In short: how they relate
These are nested levels, not competitors:
- Risk management — the broadest level: identifying and reducing any risk (financial, operational, market…).
- BCM (business continuity management) — the part of risk management about keeping operations going during disruptions.
- BCP (business continuity plan) — a concrete plan document within BCM.
- DRP (disaster recovery plan) — the IT part of the BCP: restoring systems and data.
Comparison table
| Term | About | Scope |
|---|---|---|
| Risk management | Managing any company risk | Broadest |
| BCM | The ability to keep operating in a crisis | A subset of risks |
| BCP | Continuity plan (processes, people, suppliers) | A document within BCM |
| DRP | IT and data recovery | The IT part of the BCP |
A plain example
A ransomware attack hits. Risk management had assessed the likelihood in advance and invested in protection. BCM defined what is critical and how fast it must be recovered. The BCP says how to keep selling and serving customers while IT is down. The DRP describes how to bring servers back from backups.
FAQ
Are BCP and DRP the same thing?
No. A BCP covers the whole business (processes, people, suppliers, communications), while a DRP covers restoring IT systems and data. A DRP is usually part of a BCP.
Is BCM part of risk management?
Yes. Risk management handles all risks, and BCM is a specialised part of it responsible for keeping operations going during disruptions.