Explanation of the most common business continuity terms

The pandemic has increased organizations’ interest in business continuity, as a way to protect themselves against disruption of their operations. However, in most cases, there is no time to wait for learning about business continuity processes, policies, procedures, and terms.

In this article, we offer help in understanding the difference between the most common business continuity terms, mainly based on the ISO 22301 glossary, the leading ISO standard for business continuity management.

Business continuity terms explained: Key definitions

Resume vs. recovery

Resume refers to having operations working again with a smaller capacity and in a different environment (e.g., operations resumed in the alternative site), while recovery refers to having operations back to normal conditions (i.e., main site is operational again). Restore, or restoration, is also a term that can be used instead of recovery.

MAO vs. RTO

Think about the maximum time your business can afford to be down after a disaster (e.g., minutes, hours, days, etc.) – this is the Maximum Acceptable Outage (MAO). Now, think about how fast after a disaster you want your business to resume operations – this is the Return Time Objective (RTO). In recent days, the term MTPD (Maximum Tolerable Period of Disruption) is replacing the use of MAO (both terms have the same meaning).

The relationship between them is that RTO can be equal to or smaller than MAO, but never greater – an RTO greater than MAO does not make sense, because you would be resuming operations after the impact has become so big that doing business might lead to bankruptcy.

RTO vs. RPO

The Recovery Time Objective (RTO) is the time after a disaster in which business operation(s) must be resumed. For example, if the RTO is 2 hours, then it means you want to resume delivery of products or services, or execution of activities, within 2 hours.

The Recovery Point Objective (RPO) is the amount of data, measured in terms of time before the occurrence of a disruption, the business is willing to lose. For example, if the RPO is 1 hour, then it means you can afford the loss of the data stored/processed during the hour before the occurrence of a disruption.

Difference between crisis, disaster, and incident

  • An incident is any situation that can result in a negative impact on normal operations.
  • A crisis is an unstable situation that requires immediate attention and action.
  • A disaster is a situation where losses are greater than the normal capacity of an organization to handle them.

Considering these definitions, an incident can lead to a crisis, which can lead to a disaster. An example of an incident that can lead to a crisis and a disaster would be a fire (without immediate attention and action, it can destroy assets and facilities that cannot be easily replaced). Other examples are a pandemic, an earthquake, or a riot.

Difference between resiliency, business continuity, and BCM

  • Resiliency refers to the capacity to adapt to new situations.
  • Business continuity refers to the capacity to continue to deliver products or services after a disruptive event.
  • Business continuity management (BCM) refers to the general process to ensure business continuity.

Considering these definitions, business continuity management helps build business continuity, which covers one aspect of resiliency (please note that you can have new situations that an organization will need to adapt to that do not involve a disruptive event, like the enforcement of a new regulation).

BIA vs. risk assessment

The Business Impact Analysis (BIA) is the process by which you get to understand the impact of a disaster on your business processes and services over time. The risk assessment is the part of the risk management process by which you identify, analyze, and evaluate risks to which your organization is exposed, in order to prioritize the most relevant ones.

BIA and risk assessment are used together to help define business continuity and disaster recovery strategies and plans, and there is no specific sequence in which they need to be performed.

For further information, see Risk assessment vs. business impact analysis.

Business Continuity Policy vs. Business Continuity Plan

The Business Continuity Policy is a top management document that defines the high-level guidelines, objectives, and responsibilities for business continuity planning and management, while the Business Continuity Plan is an operational document to define the steps for immediate response, resumption, and recovering of business operations after a disaster.

For further information, see The purpose of Business continuity policy according to ISO 22301.

Business Continuity Plan vs. Crisis Management Plan

A Business Continuity Plan (BCP) defines the activities to respond to a specific disruptive situation, as well as to resume and recover a service or process from the disruption.

Meanwhile, a Crisis Management Plan is a set of business-oriented activities (e.g., evaluation of business impacts, declaration of emergency/crisis/disaster, press communication, follow up of immediate response, resume and recovery activities, etc.) to be performed to ensure overall handling of critical situations that can negatively impact an organization. Crisis Management Plan is neither a term defined by ISO 22301, nor does it have a universal definition, because it has a wider application than only on disaster situations (e.g., on public relations crises, on financial crises, etc.), and may or may not be part of the Business Continuity Plan.

BCP (Business Continuity Plan) vs. BRP (Business Resumption Plan)

The Business Resumption Plan is a concept not present in ISO 22301, but widely used in other frameworks, like NIST 800-34, BS 25999-1, APS 232, NFPA 1600, COBIT, HB 292-2006, and PAS 77.

In these documents, the BRP refers to the actions needed to resume normal operations following the recovery of their critical processes, while a BCP is a concept covered in ISO 22301, and it represents a wider document, which covers not only the actions to resume operations, but also to respond to a disruptive event, and to recover and restore normal operations. Considering these definitions, the content of a BRP would be part of a BCP.

To assemble a puzzle, you have to know its pieces

Business continuity and disaster recovery are already a challenge by themselves, and designing and implementing them without understanding their fundamental terms only adds unnecessary difficulties.

While this article can offer you a quick start for understanding business continuity, you should consider reading the definitions directly from the sources mentioned at the beginning of this article.

To have a better understanding of ISO 22301 terminology and requirements, download this free white paper: Clause-by-clause explanation of ISO 22301.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.