BCM defines which business processes are classified as critical, how long they may be unavailable (Maximum Tolerable Downtime, MTD) and what financial, operational and reputational damage occurs per hour of downtime per critical process (Business Impact Analysis, BIA). From these findings, Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are derived and embedded in the technical backup and recovery architecture.

A Business Continuity Plan (BCP) documents how systems are restored after a total failure: trigger criteria, roles and responsibilities, restoration sequence, technical recovery steps per system and communication plans. Critically: the BCP must be available offline — printed, in a safe. If the IT infrastructure is compromised, a SharePoint folder containing the BCP may also be inaccessible.

NIS2 and make BCM a legal obligation for affected organizations. This includes documentation of RTOs and RPOs, regular recovery tests and a crisis management plan. Management must approve and actively monitor BCM measures.

Frequently asked questions

BCM is the overarching organizational framework covering all aspects of business continuity — prevention, response, recovery and communication. Disaster Recovery (DR) is the technical subset of BCM focused on restoring IT systems after a failure. A DR plan is a component of the BCM plan.
A BIA analyzes the financial, operational and reputational damage per hour of downtime for each critical business process. From the BIA, the Maximum Tolerable Downtime (MTD) is derived, from which RTO and RPO follow. Without a BIA, there is no factual basis for dimensioning the backup architecture.