Business Contingency Preparedness

Glossary of Contingency Planning Terminology

BUSINESS CONTINUITY PLANNING: The overall process of developing an approved set of arrangements and procedures to ensure your business can respond to a disaster and resume its critical business functions within a required time frame objective. It is an ongoing process to plan, develop, and implement disaster recovery procedures to ensure the optimum availability of the critical business functions. The primary objective is to reduce the level of risk and cost to you and the impact on your staff, customers and suppliers.

CONTINGENCY PLAN: A specific planned response to an event which is possible, but uncertain, to occur.

CRITICAL BUSINESS PROCESS: A process in your business which is critical for the continuation of your business. The criticality of each process may change at various times during the activity and life of your business. The Business Impact Analysis will identify these processes, critical time frames and support requirements. The process may be an internal or external process.

DISASTER: A sudden, unplanned calamitous event that causes great damage or loss. In the business environment, it is an event that creates an inability on an organization's part to provide the critical business functions for some predetermined period of time.

DISASTER MITIGATION: Activities taken to eliminate or reduce the level of risk to life, property and your business from hazards.

DISASTER PREPAREDNESS: Activities, programs, and systems developed prior to a disaster that are used to support and enhance mitigation, emergency response, and recovery.

DISASTER PREVENTION: Measures employed to prevent, detect, or contain incidents, which, if left unchecked, could result in disaster.

IMPACT TOLERANT: Interruptions come in all sizes. Your ability to tolerate or control an unexpected and potentially disastrous event and to minimize its impact will depend on your Plan. You will be impact tolerant when the result of a large or small "undesirable" event does not impair your delivery of business processes. When your staff and your business are impact tolerant, you have successfully completed all the steps in the Contingency Planning Process.

PROOF-OF-CONCEPT: Can it be done? Did the terms of our contract or Service Level Agreement adequately define the process and the outcome as expected and required? In the Business Continuity Planning Process, this term is often associated with the documented process and requirements of successful disaster recovery agreements and reveals if the tests used to "prove" the agreements actually work.

RECOVERY TIME OBJECTIVE (RTO): RTO is the maximum acceptable length of time that can elapse before the unavailability of a business function severely impacts the business entity. The RTO is comprised of two components: a) the time before a disaster is declared, during which time the impact begins, is recognized and is identified, and b) the time to perform the tasks documented in the disaster recovery plan for resumption of the critical business functions.

RECOVERY POINT OBJECTIVE (RPO): RPO is the point to which a recovery process must restore process functionality to enable the business to meet or exceed deliverable requirements. Depending on agreements in place, minimum RPO requirements may be less, for short periods of time, immediately following an impact and prior to acceptable normal production recovery.

REGULAR PLAN TESTING: If a Contingency Plan is not a) documented, b) approved, c) tested, d) communicated and e) maintained, you cannot be certain that the Plan will "work". Regular completion of the Contingency Planning Process and validation of the Plan is also necessary. It is highly recommended that the Plan be tested at least once per year and more frequently as warranted due to major staff, asset, business process or procedure changes. If in any phase of your evaluation process you "ASSUME", then you should revalidate your implemented Plan. Policy statements should define plan validation requirements.

RESILIENCY: Your business is "Impact Tolerant" and you are able to effectively maintain "Business Continuity" if any impact does occur.

RISK ANALYSIS: The process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls that are in place to reduce organization exposure, and evaluating the cost for each such control. The risk analysis often includes an evaluation of the probabilities of a particular event.

RISK MANAGEMENT: A management approach designed to prevent and reduce risks, including business process and system development risks, and to lessen the impact of their occurrence. The objective is to identify the risks and mitigate them to an acceptable level while considering the risk impact, probability and cost of mitigation implementation options.

SERVICE LEVEL AGREEMENT: Documentation of the specific expectations to be met by a support or service organization or an individual. For computer-related providers, the items documented and approved may include requirements for recovery time objective, notification time lines and individuals to contact, off-site back-up and storage, post-disaster workspace definitions and many more items which you do not want to assume will be available or be completed. For transportation providers, the items included may be type of transportation vehicle, departure and arrival time frames, bonding requirements, trip plans, etc. Each SLA is unique and as specific as you require for the service being covered by the agreement. A comprehensive SLA should include metrics for the terms of the agreement, including the parties involved, the timeframe of the agreement, the process for determining the metrics and any penalty for non-compliance.

ZZZ: What you are able to do at night when your Contingency Plan works!