A

Access Denial – See: Denial of Access. [BCI]

Acceptable Risk – That level of risk (likelihood of occurrence and consequence of impact) for any activity or situation that is sufficiently low that society (or an organisation within society that is managing the risk) is comfortable with it. Society (and an individual organisation) does not generally consider expenditure in further reducing such risks justifiable. (Adapted from Australian National 1994.)

Activation – The implementation of business continuity procedures, activities and plans in response to a Business Continuity Emergency, Event, Incident and/or Crisis (E/I/C). See: Invocation. [BCI]

Activity – A process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products or services.

NOTE: Examples of such processes include accounts, call centre, IT, manufacture, distribution. [BS25999-2]

Activity – A set of actions designed to achieve a particular result. Activities are usually defined as part of Processes or Plans, and are documented in Procedures. [ITIL]

ALE – See: Annual Loss Exposure/Expectancy.

Alert – A formal notification that an E/I/C has occurred which may develop into a Business Continuity Management or Crisis Management invocation. [BCI]

Alert – Notification that a potential disaster situation is imminent, exists or has occurred; usually includes a directive for personnel to stand by for possible activation. [DRI]

Alert – (Service Operation) A warning that a threshold has been reached, something has changed, or a failure has occurred. Alerts are often created and managed by System Management tools and are managed by the Event Management Process. [ITIL]

Alternate Site – A site held in readiness for use during a Business Continuity E/I/C to maintain the business continuity of an organisation’s Mission Critical Activities. The term applies equally to office or technology requirements. Alternate sites may be ‘cold’, ‘warm’ or ‘hot’. This type of site is also known as a Recovery Site. See: Cold Site; Warm Site; Hot Site; Recovery Site. [BCI]

Alternate Site – An alternate operating location to be used by business functions when the primary facilities are inaccessible:

–   Another location, computer centre or work area designated for recovery.

–   Location, other than the main facility, that can be used to conduct business functions.

–   A location, other than the normal facility, used to process data and/or conduct critical business functions in the event of a disaster. [DRI]

Alternate Work Area – Recovery environment complete with necessary infrastructure (desk, telephone, workstation, and associated hardware and equipment, communications, etc.). [DRI]

Alternative Routing – The routing of information via an alternative cable routing medium (i.e. using different networks should the normal network be rendered unavailable). [BCI]

Annual Loss Exposure/Expectancy (ALE) – A risk management method of calculating loss based on a value and level of frequency. [DRI]

Application – Software that provides functions that are required by an IT Service. Each application may be part of more than one IT service. An application runs on one or more servers or clients. [ITIL]

Application Recovery – The component of disaster recovery that deals specifically with the restoration of business system software and data after the processing platform has been restored or replaced. [DRI]

Assembly Area – The designated area at which employees, visitors and contractors assemble if evacuated from their building/site. [BCI & DRI]

Asset – An item of property and/or component of a business activity/process owned by an organization. There are three types of asset:

1   physical assets (e.g. buildings and equipment)

2   financial assets (e.g. currency, bank deposits and shares)

3   non-tangible assets (e.g. goodwill, reputation). [BCI & DRI]

Asset – (Service Strategy) Any resource or capability. Assets of a Service Provider include anything that could contribute to the delivery of a service. Assets can be one of the following types: Management, Organisation, Process, Knowledge, People, Information, Applications, Infrastructure, and Financial Capital. [ITIL]

Asset – Anything that has value to the organisation. [ISO/IEC 13335-1:2004 & ISO/IEC 27001:2005]

Asset Risk – A category of risk management that looks at maximising investment-related activities and managing such adverse factors as the collapse of an investment market, currency mismatches and poor investment performance. This type of risk is also known as Investment Risk. [BCI]

Associate Business Continuity Institute (ABCI) – A professional certification granted by the Business Continuity Institute for business continuity practitioners who are currently working in business continuity management but do not yet have sufficient experience to qualify for the MBCI or SBCI designation. [DRI]

Associate Business Continuity Professional (ABCP) – The ABCP level is designed for individuals with less than two years of Continuity Management experience, but who have minimum knowledge in continuity management, and have passed the qualifying exam. [DRI]

Assurance – The activity and process whereby an organisation can verify and validate its BCM capability. [BCI]

Audit – Systematic examination to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable for achieving the organisation’s policy and objectives. [BS EN ISO 9000:2005]

Audit – The process by which procedures and/or documentation are measured against pre-agreed standards. [BCI]

Availability – (Service Design) Ability of a configuration item or service to perform its agreed function when required. Availability is determined by reliability, maintainability, serviceability, performance and security. Availability is usually calculated as a percentage. This calculation is often based on agreed service time and downtime. It is best practice to calculate availability using measurements of the business output of the IT service. [ITIL]

Availability – The property of being accessible and usable upon demand by an authorised entity. [ISO/IEC 13335-1:2004 & ISO/IEC 27001:2005]

Availability – Ability of a component or service to perform its required function at a stated instant or over a stated period of time.

NOTE: Availability is usually expressed as a ratio of the time that the service is actually available for use by the business to the agreed service hours. [ISO/IEC 20000-1:2005]

B

Backlog – The effect on the business of a build-up of work that occurs as the result of a system or process being unavailable for an unacceptable period. A situation whereby a backlog of work requires more time to action than is available through normal working patterns. In extreme circumstances, the backlog may become so marked that the backlog cannot be cleared. [BCI]

Backlog

–   The amount of work that accumulates when a system or process is unavailable for a long period of time. This work needs to be processed once the system or process is available and may take a considerable amount of time to process.

–   A situation whereby a backlog of work requires more time to action than is available through normal working patterns. In extreme circumstances, the backlog may become so marked that the backlog cannot be cleared. [DRI]

Backup – A process by which data, electronic or paper based, is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted. [BCI & DRI]

Backup – (Service Design) (Service Operation) Copying data to protect against loss of integrity or availability of the original. [ITIL]

Backup Generator – An independent source of power, usually fueled by diesel or natural gas. [DRI]

Battle Box – A container – often literally a box or briefcase – in which data and information, e.g. BCP, is stored so as to be immediately available to those responding to an E/I/C. [BCI]

BCI – See: Business Continuity Institute.

BCM – See: Business Continuity Management.

BCMS – See: Business Continuity Management System.

BCP – See: Business Continuity Plan.

BIA – See: Business Impact Analysis.

BIRRA – See: Business Impact Resource Recovery Analysis.

Blue Light Services – Usually refers to the civil services of Police, Fire and Ambulance. See: Emergency Services; Statutory Services. [BCI]

Bronze Control – The agreed civil Emergency Services term for Operational Control. See: Operational Control; Level 3 Control. [BCI]

Building Denial – See: Denial of Access. [BCI]

Business Activity – A group of activities/processes undertaken by an organisation to produce a product and/or service and/or in pursuit of a common goal. [BCI]

Business Continuity – Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. [BS25999-2]

Business Continuity – The ability of an organization to provide service and support for its customers and to maintain its viability before, during, and after a business continuity event. [DRI]

Business Continuity Coordinator – A role within the BCM program that coordinates planning and implementation for overall recovery of an organization or unit(s). [DRI]

Business Continuity Institute (BCI) – The Institute of professional Business Continuity Managers. Website: www.thebci.org. [BCI]

Business Continuity Institute (BCI) – An international organization established to enable members to obtain guidance and support from fellow business continuity practitioners. The BCI promotes the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity planning and services. [DRI]

Business Continuity Management (BCM) – Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

NOTE: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure the business continuity plan(s) stays current and up to date. [BS25999-2]

Business Continuity Management (BCM) – A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. [BCI & DRI] The management of recovery or continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date. [DRI]

Business Continuity Management (BCM) – (Service Design) The business process responsible for managing risks that could seriously impact the business. BCM safeguards the interests of key stakeholders, reputation, brand and value-creating activities. The BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur. BCM sets the objectives, scope and requirements for IT Service Continuity Management. [ITIL]

Business Continuity Management Activity – An action or series of actions that form a part of a BCM process. [BCI]

Business Continuity Management Co-ordinator – A role that is assigned the overall responsibility for co-ordinating the organisation(s) or business unit(s) BCM programme. See: Business Recovery Planner; Business Recovery Co-ordinator; Disaster Recovery Administrator. [BCI]

Business Continuity Management Life Cycle – Series of business continuity activities which collectively cover all aspects and phases of the business continuity management programme. [BS25999-2]

Business Continuity Management Life Cycle – The complete set of activities and processes divided into various stages that are necessary to manage business continuity. [BCI]

Business Continuity Management Maturity – The level and degree to which BCM activities have become standard and assured business practices within an organisation. See: Maturity. [BCI]

Business Continuity Management Personnel – Those assigned responsibilities defined in the BCMS, those accountable for BCM policy and its implementation, those who implement and maintain the BCMS, those who use or invoke the business continuity and incident management plans, and those with authority during an incident. [BS25999-2]

Business Continuity Management Plan – A clearly defined and documented plan for use at the time of a Business Continuity Emergency, Event, Incident and/or Crisis (E/I/C). Typically, a plan will cover all the key personnel, resources, services and actions required to manage the BCM process. See: Business Continuity Plan (also known as BCP). [BCI]

Business Continuity Management Planning – The advance planning and preparations that are necessary to identify the impact of potential losses; to formulate and implement viable recovery strategies; to develop recovery plan(s) which ensure continuity of organisational services in the event of an E/I/C; and to deliver a comprehensive training, testing and maintenance programme. See: Contingency Planning; Disaster Recovery Planning; Business Recovery Planning. [BCI]

Business Continuity Management Policy – A BCM policy sets out an organisation’s aims, principles and approach to BCM, what and how it will be delivered, key roles and responsibilities and how BCM will be governed and reported upon. [BCI]

Business Continuity Management Process – A set of activities/processes with defined outcomes, deliverables and evaluation criteria that form a distinct part of the BCM life cycle. [BCI]

Business Continuity Management Process – The Business Continuity Institute’s BCM Process provides guidance on good practices that cover the whole BCM life cycle and combines five key elements:

1   understanding your business

2   BCM strategies

3   developing a BCM response

4   establishing a BCM culture

5   exercising, maintenance and audit. [DRI]

Business Continuity Management Program – An ongoing management and governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance and assurance. See: Disaster Recovery Programme; Business Recovery Programme; Contingency Planning. [BCI & DRI]

Business Continuity Management Programme – Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. [BS25999-2]

Business Continuity Management Response – Element of BCM concerned with the development and implementation of appropriate plans and arrangements to ensure continuity of critical activities and the management of an incident. [BS25999-2]

Business Continuity Management System (BCMS) – That part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

NOTE: The management system includes organisational structure, policies, planning activities, responsibilities, procedures, processes and resources. [BS25999-2]

Business Continuity Management Team – A defined number of roles and responsibilities for implementing the Business Continuity Management Plan. See: Business Recovery Team. [BCI]

Business Continuity Management Team – A group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre- and post-disaster. Similar terms: Disaster Recovery Management Team; Business Recovery Management Team. [DRI]

Business Continuity Plan (BCP) – Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable predefined level. [BS25999-2]

Business Continuity Plan (BCP) – A clearly defined and documented plan. See: Business Continuity Management Plan. [BCI]

Business Continuity Plan (BCP) – Process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption. [DRI]

Business Continuity Plan (BCP) – (Service Design) A plan defining the steps required to restore business processes following a disruption. The plan will also identify the triggers for invocation, people to be involved, communications etc. IT Service Continuity Plans form a significant part of Business Continuity Plans. [ITIL]

Business Continuity Plan Administrator – The designated individual responsible for plan documentation, maintenance, and distribution. [DRI]

Business Continuity Steering Committee – A committee of decision makers, process owners, technology experts and continuity professionals, tasked with making strategic recovery and continuity planning decisions for the organization. [DRI]

Business Continuity Strategy – Approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption. [BS25999-2]

Business Continuity Strategy – An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one solution to fulfill an organization’s strategy. Examples: Internal or External Hot Site, or Cold Site; Alternate Work Area; Reciprocal Agreement; Mobile Recovery; Quick Ship / Drop Ship; Consortium-based solutions; etc. [DRI]

Business Critical Functions – Critical operational or support activities. See: Mission Critical Activities. [BCI]

Business Critical Point – The latest moment at which the business can afford to be without a Mission Critical Activity or dependency. [BCI]

Business Function – A business unit within an organisation, e.g. branch/division. [BCI]

Business Impact Analysis (BIA) – Process of analysing business functions and the effect that a business disruption might have upon them. [BS25999-2]

Business Impact Analysis (BIA) – The management level analysis by which an organisation assesses the quantitative (financial) and qualitative (non-financial) impacts, effects and loss that might result if the organisation were to suffer a Business Continuity E/I/C. The findings from a BIA are used to make decisions concerning Business Continuity Management strategy and solutions. [BCI]

Business Impact Analysis (BIA) – A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event. [DRI]

Business Impact Analysis (BIA) – (Service Strategy) BIA is the activity in business continuity management that identifies vital business functions and their dependencies. These dependencies may include suppliers, people, other business processes, IT services, etc. BIA defines the recovery requirements for IT services. These requirements include recovery time objectives, recovery point objectives and minimum service level targets for each IT service. [ITIL]

Business Impact Resource Recovery Analysis (BIRRA) – An assessment of the minimum level of resources, e.g. personnel, workstations, technology, telephony required, over time, after a Business Continuity E/I/C to maintain the continuity of the organisation’s Mission Critical Activities at a minimum level of service/production. Generally considered to be part of a BIA, it is an integral part of any subsequent resource Gap Analysis. See: Business Impact Analysis. [BCI]

Business Interruption – Any event, whether anticipated (i.e. public service strike) or unanticipated (i.e. blackout) which disrupts the normal course of business operations at an organization’s location. Similar terms: Outage; Service Interruption. [DRI]

Business Interruption Costs – The impact to the business caused by different types of outages, normally measured by revenue lost. [DRI]

Business Interruption Insurance – Insurance coverage for disaster-related expenses that may be incurred until operations are fully recovered after a disaster. Business interruption insurance generally provides reimbursement for necessary ongoing expenses during this shutdown, plus loss of net profits that would have been earned during the period of interruption, within the limits of the policy. [DRI]

Business Process – A process that is owned and carried out by the business. A business process contributes to the delivery of a product or service to a business customer. For example, a retailer may have a purchasing process which helps to deliver services to their business customers. Many business processes rely on IT services. [ITIL]

Business Recovery – See: Business Continuity Management (BCM). [BCI]

Business Recovery Coordinator – An individual or group designated to coordinate or control designated recovery processes or testing. [DRI] See: Business Continuity Management Co-ordinator; Business Recovery Planner; Disaster Recovery Planner; Disaster Recovery Administrator. [BCI]

Business Recovery Plan – See: Business Continuity Management Plan; Business Continuity Plan (BCP); Disaster Recovery Plan. [BCI]

Business Recovery Planner – See: BCM Co-ordinator; Business Recovery Co-ordinator; Disaster Recovery Planner; Disaster Recovery Administrator. [BCI]

Business Recovery Planning – See: BCM Planning; Contingency Planning; Disaster Recovery Planning. [BCI]

Business Recovery Programme – See: BCM Programme; Disaster Recovery Programme; Disaster Recovery Planning; Contingency Planning. [BCI]

Business Recovery Team – A team responsible for maintaining the business recovery procedures and complying with the organization’s BCM program. [DRI] See: BCM Team. [BCI]

Business Recovery Timeline – The approved sequence of activities required to achieve stable operations following a business interruption. This timeline may range from minutes to weeks, depending upon the recovery requirements and methodology. [DRI]

Business Risk – The risk that external factors, such as a fall in demand for an organisation’s products or services, will result in unexpected loss. Business risk, if managed well, can also result in a competitive advantage being gained. [BCI]

Business Unit Recovery – A component of Business Continuity which deals specifically with the recovery of a key function or department in the event of a disaster. [DRI]

Business Service – An IT Service that directly supports a business process, as opposed to an infrastructure service which is used internally by the IT service provider and is not usually visible to the business. The term Business Service is also used to mean a service that is delivered to business customers by business units. For example, delivery of financial services to customers of a bank, or goods to the customers of a retail store. Successful delivery of business services often depends on one or more IT services. [ITIL]

C

Call Tree – A structured cascade process (system) that enables a list of persons, roles and/or organisations to be contacted as a part of an information or plan invocation procedure. See: Contact List; Cascade System; Reverse Cascade System. [BCI]

Call Tree – A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors, and other key contacts in the event of an emergency, disaster, or severe outage situation. [DRI]

Call Tree Cascade Test – A test designed to validate the currency of contact lists and the processes by which they are maintained. [BCI]

Campus – A set of buildings which are geographically grouped together. [BCI]

Cascade System – A system whereby one person or organization calls out / contacts others who, in turn, initiate further call-outs/contacts as necessary. See: Contact List; Call Tree; Reverse Cascade System. [BCI & DRI]

Casualty Bureau – The central police-controlled contact and information point for all records and data relating to casualties and fatalities. [BCI]

Certified Business Continuity Professional (CBCP) – The CBCP certification is for individuals with a minimum of two years of Enterprise Continuity Management experience in 5 of the 10 Professional Practice areas, have passed the qualifying exam and have had their DRII Certification Application approved. [DRI]

Certified Functional Continuity Professional (CFCP) – The CFCP is designed for individuals with a minimum of two years of Continuity Management experience in three of the ten Professional Practice areas, have passed the qualifying exam and have had their DRII Certification Application approved. This certification provides a certification opportunity for those individuals with Continuity Management experience in specific functional or vertical areas vs. enterprise wide. [DRI]

Checklist

–   Tool to remind and/or validate that tasks have been completed and resources are available, to report on the status of recovery.

–   A list of items (names or tasks, etc.) to be checked or consulted. [DRI]

Checklist Exercise – A method used to exercise a completed disaster recovery plan. This type of exercise is used to determine if the information such as phone numbers, manuals, equipment, etc. in the plan is accurate and current. [DRI]

CI – See: Configuration Item.

CMT – See: Crisis Management Team.

Cold Site – A site (data centre / work area) equipped with appropriate environmental conditioning, electrical connectivity, communications access, configurable space and access to accommodate the installation and operation of equipment by key employees required to resume business operations. See: Alternate Site. [BCI]

Cold Site – An alternate facility that already has in place the environmental infrastructure required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, telecommunications equipment, communication lines, etc. These must be provisioned at time of disaster. [DRI]

Cold Standby – Synonym for Gradual Recovery. [ITIL]

Command Center – A physical or virtual facility located outside of the affected area used to gather, assess, and disseminate information and to make decisions to affect recovery. [DRI]

Command Centre (CC) – The facility used by a Crisis Management Team after the first phase of a Business Continuity E/I/C. An organisation must have a primary and secondary location for a command centre in the event of one being unavailable. It may also serve as a reporting point for deliveries, services, press and all external contacts. See: Emergency Control Centre (ECC); Emergency Operations Centre (EOC); Command and Control. [BCI]

Command, Control and Coordination – A Crisis Management process:

–   Command means the authority for an organization or part of an organization to direct the actions of its own resources (both personnel and equipment).

–   Control means the authority to direct strategic, tactical and operational operations in order to complete an assigned function and includes the ability to direct the activities of others engaged in the completion of that function, i.e. the crisis as a whole or a function within the crisis management process. The control of an assigned function also carries with it the responsibility for the health and safety of those involved.

–   Coordination means the harmonious integration of the expertise of all the agencies/roles involved with the objective of effectively and efficiently bringing the crisis to a successful conclusion.

See: Level 1 Control; Strategic Control; Gold Control; Tactical Control; Level 2 Control; Silver Control; Level 3 Control; Operational Control; Bronze Control. [BCI & DRI]

Communications Recovery – The component of Disaster Recovery which deals with the restoration or rerouting of an organization’s telecommunication network, or its components, in the event of loss. [DRI]

Component Failure Impact Analysis (CFIA) – (Service Design) A technique that helps to identify the impact of CI failure on IT services. A matrix is created with IT Services on one edge and CIs on the other. This enables the identification of critical CIs (that could cause the failure of multiple IT services) and of fragile IT services (that have multiple Single Points of Failure). [ITIL]

Configuration Item (CI) – (Service Transition) Any component that needs to be managed in order to deliver an IT service. Information about each CI is recorded in a Configuration Record within the Configuration Management System and is maintained throughout its life cycle by Configuration Management. CIs are under the control of Change Management. CIs typically include IT services, hardware, software, buildings, people, and formal documentation such as process documentation and SLAs. [ITIL]

Configuration Item (CI) – Component of an infrastructure or an item which is, or will be, under the control of configuration management.

NOTE: Configuration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module or a minor hardware component. [ISO/IEC 20000-1:2005]

Consequence – Outcome of an incident that will have an impact on an organisation’s objectives.

NOTE 1: There can be a range of consequences from one incident.

NOTE 2: A consequence can be certain or uncertain and can have positive or negative impact on objectives. [BS25999-2]

Consequence – The end result following a Business Continuity E/I/C that can be defined as loss, injury, disadvantage or gain. [BCI]

Consortium Agreement – An agreement made by a group of organizations to share processing facilities and/or office facilities, if one member of the group suffers a disaster. [DRI]

Contact List – A list of team members and/or key personnel to be contacted including their backups. The list will include the necessary contact information (i.e. home phone, pager, cell, etc.) and in many cases it is considered confidential. [DRI] See: Call Tree; Cascade System; Reverse Cascade System. [BCI]

Contingency Fund – A budget for meeting and managing operating expense at the time of a Business Continuity E/I/C. See: Expense Control. [BCI]

Contingency Plan – A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations. [DRI]

Contingency Planning – Process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization. [DRI] See: BCM Planning; Business Continuity Management Programme; Business Recovery Programme; Disaster Recovery Planning. [BCI]

Continuity Of Operations Plan (COOP) – A COOP provides guidance on the system restoration for emergencies, disasters, mobilization, and for maintaining a state of readiness to provide the necessary level of information processing support commensurate with the mission requirements/priorities identified by the respective functional proponent. The Federal Government and its supporting agencies traditionally use this term to describe activities otherwise known as Disaster Recovery, Business Continuity, Business Resumption, or Contingency Planning. [DRI]

Continuous Availability – A system or application that supports operations which continue with little to no noticeable impact to the user. For instance, with continuous availability, the user will not have to re-log in, or to re-submit a partial or whole transaction. [DRI]

Continuous Availability – (Service Design) An approach or design to achieve 100% availability. A continuously available IT service has no planned or unplanned downtime. [ITIL]

Continuous Operations – The ability of an organization to perform its processes without interruption. [DRI]

Control – Any action which reduces the probability of a risk occurring or reduces its impact if it does occur. See: Command, Control and Co-ordination. [BCI]

Control – A means of managing a risk, ensuring that a business objective is achieved, or ensuring that a process is followed. Example Controls include policies, procedures, roles, RAID, door-locks, etc. A control is sometimes called a countermeasure or safeguard. Control also means to manage the utilisation or behaviour of a configuration item, system or IT service. [ITIL]

Control and Risk Self Assessment (CRSA) – See: Control Self Assessment (CSA). [BCI]

Control Culture – Sets the tone for an organisation, influencing the control consciousness of its people. Control culture factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organises and develops its people; and the attention and direction provided by a Board. [BCI]

Control Environment – The whole system of controls, financial and otherwise, established by a Board and management in order to carry on an organisation’s business in an effective and efficient manner, in line with the organisation’s established objectives and goals. Also there to ensure compliance with laws and regulations, to safeguard an organisation’s assets and to ensure the reliability of management and financial information. Also referred to as Internal Control. See: Internal Control. [BCI]

Control Framework – A model or recognised system of control categories that covers all internal controls expected within an organisation. See: Risk Framework. [BCI]

Control Review/Monitoring – Involves selecting a control and establishing whether it has been working effectively and as described and expected during the period under review. [BCI]

Control Room Exercise – A methodology for exercising key people, communications, procedures and information flows between individuals and/or teams and different control rooms. [BCI]

Control Self Assessment (CSA) – A class of techniques used in an audit or in place of an audit to assess risk and control strengths and weaknesses against a control framework. The ‘Self’ assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors. CSA techniques can include workshop/seminars, focus groups, structured interviews and survey questionnaires. See: Control and Risk Self Assessment. [BCI]

COOP – See: Continuity Of Operations Plan.

Cordon (Inner and Outer) – The boundary line of a zone that is determined, reinforced by legislative power, and exclusively controlled by the emergency services from which all unauthorised persons are excluded for a period of time determined by the emergency services. See: Exclusion Zone(s) (EZ). [BCI]

Corporate Governance – The system/process by which the directors and officers of an organization are required to carry out and discharge their legal, moral and regulatory accountabilities and responsibilities. [BCI & DRI]

Corporate Risk – A category of risk management that looks at ensuring an organization meets its corporate governance responsibilities, takes appropriate actions and identifies and manages emerging risks. [BCI & DRI]

Cost-benefit Analysis – Financial technique that measures the cost of implementing a particular solution and compares this with the benefit delivered by that solution.

NOTE: The benefit may be defined in financial, reputational, service delivery, regulatory or other terms appropriate to the organisation. [BS25999-2]

Cost-benefit Analysis – A process (after a BIA and risk assessment) that facilitates the financial assessment of different strategic BCM options and balances the cost of each option against the perceived savings. [BCI & DRI]

Cost-benefit Analysis – An activity that analyses and compares the costs and the benefits involved in one or more alternative courses of action. [ITIL]

Counselling – See: Trauma Counselling; Post Traumatic Stress Disorder; Trauma Management. [BCI]

Countermeasure – Can be used to refer to any type of control. The term ‘Countermeasure’ is most often used when referring to measures that increase resilience, fault tolerance or reliability of an IT service. [ITIL]

Crisis – An occurrence and/or perception that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organisation. [BCI]

Crisis – A critical event, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation, or ability to operate. Or, an occurrence and/or perception that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organization. [DRI]

Crisis Management – The process by which an organisation manages the wider impact of a Business Continuity E/I/C until it is either under control or contained without impact to the organisation or the BCP is invoked as a part of the Crisis Management process. [BCI]

Crisis Management – The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, and ability to operate. [DRI]

Crisis Management – The process responsible for managing the wider implications of business continuity. A crisis management team is responsible for strategic issues such as managing media relations and shareholder confidence, and decides when to invoke business continuity plans. [ITIL]

Crisis Management Plan – A clearly defined and documented plan of action for use at the time of a crisis. Typically, a plan will cover all the key personnel, resources, services and actions required to implement and manage the crisis management process. [BCI]

Crisis Management Team(s) (CMT) – A defined number of roles and responsibilities for implementing the organisation’s Crisis Management Plan. See: Strategic Control; Gold Control; Tactical Control; Silver Control; Operational Control; Bronze Control. [BCI]

Crisis Management Team – A team consisting of key executives, key role players (i.e. media representative, legal counsel, facilities manager, disaster recovery coordinator, etc.), and the appropriate business owners of critical functions who are responsible for recovery operations during a crisis. [DRI]

Crisis Plan – See: Crisis Management Plan. [BCI]

Critical – Usually applied to a resource or process that must be kept going (as soon as possible) at time of a Business Continuity E/I/C. [BCI]

Critical Activities – Those activities which have to be performed in order to deliver the key products and services which enable an organisation to meet its most important and time-sensitive objectives. [BS25999-2]

Critical Business Functions – The critical operational and/or business support functions that could not be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing the organization. An example of a business function is a logical grouping of processes/activities that produce a product and/or service such as Accounting, Staffing, Customer Service, etc. [DRI]

Critical Data Point – The point to which data must be restored in order to achieve recovery objectives. [BCI & DRI]

Critical Infrastructure – Physical assets whose incapacity or destruction would have a debilitating impact on the economic or physical security of an organization, community, nation, etc. [DRI]

Critical Service – See: Mission Critical Activities. [BCI]

Critical Service – A service without which a building would be ‘disabled’. Often applied to the utilities (water, gas, electric, etc.) it may also include standby power systems, environmental control systems or communication networks. [DRI]

CSA – See: Control Self Assessment.

D

Damage Assessment – The process of assessing the financial/non-financial damage following a Business Continuity E/I/C. It usually refers to the assessment of damage to physical assets, e.g. vital records, buildings, sites, technology to determine what can be salvaged or restored and what must be replaced. [BCI]

Damage Assessment – The process of assessing damage to computer hardware, vital records, office facilities, etc., and determining what can be salvaged or restored and what must be replaced following a disaster. [DRI]

Data Backups – The copying of production files to media that can be stored both on and/or offsite and can be used to restore corrupted or lost data or to recover entire systems and databases in the event of a disaster. [DRI]

Data Backup Strategies – Data backup strategies will determine the technologies, media and offsite storage of the backups necessary to meet an organization’s data recovery and restoration objectives. [DRI]

Database Replication – The partial or full duplication of data from a source database to one or more destination databases. [DRI]

Database Shadowing – See: Emergency Data Services. [BCI]

Data Center Recovery – The component of Disaster Recovery which deals with the restoration of data center services and computer processing capabilities at an alternate location and the migration back to the production site. [DRI]

Data Mirroring – A process whereby critical data is copied instantaneously to another location so that it is not lost in the event of a Business Continuity E/I/C. See: Emergency Data Services. [BCI]

Data Mirroring – A process whereby critical data is replicated to another device. [DRI]

Data Protection – Statutory requirements to manage personal data in a manner that does not threaten or disadvantage the person to whom it refers. [BCI]

Data Protection – Process of ensuring confidentiality, integrity, and availability of data. [DRI]

Data Recovery – The restoration of computer files from backup media to restore programs and production data to the state that existed at the time of the last safe backup. [DRI]

Decision Point – The latest moment at which the decision to invoke emergency procedures has to be taken in order to ensure the continued viability of the organisation. [BCI]

Declaration – A formal announcement by pre-authorized personnel that a disaster or severe outage is predicted or has occurred and that triggers pre-arranged mitigating actions (e.g., a move to an alternate site). [DRI]

Declaration Fee – A fee charged by a Commercial Hot Site Vendor for a customer invoked disaster declaration. [DRI]

Denial Of Access – The inability of an organization to access and/or occupy its normal working environment. Usually imposed and controlled by the Emergency and/or Statutory Services. See: Site Access Denial. [BCI & DRI]

Dependency – The reliance, directly or indirectly, of one activity or process upon another. See: Mission Critical Activity Dependency. [BCI]

Dependency – The reliance or interaction of one activity or process upon another. [DRI]

Dependency – The direct or indirect reliance of one Process or Activity upon another. [ITIL]

Desk Check – One method of validating a specific component of a plan. Typically, the owner of the component reviews it for accuracy and completeness and signs off. [DRI]

Desktop Exercise – See: Table Top Exercise. [BCI & DRI]

Disaster – A sudden, unplanned catastrophic event causing unacceptable damage or loss.

–   An event that compromises an organization’s ability to provide critical functions, processes, or services for some unacceptable period of time.

–   An event where an organization’s management invokes their recovery plans. [DRI]

Disaster Recovery – The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions. [DRI] See: Information Technology Disaster Recovery (ITDR). [BCI]

Disaster Recovery Administrator – See: BCM Co-ordinator. Also known as Business Recovery Planner; Disaster Recovery Planner; Disaster Recovery Co-ordinator. [BCI]

Disaster Recovery Co-ordinator – See: BCM Co-ordinator. Also known as Business Recovery Planner; Disaster Recovery Planner; Disaster Recovery Administrator. [BCI]

Disaster Recovery Plan – See: BCM Plan; Recovery Plan. [BCI]

Disaster Recovery Planning – The technical component of business continuity planning. [DRI] See: BCM Planning. [BCI]

Disaster Recovery Programme – See: BCM Programme. [BCI]

Disruption – An event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organisation’s objectives. [BS25999-2]

Diverse Routing – The routing of information through split or duplicate cable facilities. [BCI]

Do Nothing – (Service Design) A recovery option. The service provider formally agrees with the customer that recovery of this IT service will not be performed. [ITIL]

DR – See: Disaster Recovery.

DRI International – DRI International is a non-profit organization that ‘offers premier educational and certification programs globally, for those practitioners within the Continuity Management field.’ [DRI]

Drop Ship – A strategy for:

–   delivering equipment, supplies, and materials at the time of a business continuity event or exercise

–   providing replacement hardware within a specified time period via prearranged contractual arrangements with an equipment supplier at the time of a business continuity event. [DRI]

DRP – See: Disaster Recovery Planning.

E

ECC – See: Emergency Control Centre.

E/I/C – The acronym for Emergency(ies), Event(s), Incident(s) or Crisis(es). [BCI]

Electronic Vaulting – The transfer of data to an offsite storage facility using a communications link. See: Emergency Data Services. [BCI]

Electronic Vaulting – Electronic transmission of data to a server or storage facility. [DRI]

Emergency – An unexpected, actual or impending situation that may cause injury, loss of life, destruction of property, or cause the interference, loss, or disruption of an organization’s normal business operations to such an extent that it poses a threat. [BCI & DRI]

Emergency – Section 19, UK Civil Contingencies Act 2004

39. Subsection (1) defines 'emergency' for the purposes of Part 2. Events such as a terrorist attack, disruption of fuel supplies, contamination of land with a chemical matter and an epidemic could satisfy the definition, should they reach the required level of seriousness.

40. Subsections (2) and (3) specify exhaustively the kinds of event or situation which may threaten damage to human welfare or the environment. In order to satisfy the definition of ‘emergency’, the event or situation must threaten serious damage to human welfare in, or the environment of, the United Kingdom (or a Part or region). This definition differs to the definition of ‘emergency’ for the purposes of Part 1 of the Act in that, for Part 1, the situation must threaten serious damage to human welfare in, or the environment of, a place in the United Kingdom (rather than in the United Kingdom or in a Part or region).

41. Subsection (5) enables the Secretary of State to amend the list of events or situations which may threaten damage to human welfare by providing that in so far as an event or situation involves or causes disruption of a specified supply, system, facility or service, it is (or is not) to be treated as threatening damage to human welfare. This is designed to ensure that should a supply, system, facility or service become so essential that disruption of it would warrant the exercise of emergency powers, the Act can be amended accordingly. Subsection (6) provides that no such order may be made unless a draft has been laid before and approved by each House of Parliament.

‘Regions’ are those regions specified in Schedule 1 to the Regional Development Agencies Act 1998. There are 9 such regions: East Midlands, Eastern, London, North East, North West, South East, South West, West Midlands and Yorkshire and the Humber.

Emergency Control Centre (ECC) – The Command Centre used by the Crisis Management Team during the first phase of an event. An organization should have both primary and secondary locations for an ECC in case one of them becomes unavailable/inaccessible. It may also serve as a reporting point for deliveries, services, press and all external contacts. [BCI & DRI] See: Command Centre (CC); Emergency Operations Centre (EOC); Command, Control and Co-ordination. [BCI]

Emergency Co-ordinator – The person assigned the role of co-ordinating the activities of the evacuation of a site and/or building with the statutory and/or emergency services. [BCI]

Emergency Coordinator – The person designated to plan, exercise, and implement the activities of sheltering in place or the evacuation of occupants of a site with the first responders and emergency services agencies. [DRI]

Emergency Data Services – Remote capture and storage of electronic data, such as journalling, electronic vaulting and database shadowing/mirroring. [BCI]

Emergency Marshal – A person responsible for ensuring that all employees, visitors and contractors evacuate a site/building and report to the Emergency Co-ordinator when their designated floor/area is clear. See: Fire Marshal. [BCI]

Emergency Operations Centre (EOC) – A site from which response teams/officials (municipal, county, state and federal) provide direction and exercise control in an emergency or disaster. [BCI & DRI] See: Command Centre (CC); Emergency Control Centre (ECC); Command, Control and Co-ordination. [BCI]

Emergency Preparedness – The capability that enables an organization or community to respond to an emergency in a coordinated, timely, and effective manner to prevent the loss of life and minimize injury and property damage. [DRI]

Emergency Procedures – A documented list of activities to commence immediately to prevent the loss of life and minimize injury and property damage. [DRI]

Emergency Response – The immediate reaction and response to an emergency situation commonly focusing on ensuring life safety and reducing the severity of the incident. [DRI]

Emergency Response Plan – A documented plan usually addressing the immediate reaction and response to an emergency situation. [DRI]

Emergency Response Procedures – The initial response to any E/I/C, focused upon protecting human life and the organization’s assets. [BCI & DRI]

Emergency Response Team (ERT) – Qualified and authorized personnel who have been trained to provide immediate assistance. [DRI]

Emergency Services – Usually refers to the civil services of Police, Fire and Ambulance. See: Blue Light Services; Statutory Services. [BCI]

Enterprise – See: Organisation. [BCI]

Enterprise Wide Planning – The overarching master plan covering all aspects of business continuity within the entire organization. [DRI]

EOC – See: Emergency Operations Centre.

EPO – See: Local Authority Emergency Planning Officer.

ERT – See: Emergency Response Team.

Escalation – The process by which an E/I/C is communicated upwards through an organisation’s Business Continuity and/or risk E/I/C management reporting process. [BCI]

Escalation – The process by which event related information is communicated upwards through an organization’s established Chain of Command. [DRI]

Escalation – (Service Operation) An activity that obtains additional resources when these are needed to meet service level targets or customer expectations. Escalation may be needed within any IT service management process, but is most commonly associated with incident management, problem management and the management of customer complaints. There are two types of escalation: functional escalation and hierarchic escalation. [ITIL]

Essential Service – A service without which a building would be ‘disabled’. Often applied to the utilities (water, gas, electricity, etc.) it may also include standby power systems, environmental control systems or communication networks. [BCI]

Evacuation – The movement of employees, visitors and contractors from a site and/or building to a safe place (assembly area) in a controlled and monitored manner at time of an E/I/C. See: Assembly Area. [BCI & DRI]

Event – Any occurrence that may lead to a business continuity incident. See: Incident. [BCI & DRI]

Event – (Service Operation) A change of state which has significance for the management of a configuration item or IT service. The term Event is also used to mean an alert or notification created by any IT service, configuration item or monitoring tool. Events typically require IT operations personnel to take actions, and often lead to incidents being logged. [ITIL]

Event – An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. [ISO/IEC TR 18044:2004 & ISO/IEC 27001:2005]

Event (Information Security Event) – An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. [BS ISO/IEC TR 18044:2004 and BS7799-3:2006]

Event Management – (Service Operation) The process responsible for managing events throughout their life cycle. Event Management is one of the main activities of IT operations. [ITIL]

Executive/Management Succession Plan – A predetermined plan for ensuring the continuity of authority, decision-making, and communication in the event that key members of executive management unexpectedly become incapacitated. [DRI]

Exclusion Zone(s) (EZ) – See: Cordon (Inner and Outer). [BCI]

Exercise – Activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired result when put into effect.

NOTE: An exercise can involve invoking business continuity procedures, but is more likely to involve the simulation of a business continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation. [BS25999-2]

Exercise – An announced or unannounced execution of business continuity plans intended to implement existing plans and/or highlight the need for additional plan development. A way of testing part of a Business Continuity Plan. An exercise may involve invoking Business Continuity procedures but is more likely to involve the simulation of a Business Continuity E/I/C in which participants role play in order to assess what issues may arise, prior to a real invocation. See: Desktop Exercise; Full Rehearsal. [BCI]

Exercise – A people-focused activity designed to execute business continuity plans and evaluate the individual and/or organization performance against approved standards or objectives. Exercises can be announced or unannounced, and are performed for the purpose of training and conditioning team members, and validating the business continuity plan. Exercise results identify plan gaps and limitations and are used to improve and revise the Business Continuity Plans. Types of exercises include: Table Top Exercise; Simulation Exercise; Operational Exercise; Mock Disaster; Desktop Exercise; Full Rehearsal. [DRI]

Exercise Auditor – An appointed role that is assigned to assess whether the exercise aims/objectives are being met and to measure whether activities are occurring at the right time and involve the correct people to facilitate their achievement. The exercise auditor is not responsible for the mechanics of the exercise. This independent role is crucial in the subsequent debriefing. [DRI]

Exercise Controller – A role that is appointed to have overall management oversight and control of the exercise and the authority to alter the exercise plan. This also includes the early termination of the exercise for reasons of safety or because the aim(s)/objective(s) of the exercise cannot be met due to an unforeseen or other internal or external influence. [BCI] See: Exercise Owner. [DRI]

Exercise Coordinator – Responsible for the mechanics of running the exercise. The Coordinator must lead the exercise and keep it focused within the predefined scope and objectives of the exercise as well as on the disaster scenario. The Coordinator must be objective and not influence the outcome. They perform the coordination to make sure appropriate exercise participants have been identified and that exercise scripts have been prepared before, utilized during, and updated after, the exercise. [DRI]

Exercise Directors – A role in both tabletop and command centre or live exercises. They have access to details of the whole exercise plan and ensure that it proceeds to plan. They are responsible for the mechanics of running the exercise. [BCI]

Exercise Observer – An exercise observer has no role within the exercise but is employed to observe the exercise to either assess the preparations of the organisation or the exercise players (individually or team) or to learn lessons or training or awareness. Their role in subsequent debriefing is crucial. [BCI]

Exercise Observer – An exercise observer has no active role within the exercise but is present for awareness and training purposes. An exercise observer might make recommendations for procedural improvements. [DRI]

Exercise Owner – An appointed role that has total management oversight and control of the exercise and has the authority to alter the exercise plan. This includes early termination of the exercise for reasons of safety or because the aims/objectives of the exercise cannot be met due to an unforeseen or other internal or external influence. [DRI]

Exercise Plan – A plan designed to periodically evaluate tasks, teams, and procedures that are documented in business continuity plans to ensure the plan’s viability. This can include all or part of the BC plan, but should include mission critical components. [DRI]

Exercise Script – A set of detailed instructions identifying information necessary to implement a predefined business continuity event scenario for evaluation purposes. [DRI]

Exercise Umpire – A role within the exercise that is employed to assess whether the exercise aim(s)/objective(s) are being met and to measure whether activities are occurring at the right time and involve the correct people to facilitate their achievement. The role differs from the Exercise Director’s in that it does not have any responsibility for the mechanics of the exercise. Their role in subsequent debriefing is crucial. [BCI]

Expected Loss – The average financial loss or impact that can be anticipated for a particular loss event or risk. It is calculated based on experience and past information. It is normally given as the average loss amount over a specified period of time, e.g. the expected loss amount per year. [BCI]

Expense Control – The essential logging and control of all expenditure at the time of an E/I/C in a separate and distinct manner from the ‘normal’ procedure. The loss assessment and adjustment process will require this information to be readily available, once the BCM/Crisis Management process is complete. See: Contingency Fund. [BCI]

Exposure – The potential susceptibility to loss, or the vulnerability to a particular risk. [BCI & DRI]

Extra Expense – The extra cost necessary to implement a recovery strategy and/or mitigate a loss. An example is the cost to transfer inventory to an alternate location to protect it from further damage, cost of reconfiguring lines, overtime costs, etc. Typically reviewed during BIA and is a consideration during insurance evaluation. [DRI]

Extreme or Catastrophic Emergency, Event, Incident and/or Crisis – A Business Continuity E/I/C of immense proportions that has severe consequences, often damaging a large proportion of the organisation’s assets and resulting in a loss greater than an expected loss. [BCI]

EZ – See: Exclusion Zone.

F

Facilities Management (FM) – The function that manages all aspects of an organisation’s real estate assets and infrastructure. [BCI]

Facilities Management – (Service Operation) The function responsible for managing the physical environment where the IT infrastructure is located. Facilities Management includes all aspects of managing the physical environment, for example power and cooling, building access management, and environmental monitoring. [ITIL]

Failure – (Service Operation) Loss of ability to operate to specification, or to deliver the required output. The term Failure may be used when referring to IT services, processes, activities, configuration items etc. A Failure often causes an Incident. [ITIL]

Failure Modes And Effects Analysis (FMEA) – An approach to assessing the potential impact of failures. FMEA involves analysing what would happen after failure of each configuration item, all the way up to the effect on the business. FMEA is often used in information security management and in IT service continuity planning. [ITIL]

Fallback – Another term for alternative, e.g. a fallback facility is another site/building that can be used when the original site/building is unusable or unavailable. [BCI]

Fast Recovery – (Service Design) A recovery option which is also known as Hot Standby. Provision is made to recover the IT Service in a short period of time, typically less than 24 hours. Fast Recovery typically uses a dedicated fixed facility with computer systems, and software configured ready to run the IT Services. Immediate recovery may take up to 24 hours if there is a need to restore data from backups. [ITIL]

Fellow Business Continuity Institute (FBCI) – A professional certification granted by the Business Continuity Institute for senior business continuity practitioners with at least five years’ full-time experience and who demonstrate a thorough knowledge of all BCI Certification Standards. [DRI]

Financial Services Authority (FSA) – The UK Government body that supervises and regulates the Financial Services Sector under the Financial Services & Markets Act 2000 (FSMA). The FSA’s objectives are:

–   maintaining confidence in the UK financial system

–   promoting public understanding of the financial system

–   securing the appropriate degree of protection for consumers

–   reducing financial crime. [BCI]

Fire Marshal – See: Emergency Marshal. [BCI]

Fixed Facility – (Service Design) A permanent building, available for use when needed by an IT Service Continuity Plan. [ITIL]

Floor Warden – Person responsible for ensuring that all employees, visitors and contractors evacuate a floor within a specific site. [DRI]

FM – See: Facilities Management.

FMEA – See: Failure Modes And Effects Analysis.

Friends and Relatives Reception Centre – A secure area set aside by the Emergency Services or Local Authority for use and the interview of friends and relatives arriving at the scene of a major incident. [BCI]

Full Rehearsal – A simulation exercise involving a Business Continuity E/I/C where the organisation or some of its component parts are suspended until the exercise is completed. See: Exercise; Desktop Exercise. [BCI]

Full Rehearsal – An exercise that simulates a Business Continuity event where the organization or some of its component parts are suspended until the exercise is completed. [DRI]

G

Gain – Positive consequence. [BS25999-2]

Gap Analysis – A survey whose aim is to identify the differences between BCM/Crisis Management requirements (what the business says it needs at time of an E/I/C) and what is in place and/or available. [BCI]

Gap Analysis – A detailed examination to identify risks associated with the differences between Business/Operations requirements and the current available recovery capabilities. [DRI]

Gold Control – The agreed civil Emergency Services term for Strategic Control. See: Strategic Control; Level 1 Control. [BCI]

Goodwill – Value attributed to an organisation over and above the value of its physical assets as a result of its reputation in the market place. [BCI]

Governance – See: Corporate Governance. [BCI]

Gradual Recovery – (Service Design) A recovery option which is also known as Cold Standby. Provision is made to recover the IT service in a period of time greater than 72 hours. Gradual Recovery typically uses a portable or fixed facility that has environmental support and network cabling, but no computer systems. The hardware and software are installed as part of the IT service continuity plan. [ITIL]

H

Hardening – The process of making something more secure, resistant to attack, or less vulnerable. [DRI]

Hazard – A source of potential harm or a situation with a potential to cause loss. [BCI]

Health & Safety – The process by which the well-being of all employees, contractors, visitors and the public is safeguarded. All business continuity plans and planning must be cognizant of H&S statutory and regulatory requirements and legislation. [BCI & DRI] Health and Safety considerations should be reviewed during the Risk assessment. [DRI]

High Availability – Systems or applications requiring a very high level of reliability and availability. High availability systems typically operate 24x7 and usually require built-in redundancy to minimize the risk of downtime due to hardware and/or telecommunication failures. [DRI]

High-Risk Areas – Areas identified during the risk assessment that are highly susceptible to a disaster situation or might be the cause of a significant disaster. [DRI]

Hot Site – A site (data centre, work area) that provides a BCM facility with the relevant work area recovery, telecommunications and IT interfaces and environmentally controlled space capable of providing relatively immediate backup data processing support to maintain the organisation’s Mission Critical Activities. See: Warm Site; Cold Site; Alternate Site. [BCI]

Hotsite – An alternate facility that already has in place the computer, telecommunications, and environmental infrastructure required to recover critical business functions or information systems. [DRI]

Hot Standby – A term that is normally reserved for Technology Recovery. An alternate means of processing that minimises downtime so that no loss of processing occurs. Usually involves the use of a standby system or site that is permanently connected to business users and is often used to record transactions in tandem with the primary system. [BCI]

Hot Standby – Synonym for Fast Recovery or Immediate Recovery. [ITIL]

Housekeeping – The process of maintaining procedures, systems, people and plans in a state of readiness. [BCI]

HRDR – See: Human Resource Disaster Recovery.

Human Continuity – The ability of an organization to provide support for its associates and their families before, during, and after a business continuity event to ensure a viable workforce. This involves pre planning for potential psychological responses, occupational health and employee assistance programs, and employee communications. [DRI]

Human Resource Disaster Recovery (HRDR) – A specific strategy for dealing with risk assessment, prevention, control and business recovery for both critical (key) and non critical (non key) personnel. See: Trauma Counselling; Post Traumatic Stress Disorder; Trauma Management. [BCI]

Human Resources – Human Resources (HR) (also known as Personnel Department). [BCI]

Human Threats – Possible disruptions in operations resulting from human actions as identified during the risk assessment. (i.e. disgruntled employee, terrorism, blackmail, job actions, riots, etc.). [DRI]

I

ICS – See: Incident Command System.

Immediate Recovery – (Service Design) A recovery option which is also known as Hot Standby. Provision is made to recover the IT service with no loss of service. Immediate Recovery typically uses mirroring, load balancing and split site technologies. [ITIL]

IMP – See: Incident Management Plan.

Impact – Evaluated consequence of a particular outcome. [BS25999-2]

Impact – The potential level of impact and effect of a Business Continuity E/I/C over time on an organisation. The level of impact and effect is usually relative to the size of the organisation and its BCM resilience. The types of business impact are usually described as financial and non-financial and are further divided into specific types of impact. See: Business Impact Analysis. [BCI]

Impact – The effect, acceptable or unacceptable, of an event on an organization. The types of business impact are usually described as financial and non-financial and are further divided into specific types of impact. [DRI]

Impact – (Service Operation) (Service Transition) A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority. [ITIL]

Incident – Situation that might be, or could lead to, a business disruption, loss, emergency or crisis. [BS25999-2]

Incident – Any event that may be, or may lead to, a business interruption, disruption, loss and/or crisis. [BCI]

Incident – An event which is not part of a standard operating business which may impact or interrupt services and, in some cases, may lead to disaster. [DRI]

Incident – (Service Operation) An unplanned interruption to an IT service or a reduction in the quality of an IT service. Failure of a configuration item that has not yet impacted service is also an Incident. For example, failure of one disk from a mirror set. [ITIL]

Incident – A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC TR 18044:2004 & ISO/IEC 27001:2005]

Incident – Any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service.

NOTE: This may include request questions such as ‘How do I...?’ calls. [ISO/IEC 20000-1:2005]

Incident (Information Security Incident) – An information security incident is indicated by a single, or a series of, unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [BS ISO/IEC TR 18044:2004 & BS7799-3:2006]

Incident Command System (ICS) – Combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure with responsibility for the command, control, and coordination of assigned resources to effectively direct and control the response and recovery to an incident. The flexible design of the ICS allows its span of control to expand or contract as the scope of the situation changes. [DRI]

Incident Management – The process by which an organization responds to and controls an incident using Emergency Response Procedures or plans. See: Emergency Response Procedures. [BCI & DRI]

Incident Management – (Service Operation) The process responsible for managing the life cycle of all incidents. The primary objective of incident management is to return the IT service to users as quickly as possible. [ITIL]

Incident Management Plan (IMP) – Clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process. [BS25999-2]

Incident Manager – Commands the local emergency operations center (EOC) reporting up to senior management on the recovery progress. Has the authority to invoke the recovery plan. [DRI]

Incident Record – (Service Operation) A record containing the details of an incident. Each incident record documents the life cycle of a single incident. [ITIL]

Incident Response – The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status. [DRI]

Information Security – The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organisation. [ISO/IEC 27001:2005] [BCI]

Information Security – The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization. [DRI]

Information Security – Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. [ISO/IEC 27001:2005]

Information Technology Disaster Recovery (ITDR) – An integral part of the organisation’s BCM plan by which it intends to recover and restore its IT and telecommunications capabilities after an E/I/C. See: BCM; BCM Plan; BCM Programme; Disaster Recovery. [BCI]

Infrastructure – The underlying foundation, basic framework, or interconnecting structural elements that support an organisation. [DRI]

Infrastructure – A building and all of its supporting services. Infrastructure is usually divided into technology infrastructure (e.g. computers, cabling, telephony, etc.) and real estate infrastructure (e.g. buildings, utility supplies, air-conditioning, etc.). [BCI]

Inherent Risk – The possibility that some human activity or natural event will have an adverse effect on the asset(s) of an organisation and which cannot be managed or transferred away. [BCI]

Insurance – A contract to finance the cost of risk. Should a named risk event (loss) occur, the insurance contract will pay the holder the contractual amount. See: Risk Financing; Self-Insurance. [BCI]

Integrated Exercise – An exercise conducted on multiple interrelated components of a Business Continuity Plan, typically under simulated operating conditions. Examples of interrelated components may include interdependent departments or interfaced systems. [DRI]

Integrated Risk Management – Where current risks are managed in an integrated way across the whole breadth of the organisation. [BCI]

Integrated Test – See: Integrated Exercise. [DRI]

Interim Site – A temporary location used to continue performing business functions after vacating a recovery site and before the original or new home site can be occupied. Move to an interim site may be necessary if ongoing stay at the recovery site is not feasible for the period of time needed or if the recovery site is located far from the normal business site that was impacted by the disaster. An interim site move is planned and scheduled in advance to minimize disruption of business processes; equal care must be given to transferring critical functions from the interim site back to the normal business site. [DRI]

Intermediate Recovery – (Service Design) A recovery option which is also known as Warm Standby. Provision is made to recover the IT service in a period of time between 24 and 72 hours. Intermediate Recovery typically uses a shared portable or fixed facility that has computer systems and network components. The hardware and software will need to be configured, and data will need to be restored, as part of the IT service continuity plan. [ITIL]

Internal Audit – Audit conducted by, or on behalf of, the organisation itself for management review and other internal purposes, and which might form the basis for an organisation’s self-declaration of conformity.

NOTE: In many cases, particularly in smaller organisations, independence can be demonstrated by the freedom from responsibility for the activity being audited. [BS25999-2]

Internal Audit – An organisation’s own in-house team of auditors. Responsible primarily for evaluating the effectiveness of internal control systems and contributing to their ongoing effectiveness by providing advice and support to management. [BCI]

Internal Control – All the means, tangible and intangible, that can be employed or used to ensure that established objectives are met. [BCI]

Internal Hotsite – A fully equipped alternate processing site owned and operated by the organization. [DRI]

Invocation – Act of declaring that an organisation’s business continuity plan needs to be put into effect in order to continue delivery of key products or services. [BS25999-2]

Invocation – The act by which a Business Continuity Management or Crisis Management process is formally started. The term is often used to refer to the act of using a service such as work area recovery as offered by a commercial or third-party provider. See: Activation. [BCI]

Invocation – (Service Design) Initiation of the steps defined in a plan. For example, initiating the IT Service Continuity Plan for one or more IT services. [ITIL]

ISO/IEC 27001:2005 – The Information Security Management System specification.

ITDR – See: Information Technology Disaster Recovery.

IT Recovery Planning – See: Technology Recovery Planning. [BCI]

IT Service – A service provided to one or more customers by an IT Service Provider. An IT Service is based on the use of Information Technology and supports the customer's business processes. An IT Service is made up from a combination of people, processes and technology and should be defined in a Service Level Agreement. [ITIL]

IT Service Continuity Management – (Service Design) The process responsible for managing risks that could seriously impact IT services. ITSCM ensures that the IT Service Provider can always provide minimum agreed service levels, by reducing the risk to an acceptable level and planning for the recovery of IT services. ITSCM should be designed to support business continuity management. [ITIL]

IT Service Continuity Plan – (Service Design) A plan defining the steps required to recover one or more IT services. The plan will also identify the triggers for invocation, people to be involved, communications etc. The IT Service Continuity Plan should be part of a business continuity plan. [ITIL]

J

Journaling – The process of logging changes or updates to a database since the last full backup. Journals can be used to recover previous versions of a file before updates were made, or to facilitate disaster recovery, if performed remotely, by applying changes to the last safe backup. [DRI]

Journalling – See: Emergency Data Services. [BCI]

K

Key Task(s) – Tasks identified within a Business Continuity Plan as a priority action typically to be carried out within the first few minutes/hours of the plan invocation. [BCI]

Key Tasks – Priority procedures and actions in a Business Continuity Plan that must be executed within the first few minutes/hours of the plan invocation. [DRI]

L

LBC – See: Level of Business Continuity.

Lead Time – The time it takes for a supplier – either equipment or a service – to make that equipment or service available. Business continuity plans should try to minimise this by agreeing Service Levels (Service Level Agreement) with the supplier in advance of a Business Continuity E/I/C rather than relying on the supplier’s best efforts. See: Service Level Agreement. [BCI]

Lead Time – The time it takes for a supplier to make equipment, services, or supplies available after receiving an order. Business continuity plans should try to minimize lead time by creating service level agreements (SLA) with suppliers or alternate suppliers in advance of a Business Continuity event rather than relying on the suppliers’ best efforts. [DRI]

Legislative – Actions within a Business Continuity Plan that must be prioritised as a result of legal, statutory or regulatory requirements. See: Statutory; Regulatory. [BCI]

Level 1 Control – See: Strategic Control; Gold Control. [BCI]

Level 2 Control – See: Tactical Control; Silver Control. [BCI]

Level 3 Control – See: Operational Control; Bronze Control. [BCI]

Level of Business Continuity (LBC) – The minimum level of business continuity of services and/or products that is acceptable to the organisation or industry to achieve its business objectives that may be influenced or dictated by regulation or legislation. [BCI]

Likelihood – Chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities.

NOTE 1: Likelihood can be expressed qualitatively or quantitatively.

NOTE 2: The word ‘probability’ can be used instead of ‘likelihood’ in some non-English languages that have no direct equivalent. Because ‘probability’ is often interpreted more formally in English as a mathematical term, ‘likelihood’ is used throughout this Standard with the intention that it is given the same broad interpretation as ‘probability’. [BS25999-2]

Likelihood – See: Probability. [BCI]

Line Re-routing – A facility offered by telephone service providers to re-route dedicated telephone lines to backup or other sites. [BCI]

Local Authority Emergency Planning Officer (EPO) – The civil authority role for civil emergency planning. The role interfaces with industry especially where legislation requires. [BCI]

Logistics/Transportation Team – A team comprised of various members of departments associated with supply acquisition and material transportation, responsible for ensuring the most effective acquisition and mobilization of hardware, supplies and support materials. [BCI & DRI] This team is also responsible for transporting and supporting staff. [DRI]

Loss – Negative consequence. [BS25999-2]

Loss – A negative consequence, which may be financial, e.g. loss of cash, or non-financial, e.g. loss of information or loss of goodwill. [BCI]

Loss – Unrecoverable resources that are redirected or removed as a result of a Business Continuity event. Such losses may be loss of life, revenue, market share, competitive stature, public image, facilities, or operational capability. [DRI]

Loss Adjuster – Invaluable at the time of a Business Continuity E/I/C to assist in managing the financial implications of the E/I/C and should be involved as part of the management team where possible. Loss Adjusters often have useful contacts within the local community that can ease the burden at time of an E/I/C. Involving the Loss Adjuster with the CMT will improve the speed and effectiveness of any ensuing insurance claim. [BCI]

Loss Adjuster – Designated position activated at the time of a Business Continuity event to assist in managing the financial implications of the event and should be involved as part of the management team where possible. [DRI]

Loss Reduction – The technique of instituting mechanisms to lessen the exposure to a particular risk. Loss reduction involves planning for, and reacting to, an event to limit its impact. Examples of loss reduction include sprinkler systems, insurance policies, and evacuation procedures. [DRI]

Lost Transaction Recovery – Recovery of data (paper within the work area and/or system entries) destroyed or lost at the time of the disaster or interruption. Paper documents may need to be requested or re-acquired from original sources. Data for system entries may need to be recreated or re-entered. [DRI]

M

Major Incident – An Emergency Services definition. Any emergency that requires the implementation of special arrangements by one or more of the Emergency Services, National Health Service or a Local Authority. [BCI]

Major Incident – (Service Operation) The highest category of impact for an incident. A major incident results in significant disruption to the business. [ITIL]

Management System – System to establish policy and objectives and to achieve those objectives. [BS EN ISO 9000:2005]

Manual Procedures – An alternative method of working following a loss of IT systems. As working practices rely more and more on computerized activities, the ability of an organization to fall back to manual alternatives lessens. However, temporary measures and methods of working can help mitigate the impact of a Business Continuity E/I/C and give staff a feeling of doing something. [BCI & DRI]

Manual Workaround – A workaround that requires manual intervention. Manual workaround is also used as the name of a recovery option in which the business process operates without the use of IT services. This is a temporary measure and is usually combined with another recovery option. [ITIL]

MAO – See: Maximum Acceptable Outage.

Marshal – See: Emergency Marshal. [BCI]

Marshalling Area – A safe area where resources and personnel not immediately required can be directed to standby to await further instruction. [BCI]

Master Business Continuity Professional (MBCP) – The Master level certification is for individuals with a minimum of five years of Enterprise Continuity Management experience in 7 of the 10 Professional Practices, have passed both the qualifying exam and the Masters case study, and have had their DRII Certification Application approved. [DRI]

Maturity – See: Business Continuity Management Maturity. [BCI]

Maturity – (Continual Service Improvement) A measure of the reliability, efficiency and effectiveness of a process, function, organisation etc. The most mature processes and functions are formally aligned to business objectives and strategy, and are supported by a framework for continual improvement. [ITIL]

Maximum Acceptable Outage (MAO) – This is the timeframe during which a recovery must become effective before an outage compromises the ability of an organisation to achieve its business objectives and/or survival. See: Outage; MTD; MTA. [BCI]

Maximum Time in Alternative Operations (MTA) – See: Maximum Acceptable Outage (MAO). [BCI]

Maximum Tolerable Downtime (MTD) – See: Recovery Time Objective; Maximum Acceptable Outage. [BCI]

Maximum Tolerable Period of Disruption – Duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed. [BS25999-2]

Media – News reporting function including TV, radio, internet, e-mail and newspapers. [BCI]

Member Of The Business Continuity Institute (MBCI) – A professional certification granted by the Business Continuity Institute for business continuity practitioners who understand all of the BCI Certification Standards and who have at least two years’ experience across the majority of the ten standards. [DRI]

Mirroring – See: Data Mirroring. [BCI]

Mission Critical Activities – The critical operational and/or business support activities (either provided internally or outsourced) without which the organisation would quickly be unable to achieve its business objective(s), i.e. services and/or products. [BCI]

Mission-Critical Activities – The critical operational and/or business support activities (either provided internally or outsourced) required by the organization to achieve its objective(s), i.e. services and/or products. [DRI]

Mission Critical Activity Dependency(ies) – The critical operational or support activities (either provided internally or outsourced) upon which a Mission Critical Activity is dependent to enable it to fully complete the Mission Critical Activity. See: Dependency. [BCI]

Mission-Critical Application – Applications that support business activities or processes that could not be interrupted or unavailable for 24 hours or less without significantly jeopardizing the organization. [DRI]

Mobile Recovery – A mobilized resource purchased or contracted for the purpose of business recovery. The mobile recovery center might include: computers, workstations, telephone, electrical power, etc. [DRI]

Mobile Standby – A transportable operating environment – often a large trailer – complete with office facilities and computer equipment that can be delivered and set up at a suitable site at short notice. [BCI]

Mobile Standby Trailer – A transportable operating environment, often a large trailer, that can be configured to specific recovery needs such as office facilities, call centers, data centers, etc. This can be contracted to be delivered and set up at a suitable site at short notice. [DRI]

Mobilisation – The activation of the recovery organisation in response to BCM invocation. [BCI]

Mobilization – The activation of the recovery organization in response to a disaster declaration. [DRI]

Mock Disaster – One method of exercising teams in which participants are challenged to determine the actions they would take in the event of a specific disaster scenario. Mock disasters usually involve all, or most, of the applicable teams. Under the guidance of exercise coordinators, the teams walk through the actions they would take per their plans, or simulate performance of these actions. Teams may be at a single exercise location, or at multiple locations, with communication between teams simulating actual ‘disaster mode’ communications. A mock disaster will typically operate on a compressed timeframe representing many hours, or even days. [DRI]

MTA – See: Maximum Time in Alternative Operations.

MTD – See: Maximum Tolerable Downtime.

N

N + 1 – A fault tolerant strategy that includes multiple systems or components protected by one backup system or component (Many-to-one relationship). [DRI]

Network Outage – An interruption of voice, data, or IP network communications. [DRI]

Nonconformity – Non-fulfilment of a requirement. [BS EN ISO 9000:2005, BS EN ISO 14001:2004]

NOTE: A nonconformity can be any deviation from relevant work standards, practices, procedures, legal requirements, etc.

O

Offsite Location – A site at a safe distance from the primary site where critical data (computerised or paper) and/or equipment is stored from where it can be recovered and used at the time of a Business Continuity E/I/C if original data, material or equipment is lost or unavailable. [BCI]

Off-Site Storage – Any place physically located a significant distance away from the primary site, where duplicated and vital records (hard copy or electronic and/or equipment) may be stored for use during recovery. [DRI]

Operational Control – The role of the operational control is to implement the tactical control action plan by allocating specific tasks within the determined areas of responsibility and command of allocated resources. See: Strategic Control; Tactical Control; Gold Control; Silver Control; Bronze Control; Level 1 Control; Level 2 Control; Level 3 Control. [BCI]

Operational Exercise – See: Exercise. [DRI]

Operational Risk – The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures and inadequate procedures and controls. [BCI]

Operational Risk – The risk of loss resulting from inadequate or failed procedures and controls. This includes loss from events related to technology and infrastructure, failure, business interruptions, staff related problems, and from external events such as regulatory changes. [DRI]

Orderly Shutdown – The actions required to rapidly and gracefully suspend a business function and/or system during a disruption. [DRI]

Organisation – Group of people and facilities with an arrangement of responsibilities, authorities and relationships.

EXAMPLE: Company, corporation, firm, enterprise, institution, charity, sole trader or association, or parts or combinations thereof.

NOTE 1: The arrangement is generally orderly.

NOTE 2: An organisation can be public or private. [BS EN ISO 9000:2005]

Organisation – An enterprise, a corporate entity; a firm, an establishment, a public or government body, department or agency; a business or a charity. [BCI]

Organisation (large scale or super) – An organisation that is large and complex, in the sense that it could absorb the impact of losing a complete location or business unit. The normal terminology, and perspective, needs to be scaled down by regarding individual locations or business units as self-sustaining entities. [BCI]

Organisation Risk Management – Where both current and emerging risks are managed in an integrated way across the whole organisation. [BCI]

Outage – Period of time that a service, system, process or business function is expected to be unusable or inaccessible which has a high impact on the organisation, compromising the achievement of the organisation’s business objectives. An outage is different to ‘downtime’ where process or system failures happen as a part of normal operations, and where the impact merely reduces the short-term effectiveness of processes. See: Maximum Acceptable Outage. [BCI]

Outage – The interruption of automated processing systems, infrastructure, support services, or essential business operations, which may result in the organization’s inability to provide services for some period of time. [DRI]

Outsourcing – The transfer of business functions to an independent (internal and/or external) third-party supplier. [BCI]

P

Pain Value Analysis – (Service Operation) A technique used to help identify the business impact of one or more problems. A formula is used to calculate Pain Value based on the number of users affected, the duration of the downtime, the impact on each user, and the cost to the business (if known). [ITIL]

Peer Review – A review of a specific component of a plan by personnel (other than the owner or author) with appropriate technical or business knowledge for accuracy and completeness. [DRI]

Period of Tolerance – The period of time in which a Business Continuity E/I/C can escalate to a potential disaster without undue impact to the organisation. [BCI]

Plan Currency – Business Continuity Plans must be maintained (housekeeping) to an adequate state. The measure of how up to date BC and CMT plans are kept. A good (recent) plan currency is vital if plans are to be reliable. [BCI]

Plan Maintenance – The management process of keeping an organisation’s BCM competence and capability up to date, fit for purpose and effective. [BCI]

Plan Maintenance – The management process of keeping an organization’s Business Continuity Management plans up to date and effective. Maintenance procedures are a part of this process for the review and update of the BC plans on a defined schedule. [DRI]

Portable Facility – (Service Design) A prefabricated building, or a large vehicle, provided by a third party and moved to a site when needed by an IT service continuity plan. [ITIL]

Post Traumatic Stress Disorder (PTSD) – PTSD is caused by a major traumatic E/I/C where a person experienced, witnessed or was confronted with an E/I/C that involved actual or threatened death or serious injury or threat to the physical integrity of self or others, and the person’s response involved intense fear, helplessness or horror. See: Trauma Counselling; Trauma Management. [BCI]

Pre-positional Resource – Material (i.e. equipment, forms and supplies) stored at an offsite location to be used in business recovery operations. [BCI]

Press Briefings – See: Press Conference. [BCI]

Press Conference – The provision of an organisation spokesperson(s) at a specific venue and time(s) to brief and answer any questions or enquiries from the media. [BCI]

Press Statements – Prepared statements issued to the press during and/or after a Business Continuity E/I/C. See: Press Briefings. [BCI]

Preventative Measures – Measures put in place to lessen the likelihood of a Business Continuity E/I/C. [BCI]

Preventative Measures – Controls aimed at deterring or mitigating undesirable events from taking place. [DRI]

Prioritisation – The order in which Mission Critical Activities and their dependencies are addressed following invocation of the BCM process. [BCI]

Prioritization – The ordering of critical activities and their dependencies is established during the BIA and Strategic-planning phase. The business continuity plans will be implemented in the order necessary at the time of the event. [DRI]

Probability – The chance of a risk occurring. [BCI]

Problem – (Service Operation) A cause of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation. [ITIL]

Problem – Unknown underlying cause of one or more incidents. [ISO/IEC 20000-1:2005]

Problem Management – (Service Operation) The process responsible for managing the life cycle of all problems. The primary objectives of problem management are to prevent incidents from happening, and to minimise the impact of incidents that cannot be prevented. [ITIL]

Problem Record – (Service Operation) A record containing the details of a problem. Each problem record documents the life cycle of a single problem. [ITIL]

Process – Set of interrelated or interacting activities which transforms inputs into outputs. [BS EN ISO 9000:2005]

Process – A structured set of activities designed to accomplish a specific objective. A Process takes one or more defined inputs and turns them into defined outputs. A Process may include any of the roles, responsibilities, tools and management controls required to reliably deliver the outputs. A Process may define policies, standards, guidelines, activities, and work instructions if they are needed. [ITIL]

Products and Services – Beneficial outcomes provided by an organisation to its customers, recipients and stakeholders, e.g. manufactured items, car insurance, regulatory compliance and community nursing. [BS25999-2]

Project Management – The techniques and tools used to describe, control and deliver a series of activities with given deliverables, timeframes and budgets. [BCI]

PTSD – See: Post Traumatic Stress Disorder.

Q

Qualitative Assessment – A form of assessment that analyses the general structures and systems currently in place. A descriptive methodology, which typically involves risk mapping and risk matrices. These assessments do not involve detailed measurements. [BCI]

Qualitative Assessment – The process for evaluating a business function based on observations and does not involve measures or numbers. Instead, it uses descriptive categories such as customer service, regulatory requirements, etc., to allow for refinement of the quantitative assessment. This is normally done during the BIA phase of planning. [DRI]

Quantification – The objective measure of the seriousness of risk or impact, often measured in financial or regulatory terms. [BCI]

Quantitative Assessment – A form of assessment that analyses the actual numbers and values involved. This type of methodology typically applies mathematical and statistical techniques and modelling. [BCI]

Quantitative Assessment – The process for placing value on a business function for risk purposes. It is a systematic method that evaluates possible financial impact for losing the ability to perform a business function. It uses numeric values to allow for prioritizations. This is normally done during the BIA phase of planning. [DRI]

Quick Ship – See: Drop Ship. [DRI]

R

Reception Centre – A secure area to which the uninjured can be taken for shelter, first aid, interview and documentation as appropriate to the E/I/C. See: Friends and Relatives Reception Centre. [BCI]

Reciprocal Agreement – An arrangement by which one organisation agrees to use another’s resources in the event of a Business Continuity E/I/C. [BCI]

Reciprocal Agreement – Agreement between two organizations (or two internal business groups) with similar equipment/environment that allows each one to recover at the other’s location. [DRI]

Record – Document stating results achieved or providing evidence of activities performed.

NOTE 1: Records are distinguished from documents by the fact that they function as evidence of activities, rather than evidence of intentions.

NOTE 2: Examples of records include audit reports, requests for change, incident reports, individual training records and invoices sent to customers. [ISO/IEC 20000-1:2005]

Recoverable Loss – Financial losses due to a loss E/I/C that may be reclaimed in the future, e.g. through insurance or litigation. [BCI]

Recovery – Implementing the prioritized actions required to return the processes and support functions to operational stability following an interruption or disaster. [DRI]

Recovery – See: System Recovery. [BCI]

Recovery – (Service Design) (Service Operation) Returning a configuration item or an IT service to a working state. Recovery of an IT service often includes recovering data to a known consistent state. After Recovery, further steps may be needed before the IT service can be made available to the users (Restoration). [ITIL]

Recovery Management Team – A team of people that is responsible for recovering an aspect of the organisation, or obtaining the resources required for the recovery. See: BCM Team. [BCI]

Recovery Management Team – See: Business Continuity Management (BCM) Team. [DRI]

Recovery Option – (Service Design) (Service Operation) Returning a configuration item or an IT service to a working state. Recovery of an IT service often includes recovering data to a known consistent state. After recovery, further steps may be needed before the IT service can be made available to the users (Restoration). [ITIL]

Recovery Period – The time period between a disaster and a return to normal functions, during which the disaster recovery plan is employed. [DRI]

Recovery Plan – See: BCM Plan. [BCI]

Recovery Point Objective (RPO) – The point in time to which work should be restored following a Business Continuity E/I/C that interrupts/disrupts the business, e.g. ‘start of day’. [BCI]

Recovery Point Objective (RPO) – The maximum amount of data loss an organization can sustain during an event. [DRI]

Recovery Point Objective – (Service Operation) The maximum amount of data that may be lost when service is restored after an interruption. Recovery Point Objective is expressed as a length of time before the failure. For example, a Recovery Point Objective of one day may be supported by daily backups, and up to 24 hours of data may be lost. Recovery Point Objectives for each IT service should be negotiated, agreed and documented, and used as requirements for service design and IT service continuity plans. [ITIL]

Recovery Services Agreement/Contract – A contract with an external organization guaranteeing the provision of specified equipment, facilities, or services, usually within a specified time period, in the event of a business interruption. A typical contract will specify a monthly subscription fee, a declaration fee, usage costs, method of performance, amount of test time, termination options, penalties and liabilities, etc. [DRI]

Recovery Site – See: Alternate Site. [BCI]

Recovery Site – A designated site for the recovery of business unit, technology, or other operations, which are critical to the enterprise. [DRI]

Recovery Strategy – See: Business Continuity Strategy. [BCI & DRI]

Recovery Team – See: BCM Team. [BCI]

Recovery Teams – A structured group of teams ready to take control of the recovery operations if a disaster should occur. [DRI]

Recovery Time Objective – Target time set for resumption of product, service or activity delivery after an incident.

NOTE: The recovery time objective has to be less than the maximum tolerable period of disruption. [BS25999-2]

Recovery Time Objective (RTO) – An essential output from the BIA that identifies the time by which Mission Critical Activities and/or their dependencies must be recovered. See: BIA; Dependency; Mission Critical Activities. [BCI]

Recovery Time Objective (RTO) – The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTOs are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation. [DRI]

Recovery Time Objective – (Service Operation) The maximum time allowed for recovery of an IT service following an interruption. The service level to be provided may be less than normal service level targets. Recovery Time Objectives for each IT service should be negotiated, agreed and documented. See: Business Impact Analysis. [ITIL]

Recovery Timeline – The critical path of actions and activities that describe the speed and prioritisation of the recovery process. [BCI]

Recovery Timeline – The sequence of recovery activities, or critical path, which must be followed to resume an acceptable level of operation following a business interruption. The timeline may range from minutes to weeks, depending upon the recovery requirements and methodology. [DRI]

Recovery Window – See: Recovery Time Objective. [BCI]

Redundancy – In human resource terms, redundancy can be used to mean the provision of delegates or alternates for key employees or BCM/Crisis Management Team members. See: Backup; Alternate Site. [BCI]

Redundancy – Synonym for ‘fault tolerance’. The term Redundant also has a generic meaning of ‘obsolete’, or ‘no longer needed’. [ITIL]

Regulatory – See: Legislative; Statutory. [BCI]

Rendezvous Point (RVP) – A secure and safe location (point) to which all Emergency Services resources arriving at an emergency/statutory services outer cordon are directed for logging, briefing, equipment issue and deployment. See: Emergency Services. [BCI]

Residual Risk – The level of uncontrolled risk remaining after all cost-effective actions have been taken to lessen the impact and probability of a specific risk or group of risks, subject to the organisation’s risk appetite. See: Inherent Risk; Risk Appetite. [BCI]

Residual Risk – The risk remaining after risk treatment. [ISO/IEC Guide 73:2002]

Resilience – Ability of an organisation to resist being affected by an incident. [BS25999-2]

Resilience – The ability of an organisation, staff, system, network, activity or process to absorb the impact of a business interruption, disruption and/or loss and continue to provide a minimum acceptable level of service. See: Level of Business Continuity (LBC); Component Failure Impact Analysis. [BCI]

Resilience – The ability of an organization to absorb the impact of a business interruption, and continue to provide a minimum acceptable level of service. [DRI]

Resilience – (Service Design) The ability of a configuration item or IT service to resist failure or to recover quickly following a failure. For example, an armoured cable will resist failure when put under stress. [ITIL]

Resilient – The process and procedures required to maintain or recover critical services such as ‘remote access’ or ‘end-user support’ during a business interruption. [DRI]

Resolution – (Service Operation) Action taken to repair the root cause of an incident or problem, or to implement a workaround. In ISO/IEC 20000, Resolution processes is the process group that includes incident and problem management. [ITIL]

Resources – All assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organisation has to have available to use, when needed, in order to operate and meet its objectives. [BS25999-2]

Response – The reaction to a Business Continuity E/I/C in order to assess the level of containment and control activity required. [BCI]

Response – The reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. In addition to addressing matters of life safety and evacuation, Response also addresses the policies, procedures and actions to be followed in the event of an emergency. [DRI]

Rest Centre – A building taken over by the Local Authority for the temporary accommodation of evacuees. [BCI]

Restart – The procedure or procedures that return applications and data to a known start point. Application restart is dependent upon having an operable system. [BCI]

Restoration – Process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location. [DRI]

Restore – (Service Operation) Taking action to return an IT service to the users after repair and recovery from an incident. This is the primary objective of incident management. [ITIL]

Resumption – The implementation of steps to enable the recovery and continuity of an organisation’s Mission Critical Activities and/or their dependencies immediately following a Business Continuity E/I/C. [BCI]

Resumption – The process of planning for and/or implementing the restarting of defined business processes and operations following a disaster. This process commonly addresses the most critical business functions within BIA specified timeframes. [DRI]

Return To Normal – (Service Design) The phase of an IT Service Continuity Plan during which full normal operations are resumed. For example, if an alternate data centre has been in use, then this phase will bring the primary data centre back into operation, and restore the ability to invoke IT Service Continuity Plans again. [ITIL]

Reverse Cascade System – A reversal of the cascade system that enables the whereabouts and safety of personnel to be established. See: Cascade System; Call Tree; Contact List. [BCI]

Risk – Something that might happen and its effect(s) on the achievement of objectives.

NOTE 1: The word ‘risk’ is used colloquially in various ways, as a noun (‘a risk’ or, in the plural, ‘risks’), a verb (to risk [something], or to put at risk), or as an adjective (‘risky’). Used as a noun the term ‘a risk’ could relate to either a potential event, its causes, the chance (likelihood) of something happening, or the effects of such events. In risk management it is important to make a clear distinction between these various usages of the word ‘risk’.

NOTE 2: Risk is defined relative to a particular objective; therefore, concern for several objectives implies the possibility of more than one measure of risk with respect to any source of risk.

NOTE 3: Risk is often quantified as an average effect by summing the combined effect of each possible consequence weighted by the associated likelihood of each consequence, to obtain an ‘expected value’. However, probability distributions are needed to quantify perceptions about the range of possible consequences. Alternatively, summary statistics, such as standard deviation, may be used in addition to expected value. [BS25999-2]

Risk – The chance of something happening, measured in terms of probability and consequences. The consequence may be either positive or negative. Risk in a general sense can be defined as the threat of an action or inaction that will prevent an organisation’s ability to achieve its business objectives. The results of a risk occurring are defined by the impact. See: Impact. [BCI]

Risk – Potential for exposure to loss which can be determined by using either qualitative or quantitative measures. [DRI]

Risk – A possible event that could cause harm or loss, or affect the ability to achieve objectives. A Risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. [ITIL]

Risk – Combination of the probability of an event and its consequence. [ISO/IEC Guide 73:2002]

Risk Acceptance – Decision to accept a risk. [ISO/IEC Guide 73:2002]

NOTE 1: The verb ‘to accept’ is chosen to convey the idea that acceptance has its basic dictionary meaning.

NOTE 2: Risk acceptance depends on risk criteria. [BS7799-3:2006]

Risk Analysis – The systematic process of identifying the nature and causes of risks to which an organisation could be exposed and assessing the likely impact and probability of those risks occurring. [BCI]

Risk Analysis – Systematic use of information to identify sources and to estimate the risk. [ISO/IEC Guide 73:2002]

NOTE 1: Risk analysis provides a basis for risk evaluation, risk treatment, and risk acceptance.

NOTE 2: Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.

Risk Appetite – The willingness of an organisation to accept a defined level of risk in order to conduct its business cost-effectively. Different organisations at different stages of their existence will have different risk appetites. See: Risk Context. [BCI]

Risk Assessment – Overall process of risk identification, analysis and evaluation. [BS25999-2]

Risk Assessment – The overall process of risk identification, analysis and evaluation. [BCI]

Risk Assessment – The initial steps of risk management. Analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Risk Assessment can be quantitative (based on numerical data) or qualitative. [ITIL]

Risk Assessment/Analysis – Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event. [DRI]

Risk Avoidance – An informed decision not to become involved in a risk situation. [BCI]

Risk Avoidance – Decision not to become involved in, or action to withdraw from, a risk situation. [ISO/IEC Guide 73:2002]

Risk Based Auditing – Audits that focus on risk and risk management as the audit objective. [BCI]

Risk Categories – Risks of similar types are grouped together under key headings, otherwise known as ‘risk categories’. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, people, technology and knowledge. [BCI & DRI]

Risk Classification – The categorisation of risk, normally focusing on likely impact to the organisation or likelihood of occurrence. [BCI]

Risk Concentration – The risks associated with having Mission Critical Activities and/or their dependencies, systemic processes and people located either in the same building or close geographical proximity (zone), that are not reproduced elsewhere, i.e. a single point of failure and lack of organisational resilience. [BCI]

Risk Context – The environment in which risks exist. This can be broken down into the strategic context such as the relationship between the organisation and the external business environment, and the organisational context, such as goals, objectives, capabilities, resources, culture and strategies. See: Risk Appetite. [BCI]

Risk Control – Actions implementing risk management decisions.

NOTE: Risk control may involve monitoring, re-evaluation, and compliance with decisions. [ISO/IEC Guide 73:2002]

Risk Control – That part of risk management which involves the implementation of policies, standards, procedures and physical changes to eliminate or minimise adverse risks. See: Risk Management. [BCI]

Risk Controls – All methods of reducing the frequency and/or severity of losses including exposure avoidance, loss prevention, loss reduction, segregation of exposure units and non-insurance transfer of risk. [DRI]

Risk Criteria – Terms of reference by which the significance of risk is assessed.

NOTE: Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment. [ISO/IEC Guide 73:2002]

Risk Evaluation – The process of comparing actual risk levels with previously established risk criteria. As a result of this comparison, risks can be prioritised for further action. [BCI]

Risk Evaluation – Process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]

Risk Event – An event that could potentially lead to an adverse impact on the business or function. The manifestation of a risk into a reality. [BCI]

Risk Factors – Measurable or observable manifestations or characteristics of a process that either indicate the presence of risk or tend to increase exposure. [BCI]

Risk Financing – The application of techniques to fund the treatment and consequences of risk, e.g. using insurance. A means of accounting for potential loss exposures. Examples include various types of risk retention (e.g. internal contingency funds or reserves funding losses out of operating budgets, etc.) and risk transfer techniques including insurance contracts, self-insurance, captives, sinking funds, etc. [BCI]

Risk Framework – Measurable or observable manifestations or characteristics of a process that either indicate the presence of risk or tend to increase exposure. See: Control Framework. [BCI]

Risk Identification – The process of identifying what can happen, why and how. [BCI]

Risk Level – See: Risk Profile. [BCI]

Risk Management – Structured development and application of management culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating, and controlling and responding to risk. [BS25999-2]

Risk Management – The culture, processes and structures that are put in place to effectively manage potential opportunities and adverse effects. As it is not possible or desirable to eliminate all risk, the objective is to implement cost effective processes that reduce risks to an acceptable level, [BCI & DRI] reject unacceptable risks and treat risk by financial interventions, i.e. transfer other risks through insurance or other means, or by organizational intervention, i.e. BCM. See: Risk Control. [BCI]

Risk Management – The process responsible for identifying, assessing and controlling risks. [ITIL]

Risk Management Process – The systematic and documented process of clarifying the risk context and identifying, analysing, evaluating, treating, monitoring, communicating and consulting on risks. [BCI]

Risk Mitigation – Measure taken to reduce exposures to risks. [BCI]

Risk Perception – People view risks differently; this is usually related to their attitude to risk and whether they lean more towards being a risk taker or being risk averse. [BCI]

Risk Prioritisation – The relation of acceptable levels of risks among alternatives. See: Risk Ranking. [BCI]

Risk Profile – The combined result of consequence and probability. See: Risk Level. [BCI]

Risk Profiling – The systematic method by which all the risks and associated controls relating to an entity are identified, assessed and documented using risk management tools. [BCI]

Risk Ranking – The ordinal or cardinal rank prioritisation of the risks in various alternatives, projects or units. See: Risk Prioritisation. [BCI]

Risk Reduction or Mitigation – A selective application of appropriate techniques and management principles to reduce or mitigate either the likelihood of an occurrence or its consequences, or both. [BCI]

Risk Retention – Intentionally (or unintentionally) retaining the responsibility for loss or risk financing within the organisation. [BCI]

Risk Scenarios – A method of identifying and classifying risks through creative application of probabilistic events and their consequences. Typically a brainstorming or other creative technique used to stimulate ‘what might happen’. This can be achieved through creative techniques, such as brainstorming, or through the application of mathematical and statistical techniques and modelling, e.g. fault tree analysis and event tree analysis. [BCI]

Risk Standards – Various Risk Standards have been published around the world providing guidance for business on managing risk. For example, the Australian/New Zealand Standard on Risk Management (AS/NZS4360: 1999). [BCI]

Risk Systemic – See: Systemic Risk. [BCI]

Risk Transfer – A series of techniques describing the various means of addressing risk through insurance and similar products. This includes recent developments such as the securitisation of risk and creation of, for example, catastrophe bonds. [BCI]

Risk Transfer – A common technique used by Risk Managers to address or mitigate potential exposures of the organization. A series of techniques describing the various means of addressing risk through insurance and similar products. [DRI]

Risk Treatment – The selection and implementation of relevant options for managing risk. The key treatments include:

–   Acceptance – risks are retained by the organisation.

–   Avoidance – deciding not to carry on with the proposed activities due to the risk being unacceptable or finding another alternative that is more acceptable.

–   Reduction – reducing the likelihood and/or consequence of the risk.

–   Transfer – transferring the risk in part or in totality to another. Insurance is an example of risk transfer. [BCI]

Risk Treatment – Process of selection and implementation of measures to modify risk.

NOTE: The term ‘control’ is used as a synonym for ‘measure’. [ISO/IEC Guide 73:2002]

Roll Call – The process of ensuring that all employees, visitors and contractors have been safely evacuated and accounted for following an evacuation of a building or site. [BCI & DRI]

Root Cause – (Service Operation) The underlying or original cause of an incident or problem. [ITIL]

Root Cause Analysis (RCA) – (Service Operation) An activity that identifies the root cause of an incident or problem. RCA typically concentrates on IT infrastructure failures. [ITIL]

RPO – See: Recovery Point Objective.

RTO – See: Recovery Time Objective.

S

Salvage – The recovery of personal effects, documentation, office and computer equipment. [BCI]

Salvage and Restoration – The act of conducting a coordinated assessment to determine the appropriate actions to be performed on impacted assets. The assessment can be coordinated with Insurance adjusters, facilities personnel, or other involved parties. Appropriate actions may include: disposal, replacement, reclamation, refurbishment, recovery or receiving compensation for unrecoverable organizational assets. [DRI]

Scenario – A pre-defined set of Business Continuity E/I/C and conditions that describe an interruption, disruption or loss related to some aspect(s) of an organisation's business for purposes of exercising a plan(s) and the people that would manage a Business Continuity E/I/C. [BCI]

Scenario – A predefined set of Business Continuity events and conditions that describe, for planning purposes, an interruption, disruption, or loss related to some aspect(s) of an organization’s business operations to support conducting a BIA, developing a continuity strategy, and developing continuity and exercise plans.

NOTE: Scenarios are neither predictions nor forecasts. [DRI]

Security Review – A periodic review of the security of tangible and intangible assets which should cover security policy, effectiveness of policy implementation, restriction of access to the assets, accountability for access and basic safety. [BCI]

Security Review – A periodic review of policies, procedures, and operational practices maintained by an organization to ensure that they are followed and effective. [DRI]

Self Insurance – The decision to bear the losses that could result from a Business Continuity E/I/C rather than take insurance to cover the risk. [BCI]

Self Insurance – The preplanned assumption of risk in which a decision is made to bear losses that could result from a Business Continuity event rather than purchasing insurance to cover those potential losses. [DRI]

Service Continuity – The process and procedures required to maintain or recover critical services such as ‘remote access’ or ‘end-user support’ during a business interruption. [DRI]

Service Continuity Planning – A process used to mitigate, develop, and document procedures that enable an organization to recover critical services after a business interruption. [DRI]

Service Failure Analysis – (Service Design) An activity that identifies underlying causes of one or more IT Service interruptions. SFA identifies opportunities to improve the IT service provider's processes and tools, and not just the IT infrastructure. SFA is a time constrained, project-like activity, rather than an ongoing process of analysis. [ITIL]

Service Level Agreement (SLA) – A formal agreement between a service provider (whether internal or external) and their client (whether internal or external) which covers the nature, quality, availability, scope and response of the service provider. The SLA should cover day-to-day situations and disaster situations, as the need for the service may vary in a disaster. [BCI & DRI]

Service Level Agreement – (Service Design) (Continual Service Improvement) An agreement between an IT service provider and a customer. The SLA describes the IT service, documents service level targets, and specifies the responsibilities of the IT service provider and the customer. A single SLA may cover multiple IT services or multiple customers. [ITIL]

Service Level Agreement (SLA) – Written agreement between a service provider and a customer that documents services and agreed service levels. [ISO/IEC 20000-1:2005]

Service Level Management (SLM) – The process of defining, agreeing, documenting and managing the levels of any type of services provided by service providers whether internal or external that are required and cost justified. [DRI]

Service Level Management – (Service Design) (Continual Service Improvement) The process responsible for negotiating Service Level Agreements, and ensuring that these are met. SLM is responsible for ensuring that all IT Service management processes, operational level agreements, and underpinning contracts, are appropriate for the agreed service level targets. SLM monitors and reports on service levels, and holds regular customer reviews. [ITIL]

Service Management – Management of services to meet the business requirements. [ISO/IEC 20000-1:2005]

SFA – See: Service Failure Analysis.

Silver Control – The agreed civil Emergency Services term for Tactical Control. See: Tactical Control; Level 2 Control. [BCI]

Simulation Exercise – One method of exercising teams in which participants perform some or all of the actions they would take in the event of plan activation. Simulation exercises, which may involve one or more teams, are performed under conditions that at least partially simulate “disaster mode”. They may or may not be performed at the designated alternate location, and typically use only a partial recovery configuration. [DRI]

Single Point of Failure – The only (single) source of a service, activity and/or process (i.e. there is no alternative), whose failure would lead to the total failure of a Mission Critical Activity and/or dependency. [BCI]

Single Point Of Failure (SPOF) – A unique pathway or source of a service, activity, and/or process. Typically, there is no alternative and a loss of that element could lead to a failure of a critical function. [DRI]

Single Point Of Failure – (Service Design) Any Configuration item that can cause an incident when it fails, and for which a countermeasure has not been implemented. A SPOF may be a person, or a step in a process or activity, as well as a component of the IT infrastructure. [ITIL]

Site Access Denial – See: Denial of Access. [BCI]

SLA – See: Service Level Agreement.

SLM – See: Service Level Management.

Social Impact – The affect and effect of a Business Continuity E/I/C on the overall well-being of a population/community. [BCI]

Sourcing – See: Supplier; Third-Party Supplier; Outsourcing. [BCI]

Specialist Of Business Continuity Institute (SBCI) – A professional certification granted by the Business Continuity Institute for specialist practitioners with at least two years of full time experience in a business continuity management related profession and who have good general knowledge of some of the BCI Certification Standards. [DRI]

Speculative Risk – A risk where there is uncertainty as to whether a gain or loss will occur. An example would be exposure to movements in exchange rates. [BCI]

SPOF – See: Single Point of Failure.

Stakeholders – Those with a vested interest in an organisation’s achievements.

NOTE: This is a wide-ranging term that includes, but is not limited to, internal and ‘outsourced’ employees, customers, suppliers, partners, employees, distributors, investors, insurers, shareholders, owners, government and regulators. [BS25999-2]

Stand Down – Formal notification that the response to a Business Continuity E/I/C has been concluded. [BCI]

Stand Down – Formal notification that the response to a Business Continuity event is no longer required or has been concluded. [DRI]

Standalone Test – A test conducted on a specific component of a plan in isolation from other components to validate component functionality, typically under simulated operating conditions. [DRI]

Standby Service – The provision of the relevant recovery facilities. See: Cold Site, Warm Site; Hot Site; Work Area Facility; Mobile Standby. [BCI]

Statutory – See: Legislative; Regulatory. [BCI]

Statutory Services – Those services whose responsibilities are laid down by law, e.g. Fire and Rescue Service, Coast Guard Service. See: Emergency Services; Blue Light Services. [BCI]

Strategic Control – The purpose of the strategic level of control is to establish a framework of policy within which tactical control will work and a strategy that tactical control will implement. In particular, the provision of resources for tactical command, the resolution and prioritisation of multiple and/or conflicting demands and to determine plans for the return to business as usual or return home. [BCI]

Structured Walkthrough – A type of exercise in which team members physically implement and verbally review each step of a plan to assess its effectiveness, identify enhancements, constraints and deficiencies. See: Test. [BCI]

Structured Walkthrough – Types of exercise in which team members physically implement the business continuity plans and verbally review each step to assess its effectiveness, identify enhancements, constraints and deficiencies. [DRI]

Subscription – See: Recovery Services Agreement/Contract. [DRI]

Supplier – A person or company who supplies goods or services to the organisation. See: Sourcing. [BCI]

Supply Chain – All suppliers, manufacturing facilities, distribution centers, warehouses, customers, raw materials, work-in-process inventory, finished goods, and all related information and resources involved in meeting customer and organizational requirements. [DRI]

Syndication Ratio – The number of times that a work area is sold by the third-party providers at a resource recovery location and its availability at the time of a Business Continuity E/I/C is on a first-come-first-served basis. [BCI]

System – Set of interrelated or interacting elements. [BS EN ISO 9000:2005]

System – Set of related technology components that work together to support a business process or provide a service. [DRI]

System Denial – A failure of the IT system for a protracted period, which may impact an organisation’s ability to sustain its normal business activities. [BCI]

System Recovery – The procedures for rebuilding a computer system to the condition where it is ready to accept data and applications. [BCI]

System Recovery – The procedures for rebuilding a computer system and network to the condition where it is ready to accept data and applications, and facilitate network communications. [DRI]

System Restore – The procedures necessary to get a system into an operable condition where it is possible to run the application software against the available data. System restore depends upon having a live system available, i.e. follows system recovery. [BCI]

System Restore – The procedures necessary to return a system to an operable state using all available data including data captured by alternate means during the outage. System restore depends upon having a live, recovered system available. [DRI]

Systemic Risk – The risk that the failure of one participant or part of a process, system, industry or market to meet its obligations will cause other participants to be unable to meet their obligations when due causing significant liquidity and other problems, thereby threatening the stability of the whole process, system, industry or market. [BCI]

T

Tabletop Exercise – One method of exercising plans in which participants review and discuss the actions they would take without actually performing the actions. Representatives of a single team, or multiple teams, may participate in the exercise typically under the guidance of exercise facilitators. [DRI]

Tabletop Exercise – A paper feed scenario based method of testing plans, procedures and people. See: Desktop Exercise. [BCI]

Tactical Control – A primary role of a tactical level of control is to provide and coordinate an action plan to deal with the Business Continuity E/I/C and/or implement the policy and strategy of the strategic level of control (where the latter exists). Also to determine the priority in the allocation of resources in the co-ordination of the implementation of the plan. See: Level 2 Control, Silver Control. [BCI]

Tape Backup – Key data being backed up onto tapes at a given point in time. [BCI]

Task List – Defined mandatory and discretionary tasks allocated to teams and/or individual roles within a plan. [BCI & DRI]

Technology Recovery Planning – The process of planning for and writing procedures to address recovery of the IT and telecommunications components for the Mission Critical Activities and/or their dependencies. See: Information Technology Disaster Recovery (ITDR). [BCI]

Telecommunications – The technology of communications by telephony, radio, television, etc. [BCI]

Test – An activity in which some part(s) of a business continuity plan(s) is followed to ensure that the plan contains the appropriate information and produces the desired result. A test is distinct from an exercise in that a test occurs at an alternate site whereas an exercise is generally a simulation. See: Exercise. [BCI]

Test – A pass/fail evaluation of infrastructure (example: computers, cabling, devices, hardware) and/or physical plant infrastructure (example: building systems, generators, utilities) to demonstrate the anticipated operation of the components and system. Tests are often performed as part of normal operations and maintenance. Tests are often included within exercises. See: Exercise. [DRI]

Test Plan – A schedule of work designed to plan for testing a business continuity plan, people, systems and processes. [BCI] See: Exercise Plan [DRI]

Test Script – A detailed description of the tasks that will be undertaken whilst conducting a test. The test script details the scope of the test and defines the success criteria. [BCI]

Third-Party Provider/Supplier – An external provider of services, goods and solutions. See: Sourcing; Outsourcing; Supplier.

Threat – A combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place. [DRI]

Threat – Anything that might exploit a vulnerability. Any potential cause of an incident can be considered to be a threat. For example, a fire is a threat that could exploit the vulnerability of flammable floor coverings. This term is commonly used in information security management and IT service continuity management, but also applies to other areas such as problem and availability management. [ITIL]

Threat – A potential cause of an incident that may result in harm to system or organisation. [BS ISO/IEC 13335-1:2004 & BS7799-3:2006]

Tolerance Threshold – The maximum period of time during which a business can afford to be without a Mission Critical Activity and/or its dependency(ies). See: Mission Critical Activities. [BCI]

Top Management – Person or group of people who direct and control an organisation at the highest level. [BS EN ISO 9000:2005]

NOTE: Top management, especially in a large multinational organisation, might not be directly involved; however, top management accountability through the chain of command is manifest. In a small organisation, top management might be the owner or sole proprietor. [BS25999-2]

Trauma Counseling – The provisioning of counseling assistance by trained individuals to employees, customers and others who have suffered mental or physical injury as the result of an event. [DRI]

Trauma Counselling – The provision of assistance to staff, customers and others who have suffered mental or physical injury through being involved in an E/I/C. See: Post Traumatic Stress Disorder; Trauma Management. [BCI]

Trauma Management – Trauma Management involves helping employees deal with trauma in a systematic way following a disaster, through the delivery of appropriate support systems and coping strategies with the objective of restoring employees’ psychological wellbeing. See: Trauma Counselling, Post Traumatic Stress Disorder. [BCI]

Trauma Management – The process of helping employees deal with trauma in a systematic way following an event by providing trained counselors, support systems, and coping strategies with the objective of restoring employees’ psychological well-being. [DRI]

U

Unexpected Loss – The worst case financial loss or impact that a business could incur due to a particular loss E/I/C or risk. The unexpected loss is calculated as the expected loss plus the potential adverse volatility in this value. It can be thought of as the worst financial loss that could occur in a year over the next 20 years. [BCI & DRI]

Uninterrupted Power Supply (UPS) – Equipment (usually a bank of batteries) that offers short-term protection against power surges and outages. Note that UPS usually only allows enough time for vital systems to be correctly powered down. [BCI]

Uninterruptible Power Supply (UPS) – A backup electrical power supply that provides continuous power to critical equipment in the event that commercial power is lost. The UPS (usually a bank of batteries) offers short-term protection against power surges and outages. The UPS usually only allows enough time for vital systems to be correctly powered down. [DRI]

UPS – See: Uninterruptible Power Supply.

Urgency – (Service Transition) (Service Design) A measure of how long it will be until an incident, problem or change has a significant impact on the business. For example a high impact incident may have low urgency, if the impact will not affect the business until the end of the financial year. Impact and urgency are used to assign priority. [ITIL]

Utility – (Service Strategy) Functionality offered by a Product or Service to meet a particular need. Utility is often summarised as ‘what it does’. [ITIL]

Utilities – Companies and organisations providing essential services e.g. gas, water, electricity. [BCI]

V

Validation Script – A set of procedures within the Business Continuity Plan to validate the proper function of a system or process before returning it to production operation. [DRI]

Virus – An unauthorised programme that inserts itself into a computer system and then propagates itself to other computers via networks or disks. When activated, it interferes with the operation of the computer systems. [BCI]

Vital Business Function (VBF) – (Service Design) A function of a business process which is critical to the success of the business. Vital Business Functions are an important consideration of business continuity management, IT service continuity management and availability management. [ITIL]

Vital Record – Computerised or paper record which is considered to be essential to the continuation of the business following an E/I/C. [BCI]

Vital Record Location – A designated storage location for holding Vital Records. Must be away from the normal site and be secure. See: Offsite Location; Record. [BCI]

Vital Records – Records essential to the continued functioning or reconstitution of an organization during and after an emergency and also those records essential to protecting the legal and financial rights of that organization and of the individuals directly affected by its activities. [DRI]

Voice Recovery – Restoration of voice telephony services to another site. [BCI]

Vulnerability – (Service Design) A function of a business process which is critical to the success of the business. Vital business functions are an important consideration of business continuity management, IT service continuity management and availability management. [ITIL]

Vulnerability – A weakness of an asset or group of assets that can be exploited by one or more threats. [BS ISO/IEC 13335-1:2004 & BS7799-3:2006]

W

Warm Site – A site (data centre / work area) which is partially equipped with hardware, communications interfaces, electricity and environmental conditioning capable of providing backup operating support. See: Cold Site; Hot Site; Alternate Site. [BCI]

Warm Site – An alternate processing site which is equipped with some hardware, and communications interfaces, electrical and environmental conditioning which is only capable of providing backup after additional provisioning, software or customization is performed. [DRI]

Warm Standby – Synonym for Intermediate Recovery. [ITIL]

Work Area Facility – A predesignated space provided with desks, telephones, PCs, etc., ready for occupation by business recovery teams at short notice. May be internally or externally provided. [BCI & DRI] See: Cold Site; Hot Site; Warm Site; Alternate Site. [BCI]

Work Area Recovery – The component of recovery and continuity that deals specifically with the relocation of a key function or department in the event of a disaster, including personnel, essential records, equipment supplies, work space, communication facilities, work station computer processing capability, fax, copy machines, mail services, etc. Office recovery environment complete with necessary office infrastructure (desk, telephone, workstation, hardware, communications). [DRI]

Work Area Recovery Planning – The business continuity planning process of preparing procedures for use at the work area facility. [BCI]

Work Area Recovery Planning – The business continuity planning process of identifying the needs and preparing procedures and personnel for use at the work area facility. [DRI]

Workaround – (Service Operation) Reducing or eliminating the impact of an incident or problem for which a full resolution is not yet available, for example, by restarting a failed configuration item. Workarounds for problems are documented in known error records. Workarounds for incidents that do not have associated problem records are documented in the incident record. [ITIL]

Workaround Procedures – Alternative procedures that may be used by a functional unit(s) to enable it to continue to perform its critical functions during temporary unavailability of specific application systems, electronic or hard copy data, voice or data communication systems, specialized equipment, office facilities, personnel, or external services. [DRI]

Z

Zone – A region or area characterised by a common feature or quality that should be considered in BCM planning, e.g. a high risk concentration of business and/or industry Mission Critical Activities in an area. See: Mission Critical Activities. [BCI]
