll want to evaluate your risks and consider the overall impact on your business. Ask yourself the following questions:

Prioritizing applications

Not all workloads are equally critical to your business’s ability to maintain operations, and downtime is far more tolerable for some applications than it is for others. Separate your systems and applications into three tiers, depending on how long you could stand to have them be down and how serious the consequences of data loss would be.

Documenting dependencies

The next step in disaster recovery planning is creating a complete inventory of your hardware and software assets. It’s essential to understand critical application interdependencies at this stage. If one software application goes down, which others will be affected?

Designing resiliency—and disaster recovery models—into systems as they are initially built is the best way to manage application interdependencies. It’s all too common in today’s  microservices -based architectures to discover processes that can’t be initiated when other systems or processes are down, and vice versa. This is a challenging situation to recover from, and it’s vital to uncover such problems when you have time to develop alternate plans for your systems and processes—before an actual disaster strikes.

Establishing recovery time objectives, recovery point objectives, and recovery consistency objectives

By considering your risk and business impact analyses, you should be able to establish objectives for how long you’d need it to take to bring systems back up, how much data you could stand to use, and how much data corruption or deviation you could tolerate.

Your recovery time objective (RTO) is the maximum amount of time it should take to restore application or system functioning following a service disruption.

Your recovery point objective (RPO) is the maximum age of the data that must be recovered in order for your business to resume regular operations. For some businesses, losing even a few minutes’ worth of data can be catastrophic, while those in other industries may be able to tolerate longer windows.

A recovery consistency objective (RCO) is established in the service-level agreement (SLA) for continuous data protection services. It is a metric that indicates how many inconsistent entries in business data from recovered processes or systems are tolerable in disaster recovery situations, describing business data integrity across complex application environments.

Regulatory compliance issues

All disaster recovery software and solutions that your enterprise have established must satisfy any data protection and security requirements that you’re mandated to adhere to. This means that all data backup and failover systems must be designed to meet the same standards for ensuring data confidentiality and integrity as your primary systems.

At the same time, several regulatory standards stipulate that all businesses must maintain disaster recovery and/or business continuity plans. The Sarbanes-Oxley Act (SOX), for instance, requires all publicly held firms in the U.S. to maintain copies of all business records for a minimum of five years. Failure to comply with this regulation (including neglecting to establish and test appropriate data backup systems) can result in significant financial penalties for companies and even jail time for their leaders.

Choosing technologies

Backups serve as the foundation upon which any solid disaster recovery plan is built. In the past, most enterprises relied on tape and spinning disks (HDD) for backups, maintaining multiple copies of their data and storing at least one at an offsite location.

In today’s always-on digitally transforming world, tape backups in offsite repositories often cannot achieve the RTOs necessary to maintain business-critical operations. Architecting your own disaster recovery solution involves replicating many of the capabilities of your production environment and will require you to incur costs for support staff, administration, facilities, and infrastructure. For this reason, many organizations are turning to cloud-based backup solutions or full-scale Disaster-Recovery-as-a-Service (DRaaS) providers.

Choosing recovery site locations

Building your own disaster recovery  data center  involves balancing several competing objectives. On the one hand, a copy of your data should be stored somewhere that’s geographically distant enough from your headquarters or office locations that it won’t be affected by the same seismic events, environmental threats, or other hazards as your main site. On the other hand, backups stored offsite always take longer to restore from than those located on-premises at the primary site, and network latency can be even greater across longer distances.

Continuous testing and review

Simply put, if your disaster recovery plan has not been tested, it cannot be relied upon. All employees with relevant responsibilities should participate in the disaster recovery test exercise, which may include maintaining operations from the failover site for a period of time.

If performing comprehensive disaster recovery testing is outside your budget or capabilities, you can also schedule a “tabletop exercise” walkthrough of the test procedures, though you should be aware that this kind of testing is less likely to reveal anomalies or weaknesses in your DR procedures—especially the presence of previously undiscovered application interdependencies—than a full test.

As your hardware and software assets change over time, you’ll want to be sure that your disaster recovery plan gets updated as well. You’ll want to periodically review and revise the plan on an ongoing basis.

The IBM Knowledge Center provides an  example of a disaster recovery plan .

Disaster-Recovery-as-a-Service (DRaaS) is one of the most popular and fast-growing managed IT service offerings available today. Your vendor will document RTOs and RPOs in a service-level agreement (SLA) that outlines your downtime limits and application recovery expectations.

DRaaS vendors typically provide cloud-based failover environments. This model offers significant cost savings compared with maintaining redundant dedicated hardware resources in your own data center. Contracts are available in which you pay a fee for maintaining failover capabilities plus the per-use costs of the resources consumed in a disaster recovery situation. Your vendor will typically assume all responsibility for configuring and maintaining the failover environment.

Disaster recovery service offerings differ from vendor to vendor. Some vendors define their offering as a comprehensive, all-in-one solution, while others offer piecemeal services ranging from single application restoration to full data center replication in the cloud. Some offerings may include disaster recovery planning or testing services, while others will charge an additional consulting fee for these offerings.

Be sure that any enterprise software applications you rely on are supported, as are any public cloud providers that you’re working with. You’ll also want to ensure that application performance is satisfactory in the failover environment, and that the failover and failback procedures have been well tested.

If you have already built an on-premises disaster recovery (DR) solution, it can be challenging to evaluate the costs and benefits of maintaining it versus moving to a monthly DRaaS subscription instead.

Most on-premises DR solutions will incur costs for hardware, power, labor for maintenance and administration, software, and network connectivity. In addition to the upfront capital expenditures involved in the initial setup of your DR environment, you’ll need to budget for regular software upgrades. Because your DR solution must remain compatible with your primary production environment, you’ll want to ensure that your DR solution has the same software versions. Depending upon the specifics of your licensing agreement, this might effectively double your software costs.

Not only can moving to a DRaaS subscription reduce your hardware and software expenditures, it can lower your labor costs by moving the burden of maintaining the failover site to the vendor.

If you’re considering third-party DRaaS solutions, you’ll want to make sure that the vendor has the capacity for cross-regional multi-site backups. If a significant weather event like a hurricane impacted your primary office location, would the failover site be far enough away to remain unaffected by the storm? Also, would the vendor have adequate capacity to meet the combined needs of all its customers in your area if many were impacted at the same time? You’re trusting your DRaaS vendor to meet RTOs and RPOs in times of crisis, so look for a service provider with a strong reputation for reliability.

Read “ Disaster Recovery as a Service (DRaaS) vs. Disaster Recovery (DR): Which Do You Need? ” for a comparative overview of both solutions.

Related solutions

Cloud disaster recovery solutions.

Protect your data with a cloud disaster recovery plan.

Zerto on IBM Cloud

Achieve RPO in seconds and RTO in minutes, with an easy-to-deploy and scalable data-protection solution.

IBM Cloud global data centers

Run smoother with deployment options for every workload. Our network is resilient, redundant, highly available.

Gain the skills and knowledge required to begin a career as an IBM Cloud Professional Architect. Validate your capabilities in an interactive curriculum that prepares you for IBM Cloud certification.

Learn the basics of backup and disaster recovery so you can formulate effective plans that minimize downtime.

Compare the costs, benefits, and functionality of on-premises disaster recovery solutions and DRaaS.

Business Continuity Plan

Power through business disruptions and ascertain operational stability with a practical and effective business continuity plan

business continuity planning with a digital tool

Published 15 Feb 2023

What is a Business Continuity Plan?

A business continuity plan is a practical guide developed by companies to enable continuous operations in the event of major business disruptions like natural disasters and global lockdowns. Business continuity planning usually involves analyzing the impact of disrupted business processes and determining recovery strategies with management. Business continuity plans should also be properly documented and tested through exercises for optimal effectiveness.

Business Continuity Plan Sample PDF Report

Business Continuity Plan | View Sample PDF

The goal of a business continuity plan is to strengthen the defense of businesses against a number of potential disruptions. It also aims to maintain critical business functions during unforeseen disasters. With a comprehensive business continuity plan, leaders can ensure that despite restrictions, there would be a reduced impact on the company, its employees, and operations.

With economies impaired by the COVID-19 pandemic , business continuity has increasingly become a top priority for organizations around the world. A business continuity plan (BCP) is important because it helps companies maintain essential functions amid or after emergency situations, protecting their reputation and minimizing financial losses. Moreover, it helps employers stay on top of disruptive incidents and empower workers to complete job tasks with confidence.

The main difference between a business continuity plan and a disaster recovery plan is that the former encompasses the latter—that is, business continuity planning includes disaster recovery planning. I SO 22301:2019 is the international standard for business continuity management (BCM) systems, and it outlines how specific plans for disaster recovery, incident preparedness, and emergency response may be needed rather than just one large plan for business continuity.

Creating a business continuity plan seems to be a daunting task at first, especially for managers of operations, information technology, and human resources as they are often designated with this duty. As recommended by the International Labour Organization (ILO), listed below are general steps in developing a business continuity plan for small to medium sized enterprises (SMEs):

Digitize the way you Work

Empower your team with SafetyCulture to perform checks, train staff, report issues, and automate tasks with our digital platform.

When planning for business continuity, it helps to break down its elements into quickly-understood segments. Keeping the plan user-focused can also help ensure usability and promote transferability. The following is a brief ILO example of how a small business owner developed a business continuity plan to mitigate the impact of COVID-19 :

COVID-19 Risk Assessment: high-risk profile

Key Products: different types of canned sardines


Potential Impact of Disruptions:

4Ps Framework Action Points:

Contact Lists:

Even when disruptions can force businesses to shut down, yours doesn’t have to. Aim for operational stability by developing and implementing a business continuity plan with the help of a simple tool like SafetyCulture (formerly iAuditor) . SafetyCulture is a digital platform that empowers people to work safely and efficiently through mobile checklists, actions, and reporting.

Using SafetyCulture as a business continuity software , here’s how different companies around the world reached business continuity amid COVID-19 :

Coming Out Strong as the Pandemic Unfolded

Footasylum is a sports fashion retailer in the UK with 70 stores and over 2,700 employees nationwide. Because of the emerging novel coronavirus outbreak, they knew it was inevitable for retail stores to close without an idea when they could safely reopen.

They used SafetyCulture to safely reopen stores by conducting a preliminary COVID-19 store opening check which provided incredibly quick insight on the current state of the stores and created actions for what needed to be done to control health and safety risks.

Now that stores are open, the team uses SafetyCulture to monitor daily activity through a retail COVID-19 daily requirements check , giving the management confidence that they are doing everything that is reasonably practicable to ensure the safety of their staff and customers.

“We have come out of this as a really strong team, and pride is really high,” said Jane Buck, Head of Human Resources and Health and Safety.

Acting at Lightning Speed to Protect Hundreds of Staff and Thousands of Customers

Statewide Independent Wholesalers (SIW) is a grocery wholesaler that holds and delivers goods for most of the major supermarkets in Tasmania, Australia . When COVID-19 hit, they needed to make decisions quickly due to the risk which was significantly high.

The grocer giant stayed completely focused on meeting COVID-19 hygiene and distancing requirements , as they do around 75 checks every week. Health, Safety, and Environmental Manager Courtney Newman shared, “SafetyCulture is a really valuable tool to do that. It’s made a huge difference to our data collection, and our behavior observation space, too.”

They managed to minimize 6.5 hours of admin time which was useful when they needed that time to keep themselves informed on the latest news and guidance. Courtney continued, “I took the SafetyCulture program and used it the way I wanted to. This means if any of our teams are doing anything of risk, we work with them to make sure they adhere to the guidelines.”

Navigating the Pandemic and Beyond with Safety, Consistency, and Quality

Snooze Eatery is a popular chain of restaurants with 43 locations in the US. During one of the most uncertain periods for hospitality businesses, they used SafetyCulture to build up a culture of safety, consistency, and quality.

During reopening, the team created the brand new role, ‘Safety Dancers’, who are in charge of cleaning, sanitizing, and managing the capacity of the eatery. This meant that guests could trust the safety and cleanliness standards of the restaurant, and enjoy a cup of coffee in bliss.

SafetyCulture has allowed them to reassure their employees and guests during a time where trust in public spaces is low because of the potential health and safety risks. They also don’t just implement COVID-19 protocols with SafetyCulture —it’s a safeguard for food and service quality across all their locations.

“It’s a unique tool. The inspections and templates make you go through a checklist, but it also makes you give proof in the form of photos and notes, and to take care of things on the spot. It holds you to the utmost perfect standard in every way.”

—Katie Birner, Snooze Eatery Assistant General Manager

Business Continuity Plan Templates

Get started with your business continuity plan by using pre-made industry templates you can customize and use on SafetyCulture. This free collection of BCP templates includes audit checklists to help you assess the effectiveness of your business continuity plan, keep it updated, and take action on areas for improvement.


SafetyCulture Content Specialist

Jona Tarlengco

Jona Tarlengco is a content writer and researcher for SafetyCulture since 2018. She usually writes about safety and quality topics, contributing to the creation of well-researched articles. Her 5-year experience in one of the world’s leading business news organisations helps enrich the quality of the information in her work.

In this article

Relevant articles, employee engagement.

Employee engagement may be influenced by various factors such as workplace culture, leadership, and ...

Journey Management

In this guide, you will learn what journey management is, why it’s important, and the most ...

Benefits Business process analysis is consequential to a company’s growth. Whether you work as a ...

workers with high employee engagement level having a fun activity

Related pages

We use cookies to provide necessary website functionality and improve your experience. To find out more, read our updated Privacy Policy .

U.S. flag

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

disaster recovery plan for business continuity

IT Disaster Recovery Plan

world globe

Businesses use information technology to quickly and effectively process information. Employees use electronic mail and Voice Over Internet Protocol (VOIP) telephone systems to communicate. Electronic data interchange (EDI) is used to transmit data including orders and payments from one company to another. Servers process information and store large amounts of data. Desktop computers, laptops and wireless devices are used by employees to create, process, manage and communicate information. What do you when your information technology stops working?

An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan . Priorities and recovery time objectives for information technology should be developed during the business impact analysis . Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.

Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.

Resources for Information Technology Disaster Recovery Planning

IT Recovery Strategies

Recovery strategies should be developed for Information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis . IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.

Information technology systems require hardware, software, data and connectivity. Without one component of the “system,” the system may not run. Therefore, recovery strategies should be developed to anticipate the loss of one or more of the following system components:

Some business applications cannot tolerate any downtime. They utilize dual data centers capable of handling all data processing needs, which run in parallel with data mirrored or synchronized between the two centers. This is a very expensive solution that only larger companies can afford. However, there are other solutions available for small to medium sized businesses with critical business applications and data to protect.

Internal Recovery Strategies

Many businesses have access to more than one facility. Hardware at an alternate facility can be configured to run similar hardware and software applications when needed. Assuming data is backed up off-site or data is mirrored between the two sites, data can be restored at the alternate site and processing can continue.

Vendor Supported Recovery Strategies

There are vendors that can provide “hot sites” for IT disaster recovery. These sites are fully configured data centers with commonly used hardware and software products. Subscribers may provide unique equipment or software either at the time of disaster or store it at the hot site ready for use.

Data streams, data security services and applications can be hosted and managed by vendors. This information can be accessed at the primary business site or any alternate site using a web browser. If an outage is detected at the client site by the vendor, the vendor automatically holds data until the client’s system is restored. These vendors can also provide data filtering and detection of malware threats, which enhance cyber security.

Developing an IT Disaster Recovery Plan

Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.

Identify critical software applications and data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration.

Document the IT disaster recovery plan as part of the business continuity plan . Test the plan periodically to make sure that it works.

Data Backup

Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.

Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to backup, selecting and implementing hardware and software backup procedures, scheduling and conducting backups and periodically validating that data has been accurately backed up.

Developing the Data Backup Plan

Identify data on network servers, desktop computers, laptop computers and wireless devices that needs to be backed up along with other hard copy records and information. The plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a network server. Data on the server can then be backed up. Backing up hard copy vital records can be accomplished by scanning paper records into digital formats and allowing them to be backed up along with other digital data.

Options for Data Backup

Tapes, cartridges and large capacity USB drives with integrated data backup software are effective means for businesses to backup data. The frequency of backups, security of the backups and secure off-site storage should be addressed in the plan. Backups should be stored with the same level of security as the original data.

Many vendors offer online data backup services including storage in the “cloud”. This is a cost-effective solution for businesses with an internet connection. Software installed on the client server or computer is automatically backed up.

Data should be backed up as frequently as necessary to ensure that, if data is lost, it is not unacceptable to the business. The business impact analysis should evaluate the potential for lost data and define the “recovery point objective.” Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.

Last Updated: 02/17/2021

Return to top


  1. Guide to business continuity and disaster recovery in digital

    disaster recovery plan for business continuity

  2. 20 Business Continuity Disaster Recovery Plan Template Gallery Server Disaster Recovery Plan

    disaster recovery plan for business continuity

  3. Disaster Recovery or Business Continuity. What’s the Difference?

    disaster recovery plan for business continuity

  4. Disaster Recovery Plan Disaster Recovery And Business Continuity Auditing Business Continuity

    disaster recovery plan for business continuity

  5. 13+ Disaster Recovery Plan Templates

    disaster recovery plan for business continuity

  6. Disaster Recovery Plan Template

    disaster recovery plan for business continuity


  1. Introducing the National Disaster Recovery Framework

  2. Disaster Recovery Plan (DRP)

  3. International Recovery Forum 2021: Building Back Better from Compound Disasters (Full-length video)


  5. Plan for Disaster Recovery with Business Continuity Management

  6. 30 Sec Recovery from Cyber-Attack


  1. Business Continuity Plan

    Development of a business continuity plan includes four steps: Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them. Identify, document, and implement to recover critical business functions and processes.

  2. Disaster Recovery: An Introduction

    Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster recovery plan.

  3. Business Continuity Plan: Example & How to Write

    Step 3: Establish the business continuity plan objectives Step 4: Evaluate the potential impact of disruptions to the business and its workers Step 5: List actions to protect the business Step 6: Organize contact lists Step 7: Maintain, review, and continuously update the business continuity plan Digitize the way you Work