The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/2047-0894.htm

Views on business continuity and Business

continuity and
disaster recovery disaster
recovery
Ihab Hanna Sawalha
Risk Management Department, American University of Madaba, Madaba, Jordan
351
Abstract
Received 23 December 2020
Purpose – There is a noticeable confusion in the literature between Business Continuity Planning (BCP) and Revised 9 March 2021
Disaster Recovery Planning (DRP). The two expressions are very often used interchangeably especially when it Accepted 5 May 2021
comes to their application. In this paper, the differences between business continuity and disaster recovery are
discussed. The disaster management cycle is also addressed in order to highlight the importance of having
plans before, during and after the occurrence of an incident.
Design/methodology/approach – A review of the extant literature on business continuity and disaster
recovery was made. A number of different views were then presented in order to provide a better
understanding of the two concepts and their potential overlap/connection. The literature review was conducted
in 2020 using a variety of academic resources ranging from journal articles to text books and credible Internet
websites. Relevant journal articles were obtained from two primary databases: Emerald Insight and
EBSCOhost. Keywords, such as DRP, continuity, disruption and BCP, were mainly used to facilitate the search
for these resources and other related material.
Findings – Reviewing the literature revealed that BCP and DRP are not the same. Yet, they are used
interchangeably very often in the literature. This indicates a possible relationship/overlap between the two.
The relationship between BCP and DRP can be viewed from a variety of perspectives, which altogether provide
a better understanding of their purposes and application.
Practical implications – On top of the need to differentiate between business continuity and disaster
recovery, the widespread impact of the current COVID-19 crisis, especially on businesses and supply chains,
has unfolded the necessity to deal with business disruptions in all their forms and the significance of quick and
effective recovery. This research clarifies the purpose of BCP and the purpose of DRP and their role in
combating impacts of disruptive incidents on businesses and organizations.
Originality/value – BCP and DRP are discussed extensively in the literature. Yet, few studies attempted to
address the precise functions of the two resulting in an obvious confusion between their meaning and purpose
which subsequently reduced the uniqueness of their application and the uniqueness of the application of each.
Only a small minority of practitioners and academics recognise the precise differences between the two. This
study aims at clarifying this misconception to a wider set of readers and interested parties.
Keywords Incident, ISO22301, Disruption, Continuity, DRP, BCM
Paper type Conceptual paper

1. Introduction
Today, the world’s conditions are increasingly becoming changeable which makes planning
a more complicated process. The global economic, environmental and social instability and
the dynamics of business environments resulted in new types of risks and disruptions.
Besides, the worldwide openness through social media, Internet and transportation exposed
many countries and organizations to new types of threats, such as reputational crises, cyber-
attacks and pandemics (Paunescu and Argatu, 2020; Glenn and Gordon, 2002).
It should be noted that such risks are likely to escalate into disasters or crises if they are
mismanaged or neglected. Azadegan et al. (2020), Bell (2019) and Zekos (2004) argued that the
requirements for business continuity are becoming more complicated as the process of
globalization was associated with the need to establish new global supply chains, business
alliances and partnerships which also introduced further risks to businesses and
International Journal of
organizations. Emergency Services
In terms of organizational responses to disruptions affecting the continuity of operations/ Vol. 10 No. 3, 2021
pp. 351-365
service delivery, two popular approaches dominate the literature; these are business © Emerald Publishing Limited
2047-0894
continuity and disaster recovery. However, there is a noticeable confusion between Business DOI 10.1108/IJES-12-2020-0074
IJES Continuity Planning (BCP) and Disaster Recovery Planning (DRP). The two expressions are
10,3 often used interchangeably in the literature especially when it comes to their application or
implementation. This paper aims at discussing the differences between business continuity
and disaster recovery.

2. Literature review
352 Organizations nowadays recognize that in order to survive and grow in an era of rapid
change, they should scan and forecast their business environments so that they become more
aware of the factors that are likely to affect their performance negatively (Yu et al., 2019; Fink
et al., 2005). Business disruptions as noted by Das (2018) are likely to occur everyday, at any
level within an organization, and vary with respect to their degree of impact. Most
importantly, getting the organization running as usual following to an incident should be a
main goal for all senior managements (Smith et al., 2019).
Hanson (2006) and Castillo (2004) argued that the traditional disaster management cycle
provides an effective framework for managing a wide spectrum of major incidents affecting
organizations and that the cycle is therefore essential for improving organizational resilience
(Figure 1). It consists of four stages: preparedness, response, recovery and mitigation.
Preparedness aims at creating a state of readiness by considering the different possible
future scenarios. Equally important, preparedness facilitates and supports the response
capability and limits unorganized behavioural response patterns when an incident occurs
(Fischer, 2005). Response represents the mechanism(s) by which an organization reacts/
replies to an incident (Hanson, 2006; Fischer, 2002). Gaillard (2007) classified the response of
humans and organizations into two broad categories: vulnerability and resilience.
Vulnerability represents the susceptibility of people and organizations to suffer from
damage, and consequently transforming minor incidents into disasters. Resilience, on the
other hand, represents the ability to withstand adverse consequences and survive.
Organizational resilience according to Foster and Dye (2005) can be improved by securing
three key components: people, core business (systems, facilities, infrastructure and processes)

Figure 1.
The disaster
management cycle
and business networks (e.g. supply chain). Recovery is the ability to restore business Business
functions following to a disruption in order to resume normal operations (Sawalha et al., 2018). continuity and
From a wider societal perspective, recovery includes activities of restoration, reconstruction
and rehabilitation of people and communities (UNISDR, 2017). Hawkins et al. (2000) classified
disaster
recovery into two types: business recovery and disaster recovery and emphasized the recovery
significance of having recovery plans for both. While business recovery aims to restore
workplace areas, disaster recovery aims to restore data, information and critical business
functions. Mitigation aims at reducing the probability of occurrence of an incident (i.e. 353
prevent it from happening).
In terms of organizational responses to disruptions affecting the continuity of operations/
service delivery in specific, two popular approaches dominate the literature; these are
business continuity and disaster recovery.

2.1 Business continuity planning

Fischbacher-Smith (2017) argued that business continuity is a holistic process that deals with
a range of task demands generated by business disruptions across the range of activities
undertaken by an organisation. Hernandez (2007) argued that BCP aims at enabling an
organization to continue providing its services or products with the same level of quality and
productivity during the occurrence of disruptive incidents.
Although BCP has been described in the literature in a variety of ways (e.g. Sawalha, 2020;
Paunescu and Argatu, 2020; Azadegan et al., 2020; Cook, 2015; Hiles, 2011; Moore and Lakha,
2006; Cerullo and Cerullo, 2004; Botha and Solms, 2004; Pitt and Goyal, 2004), there seems to
be a general consensus that it consists of the following primary stages: initiation, business
impact analysis (BIA), the development of continuity strategies, creation of the continuity
plan and the testing of the plan.
The initiation phase starts by seeking senior management’s approval to have a BC
program. According to Balboni and Marinos (2008), initiating BCP involves defining the
goals, determining timescales, identifying constraints and setting budgets. BCP should be
based on understanding the critical business functions (Castillo, 2004). Once all these
functions are identified, business impact analysis is carried out in order to recognize all the
disruptions that are likely to impact these functions and the associated levels of impact.
Armstrong-Smith (2020) described business impact analysis as a foundation for BCP.
Moore and Lakha (2006) mentioned that the BC plan is developed based on the results
obtained from the BIA process. Various continuity strategies are then proposed and
compared in terms of cost-effectiveness and efficiency. Continuity strategies should be
developed for staff, premises (workplace and information locations), technology (telephony,
applications and systems), supplies (materials and equipment) and stakeholders. This phase
also entails backing-up of vital records and determining minimum operational requirements.
Testing examines the comprehensiveness and applicability of the BC plan and if it can
cope with different types of disruptions. Full plan testing in real conditions enables the
continuity team to discover possible weaknesses in the plan (Cerullo and Cerullo, 2004).
Testing also builds confidence among people and reduces panic and chaos during an
emergency. Sawalha (2020) re-emphasized that business continuity is an enterprise-wide
process that should be embedded in the culture of the organization. In order to create this type
of culture, the continuity plan should promote a positive organizational change through
learning and training where everybody has to engage actively in the process (Rozek and
Groth, 2008). Therefore, training becomes an essential part of BCP. Training ensures the
success of BCP and motivates the participation of people in the process (Sawalha, 2020).
Maintenance provides a regular update for the action plans and ensures they are
constantly capable of responding effectively to the dynamics of the business environment.
IJES Continuous maintenance protects the organization from having to develop procedures again
10,3 each time a disruption occurs and ensures that workable action plans are still in place. In
general, there are two schemes of maintenance and updating: periodic and in-response.
Periodic maintenance is conducted regularly on monthly or annual basis, whereas,
in-response maintenance is conducted in response to sudden disruptions or in response to
the dynamics of the business environment.
354
2.2 Disaster Recovery Planning
Williamson (2007) argued that organizations are increasingly becoming reliant on IT and
data availability. DRP is primarily concerned with planning for data recovery in case data is
lost, as well as the recovery of other core business functions. In addition to the IT recovery
team, there should be other teams which will be responsible for service recovery. Duties of
service recovery include financial recovery, infrastructure recovery, records and staff
recovery (Moore and Lakha, 2006). DRP aims also at facilitating and strengthening
institutional and community relationships that can aid in the coordination of disaster
recovery in the post-disaster period.
DRP is essential for an organisation to remain viable in the face of disasters. As seen after
11 Sept., Hurricane Katrina and other disasters around the world, an organization that does
not have recovery plans often becomes the victim of disasters and never fully recovers. Many
organizations go bankrupt or close within the first year following a disaster (Hardy et al.,
2009). Based on an increased awareness, Horney et al. (2016) pointed out that a growing
number of organizations and governments nowadays are adopting disaster recovery plans to
guide the recovery processes and this has intensified notably following to the current
COVID-19 global pandemic (Al-Tammemi, 2020).
Although DRP has been described in the literature in a variety of ways (e.g. Horney et al.,
2016; Cook, 2015; Moore and Lakha, 2006; Beaman and Albin, 2008; Hawkins, 2000; Toigo,
2000), there seems to be a general consensus that it consists of the following primary stages:
forming the recovery team(s), assigning roles and responsibilities, developing backup
strategies, preparing action plans and the testing of plans.
Chow (2000) noted that the support of senior management is necessary at the early stages
of DRP. Moore (2008) described senior management commitment as a prerequisite for DRP.
When the senior management decides to plan for disaster recovery, it must assign
accountability, roles and ownership (Moore and Lakha, 2006).
Gondek (2002) and Toigo (2000) described the loss of electronic information as fatal,
therefore, Toigo (2002) and Hawkins et al. (2000) affirmed that a full reliance on a single
working electronic network could be catastrophic. The disaster recovery team should
develop various IT strategies and backup plans for all IT resources. This is typically done by
breaking down the IT processes into a set of modular components that can be then backed up
and recovered more easily (Vizard, 2008). In this phase, the disaster recovery team is also
responsible for setting the recovery alternatives, including the installation of the disaster
recovery site and the development of the backup plans. The recovery strategies developed in
this phase should address the requirements of the IT infrastructure, as well as the physical
assets and resources, including the buildings, documentation and personal requirements
(Moore and Lakha, 2006).
Implementation documentation is then created for detailed recovery procedures. Moore
and Lakha (2006) emphasized that the involvement of the damage assessment team is critical
in this phase. Damage assessment team is responsible for assessing the extent of the damage
that has already occurred. Simultaneously, functional area managers are responsible for
setting their own teams which will develop and document detailed recovery and resumption
procedures for their business areas.
 Evans (2016) affirmed that the success of DRP depends on how often the DR plan(s) is Business
tested and updated. Testing according to Beaman and Albin (2008) assures that any changes continuity and
to the IT or business processes do not necessarily trigger a need for procedural modifications.
Ashford (2007) pointed out that poorly tested plans are likely to give an organization a false
disaster
sense of security and false assurance of its capability to recover. Whereas, “the more often recovery
you test the disaster recovery plan, the greater the chance that there will be a smoother
continuity of business operations” (Zalud, 2008). Saccomanno and Mangialardi (2008)
described DRP as a dynamic process that needs to be periodically updated and emphasized 355
that the disaster recovery plan should be revised on a regular basis with respect to the
changes in business and technology.

3. Discussion: views on the relationship/overlap between BCP and DRP

Perhaps one of the main reasons that contribute to creating the confusion between BCP and
DRP is their common IT background/origin (Dadge, 2020; Slater, 2015). Cook (2015) noted
that disaster recovery is often viewed as the technical side of business continuity and
involves the restoration of operations. Others, such as Herbane et al. (2004) attributed the
cause of this misconception/overlap between business continuity and disaster recovery to
their cross-functionality (i.e. their common purpose; that is assuring the continuity of
business operations before, during and after the occurrence of disruptive incidents).
Cervone (2006) argued that both BCP and DRP are necessary for coping with disruptive
incidents. Yet, Stanton (2005) stated that: “. . .there is still confusion about the differences
between DRP and BCP, the expressions are often used interchangeably- but their functions
are not, and having a disaster recovery plan is not the same as having a business continuity
plan”. Robb (2006) argued that DRP is part of the wider area of BCP and focused on the
importance of BCP as a basis for effective DRP. Rosenblatt (2008) noted that: “disaster
recovery plans are important; however, business continuity plans are everything”.
Herbane et al. (2004) described DR as a subordinate/subset of BCP. This implies that both
have cross-functional relationship (Dadge, 2020). Slater (2015) stated that business continuity
and disaster recovery are often combined using the acronym “BC/DR”, and that this acronym
describes how an organization continues running normally before and after a disruption until
it recovers. The acronym BC/DR is prevalent in the literature (e.g. Cook, 2015; Zalud, 2008;
Beaman and Albin, 2008).
The following sections summarize/conceptualize the different views on the relationship/
overlap between BCP and DRP. The aim is to provide a comprehensive review of the most
consistent and rational views that exist in the literature in this regard.

3.1 View point 1: antecedent viewpoint

One of the main reasons behind the misperception between BCP and DRP is that each
represents one evolutionary approach/phase/direction to the same and the more
contemporary discipline of Business Continuity Management (BCM) (Herbane et al., 2004),
as shown in Figure 2. In other words, BCM has its roots in both BCP and DRP. The concept of
BCM has recently emerged from the integration of both which produced a more cross-
functional and socio-technical framework for managing business continuity. Cook (2015)
referred to business continuity management using the acronym BC/DR planning in order to
highlight that it aims at going beyond technology to include people and processes within the
organization.
BCM emerged as more inclusive approach to managing disruptions taking into
consideration that even incidents with the shortest-duration impacts could result in
greater damages (financial or non-financial). The main focus was on the continuity of
IJES
10,3

Socio-technical
BC BC
Planning Management

356 Scope of Activity

Disaster
Technical

Crisis
Response Recovery
Planning

Figure 2. Operational Cross-functional

Typology of continuity Orientation of activity
approaches
Source(s): Herbane et al. (2004)

operations since the situation has reached a tipping point where “recovery” is no longer the
primary goal to many executives. As organisations become less tolerant to interruption(s), the
perceived value of an area primarily dedicated to recovery will also decline (Baldwin, 2019).
In their turn, BCP and DRP represent two evolutionary approaches/directions for the
original concept of crisis response; meaning that they both have their roots in crisis response.
Originally, crisis response thrived during the 1970s as a way for managing business
disruptions during an age of mainframe computing; however, it was narrow in terms of the
scope of activity and the orientation of activity. Crisis response was primarily a technical and
operational process that focused on dealing with technical disruptions, neglecting other
related human factors, and was also limited to the operational level of management within the
organization, paying less attention to the higher levels including the tactical and strategic.
During the 1980s and 1990s, crisis response developed in two different directions. The first
enabled it to become more cross-functional (i.e. enabled interaction/synergy between the
different levels of management with the organization) while remaining primarily technical in
its nature. This is what had been known as DRP. The second direction enabled crisis response
to become more socio-technical (i.e. covering both technical and human/man-made
disruptions) while remaining operational in its core. This is what had been known as BCP.

3.2 View point 2: “complementary” role viewpoint

Moore and Lakha (2006) explained the complementary role/relationship between BCP and
DRP. They argued that business continuity and disaster recovery are two different but
complementary aspects/elements of the “Major Incident Management” process (Figure 3).
Major incident management is the field that is concerned with managing those catastrophic
but rare events that require special arrangements in the mobilisation of human, financial,
physical and informational resources.
Accordingly, BCP looks into the medium and longer-term aspects and focuses on all
business areas of the organization and includes strategic and systemic impact plans; stated
 Emergency
Disaster Business
Management
or Crisis
Management
continuity and
disaster
recovery

357
Major Incident
Management
Business Disaster
Continuity Recovery
Management Management

Contingency
Figure 3.
Management
Major incident
management
Source(s): Moore and Lakha (2006)

differently, BCP represents how critical business functions will be re-established in case a
disruptive incident occurs. DRP looks at the immediate actions needed both during and after
the actual occurrence of an incident in order to ensure the organization is able to function,
mitigating business interruptions; stated differently, this is how the organization will restart
functioning as soon as possible.
All in all, and along with the other elements of Major Incident Management; including
contingency management, emergency management and disaster/crisis management, BCP
and DRP complete/complement the processes by which organizations manage major
incidents. In this context, it should be noted that all the components of major incident
management listed above overlap in order to provide a comprehensive coverage of all the
required procedures and action plans.

3.3 View point 3: management “types/styles” viewpoint

Hernandez (2007) argued that BCP is a proactive type of planning. Hiles (2011) also
emphasized that BCP is a proactive process. The point here is to offer preventive measures
that will reduce the probability of an incident occurring, taking into consideration the entire
set of disruptive incidents that are likely to affect the organization internally or externally.
This is referred to as “preventive control” and is based on anticipation, scenario building and
the establishment of various “what if” assumptions.
Nevertheless, on top of the efforts that are done to anticipate different future projections, it
is significant to develop recovery plans capable of coping with disruptions if they actually
occur (Childs and Dietrich, 2002). Tura et al. (2004) defined disaster recovery as the reactive
part of response to the damage that has already occurred. It aims at resuming normal
business operations and restoring critical business functions. “If this office and everything in
it were destroyed tonight, would it be possible to do business tomorrow or at least next week?
”. This is how Hermanson et al. (2007) described the purpose of DRP. According to Thomson
(2007), disaster recovery is about getting systems up and functioning following to a
disruption. Cerullo and Cerullo (2004) pointed out that DRP is a reactive approach and
therefore is a type of “corrective control”.
IJES Thompson (2019) argued that proactive management type/style means thinking ahead,
10,3 anticipating and planning for change or crisis. Reactive management type/style means
reacting to change or crisis after it happens. Proactive strategies are designed to anticipate
possible challenges, while reactive strategies are those that respond to some unanticipated
event only after it occurs. Because no one can anticipate every possibility, no organization can
be proactive in every situation. Disasters and crises are situations that require higher levels of
synchronization between proactive and reactive planning.
358 Perhaps, one of the most illustrative examples that can be presented in this context is the
current COVID-19 pandemic and the ways it has been managed or dealt with. The
management of this outbreak included post-lockdown guidelines (as reactive measures/
corrective controls), as well as frameworks for preventing future potential impacts or a
second-wave occurrence of the outbreak (as proactive measures/preventive controls) (Kostoff
et al., 2020a, b).
3.4 View point 4: the disaster timeline/prioritisation viewpoint
According to Shaluf (2008), understanding the disaster management cycle starts by
recognizing that crises and disasters consist of three main stages: the pre-crisis/disaster
stage, crisis/disaster stage and post-crisis/disaster stage which necessitates the need for having
multiple plans to be implemented before, during and after the occurrence of such incidents
(Figure 4).
Botha and Solms (2004) argued that BCP helps organizations prepare, mitigate and
respond effectively to business disruptions and make advantage of the weak signals that
precede these incidents, while disaster recovery aims at improving the recovery capability
following to an incident. Then and Loosemore (2006) explained that BCP aims at developing
pre-crisis plans while Cerullo and Cerullo (2004) noted that DRP aims at developing post-crisis
strategies and action plans. In other words, BCP covers the mitigation, preparedness and
response stages of the disaster management cycle, whereas DRP covers the aftermath of an
incident that is the recovery phase.
This analysis also creates a sense of prioritization, order and reduces interchangeability in
roles and application as it implies that BCP should be considered first in order to assure
continuity of business operations. In case an incident occurs and disrupts the critical business
functions, then, it is the time to activate/invocate the disaster recovery plan.

3.5 Viewpoint 5: international standards’ view – the ISO 22301:2012

The ISO22301:2012 specifies the requirements for setting up and managing an effective
Business Continuity Management System (BCMS). The standard specifies: “requirements to
plan, establish, implement, operate, monitor, review, maintain and continually improve a
documented management system to protect against, reduce the likelihood of occurrence,
prepare for, respond to, and recover from disruptive incidents when they arise”. The standard
is based on concepts of “normal operations” vs “downtime” of the critical business functions.
Under normal working conditions, business functions/operations are expected to run
normally until a disruptive incident occurs. According to the ISO 22301:2012, an incident is
described as any situation that might be, or could lead to, a disruption.

Figure 4.
The disaster stages
In this context, it should be made clear that a disruption is not necessarily equal to an outage. A Business
disruption represents an interruption to the normal sequence or the regular flow of an operation continuity and
or process which from a system’s perspective can be self-corrected by the system itself in most
cases before losing the entire operation or function, whereas an outage represents a temporary
disaster
suspension or a total failure of an operation, function or activity. The purpose of a BC plan is to recovery
protect these operations/activities/functions and assure their continuity by preventing
disruptive incidents (i.e. reducing their probability of occurrence). A BC plan also aims at
fixing/correcting disruptions before they cause/turn into outages (Figure 5). 359
However, if any of these critical business functions was lost as a result of a disruptive
incident, the role of the DR plan is to guide the restoration of this function after the outage or
the downtime according to a predefined timetable (also known as the recovery time objective
– RTO). The disaster recovery plan specifies the procedures required to restore business
activities using different recovery strategies/options that support normal business
requirements (ISO 22301:2012).
The longer the downtime continues the greater the financial and non-financial losses. In
case an organization does not have a DR plan, then it is likely to fail following to a disruptive
incident. If it has a basic DR plan, then it might survive by coincidence (also known as a
“lucky escape”). However, if an organization has a fully tested DR plan, then it will incur
minimal losses during the downtime and will be able to recover and return back to normal. It
is worth mentioning in this context that a newer version of the ISO 22301 has been recently
released; that is the ISO 22301:2019 (Security and Resilience-BCMS) (Roskoski, 2020).

4. Additional insight into BCP and DRP: divergent and conflicting views from
recent studies
Another conceptually similar but technically different approach is resumption planning (also
known as operational resumption). Business resumption planning incorporates both,
continuity and recovery planning, yet, while BCP may necessarily involve adopting
temporary measures (such as office relocation, reduction of working hours and reduction of
staffing levels), business resumption planning is concerned with restoring operations to as

Figure 5.
Normal operations vs
downtime (outage)
IJES near normal levels as possible (Enisa, 2021). A typical resumption process also includes the
10,3 activation of a succession plan and strategic alliances (Robertson, 2020).
Also, “COOP”, which stands for Continuity of Operations Planning, seems to have another
conflicting nature. The term which has emerged recently, in the USA mainly, also incorporates
BCP and DRP. According to the U.S. Department of Health and Human Services (2021), the
difference is that COOP is practiced and favoured to greater extents by public and government
entities for mitigation and planning strategies that allow services to continue to be provided in
360 the face of different incidents, whereas BCP is practiced in the private sector primarily.
Cervone (2017) mentioned that traditionally BCP has been more intensively used in
projects that are formally developed and relatively large in scale. Nowadays however, the
new perspective necessities the use of BCP in less formal business environments, such as the
informatics and analytics projects which often develop organically within organizations and
do not require formal practices prevalent in IT projects for instance. The author also noted
that DRP is incident agnostic, as it generally focuses on the technical details of how data and
systems are backed up, restored and put back into production after an incident irrespective
with the type of incident.
Haraguchi (2020) was one of few researchers who raised the bar of BCP and DRP to higher
government and national levels for the purpose of strengthening the public sector’s emergency
preparedness. The author argued that government continuity plans (GCPs) are a recently
focused concept in disaster preparedness, compared to business continuity plans (BCPs) of the
private sector and linked GCP with complex adaptive systems for nations and societies.
Resilience is another concept that incorporates BCP and DRP. According to Teng-Calleja
et al. (2020), Ferguson (2019) and Burnard and Bhamra (2019), the concept of resilience is
relevant to BCP and DRP, yet it should be treated more distinctively since it touches on other
aspects, such as vulnerability and hazard at higher social and economic levels.
Walsh (2018) summarized the difference between BCP and DRP in a very simple and
straight forward manner by relating it to the time of implementation. The author argued that
the key difference is “when” the plan takes effect. A BCP aims at securing the continuity of
operations during the event and immediately after. A DR plan focuses on how to recover an
operation after the event has completed and how to return to normal.

5. Conclusions
Not only organizations are intolerant to disruptions at the present time but the entire
network of stakeholders and the public whose tolerance for disruption is at an all-time low.
Business disruptions resulting from minor incidents to extreme or catastrophic events,
such as terrorist attacks or infrastructural breakdowns, can affect all types of
organizations. Impacts of such disruptions vary in terms of the levels of damage they
can produce and the periods of discontinuity/interruption they can cause. Organizations
are less likely to survive and maintain their market share without the effective management
of business disruptions.
Perhaps, the current COVID-19 pandemic represents a clear example in this regard. The
crisis has left many businesses and organizations worldwide disrupted for varying/
prolonged periods of time. This caused huge financial and non-financial losses and disturbed
the world’s economy, movement of goods and delivery of services. In the developing
countries, impacts of such and similar crises continue to rise on the society and economy. The
pandemic also rendered several supply chains disrupted in both the developed and
developing countries and worldwide.
Few attempts were made to clarify the misconception between BCP and DRP. BCP is
different than DRP despite that the two are often appear together in the literature (Dadge,
2020). This is one of few studies that discuss explicitly and specifically the different views
that explain the links between BCP and DRP. In recent years, BCM has emerged as a Business
combination of BCP and DRP. continuity and
This paper presented a general review about the relationship between business continuity
and disaster recovery. Future studies can employ the views presented in this paper to test the
disaster
application of BCP and DRP within actual organizational settings using practical approaches. recovery
Despite the attempts of a number of researchers to clarify the differences between BCP and
DRP, the confusion still exists, especially amongst non-practitioners and still needs further
explanation (King, 2018). This research represents one step in this direction that requires 361
more elaboration mainly from practitioners in the field and IT professionals.
IT disaster recovery involves the re-establishment of systems and functions following
disruptions, whereas BCP involves planning for the continuity of the entire set of business
operations, not just the IT. In recent years, the circle of DRP has expanded to include not only
the IT component/aspect of the organization (i.e. technical components) but also the larger
social and community aspects. As the concept of community resilience evolves, disaster
recovery should address disruptions/disasters and their impacts on the society and also
promote the establishment of social and national capabilities that aim at enabling societies
and economies to recover and return to normal.
It is worth mentioning that the author encountered a number of limitations when conducting
this study. First, the scarcity of research, especially research published in quality academic
journals that views BCP and BCM from an enterprise perspective (i.e. enterprise BCM). The
majority of the existing literature views BCM, BCP and DRP as technical processes that owe
more to IT and systems. This enterprise perspective needs to be emphasized and developed
further. Second, the lack of the managerial insight into BCP and DRP. The majority of the
existing literature presents the views of practitioners and technicians from the technology
sector primarily. Third, scarcity of studies that view BCM from a strategic viewpoint. The
majority of the existing literature views BCP, BCM and DRP from a narrower operational
perspective. Fourth, the scarcity of studies in the field of BCM in general and the inaccurate mix
with other risk-related disciplines, such as disaster management, crisis management and
emergency management, which further complicated the efforts made by the author to extract
the necessary, adequate and quality information and details.

References
Al-Tammemi, A. (2020), “The battle against COVID-19 in Jordan: an early overview of the Jordanian
experience”, Front. Public Health, Vol. 8 No. 188, pp. 1-6.
Armstrong-Smith, S. (2020), “Why the BIA provides the foundation stone for business continuity”,
available at: https://www.thebci.org/news/why-the-bia-provides-the-foundation-stone-for-
business-continuity.html (accessed 3 October 2020).
Ashford, W. (2007), “IT chiefs increasingly confident in recovery plans”, Computer Weakly, Dec. 18,
2007, p. 8.
Azadegan, A., Syed, T., Blome, C. and Tajeddini, K. (2020), “Supply chain involvement in business
continuity management: effects on reputational and operational damage containment from
supply chain disruptions”, Supply Chain Management, Vol. 25 No. 6, pp. 747-772.
Balboni, S. and Marinos, L. (Eds) (2008), Business and IT Continuity: Overview and Implementation
Principles, European Network and Information Security Agency, ENISA.
Baldwin, S. (2019), “Business continuity management as an operational risk service provider: an
approach to organisational resilience”, Journal of Business Continuity and Emergency Planning,
Vol. 13 No. 2, pp. 102-110.
Beaman, B. and Albin, B. (2008), “Steps to disaster-recovery planning”, Tech Update, June 30-July 7,
2008, p. 25.
IJES Bell, S. (2019), “Organisational resilience: a matter of organisational life and death”, Continuity and
Resilience Review, Vol. 1 No. 1, pp. 5-16.
10,3
Botha, J. and Solms, R. (2004), “A cyclic approach to business continuity planning”, Information
Management and Computer Security, Vol. 12 No. 4, pp. 328-337.
Burnard, K.J. and Bhamra, R. (2019), “Challenges for organisational resilience”, Continuity and
Resilience Review, Vol. 1 No. 1, pp. 17-25.
362 Castillo, C. (2004), “Disaster preparedness and business continuity planning at Boeing: an integrated
model”, Journal of Facilities Management, Vol. 3 No. 1, pp. 8-26.
Cerullo, V. and Cerullo, M. (2004), “Business continuity planning: a comprehensive approach”,
Information Systems Management, Vol. 21 No. 3, pp. 70-78.
Cervone, H. (2006), “Disaster recovery and continuity planning for digital library systems”, OCLC
Systems and Services: International Digital Library Perspectives, Vol. 22 No. 3, pp. 173-178.
Cervone, H. (2017), “Disaster recovery planning and business continuity for informaticians”, Digital
Library Perspectives, Vol. 33 No. 2, pp. 78-81.
Childs, D. and Dietrich, S. (2002), Contingency Planning and Disaster Recovery: A Small Business Guide,
Wiley, New Jersey, NJ.
Chow, W. (2000), “Success factors for IS disaster recovery planning in Hong Kong”, Information
Management and Computer Security, Vol. 8 No. 2, pp. 80-86.
Cook, J. (2015), “A six-stage business continuity and disaster recovery planning cycle”, SAM
Advanced Management Journal, Vol. 80 No. 3, pp. 23-35.
Dadge, G. (2020), “Business continuity vs. Disaster recovery: what’s the difference?”, available at:
https://enterprisersproject.com/article/2020/8/business-continuity-vs-disaster-recovery
(accessed 9 October 2020).
Das, K. (2018), “Integrating resilience in a supply chain planning model”, International Journal of
Quality and Reliability Management, Vol. 35 No. 3, pp. 570-595.
Enisa (The European Union Agency for Cybersecurity) (2021), “Business resumption plan”, available
at: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/
bcm-resilience/bc-plan/business-resumption-plan (accessed 2 Feb 2021).
Evans, C. (2016), “Testing is a vital part of any disaster recovery plan”, Computer Weekly, 12/20/2016,
pp. 23-26.
Ferguson, C. (2019), “Utilising trade unions in business continuity management to create resilience: a
South African perspective”, Continuity and Resilience Review, Vol. 1 No. 1, pp. 36-46.
Fink, A., Marr, B., Siebe, A. and Kuhle, J. (2005), “The future scorecard: combining external and
internal scenarios to create strategic foresight”, Management Decision, Vol. 43 No. 3,
pp. 360-381.
Fischbacher-Smith, D. (2017), “When organisational effectiveness fails: business continuity
management and the paradox of performance”, Journal of Organizational Effectiveness:
People and Performance, Vol. 4 No. 1, pp. 89-107.
Fischer, H. (2002), “Terrorism and 11 September 2001: does the behavioural response to disaster model
fit?”, Disaster Prevention and Management, Vol. 11 No. 2, pp. 123-127.
Fischer, H. (2005), “The danger in over-reacting to terrorism”, Disaster Prevention and Management,
Vol. 14 No. 5, pp. 657-665.
Foster, S. and Dye, K. (2005), “Building continuity into strategy”, Journal of Corporate Real Estate,
Vol. 7 No. 2, pp. 105-119.
Gaillard, J. (2007), “Resilience of traditional societies in facing natural hazards”, Disaster Prevention
and Management, Vol. 16 No. 4, pp. 522-544.
Glenn, J. and Gordon, T. (2002), “Creating a better world: 15 global challenges”, Foresight, Vol. 4 No. 5,
pp. 15-37.
Gondek, R. (2002), “Disaster Recovery: when more of the same isn’t Better”, Journal of Business Business
Strategy, Vol. 23 No. 4, pp. 16-18.
continuity and
Hanson, A. (2006), “Organizational Responses and Adaptations after 9-11”, Management Research
News, Vol. 29 No. 8, pp. 480-494.
disaster
Haraguchi, M. (2020), “How can a municipal government continue operations during megadisasters?
recovery
An analysis of preparedness using complex adaptive systems”, Disaster Prevention and
Management, Vol. 29 No. 5, pp. 779-792.
363
Hardy, V., Roper, K. and Kennedy, S. (2009), “Emergency preparedness and disaster recovery in the
US. Post 9/11”, Journal of Facilities Management, Vol. 7 No. 3, pp. 212-223.
Hawkins, S., Yen, D. and Chou, D. (2000), “Disaster recovery planning: a strategy for data security”,
Information Management and Computer Security, Vol. 8 No. 5, pp. 222-229.
Herbane, B., Elliott, D. and Swartz, E. (2004), “Business continuity management: time for strategic
role?”, Long Range Planning, Vol. 37 No. 5, pp. 435-457.
Hermanson, D., Ivancevich, D. and Ivancevich, S. (2007), “Disaster recovery planning: what section 404
audits reveal”, The CPA Journal, Vol. 77 No. 12, pp. 60-62.
Hernandez, G. (2007), “Assessing risks through business continuity management”, Caribbean
Business, Mar. 29, 2007, pp. S4-S5.
Hiles, A. (2011), The Definitive Handbook of Business Continuity Management, Wiley, West Sussex.
Horney, J., Simon, M., Ricchetti-Masterson, K. and Berke, P. (2016), “Resident perception of disaster
recovery planning priorities”, International Journal of Disaster Resilience in the Built
Environment, Vol. 7 No. 4, pp. 330-343.
ISO 22301:2012, Societal Security-Business Continuity Management Systems-Requirements, British
Standards Institute, London.
King, T. (2018), “Business continuity vs. Disaster recovery; what’s the difference?”, available at:
https://solutionsreview.com/backup-disaster-recovery/business-continuity-vs-disaster-recovery-
whats-the-difference/ (accessed 8 October 2020).
Kostoff, R., Briggs, M., Porter, A., Aschner, M., Spandidos, D. and Tsatsakis, A. (2020a), “COVID-19:
post-lockdown guidelines”, International Journal of Molecular Medicine, Vol. 46, pp. 463-466.
Kostoff, R., Briggs, M. and Porter, A. (2020b), COVID-19: Preventing Future Pandemics, Georgia
Institute of Technology, Atlanta.
Moore, T. (2008), Disaster and Emergency Management Systems, British Standards Institute, London.
Moore, T. and Lakha, R. (2006), Tolley’s Handbook of Disaster and Emergency Management: Principles
and Practice, LexisNexis, Croydon.
National Research Council (2007), Successful Response Starts with a Map: Improving Geospatial
Support for Disaster Management, The National Academies Press, WA, DC.
Paunescu, C. and Argatu, R. (2020), “Critical functions in ensuring effective business continuity
management: evidence from Romanian companies”, Journal of Business Economics and
Management, Vol. 21 No. 2, pp. 497-520.
Pitt, M. and Goyal, S. (2004), “Business continuity planning as a facilities management tool”, Facilities,
Vol. 22 Nos 3/ 4, pp. 87-99.
Robb, D. (2006), “Lessons in business continuity and disaster recovery”, Business Communications
Review, Vol. 36 No. 11, pp. 52-55.
Robertson, G. (2020), Disaster Planning for Special Libraries, Chandos Publishing, Cambridge, MA.
Rosenblatt, J. (2008), “Why directors and C-level officers are legally liable if a disaster or disruption
occurs”, available at: http://www.thebci.org/legal.htm (accessed 9 September 2008).
Roskoski, M. (2020), “ISO 22301 Business continuity management systems standard”, International
Facility Management Journal, Mar/Apr. 2020, Vol. 30 No. 2, pp. 14-16.
IJES Rozek, P. and Groth, D. (2008), “Business continuity planning”, Health Management Technology,
Vol. 29 No. 3, pp. 10-12.
10,3
Saccomanno, P. and Mangialardi, V. (2008), “Be prepared for I.T. Disasters”, Canadian Consulting
Engineer, Vol. 49 No. 4, pp. 35-40.
Sawalha, I.H. (2020), “Business continuity management: use and approach’s effectiveness”, Continuity
and Resilience Review, Vol. 2 No. 2, pp. 81-96.
364 Sawalha, I., Shamieh, J. and Meaton, J. (2018), “Little details that make a difference: a value-based
approach to disaster management”, Journal of Business Continuity and Emergency Planning,
Vol. 12 No. 2, pp. 180-192.
Shaluf, I. (2008), “Technological disaster stages and management”, Disaster Prevention and
Management, Vol. 17 No. 1, pp. 114-126.
Slater, D. (2015), “Business continuity and disaster recovery planning: the basics”, available at: https://
www.csoonline.com/article/2118605/business-continuity-and-disaster-recovery-planning-the-
basics.html (accessed 3 October 2020).
Smith, J., Jayaram, J., Ponsignon, F. and Wolter, J. (2019), “Service recovery system
Antecedents a contingency theory investigation”, Journal of Service Management, Vol. 30
No. 2, pp. 276-300.
Stanton, R. (2005), “Beyond disaster recovery: the benefits of business continuity”, Computer Fraud
and Security, Vol. 2005 No. 7, pp. 18-21.
Teng-Calleja, M., Hechanova, M.R.M., Sabile, P.R. and Villasanta, A.P.V.P. (2020), “Building
organization and employee resilience in disaster contexts”, International Journal of
Workplace Health Management, Vol. 13 No. 4, pp. 393-411.
Then, S. and Loosemore, M. (2006), “Terrorism prevention, preparedness, and response in built
facilities”, Facilities, Vol. 24 Nos 5/6, pp. 157-176.
Thompson, S. (2019), “Difference between a proactive and a reactive business strategy”, available at:
https://smallbusiness.chron.com/difference-between-proactive-reactive-business-strategy-62157.
html (accessed 18 June 2020).
Thomson, R. (2007), Business Continuity: the Expert View, Computer Weekly, July 27, 2007.
Toigo, J. (2000), Disaster Recovery Planning: Strategies for Protecting Critical Information Assets,
Prentice Hall, New Jersey, NJ.
Toigo, J. (2002), Disaster Recovery Planning: Preparing for the Unthinkable, Prentice Hall, New
Jersey, NJ.
Tura, N., Reilly, S., Narasimhan, S. and Yin, Z. (2004), “Disaster recovery preparedness through
continuous process optimization”, Bell Labs Technical Journal, Vol. 9 No. 2, pp. 147-162.
UNSDR (2017), “Build back better: in recovery, rehabilitation and reconstruction”, available at: https://
www.unisdr.org/files/53213_bbb.pdf (accessed 3 October 2020).
U.S. Department of Health & Human Services (2021), “Topic collection: continuity of operations
(COOP)/business continuity planning”, available at: https://asprtracie.hhs.gov/technical-
resources/17/continuity-of-operations-coop-business-continuity-planning/110 (accessed 2
February 2021).
Vizard, M. (2008), “Why there’s no business continuity”, Baseline, Vol. 88, p. 18.
Walsh, K. (2018), “The difference between business continuity and disaster recovery”, available at:
https://reciprocitylabs.com/business-continuity-vs-disaster-recovery-whats-the-difference/
(accessed 9 March 2021).
Williamson, B. (2007), “Trends in business continuity planning”, Bank Accounting and Finance,
Vol. 20 No. 5, pp. 50-52.
Yu, W., Chavez, R., JacobsWong, M.C. and Yuan, C. (2019), “Environmental scanning, supply chain
integration, responsiveness, and operational performance”, International Journal of Operations
and Production Management, Vol. 39 No. 5, pp. 787-814.
Zalud, B. (2008), “News and analysis: carrying on after a disaster”, Security, Vol. 45 No. 7, pp. 12-14. Business
Zekos, G. (2004), “Ethics versus corruption in globalization”, Journal of Management Development, continuity and
Vol. 23 No. 7, pp. 631-647.
disaster
recovery
Corresponding author
Ihab Hanna Sawalha can be contacted at: i.sawalha@aum.edu.jo
365

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com
Reproduced with permission of copyright owner. Further
reproduction prohibited without permission.