Business Continuity - Glossary

A  
Activity One or more tasks with a defined output (ISO 22301:2019)
Analysis A professional practice (PP3) within the BCMS that contains the two techniques for analysing BC requirements: Business Impact Analysis (BIA) and Risk Assessment (RA) (BCI GPG Edn 7.0:2023)
Audit Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled (ISO 22301:2019)
B  
Business Continuity (BC) The capability of an organisation to continue the delivery of products and services within acceptable timeframes at a predefined capacity during a disruption (ISO 22301:2019)
Business continuity champions Persons tasked with supporting the BCMS from the perspective of their area of expertise, by inputting and maintaining the system and periodically updating documentation (BCI GPG Edn 7.0:2023)
Business Continuity Management (BCM) The elements of BCM are: Operational planning and control; Business Impact Analysis (BIA) and Risk Assessment (RA); BC strategies and solutions; BC plans and procedures; Exercise programme; Evaluation of BC documentation and capability (ISO 22313:2020)
Business Continuity Management System (BCMS) The overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. It comprises the following professional practices (PP): PP1 - Establishing a BCMS; PP2 - Embracing Business Continuity; PP3 - Analysis; PP4 - Solutions Design; PP5 - Enabling Solutions; PP6 - Validation (BCI GPG Edn 7.0:2023)
Business Continuity Plan (BCP) Documented information that guides an organisation to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives (ISO 22301:2019)
Business continuity requirements The timeframes, resources and capabilities necessary to continue to deliver the prioritised products, services, processes and activities following a disruption (BCI GPG Edn 7.0:2023)
Business Impact Analysis (BIA) A process of analysing the impact over time of a disruption on the organisation (ISO 22301:2019)
C  
Competence The ability to apply knowledge and skills to achieve the intended result (ISO 22301:2019)
Controls Measure that maintains or modifies risk. Controls include but are not limited to any process, policy, device, practice or other conditions or actions which maintain or modify risk (ISO 22300:2021)
Crisis An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property or the environment (ISO 22300:2021) (see major incident) 
Crisis Management Coordinated activities to lead, direct and control an organisation with regard to crisis (ISO 22361:2022) (see major incident management)
D  
Disruption Incident whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to the organisation's objectives (ISO 22300:2021)
E  
Embracing Business Continuity A professional practice (PP2) within the BCMS that enables the organisation to improve the business continuity culture underpinning the BCMS over time (BCI GPG Edn 7.0:2023)
Enabling Solutions A professional practice (PP5) within the BCMS that outlines the methodology to implement the agreed solutions, develop the response structure and BC plans to ensure that the solutions can be deployed when required (BCI GPG Edn 7.0:2023)
Establishing a BCMS A professional practice (PP1) within the BCMS that outlines how the programme will be designed and implemented (BCI GPG Edn 7.0:2023)
Exercise Process to train for, assess, practise and improve performance in an organisation (ISO 22300:2021)
I  
Incident An event that can be, or could lead to, a disruption, loss, emergency or crisis (ISO 22301:2019)
Injects Individual timeline events that are part of an exercise (BCI GPG Edn 7.0:2023)
Interested Party A person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity (ISO 22300:2021) (Note this is the preferred BC term - stakeholder is permitted)
Internal Audit A formal, impartial evaluation that measures an organisation's BCMS against an agreed standard (BCI GPG Edn 7.0:2023)
Invocation The act of declaring that an organisation’s business continuity arrangements need to be put into effect in order to deliver key products and services (ISO 22300:2021)
M  
Management System A set of interrelated or interacting elements of an organisation to establish policies and objectives, and processes to achieve those objectives (ISO 22301:2019)
Major incident An event which: Threatens serious damage to human welfare at the University; Threatens serious damage to the environment at the University; Threatens serious damage to the security of the University; Threatens serious disruption to the University's core activities (University of Oxford: 2023)
Major Incident Plan (MIP) The Major Incident Plan codifies the University's response to a major incident. The latest edition is Edn 3:2024 (University of Oxford:2023)
Maximum Tolerable Period Of Disruption (MTPD) See also maximum acceptable outage. The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable (ISO 22301:2019)
Minimum Business Continuity Objective (MBCO) The minimum capacity or level of services or products that is acceptable to the organisation to achieve its business objectives during a disruption (ISO 22300:2021)
Mutual Aid Agreement Formal, pre-arranged understanding between two or more organisations to provide assistance to each other in the event of a disruption (University of Oxford:2023)
O  
Organisation A person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (ISO 22301:2019)
Organisational culture The values, attitudes and behaviour of an organisation that contribute to the unique social and psychological environment in which it operates (ISO 22316:2017)
Organisational resilience The ability of an organisation to absorb and adapt in a changing environment (ISO 22316:2017)
Outsource The acquisition of services (with or without products) in support of a business function for performing activities using suppliers' resources rather than the acquirer's resources (ISO/TS 27036-1:2021)
P  
Personnel People working for and under the control of an organisation. The term 'People' is the preferred term at the University of Oxford (ISO 22301:2019)
Policy The intentions and direction of an organisation as formally expressed by its top management (ISO 22301:2019)
Prioritised activities Activities to which urgency is given in order to avoid unacceptable impacts to business during a disruption (ISO 22301:2019)
Priority suppliers Priority suppliers are those who support prioritised activities and are identified as having the greatest impact if they fail to deliver resources, therefore impacting the organisation's ability to deliver its own products and services (BCI GPG Edn 7.0:2023)
Process Set of interrelated or interacting activities which transforms inputs into outputs (ISO 22301:2019)
Products and services The output or outcome provided by an organisation to interested parties (ISO 22301:2019)
Programme Group of programme components managed in a coordinated way to realise benefits (ISO 21503:2022)
R  
Recovery Point Objective (RPO) The point to which information used by an activity must be restored to enable the activity to operate on resumption at predefined levels (ISO 22300:2021)
Recovery Time Objective (RTO) The timeframe within the MTPD for resuming disrupted activities at a specified minimum acceptable capacity (ISO 22301:2019)
Resources All assets (including plant and equipment), people, skills, technology, premises, and supplies and information (whether electronic or not) that an organisation must have available to use, when needed, in order to operate and meet its objectives (ISO 22301:2019)
Risk The effect of uncertainty on objectives. An effect is a deviation from the expected. It can be positive, negative or both and can address, create or result in opportunities and threats (ISO 31000:2018)
Risk appetite The amount and type of risk that an organisation is willing to pursue, retain or take (ISO 31000:2018)
Risk Assessment (RA) The overall process of risk identification, risk analysis and risk evaluation. Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiries as necessary (ISO 31000:2018)
Risk management Coordinated activities to direct and control an organisation with regard to risk (ISO 31000:2018)
Risk source An element that alone or in combination has the potential to give rise to a risk (ISO 22300:2021)
Risk treatment The process of modifying risk. Note 1: Risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gave rise to the risk, taking or increasing risk in order to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, and sharing the risk with another party or parties (including contracts and risk financing) and retaining the risk by informed choice. Note 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk limitation, risk prevention and risk reduction. Note 3: Risk treatment can create new risks or modify existing risks (ISO 22300:2021) 
S  
Scenario A scenario is a pre-planned storyline that drives an exercise, as well as the stimuli used to achieve exercise project performance objectives (ISO 22300:2021)
Service Level Agreement (SLA) A commitment between a product or service provider and a client organisation, aspects of which would include quality, availability, responsibilities, and continuity capabilities, which are agreed upon by the two parties (ISO 22318:2021)
Simulation A simulation is the imitative representation of the functioning of one system or process by the means of the functioning of another (ISO 22300:2021)
Solutions design A professional practice (PP4) within the BCMS that specifies how the organisation will meet its BC requirements (BCI GPG Edn 7.0:2023)
Stakeholder A person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity (ISO 22301:2019) ('interested party' is the preferred alternative term) 
Supply Chain Continuity Management (SCCM) Management process that identifies potential impacts to an organisation from disruption to its supply chain and provides an approach to manage and protect the organisation's business activities from supply chain disruption by ensuring continuity of supply of resources as well as the ability to continue its delivery of products and services (ISO 22318:2021)
T  
Test A unique and particular type of exercise which incorporates an expectation of a pass or fail element within the aims or objectives of the exercise being planned (ISO 22300:2021)  
Threat A potential cause of an unwanted incident which may result in harm to individuals, assets, systems or organisation, environment or the community (ISO 22301:2019)
Top Management Person or group of people who direct(s) and control(s) an organisation at the highest level (ISO 22301:2019)
V  
Validation A professional practice (PP6) within the BCMS that confirms that the established BCMS meets the objectives set out in the policy and enables the organisation to embrace BC through an effective and efficient awareness, exercising, maintenance and review programme (BCI GPG Edn 7.0:2023)
W  
Workforce People who provide a service or input to contribute to the business or organisational outcomes. This can include employees, contractors and volunteers (ISO BCI GPG Edn 7.0:2023)
Workplace Any location where people conduct business for their employer or themselves (BCI GPG Edn 7.0:2023)

 

 

 


The Business Continuity Network (BCN) is a thriving, University-wide network for anyone with business continuity responsibilities. The BCN meets via Teams every first Wednesday of each month at 9.00am for 30 minutes for horizon scanning, lessons identified, sharing good practice and answering questions. Join us!
