Business Continuity ETPConsulting

Action Lists

A specific IS Service Continuity Management term referring to defined actions, allocated to recovery teams & individuals, within a phase of a plan.  These are supported by reference data.

Activation

The implementation of business continuity procedures, activities & plans in response to a Business Continuity Emergency, Event, Incident and/or Crisis (E / I / C).

Agreed Service Time

The time during which a particular IS service is agreed to be fully available, ideally as defined in the Service Level Agreement.  Different levels of service might apply within the agreed service time, for instance the Service Desk might not be available for all the hours that users can access their services.

Alert

A formal notification that an E-I-C has occurred which may develop into a Business Continuity Management or Crisis Management invocation.

Alert Phase

The first phase of a Business Continuity Plan in which the initial emergency procedures & damage assessments are activated.

Alternate Site

A site held in readiness for use during a Business Continuity E-I-C to maintain the business continuity of an organisation’s Mission Critical Activities. The term applies equally to office or technology requirements. Alternate sites may be ‘cold’, ‘warm’ or ‘hot’. This type of site is also known as a Recovery Site.

Alternative Routing

The routing of information via an alternative cable routing medium (i.e. using different networks should the normal network be rendered unavailable).

Assembly Area

The designated area at which employees, visitors & contractors assemble if evacuated from their building/site.

Assurance

The activity & method whereby an organisation can verify & validate its BCM capability.

Audit

The method by which procedures and/or documentation are measured against pre-agreed standards.

Availability

An umbrella term that includes reliability (including resilience), maintainability, serviceability & security.  A common definition of availability is 'the ability of a component or IS service (under combined aspects of its reliability, maintainability & security) to perform its required function at a stated instant or over a stated period of time'.  Service availability is sometimes expressed as an availability percentage, i.e. the proportion of time that the service is actually available for use by the customers within the agreed service time:

Backlog

The effect on the business of a build-up of work that occurs as the result of a system or method being unavailable for an unacceptable period. A situation whereby a backlog of work requires more time to action than is available through normal working patterns. In extreme circumstances, the backlog may become so marked that the backlog cannot be cleared.

Back-out plan

A plan that documents all actions to be taken to restore the service if the associated Change or Release fails or partially fails.  Back-out plans may provide for a full or partial reversal.  In extreme circumstances they may simply call for the IS Service Continuity Plan to be invoked.

Backup

A method by which data, electronic or paper based, is copied in some form so as to be available & used if the original data from which it originated is lost, destroyed or corrupted.

Benchmarking

A form of comparison usually between the activities of one organisation & those of one or more comparable external organisations.  Also used to describe a form of simulation modelling where the entire operational environment is replicated or simulated.

Brainstorming

A Problem Management technique used to quickly generate, clarify & evaluate a sizeable list of ideas, Problems, issues, themes, etc. by documenting 'what we know' as a team, tapping the creative thinking of the team & getting everyone involved.  The technique is particularly useful in identifying possible causes when constructing a Cause / Effect Diagram.

BS 7799

A UK BSI Standard for information security management. Section 9 deals with Business Continuity Management. The corresponding international standard is known as ISO 17799.

BS 7799-1:2000

The British Standards Institution 'Code of practice for information security management'.  Also referred to as ISO/IEC 17799-2000.

BS15000

The British Standards Institution 'Specification for IS service management'.

Business Activity

A group of activities/processes undertaken by an organisation to produce a product and/or service and/or in pursuit of a common goal.

Business Activity Levels

The predicted or historic levels of business method activity that are to be or have been supported by the IS infrastructure.  Measured in business terms (e.g. number of account holders).

Business Continuity Institute (BCI)

The Institute of professional Business Continuity Managers. Website www.thebci.org

Business Continuity Management

The complete set of activities & processes divided into various stages that are necessary to manage business continuity.  Anticipating Incidents which may affect critical business functions & processes & ensuring that the organisation is capable of responding to such Incidents in a planned & rehearsed manner.

Business Continuity Management Activity

An action or series of actions that form a part of a BCM process.

Business Continuity Management Policy

A BCM policy sets out an organisation’s aims, principles & approach to BCM, what & how it will be delivered, key roles & responsibilities & how BCM will be governed & reported upon.

Business Continuity Management Process

A set of activities/processes with defined outcomes, deliverables & evaluation criteria that form a distinct part of the BCM lifecycle.

Business Continuity Management Programme

An ongoing management & governance method supported by senior management & resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies & plans, & ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance & assurance.

Business Continuity Management Team

A defined number of roles & responsibilities for implementing the Business Continuity Management Plan.

Business Continuity Objective 

The desired time within which business method should be recovered, & the minimum staff, assets & services required within this time.

Business Continuity Plan

Documents describing the roles, responsibilities & actions necessary to resume business processes following a disruption.  The Business Continuity Plan will provide a defining structure for & exert a major influence upon the development of IS continuity plans.  Its scope both encompasses & exceeds IS Service Continuity Management & is normally a business responsibility.

Business Continuity Team

One of a number of groups of people with defined, agreed & documented roles within the business recovery process.

Business Critical Functions

Critical operational or support activities.

Business Critical Point

The latest moment at which the business can afford to be without a Mission Critical Activity or dependency.

Business Function

A business unit within an organisation e.g. a department, division, branch.

Business Impact Analysis

A formal analysis of the effect on the business if a specific set of IS services are not available.  It will also identify the minimum set of services that an organisation will require to continue operating.

Business Impact Resource Recovery Analysis (BIRRA)

An assessment of the minimum level of resources e.g. personnel, workstations, technology, telephony required, over time, after a Business Continuity E-I-C to maintain the continuity of the organisation’s Mission Critical Activities at a minimum level of service / production. Generally considered to be part of a BIA, it is an integral part of any subsequent resource Gap Analysis.

Business Objectives

The measurable targets designed to help an organisation achieve its overall business strategy.

Business Operations

Activities & procedures carried out by the User community in performing the business role of an organisation.  A Service Desk is concerned with supporting & dealing with the comments & requests arising from those business operations.

Business Process

A series of related business activities aimed at achieving one or more business objectives in a measurable manner.  Typical business processes include receiving orders, marketing services, selling products, delivering services, distributing products, invoicing for services, accounting for money received.  A business process will usually depend upon several business functions for support e.g. IT, personnel, accommodation.  A business process will rarely operate in isolation, i.e. other business processes will depend on it & it will depend on other processes.  See also Process.

Business Risk

The risk that external factors, such as a fall in demand for an organisation’s products or services, will result in unexpected loss. Business risk, if managed well, can also result in a competitive advantage being gained.

Call Tree

A structured cascade method (system) that enables a list of persons, roles and/or organisations to be contacted as a part of an information or plan invocation procedure.

Call Tree Cascade Test

A test designed to validate the currency of contact lists & the processes by which they are maintained.

CCTA Risk Analysis & Management Method

CRAMM® is a tool for analysis & management of IS security risks, suitable for use by the IS Service Continuity & Availability Management processes.  It provides an insight into the risks to which an organisation is exposed & its use is often considered an essential first step towards attaining ISO 17799, the international standard for information security management.

Central Computer and Telecommunications Agency

The CCTA was the UK Government Centre for Information Systems responsible for producing & maintaining ITIL.  Now subsumed within the OGC.

Certification

The formal evaluation of an organisation's processes by an independent & accredited body against a defined standard & the issuing of a certificate indicating conformance.

Change

Any deliberate action that alters the form, fit or function of CIs - typically, an addition, modification, movement or deletion that impacts on the IS infrastructure.

Change Control

The procedures to ensure that all Changes are controlled, including the submission, recording, analysis, decision making, approval, implementation & post-implementation review of the change.

Clerical Backup

In case of contingency, delivering some part of the required services without the IS infrastructure.  Nowadays, as well as some manual processes, this is likely to be via standalone PCs & commercial office systems software.

Cold Stand-by/Start/Site (portable or fixed)

An empty computer room, either in portable accommodation or on a fixed site, with power, environmental control & telecommunications, but no IS equipment or software for use in an emergency.  See also Gradual Recovery.

Command Centre (CC)

The facility used by a Crisis Management Team after the first phase of a Business Continuity E-I-C. An organisation must have a primary & secondary location for a command centre in the event of one being unavailable. It may also serve as a reporting point for deliveries, services, press & all external contacts.

Consequence

The end result following a Business Continuity E-I-C that can be defined as loss, injury, disadvantage or gain.

Contingency Fund

A budget for meeting & managing operating expense at the time of a Business Continuity (E / I / C).

Continuous Availability

A characteristic of an IS service that masks from the users the effects of losses of service, planned or unplanned.  See also Continuous Operation.

Control

Any action which reduces the probability of a risk occurring or reduces its impact if it does occur.

Control Culture

Sets the tone for an organisation, influencing the control consciousness of its people. Control culture factors include the integrity, ethical values & competence of the entity’s people; management’s philosophy & operating style; the way management assigns authority & responsibility, & organises & develops its people; & the attention & direction provided by a Board.

Control Environment

The whole system of controls, financial & otherwise, established by a Board & management in order to carry on an organisation’s business in an effective & efficient manner, in line with the organisation’s established objectives & goals. Also there to ensure compliance with laws & regulations, to safeguard an organisation’s assets & to ensure the reliability of management & financial information. Also referred to as Internal Control.

Control Framework

A model or recognised system of control categories that covers all internal controls expected within an organisation.

Control Review / Monitoring

Involves selecting a control & establishing whether it has been working effectively & as described & expected during the period under review.

Control Self Assessment (CSA)

A class of techniques used in an audit or in place of an audit to assess risk & control strength & weaknesses against a control framework. The ‘self’ assessment refers to the involvement of management & staff in the assessment process, often facilitated by internal auditors. CSA techniques can include workshop/seminars, focus groups, structured interviews & survey questionnaires.

Corporate Governance

The system/process by which the directors & officers of an organisation are required to carry out & discharge their legal, moral & regulatory accountabilities & responsibilities.

Cost Benefit Analysis

A method (after a BIA & risk assessment) that facilitates the financial assessment of different strategic BCM options & balances the cost of each option against the perceived savings.

Countermeasure

An action taken to reduce risk.  It may reduce the 'value' of the asset, the threats facing the asset or the vulnerability of that asset to those threats.

Crisis

An occurrence and/or perception that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organisation.

Crisis Management

The method concerned with managing the whole range of impacts following a disaster, including elements such as adverse media coverage & loss of customer confidence.

Crisis Management Plan

A clearly defined & documented plan of action for use at the time of a crisis. Typically a plan will cover all the key personnel, resources, services & actions required to implement & manage the Crisis Management process.

Crisis Management Team(s) (CMT)

A defined number of roles & responsibilities for implementing the organisation’s Crisis Management Plan.

Critical Success Factors

The certain factors that will be critical to the success of the organisation, in the sense that if the objectives associated with those factors are not achieved, the organisation will fail - perhaps catastrophically so.  Identification of CSFs should help determine the strategic objectives of the organisation.

Customer Relationship Management

All of the activities necessary to ensure that IS Service Managers have a true understanding of their customers' needs & that the customers also understand their responsibilities.  Use of the term in an IS Service Management sense should not be confused with the specific CRM term which is generally focused on helping a business 'sell' more to its customers rather than deliver better services.

Damage Assessment

The method of assessing the financial/non-financial damage following a Business Continuity E-I-C. It usually refers to the assessment of damage to physical assets e.g. vital records, buildings, sites, technology to determine what can be salvaged or restored & what must be replaced.

Data Mirroring

A method whereby critical data is copied instantaneously to another location so that it is not lost in the event of a Business Continuity E-I-C.

Data Protection

Statutory requirements to manage personal data in a manner that does not threaten or disadvantage the person to whom it refers.

Denial of Access

The inability of an organisation to access and/or occupy its normal working environment. Usually imposed & controlled by the Emergency and/or Statutory Services.

Dependency

The reliance, directly or indirectly, of one activity or method upon another.

Disaster Recovery Planning

The processes within Business Continuity Management that focus upon recovery from, principally, physical disasters. 

Downtime

The total period that a service or component is not operational within an agreed service time.  Measured from when a service or component fails to when normal operations recommence.

Emergency

An actual or impending situation that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of an organisation’s normal business operations to such an extent that it poses a threat.

Emergency Co-ordinator

The person assigned the role of co-ordinating the activities of the evacuation of a site and/or building with the statutory and/or emergency services. 

Emergency Change

A Change planned, scheduled & implemented at very short notice in order to protect a service from an unacceptable risk of failure or degradation, lack or loss of functionality.

Emergency Services

Usually refers to the civil services of Police, Fire & Ambulance.

Escalation

Passing information and/or requesting action on an Incident, Problem or Change to more senior staff (hierarchical escalation) or other specialists (functional escalation).  The circumstances in which either vertical escalation for information/authority to apply further resources or horizontal escalation for greater functional involvement need to be precisely described, so that the purpose of the escalation & the nature of the required response is absolutely clear to all parties as the escalation occurs.  Escalation rules will be geared to priority targets.  Functional Escalation is sometimes called Referral.

Essential Service

A service without which a building would be ‘disabled’. Often applied to the utilities (water, gas, electricity, etc.) it may also include standby power systems, environmental control systems or communication networks.

Event

Any occurrence that may lead to a business continuity incident.

Exception Reporting

Reducing the Management Information produced to that which most demands or deserves attention.  The 'Top Ten' style of list is an example.

Exercise

An announced or unannounced execution of business continuity plans intended to implement existing plans and/or highlight the need for additional plan development. A way of testing part of a Business Continuity Plan. An exercise may involve invoking Business Continuity procedures but is more likely to involve the simulation of a Business Continuity E-I-C in which participants role-play in order to assess what issues may arise, prior to a real invocation.

Exposure

The susceptibility to loss, or the vulnerability to a particular risk.

Extreme or Catastrophic Emergency, Event, Incident and/or Crisis

A Business Continuity E-I-C of immense proportions that has severe consequences, often damaging a large proportion of the organisation’s assets that results in a loss greater than an expected loss.

Facilities Management (FM)

The function that manages all aspects of an organisation’s real estate assets & infrastructure.

Failure

A failure occurs when a functional unit is no longer fit for purpose.

Fallback

Another term for alternative e.g. a fallback facility is another site/building that can be used when the original site/building is unusable or unavailable.

Fault

A condition that causes a functional unit to fail to perform the required function.

Fault Tolerance

The ability of a service to continue when a failure occurs.  See also Resilience.

First Level Support

The technical & managerial resources within the Service Desk available at the initial point of contact with the Customer/User.

Fortress Approach

An approach to IS Service Continuity where the entire site is made as disaster-proof as possible.

Full Rehearsal

A simulation exercise involving a Business Continuity E-I-C where the organisation or some of its component parts are suspended until the exercise is completed.

Full Release

A release that tests, distributes & implements all components of a release unit, regardless of whether or not they have changed since the last release of the software.

Function

The actions or intended purpose of a person, team or thing in a specific role.  Service Management functions may be considered as high-level business activities, often with a broad scope & associated with a particular job, consisting of a collection of lower level activities.  The characteristics of a function are that it is continuous & represents a defining aspect of the business enterprise.  It is usually associated with more than one method & contributes to the execution of those processes.  Rarely do (or should) functions mirror the organisational structure.

Gap Analysis

A survey whose aim is to identify the differences between BCM/Crisis Management requirements (what the business says it needs at time of an (E / I / C)) & what is in place and/or available.

Hazard

A source of potential harm or a situation with a potential to cause loss.

Hot Site

A site (data centre, work area) that provides a BCM facility with the relevant work area recovery, telecommunications & IS interfaces & environmentally controlled space capable of providing relatively immediate backup data processing support to maintain the organisation’s Mission Critical Activities.

Hot Standby

A term that is normally reserved for Technology Recovery. An alternate means of processing that minimises downtime so that no loss of processing occurs. Usually involves the use of a standby system or site that is permanently connected to business users & is often used to record transactions in tandem with the primary system.

Hot Stand-by / Start / Site (internal, external or mobile)

An IT Service Continuity option - either provided from within the organisation or by a 3rd party, possibly in a fixed place or mobile, consisting of a computer room with full environmental & telecommunications facilities plus the necessary hardware & software to enable the site to take over processing from the normal infrastructure with minimal disruption to services.  See also Immediate Recovery, Intermediate Recovery.

Housekeeping

The method of maintaining procedures, systems, people & plans in a state of readiness.

Immediate Recovery

In liberal terms, this IS Service Continuity option provides for the immediate recovery of services in a contingency situation.  The instant availability of services distinguishes this option from what may be referred to as 'Hot Stand-by/Start', which typically will permit services to be recovered within 2 to 24 hours depending on the criticality of the business method they support.  Depending on that business criticality, 'immediate' recovery may then vary from zero to 24 hours.  See also Gradual Recovery, Intermediate Recovery.

Impact

A measure of the effect that an Incident, Problem or Change is having or might have on the business being provided with IS services.  Often equal to the extent to which agreed or expected levels of service may be distorted.  Together with urgency, & perhaps technical security, it is the major means of assigning priority for dealing with Incidents, Problems or Changes.

Impact Analysis

The identification of critical business processes & the potential damage or loss that may be caused to the organisation resulting from a disruption to those processes, or perhaps from a proposed change.  Business impact analysis identifies the form the loss or damage will take; how that degree of damage or loss is likely to escalate with time following an Incident; the minimum staffing, facilities & services needed to enable business processes to continue to operate at a minimum acceptable level; & the time within which they should be recovered.  The time within which full recovery of the business processes is to be achieved is also identified.

Incident

An event which is not part of the standard operation of a service & which causes or may cause disruption to, or a reduction in, the quality of services & Customer productivity.

Incident Categorisation

A sub-division of Classification, which provides a means of identifying, using a series of structured codes, firstly, what appears to have gone wrong with the IS Service (the symptoms), secondly why (the cause of that failure) & thirdly identification of the component likely to be at fault.  The category codes are elements within the classification data string & are essential for fault analysis purposes.

Infrastructure

A building & all of its supporting services. Infrastructure is usually divided into technology infrastructure (e.g. computers, cabling, telephony, etc.) & real estate infrastructure (e.g. buildings, utility supplies, air-conditioning, etc.).

Inherent Risk

The possibility that some human activity or natural event will have an adverse effect on the asset(s) of an organisation & which cannot be managed or transferred away.

Interface

Physical or functional interaction at the boundary between CIs.

Internal Audit

An organisation’s own in-house team of auditors. Responsible primarily for evaluating the effectiveness of internal control systems & contributing to their ongoing effectiveness by providing advice & support to management.

Invocation

The act by which a Business Continuity Management or Crisis Management method is formally started. The term is often used to refer to the act of using a service such as work area recovery as offered by a commercial or third party provider.

ISO 9000

Guidelines & assurances of method & procedure standards for quality assurance systems.  The current version of ISO 9000 is ISO 9000:2000.

Key Performance Indicator

A measure (quantitative or qualitative) that enables the overall delivery of a service to be assessed by both business & IS representatives.  KPIs should be few in number & focus on the service's potential contribution to business success.  To be effective in improving business performance, they must be linked to a strategic plan which details how the business intends to accomplish its vision & mission.  The metrics selected must address all aspects of performance results, describe the targeted performance in measurable terms & be deployed to the organisational level that has the authority, resources & knowledge to take the necessary action.

Key Task(s)

Tasks identified within a Business Continuity Plan as a priority action typically to be carried out within the first few minutes/hours of the plan invocation.

Knowledge Base

Data repository holding information on Incidents, Problems & Known Errors, enabling an organisation to match new Incidents against previous ones & thus to reuse established solutions & approaches.

Lead Time

The time it takes for a supplier – either equipment or a service – to make that equipment or service available. Business continuity plans should try to minimise this by agreeing Service Levels (Service Level Agreement) with the supplier in advance of a Business Continuity E-I-C rather than relying on the supplier’s best efforts.

Major Incident

An Emergency Services definition. Any emergency that requires the implementation of special arrangements by one or more of the Emergency Services, National Health Service or a Local Authority.

Major Incident

An Incident where the impact on the business is extreme.

Management System

The framework of processes & procedures used to ensure that the organisation can fulfil all tasks required to achieve its objectives.

Manual Procedures

An alternative process of working following a loss of IS systems. As working practices rely more & more on computerised activities, the ability of an organisation to fall back to manual alternatives lessens. However, temporary measures & methods of working can help mitigate the impact of a Business Continuity E / I / C & give staff a feeling of doing something.

Maximum Acceptable Outage (MAO)

This is the timeframe during which a recovery must become effective before an outage compromises the ability of an organisation to achieve its business objectives and/or survival.

Metric

Measurable element of a service, method or function.  The real value of metrics is seen in their change over time.  Reliance on a single metric is not advised, especially if it has the potential to affect User behaviour in an undesirable way.

Offsite Location

A site at a safe distance from the primary site where critical data (computerised or paper) and/ or equipment is stored from where it can be recovered & used at the time of a Business Continuity E-I-C if original data, material or equipment is lost or unavailable.

Operational Risk

The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures & inadequate procedures & controls.

Organisation

An enterprise, a corporate entity; a firm, an establishment, a public or government body, department or agency; a business or a charity.

Outage

Period of time that a service, system, method or business function is expected to be unusable or inaccessible which has a high impact on the organisation, compromising the achievement of the organisation’s business objectives. An outage is different to ‘downtime’ where method or system failures happen as a part of normal operations, & where the impact merely reduces the short-term effectiveness of processes.

Period of Tolerance

The period of time in which a Business Continuity E-I-C can escalate to a potential disaster without undue impact to the organisation.

Plan Currency

Business Continuity Plans must be maintained (housekeeping) to an adequate state. The measure of how up-to-date BC & CMT plans are kept. A good (recent) plan currency is vital if plans are to be reliable.

Plan Maintenance

The management method of keeping an organisation’s BCM competence & capability up-to-date, fit-for-purpose & effective.

Post Implementation Review

One or more reviews held after the implementation of a Change to determine initially, if the Change has been implemented successfully & subsequently, if the expected benefits have been obtained.

Preventative

Measures put in place to lessen the likelihood of a Business Continuity E / I / C.

Prioritisation

The order in which Mission Critical Activities & their dependencies are addressed following invocation of the BCM process.

Program

An organised list of instructions that, when executed, causes a computer to behave in a predetermined manner.  Programs contain variables representing numeric data, text or graphical images & statements that instruct the computer what to do with variables.

Programme

A portfolio of projects & other activities that are planned, initiated & managed in a co-ordinated way in order to achieve a set of defined business objectives.

Project

A temporary organisation created for the purpose of delivering one or more business products according to a specified business case.

Project Management

The techniques & tools used to describe, control & deliver a series of activities with given deliverables, timeframes & budgets.

Qualitative Assessment

A form of assessment that analyses the general structures & systems currently in place. A descriptive methodology, which typically involves risk mapping & risk matrices. These assessments do not involve detailed measurements.

Quality

The totality of features & characteristics of a product or service which bear on its ability to satisfy stated & implied needs.

Quality Assurance

Confirming the degree of excellence of a product or service, measured against its defined purpose. This might involve a number of techniques.  For documentation it might involve inviting informed comment; for software, a method of formal testing, trialling or inviting public feedback on a beta version; for hardware, performance against specified test; for management process, comparison with a standard such as BSI5000.

Quantification

The objective measure of the seriousness of risk or impact, often measured in financial or regulatory terms.

Quantitative Assessment

A form of assessment that analyses the actual numbers & values involved. This type of methodology typically applies mathematical & statistical techniques & modelling. 

Reciprocal Agreement

An IS Service Continuity Planning option that depends on two organisations being willing & able to share their resources, prior to, or in the event of, an emergency.  Capacity & technical compatibility are particular issues.

Recovery

Following failure & repair, the failed CIs are recovered into the live infrastructure.  This may include recovering data to the last known recoverable state.  There may remain further steps before the service is restored to the Users, e.g. testing, transaction re-runs & notifying Users.  Recovery is the penultimate stage of the Incident life-cycle.

Recovery Centre

Where an IS unit analyses its full expenditure & investments so that they may be recovered from Customers, usually by formal charging but without profit.

Recovery Plan

See: BCM Plan.

Redundancy

Where a system has been designed to eliminate single points of failure, redundant CIs are those which can fail without affecting the delivery of service.  However, generally, once a CI has failed, the inherent redundancy will be gone & repair/replacement is required before further failures which would affect the service.

Residual Risk

The level of uncontrolled risk remaining after all cost-effective actions have been taken to lessen the impact & probability of a specific risk or group of risks, subject to the organisation’s risk appetite.

Resilience

The ability of an organisation, staff, system, network, activity or method to absorb the impact of a business interruption, disruption and/or loss & continue to provide a minimum acceptable level of service.

Resolution

An action that will resolve an Incident, i.e. allow the users to carry out their business functions.  This may be a temporary work-around or the permanent repair or replacement of a faulty CI.

Restoration of Service

The service is said to be restored when the users are able to process new work, i.e. the system & available data have been recovered, appropriate tests performed, users informed, & any lost work repeated.  Restoration, following Recovery, is the final stage of the Incident life-cycle.

Resumption

The implementation of steps to enable the recovery & continuity of an organisation’s Mission Critical Activities and/or their dependencies immediately following a Business Continuity E / I / C.

Risk

A measure of the exposure to which an organisation may be subject.  This is a combination of the likelihood of a business disruption occurring & the possible loss that may result from such business disruption.

Risk Analysis

The systematic method of identifying the nature & causes of risks to which an organisation could be exposed & assessing the likely impact & probability of those risks occurring.

Risk Assessment

The overall method of risk identification, analysis & evaluation.

Risk Avoidance

An informed decision not to become involved in a risk situation.

Risk Based Auditing 

Audits that focus on risk & risk management as the audit objective.

Risk Control

That part of risk management which involves the implementation of policies, standards, procedures & physical changes to eliminate or minimise adverse risks.

Risk Management

The culture, processes & structures that are put in place to effectively manage potential opportunities & adverse effects. As it is not possible or desirable to eliminate all risk, the objective is to implement cost effective processes that reduce risks to an acceptable level, reject unacceptable risks & treat risk by financial interventions i.e. transfer other risks through insurance or other means, or by organisational intervention i.e. BCM.

Risk Reduction Measure

Measure taken to reduce the likelihood or consequences of a business disruption occurring (as opposed to planning to recover after a disruption).

Scope

Generally, the extent to which a method or procedure applies.  The scope of Configuration Management may not, for example, extend to Customer information (other than on an 'as informed' basis) & the scope of a Change Management procedure may not apply to 'Urgent Changes'.  Also a key concept in outsourcing, defining which activities are covered by the base contract & which are separately chargeable.

Second Level / Line Support

Technical resources (sometimes based within the Service Desk) called upon by Incident & Problem Management to assist in the resolution of an Incident, restoration of service, the identification of a Problem or Known Error, the provision of a work-around or the generation of a Change.

Service

An integrated composite that consists of a number of components, such as management process, hardware, software, facilities & people, that provides a capability to satisfy a stated management need or objective.

Service Level Agreement

A formal negotiated document that defines (or attempts to define) in quantitative (and perhaps qualitative) terms the service being offered to a Customer.  Confusion must be avoided over whether the quantitative definitions constitute thresholds for an acceptable service, targets to which the supplier should aspire or expectations that the supplier would strive to exceed.  Any metrics included in an SLA should be capable of being measured on a regular basis & the SLA should record by whom.  Typically it will cover: service hours, service availability, Customer support levels, throughputs & responsiveness, restrictions, functionality & the service levels to be provided in a contingency.  It may also include information on security, charges & terminology.

Service Manager

A senior manager, normally reporting to the IS director, who has overall responsibility for ensuring services are delivered in accordance with agreed business requirements.  The Service Manager is also responsible for negotiating requirements with senior business representatives.  The Service Manager is responsible for the Service Management Team & is usually a member of the high level CAB.  The Service Manager should have a major say in the allocation of resources between services.

Single Point of Failure

The only (single) source of a service, activity and/or method i.e. there is no alternative, whose failure would lead to the total failure of a Mission Critical Activity and/or dependency.

Stakeholders

All those who have an interest in an organisation, its activities & its achievements.  These may include Customers, partners, employees, shareholders, owners, government & regulations.

Statutory Services

Those services whose responsibilities are laid down by law e.g. Fire & Rescue Service, Coast Guard Service.

Task

Generically, an activity or set of activities that might be defined as part of a process.  When used within a phrase such as 'Standard Operational Task' it defines a well documented, controlled, proceduralised, & usually low risk, activity.  The procedure controlling the manner in which the task is carried out would be subject to formal Change Control.

Terms of Reference

A document that usually describes the purpose & scope of an activity or requirement.

Unexpected Loss

The worst case financial loss or impact that a business could incur due to a particular loss E / I / C or risk. The unexpected loss is calculated as the expected loss plus the potential adverse volatility in this value. It can be thought of as the worst financial loss that could occur in a year over the next 20 years.

Uninterrupted Power Supply (UPS)

Equipment (usually a bank of batteries) that offers short-term protection against power surges & outages. Note that UPS usually only allows enough time for vital systems to be correctly powered down.

Virus

An unauthorised program that inserts itself into a computer system & then propagates itself to other computers via networks or disks. When activated, it interferes with the operation of the computer systems.

Warm Site

A site (data centre/ work area) which is partially equipped with hardware, communications interfaces, electricity & environmental conditioning capable of providing backup operating support.

Work-around

A process of avoiding an Incident or Problem, either by employing a temporary fix or technique that means a Customer is not reliant on a CI that is known to cause failure.

Text, images, design and function copyright eTrading Partners Limited
Nothing on this website may be copied without the permission of the copyright holder.
©copyright 2004


