{"id":64075,"date":"2021-01-18T11:42:58","date_gmt":"2021-01-18T11:42:58","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=64075"},"modified":"2024-12-21T12:27:52","modified_gmt":"2024-12-21T12:27:52","slug":"explanation-of-most-common-business-continuity-terms","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2021\/01\/18\/explanation-of-most-common-business-continuity-terms\/","title":{"rendered":"Explanation of the most common business continuity terms"},"content":{"rendered":"<p>The pandemic has increased organizations\u2019 interest in business continuity, as a way to protect themselves against disruption of their operations. However, in most cases, there is no time to wait for learning about business continuity processes, policies, procedures, and terms.<\/p>\n<p>In this article, we offer help in understanding the difference between the most common business continuity terms, mainly based on the <a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-22301\/\">ISO 22301<\/a> glossary, the leading ISO standard for business continuity management.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-64076 size-full\" src=\"\/wp-content\/uploads\/\/sites\/5\/2021\/01\/business-continuity-terms-explained-key-definitions.png\" alt=\"Business continuity terms explained: Key definitions\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2021\/01\/business-continuity-terms-explained-key-definitions.png 1000w, \/wp-content\/uploads\/sites\/5\/2021\/01\/business-continuity-terms-explained-key-definitions-300x188.png 300w, \/wp-content\/uploads\/sites\/5\/2021\/01\/business-continuity-terms-explained-key-definitions-768x482.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>Resume vs. recovery<\/h2>\n<p><em>Resume<\/em> refers to having operations working again with a smaller capacity and in a different environment (e.g., operations resumed in the alternative site), while <em>recovery<\/em> refers to having operations back to normal conditions (i.e., main site is operational again). <em>Restore<\/em>, or <em>restoration<\/em>, is also a term that can be used instead of <em>recovery<\/em>.<\/p>\n<h2>MAO vs. RTO<\/h2>\n<p>Think about the maximum time your business can afford to be down after a disaster (e.g., minutes, hours, days, etc.) &#8211; this is the <em>Maximum Acceptable Outage (MAO)<\/em>. Now, think about how fast after a disaster you want your business to resume operations &#8211; this is the <em>Return Time Objective (RTO)<\/em>. In recent days, the term <em>MTPD (Maximum Tolerable Period of Disruption)<\/em> is replacing the use of MAO (both terms have the same meaning).<\/p>\n<p>The relationship between them is that <em>RTO<\/em> can be equal to or smaller than <em>MAO<\/em>, but never greater &#8211; an <em>RTO<\/em> greater than <em>MAO<\/em> does not make sense, because you would be resuming operations after the impact has become so big that doing business might lead to bankruptcy.<\/p>\n<p><div id=\"middle-banner\" class=\"banner-shortcode\"><\/div><script>loadMiddleBanner();<\/script><div id=\"side-banner-trigger\" class=\"banner-shortcode\"><\/div><\/p>\n<h2>RTO vs. RPO<\/h2>\n<p>The <a title=\"Recovery Time Objective (RTO)\" href=\"https:\/\/advisera.com\/27001academy\/knowledgebase\/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo\/\" target=\"_blank\" rel=\"noopener\"><em>Recovery Time Objective (RTO)<\/em><\/a> is the time after a disaster in which business operation(s) must be resumed. For example, if the <em>RTO<\/em> is 2 hours, then it means you want to resume delivery of products or services, or execution of activities, within 2 hours.<\/p>\n<p>The <em>Recovery Point Objective (RPO)<\/em> is the amount of data, measured in terms of time before the occurrence of a disruption, the business is willing to lose. For example, if the <em>RPO<\/em> is 1 hour, then it means you can afford the loss of the data stored\/processed during the hour before the occurrence of a disruption.<\/p>\n<h2>Difference between crisis, disaster, and incident<\/h2>\n<ul>\n<li>An <em>incident<\/em> is any situation that can result in a negative impact on normal operations.<\/li>\n<li>A <em>crisis<\/em> is an unstable situation that requires immediate attention and action.<\/li>\n<li>A <em>disaster<\/em> is a situation where losses are greater than the normal capacity of an organization to handle them.<\/li>\n<\/ul>\n<p>Considering these definitions, an <em>incident<\/em> can lead to a <em>crisis<\/em>, which can lead to a <em>disaster<\/em>. An example of an incident that can lead to a crisis and a disaster would be a fire (without immediate attention and action, it can destroy assets and facilities that cannot be easily replaced). Other examples are a pandemic, an earthquake, or a riot.<\/p>\n<h2>Difference between resiliency, business continuity, and BCM<\/h2>\n<ul>\n<li><em>Resiliency<\/em> refers to the capacity to adapt to new situations.<\/li>\n<li><em>Business continuity<\/em> refers to the capacity to continue to deliver products or services after a disruptive event.<\/li>\n<li><em>Business continuity management (BCM)<\/em> refers to the general process to ensure business continuity.<\/li>\n<\/ul>\n<p>Considering these definitions, <em>business continuity management <\/em>helps build <em>business continuity<\/em>, which covers one aspect of <em>resiliency<\/em> (please note that you can have new situations that an organization will need to adapt to that do not involve a disruptive event, like the enforcement of a new regulation).<\/p>\n<h2>BIA vs. risk assessment<\/h2>\n<p>The <em>Business Impact Analysis (BIA)<\/em> is the process by which you get to understand the impact of a disaster on your business processes and services over time. The <em>risk assessment<\/em> is the part of the risk management process by which you identify, analyze, and evaluate risks to which your organization is exposed, in order to prioritize the most relevant ones.<\/p>\n<p><em>BIA<\/em> and <em>risk assessment<\/em> are used together to help define business continuity and disaster recovery strategies and plans, and there is no specific sequence in which they need to be performed.<\/p>\n<p>For further information, see <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/#section23\" target=\"_blank\" rel=\"noopener\">Risk assessment vs. business impact analysis<\/a>.<\/p>\n<h2>Business Continuity Policy vs. Business Continuity Plan<\/h2>\n<p>The<a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-policy-amp-bia&#038;doc=business-continuity-policy\" target=\"_blank\" rel=\"noopener\"> <em>Business Continuity Policy<\/em><\/a> is a top management document that defines the high-level guidelines, objectives, and responsibilities for business continuity planning and management, while the <a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-plan&#038;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\"><em>Business Continuity Plan<\/em><\/a> is an operational document to define the steps for immediate response, resumption, and recovering of business operations after a disaster.<\/p>\n<p>For further information, see <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2013\/06\/04\/the-purpose-of-business-continuity-policy-according-to-iso-22301\/\" target=\"_blank\" rel=\"noopener\">The purpose of Business continuity policy according to ISO 22301<\/a>.<\/p>\n<h2>Business Continuity Plan vs. Crisis Management Plan<\/h2>\n<p>A <em><a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-plan&#038;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">Business Continuity Plan<\/a> (BCP)<\/em> defines the activities to respond to a specific disruptive situation, as well as to resume and recover a service or process from the disruption.<\/p>\n<p>Meanwhile, a <em>Crisis Management Plan<\/em> is a set of business-oriented activities (e.g., evaluation of business impacts, declaration of emergency\/crisis\/disaster, press communication, follow up of immediate response, resume and recovery activities, etc.) to be performed to ensure overall handling of critical situations that can negatively impact an organization. <em>Crisis Management Plan<\/em> is neither a term defined by ISO 22301, nor does it have a universal definition, because it has a wider application than only on disaster situations (e.g., on public relations crises, on financial crises, etc.), and may or may not be part of the <a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-plan&#038;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">Business Continuity Plan<\/a>.<\/p>\n<h2>BCP (Business Continuity Plan) vs. BRP (Business Resumption Plan)<\/h2>\n<p>The <em>Business Resumption Plan<\/em> is a concept not present in ISO 22301, but widely used in other frameworks, like NIST 800-34, BS 25999-1, APS 232, NFPA 1600, COBIT, HB 292-2006, and PAS 77.<\/p>\n<p>In these documents, the <em>BRP<\/em> refers to the actions needed to resume normal operations following the recovery of their critical processes, while a <em>BCP<\/em> is a concept covered in ISO 22301, and it represents a wider document, which covers not only the actions to resume operations, but also to respond to a disruptive event, and to recover and restore normal operations. Considering these definitions, the content of a <em>BRP<\/em> would be part of a <em>BCP<\/em>.<\/p>\n<h2>To assemble a puzzle, you have to know its pieces<\/h2>\n<p>Business continuity and disaster recovery are already a challenge by themselves, and designing and implementing them without understanding their fundamental terms only adds unnecessary difficulties.<\/p>\n<p>While this article can offer you a quick start for understanding business continuity, you should consider reading the definitions directly from the sources mentioned at the beginning of this article.<\/p>\n<p><em>To implement ISO 22301 easily and efficiently, use our<\/em> <a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a> <em>that provides step-by-step guidance and all documents for full ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The pandemic has increased organizations\u2019 interest in business continuity, as a way to protect themselves against disruption of their operations. However, in most cases, there is no time to wait for learning about business continuity processes, policies, procedures, and terms. In this article, we offer help in understanding the difference between the most common business &#8230;<\/p>\n","protected":false},"author":41,"featured_media":64076,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[277,849,1071,1828,1829,1830,1831,1832,1833,1834,1835,1836],"class_list":["post-64075","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-risk-assessment","tag-bcp","tag-bia","tag-rto","tag-rpo","tag-disaster","tag-brp","tag-mao","tag-incident","tag-crisis","tag-resiliency","tag-business-continuity-terms"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/64075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=64075"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/64075\/revisions"}],"predecessor-version":[{"id":103208,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/64075\/revisions\/103208"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/64076"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=64075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=64075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=64075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}