Business Continuity Planning for Nonprofits

How Does Process Optimization Work for Nonprofits?
The short answer: Business continuity planning for nonprofits is the organizational process of documenting how your mission stays operational during and after a major disruption. It covers people, communications, vendor dependencies, program delivery, and financial operations, not just IT systems. Disaster recovery is one component of a business continuity plan. Scottship Solutions builds continuity frameworks for nonprofits that cover the full operational picture, including the IT and non-IT elements organizations typically miss.

What You’ll Learn

  1. Business Continuity Planning vs Disaster Recovery vs Data Backup
  2. Why Nonprofits Need a Continuity Plan Specifically
  3. The Core Components of a Nonprofit Business Continuity Plan
  4. How to Build Your Nonprofit’s Business Continuity Plan
  5. Common Mistakes Nonprofits Make
  6. Frequently Asked Questions
  7. Your Next Steps

Business Continuity Planning vs Disaster Recovery vs Data Backup

These three terms are frequently used interchangeably, but they describe different scopes of planning. Understanding the difference determines what your organization actually needs to build.

| Term | What It Covers | Who Owns It | Time Horizon |
| --- | --- | --- | --- |
| Business Continuity Plan (BCP) | Full organizational operations: people, programs, communications, vendors, finances, and IT | Leadership and operations | Hours to weeks after disruption |
| Disaster Recovery Plan (DRP) | IT systems and data restoration after an incident | IT or managed IT provider | Hours to days after a system failure |
| Data Backup | Copying data to a recoverable location | IT or managed IT provider | Ongoing; supports the DRP |

A business continuity plan contains a disaster recovery plan. A disaster recovery plan depends on data backups. An organization that only has backups and no DR plan has half the technical picture. An organization with a DR plan but no BCP has the IT side covered but no plan for how programs continue, how staff communicate, or how donors and funders are notified during a disruption.

This post focuses on the broader BCP. For the technical DR and backup side, see our post on how to create a disaster recovery plan for nonprofits.

Why Nonprofits Need a Continuity Plan Specifically

Nonprofits face disruption risks that for-profit organizations often do not. Program service delivery cannot pause the way a retail operation can close temporarily. Clients in crisis, vulnerable populations being served, grant reporting deadlines, and donor trust do not wait for systems to come back online.

Specific nonprofit continuity risks that a BCP must address:

  • Key person dependency: Many nonprofits have critical functions that only one staff member knows how to perform. An executive director departure, a data manager illness, or a development officer resignation mid-campaign can be as disruptive as a technology failure.
  • Vendor concentration: Nonprofits often rely heavily on a single CRM, a single payment processor, and a single IT provider. If any of those go down, the organization has limited alternatives.
  • Grant compliance: Grant agreements often include reporting requirements that do not pause for organizational disruptions. A continuity plan must account for which grant obligations must be met regardless of circumstances and who holds backup access to the reporting systems.
  • Donor communication: A disruption that goes uncommunicated to donors can permanently damage trust. The BCP must include communication protocols and backup contact methods.
  • Cash flow vulnerability: Many nonprofits operate on thin cash reserves. A disruption that halts donation processing or payroll for even two weeks can create an existential cash crisis.

Scottship Solutions builds continuity frameworks for nonprofits as part of our managed IT services, ensuring the IT components of the plan are documented, tested, and maintained alongside the organizational elements.

The Core Components of a Nonprofit Business Continuity Plan

1. Business Impact Analysis

A business impact analysis (BIA) identifies the critical functions your organization must maintain during a disruption and quantifies the impact of losing each one. For a nonprofit, critical functions typically include: client services and program delivery, donation and payment processing, payroll, grant reporting, and donor communications.

The BIA answers: if this function were unavailable for one day, one week, or one month, what would the organizational impact be? That severity rating determines how much recovery investment each function warrants.

2. Recovery Time Objectives

A recovery time objective (RTO) is the maximum acceptable time a function can be offline before the impact becomes unacceptable. A recovery point objective (RPO) is the maximum acceptable data loss measured in time. Together, RTOs and RPOs define the standards your continuity plan must meet for each critical function.

Example for a nonprofit: the donation processing function may have an RTO of 4 hours and an RPO of 1 hour, meaning the organization can tolerate 4 hours of downtime and up to 1 hour of lost transaction data. These thresholds drive the technical architecture of your backup and recovery systems.

3. Continuity Strategies for Each Critical Function

For each critical function identified in the BIA, the plan documents the specific steps to maintain or restore that function during a disruption. This is the operational core of the BCP. Example strategies:

  • Program delivery: alternate service delivery locations, remote delivery protocols, priority client lists for direct outreach during outages
  • Donation processing: backup payment processor account, manual check acceptance procedures, staff authorized to process emergency transactions
  • Communications: staff personal contact list (not dependent on organizational email), donor notification templates, board communication protocol
  • IT systems: see the disaster recovery plan for the technical recovery steps covering systems, data, and access

4. Roles and Responsibilities

A continuity plan without named owners is not a plan. Every action in the BCP must have a primary owner and a backup owner. The backup owner must be trained and capable of executing the action independently. Document this as a responsibility matrix, not a narrative.

5. Communication Plan

The communication plan covers three audiences: staff, clients and program participants, and donors and funders. Each needs a different message and a different delivery channel. The communication plan must include contact methods that do not depend on systems that may be offline, typically a combination of personal cell phones, a shared emergency distribution list maintained offline, and predefined message templates.

6. Vendor and Supplier Inventory

Document every vendor your organization depends on, what would happen if that vendor became unavailable, and what the backup option is. Pay particular attention to single-source dependencies: a single CRM with no export plan, a single cloud storage provider with no local backup, a single IT firm with no knowledge transfer documentation.

7. Testing and Maintenance Schedule

A BCP that has never been tested is not a functional plan. Test the plan at least annually with a tabletop exercise involving leadership. For IT recovery components, run an actual restore test from backup quarterly. Update the plan whenever a significant organizational change occurs: a key staff departure, a new vendor relationship, a new program, or a technology migration.

How to Build Your Nonprofit’s Business Continuity Plan

A practical sequence for a nonprofit building a BCP from scratch:

  1. Convene a small planning team. Include the executive director, operations lead, development director, and your IT contact. The BCP requires input from program, financial, and technology perspectives.
  2. Conduct the business impact analysis. List every critical organizational function. Rate the impact of losing each for 1 day, 1 week, and 1 month. Assign RTOs and RPOs to each.
  3. Document your current state. Map every vendor, system, and single-person dependency. This step frequently surfaces risks the organization did not realize it had.
  4. Write continuity strategies for the top 5 to 8 critical functions. Start with the highest-impact, shortest-RTO functions. Assign owners and backups to each.
  5. Build the communication plan and contact directory. Store it offline and test it by actually attempting to reach every contact on the list.
  6. Confirm the IT disaster recovery plan covers the technical side. The BCP’s IT section should reference a current, tested DR plan. If one does not exist, build it in parallel.
  7. Run a tabletop exercise. Simulate a scenario, walk through the plan, identify gaps, and update accordingly.
  8. Set a review calendar. Annual full review, quarterly backup test, triggered review after any significant organizational change.
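One way to make steps 2 through 6 checkable before each review, as an added example (not code from the original post or from Scottship Solutions): a short Python check that compares each function's stated RTO and RPO with what the backup schedule and the last restore test actually delivered, and flags missing backup owners and single-source vendors. The register fields, the sample rows and the 92-day reading of "quarterly" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

QUARTER_DAYS = 92  # assumption: a "quarterly" restore test is at most 92 days old

@dataclass
class Function:
    name: str
    rto_hours: float                 # maximum acceptable downtime
    rpo_hours: float                 # maximum acceptable data loss, in time
    backup_interval_hours: float     # time between backups of the supporting system
    restore_hours: Optional[float]   # duration measured in the last restore test
    last_restore_test: Optional[date]
    owner: str
    backup_owner: Optional[str]
    vendor_alternative: Optional[str]

def gaps(f: Function, today: date) -> list[str]:
    """Return the continuity gaps found for one critical function."""
    found = []
    if f.backup_interval_hours > f.rpo_hours:  # worst case loses a full interval
        found.append("rpo_missed")
    if f.last_restore_test is None or f.restore_hours is None:
        found.append("restore_untested")
    else:
        if (today - f.last_restore_test).days > QUARTER_DAYS:
            found.append("restore_test_stale")
        if f.restore_hours > f.rto_hours:
            found.append("rto_missed")
    if not f.backup_owner or f.backup_owner == f.owner:
        found.append("no_backup_owner")
    if not f.vendor_alternative:
        found.append("single_source_vendor")
    return found

# Constructed sample register; names and values are illustrative only.
REGISTER = [
    Function("Donation processing", 4, 1, 24, 6.5, date(2024, 1, 10),
             "Development director", None, "Backup payment processor"),
    Function("Payroll", 72, 24, 24, 3, date(2024, 5, 2),
             "Operations lead", "Executive director", "Manual check run"),
    Function("Grant reporting", 120, 24, 12, None, None,
             "Development director", "Development director", None),
]

def review(register, today):
    ordered = sorted(register, key=lambda f: f.rto_hours)  # shortest RTO first
    return {f.name: gaps(f, today) for f in ordered}
```

With the sample rows and a review date of 1 June 2024, `review(REGISTER, date(2024, 6, 1))` flags donation processing for a missed RPO (daily backups cannot meet a 1-hour objective), a stale restore test, a missed RTO and no backup owner, while payroll comes back clean.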

Common Mistakes Nonprofits Make

  • Treating backup as the plan. Having data backed up is not the same as having a recovery plan, and having a recovery plan is not the same as having a continuity plan. Each layer requires explicit documentation and testing.
  • No named backups for critical roles. If the only person who knows how to run payroll is unavailable, the BCP must define who does it next and how they access the necessary systems and credentials.
  • Untested plans. A plan that has never been executed during a drill will not hold under a real disruption. Tabletop exercises and actual restore tests are not optional.
  • Single points of failure in vendor relationships. One CRM, one cloud provider, one IT firm, one executive director with no succession plan. Each is a continuity risk. The BCP must document alternatives or explicitly accept the risk.
  • Storing the BCP only in systems that go down during a disaster. If the plan lives exclusively in a shared drive that requires organizational email to access, it is unavailable exactly when it is needed. Keep a printed copy and a version accessible via personal email or a personal device.

Frequently Asked Questions

What is the difference between a business continuity plan and a disaster recovery plan?

A business continuity plan (BCP) covers the full organizational response to a major disruption, including people, programs, communications, vendor dependencies, and finances in addition to IT systems. A disaster recovery plan (DRP) covers the IT-specific steps for restoring systems and data after an incident. The DRP is a component of the BCP. An organization with only a DRP has the technology side covered but no plan for how operations continue, how staff communicate, or how clients and donors are managed during a disruption.

How long does it take to build a nonprofit business continuity plan?

A first-version business continuity plan for a nonprofit with 10 to 75 staff typically takes 4 to 8 weeks to build, assuming one planning team meeting per week and dedicated documentation time between sessions. The first version covers the 5 to 8 highest-priority critical functions. It will not be perfect, but a tested imperfect plan is significantly more valuable than a comprehensive untested one. Build the first version, test it, and improve from there.

Does a small nonprofit need a business continuity plan?

Yes. Small nonprofits are often more vulnerable to disruptions than large ones because they have fewer redundancies: fewer staff to absorb the loss of a key person, thinner cash reserves to absorb cash flow interruption, and fewer vendor alternatives when a critical system goes down. The plan does not need to be long. A 10-person nonprofit can have a functional BCP in a 10 to 15 page document covering the 5 most critical functions. What matters is that it is tested and maintained.

What are recovery time objectives and recovery point objectives?

A recovery time objective (RTO) is the maximum acceptable time a function or system can be offline before the impact is unacceptable. A recovery point objective (RPO) is the maximum acceptable data loss measured in time. For example, an RTO of 4 hours means the organization needs a given system restored within 4 hours of a failure. An RPO of 1 hour means the organization can tolerate losing up to 1 hour of data. RTOs and RPOs drive the technical design of backup and recovery systems and determine how much investment each function warrants.

Can Scottship Solutions help build a business continuity plan for our nonprofit?

Yes. Scottship Solutions builds continuity frameworks for nonprofits as part of our managed IT services, covering the IT components of the plan, the disaster recovery plan, backup architecture and testing, and coordination with organizational leadership on the non-IT elements. We work with nonprofits in the 10 to 75 employee range and can help with a first-version plan or an audit and update of an existing one. Schedule a free consultation.

Your Next Steps

  1. List your 5 most critical functions. What would stop your organization from serving clients, processing donations, or meeting grant obligations? Start there.
  2. Check your current backup and recovery setup. If you do not know your RTO and RPO for each critical system, you do not have a tested disaster recovery plan. Confirm with your IT provider.
  3. Identify your single points of failure. One staff member who holds critical knowledge, one vendor with no alternative, one system with no backup access. Document each one and decide how to address it.
  4. Schedule a tabletop exercise. Set a date in the next 60 days to walk your leadership team through a disruption scenario. You will find gaps. That is the point.
  5. Schedule a free consultation with Scottship Solutions — we will review your current backup and recovery setup, identify the IT gaps in your continuity posture, and help you build the plan from there.

Written by

Will Facques

Senior IT Consultant at Scottship Solutions

Will works directly with nonprofit and small business clients on infrastructure, managed services, and technology implementations. He translates complex technical requirements into practical solutions that actually get done.

Certifications

PMP (Project Management Professional) • Lean Six Sigma Yellow Belt • CompTIA Network+

Industries Served

Human Services, Healthcare & Community Health, Education & Youth Development, Faith-Based, Child Advocacy, Arts & Culture
