
Risk Management, Business Continuity & Disaster Recovery

Published on March 18, 2019

What are the relationships between Risk Management, Business Continuity and Disaster Recovery?

Risk Management, Business Continuity, Disaster Recovery… in today’s economy we are forced to think more and more about the security and sustainability of our businesses in a world of ever-increasing risks - from the rise in cyberattacks to global warming creating more and more adverse weather conditions that affect the day-to-day running of operations - and these are all phrases we commonly hear.

However, there can be some ambiguity over the relationship and differences between each concept.

In this article we will try to get to the bottom of just how these align, and in contrast, how they differ.


Although no official definition has ever been established, Risk Management (RM) is explained by the Economic Times as ‘the practice of identifying potential risks in advance, analysing them and taking precautionary steps to reduce/curb the risk’.

The definition of Business Continuity (BC), by the official standard (ISO 22301), is ‘The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident’.

In layman’s terms, therefore, RM is about attempting to avoid business disruption entirely, whereas BC focuses on how to maintain functionality should a disruption occur, by predetermining the minimum levels of staff, systems, resources, etc. that a company requires before operations can continue.

Of course, no matter how much planning an organisation carries out, there is still no way to guarantee that a business disruption will not take place, so although Risk Management is an essential practice for any organisation, it cannot succeed as a stand-alone practice. If a company wishes to prepare itself in the best way possible for such incidents, it will also require a Business Continuity Management System (BCMS).

We can therefore conclude that both methods are essential for adequate preparation and protection and should ideally work together to strengthen operations against disruption.

Disaster Recovery

If we have ‘how to recover in case of a disruption’ covered by Business Continuity, what is the purpose of the Disaster Recovery concept?

The answer is all about the technology side of things - technical systems, servers and processes.

If BC is around determining minimum requirements to continue operations, disaster recovery (DR) is about the tangible elements within those minimum requirements.

DR focuses on laying out the critical systems required and identifying two thresholds: how much time can pass before an unacceptable amount of data is lost to a disruption, termed the organisation’s Recovery Point Objective (RPO), and how quickly the organisation must recover its business processes after an incident in order to avoid negative consequences, the Recovery Time Objective (RTO).
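As an added illustration (not part of the original article), the following Python checks a constructed incident against a system's RPO and RTO, and also shows that the RPO a backup schedule can guarantee is its largest inter-backup gap, not the loss observed in any single incident. The system name, objectives and timestamps are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): a system with an RPO of 4 hours
# and an RTO of 2 hours, backed up every 6 hours, hit by an outage at 15:30.
SYSTEM = {"name": "order-db", "rpo": timedelta(hours=4), "rto": timedelta(hours=2)}
BACKUPS = [datetime(2019, 3, 18, h) for h in (0, 6, 12)]
INCIDENT = datetime(2019, 3, 18, 15, 30)
RESTORED = datetime(2019, 3, 18, 18, 0)


def data_loss_window(backup_times, incident_time):
    """Data lost in this incident: time from the last completed backup to the outage."""
    prior = [t for t in backup_times if t <= incident_time]
    return incident_time - max(prior) if prior else None


def worst_case_data_loss(backup_times):
    """The RPO a schedule can actually guarantee is its largest gap between backups."""
    ordered = sorted(backup_times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else None


def assess(system, backup_times, incident_time, restored_time):
    """Compare one incident, and the schedule behind it, against the RPO and RTO."""
    loss = data_loss_window(backup_times, incident_time)
    worst = worst_case_data_loss(backup_times)
    recovery = restored_time - incident_time
    return {
        "system": system["name"],
        "data_loss_hours": loss.total_seconds() / 3600 if loss is not None else None,
        "rpo_met_this_time": loss is not None and loss <= system["rpo"],
        "rpo_guaranteed_by_schedule": worst is not None and worst <= system["rpo"],
        "recovery_hours": recovery.total_seconds() / 3600,
        "rto_met": recovery <= system["rto"],
    }


if __name__ == "__main__":
    for key, value in assess(SYSTEM, BACKUPS, INCIDENT, RESTORED).items():
        print(f"{key}: {value}")
```

In the sample, the incident happens to fall within the RPO, yet the 6-hour backup interval cannot guarantee the 4-hour objective, and the 2.5-hour restore misses the RTO; both findings are the kind of data a Business Impact Analysis would feed back into the BCMS.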

The BC concept is therefore a much broader approach than DR – it looks at getting an entire business up and running again following an incident, covering not just systems but all the additional elements which allow a firm to operate, including premises, people and external partners/suppliers – so much so that disaster recovery can be said to form part of a complete BCMS.


So, what's the takeaway here?

The simple answer is that each of the three concepts we have explored has its own place, entirely separate from the others, and all are of huge importance to an organisation that wishes to protect itself and minimise loss and negative impacts in the event of any business disruption.

While Risk Management helps an organisation to prepare for, and attempt to avoid, business disruptions, there are no guarantees, and some incidents outside human control cannot be avoided.

When an unavoidable incident occurs, Disaster Recovery can determine and support an organisation’s technical activity in terms of backing up and restoring systems and data during an outage, but it does not consider other aspects, including one of the most valuable assets of any business – its people.

BCM is an essential element for a company to consider if it wishes to protect the resources that lie beyond its data and systems.

The most comprehensive solution an organisation can adopt is therefore to undertake, and integrate, all three methods, which work in a complementary fashion to one another.

The optimal way for an organisation to protect itself against disruption is a continuous cycle: Risk Management identifies potential disruptions or incidents; Disaster Recovery determines RPOs and RTOs; both sets of information are used to update Business Continuity plans and improve the quality of Business Impact Analysis (BIA) data; that data is regularly tested; and the findings are fed back into RM and DR to revise the BCMS.