Business continuity is about keeping your mission running during a disruption; disaster recovery is the narrower job of restoring your IT systems and data afterward. A nonprofit that has both can survive a flood, a ransomware attack, the sudden loss of an executive director, or a frozen grant payment without abandoning the people who depend on it.
The good news: you do not need a consultant or a budget to start. The federal government publishes free, fill-in-the-blank templates through Ready.gov, CISA, and the FTC. This guide walks you through a Business Impact Analysis, plain-English RTO and RPO, the 3-2-1 backup rule, an incident-response outline, emergency communications, insurance, and a worked one-page plan you can adapt today.
Continuity vs. Disaster Recovery: Two Different Jobs
People use these terms interchangeably, but they answer different questions, and a good plan needs both.
| Question | Business Continuity (BC) | Disaster Recovery (DR) |
|---|---|---|
| What is it? | Keeping the whole organization delivering its mission during disruption | Restoring IT systems and data after they fail or are compromised |
| Scope | People, facilities, services, cash flow, communications | Servers, laptops, cloud apps, databases, backups |
| Sample question | “How do we keep feeding 200 families if the kitchen floods?” | “How fast can we get the donor database back online?” |
| Owner | Executive director / board | IT lead or managed service provider |
DR is a subset of BC. You can recover every server in an hour and still fail your mission if staff cannot reach the building, payroll bounces, or vulnerable clients have nowhere to go. Plan for the mission first, then make sure the technology supports it.
Five disruptions every nonprofit should plan for
- Natural disaster — flood, fire, hurricane, wildfire smoke, extended power outage.
- Cyberattack — ransomware encrypting your files, or a data breach exposing client records.
- Sudden leadership loss — your ED resigns, is hospitalized, or dies; nobody else knows the bank logins.
- Funding shock — a major grant is cut, a reimbursement is delayed 90 days, a key donor lapses.
- Pandemic / public-health event — staff cannot gather; in-person services must go remote overnight.
Start With a Business Impact Analysis (BIA)
A Business Impact Analysis is the foundation of everything else. As Ready.gov puts it, a BIA “predicts the consequences of a disruption to your business” and gathers the information you need to build recovery strategies. You are answering three questions for each thing your nonprofit does:
- Which functions are critical? Not everything is. Distinguish life-safety and mission-critical services (e.g., a shelter bed, a meals route, medication delivery) from things that can wait (e.g., the annual gala planning).
- What is the impact if it stops — and does that impact grow over time? A missed payroll on day 1 is survivable; on day 14 you lose staff.
- What is the maximum tolerable downtime (MTD)? The longest a function can be unavailable before the harm becomes unacceptable — to clients, to finances, to reputation, or to legal standing.
Download the free Ready.gov Business Impact Analysis Worksheet (PDF) and have each program lead complete one for their area. When you collect them, you get an organization-wide picture of what must be protected first.
Worked BIA snippet: a small food-relief nonprofit
| Function | Impact if down | Impact grows after… | Max tolerable downtime |
|---|---|---|---|
| Daily meal distribution | Vulnerable clients miss meals; health risk | Same day | 24 hours |
| Refrigeration / cold storage | Food spoilage; inventory loss | 4–6 hours | 6 hours |
| Payroll processing | Staff unpaid; attrition; trust damage | 1 pay cycle | 3 days |
| Donor / CRM database | Lost giving history; stalled fundraising | 1–2 weeks | 5 days |
| Social media / website | Reduced visibility | Several weeks | 2 weeks |
Notice how the rankings fall out naturally: cold storage and meal distribution are protected first; the website can wait. The BIA is what stops you from spending your scarce recovery energy on the wrong things.
RTO & RPO in Plain English
Two acronyms drive every disaster-recovery decision. They sound technical, but the ideas are simple.
- RTO — Recovery Time Objective: the target time to get a function back up. “We need the case-management system running again within 4 hours.” RTO answers how long can we be down?
- RPO — Recovery Point Objective: the maximum amount of data you can afford to lose, measured backward from the moment of failure. An RPO of 1 hour means you must be able to restore to a point no more than an hour before the incident — so you must back up at least hourly. RPO answers how much work can we afford to redo?
Think of a flight you must catch. RTO is how long you can survive being stranded at the airport. RPO is how far back your last “save point” is — how much luggage you are willing to leave behind.
Your RTO must be shorter than the maximum tolerable downtime you found in the BIA, with room to spare, because the MTD clock starts when the function stops, not when someone notices or the restore begins: if MTD is 24 hours, an RTO of 36 hours fails. And your RPO sets your backup frequency, since the worst-case loss is one full interval between backups: an RPO of one day is fine with nightly backups; an RPO of one hour is not.
| System | RTO (back online in) | RPO (max data loss) | What that requires |
|---|---|---|---|
| Email / communications | 4 hours | 1 hour | Cloud email with continuous sync |
| Client case records | 8 hours | 4 hours | Backups every few hours; tested restore |
| Accounting / payroll | 2 days | 1 day | Nightly backup; offsite copy |
| Public website | 1 week | 1 week | Weekly export is sufficient |
Backups: The 3-2-1 Rule (and Why Offline Matters Now)
You cannot meet any RPO without good backups, and the canonical standard — cited by US-CERT/CISA in its Data Backup Options publication — is the 3-2-1 rule:
- 3 copies of any important file (the original plus two backups);
- 2 different media or storage types (e.g., a local drive and the cloud), so one failure mode does not take out everything;
- 1 copy stored offsite — physically away from your building.
The ransomware upgrade: 3-2-1 plus offline
The CISA #StopRansomware Guide (published with the FBI, NSA, and MS-ISAC) stresses keeping offline, encrypted backups and testing that you can actually restore from them. Why offline? Modern ransomware deliberately seeks out and encrypts or deletes connected backups, and an attacker holding your administrator credentials can do the same by hand. A backup that is always online and reachable with the same credentials as your live data can be destroyed in the same attack. At least one copy should be immutable (it cannot be altered or deleted before its retention period ends, even by an administrator account) or air-gapped (physically disconnected from the network, such as a drive in a safe), and the backup system should not share credentials with the production accounts it protects.
Two rules nonprofits break constantly:
- Untested backups are not backups. Schedule a restore drill at least twice a year. The first time most teams try, they discover the backup was incomplete, corrupted, or missing a key folder.
- SaaS data is your responsibility. Cloud apps for donations, email, and files protect their infrastructure, not your data from your mistakes. If a staffer deletes a year of records or an account is compromised, you may need your own export to recover.
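The three rules above (RTO shorter than MTD, backup interval no longer than RPO, 3-2-1 plus an offline copy, and a real restore test) can be checked mechanically before a drill. The script below is an added example, not code from the article or from CISA or Ready.gov; the functions, copies and file contents are constructed to mirror the worked tables in the BIA and RTO/RPO sections (the 24-hour MTD for case records is an assumption, chosen so the 36-hour RTO reproduces the failing case described above), and the "sync only" inventory is the common setup of a NAS plus a cloud sync that shares credentials with the live data.

```python
"""Continuity-plan consistency checks (added example, not from the article or
any vendor): RTO vs MTD, backup interval vs RPO, 3-2-1-plus-offline coverage of
a backup inventory, and a hash-based restore drill.  All inventory data below is
constructed to mirror the article's worked tables; names and numbers are
assumptions, not real systems."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import timedelta
import hashlib


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass(frozen=True)
class Function:
    name: str
    mtd: timedelta              # maximum tolerable downtime (from the BIA)
    rto: timedelta              # recovery time objective (from the DR plan)
    rpo: timedelta              # recovery point objective
    backup_interval: timedelta  # how often a restorable copy is actually taken


@dataclass(frozen=True)
class Copy:
    label: str
    medium: str          # "nas", "cloud", "usb-drive", ...
    offsite: bool
    offline: bool        # air-gapped or immutable: not writable from the live network
    interval: timedelta  # how often this particular copy is refreshed


def check_rto_rpo(f: Function) -> list[str]:
    """Violations for one function; an empty list means the plan is consistent."""
    findings = []
    if f.rto > f.mtd:
        findings.append(f"{f.name}: RTO {f.rto} exceeds MTD {f.mtd}")
    # Worst-case data loss is one full interval, so the interval must fit in the RPO.
    if f.backup_interval > f.rpo:
        findings.append(f"{f.name}: backup every {f.backup_interval} cannot meet RPO {f.rpo}")
    return findings


def check_321(copies: list[Copy]) -> list[str]:
    """3 copies, 2 media, 1 offsite, plus the #StopRansomware 'offline' copy."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium; need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline/immutable copy; ransomware can reach every copy")
    return findings


def ransomware_rpo(copies: list[Copy]) -> timedelta | None:
    """If ransomware destroys every online copy, the freshest offline copy sets the real RPO."""
    offline = [c.interval for c in copies if c.offline]
    return min(offline) if offline else None


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 taken at backup time; sizes alone cannot detect an encrypted file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def restore_drill(expected: dict[str, str], restored: dict[str, bytes]) -> list[str]:
    """Compare a restored tree against the manifest; report missing and corrupt files."""
    got = manifest(restored)
    findings = [f"missing: {p}" for p in expected if p not in got]
    findings += [f"corrupt: {p}" for p, h in expected.items() if p in got and got[p] != h]
    return findings


# --- constructed data mirroring the article's tables (assumptions, not real) ---
FUNCTIONS = [
    Function("Accounting / payroll", mtd=hours(72), rto=hours(48), rpo=hours(24), backup_interval=hours(24)),
    # The 24 h MTD is an assumption; the 36 h RTO reproduces the article's failing example.
    Function("Client case records", mtd=hours(24), rto=hours(36), rpo=hours(4), backup_interval=hours(24)),
]
# Before: an office NAS plus a cloud sync that uses the same credentials as the live data.
SYNC_ONLY = [
    Copy("office NAS", "nas", offsite=False, offline=False, interval=hours(1)),
    Copy("cloud sync", "cloud", offsite=True, offline=False, interval=hours(1)),
]
# After: the one-page plan's layout, adding a monthly drive kept in the board chair's safe.
PLAN_321 = SYNC_ONLY + [Copy("safe drive", "usb-drive", offsite=True, offline=True, interval=hours(24 * 30))]


def run_all() -> dict[str, object]:
    """Everything the checks report for the constructed plan, keyed for inspection."""
    source = {"clients/roster.csv": b"id,name\n1,A\n", "finance/payroll.qbw": b"\x00payroll\x00"}
    restored = {"clients/roster.csv": b"id,name\n1,A\n"}   # the finance folder never made it
    return {
        "rto_rpo": [f for fn in FUNCTIONS for f in check_rto_rpo(fn)],
        "sync_only": check_321(SYNC_ONLY),
        "plan_321": check_321(PLAN_321),
        "ransomware_rpo_days": (ransomware_rpo(PLAN_321) or timedelta(0)).days,
        "drill": restore_drill(manifest(source), restored),
    }


if __name__ == "__main__":
    for key, value in run_all().items():
        print(key, "->", value)
```

Two of the results are worth dwelling on. The NAS-plus-cloud-sync inventory passes "2 media" and "1 offsite" yet still fails, because nothing in it survives an attacker who has the sync credentials. And the monthly offline drive that makes the one-page plan pass 3-2-1 also sets the effective RPO in the ransomware case to 30 days; if that is longer than the organization can tolerate, refresh the offline copy more often or add an immutable cloud tier.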
Incident-Response Basics
When something goes wrong at 2 a.m., nobody should be inventing a process. An incident-response plan (IRP) is a short, pre-agreed sequence so people act instead of freeze. For a cyber incident or data breach, the FTC’s “Data Breach Response: A Guide for Business” organizes the work into three moves:
- Secure your operations. Take affected systems offline (do not wipe them — you may need them as evidence), change credentials, and assemble a response team that can include IT, legal, leadership, and communications.
- Fix the vulnerability that allowed it, and verify the attacker no longer has access before you reconnect.
- Notify the right people — affected individuals, law enforcement, and any regulators or funders your obligations require. The FTC guide even includes a model breach-notification letter you can adapt, and points people to IdentityTheft.gov.
A six-step incident-response outline (print and post it)
- Detect & report — anyone who notices something wrong calls the incident lead; no blame for raising a false alarm.
- Assess & contain — isolate affected systems; stop the spread; preserve evidence.
- Activate the plan — incident lead decides whether to declare an incident and notifies leadership.
- Communicate — trigger the call tree; designate one spokesperson; do not post on social media until facts are confirmed.
- Recover — restore from clean backups; rebuild rather than “unlock” after ransomware; confirm systems are clean.
- Review — within two weeks, hold a blameless debrief and update the plan with what you learned.
One clear rule prevents a second disaster: do not pay a ransom on impulse. Federal guidance discourages paying because it does not guarantee recovery and funds further crime. Report ransomware to CISA and the FBI through the channels in the #StopRansomware Guide, and involve your insurer and counsel before deciding anything.
Emergency Communications & the Call Tree
In a crisis, the failure is almost never a lack of goodwill — it is that nobody knows who to call, on what number, in what order. A call tree (sometimes called a phone tree or notification cascade) solves this: one person notifies a small group, each of whom notifies the next, so the whole organization is reached in minutes without one person making forty calls.
| Tier | Who | Notifies | Within |
|---|---|---|---|
| 1 | Incident Lead | Executive Director, Board Chair, IT lead | 15 min |
| 2 | Executive Director | Program managers (2–4 people) | 30 min |
| 3 | Each program manager | Their staff and key volunteers | 60 min |
| 4 | Communications lead | Clients, funders, partners, public | As approved |
Make the call tree work under real conditions:
- Store it offline. If the contact list lives only in the system that is down, it is useless. Keep a printed copy and an offline copy on key people’s phones.
- List two channels per person — phone and a non-work email or text — because the disruption may have taken out your normal channel.
- Name one spokesperson. Mixed messages erode trust faster than silence. Everyone else routes media and rumor to that person.
- Pre-draft holding statements. The National Council of Nonprofits emphasizes timely, honest communication after a disaster — a short “we are aware, here is what we know, here is what to do” holding statement buys you time to confirm facts.
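A call tree is easy to draw and easy to get subtly wrong: someone is listed with one phone number, a new hire is on the roster but on nobody's list, or two managers both think they call the same person. The script below is an added example, not part of the article, that walks a constructed roster shaped like the four-tier table above, reports those gaps, and computes when each person is reached if calls are made one after another. The five-minute-per-call figure, the names, and the channel labels are assumptions.

```python
"""Call-tree validation (added example, not part of the article): builds the
notification cascade from a roster, flags people with fewer than two contact
channels, unknown or duplicated callees, excessive fan-out and anyone the
cascade never reaches, and computes when each person is reached if calls are
made one after another.  The roster and timings are constructed assumptions."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass
class Person:
    name: str
    channels: tuple[str, ...]        # two distinct channels expected (phone + non-work text/email)
    notifies: tuple[str, ...] = ()   # who this person calls, in order
    minutes_per_call: int = 5        # assumed time per call attempt


def walk(roster: dict[str, Person], root: str) -> tuple[dict[str, int], list[str]]:
    """Breadth-first cascade from root: minutes until each person is reached, plus
    anyone reached a second time (a loop or a duplicate assignment)."""
    reached = {root: 0}
    duplicates: list[str] = []
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        for i, callee in enumerate(roster[caller].notifies, start=1):
            if callee not in roster:
                continue                      # reported separately by validate_call_tree
            if callee in reached:
                duplicates.append(f"{callee}: reached again via {caller}")
                continue
            # Calls are sequential, so the i-th callee waits i call-lengths after the caller was reached.
            reached[callee] = reached[caller] + i * roster[caller].minutes_per_call
            queue.append(callee)
    return reached, duplicates


def validate_call_tree(roster: dict[str, Person], root: str, max_fanout: int = 4) -> list[str]:
    """Every problem that would make the tree fail under real conditions."""
    findings = []
    for p in roster.values():
        if len(set(p.channels)) < 2:
            findings.append(f"{p.name}: fewer than two contact channels")
        if len(p.notifies) > max_fanout:
            findings.append(f"{p.name}: calls {len(p.notifies)} people; limit is {max_fanout}")
        findings += [f"{p.name}: notifies unknown person {c}" for c in p.notifies if c not in roster]
    reached, duplicates = walk(roster, root)
    findings += duplicates
    findings += [f"{n}: never reached from {root}" for n in roster if n not in reached]
    return findings


def last_reached(roster: dict[str, Person], root: str) -> int:
    """Minutes until the slowest person in the cascade is reached."""
    return max(walk(roster, root)[0].values())


# Constructed roster following the article's four-tier shape (assumptions, not real people).
ROSTER = {p.name: p for p in [
    Person("Incident Lead", ("cell:555-0101", "personal-email"), ("ED", "Board Chair", "IT Lead")),
    Person("ED", ("cell", "personal-text"), ("PM Meals", "PM Outreach")),
    Person("Board Chair", ("cell",)),                  # only one channel: flagged
    Person("IT Lead", ("cell", "personal-text")),
    Person("PM Meals", ("cell", "personal-text"), ("Driver 1", "Driver 2")),
    Person("PM Outreach", ("cell", "personal-text"), ("Caseworker 1",)),
    Person("Driver 1", ("cell", "personal-text")),
    Person("Driver 2", ("cell", "personal-text")),
    Person("Caseworker 1", ("cell", "personal-text")),
    Person("Volunteer Coord", ("cell", "personal-text")),   # on the roster, on nobody's list: flagged
]}

if __name__ == "__main__":
    for finding in validate_call_tree(ROSTER, "Incident Lead"):
        print("FIX:", finding)
    print("everyone reached within", last_reached(ROSTER, "Incident Lead"), "minutes")
```

Compare the computed reach times with the targets in the tier table (15, 30 and 60 minutes): if the slowest person is reached after the tier-3 deadline, shorten the lists or add a caller. Run the check whenever the roster changes, and remember that the output is only as good as the printed copy people actually carry; a validated tree that lives only on the server that is down is still useless.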
Insurance That Actually Pays Out
Insurance is your financial recovery plan. Three coverages matter most for continuity, and nonprofits routinely carry the first while missing the other two.
- Property insurance covers physical damage to your building, equipment, and inventory. Most organizations have this — but check whether it covers flood (often a separate policy) and whether your contents are insured at replacement cost rather than depreciated value.
- Business interruption insurance replaces lost revenue and covers continuing expenses (rent, payroll) while you are shut down after a covered event. This is the coverage that keeps the lights on during recovery, and it is the one nonprofits most often lack. Confirm it is included and understand the waiting period before it pays.
- Cyber liability insurance covers the costs of a breach or ransomware event — forensics, legal notification, credit monitoring for affected clients, and sometimes business interruption from a cyber cause. Insurers increasingly require basic controls (multi-factor authentication, tested backups, staff training) as a condition of coverage.
Three questions to ask your broker this quarter
- “If we are closed for three weeks after a fire, does our policy cover lost program revenue and ongoing payroll — and what is the waiting period before it pays?”
- “Is flood covered, or do we need a separate policy for our location?”
- “Does our cyber policy cover ransomware, breach-notification costs, and the cost of restoring data — and what controls must we maintain to stay covered?”
Whatever your coverage, keep a current, photographed or video inventory of equipment and a copy of your policies in your offsite backup. Claims move faster when you can prove what you lost.
The Human Side: Staff Safety, Payroll & Vulnerable Clients
A continuity plan that protects servers but not people has its priorities backwards. Three human commitments belong at the top of every plan.
1. Staff and volunteer safety comes first. No data, building, or deadline is worth a life. Your plan should state, plainly, that in a life-safety emergency people evacuate or shelter first and account for one another before anyone thinks about operations. Maintain an up-to-date roster and a simple “all-accounted-for” check-in method.
2. Payroll continuity. Staff who are not paid cannot keep serving — and a missed payroll can trigger legal and trust problems quickly. Make sure more than one trusted person can authorize payroll, that you can run it remotely, and that the credentials and process are documented somewhere a backup person can reach in an emergency. This single point of failure — only the ED can pay people — sinks more small nonprofits in a crisis than any technical outage.
3. Preserve mission-critical services for vulnerable clients. For the people you serve, a disruption to your services is the disaster. Decide in advance, for each critical service:
- Who depends on it, and what happens to them if it stops for a day, a week, a month;
- A minimum viable version — e.g., a reduced meal route, a phone check-in instead of an in-person visit, a warm hand-off to a partner agency;
- Backup partners — a written, reciprocal agreement with a peer organization to cover each other’s clients in an emergency.
Continuity for a nonprofit is not really about the organization surviving — it is about the people who would have nowhere else to turn if you didn’t. That is what you are protecting.
A Worked One-Page Continuity Plan
A plan nobody can read in a crisis is a plan nobody will use. Capture the essentials on a single page, store it offline, and review it twice a year. Here is a filled example for a small community nonprofit — copy the structure and replace the contents with your own.
| HILLSIDE COMMUNITY SERVICES — ONE-PAGE CONTINUITY PLAN (rev. June 2026) | |
|---|---|
| Activation | Incident Lead (or ED) declares an incident and starts the call tree. |
| Incident Lead | J. Rivera — cell 555-0101 / backup: M. Osei 555-0144 |
| Critical functions & RTO | Meal distribution (24h) · Cold storage (6h) · Payroll (3d) · Client case records (8h) |
| Who restores IT | Managed IT provider, NorthStar — 24/7 line 555-0190 (contract #4471) |
| Backups | 3-2-1: local NAS + cloud + monthly offline drive in board chair’s safe. Restore tested Jan & Jul. |
| Emergency comms | Spokesperson: ED. Call tree + holding statement stored on printed sheet in go-bag and on leads’ phones. |
| Alternate site | St. Luke’s parish hall (MOU on file) for distribution if main site unusable. |
| Mutual aid | Eastside Pantry covers our meal clients; we cover theirs. Contact: 555-0177. |
| Insurance | Property + business interruption: policy #PB-2231. Cyber: policy #CY-0098. Broker: 555-0160. |
| Vital records (offsite) | Bank logins, insurance policies, EIN/501(c)(3) letter, payroll credentials, client roster, equipment inventory. |
| Payroll continuity | ED and Treasurer can both authorize; process documented in offsite vault; can run remotely. |
| Review cadence | Reviewed every January and July; after any real incident; after any leadership change. |
Build yours on the free Ready.gov Business Continuity Plan template (PDF), fill in the gaps with your BIA results, and you have a working plan in an afternoon — not a binder that gathers dust.
A steadier funding base is part of resilience
A funding shock is one of the five disruptions every nonprofit should plan for — and diversified, recurring local support is one of the best hedges against it. Good Circles is free for nonprofits: when your supporters shop at participating local merchants, your organization receives 10% of the merchant’s net profit on each purchase (not 10% of the price), shoppers save roughly 10%, and merchants keep 89% while paying just a 1% platform fee. A conservative estimate is roughly $72 per active supporter per year — about $36,000/year from 500 supporters — a resilient, recurring revenue stream that does not depend on a single grant. Launching September 2026.
Sources & tools
Free first
- Ready.gov — Business Continuity Planning — DHS/Ready Business hub with free, fill-in-the-blank Business Continuity Plan and Business Impact Analysis templates.
- Ready.gov — Business Impact Analysis Worksheet (PDF) — Printable worksheet each program lead completes to rank critical functions and maximum tolerable downtime.
- CISA #StopRansomware Guide — Federal best practices (CISA/FBI/NSA/MS-ISAC) to prevent, respond to, and recover from ransomware — stresses offline, tested backups.
- FTC — Data Breach Response: A Guide for Business — Step-by-step breach response (secure, fix, notify) with a model breach-notification letter you can adapt.
- National Council of Nonprofits — Disaster Recovery — Nonprofit-specific guidance and links to federal disaster assistance, IRS relief, and SBA disaster loans.
Paid — optional labor-savers
- Managed IT / MSP with backup-and-DR service — A managed service provider that runs, monitors, and tests your 3-2-1 backups and handles restores. Worth it when you have no in-house IT and cannot reliably test your own backups or meet a tight RTO.
- Cyber liability insurance — Coverage for breach forensics, client notification, credit monitoring, and sometimes ransomware and cyber business interruption. Worth it when you store client personal data or process donations and could not absorb the five-figure cost of a breach response.
- Backup-as-a-Service for SaaS apps — Third-party backup for cloud email, CRM, and file storage that you control independently of the vendor. Worth it when your critical records live in cloud apps and a deletion, lockout, or compromise would be unrecoverable from the vendor alone.
Last verified 2026-06-17. Figures and rules change — verify at the source before you act.
FAQ
What is the difference between business continuity and disaster recovery?
Business continuity is the broad job of keeping your whole organization delivering its mission during a disruption — covering people, facilities, services, cash flow, and communications. Disaster recovery is the narrower, technical job of restoring your IT systems and data after they fail or are compromised. Disaster recovery is one piece of business continuity: you can restore every server quickly and still fail your mission if staff cannot reach the building, payroll bounces, or clients have nowhere to turn. Plan for the mission first, then make sure the technology supports it.
What do RTO and RPO mean?
RTO, the Recovery Time Objective, is the target time to get a function back online after it goes down — it answers how long you can be out of service. RPO, the Recovery Point Objective, is the maximum amount of data you can afford to lose, measured backward from the moment of failure — it answers how much work you could afford to redo, and it sets how often you must back up. If your RPO is one hour, nightly backups are not enough; you need backups at least hourly. Your RTO should always be shorter than the maximum tolerable downtime you identified in your Business Impact Analysis.
What is the 3-2-1 backup rule?
The 3-2-1 rule, cited by US-CERT and CISA, says keep three copies of any important file (the original plus two backups), on two different types of storage so a single failure cannot destroy everything, with at least one copy stored offsite away from your building. Because ransomware now targets connected backups, federal guidance adds that at least one copy should be offline or immutable — disconnected from your network — and that you should regularly test that you can actually restore from it. An untested backup is not a backup.
What should a nonprofit do first if it is hit by ransomware?
Do not pay the ransom on impulse and do not wipe the affected machines — you may need them as evidence. Following the FTC and CISA guidance, isolate the affected systems to stop the spread, assemble your response team, and preserve evidence. Notify your leadership, your insurer, and legal counsel, and report the incident to CISA and the FBI through the channels in the #StopRansomware Guide. Recover by rebuilding from clean, offline backups rather than trusting an attacker to unlock your files, and notify affected clients and regulators as your obligations require. Paying is discouraged because it does not guarantee recovery and funds further crime.
What insurance does a nonprofit need for continuity?
Three coverages matter most. Property insurance covers physical damage to your building, equipment, and inventory — check whether flood is included and whether contents are covered at replacement cost. Business interruption insurance replaces lost revenue and covers ongoing expenses like rent and payroll while you are shut down after a covered event; it is the coverage that keeps you afloat during recovery and the one nonprofits most often lack. Cyber liability insurance covers breach forensics, client notification, credit monitoring, and sometimes ransomware and cyber-related business interruption. Ask your broker specifically how each would respond to a multi-week closure.
How often should we update our continuity plan?
Review it at least twice a year, and always after a real incident or any change in leadership, staff, vendors, or insurance. Twice-yearly is also a good cadence for a backup restore drill — the first time most teams test, they discover the backup was incomplete or could not be restored. Keep the plan short enough that people will actually read it in a crisis, store a printed and offline copy outside any system that might be down, and make sure more than one person knows the critical credentials and processes so the plan does not depend on a single point of failure.