A business continuity and disaster recovery (BCDR) plan should include a business impact analysis, defined recovery time and recovery point objectives, a documented backup and recovery strategy, a communication plan, clear roles and responsibilities, and a testing schedule. Without all six components, you have a document — not a plan. And according to Veeam research, 76% of organizations would not survive more than three days of downtime, so this is not optional.
What Is the Difference Between Business Continuity and Disaster Recovery?
These terms are often used interchangeably, but they address different problems.
Business continuity (BC) is the broader strategy for keeping your business running during and after a disruption. It covers people, processes, facilities, and technology. If your office floods, business continuity determines how your team keeps working — from where, with what tools, and for how long.
Disaster recovery (DR) is the technology-specific subset of business continuity. It focuses on restoring IT systems, data, and infrastructure after an outage. If your server fails, disaster recovery determines how fast your data comes back and from which backup.
You need both. A disaster recovery plan without business continuity leaves your team sitting at home with no idea what to do. A business continuity plan without disaster recovery gives your team a plan but no working systems to execute it.
What Goes Into a Business Impact Analysis?
The business impact analysis (BIA) is the foundation of your entire BCDR plan. It answers one question: what happens to your business when specific systems go down?
For each critical system, document:
- What the system does and who depends on it
- Revenue impact per hour of downtime. Just one hour of downtime can cost a small business $10,000 or more.
- Operational impact — which processes stop, which can continue manually
- Regulatory impact — does downtime trigger compliance violations or breach notification requirements
- Reputational impact — how do clients and partners perceive the outage
This analysis drives every other decision in your plan. You cannot set meaningful recovery targets without understanding what each hour of downtime actually costs.
What Are RTO and RPO, and Why Do They Matter?
These two metrics define the core of your disaster recovery strategy.
Recovery Time Objective (RTO): How long can your business tolerate a system being down? If your RTO for email is 4 hours, your DR plan must be capable of restoring email within 4 hours.
Recovery Point Objective (RPO): How much data can you afford to lose? If your RPO is 1 hour, your backup system must capture data at least every hour. Any data created between the last backup and the outage is gone.
According to a Datto BCDR report, nearly 1 in 3 IT managers lack confidence that their backup systems can actually meet their recovery targets. The gap between what leadership expects and what the technology can deliver is where businesses get hurt.
Here is a practical framework for setting RTOs and RPOs:
| System | Typical RTO | Typical RPO |
|---|---|---|
| Email and communication | 1–4 hours | 1 hour |
| Line-of-business applications | 2–8 hours | 1–4 hours |
| File storage and documents | 4–12 hours | 4 hours |
| Website and public services | 1–4 hours | 24 hours |
| Archive and historical data | 24–72 hours | 24 hours |
Your specific targets will differ based on your business impact analysis.
What Should Your Backup Strategy Cover?
Your backup strategy is the engine that makes disaster recovery possible. It needs to address:
What gets backed up. Every critical system identified in your BIA. This includes data, configurations, application settings, and system images — not just files.
Where backups are stored. Follow the 3-2-1 rule: maintain 3 copies of your data, on 2 different types of media, with 1 copy stored offsite or in the cloud. This protects against hardware failure, ransomware, and physical disasters simultaneously.
How often backups run. Frequency must match your RPOs. If you cannot lose more than 1 hour of data, hourly backups are the minimum.
How backups are protected. Backups must be encrypted, access-controlled, and immutable (meaning they cannot be modified or deleted by ransomware). Veeam reports that 41% of data is compromised during a cyberattack, and only 57% of compromised data is recoverable. If attackers can reach your backups, your recovery plan fails.
How often backups are tested. A backup that has never been restored is a hope, not a plan. Test your backups regularly.
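The checks described above can be automated against a backup inventory. The following is an added example, not code from the original article or from any backup product: the `Copy` record, the `audit` function, and the inventory entries are hypothetical and constructed for illustration, and the RPO targets are taken from the table earlier on this page. It counts the live production data as one of the three copies, which is an assumption about how the 3-2-1 rule is applied.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Copy:
    system: str
    media: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool
    is_backup: bool               # False for the live production copy
    immutable: bool = False
    encrypted: bool = False
    last_success: Optional[datetime] = None  # last verified backup run

def audit(system, rpo, inventory, now):
    """Return a list of findings for one system; an empty list means compliant."""
    copies = [c for c in inventory if c.system == system]
    backups = [c for c in copies if c.is_backup]
    findings = []
    if len(copies) < 3:
        findings.append("3-2-1: fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: fewer than 2 media types")
    if not any(c.offsite for c in backups):
        findings.append("3-2-1: no offsite backup")
    if not any(c.immutable for c in backups):
        findings.append("protection: no immutable backup")
    if not all(c.encrypted for c in backups):
        findings.append("protection: unencrypted backup")
    # An outage right now loses everything since the newest good backup.
    times = [c.last_success for c in backups if c.last_success]
    if not times or now - max(times) > rpo:
        findings.append("RPO: newest backup older than target")
    return findings

# Constructed sample data (not real systems or timestamps).
NOW = datetime(2024, 1, 15, 12, 0)
RPO = {"email": timedelta(hours=1), "file-storage": timedelta(hours=4)}
INVENTORY = [
    Copy("email", "disk", offsite=False, is_backup=False),
    Copy("email", "disk", False, True, False, True, NOW - timedelta(minutes=30)),
    Copy("email", "object-storage", True, True, True, True, NOW - timedelta(minutes=45)),
    Copy("file-storage", "disk", offsite=False, is_backup=False),
    Copy("file-storage", "disk", False, True, False, True, NOW - timedelta(hours=6)),
]

def audit_all():
    return {name: audit(name, rpo, INVENTORY, NOW) for name, rpo in RPO.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

In this sample, email passes every check, while file storage fails on copy count, media diversity, offsite storage, immutability, and its 4-hour RPO.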
What Should Your Communication Plan Include?
When systems go down, communication is the first casualty — especially if email and phones run on the same systems that failed. Your communication plan needs:
- An out-of-band communication method. Text messages, personal cell phones, or a separate messaging platform that does not depend on your primary systems.
- A contact tree. Who calls whom, in what order. Include employees, key clients, vendors, your IT provider, insurance carrier, and legal counsel.
- Pre-drafted templates. During a crisis, no one writes well under pressure. Draft notification templates for clients, employees, and regulators in advance.
- A spokesperson. Designate who communicates externally. Mixed messages from multiple people make a bad situation worse.
Who Owns What During a Disaster?
Your plan must assign clear roles:
- Incident commander — makes the call to activate the BCDR plan
- IT recovery lead — manages technical restoration (often your MSP)
- Communications lead — handles internal and external messaging
- Business operations lead — manages manual workarounds and client-facing continuity
- Documentation lead — records decisions, timelines, and actions for post-incident review
Every person named in the plan should know their role before a disaster occurs. If people are reading the plan for the first time during an emergency, the plan has already failed.
How Often Should You Test Your BCDR Plan?
Testing turns a document into a capability. At minimum:
- Quarterly: Test backup restoration for critical systems. Verify that RTOs and RPOs are achievable.
- Annually: Run a tabletop exercise where your team walks through a simulated disaster scenario. Identify gaps in communication, decision-making, and technical readiness.
- After every significant change: New servers, new applications, office moves, or staff changes can each invalidate parts of your plan.
According to Veeam research, 76% of organizations say they would not survive more than three days of downtime, yet only 58% of backup restores meet their recovery time targets. Testing is the difference between survival and closure.
ROI Technology Inc. builds and tests BCDR plans for businesses across Western Washington. With decades of in-house IT experience and $0 in ransomware losses among our managed clients, we know what works. Contact us to assess your disaster readiness.