BCM Risk Solutions

Business continuity is full of jargon. We have pulled together a glossary from multiple sources. For your convenience you can reference the list below or download a PDF version. Let us know which terms annoy you the most!




The implementation of business continuity capabilities, procedures, activities, and plans in response to an emergency or disaster declaration; the execution of the recovery plan. (BS25999)

Alternate Site

An alternate operating location to be used by business functions when the primary facilities are inaccessible. (DRJ/DRII)

Business Continuity

The capability of an organization to continue delivery of products and services at acceptable pre-defined levels following disruptive incident. (ISO 22301)

Business Continuity Management

A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. (ISO 22301)

Business Continuity Management System

Part of the overall management system that establishes implements, operates, monitors, reviews, maintains and improves business continuity. (ISO 22301)

Business Continuity Plan (BCP)

Documented procedures that guide organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption. (ISO 22301)

Business Impact Analysis (BIA)

A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event. (DRJ/DRII)

A process of analyzing activities and the effect that a business disruption might have upon them and on the delivery of critical products or services.

Command Center

A physical or virtual facility located outside of the affected area used to gather, assess, and disseminate information and to make decisions to affect recovery. (DRJ/DRII)


A critical event, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation, or ability to operate. Or, an occurrence and/or perception that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organization. (DRJ/DRII)

Abnormal and unstable situation that threatens the organization’s strategic objectives, reputation or viability. (BS11200)

Crisis Management

The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, and ability to operate. (DRJ/DRII)


A sudden, unplanned catastrophic event causing unacceptable damage or loss. (DRJ/DRII)

Disaster Recovery

Activities designed to restore information technology (IT) systems, including hardware, applications, data and telecommunications systems from outages.

Emergency Response

The immediate reaction and response to an emergency situation commonly focusing on ensuring life safety and reducing the severity of the incident. (DRJ/DRII)


An event which is not part of a standard operating business which may impact or interrupt services and, in some cases, may lead to disaster. (DRJ/DRII)

Adverse event that might cause disruption, loss or emergency, but which does not meet the organization’s criteria for, or definition of, a crisis. (BS11200)


Act of declaring that an organization’s business continuity arrangements need to be put in effect in order to continue delivery of key products or services (ISO 22301)

Maximum Tolerable Period of Disruption (MTPD)

Duration after which an organization’s viability will be irrevocably threatened if product or service delivery cannot be resumed (BS25999)

Time it would take for adverse impacts to become unacceptable. (ISO 22301)


Implementing the prioritized actions required to return the processes and support functions to operational stability following an interruption or disaster. (DRJ/DRII)

Recovery Point Objective (RPO)

The maximum amount of data loss that can be incurred in an incident; The targeted point in time to which systems and data must be recovered after an outage.

Recovery Site

A designated site for the recovery of business unit, technology, or other operations, which are critical to the enterprise. (DRJ/DRII)

Recovery Strategy

An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. (DRJ/DRII)

Recovery Time Objective (RTO)

The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). (DRJ/DRII)

Recovery Workspace

Recovery environment complete with necessary infrastructure (desk, telephone, workstation, and associated hardware and equipment, communications, etc.) (DRJ/DRII)

Resilience (Organization)

The ability of an organization to absorb the impact of a business interruption, and continue to provide a minimum acceptable level of service. (DRJ/DRII)

Ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper. (BS65000)


The reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. (DRJ/DRII)


Risk: Effect of uncertainty on objectives (ISO31000)

Risk Management: Coordinated activities to direct and control an organization with respect to risk. (ISO31000)

Risk Management Framework: Set of components that provide the foundation and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. (ISO31000)

Risk Mitigation: Implementation of measures to deter specific threats to the continuity of business operations, and/or respond to any occurrence of such threats in a timely and appropriate manner. (BS25999)


A combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place. (DRJ/DRII)

Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset.


The degree of exposure to a threat.

Download PDF