UPDATED: September 16, 2016
(Acronym for Associate Business Continuity Professional)
Affiliate Membership of the Business Continuity Institute
This non-certified membership grade is for those who have an active interest in the industry but do not have any formal business continuity certification.
Notification that a potential disruption is imminent or has occurred; usually includes a directive to act or standby.
A site held in readiness for use during/following an invocation of business or disaster recovery plans to continue urgent and important activities of an organization.
Alternate Work Area
Recovery environment complete with necessary infrastructure (e.g., desk, telephone, workstation, and associated hardware and equipment, communications).
(Acronym for Associate Member of The Business Continuity Institute)
Annual Loss Exposure/Expectancy (ALE)
A risk management method of calculating loss based on a value and level of frequency.
Annual Program Review (APR)
A structured yearly opportunity for top management to review the status of important components of the business continuity management program, with the objectives of approving future initiatives, allocating resources and confirming program scope.
The component of Disaster Recovery that deals specifically with the restoration of business system software and data after the processing platform has been restored or replaced.
The designated area at which employees, visitors, and contractors assemble if evacuated from their building/site.
Anything that an organization signifies as important or valuable. This could include technology equipment, real estate, operating equipment, intellectual property, reputation, and financial resources.
ABCP (Associate Business Continuity Professional)
The Associate Business Continuity Professional level is designed for individuals with less than two years of industry experience, but who have minimum knowledge in continuity management, and have passed the DRII qualifying exam.
Associate Fellow of the Business Continuity Institute (AFBCI)
This certified membership grade is designed for professionals that have significant experience in business continuity and have held the MBCI membership grade for more than three years.
Associate Member of The Business Continuity Institute (AMBCI)
This is a certified membership grade and is designed for professionals that have at least one year’s experience in business continuity and who have taken and passed the Certificate of the BCI (CBCI) Examination.
Associate Healthcare Provider Continuity Professional (AHPCP)
The AHPCP level is designed for individuals with less than two years of industry experience, but who have minimum knowledge in continuity management, and have passed the Healthcare qualifying exam.
Associate Public Sector Continuity Professional (APSCP)
The APSCP level is designed for individuals with less than two years of industry experience, but who have minimum knowledge in continuity management, and have passed the Public Sector qualifying exam.
Associate Risk Management Professional (ARMP)
The ARMP level is designed for individuals who have less than two years of Risk Management experience, have completed the DRII Risk Management class, and have passed the Risk Examination.
a) The amount of work that accumulates when a system or process is unavailable for a long period of time. This work needs to be processed once the system or process is available and may take a considerable amount of time to process.
A process by which data (electronic or paper-based) and programs are copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted.
An independent source of power, usually fueled by diesel or natural gas.
The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
Business Continuity Coordinator
A role within the BCM program that coordinates planning and implementation for overall recovery of an organization or unit(s).
Business Continuity Management (BCM)
The process that organizations use to ensure business continuity is maintained across their organization.
Business Continuity Management Program
Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.
Business Continuity Management Team
A group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.
Similar terms: disaster recovery management team, business recovery management team.
Business Continuity Plan (BCP)
Documented procedures that guide organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption.
Note: Typically this covers resources, services and activities required to ensure the continuity of critical business functions. (Source: ISO 22301:2012)
Business Continuity Planning
Business Continuity Planning is the process of developing prior arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions can continue within planned levels of disruption. The end result of the planning process is the BC Plan.
Business Continuity Plan Administrator
The designated individual responsible for plan documentation, maintenance, and distribution.
Business Continuity Steering Committee
A committee of decision makers (e.g., business leaders, technology experts and continuity professionals) tasked with making strategic policy and continuity planning decisions for the organization, and with providing the resources to accomplish all business continuity program goals.
Business Continuity Strategy
An approach selected by an organization to ensure its recovery and continuity in the face of a disaster or other business disruption.
Business Continuity Team (BCT)
Designated individuals responsible for the development, execution, rehearsal, and maintenance of the business continuity plan.
Business Impact Analysis (BIA)
A process designed to assess the potential quantitative (financial) and qualitative (non-financial) impacts that might result if an organization were to experience a business disruption.
Any event, whether anticipated (e.g., public service strike) or unanticipated (e.g., blackout), which disrupts the normal course of business operations at an organization’s location.
Similar terms: outage, service interruption.
Business Interruption Costs
The impact to the business caused by different types of outages, normally measured by revenue lost.
Business Interruption Insurance
Insurance coverage for disaster related expenses that may be incurred until operations are fully recovered after a disaster. Business interruption insurance generally provides reimbursement for necessary ongoing expenses during this shutdown, plus loss of net profits that would have been earned during the period of interruption, within the limits of the policy.
Business Recovery Coordinator
An individual or group designated to coordinate or control designated recovery processes or testing.
Business Recovery Team
A group responsible for: relocation and recovery of business unit operations at an alternate site following a business disruption; and subsequent resumption and restoration of those operations at an appropriate site.
Business Recovery Timeline
The approved sequence of activities required to achieve stable operations following a business interruption. This timeline may range from minutes to weeks, depending upon the recovery requirements and methodology.
Business Unit Recovery
A component of Business Continuity which deals specifically with the recovery of a key function or department in the event of a disaster.
A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors, and other key contacts in the event of an emergency, disaster, or severe outage situation.
An umbrella term which generically encompasses business processes or activities, and/or technology systems or applications.
Capability Resilience Level (CRL)
The relative degree to which a capability can be impacted by a single disaster event.
A system whereby one person or organization calls out/contacts others who in turn initiate further call-outs/contacts as necessary.
(Acronym for Certified Business Continuity Professional)
Certificate of the Business Continuity Institute (CBCI)
This entry level certified membership grade is for those professionals that have passed the Certificate of the BCI (CBCI) Examination. This is a demonstration of knowledge of business continuity and not a demonstration of experience. It is valid for three years. CBCI holders are encouraged to progress to AMBCI or MBCI membership grades to demonstrate their level of experience.
Certified Business Continuity Auditor (CBCA)
The CBCA level is designed for the specialist who can verify the effectiveness of an organization's business continuity program against the landscape of standards, guidelines and industry regulations. The professional should demonstrate a minimum of 2 years of knowledge and experience in the fields of business continuity, emergency management and/or auditing and pass the DRII administered Audit Examination.
Certified Business Continuity Lead Auditor (CBCLA)
The CBCLA level is designed for audit team leaders. The professional should demonstrate 5 years of experience in the fields of emergency management, enterprise risk management, leadership, business continuity and/or auditing and pass the DRII administered Audit Examination.
Certified Business Continuity Professional (CBCP)
The CBCP level of certification is for individuals who have demonstrated knowledge and working experience in the business continuity/disaster recovery industry. The level requires more than two years of experience. Applicants must be able to demonstrate specific and practical experience in five of the subject matter areas of the Professional Practices.
Certified Functional Continuity Professional (CFCP)
The CFCP level of certification is for individuals who have demonstrated knowledge and working experience in the business continuity/disaster recovery industry. The level requires more than two years of experience. Applicants must be able to demonstrate specific and practical experience in three of the subject matter areas of the Professional Practices.
Certified Business Continuity Vendor (CBCV)
The CBCV certification is for individuals with some knowledge in business continuity planning, but who are non-practitioners within an organization. CBCVs provide services to the industry and have acquired the experience for certification. An active ABCP, CFCP, CBCP, or MBCP certification is required.
Certified Healthcare Provider Continuity Professional (CHPCP)
The CHPCP level is designed for the professional demonstrating 2 years of experience in the fields of emergency management, business continuity, management and clinical care principles/healthcare and passing the DRII administered Healthcare Examination. The individual should also demonstrate experience in five of the Professional Practices areas.
Certified Public Sector Continuity Professional (CPSCP)
The CPSCP level is designed for the professional demonstrating 2 years of experience in the fields of public sector recovery planning, emergency management, business continuity and passing the DRII administered Public Sector Examination. The individual should also demonstrate experience in 5 of the Professional Practices areas.
Certified Risk Management Professional (CRMP)
The CRMP level is designed for the professional demonstrating 2 years of experience specializing in the field of risk management. The individual must pass the DRII administered Risk Management Examination and demonstrate experience in 5 of the Professional Practices areas.
a) Tool to remind and/or validate that tasks have been completed and resources are available, to report on the status of recovery. b) A list of items (names or tasks etc.) to be checked or consulted.
A method used to exercise a completed disaster recovery plan. This type of exercise is used to determine if the information such as phone numbers, manuals, equipment, etc. in the plan is accurate and current.
An environmentally equipped facility that provides only the physical space for recovery operations while the organization using the space provides its own office equipment, hardware and software systems and any other required resources to establish and continue operations.
The (facility) location, local to the event but outside the immediate affected area, where tactical response, recovery and restoration activities are managed. There could be more than one command center for each event reporting to a single Emergency Operations Center.
The component of Disaster Recovery which deals with the restoration or rerouting of an organization’s telecommunication network, or its components, in the event of loss.
An agreement made by a group of organizations to share processing facilities and/or office facilities, if one member of the group suffers a disaster.
A list of key people to be notified at the time of disruption or as needed.
An event specific preparation that is executed to protect an organization from certain and specific identified risks and/or threats.
Process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.
Continuity of Operations (COOP)
Management policy and procedures used to guide an enterprise response to a major loss of enterprise capabilities or damage to its facilities. It defines the activities of individual departments and agencies and their subcomponents to ensure their essential functions are performed.
Continuity Of Operations Plan (COOP)
Management policy and procedures used to guide an enterprise response to a major loss of enterprise capabilities or damage to its facilities. It defines the activities of individual departments and agencies and their subcomponents to ensure their essential functions are performed.
A system or application that supports operations which continue with little to no noticeable impact to the user.
The ability of an organization to perform its processes without interruption.
The system/process by which top management of an organization are required to carry out and discharge their legal, moral and regulatory accountabilities and responsibilities.
A category of risk management that looks at ensuring an organization meets its corporate governance responsibilities, takes appropriate actions, and identifies and manages emerging risks.
Cost Benefit Analysis
A process (after a BIA and risk assessment) that facilitates the financial assessment of different strategic BCM options and balances the cost of each option against the perceived savings.
A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action. (Source: ISO 22301)
The overall direction of an organization’s response to a disruptive event, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, and ability to operate.
Crisis Management Team
A team consisting of key leaders (e.g., media representative, legal counsel, facilities manager, disaster recovery coordinator) and the appropriate business owners of critical functions who are responsible for recovery operations during a crisis.
Critical Business Functions
The critical operational and/or business support functions that could not be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing the organization.
Looking forward in the logistical process (downstream) of a product or service, any consumer that would have a critical business function impacted by a disruption or outage to the customer’s critical functions as documented in the BIA. A critical customer could be anywhere in the logistical output process of a business function.
Critical Data Point
See: Recovery Point Objective
Physical assets whose incapacity or destruction would have a debilitating impact on the economic or physical security of an entity (e.g., organization, community, nation).
Looking back in the logistical process (upstream) of a product or service, any supplier that could cause a disruption or outage to the organization’s critical functions as documented in the BIA. A critical supplier could be anywhere in the logistical input process of the customer’s critical business function.
Data Backup Strategies
Data backup strategies will determine the technologies, media and offsite storage of the backups necessary to meet an organization’s data recovery and restoration objectives.
The copying of production files to media that can be stored both on and/or offsite and can be used to restore corrupted or lost data or to recover entire systems and databases in the event of a disaster.
Data Center Recovery
The component of Disaster Recovery which deals with the restoration of data center services and computer processing capabilities at an alternate location and the migration back to the production site.
The act of copying data from one location to a storage device at another location in or near real time.
The restoration of computer files from backup media to restore programs and production data to the state that existed at the time of the last safe backup.
The partial or full duplication of data from a source database to one or more destination databases.
A formal announcement by pre-authorized personnel that a disaster or severe outage is predicted or has occurred and that triggers pre-arranged mitigating actions (e.g., a move to an alternate site).
A fee charged by a Commercial Hot Site Vendor for a customer-invoked disaster declaration.
Denial of (Physical) Access
The inability of an organization to access and/or occupy its normal, physical, working environment.
The reliance or interaction, directly or indirectly, of one activity, or process, or component thereof, upon another.
One method of validating a specific component of a plan. Typically, the owner of the component reviews it for accuracy and completeness and signs off.
Diploma of the Business Continuity Institute (DBCI)
This certified membership grade is a standalone credential. It is an academic qualification in Business Continuity and a route to higher membership grades of the BCI depending on years of experience.
Situation where widespread human, material, economic or environmental losses have occurred which exceeded the ability of the affected organization, community or society to respond and recover using its own resources.
The process, policies and procedures related to preparing for recovery or continuation of technology infrastructure, systems and applications which are vital to an organization after a disaster or outage.
Note: Disaster Recovery focuses on the information or technology systems that support business functions, as opposed to Business Continuity which involves planning for keeping all aspects of a business functioning in the midst of disruptive events. Disaster recovery is a subset of Business Continuity.
Disaster Recovery Plan
The management-approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Management Program.
Disaster Recovery Planning
The process of developing and maintaining recovery strategies for information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity.
Note: Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis (BIA) process. IT resources required to support time-sensitive business functions and processes should also be identified.
A strategy for a) Delivering equipment, supplies, and materials at the time of a business continuity event or exercise. b) Providing replacement hardware within a specified time period via prearranged contractual arrangements with an equipment supplier at the time of a business continuity event.
The transfer of data by electronic means to a backup site, as opposed to the physical shipment of backup tapes or disks.
Any incident, whether natural, technological, or human-caused, that requires responsive action to protect life or property.
Emergency Control Center (ECC)
The Command Centre used by the Crisis Management Team during the first phase of an event. An organization should have both primary and secondary locations for an ECC in case one of them becomes unavailable/inaccessible. It may also serve as a reporting point for deliveries, services, press and all external contacts.
The person designated to plan, exercise, and implement the activities of sheltering in place or the evacuation of occupants of a site with the first responders and emergency services agencies.
Emergency Operations Center (EOC)
An emergency operations center is a physical (e.g., a conference room) or virtual (e.g., telephone conference call) location designed to support emergency response, business continuity and crisis communications activities. Staff meets at the EOC to manage preparations for an impending event or manage the response to an ongoing incident.
Source: FEMA ICS Glossary
The capability that enables an organization or community to respond to an emergency in a coordinated, timely, and effective manner to prevent the loss of life and minimize injury and property damage.
A documented list of activities to commence immediately to prevent the loss of life and minimize injury and property damage.
Emergency Response Plan
A documented plan usually addressing the immediate reaction and response to an emergency situation.
Emergency Response Procedures
The initial response to any event, focused upon protecting human life and the organization’s assets.
Emergency Response Team (ERT)
Qualified and authorized personnel who have been trained to provide immediate assistance.
Enterprise Wide Planning
The overarching master plan covering all aspects of business continuity within the entire organization.
The process by which event-related information is communicated upwards through an organization's established chain of command.
The movement of employees, visitors and contractors from a site and/or building to a safe place (assembly area) in a controlled and monitored manner at time of an event.
Executive / Management Succession Plan
A predetermined plan for ensuring the continuity of authority, decision-making, and communication in the event that key members of executive management unexpectedly become incapacitated.
A people focused activity designed to execute business continuity plans and evaluate the individual and/or organization performance against approved standards or objectives. Exercises can be announced or unannounced, and are performed for the purpose of training and conditioning team members, and validating the business continuity plan. Exercise results identify plan gaps and limitations and are used to improve and revise the Business Continuity Plans.
Note: Types of exercises include, e.g.: tabletop exercise, simulation exercise, operational exercise, mock disaster, desktop exercise, full rehearsal.
An appointed role that is assigned to assess whether the exercise aims / objectives are being met and to measure whether activities are occurring at the right time and involve the correct people to facilitate their achievement. The exercise auditor is not responsible for the mechanics of the exercise. This independent role is crucial in the subsequent debriefing.
See Exercise Owner
The person responsible for the mechanics of running the exercise.
Note: The Coordinator must lead the exercise and keep it focused within the predefined scope and objectives of the exercise as well as on the disaster scenario. The Coordinator must be objective and not influence the outcome. They perform the coordination to make sure appropriate exercise participants have been identified and that exercise scripts have been prepared before, utilized during, and updated after the exercise.
An exercise observer has no active role within the exercise but is present for awareness and training purposes. An exercise observer might make recommendations for procedural improvements.
An appointed role that has total management oversight and control of the exercise and has the authority to alter the exercise plan. This includes early termination of the exercise for reasons of safety or because the aims / objectives of the exercise cannot be met due to an unforeseen or other internal or external influence.
A plan designed to periodically evaluate tasks, teams, and procedures that are documented in business continuity plans to ensure the plan’s viability. This can include all or part of the BC plan, but should include mission critical components.
A set of detailed instructions identifying information necessary to implement a predefined business continuity event scenario for evaluation purposes.
The potential susceptibility to loss; the vulnerability to a particular risk.
The extra cost necessary to implement a recovery strategy and/or mitigate a loss. An example is the cost to transfer inventory to an alternate location to protect it from further damage, cost of reconfiguring lines, overtime costs, etc. Typically reviewed during BIA and is a consideration during insurance evaluation.
(Acronym for Fellow of the Business Continuity Institute)
Fellow of the Business Continuity Institute (FBCI)
This prestigious certified membership grade is the highest obtainable, and is designed for professionals with over ten years’ experience, that have also held MBCI or AFBCI grades for a substantial period of time and have made significant contributions to the institute and the industry.
Person responsible for ensuring that all employees, visitors and contractors evacuate a floor within a specific site.
An exercise that simulates a Business Continuity event where the organization or some of its component parts are suspended until the exercise is completed.
A survey whose aim is to identify the differences between BCM/Crisis Management requirements (what the business says it needs at time of an incident) and what is in place and/or currently available.
The process of making something more secure, resistant to attack, or less vulnerable.
Health and Safety
The discipline by which the wellbeing of all employees, contractors, visitors and the public is safeguarded.
Note: All business continuity plans and planning must be cognizant of H&S statutory and regulatory requirements and legislation. Health and Safety considerations should be reviewed during the Risk assessment.
Systems or applications requiring a very high level of reliability and availability. High availability systems typically operate 24x7 and usually require built-in redundancy to minimize the risk of downtime due to hardware and/or telecommunication failures.
Areas identified during the risk assessment that are highly susceptible to a disaster situation or might be the cause of a significant disaster.
A facility equipped with full technical requirements including IT, telecom and infrastructure, and which can be used to provide rapid resumption of operations.
Note: Hot sites usually refer to IT and telecom capabilities. When used in the same context for business users they are more often referred to as Work Area Recovery Sites.
The ability of an organization to provide support for its associates and their families before, during, and after a business continuity event to ensure a viable workforce. This involves pre-planning for potential psychological responses, occupational health and employee assistance programs, and employee communications.
Possible disruptions in operations resulting from human actions as identified during the risk assessment (e.g., disgruntled employee, terrorism, blackmail, job actions, riots).
The effect, acceptable or unacceptable, of an event on an organization. The types of business impact are usually described as financial and non-financial and are further divided into specific types of impact.
An event which is not part of standard business operations which may impact or interrupt services and, in some cases, may lead to disaster.
Incident Command System (ICS)
A standardized on-scene emergency management construct specifically designed to provide for the adoption of an integrated organizational structure that reflects the complexity and demands of single or multiple incidents, without being hindered by jurisdictional boundaries.
Note: ICS is the combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure, designed to aid in the management of resources during incidents. It is used for all kinds of emergencies and is applicable to small as well as large and complex incidents. ICS is used by various jurisdictions and functional agencies, both public and private, to organize field-level incident management operations.
Source: FEMA ICS Glossary
The process by which an organization responds to and controls an incident using emergency response procedures or plans.
Incident Management Plan (IMP)
A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process.
Commands the local emergency operations center (EOC) reporting up to senior management on the recovery progress. Has the authority to invoke the recovery plan.
The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively.
Note: An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status.
The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization.
The term infrastructure refers to the entire system of facilities, equipment, and services that an organization needs in order to function.
Source: ISO 22301:2012 Plain English
Integrated Capability Analysis (ICA)
An analytical methodology which considers concurrent and contextual review of multiple metrics, to provide a more complete picture regarding a particular plan, artifact, or aspect of the business continuity program.
An exercise conducted on multiple interrelated components of a Business Continuity Plan, typically under simulated operating conditions. Examples of interrelated components may include interdependent departments or interfaced systems.
Examination of a plan that addresses multiple plan components, in conjunction with each other, typically under simulated operating conditions.
A temporary location used to continue performing business functions after vacating a recovery site and before the original or new home site can be occupied.
Note: Move to an interim site may be necessary if ongoing stay at the recovery site is not feasible for the period of time needed or if the recovery site is located far from the normal business site that was impacted by the disaster. An interim site move is planned and scheduled in advance to minimize disruption of business processes; equal care must be given to transferring critical functions from the interim site back to the normal business site.
Internal Hot Site
A fully equipped alternate processing site owned and operated by the organization.
Priority procedures and actions in a Business Continuity Plan that must be executed within the first few minutes/hours of the plan invocation.
The time it takes for a supplier - either equipment or a service - to make that equipment or service available.
Note: Business continuity plans should try to minimize this by agreeing to Service Levels (Service Level Agreement) with the supplier in advance rather than relying on the supplier's best efforts.
Logistics / Transportation Team
A team comprised of various members representing departments associated with supply acquisition and material transportation, responsible for ensuring the most effective acquisition and mobilization of hardware, supplies, and support materials. This team is also responsible for transporting and supporting staff.
Unrecoverable resources that are redirected or removed as a result of a Business Continuity event.
Note: Such losses may be loss of life, revenue, market share, competitive stature, public image, facilities, or operational capability.
A designated position, activated at the time of a Business Continuity event, that assists in managing the financial implications of the event. The position should be involved as part of the management team where possible.
The technique of instituting mechanisms to lessen the exposure to a particular risk. Loss reduction involves planning for, and reacting to, an event to limit its impact. Examples of loss reduction include sprinkler systems, insurance policies, and evacuation procedures.
Loss Transaction Recovery
Recovery of data (paper within the work area and/or system entries) destroyed or lost at the time of the disaster or interruption.
Note: Paper documents may need to be requested or re-acquired from original sources. Data for system entries may need to be recreated or reentered.
An alternative method of working following a loss of IT systems.
Note: As working practices rely more and more on computerized activities, the ability of an organization to fall back to manual alternatives lessens. However, temporary measures and methods of working can help mitigate the impact of a business continuity event and give staff a feeling of doing something.
Master Business Continuity Professional (MBCP)
The MBCP is DRI International's highest level of certification and is reserved for individuals with significant demonstrated knowledge and skill in the business continuity/disaster recovery industry. The certification is tailored to individuals with at least five years of industry experience and demands a high level of industry commitment, as well as additional and continual enhancement of the individual’s knowledge and skill level. Applicants must be able to demonstrate specific and practical experience in seven of the subject matter areas of the Professional Practices.
(Acronym for Member of the Business Continuity Institute)
(Acronym for Master Business Continuity Professional)
Member of the Business Continuity Institute (MBCI)
This certified membership grade is aimed at professionals that have at least three years’ experience in business continuity and who have taken and passed the CBCI Examination with merit.
Minimum Planning Duration (MPD)
A recovery strategy imperative, established by an organization, which mandates how long each contingency plan’s recovery strategy is expected to endure, while relying only on resources or dependencies identified in the plan.
Minimum Planning Radius (MPR)
A recovery strategy imperative, established by an organization, which identifies the minimum geographic range of an event that its contingency plans must address.
The critical operational and/or business support activities (either provided internally or outsourced) required by the organization to achieve its objective(s), i.e., services and/or products.
Applications that support business activities or processes that could not be interrupted or made unavailable for 24 hours or less without significantly jeopardizing the organization.
A mobilized resource purchased or contracted for the purpose of business recovery.
The mobile recovery center might include, e.g., computers, workstations, telephones, or electrical power.
Mobile Standby Trailer
A transportable operating environment, often a large trailer, that can be configured to specific recovery needs such as office facilities, call centers, data centers, etc.
This can be contracted to be delivered and set up at a suitable site at short notice.
The activation of the recovery organization in response to a disaster declaration.
One method of exercising teams in which participants are challenged to determine the actions they would take in the event of a specific disaster scenario.
Note: Mock disasters usually involve all, or most, of the applicable teams. Under the guidance of exercise coordinators, the teams walk through the actions they would take per their plans, or simulate performance of these actions. Teams may be at a single exercise location, or at multiple locations, with communication between teams simulating actual ‘disaster mode’ communications. A mock disaster will typically operate on a compressed timeframe representing many hours, or even days.
N + 1
A fault tolerant strategy that includes multiple systems or components protected by one backup system or component. (Many-to-one relationship)
An interruption of voice, data, or IP network communications.
Any place physically located a significant distance away from the primary site, where duplicated and vital records (hard copy or electronic and/or equipment) may be stored for use during recovery.
The risk of loss resulting from inadequate or failed procedures and controls.
Note: This includes loss from events related to technology and infrastructure, failure, business interruptions, staff related problems, and from external events such as regulatory changes.
The actions required to rapidly and gracefully suspend a business function and/or system during a disruption.
The interruption of automated processing systems, infrastructure, support services, or essential business operations, which may result in the organization's inability to provide services for some period of time.
A review of a specific component of a plan by personnel (other than the owner or author) with appropriate technical or business knowledge for accuracy and completeness.
The management process of keeping an organization’s business continuity management plans up to date and effective. Maintenance procedures are a part of this process for the review and update of the BC plans on a defined schedule.
Controls aimed at deterring or mitigating undesirable events from taking place.
The ordering of critical activities and their dependencies is established during the BIA and strategic-planning phase. The business continuity plans will be implemented in the order necessary at the time of the event.
The process for evaluating a business function based on observations; it does not involve measures or numbers. Instead, it uses descriptive categories (e.g., customer service, regulatory requirements) to allow for refinement of the quantitative assessment.
Note: This is normally done during the BIA phase of planning.
See Drop Ship.
Agreement between two organizations (or two internal business groups) with similar equipment/environment that allows each one to recover at the other’s location.
Financial losses due to an event that may be reclaimed in the future, e.g. through insurance or litigation. This is normally identified in the Risk Assessment or BIA.
Implementing the prioritized actions required to return the processes and support functions to operational stability following an interruption or disaster.
The time period between a disaster and a return to normal functions, during which the disaster recovery plan is employed.
Recovery Point Capability (RPC)
The point in time to which data was restored and/or systems were recovered (at the designated recovery/alternate location) after an outage or during a disaster recovery exercise.
Recovery Point Objective (RPO)
The point in time to which data is restored and/or systems are recovered after an outage.
Note: RPO is often used as the basis for developing backup strategies and determining the amount of data that may require recreation after systems have been recovered. RPO for applications can be enumerated in business time (i.e., “8 business hours” after a Sunday disaster restores to close of business Thursday) or elapsed time, but is always measured in terms of time before a disaster. RPO for systems typically must be established at time of disaster as a specific point in time (e.g., end of previous day’s processing) or software version/release.
Recovery Services Agreement / Contract
A contract with an external organization guaranteeing the provision of specified equipment, facilities, or services, usually within a specified time period, in the event of a business interruption.
Note: A typical contract will specify multiple components (e.g., a monthly subscription fee, a declaration fee, usage costs, method of performance, amount of test time, termination options, penalties and liabilities).
A designated site for the recovery of business unit, technology, or other operations, which are critical to the enterprise.
A structured group of teams ready to take control of the recovery operations if a disaster should occur.
Recovery Time Capability (RTC)
The demonstrated amount of time in which systems, applications and/or functions have been recovered, during an exercise or actual event, at the designated recovery/alternate location (physical or virtual). As with RTO, RTC includes assessment, execution and verification activities. RTC and RTO are compared during gap analysis.
Recovery Time Objective (RTO)
The period of time within which systems, applications, or functions must be recovered after an outage. RTO includes the time required for: assessment, execution and verification. RTO may be enumerated in business time (e.g. one business day) or elapsed time (e.g. 24 elapsed hours).
Notes: Assessment includes the activities which occur before or after an initiating event, and lead to confirmation of the execution priorities, time line and responsibilities, and a decision regarding when to execute.
Execution includes the activities related to accomplishing the pre-planned steps required within the phase to deliver a function, system or application in a new location to its owner.
Verification includes steps taken by a function, system or application owner to ensure everything is in readiness to proceed to live operations.
The sequence of recovery activities, or critical path, which must be followed to resume an acceptable level of operation following a business interruption.
Note: The timeline may range from minutes to weeks, depending upon the recovery requirements and methodology.
The ability of an organization to absorb the impact of a business interruption, and continue to provide a minimum acceptable level of service.
The process and procedures required to maintain or recover critical services such as “remote access” or “end-user support” during a business interruption.
The reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. In addition to addressing matters of life safety and evacuation, Response also addresses the policies, procedures and actions to be followed in the event of an emergency.
Process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location.
The process of planning for and/or implementing the restarting of defined business processes and operations following a disaster.
Note: This process commonly addresses the most critical business functions within BIA specified timeframes.
Potential for exposure to loss which can be determined by using either qualitative or quantitative measures.
Risk Assessment / Analysis
Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls.
Note: Risk analysis often involves an evaluation of the probabilities of a particular event.
Risks of similar types are grouped together under key headings, otherwise known as ‘risk categories’.
Note: Risk categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge.
All methods of reducing the frequency and/or severity of losses, including exposure avoidance, loss prevention, loss reduction, segregation of exposure units and non-insurance transfer of risk.
The culture, processes and structures that are put in place to effectively manage potential negative events.
Note: As it is not possible or desirable to eliminate all risk, the objective is to reduce risks to an acceptable level.
A common technique used by Risk Managers to address or mitigate potential exposures of the organization. A series of techniques describing the various means of addressing risk through insurance and similar products.
The process of identifying that all employees, visitors and contractors have been safely evacuated and accounted for following an evacuation of a building or site.
Salvage & Restoration
The act of conducting a coordinated assessment to determine the appropriate actions to be performed on impacted assets.
Note: The assessment can be coordinated with Insurance adjusters, facilities personnel, or other involved parties. Appropriate actions may include: disposal, replacement, reclamation, refurbishment, recovery or receiving compensation for unrecoverable organizational assets.
A pre-defined set of Business Continuity events and conditions that describe, for planning purposes, an interruption, disruption, or loss related to some aspect(s) of an organization’s business operations to support conducting a BIA, developing a continuity strategy, and developing continuity and exercise plans.
Note: Scenarios are neither predictions nor forecasts.
A periodic review of policies, procedures, and operational practices maintained by an organization to ensure that they are followed and effective.
The pre-planned assumption of risk in which a decision is made to bear losses that could result from a Business Continuity event rather than purchasing insurance to cover those potential losses.
The process and procedures required to maintain or recover critical services such as “remote access” or “end-user support” during a business interruption.
Service Continuity Planning
A process used to mitigate, develop, and document procedures that enable an organization to recover critical services after a business interruption.
Service Level Agreement (SLA)
A formal agreement between a service provider (whether internal or external) and their client (whether internal or external), which covers the nature, quality, availability, scope and response of the service provider.
Note: The SLA should cover day-to-day situations and disaster situations, as the need for the service may vary in a disaster.
Service Level Management (SLM)
The process of defining, agreeing, documenting and managing the levels of any type of services provided by service providers whether internal or external that are required and cost justified.
One method of exercising teams in which participants perform some or all of the actions they would take in the event of plan activation.
Note: Simulation exercises, which may involve one or more teams, are performed under conditions that at least partially simulate ‘disaster mode’. They may or may not be performed at the designated alternate location, and typically use only a partial recovery configuration.
Single Point of Failure (SPOF)
A unique pathway or source of a service, activity, and/or process.
Note: Typically, there is no alternative and a loss of that element could lead to a failure of a critical function.
Formal notification that the response to a Business Continuity event is no longer required or has been concluded.
A test conducted on a specific component of a plan in isolation from other components to validate component functionality, typically under simulated operating conditions.
Types of exercise in which team members physically implement the business continuity plans and verbally review each step to assess its effectiveness, identify enhancements, constraints and deficiencies.
Student Membership of the Business Continuity Institute
This is a non-certified membership grade for students that are in part- or full-time study in business continuity and resilience related disciplines.
See: Recovery Services Agreement / Contract
The complete logistical process (life cycle) of a product or service including: raw materials, transportation, manufacturing, distribution, through end-of-life.
Note: The process can be traced from the acquisition of the raw material through a business function to the end-of-life of the product or service.
Supply Chain Resilience Analysis
A proactive analysis of vulnerabilities affecting the logistical process of a product or service to establish risk thresholds. These thresholds are then compared to a company’s risk appetite.
Note: This analysis would include the identification of critical suppliers and critical customers.
Set of related technology components that work together to support a business process or provide a service.
The procedures for rebuilding a computer system and network to the condition where it is ready to accept data and applications, and facilitate network communications.
The procedures necessary to return a system to an operable state using all available data including data captured by alternate means during the outage.
Note: System restore depends upon having a live, recovered system available.
Table Top Exercise
One method of exercising plans in which participants review and discuss the actions they would take without actually performing the actions.
Note: Representatives of a single team, or multiple teams, may participate in the exercise typically under the guidance of exercise facilitators.
Defined mandatory and discretionary tasks allocated to teams and/or individual roles within a Business Continuity Plan.
Technical Recovery Team
A group responsible for: relocation and recovery of technology systems, data, applications and/or supporting infrastructure components at an alternate site following a technology disruption; and subsequent resumption and restoration of those operations at an appropriate site.
A pass/fail evaluation of infrastructure (e.g., computers, cabling, devices, hardware) and/or physical plant infrastructure (e.g., building systems, generators, utilities) to demonstrate the anticipated operation of the components and system.
See Exercise. Tests are often performed as part of normal operations and maintenance. Tests are often included within exercises.
A combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place.
The provisioning of counseling assistance by trained individuals to employees, customers and others who have suffered mental or physical injury as the result of an event.
The process of helping employees deal with trauma in a systematic way following an event by providing trained counselors, support systems, and coping strategies with the objective of restoring employees' psychological well-being.
The worst-case financial loss or impact that a business could incur due to a particular loss event or risk. The unexpected loss is calculated as the expected loss plus the potential adverse volatility in this value.
Note: It can be thought of as the worst financial loss that could occur in a year over the next 20 years.
Uninterruptible Power Supply (UPS)
A backup electrical power supply that provides continuous power to critical equipment in the event that commercial power is lost. The UPS (usually a bank of batteries) offers short-term protection against power surges and outages.
Note: The UPS usually only allows enough time for vital systems to be correctly powered down.
A set of procedures within the Business Continuity Plan to validate the proper function of a system or process before returning it to production operation.
Records essential to the continued functioning or reconstitution of an organization during and after an emergency and also those records essential to protecting the legal and financial rights of that organization and of the individuals directly affected by its activities.
An alternate processing site which is equipped with some hardware, communications interfaces, and electrical and environmental conditioning, and which is only capable of providing backup after additional provisioning, software or customization is performed.
Work Area Facility
A pre-designated space provided with desks, telephones, PCs, etc. ready for occupation by business recovery teams at short notice.
Note: May be internally or externally provided.
Work Area Recovery (WAR)
The component of recovery and continuity which deals specifically with the relocation of a key function or department in the event of a disaster, including personnel, essential records, equipment supplies, work space, communication facilities, work station computer processing capability, fax, copy machines, mail services, etc. Office recovery environment complete with necessary office infrastructure (desk, telephone, workstation, hardware, communications).
Work Area Recovery Planning
The business continuity planning process of identifying the needs and preparing procedures and personnel for use at the work area facility.
Alternative procedures that may be used by a functional unit(s) to enable it to continue to perform its critical functions during temporary unavailability of specific application systems, electronic or hard copy data, voice or data communication systems, specialized equipment, office facilities, personnel, or external services.