Published under Risk Management
Terminology Explanation Source
QUALITATIVE ASSESSMENT The process for evaluating a business function based on observations; it does not involve measures or numbers. Instead, it uses descriptive categories such as customer service, regulatory requirements, etc., to allow for refinement of the quantitative assessment. This is normally done during the BIA phase of planning. The BCI, modified by ENISA
QUALITY ASSURANCE Confirming the degree of excellence of a product or service, measured against its defined purpose. This might involve a number of techniques. For documentation it might involve inviting informed comment; for software, a method of formal testing, trialling or inviting public feedback on a beta version; for hardware, performance against a specified test; for a management process, comparison with a standard such as BSI5000. ENISA
QUANTIFICATION The objective measure of the seriousness of risk or impact, often measured in financial or regulatory terms The BCI
QUANTITATIVE ASSESSMENT A form of assessment that analyses the actual numbers and values involved. This type of methodology typically applies mathematical and statistical techniques and modelling. The BCI
THE RADIATION (EMERGENCY PREPAREDNESS AND PUBLIC INFORMATION) REGULATIONS 2001 (REPPIR) Implemented in the UK, the articles on intervention in cases of radiation (radiological) emergency in Council Directive 96/29/Euratom, also known as the BS596 Directive. The Directive lays down the basic safety standards for the protection of the health of workers and the general public against the dangers arising from ionising radiation. The REPPIR also partly implements the Public Information Directive by subsuming the Public Information for Radiation Emergencies Regulations 1992 (PIRER) on informing the general public about health protection measures to be applied and steps to be taken in the event of an emergency. The Health and Safety Executive (HSE)
RDD Radiological Dispersion Device. Commonly known as a "dirty bomb", designed to disperse radioactive material, with or without explosives. NASP; National Association of Security Professionals
RECIPROCAL AGREEMENT Agreement between two organisations (or two internal business groups) with similar equipment/environment that allows each one to recover at the other's location The Disaster Recovery Journal, modified by ENISA
RECOVERABLE LOSS Financial losses due to an event that may be reclaimed in the future, e.g. through insurance or litigation. This is normally identified in the Risk Assessment or BIA. The BCI
RECOVERY Implementing the prioritised actions required to return the key business activities and support functions to operational stability following an interruption or disaster ENISA
RECOVERY CENTRE Location or area that a business unit relocates to in order to recover their key business activities ENISA
RECOVERY EXERCISE An announced or unannounced execution of Business Continuity Plans intended to implement existing plans and / or highlight the need for additional plan development ENISA
RECOVERY MANAGEMENT TEAM A team of people, assembled in an emergency, who are charged with recovering an aspect of the enterprise, or obtaining the resources required for the recovery ENISA
RECOVERY PERIOD The time period between a disaster and a return to normal functions, during which the disaster recovery plan is employed ENISA
RECOVERY PLAN A plan to resume a specific essential operation, function or process of an enterprise ENISA
RECOVERY POINT OBJECTIVE (RPO) The point in time to which systems and data must be recovered after an outage (e.g. end of previous day's processing). RPOs are often used as the basis for the development of backup strategies and as a determinant of the amount of data that may need to be recreated after the systems or functions have been recovered. HB 292-2006
RECOVERY SERVICES AGREEMENT/CONTRACT A contract with an external organisation guaranteeing the provision of specified equipment, facilities, or services, usually within a specified time period, in the event of a business interruption ENISA
RECOVERY SITE A designated site for the recovery of business unit, technology, or other operations, which are critical to the enterprise ENISA
RECOVERY STRATEGY A pre-defined, pre-tested, management-approved course of action to be deployed in response to a business disruption, interruption or disaster ENISA
RECOVERY TEAM A group of individuals given responsibility for the co-ordination and response to an emergency or for recovering a process or function in the event of a disaster ENISA
RECOVERY TIME OBJECTIVE (RTO) The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day) The BCI, modified by ENISA
RECOVERY TIMELINE The sequence of recovery activities, or critical path, which must be followed to resume an acceptable level of operation following a business interruption. The time-line may range from minutes to weeks, depending upon the recovery requirements and methodology. The BCI, modified by ENISA
RECOVERY WINDOW The time-scale within which time-sensitive functions or business units must be restored, usually determined by means of a Business Impact Analysis. ENISA
REDUNDANCY Where a system has been designed to eliminate single points of failure ENISA
RENDEZVOUS POINT Point to which all vehicles and resources arriving at the outer cordon are directed ENISA
RESIDUAL RISK The level of uncontrolled risk remaining after all cost-effective actions have been taken to lessen the impact and probability of a specific risk or group of risks, subject to the organisation's risk appetite The BCI, modified by ENISA
RESILIENCE The ability of an organisation to absorb the impact of a business interruption, and continue to provide a minimum acceptable level of service The BCI
RESOLUTION An action that will resolve an Incident, i.e. allow the users to carry out their business functions.  This may be a temporary workaround. ENISA
RESOURCE REQUIREMENTS The minimum level of resources which are required by the critical processes to support the recovery activities.  These could include personnel, premises, technology, equipment and materials.  Where there is a difference between desired requirements and what can be supplied, it is identified in a Gap Analysis. ENISA
RESPONSE The reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required The BCI
RESTART The procedure or procedures that return applications and data to a known start point. Application restart is dependent upon having an operable system. The BCI
RESTORATION Process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location ENISA
RESUMPTION The process of planning for and/or implementing the restarting of defined business processes and operations following a disaster. This process commonly addresses the most critical business functions within BIA specified time-frames. The BCI, modified by ENISA
RESIDUAL RISK Risk remaining after Risk Treatment ENISA
RESUMPTION The phase of an incident which follows Business Continuity and restores the organisation’s operations to normal functioning ENISA
RISK The chance of something happening that will have an impact upon objectives. It is measured in terms of impact and likelihood. HB 292-2006, modified by ENISA
RISK ACCEPTANCE An informed decision to accept the consequences of likely events based on risk criteria ENISA
RISK ANALYSIS Determination of the likelihood and impact of each risk occurring.  Risk Analysis provides the basis for risk evaluation, risk treatment and risk acceptance ENISA, modified by ENISA
RISK APPETITE Willingness of an organisation to accept a defined level of risk The BCI, modified by ENISA
RISK ASSESSMENT / ANALYSIS (RA) Process of identifying the risks to an organisation, assessing the critical functions necessary for an organisation to continue business operations, defining the controls in place to reduce organisation exposure and evaluating the cost for such controls ENISA
RISK AVOIDANCE An informed decision not to become involved in a risk situation The BCI
RISK CATEGORIES Risks of similar types are grouped together under key headings, otherwise known as risk categories The BCI, modified by ENISA
RISK CONTROLS All methods of reducing the frequency and/or severity of losses including exposure avoidance, loss prevention, loss reduction, segregation of exposure units and non-insurance transfer of risk ENISA
RISK ESTIMATION Process used to assign values to the probability and impact of a risk occurring ENISA
RISK EVALUATION The process of determining the significance of risk ISO/IEC Guide 73, modified by ENISA
RISK MANAGEMENT (RM) Structured ongoing development and application of management culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating and controlling the response to risk BS 25999-1, modified by ENISA
RISK MITIGATION Implementation of measures to deter specific threats to the continuity of business operations, and/or respond to any occurrence of such threats in a timely and appropriate manner The BCI modified by ENISA
RISK PROFILE The combined result of impact and probability The BCI, modified by ENISA
RISK REDUCTION OR MITIGATION The implementation of the preventative measures which Risk Assessment has identified The BCI modified by ENISA
RISK REGISTER (ORGANISATIONAL) Tool that captures and describes risks as they are identified and their profile, together with risk ownership, actions where required, date when the risk was raised, review dates, dates when actions were completed and the date the risk was closed ENISA
RISK REGISTER (IT) A Risk Register owned by ICT used to capture and describe IT related risks.  Often the most critical will be escalated to the organisational Risk Register. ENISA
RISK REGISTER (PROCESS) A Risk Register owned by the business process used to capture and describe process related risks. Often the most critical will be escalated to the organisational Risk Register. ENISA
RISK TRANSFER A common technique used by Risk Managers to address or mitigate potential exposures of the organisation. A series of techniques describing the various means of addressing risk through insurance and similar products The BCI modified by ENISA
RISK TREATMENT A systematic process of deciding which risks can be eliminated or reduced by remedial action and which must be tolerated ENISA
ROLL CALL The process of verifying that all employees, visitors and contractors have been safely evacuated and accounted for following an evacuation of a building or site The BCI
SALVAGE and RESTORATION The act of performing a coordinated assessment to determine the appropriate actions to be performed on impacted assets. The assessment can be coordinated with insurance adjusters, facilities personnel, or other involved parties. Appropriate actions may include disposal, replacement, reclamation, refurbishment, recovery, or receiving compensation for unrecoverable organisational assets. ENISA
SCENARIO A pre-defined set of Business Continuity events and conditions that describe, for planning purposes, an interruption, disruption, or loss related to some aspect(s) of an organisation's business operations to support conducting a BIA, developing a continuity strategy, and developing continuity and exercise plans. The BCI
SCOPE Generally, the extent to which a method or procedure applies. The scope of Configuration Management may not, for example, extend to Customer information (other than on an as informed basis) and the scope of a Change Management procedure may not apply to urgent changes. Also a key concept in outsourcing as it defines which activities are covered by the base contract and which are separately chargeable. ENISA
SECOND LEVEL/LINE SUPPORT Technical resources (sometimes based within the Service Desk) called upon by Incident and Problem Management to assist in the resolution of an Incident, restoration of service, identification of a Problem or Known Error, the provision of a work-around or the generation of a Change ENISA
SECURITY All aspects relating to defining, achieving and maintaining data confidentiality, integrity, availability, accountability, authenticity and reliability ISO/IEC WD 15443-1
SECURITY REVIEW A periodic review of policies, procedures, and operational practices maintained by an organisation to ensure that they are followed and effective The BCI
SELF INSURANCE The pre-planned assumption of risk in which a decision is made to bear losses that could result from a Business Continuity event rather than purchasing insurance to cover those potential losses The BCI, modified by ENISA
SERVICE CATALOGUE A Service Catalogue (according to the ITIL Framework) is created as the starting point for the implementation of the Service Level Management process. A Service Catalogue lists all of the services which IT provides to the business. This catalogue should list the services from a user's perspective. ITIL
SERVICE LEVEL AGREEMENT (SLA) A formal agreement between a service provider (whether internal or external) and their client (whether internal or external), which covers the nature, quality, availability, scope and response of the service provider. The SLA should cover day-to-day situations and disaster situations, as the need for the service may vary in a disaster. The BCI
SERVICE LEVEL MANAGEMENT (SLM) The process of defining, agreeing, documenting and managing the levels of any type of services provided by service providers whether internal or external that are required and cost justified ENISA
SERVICE MANAGER A senior manager, normally reporting to the IS director, who has overall responsibility for ensuring services are delivered in accordance with agreed business requirements.  The Service Manager is also responsible for negotiating requirements with senior business representatives.  The Service Manager is responsible for the Service Management Team and is usually a member of the high level CAB.  The Service Manager should have a major say in the allocation of resources between services. ENISA
SERVICE RESUMPTION Restoring services to their Business-As-Usual state.  Invoking BC may result in a temporary location or reduced level of personnel. It may also result in some business activities which are suspended. ENISA
SILVER TEAM Tactical level of management introduced to provide overall management of the response. ENISA
SIMULATION EXERCISE One method of exercising teams in which participants perform some or all of the actions they would take in the event of plan activation. Simulation exercises, which may involve one or more teams, are performed under conditions that at least partially simulate disaster mode. They may or may not be performed at the designated alternate location and typically use only a partial recovery configuration. ENISA
SINGLE POINT OF FAILURE (SPOF) The only (single) source of a service, activity and/or method, i.e. there is no alternative, whose failure would lead to the total failure of a key business activity and/or dependency The BCI
SITE ACCESS DENIAL Any disturbance or activity within the area surrounding the site which renders the site unavailable, e.g. fire, flood, riot, strike, loss of services, forensics. The site itself may be undamaged. ENISA
SOCIAL IMPACT Any incident or happening that affects the well-being of a population and which is often not financially quantifiable UK Financial Sector Continuity
STAKEHOLDERS All those who have an interest in an organisation, its activities and its achievements BS 25999-1
STAND DOWN Formal notification that the response to a Business Continuity event is no longer required or has been concluded The BCI
STANDALONE TEST A test conducted on a specific component of a plan in isolation from other components to validate component functionality, typically under simulated operating conditions ENISA
STANDBY SERVICE The provision of the relevant recovery facilities, such as cold-site, warm-site, hot-site and mobile standby The BCI
STATUTORY SERVICES Those services whose responsibilities are laid down by law e.g. Fire and Rescue Service, Coast Guard Service The BCI
STRUCTURED WALKTHROUGH Types of exercise in which team members physically implement the Business Continuity Plans and verbally review each step to assess its effectiveness, identify enhancements, constraints and deficiencies The BCI
SUPPLY CHAIN All suppliers, manufacturing facilities, distribution centres, warehouses, customers, raw materials, work-in-process inventory, finished goods, and all related information and resources involved in meeting customer and organisational requirements ENISA
SWITCHOVER Switchover is the capability to manually switch over from one system to a redundant or standby computer server, system, or network upon the failure or abnormal termination of the previously active server, system, or network. Switchover happens with human intervention, unlike Failover. ENISA
SYNDICATION RATIO The number of times that Work Area Recovery Facility seats are sold by the third party providers. Occupation at the time of an incident is on a first-come, first-served basis. The BCI, modified by ENISA
SYSTEM Set of related technology components that work together to support a business process or provide a service. The Disaster Recovery Journal, modified by ENISA
SYSTEM DENIAL A failure of the computer system for a protracted period, which may impact an organisation’s ability to sustain its normal business activities The BCI
SYSTEM RECOVERY The procedures for rebuilding a computer system and network to the condition where it is ready to accept data and applications, and facilitate network communications The BCI, modified by ENISA
SYSTEM RESTORE The procedures necessary to return a system to an operable state using all available data including data captured by alternate means during the outage The BCI, modified by ENISA
TABLE TOP EXERCISE One method of exercising plans in which participants review and discuss the actions they would take without actually performing the actions. Representatives of a single team, or multiple teams, may participate in the exercise typically under the guidance of exercise facilitators. The BCI modified by ENISA
TASK Generically, an activity or set of activities that might be defined as part of a process.  When used within a phrase such as 'Standard Operational Task' it defines a well documented, controlled, proceduralised and, usually, low-risk activity. The procedure controlling the manner in which the task is carried out would be subject to formal Change Control. ENISA
TASK LIST Defined mandatory and discretionary tasks allocated to teams and/or individual roles within a Business Continuity Plan The BCI
TERMS OF REFERENCE A document that usually describes the purpose and scope of an activity or requirement ENISA
TEST A pass/fail evaluation of infrastructure (for example, computers, cabling, devices, hardware) and/or physical plant infrastructure (for example, building systems, generators, utilities) to demonstrate the anticipated operation of the components and system. A test can also be used to demonstrate whether all or parts of the Business Continuity Plan are fit for purpose. See Exercise The BCI modified by ENISA
TEST AUDITOR An appointed role that is assigned to assess whether the exercise aims/objectives are being met and to measure whether activities are occurring at the right time and involve the correct people to facilitate their achievement. See Exercise Auditor ENISA
TEST CONTROLLER/FACILITATOR The person who runs the test on the day in accordance with the Test Script.  See Exercise Controller ENISA
TEST PLAN A document which states the scope and objectives of the test, and the roles, responsibilities and criteria for success.  See Exercise Plan ENISA
TEST CO-ORDINATOR The Test Co-ordinator is responsible for the mechanics of running the exercise.  See Exercise Co-ordinator ENISA
TEST OBSERVER An exercise observer has no active role within the exercise but is present for awareness and training purposes. An exercise observer might make recommendations for procedural improvements.  See Exercise Observer ENISA
TEST OWNER An appointed role that has total management oversight and control of the exercise and has the authority to alter the Exercise Plan.  See  Exercise Owner ENISA
TEST REPORT A report which is written following a test, to discuss the outcomes of the test and recommendations for amendments and further work.  See Exercise Report ENISA
TEST SCRIPT A time-line for running the test.  It details what activities should be occurring, the exact details of the activities, when they should occur and who is carrying out the activity.  It will also state the criteria for success for each step.  See Exercise Script ENISA
THREAT A combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place. ENISA
THREE-TIERED APPROACH Strategic, Tactical and Operational incident management tiers.  Also referred to as Gold, Silver and Bronze ENISA
TOLERANCE THRESHOLD The maximum period of time for which the business can afford to be without a critical function or process The BCI
TOP MANAGEMENT Person/s who direct and control an organisation. BS 25999-1
TRAUMA COUNSELLING The provision of counselling assistance by trained individuals to employees, customers and others who have suffered mental or physical injury as the result of an event The BCI, modified by ENISA
TRAUMA MANAGEMENT The process of helping employees deal with trauma in a systematic way following an event by providing trained counsellors, support systems, and coping strategies with the objective of restoring employees' psychological well-being The BCI modified by ENISA
UNEXPECTED LOSS The worst-case financial loss or impact that a business could incur due to a particular loss event or risk. The unexpected loss is calculated as the expected loss plus the potential adverse volatility in this value. The BCI, modified by ENISA
UNINTERRUPTIBLE POWER SUPPLY (UPS) A backup electrical power supply that provides continuous power to critical equipment in the event that commercial power is lost. The UPS (usually a bank of batteries) offers short-term protection against power surges and outages. The UPS usually only allows enough time for vital systems to be correctly powered down. The BCI, modified by ENISA
VALIDATION SCRIPT A set of procedures within the Business Continuity Plan to validate the proper function of a system or process before returning it to production operation ENISA
VBIED Vehicle-Borne Improvised Explosive Device. A car or van filled with explosive, driven to a target and detonated. NASP; National Association of Security Professionals
VENDOR An individual or company providing a service to a department or the organisation as a whole ENISA
VIRUS An unauthorised programme that inserts itself into a computer system and then propagates itself to other computers via networks or disks The BCI, modified by ENISA
VITAL RECORDS Records essential to the continued functioning or reconstitution of an organisation during and after an emergency and also those records essential to protecting the legal and financial rights of that organisation and of the individuals directly affected by its activities ENISA
VOIED Victim Operated Improvised Explosive Device or booby-trap bomb. NASP; National Association of Security Professionals
VOLUNTARY SECTOR Organisational bodies, other than public authorities or local authorities, that carry out activities other than for profit ENISA
VULNERABILITY The existence of a weakness, or design or implementation error that can lead to an unexpected undesirable event, compromising the security of the computer system, network, application, or protocol involved. ITSEC
WARM (STANDBY) SITE Partially equipped office space which contains some or all of the system hardware, software, telecommunications and power sources.  The site may need to be prepared before receiving the system and recovery personnel.  See Work Area Recovery Facility ENISA
WORK AREA RECOVERY FACILITY (WARF) An alternate processing site which is equipped with some hardware and communications interfaces, and electrical and environmental conditioning which is only capable of providing backup after additional provisioning of software or customisation is performed The BCI modified by ENISA
WMD Weapons of Mass Destruction. WMD encompasses nuclear, biological and chemical weapons. NASP; National Association of Security Professionals
WORK AREA STANDBY A permanent or transportable office environment, complete with appropriate office infrastructure ENISA
WORK AROUND A process of avoiding an incident or problem, either by employing a temporary fix or technique that means a Customer is not reliant on a CI that is known to cause failure ENISA
WORKAROUND PROCEDURES Alternative procedures that may be used by a functional unit(s) to enable it to continue to perform its critical functions during temporary unavailability of specific application systems, electronic or hard copy data, voice or data communication systems, specialized equipment, office facilities, personnel, or external services. ENISA
Z-CARDS A patented format for publishing information in which a page of up to A3 size is folded down to credit-card size. This size means it is convenient to carry and can be stored in pockets, handbags, etc. ENISA