BCM Glossary

The Agility Glossary for Business Continuity is created by our subject matter experts to collect and store definitions for terms used in the business continuity industry. This page is regularly updated to promote a common set of universal terms and to create consistency throughout multiple resources.  

To keep a business running smoothly, you need to ensure any unplanned occurrences or serious setbacks do not impact key business functions and business operations. Because this field is full of technical jargon, we have created the below business continuity glossary pulled from multiple sources to help you and your business. 

Acceptable Downtime 

Also called "maximum allowable downtime." The maximum amount of time a system can be down without direct or indirect consequences to the organization. 


Formal notification of a potentially dangerous situation that is imminent or that has occurred. It usually includes a directive for employees to stand by for possible activation. 

All Hazards 

An approach for preparedness, prevention, response, mitigation, continuity, and recovery that will address a range of threats and hazards, including natural, technology caused, and human caused. 

Alternate Site 

When the primary functions are down, an alternate site is a separate operating location to be used by business functions. 


Anything that has value to the company, such as a piece of equipment or the workforce. 


A formal inspection and confirmation to check whether the standard or set of guidelines is being followed correctly, the records are accurate, and efficiency and effectiveness targets are being met. 



The process of copying data to another location, so if the original data is lost or destroyed, there is another copy. 

Black Swan 

An unpredictable event that may bring more than expected of a situation and has potentially dire consequences. Black swan events are characterized by their extreme rarity, severe impact, and the widespread assertion they were evident in hindsight. 

Business Continuity 

The ongoing process that ensures the necessary steps are taken to maintain organizational resilience, identify potential losses and their impact, and maintain viable recovery strategies, plans, and the continuity of services. 

Business Continuity Management (BCM) 

A comprehensive business continuity management process identifies threats to a company and the impacts they may cause. This process provides a structure for organizational resilience with an effective response that protects the business's key stakeholders, reputation, brand, and value-creating activities. 

Business Continuity Management Program 

The ongoing management and administration process, supported by top management, is appropriately resourced to ensure that the necessary steps will be taken to identify the impact of losses. It ensures viable recovery strategies and the continuity of products and services through training, exercising, maintenance, and review. 

Business Continuity Management System (BCMS) 

Part of the general management system that will establish, implement, operate, monitor, review, maintain, and improve business continuity. 

Business Continuity Maturity Model (BCMM) 

A tool used to measure the level and degree to which BCM activities have become standard and assured within an organization's business practices. 

Business Continuity Plan (BCP) 

A collection of procedures and information that is developed, compiled, documented, and maintained in readiness for use in the case of an incident to enable the organization to continue to deliver critical products and services at an acceptable predefined level. 

Business Continuity Planning 

Involves developing prior arrangements that enable the organization to respond to an event so critical business functions can continue within the planned disruption levels. This process will result in the BCP. 

Business Continuity Program 

The ongoing management and administration process supported by top management and appropriately resourced to implement and maintain BCM. 

Business Continuity Strategy 

An approach taken by a business to ensure recovery and continuity in the face of a disaster or other major event or business disruptions. 

Business Impact Analysis (BIA) 

A process that defines crucial business functions and determines priority and order of recovery to satisfy overall strategic business continuity strategy goal(s) declared by upper management. The results of the BIA provide the foundation for effective continuity planning with a focus on business priorities. 

Business Interruption 

An event that disrupts the normal course of operations at a business's location. 


Call Tree 

A hierarchical communication model used in an emergency to alert specific people and coordinate recovery. It is also a graph that depicts the calling responsibilities and order used to contact management, employees, customers, vendors, and other key contacts.  

Cost-Benefit Analysis 

After a risk assessment, cost-benefit analysis is a process that calculates the financial impacts of different BCM options and balances the cost of the options again the potential savings. 


A critical event that may dramatically affect the business's reputation, profitability, and ability to operate if not handled properly.  

Crisis Management 

The organization's approach and response to handle an emergency in an effective and timely manner. The goal is to avoid or minimize downtime, damage to the business's reputation, profitability, and ability to operate. 


An attempt, via cyberspace, to disrupt, damage, or gain access to a computer, computer system, or an electronic communications network. This is a malicious attempt to target a company's use of cyberspace to disable, destroy, or control the computing infrastructure, data, or controlled information. 


Damage Assessment 

The process of defining the nature and extent of a disruption resulting from a natural, accidental, or human-caused disaster. Damage assessment provides situational awareness and critical information on the event's type, scope, and severity. 

Data Recovery 

Data recovery is a process of salvaging unavailable, lost, damaged, or formatted data from alternative storage, removable media, or files when the data stored in them cannot be accessed in a usual way.  


A pre-authorized formal announcement that an event or severe outage is predicted/has occurred. This action triggers pre-arranged mitigating measures. 

Disaster Recovery (DR) 

The process of resuming business operations following a disruption by regaining access to data, networking equipment, physical locations, power, and connectivity. The disaster recovery response team should always follow a disaster recovery plan.  

Disaster Recovery Plan 

A written process or set of procedures developed to prepare the organization to recover as quickly as possible after a disruption, including the resumption of network systems, workforce safety, and physical recovery. 

Disaster/Emergency Management 

An ongoing process to prevent, reduce, prepare for, respond to, maintain continuity during, and recover from an incident that threatens employees' life, the property of the business, the operations of the company, or the environment. 


A period of time when business operations are paused or no longer functioning as regular. Also called an outage if referring to information technology services/systems. 



An unexpected situation that could cause loss of life, injury, and property destruction and may result in the need for immediate action. This could also be the interference, loss, or disruption of a business's normal operations to the extent that it poses a threat. 

Emergency Management  

The organization and management of the resources and responsibilities for dealing with all aspects of an emergency, including preparedness, response, mitigation, and recovery. The goal is to minimize the harmful effects of all hazards, including disasters. 

Emergency Preparedness 

The capability of an organization or a community to respond to unforeseen circumstances. This should be completed in a timely, coordinated, and effective manner to prevent loss of life and injury or property damage. 

Emergency Response Plan 

A well-documented plan that facilitates and organizes the reaction and response of everyone involved in the situation to any emergency situation that could happen. 

Enterprise Risk Management (ERM) 

A plan-based company-wide business strategy that aims to identify, assess, prepare for, and mitigate any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives. 

ERM typically involves identifying events and circumstances relevant to the company's goals (both risks and opportunities). These will be assessed in terms of likelihood and magnitude of impact, determining a strategy, and monitoring progress. 

By identifying and proactively addressing the risks and opportunities, the business can protect and create value for stakeholders, which can include owners, employees, customers, regulators, and even society. 

Exercise Plan 

A plan designed to evaluate tasks, teams, and procedures periodically documented in the business's continuity program to ensure the program is viable.  

One example of this is a tabletop exercise test, during which participants review and discuss the actions each employee and member of the organization would take.  


First Responder 

A member of an emergency service who is the first to arrive at the scene of an incident. This would usually be someone from the police force, the fire team, or ambulance personnel. 


Gap Analysis 

A comparison that will identify the differences between the actual and the desired outcome. 


Hot Site 

A different facility where an organization can relocate following a disaster. This backup location must have all necessary infrastructure, such as the equipment, telecommunications, and environmental elements required to recover business functions or information systems. 


Incident Management Plan (IMP) 

A clearly defined and well-documented plan of action to use during an incident. It covers key personnel, resources, services, and the steps needed to implement the incident management process. 

Incident Management Process 

A set of actions taken to respond to and resolve incidents. It includes how incidents are detected and communicated, who is responsible for different actions, what tools the business will need to resolve this, and what steps need to be taken to mitigate the incident. 

Incident Management System (IMS) 

A combination of equipment, facilities, personnel, procedures, and communications operating within an organizational structure to aid with managing resources during incidents.  

Incident Management Team 

A group of individuals responsible for developing and implementing a complete and thorough incident response plan. This team would consist of a group of trained decision-makers in incident management and prepared to respond to any situation.

Incident Response Plan 

The prepared collection of documents laying out a predetermined set of instructions and procedures to detect, respond to, and limit the consequences of an incident against the business's information technology systems.  


A contract to finance the cost of any pre-calculated risk. The insurance contract will pay the holder the contractual amount if a risk event occurs. 

Insurance is extremely important for any business to have. Insurance is there to help with costs from any unforeseen events that may happen. Without insurance, a business owner may have to pay out-of-pocket for any damages or legal claims, which can become quite costly. Types of insurance include:

  • Business Interruption Insurance: type of insurance coverage that replaces the loss of income due to a disaster-related closure or reconstruction.  
  • Contingent Business Interruption Insurance: An extension of other insurance that compensates lost profits and additional expenses resulting from an interruption of business at the customer or supplier premises. 


Malicious Code (Malware) 

Malicious code is software designed to gain unauthorized access to a program to cause extensive damage, destroy data, or compromise its availability, integrity, and confidentiality. It can adversely affect an operating system and its applications. Malware consists of several malicious software variants, including viruses, ransomware, spyware, and worms.

  • Ransomware: An extortive type of malicious software that blocks users' access to important files by encrypting their hard drive system. The decryption of the files occurs after the user pays the ransom to regain access to their system. 
  • Spyware: A type of malicious code that is covertly installed into an information system. It obtains information about an organization or individual without them knowing. 
  • Virus: A malicious software program installed without the user's knowledge that replicates itself. It can sometimes spread to other computers via email programs and can corrupt or delete data and information on the computer's hard drive. 
  • Worm: A standalone program that copies and spreads itself over a computer network. It does not have to attach itself to a software program to damage and replicate itself without human interference. Once in a computer system, it can perform malicious acts. 

Maximum Tolerable Downtime (MTD) 

The total amount of time a business process can be inoperable before it adversely affects an organization's mission. 


The response to a disaster declaration that activates the organization's recovery. It involves relocating equipment and personnel to alternate sites, which allows the business continuity plan to be fully implemented to maintain minimum service levels for each essential business process. 


Off-Site Location 

A storage site for critical data (computerized or paper) or equipment. It is usually a safe distance from the primary location and provides access to the stored data during any incident that results in the unavailability or destruction of the original data or equipment. 


The activities allowing an organization to continue functioning after a critical event or disaster. It involves short-term planning, day-to-day activities, or delivery of a business process or IT service management process. It is the lowest of three levels of planning and delivery, which also include strategic and tactical. 


The length of time a business function, service, process, or system is interrupted or inaccessible and impacts the organization's ability to achieve its objectives. 



Proactive steps put in place to minimize the effects of disruption. These activities assist the organization in responding to or supporting recovery after a disruption. It is also referred to as preparedness. 


Rapid recovery is crucial to restoring business functions after a disaster. It prioritizes the actions needed for operational stability and to support functions and processes after a disaster. Recovery is one of three components of a business continuity plan that also includes resilience and contingency. 

Recovery Point Objective (RPO) 

The point to which work should be restored or data recovered (at the designated off-site location) to allow an activity to operate after a disruption. 

Recovery Time Objective (RTO) 

The restoration and recovery time of functions or resources after an outage. It includes assessment, execution, and verification of performance levels based on an acceptable downtime. 

Recovery Timeline 

The critical path of recovery activities for the resumption of an acceptable level of business operations after a disruption. It outlines the recovery process's prioritization and speed and can range from minutes to weeks, depending on the recovery requirements. 


The ability of an organization to withstand and respond to incidents, including natural disasters, accidents, or attacks. It identifies the processes and procedures needed to recover quickly from operational disruptions. It includes critical services such as remote access and end-user support. 

Response Plan 

Documentation developed and maintained to prepare for an incident that outlines the information and procedures to be used. 

Response Time 

The reaction time it takes to assess the impact of an incident. It determines the level of activity needed to control or contain the situation. 


The possibility of an event occurring that could affect an organization's ability to achieve its objectives. It can be determined using quantitative or qualitative measures. It considers the probability of the threat occurring, the susceptibility of an asset to the threat, and the impact the threat would have if it happened. There are three types of risks – business, disaster, and operational. 

  • Business Risk: The risk that an organization will experience an unexpected loss due to internal and external factors such as a decrease in demand for or an inability to provide products or services. 
  • Disaster Risk: The likelihood of destruction, injury, loss of life, or damage from a disaster that could happen to a particular society or community over a specific time. It is often difficult to quantify; however, disaster risk can be assessed in broad terms based on the knowledge of existing hazards, population patterns, and socio-economic development. 
  • Operational Risk: The risk of unexpected loss as a result of inefficient controls and procedures. It can include internal failures related to infrastructure and technology, staff-related problems, business interruptions, or external factors such as regulatory changes.  

Risk Acceptance  

Management's acknowledgment that the potential loss from a particular risk is minimal and therefore requires no action. 

Risk Assessment 

The process of identifying the risk factors that can potentially harm an organization, analyzing the events that can damage the organization, and identifying the key functions needed for the organization to continue doing business if the event occurs. It also involves evaluating the costs associated with mitigating the risk. Evaluating the probability of an event occurring is a critical factor involved in risk analysis. 

Risk Mitigation 

The implementation of measures that reduce and respond to an organization's exposure to risk. It ensures the continuity of business operations and examines activities needed to lessen the severity of the risk. The risk management process involves the prioritization, evaluation, and implementation of suitable measures to reduce risk. 



An established set of business continuity conditions and events that define a disruption, interruption, or any loss that might affect an organization's business operations. It assists with pre-planning and supports a business impact analysis (BIA) performance, developing a continuity strategy, and continuity and exercise plans. Scenarios are not forecasts or predictions. 

Service Level Agreement (SLA) 

An official agreement between a service provider and a client (either party can be internal or external). It includes particular aspects of the service — nature, scope, quality, availability, and timeliness of service delivery by the service provider. The SLA should cover variations to the service during disasters and changes in day-to-day situations. 

Single Point of Failure (SPOF) 

A unique part of a system that, if dysfunctional, would cause the entire system to crash. There is usually no alternative or countermeasure, so a loss of any element results in a mission-critical function or activity failure. An SPOF can be a step in a process or activity, a person, or a component or part of an IT infrastructure. 

Situational Awareness 

The perception of environmental elements that may affect an organization, including its security posture and threats within a volume of time and space. It includes the meaning of both together (risk) and their status in the future. 


Test Plan 

A document outlining a work schedule designed to test an organization's business continuity plan, systems, processes, and people. 

Threat Assessment 

A process that formally determines the seriousness of a potential threat to an organization or information system and describes the nature of the threat. 


Aims to develop the skills and knowledge required to improve proficiency for better job performance. It is more formal than awareness and targets employees with specific responsibilities and duties. Awareness is more general and involves all staff. However, training is a part of the awareness and education learning sequence. 


Vital Records 

A computer or paper record is essential for an organization to continue operating during and after an emergency. They are critical for protecting the organization's financial and legal rights and the rights of the individuals directly affected by the organization's activities. 

Vulnerability Assessment 

The process of evaluating a product or information system for any weaknesses. It determines if security measures are adequate and identifies security deficiencies by assigning severity levels to them. The assessment provides data that can evaluate the effectiveness of planned security measures and confirm their adequacy after implementation. It recommends improvements if and whenever needed. 



A test that carries out the sequence of recovery steps outlined in the business continuity plan. A walk-through's objective is to determine the plan's viability, reveal design flaws, and identify omissions to improve the business continuity plan. 

Warm Site 

A standby processing site equipped to allow an organization to resume essential business activities to avoid any adverse long-term effects on its operations. It must have electricity, hardware, and communication components that provide backup operating support after software customization and additional provisioning.