---
title: Business Continuity Management
date: 2026-06-01T17:19:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/glossary/business-continuity-management"
section: Glossar
---
BCM defines which business processes are classified as critical, how long they may be unavailable (Maximum Tolerable Downtime, MTD) and what financial, operational and reputational damage occurs per hour of downtime per critical process (Business Impact Analysis, BIA). From these findings, Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are derived and embedded in the technical backup and recovery architecture.

A Business Continuity Plan (BCP) documents how systems are restored after a total failure: trigger criteria, roles and responsibilities, restoration sequence, technical recovery steps per system and communication plans. Critically: the BCP must be available offline — printed, in a safe. If the IT infrastructure is compromised, a SharePoint folder containing the BCP may also be inaccessible.

NIS2 and DORA make BCM a legal obligation for affected organizations. This includes documentation of RTOs and RPOs, regular recovery tests and a crisis management plan. Management must approve and actively monitor BCM measures.

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss. Both are metrics that a backup architecture must demonstrably meet at the technical level; they must not merely be defined as aspirational targets.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

## Frequently asked questions

#### What is the difference between BCM and disaster recovery?

BCM is the overarching organizational framework covering all aspects of business continuity — prevention, response, recovery and communication. Disaster Recovery (DR) is the technical subset of BCM focused on restoring IT systems after a failure. A DR plan is a component of the BCM plan.

#### What is a Business Impact Analysis (BIA)?

A BIA analyzes the financial, operational and reputational damage per hour of downtime for each critical business process. From the BIA, the Maximum Tolerable Downtime (MTD) is derived, from which RTO and RPO follow. Without a BIA, there is no factual basis for sizing the backup architecture.
