Business Continuity & Disaster Recovery Planning Guide

Introduction

The purpose of this guide is to provide a structured process you can follow to develop a Business Continuity & Disaster Recovery plan for your firm. To develop an effective plan, it is important to understand the distinction between the two: business continuity focuses on maintaining business operations during and after the disruption, while disaster recovery focuses on restoring systems and data after a disruptive event. These two disciplines are related but distinct – business continuity is largely operational while disaster recovery is largely technical.

The scope of this guide is intentionally streamlined to support small to medium Canadian law firms and aligns with modern risks such as cloud reliance, cybersecurity threats, remote work impacts, and current backup and recovery practices.

This guide was written in 2026.

How to Use This Document

Use this guide to plan your business continuity & disaster recovery approach. This guide is organized based on the recommended planning order, and corresponds to the sections in the accompanying template:

  1. Purpose & Scope
  2. Roles & Responsibilities
  3. Risk Assessment
  4. Mitigations
  5. Procedures
  6. Maintenance & Testing

Follow the guidance in each numbered section below to complete the corresponding section in the companion Business Continuity & Disaster Recovery Plan – Sample Template.

Key Concepts & Objectives

The foundational concepts of business continuity & disaster recovery are presented in the following sections.

Business Continuity (BC)

The practice of preparing strategies and processes to keep essential operations running during and after disruptions. Its goal is to minimize business interruptions and maintain key services, protecting the firm’s reputation, assets, and client relationships.

Disaster Recovery (DR)

The process of restoring essential systems, data, and operations after disruptions. Its goal is to protect the firm’s assets as well as client information, and return them to the state they were in prior to the disruption.

Business Impact Analysis (BIA)

Identifies critical business functions and assesses the impact of disruptions. For this purpose, the focus should be on impact rather than cause—for example, both floods and pandemics may limit office access, requiring similar responses. It’s the lack of access to the office we are mitigating, not the cause.

Recovery Objectives

Recovery objectives define how fast the firm expects to recover as well as how much data loss is acceptable. These concepts determine the approach and investment required for backup, replication and redundant systems.

  • Recovery Time Objective (RTO): The maximum acceptable time a function or system can be unavailable.
  • Recovery Point Objective (RPO): The maximum acceptable data loss, measured in time.

While the ideal goal would be close to zero for both, the cost of achieving that will be prohibitive, so compromises are required. Firms should consider their obligations to clients and their law society in determining reasonable RTOs and RPOs.

Client Confidentiality

The purpose of BC & DR is to recover from any disaster that impacts the firm’s ability to operate. Some of those disaster scenarios may also threaten client confidentiality or personally identifiable information (PII). One example of this is a ransomware situation where a third party has gained access to confidential information and threatens to release it unless payment is made.

It is important to understand that the BC & DR plan does not mitigate the risk of these scenarios occurring; rather, it is focussed on recovering from the disaster so that the firm can continue to operate (in this example, without paying a ransom).

While planning for BC & DR, firms should keep these important concepts in mind:

  1. The BC & DR plan is not intended to prevent compromise to client confidentiality or personally identifiable information. Firms should have separate and distinct policies and procedures to mitigate these risks as well as define what actions are required should they occur, some of which may be legislated (e.g. breach notification). The CBA’s Privacy and Ethics: A Toolkit for Lawyers provides further guidance in these areas.
  2. Notwithstanding (1.) above, the planning process for BC & DR will identify risk scenarios that may result in compromises to client confidentiality or personally identifiable information. The planning process should include the actions required in those scenarios, with reference to the policies and procedures noted in (1.) above.
  3. BC & DR will typically require additional copies of confidential information to meet their objectives. Firms must ensure these additional copies are as well-protected as the originals so that the BC & DR plan is not introducing new risks to client confidentiality.

Your Law Society

Your provincial law society is a resource you can use both in planning for BC & DR as well as during incidents. You should also be cognizant of any requirements to inform your law society of incidents and be sure to include those scenarios in your plan.