The Agility Glossary for Business Continuity is created by our Subject Matter Experts to collect and store definitions for terms used in the business continuity industry. This page is regularly updated to promote a common set of universal terms and to create consistency throughout multiple resources.
To keep a business running smoothly, you need to ensure that unplanned occurrences or serious setbacks do not impact key business functions and operations. Because this field is full of technical jargon, we have created the business continuity glossary below, compiled from multiple sources, to help you and your business.
Also called Maximum Allowable Downtime, this is the maximum amount of time a system can be down without direct or indirect consequences to the organization.
Formal notification of a potentially dangerous situation that is imminent or that has occurred. It will usually include a directive for employees to stand by for possible activation.
An approach to preparedness, prevention, response, mitigation, continuity, and recovery that addresses the full range of threats and hazards, including natural, technology-caused, and human-caused ones.
An alternate site is a separate operating location that business functions move to when the primary location is down.
An asset is anything that has value to the company, such as a piece of equipment or the workforce.
An audit is a formal inspection and confirmation to check whether the standard or set of guidelines is being followed correctly, the records are accurate, and efficiency and effectiveness targets are being met.
Backup is the process of copying data to another location so that, if the original data is lost or destroyed, another copy exists.
A black swan is an unpredictable event that goes well beyond what is normally expected of a situation and has potentially dire consequences. Black swan events are characterized by their extreme rarity, severe impact, and the widespread assertion that they were obvious in hindsight.
Business continuity is the ongoing process that ensures the necessary steps are taken to maintain organizational resilience, identify potential losses and their impact, and maintain viable recovery strategies, plans, and the continuity of services.
Business Continuity Management (BCM)
A comprehensive business continuity management process identifies threats to a company and the impacts they may cause. This process provides a structure for organizational resilience with an effective response that protects the business's key stakeholders, reputation, brand, and value-creating activities.
Business Continuity Management Program
The ongoing management and administration process, supported by top management and appropriately resourced, that ensures the necessary steps are taken to identify the impact of losses. It also ensures viable recovery strategies and the continuity of products and services through training, exercising, maintenance, and review.
Business Continuity Management System (BCMS)
A business continuity management system is the part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity.
Business Continuity Maturity Model (BCMM)
The Business Continuity Maturity Model is a tool used to measure the degree to which BCM activities have become standard and assured within an organization's business practices.
Business Continuity Plan (BCP)
A collection of procedures and information that is developed, compiled, documented, and maintained in readiness for use in the case of an incident to enable the organization to continue to deliver critical products and services at an acceptable predefined level.
Business Continuity Planning
Business Continuity Planning involves developing prior arrangements that enable the organization to respond to an event so that critical business functions can continue within the planned disruption levels. This process will result in the BCP.
Business Continuity Program
The ongoing management and administration process supported by top management and appropriately resourced to implement and maintain BCM.
Business Continuity Strategy
A Business Continuity Strategy is the approach a business takes to ensure recovery and continuity in the face of a disaster or other major event or business disruption.
Business Impact Analysis (BIA)
BIA is a process that identifies key business functions and determines the priority and order in which they must be recovered to satisfy the overall business continuity strategy goal(s) declared by upper management. The results of the BIA provide the foundation for effective continuity planning with a focus on business priorities.
Business Interruption is an event that disrupts the normal course of operations at a business's location.
A call tree is a hierarchical communication model used in an emergency to alert specific people and coordinate recovery. It is also a graph that depicts the calling responsibilities and order used to contact management, employees, customers, vendors, and other key contacts.
Cost-benefit analysis, performed after a risk assessment, is a process that enables the financial evaluation of different BCM options, balancing the cost of each option against the potential savings.
A crisis is a critical event that may dramatically affect the business's reputation, profitability, and ability to operate if not handled properly.
Crisis management is the organization's approach and response to handle an emergency in an effective and timely manner. The goal is to avoid or minimize the downtime, damage to the business's reputation, profitability, and ability to operate.
A cyber attack is an attempt, via cyberspace, to disrupt, damage, or gain access to a computer, computer system, or electronic communications network. It is a malicious attempt to target a company's use of cyberspace in order to disable, destroy, or control the computing infrastructure, destroy data, or steal controlled information.
Damage Assessment is the process of defining the nature and extent of a disruption resulting from a natural, accidental, or human-caused disaster. Damage assessment provides situational awareness and critical information on the event's type, scope, and severity.
Data recovery is a process of salvaging unavailable, lost, damaged, or formatted data from alternative storage, removable media, or files when the data stored in them cannot be accessed in a usual way.
A pre-authorized formal announcement that an event or severe outage is predicted/has occurred. This action triggers pre-arranged mitigating measures.
Disaster Recovery (DR)
Disaster recovery is the process of resuming business operations following a disruption by regaining access to data, networking equipment, physical locations, power, and connectivity. The disaster recovery response team should always follow a disaster recovery plan.
Disaster Recovery Plan
A written process or set of procedures developed to prepare the organization to recover as quickly as possible after a disruption, including the resumption of network systems, workforce safety, and physical recovery.
Disaster Management is an ongoing process to prevent, reduce, prepare for, respond to, maintain continuity during, and recover from an incident that threatens employees' lives, the property of the business, the operations of the company, or the environment.
Downtime is a period of time when business operations are paused or no longer functioning as normal. It is also called an outage when referring to information technology services or systems.
An emergency is an unexpected situation that could cause loss of life, injury, and property destruction and may result in the need for immediate action. This could also be the interference, loss, or disruption of a business's normal operations to the extent that it poses a threat.
Emergency management is the organization and management of the resources and responsibilities for dealing with all aspects of an emergency, including preparedness, response, mitigation, and recovery. The goal is to minimize the harmful effects of all hazards, including disasters.
The capability of an organization or a community to respond to unforeseen circumstances. This should be completed in a timely, coordinated, and effective manner to prevent loss of life and injury or property damage.
Emergency Response Plan
A well-documented plan that facilitates and organizes the reaction and response of everyone involved to any emergency situation that could happen.
Enterprise Risk Management (ERM)
Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives.
Enterprise Risk Management is a plan-based company-wide strategy that seeks to identify, assess, prepare for and mitigate the outcome of any potential disruption. ERM typically involves identifying events and circumstances that are relevant to the company's goals (both risks and opportunities). These will be assessed in terms of likelihood and magnitude of impact, determining a strategy, and monitoring progress.
By identifying and proactively addressing these risks and opportunities, the business can protect and create value for stakeholders, who can include owners, employees, customers, regulators, and even society.
An exercise plan is a plan designed to periodically evaluate the tasks, teams, and procedures documented in the business's continuity program to ensure the program remains viable.
One example of this is the tabletop exercise, during which participants review and discuss the actions each employee and member of the organization would take.
A first responder is a member of an emergency service who is the first to arrive at the scene of an incident. This would usually be someone from the police force, the fire team, or ambulance personnel.
Gap analysis is a comparison that will identify the differences between the actual and the desired outcome.
A separate facility to which an organization can relocate following a disaster. This backup location must have all the necessary infrastructure, such as the equipment, telecommunications, and environmental elements required to recover business functions or information systems.
Incident Management Plan (IMP)
An incident management plan is a clearly defined and well-documented plan of action to be used at the time of an incident. It covers key personnel, resources, services, and the steps needed to implement the incident management process.
Incident Management Process
The incident management process is the set of actions taken to respond to and resolve incidents. It includes how incidents are detected and communicated, who is responsible for different actions, what tools the business will need to resolve them, and what steps must be taken to mitigate the incident.
Incident Management System (IMS)
An incident management system is a combination of equipment, facilities, personnel, procedures, and communications operating within an organizational structure to aid in managing resources during incidents.
Incident Management Team
An incident management team is a group of individuals responsible for developing and implementing a complete and thorough incident response plan. The team consists of decision-makers trained in incident management and prepared to respond to any situation that may arise.
Incident Response Plan
The incident response plan is the prepared collection of documents laying out a predetermined set of instructions and procedures to detect, respond to, and limit the consequences of an incident against the business's information technology systems.
Insurance is a contract to finance the cost of any pre-calculated risk. The insurance contract will pay the holder the contractual amount if a risk event occurs.
Types Of Insurance
Insurance is extremely important for any business to have. Insurance is there to help with costs from any unforeseen events that may happen. Without insurance, a business owner may have to pay out-of-pocket for any damages or legal claims, which can become quite costly. Below we outline three different types of insurance that are handy for operations.
Business Interruption Insurance
Business interruption insurance is a type of insurance coverage that replaces the loss of income due to a disaster-related closure or reconstruction.
Contingent Business Interruption Insurance
CBI insurance is an extension to other insurance that compensates lost profits and additional expenses resulting from an interruption of business at the customer or supplier premises.
Malicious Code (Malware)
Malicious code is software designed to gain unauthorized access to a system or program in order to cause extensive damage, destroy data, or compromise its availability, integrity, and confidentiality. It can adversely affect an operating system and its applications. Malware comprises several malicious software variants, including viruses, ransomware, spyware, and worms.
Types of Malware
Ransomware: An extortive type of malicious software that blocks users' access to important files by encrypting them or the entire drive. The files are decrypted only after the user pays the ransom to regain access to the system.
Spyware: A type of malicious code that is covertly installed on an information system. It obtains information about an organization or individual without their knowledge.
Virus: A malicious software program installed without the user's knowledge that replicates itself. It can sometimes spread to other computers via e-mail programs and can corrupt or delete data and information on the computer's hard drive.
Worm: A standalone program that copies and spreads itself over a computer network. It does not need to attach itself to a host program, and it replicates and causes damage without any human interaction. Once inside a computer system, it can perform malicious acts.
Maximum Tolerable Downtime (MTD)
The total amount of time a business process can be inoperable before it adversely affects an organization's mission.
The response to a disaster declaration that activates the organization's recovery. It involves the relocation of equipment and personnel to alternate sites, which allows the Business Continuity Plan to be fully implemented to maintain minimum service levels for each essential business process.
A storage site for critical data (computerized or paper), or equipment. It is usually a safe distance from the primary location and provides access to the stored data during any incident that results in the unavailability or destruction of the original data or equipment.
The activities that allow an organization to continue functioning after a critical event or disaster. It involves short-term planning, day-to-day activities, and the delivery of a business process or IT service management process. It is the lowest of the three levels of planning and delivery, the others being Strategic and Tactical.
The length of time a business function, service, process, or system is interrupted or inaccessible and impacts the organization's ability to achieve its objectives.
Proactive steps put in place to minimize the effects of disruption. These activities assist the organization in responding to or supporting recovery after a disruption. It is also referred to as Preparedness.
Rapid recovery is crucial to restoring business functions after a disaster. It prioritizes the actions needed for operational stability and to support functions and processes after a disaster. Recovery is one of three components of a business continuity plan that also includes Resilience and Contingency.
Recovery Point Objective (RPO)
The point to which work should be restored or data recovered (at the designated off-site location) to allow an activity to operate after a disruption.
Recovery Time Objective (RTO)
The time allowed for the restoration and recovery of functions or resources after an outage. It includes assessment, execution, and verification of performance levels and is based on the acceptable downtime.
The critical path of recovery activities for the resumption of an acceptable level of business operations after a disruption. It outlines the recovery process's prioritization and speed and can range from minutes to weeks, depending on the recovery requirements.
The ability of an organization to withstand and respond to incidents including natural disasters, accidents, or attacks. It identifies the processes and procedures needed to recover quickly from operational disruptions. It includes critical services such as remote access and end-user support.
Documentation developed and maintained to prepare for an incident that outlines the information and procedures to be used.
The reaction time it takes to assess the impact of an incident. It determines the level of activity needed to control or contain the situation.
The possibility of an event occurring that could affect an organization's ability to achieve its objectives. It can be determined using quantitative or qualitative measures. It considers the probability of the threat occurring, the susceptibility of an asset to the threat, and the impact the threat would have if it happened. There are three types of risks – Business, Disaster, and Operational.
Types of Risk
Business Risk: The risk that an organization will experience an unexpected loss due to internal and external factors such as a decrease in demand for or an inability to provide products or services.
Disaster Risk: The likelihood of destruction, injury, loss of life or damage from a disaster that could happen to a particular society or community over a specific time. It is often difficult to quantify; however, disaster risk can be assessed in broad terms based on the knowledge of existing hazards, population patterns, and socio-economic development.
Operational Risk: The risk of unexpected loss as a result of inefficient controls and procedures. It can include internal failures related to infrastructure and technology, staff-related problems or business interruptions, or external factors such as regulatory changes.
Management's acknowledgment that the potential loss from a particular risk is minimal and therefore requires no action.
The process of identifying the risk factors that can potentially harm an organization, analyzing the events that can damage the organization, and identifying the key functions needed for the organization to continue doing business if the event occurs. It also involves evaluating the costs associated with mitigating the risk. Evaluating the probability of an event occurring is one of the critical factors involved in risk analysis.
The implementation of measures that reduce and respond to an organization's exposure to risk. It ensures the continuity of business operations and examines activities needed to lessen the severity of the risk. The risk management process involves the prioritization, evaluation, and implementation of suitable measures to reduce risk.
An established set of business continuity conditions and events that define a disruption, interruption, or other loss that might affect an organization's business operations. It assists with pre-planning and supports performing a Business Impact Analysis (BIA), developing a continuity strategy, and developing continuity and exercise plans. Scenarios are not forecasts or predictions.
Service Level Agreement (SLA)
An official agreement between a service provider and a client (either party can be internal or external). It includes particular aspects of the service - nature, scope, quality, availability, and timeliness of service delivery by the service provider. The SLA should cover variations to the service during disasters and changes in day-to-day situations.
Single Point of Failure (SPOF)
A SPOF is a single part of a system that, if it fails, would cause the entire system to fail. There is usually no alternative or countermeasure, so the loss of that element results in the failure of a mission-critical function or activity. A SPOF can be a step in a process or activity, a person, or a component of an IT infrastructure. See Failure.
The perception of the environmental elements that may affect an organization, including its security posture and threats, within a volume of time and space. It includes understanding the meaning of both together (risk) and projecting their status into the future.
A document outlining a schedule of work designed to test an organization's business continuity plan, systems, processes and people.
A process that formally determines the seriousness of a potential threat to an organization or information system and describes the nature of the threat.
The objective of training is to develop the skills and knowledge required to improve proficiency for better job performance. It is more formal than awareness and targets employees with specific responsibilities and duties, whereas awareness is more general and involves all staff. Training forms part of the awareness and education learning sequence.
Computer or paper records that are essential for an organization to continue operating during and after an emergency. They are critical for protecting the organization's financial and legal rights and the rights of the individuals directly affected by the organization's activities.
Vulnerability assessment is the process of evaluating a product or information system for any weaknesses. It determines if security measures are adequate and identifies security deficiencies by assigning severity levels to them. The assessment provides data that can evaluate the effectiveness of planned security measures and confirm their adequacy after implementation. It recommends improvements if and whenever needed.
A walk-through is a test that carries out the sequence of recovery steps outlined in the business continuity plan. A walk-through's objective is to determine the plan's viability, reveal design flaws, and identify omissions to improve the business continuity plan.
A warm site is a standby processing site equipped to allow an organization to resume essential business activities and avoid adverse long-term effects on its operations. It must have electricity, hardware, and communication components that provide backup operating support after software customization and additional provisioning.