Business continuity planning (BCP), disaster recovery planning (DRP) and enterprise risk management (ERM) are all about dealing with uncertainty, but they operate at different layers of an organisation. BCP focuses on keeping the business running, DRP focuses on recovering technology and infrastructure, and ERM focuses on managing risk to strategy and value across the enterprise.
What is a Business Continuity Plan (BCP)?
A Business Continuity Plan (BCP) is a risk management strategy that outlines how an organisation will continue operating during and after a disruptive incident. It covers critical business functions, people, processes, locations and resources, not just IT.
A robust BCP typically includes:
- Risk assessment and Business Impact Analysis (BIA) to identify critical activities, maximum tolerable downtime and key dependencies.
- Continuity strategies such as alternate sites, remote work arrangements, manual workarounds and cross-training.
- Incident response, crisis management and internal/external communication plans to guide decisions in real time.
- Regular testing, maintenance and training so that plans are lived, not just documented.
In simple terms, BCP asks: “If something serious disrupts us tomorrow, how do we keep serving customers and protecting our stakeholders?”
What is a Disaster Recovery Plan (DRP)?
A Disaster Recovery Plan (DRP) is a documented, technical plan that focuses on restoring IT systems, data and infrastructure after a disruption. It is narrower in scope than a BCP, but deeper in the technology domain, and it is usually one of the concrete risk responses that an organisation's wider disaster risk management strategy relies on.
Core elements of a DRP include:
- Identification of mission-critical applications, systems and data.
- Recovery Time Objectives (RTOs), the target time within which each system must be back in a usable state, and Recovery Point Objectives (RPOs), the maximum acceptable data loss expressed as the age of the last usable backup or replica, defined per system.
- Detailed procedures for data backup, failover, system recovery and rebuild, network recovery and access restoration.
- Roles and responsibilities for the disaster recovery team, escalation criteria and step-by-step activation playbooks.
Where BCP cares about “how do we keep operating?”, DRP cares about “how do we get systems and data back to a usable state within agreed timeframes?”
What is Enterprise Risk Management (ERM)?
Enterprise Risk Management (ERM), as defined by the Institute of Risk Management, is “an integrated and joined up approach to managing all areas’ risks across an organisation and its extended networks.” In other words, ERM is a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
Key features of ERM include:
- A central risk framework that defines risk governance, appetite, processes and roles.
- A portfolio view of risks: strategic risk, financial risk, operational risk, compliance risk, reputational risk, cyber risk, ESG risks, governance risk and more.
- Integration of risk thinking into planning, budgeting, project approval and performance management.
- Continuous monitoring, reporting and improvement, often guided by a risk maturity model.
ERM asks: “What might stop us achieving our objectives, and how do we manage those risks in a coordinated, value-focused way?”
How They Relate and Overlap
BCP and DRP are tactical and operational; ERM is strategic and integrating.
- BCP and DRP sit under the operational/IT risk umbrella within an ERM framework.
- ERM applies risk identification to uncover key risks such as business interruption, technology failures and cyber incidents, and then drives the need for BCP and DRP as risk responses.
- A mature ERM programme treats BCP and DRP not as standalone compliance documents but as critical capabilities for resilience and value protection.
Practically:
- ERM defines risk appetite for downtime, data loss and operational disruption.
- BCP translates this into continuity strategies and a maximum tolerable downtime (MTD) for each critical function (for example, how long front-office operations can be down before the impact becomes unacceptable).
- DRP translates this into technical recovery targets (RTO/RPO) for the systems those functions depend on, and into infrastructure designs (backups, clustering, alternative data centres) that can meet them. Two checks keep the layers consistent: no system's RTO should exceed the MTD of any function that depends on it, and backups must actually complete at least as often as the RPO requires.
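The alignment between the three layers can be checked mechanically once the BIA, the DRP targets and backup evidence are written down. The following script is an added example, not part of the original article: it takes a constructed BIA (critical functions with their MTD and the systems they depend on), constructed DRP targets (RTO/RPO per system) and a constructed log of successful backup completions, then reports dependencies whose RTO exceeds a function's MTD, dependencies with no DRP target at all, and systems whose observed backup cadence cannot satisfy their RPO. All function and system names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BusinessFunction:
    """A critical activity from the BIA and the downtime the business can tolerate."""
    name: str
    mtd_hours: float
    depends_on: tuple  # systems the function cannot operate without


@dataclass(frozen=True)
class SystemTarget:
    """DRP recovery targets for one system."""
    name: str
    rto_hours: float
    rpo_hours: float


# Constructed sample data (hypothetical function and system names).
FUNCTIONS = (
    BusinessFunction("Contact centre", mtd_hours=4, depends_on=("telephony", "crm")),
    BusinessFunction("Online orders", mtd_hours=2, depends_on=("payments",)),
    BusinessFunction("Payroll", mtd_hours=72, depends_on=("hr-db",)),
)

SYSTEMS = {
    "telephony": SystemTarget("telephony", rto_hours=2, rpo_hours=1),
    "crm": SystemTarget("crm", rto_hours=8, rpo_hours=1),
    "hr-db": SystemTarget("hr-db", rto_hours=24, rpo_hours=24),
    # "payments" is deliberately absent: a dependency with no DRP target.
}

# Constructed log of successful backup completions: (system, completion time).
BACKUP_LOG = [
    ("telephony", datetime(2024, 1, 1, 0, 0)),
    ("telephony", datetime(2024, 1, 1, 0, 30)),
    ("telephony", datetime(2024, 1, 1, 1, 0)),
    ("crm", datetime(2024, 1, 1, 0, 0)),
    ("crm", datetime(2024, 1, 1, 1, 0)),
    ("crm", datetime(2024, 1, 1, 3, 30)),  # 2.5 h since the previous backup
    ("crm", datetime(2024, 1, 1, 4, 0)),
    ("hr-db", datetime(2024, 1, 1, 0, 0)),  # a single backup: no interval to measure
]


def rto_gaps(functions, systems):
    """Dependencies whose RTO exceeds the MTD of a function relying on them.

    Returns (function, system, rto_hours, mtd_hours); rto_hours is None when
    the system has no DRP target at all.
    """
    gaps = []
    for func in functions:
        for system_name in func.depends_on:
            target = systems.get(system_name)
            if target is None:
                gaps.append((func.name, system_name, None, func.mtd_hours))
            elif target.rto_hours > func.mtd_hours:
                gaps.append((func.name, system_name, target.rto_hours, func.mtd_hours))
    return gaps


def worst_backup_interval_hours(backup_log):
    """Longest gap between consecutive successful backups, per system.

    Systems with fewer than two backups are omitted: no interval can be measured.
    """
    stamps = {}
    for system_name, completed_at in sorted(backup_log, key=lambda rec: rec[1]):
        stamps.setdefault(system_name, []).append(completed_at)
    worst = {}
    for system_name, times in stamps.items():
        if len(times) >= 2:
            longest = max(b - a for a, b in zip(times, times[1:]))
            worst[system_name] = longest.total_seconds() / 3600
    return worst


def rpo_gaps(systems, observed_intervals):
    """Systems whose observed backup cadence cannot satisfy the RPO.

    Returns {system: (observed_hours, rpo_hours)}; observed_hours is None when
    the log gives no evidence at all, which is itself a finding.
    """
    gaps = {}
    for system_name, target in systems.items():
        observed = observed_intervals.get(system_name)
        if observed is None or observed > target.rpo_hours:
            gaps[system_name] = (observed, target.rpo_hours)
    return gaps


if __name__ == "__main__":
    for func_name, system_name, rto, mtd in rto_gaps(FUNCTIONS, SYSTEMS):
        print(f"RTO gap: {func_name} depends on {system_name} (RTO {rto} h, MTD {mtd} h)")
    intervals = worst_backup_interval_hours(BACKUP_LOG)
    for system_name, (observed, rpo) in rpo_gaps(SYSTEMS, intervals).items():
        print(f"RPO gap: {system_name} worst interval {observed} h, RPO {rpo} h")
```

Run as a script it flags the CRM system twice (its 8-hour RTO is longer than the contact centre's 4-hour MTD, and a 2.5-hour gap between backups breaks its 1-hour RPO), the payments dependency that has no DRP target at all, and the HR database for which the log holds no evidence either way. Feeding real BIA records and backup job logs into the same three functions turns the "siloed plans" problem described in the article into a report that a risk committee can act on.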
Why Organisations Confuse Them – and Why It Matters
BCP and DRP are frequently bundled together as “BC/DR” and sometimes mistakenly equated with ERM. This creates three risks:
- Narrow focus on IT outages
If continuity is seen only as an IT issue, non-IT critical functions (contact centres, physical logistics, offline processes, people availability) may be ignored.
- Tick-box compliance
Plans created to satisfy auditors may be outdated, untested, and unknown to staff. ERM aims to embed risk and continuity thinking into regular decision-making, not just into documents.
- Fragmented response
Without ERM oversight, BCP and DRP can be developed in silos by different teams, leading to inconsistent priorities, conflicting assumptions and gaps in coverage.
Treating BCP, DRP and ERM as distinct but connected disciplines helps ensure that resilience is designed at the right levels: strategic, operational and technical.
A Simple Way to Explain It to Boards and Teams
- ERM: “How do we manage all major risks to our strategy and value, in an integrated way?”
- BCP: “If something major hits, how do we keep the business running?”
- DRP: “If our IT is hit, how do we get systems and data back within acceptable limits?”
All three are needed. ERM without BCP/DRP can see risks but not execute response. BCP/DRP without ERM may protect operations but miss bigger strategic threats or misalign investment with true priorities.
Summary Table: BCP vs DRP vs ERM
| Dimension | Business Continuity Plan (BCP) | Disaster Recovery Plan (DRP) | Enterprise Risk Management (ERM) |
|---|---|---|---|
| Primary focus | Keeping critical business functions running during and after disruption | Restoring IT systems, data and infrastructure after disruption | Managing risks to strategy, performance and value across the whole organisation |
| Scope | Organisation‑wide: people, processes, locations, suppliers, technology | IT‑centric: applications, data, networks, infrastructure | Enterprise‑wide: strategic, financial, operational, compliance, reputational, ESG, etc. |
| Key question | “How do we continue to operate?” | “How do we restore systems and data?” | “What might prevent our objectives, and how do we manage those business risks coherently?” |
| Typical owner | Business operations, risk/BCM function, cross‑functional continuity team | IT, CIO/CTO, infrastructure and cyber teams | Board, CEO, CRO, risk committee |
| Core tools | Business Impact Analysis, continuity strategies, crisis management and communication plans | RTO/RPO definition, backup and replication, failover/run‑book procedures | Risk framework, risk appetite, risk register/portfolio, KRIs, governance and reporting |
| Time horizon | During and immediately after disruption (hours to weeks) | Technical recovery window (minutes to days) | Short‑, medium‑ and long‑term (planning cycles, strategy horizon) |
| Trigger events | Any major disruption: pandemic, fire, outage, facility loss, supplier failure, cyber incident | Primarily technology and data incidents, including cyberattacks and infrastructure failures | Not event‑driven: a continuous process, with reviews at planning and strategy cycles and after significant incidents or changes |
| Relationship to others | Implements ERM’s operational risk and resilience strategies at process/business‑unit level | Implements part of BCP and ERM’s IT/cyber risk response | Sets direction and priorities; drives the requirement for BCP and DRP |
| Success measure | Ability to maintain or quickly resume critical services with acceptable impact | Ability to meet RTO/RPO and restore systems without major data loss | Improved risk‑adjusted performance, fewer surprises, stronger resilience and better decisions |