Business Continuity Glossary
  • 1. BS 11200

    BS 11200 is the new British Standards Institution Guidance and Good Practice on Crisis Management. Published in 2014, it supersedes PAS 200:2011. 

  • 2. Non-technical skills

    These are the mental (cognitive), social and interpersonal skills that support specific technical skills, such as legal, HR, finance, or corporate affairs.  In crisis management terms, non-technical skills include crisis decision-making, situational awareness, team-working, communication and leadership.

    Source: Steelhenge

  • 3. Minimum business continuity objective (MBCO)


    Minimum level of services and/or products that is acceptable to the organisation to achieve its business objectives during a disruption

    Source: ISO 22301

  • 4. Maximum acceptable outage (MAO)


    The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

    Associated term: Maximum tolerable period of disruption

    Source: ISO 22301

  • 5. Interested Party

    Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

    Source: ISO 22301

    Associated term: Stakeholder

  • 6. Prioritised Activities

    Activities to which priorities must be given following an incident in order to mitigate impacts.

    Source: ISO 22300

    Associated term: Critical activities

  • 7. Crisis Management Plan

    Clearly defined and documented plan of action and supporting check lists and tools for use at the time of a crisis or major incident. Typically covers the response structure, roles and responsibilities, resources, services and actions needed to manage the crisis and minimise its impact.

    Source: Steelhenge

    Associated Term: Incident Management Plan

  • 8. Top management

    Person or group of people who direct and control an organisation at the highest level. In larger organisations, this may be the Board, Directors, Senior Management Team whilst in a small organisation, top management might be the owner or sole proprietor

  • 9. Threat

    A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organisation, the environment or community

    Associated Term: Hazard

  • 10. Test

    A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. 

    NOTE: Most exercises are not 'tests'. Tests are usually associated with ICT recovery when a component or system can definably pass or fail. 

  • 11. Stakeholders

    Those with a vested interest in an organisations achievement

    Note: This is a wide-ranging term that includes, but is not limited to, internal and ‘outsourced’ employees, customers, suppliers, partners, employees, distributors, investors, insurers, shareholders, owners, government and regulators

    Associated term: Intersted parties

  • 12. Risk treatment

    Selection and implementation of measures to modify risk

    Source: BCI 2011

  • 13. Risk management

    Structured development and application of management culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating risk and subsequently developing measures to prevent or mitigate the affects, of the risk

  • 14. Risk assessment

    Overall process of risk identification, analysis and evaluation

    Source: ISO Guide 73

  • 15. Risk appetite

    Amount and type of risk that an organisation is willing to pursue or retain

  • 16. Risk

    Effect of uncertainty on objectives

    Source: ISO Guide 73

  • 17. Resilience

    The capacity of an organisation to plan for and adapt to change or disruption, through anticipation, protection, responsive capacity and recoverability.

    Source: Steelhenge

  • 18. Residual risk

    Level of risk remaining after all cost-effective actions have been taken to lessen the impact, probability and consequences of a specific risk or group of risks, subject to an organisation's risk appetite

    Source: BCI 2011

  • 19. Recovery time objective (RTO)


    Period of time follwing an incident within which:

    • a product or service must be resumed, or
    • an activity must be resumed; or
    • resources must be recovered.

    Note: For products, services and activities, the recovery time objective must be less than the time it would take for the adverse impacts that would arise as a result of not providing a product/service or performing an activity to become unacceptable i.e. less than the maximum tolerable period of disruption (MTPD)or maximum acceptable outage (MAO)

  • 20. Recovery point objective (RPO)

    Point in time to which data must be recovered after a disruption has occurred

    Source: ISO 27031

  • 21. PD 25888:2011

    Additional guidance to BS 25999 on Organization Recovery following disruptive incidents.  Created by the British Standards Institution as a Published Document and remains valid as guidance to ISO 22301.

    Source: Steelhenge

  • 22. PD 25666:2010

    PD 25666 is a Published Document created by the British Standards Institution to provide guidance on Exercising and Testing for Continuity and Contingency Programmes.  It is also referenced in BS 11200, the British Standard for Crisis Management.

    Source: Steelhenge

  • 23. PD 25111:2010

    Additional guidance to BS 25999 on Human Aspects of Business Continuity.  Created by the British Standards Institution as a Published Document and remains valid as guidance to ISO 22301.

    Source: Steelhenge

  • 24. PAS 200:2011

    Publically Available Specification on Crisis Management - Guidance and Good Practice; developed and published by the UK Government's Cabinet Office and British Standards Institution. BS 11200, published in 2014, has superseded PAS 200:2011.

    Source: Steelhenge

  • 25. Operational resilience

    Ability of an organisation, staff, system, telecommunications network, activity or process to absorb the impact of a business interruption, disruption or loss and continue to provide an acceptable level of service

    Source: BCI 2011

  • 26. Maximum tolerable period of disruption (MTDP)


    The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

    Associated term: Maximum acceptable outage

    Source: ISO 22301

  • 27. Likelihood

    Chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities

    Note: Likelihood can be expressed qualitatively or quantitatively

  • 28. ISO/PAS 22399:2007

    Publically available specification, published by the ISO, for Societal Security - Guideline for incident preparedness and operational continuity management.  Will be replaced by ISO 22301 and ISO 22313 once these standards are published.

    Source: Steelhenge

  • 29. ISO 27031

    ISO Standard for Information Technology - Security techniques - Guidelines for information and communication technology readiness for business continuity.

    Source: Steelhenge

  • 30. ISO 27001

    ISO Standard for Information Security

    Source: Steelhenge

  • 31. ISO 31000

    ISO Standard for Risk Management

    Source: Steelhenge

  • 32. ISO 22320:2011

    ISO for Societal Security - Emergency Management - Requirements for Incident Response

    Source: Steelhenge

  • 33. ISO 22313

    ISO Standard for Societal Security - Business Continuity Management Systems - Guidance Document. Published December 2012.

    Source: Steelhenge

  • 34. ISO 22301

    ISO Standard for Societal Security - Business Continuity Management Systems requirements.  Published in May 2012 and supersedes BS 25999-2. Steelhenge is now certified in ISO 22301.

    Source: Steelhenge

  • 35. Invocation

    Act of declaring that an organisation’s business continuity plan needs to be put into effect in order to continue delivery of key products or services

    Source: ISO 22301

    Associated Term: Activation

  • 36. Incident management plan

    Clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process.

    This is sometimes referred to as a crisis management plan although it is not the term used in ISO 22301.

    Associated Term: Crisis management plan

  • 37. Incident

    Situation that might be, or could lead to, a business disruption, loss, emergency or crisis

    Source: ISO 22301

  • 38. Impact

    Evaluated consequence of a particular outcome

    Source: BCI 2011

    Related term: Consequence

  • 39. ICT services

    Combination of human, physical and logical assets together with data which support an organisation in its day-to-day activities and consist of tools and/or facilities provided to access and use information and to communicate both internally and externally

    Source: Steelhenge

  • 40. ICT disaster recovery plan

    Clearly defined and documented plan which recovers ICT capabilities when a disruption occurs

    Source: ISO 27031

    Associated Term: ICT continuity plan

  • 41. ICT disaster recovery

    Ability of the ICT elements of an organisation to support its critical business functions to an acceptable level within a predetermined period of time following a disruption

    Source: ISO 27031

  • 42. ICT continuity

    Capability of the organisation to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level

  • 43. Gap analysis

    A technique to identify the differences between BCM/Crisis Management requirements and what is actually in place and/or available. This may be conducted against a particular Standard eg ISO 22301 or ISO 27031

  • 44. Exercise

    Process to train for, assess, practise and improve performance in an organisation.

    NOTE: Exercises can be used for: validating policies, plans, procedures, training, equipment and inter-organisational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organisational coordination and communications; identifying gaps in resources; improving individual performance; identifying opportunities for improvement and controlled opportunity to practise improvisation. 

    Source: ISO 22301

    Associated terms: Rehearsal, Test.

  • 45. Emergency planning

    Development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency

  • 46. Disruption

    An event that interrupts normal business, activities, operations, or processes, whether anticipated (e.g hurricane, political unrest) or unanticipated (e.g power failure, technology failure, earthquake, terror attack)

  • 47. Disaster recovery (DR)

    The strategies and plans for recovering and restoring the organisations technological infrastructure and capabilities after serious disruption. DR is now normally only used in reference to an organisation's IT and telecommunications recovery

    Source: BCI 2011
  • 48. Critical activities

    Those activities which have to be performed in order to deliver the key products and services which enable an organisation to meet its most important and time-sensitive objectives

    Note: In ISO 22301, the term 'critical activities' has been replaced with 'prioritised activities'. See definition below. 

  • 49. Crisis centre

    The facility used by the crisis management team. It is usually equipped with the necessary systems, technology and tools to support the team in their crisis management function

    Associated Term: Crisis suite, Crisis operations centre; Emergency operations centre, Command centre
  • 50. Cloud computing

    The generic term used to describe internet based computing where users access applications or services hosted by a third party. Users pay for the service either on a monthly contract or a "pay as you go" basis. It is comparable to the way people use mobile phone services
  • 51. Civil emergency

    Event or situation which threatens serious damage to human welfare in a place in the UK, the environment of a place in the UK, or the security of the UK or of a place in the UK (UK Civil Contingencies Act 2004)

  • 52. Cascade system

    A system whereby one person or organisation calls out/contacts others who in turn initiate further call-outs/contacts as necessary

    Source: BCI 2011
  • 53. Business impact analysis

    Process of analysing activities and the effect that a business disruption might have upon them

    Source: ISO 22300

  • 54. Business continuity strategy

    Approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption

  • 55. Business continuity policy

    A BCM policy sets out an organisation's aims, principles and approach to BCM, what and how it will be delivered, key roles and responsibilities and how BCM will be governed and reported upon

    Source: BCI 2011
  • 56. Business continuity plan (BCP)

    Documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following a disruption

    Source: ISO 22301

  • 57. Business continuity management system (BCMS)

    Part of the overall management system that implements, operates, monitors, reviews, maintains and improves business continuity

    NOTE: The management system includes organisational structure, policies, planning activities, responsibilities, procedures, processes and resources

    Source: ISO 22301

  • 58. Business continuity programme

    Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management

    Source: ISO 22301

  • 59. Business continuity management lifecycle

    Series of business continuity activities which collectively cover all aspects and phases of the business continuity management programme

  • 60. Business continuity management

    A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
    Note: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure that business continuity plan(s) stays current and up-to-date

    Source: ISO 22301

    Associated Term: BCM

  • 61. Business Continuity Institute (BCI)

    The Institute of professional Business Continuity Managers

    Source: BCI 2011
  • 62. Business continuity

    Capability of the organisation to continue delivery of products or services at acceptable predefined levels following disruptive incident

    Source: ISO 22300

  • 63. BS 25999

    BS 25999 is the British Standard for Business Continuity Management first published in 2006 as a code of practice (BS 25999-1:2006) and followed in 2007 by the specification (BS 25999-2:2007). BS 25999-1 has been superseded by ISO 22313 and BS 25999-2 has been superseded by ISO 22301. 

  • 64. BS 25777

    BS 25777 is the British Standard for ICT Continuity Management published in 2008 as a code of practice (BS 25777-1:2008). It has been superseded by ISO/IEC 27031:2011 and withdrawn
  • 65. Battle Box

    A container - often literally a box or brief case - in which data, essential information and equipment is stored to support those responding to an emergency, crisis or incident

    Associated Term: Grab bag
  • 66. Backup

    A process by which data, electronic or paper based, is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted

    Source: BCI 2011
  • 67. Audit

    The process by which procedures and/or documentation are measured against pre-agreed criteria or standards
  • 68. Assurance

    In this context, assurance describes the enhanced confidence an organisation has in its resilience through business continuity and crisis planning
  • 69. Asset

    An item of value owned by an organisation such as physical assets (e.g. buildings and equipment); financial assets (e.g. currency, bank deposits and shares) and non-tangible assets (e.g. goodwill, reputation)
  • 70. Alternate Site

    The site to which time critical business operations would relocate if access to the principal site were unavailable

    Associated Term: Cold site, Warm site, Hot site, Recovery site, Back up site
  • 71. Activity

    Process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products or services. NOTE: Examples of such processes include accounts, call centre, IT, manufacture, distribution

    Source: ISO 22301

  • 72. Activation

    The process governing the implementation of business continuity or crisis management procedures, activities and plans in response to an emergency, event, incident and/or crisis

    Associated term: invocation

For more information please contact us