GLOSSARY

(Taken from ASIS SPC.1-2009, all rights reserved to ASIS)

For the purposes of this document, the terms and definitions given apply.

  • Acceptable Downtime: Maximum elapsed time between a disruption and restoration of needed operational capacity or capability.
  • Alternate Worksite: A work location, other than the primary location, to be used when the primary location is not accessible.
  • Asset: Anything that has value to the organization.
  • Auditor: Person with competence to conduct an audit.
  • Continual Improvement: Recurring process of enhancing the organizational resilience (OR) management system in order to achieve improvements in overall OR management performance consistent with the organization’s OR management policy.

NOTE: The process need not take place in all areas of activity simultaneously.

  • Corrective Action: Action to eliminate the cause of a detected nonconformity.
  • Critical Activity: Any function or process that is essential for the organization to deliver its products and/or services.
  • Criticality Assessment: A process designed to systematically identify and evaluate an organization’s assets based on the importance of its mission or function, the group of people at risk, or the significance of a disruption on the continuity of the organization. 
  • Conformity: Fulfillment of a requirement.
  • Consequence: Outcome of an event.

NOTE 1: There can be more than one consequence from one event.

NOTE 2: Consequences can range from positive to negative.

NOTE 3: Consequences can be expressed qualitatively or quantitatively.

  • Continuity: Strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events in order to continue operations at an acceptable predefined level.
  • Continuity Strategy: Approach by an organization intended to ensure continuity and ability to recover in the face of a disruptive event, emergency, crisis, or other major outage.
  • Crisis: An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment. 
  • Crisis Management: Holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities – as well as effectively restoring operational capabilities.
    NOTE: Crisis management also involves the management of preparedness, mitigation response, and continuity or recovery in the event of an incident – as well as management of the overall program through training, rehearsals, and reviews to ensure the preparedness, response, and continuity plans stay current and up-to-date.
  • Crisis Management Team: Group of individuals functionally responsible for directing the development and execution of the response and operational continuity plan, declaring an operational disruption or emergency/crisis situation, and providing direction during the recovery process, both pre- and post-disruptive incident.

NOTE: The crisis management team may include individuals from the organization as well as immediate and first responders, stakeholders, and other interested parties.

  • Criticality: Of essential importance with respect to objectives and/or outcomes.
  • Damaging Potential: Harmful potential of an event, whether anticipated or unanticipated, that would impact on the ability of the organization to function effectively, cause critical harm to infrastructure, result in significant human or property losses to the organization or its stakeholders, or cause adverse effects to the reputation or integrity of the organization.
  • Disaster: Event that causes great damage or loss.
  • Disruption: An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).

NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations, or processes.

  • Document: Information and supporting medium.

NOTE: The medium can be paper, magnetic, electronic or optical computer disc, photography or master sample, or a combination thereof.

  • Emergency: Sudden, urgent, usually unexpected occurrence or event requiring immediate action.

NOTE: An emergency is usually a disruptive event or condition that can often be anticipated or prepared for, but seldom exactly foreseen.

  • Exercises: Evaluating OR management programs, rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony, administration) to demonstrate OR management competence and capability.

NOTE 1: Exercises include activities performed for the purpose of training and conditioning team members and personnel in appropriate responses with the goal of achieving maximum performance.
NOTE 2: An exercise can involve invoking response and operational continuity procedures, but is more likely to involve the simulation of a response and/or operational continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation.

  • Evacuation: Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas.
  • Event: Occurrence or change of a particular set of circumstances.

NOTE 1: Nature, likelihood, and consequence of an event cannot be fully knowable.

NOTE 2: An event can be one or more occurrences, and can have several causes.

NOTE 3: Likelihood associated with the event can be determined.

NOTE 4: An event can consist of a non-occurrence of one or more circumstances.

NOTE 5: An event with a consequence is sometimes referred to as “incident”.

  • Facility (infrastructure): Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.
  • Hazard: Possible source of danger, or conditions (physical or operational) that have a capacity to produce a particular type of adverse effects.
  • Impact: Evaluated consequence of a particular outcome.
  • Impact Analysis: Process of analyzing all operational functions and the effect that an operational interruption might have upon them.

NOTE: Impact analysis includes Business Impact Analysis – the identification of critical business assets, functions, processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption (or a change in the business or operating environment). Impact analysis identifies: 1) how the loss or damage will manifest itself; 2) the degree of potential escalation of damage or loss with time following an incident; 3) the minimum services and resources (human, physical, and financial) needed to enable business processes to continue to operate at a minimum acceptable level; and 4) the time frame and extent within which activities, functions, and services of the organization should be recovered.

  • Incident: Event that has the capacity to lead to human, intangible or physical loss, or a disruption of an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis, or disaster.
  • Incident Command Team: Consists of trained, knowledgeable personnel possessing the requisite skills to manage an emergency event.
  • Integrity: The property of safeguarding the accuracy and completeness of assets.
  • Internal Audit: Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled.

NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

  • Management Plan: Clearly defined and documented plan of action, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
  • Mitigation: Limitation of any negative consequence of a particular incident.
  • Mutual Aid Agreement: Pre-arranged agreement developed between two or more entities to render assistance to the parties of the agreement. 
  • Nonconformity: Non-fulfillment of a requirement.
  • Objective: Overall goal, consistent with the policy that an organization sets itself to achieve.
  • Organization: Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.

NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader or association, or parts or combinations thereof.

  • Organizational Resilience (OR) Management: Systematic and coordinated activities and practices through which an organization manages its operational risks, and the associated potential threats and impacts therein.
  • Organizational Resilience (OR) Management Program: Ongoing management and governance process supported by top management; resourced to ensure that the necessary steps are taken to identify the impact of potential losses; maintain viable recovery strategies and plans; and ensure continuity of functions/products/services through exercising, rehearsal, testing, training, maintenance, and assurance.
  • Policy: Overall intentions and direction of an organization, as formally expressed by top management.
  • Preparedness (readiness): Activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions, disasters, or emergencies.
  • Prevention: Measures that enable an organization to avoid, preclude, or limit the impact of a disruption.
  • Preventive action: Action to eliminate the cause of a potential nonconformity.
  • Prevention of hazards and threats: Process, practices, techniques, materials, products, services, or resources used to avoid, reduce, or control hazards and threats and their associated risks of any type in order to reduce their potential impact.
  • Probability: Extent to which an event is likely to occur.

NOTE 1: The mathematical definition of probability is “a real number in the scale of 0 to 1 attached to a random event. It can be related to a long-run relative frequency of occurrence or to a degree of belief that an event will occur. For a high degree of belief, the probability is near 1.”

NOTE 2: Frequency rather than probability may be used to describe risk.

NOTE 3: Degrees of belief about probability can be chosen as classes or ranks, such as:
- rare/unlikely/moderate/likely/almost certain; or
- incredible/improbable/remote/occasional/probable/frequent.

  • Procedure: Specified way to carry out an activity.

NOTE: Procedures can be documented or not.

  • Record: Document stating results achieved or providing evidence of activities performed.
  • Recovery time objective (RTO): Time goal for the restoration and recovery of functions or resources based on the acceptable down time and acceptable level of performance in case of a disruption of operations.
  • Residual risk: Risk remaining after risk treatment.
  • Resilience: The adaptive capacity of an organization in a complex and changing environment.

NOTE 1: Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event.

NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must.

  • Resources: Any asset (human, physical, information or intangible), facilities, equipment, materials, products or waste that has potential value and can be used.
  • Response plan: Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.
  • Response program: Plan, processes, and resources to perform the activities and services necessary to preserve and protect life, property, operations, and critical assets.

NOTE: Response steps generally include incident recognition, notification, assessment, declaration, plan execution, communications, and resources management.

  • Response team: Group of individuals responsible for developing, executing, rehearsing, and maintaining the response plan, including the processes and procedures.
  • Risk: Effect of uncertainty on objectives.

NOTE 1: An effect is a deviation from the expected – positive and/or negative.

NOTE 2: Objectives can have different aspects such as financial, health and safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process.

NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.

NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence. 

  • Risk acceptance: Informed decision to take a particular risk.

NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
NOTE 2: Risk acceptance can also be a process.

NOTE 3: Risks accepted are subject to monitoring and review.

  • Risk analysis: Process to comprehend the nature of risk and to determine the level of risk.

NOTE: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

  • Risk assessment: Overall process of risk identification, risk analysis, and risk evaluation.

NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.

  • Risk communication: Exchange or sharing of information about risk between the decision-maker and other stakeholders.

NOTE: The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, or other aspects of risk.

  • Risk criteria: Terms of reference by which the significance of risk is assessed.

NOTE: Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities, and other inputs to the assessment.

  • Risk management: Coordinated activities to direct and control an organization with regard to risk.

NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.

  • Risk reduction: Actions taken to lessen the probability, negative consequences, or both, associated with a risk. 
  • Risk tolerance: Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives.

NOTE: Risk tolerance can be limited by legal or regulatory requirements.

  • Risk transfer: Sharing with another party the burden of loss or benefit or gain, for a risk.

NOTE 1: Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk.
NOTE 2: Risk transfer can be carried out through insurance or other agreements.

NOTE 3: Risk transfer can create new risks or modify existing risks.

NOTE 4: Relocation of the source is not risk transfer.

  • Risk treatment: Process of selection and implementation of measures to modify risk.

NOTE 1: The term “risk treatment” is sometimes used for the measures themselves.
NOTE 2: Risk treatment measures can include avoiding, optimizing, transferring, or retaining risk.

  • Security: The condition of being protected against hazards, threats, risks, or loss.

NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside.
NOTE 2: The term "security" means that something not only is secure but that it has been secured.

  • Security aspects: Those characteristics, elements, or properties which reduce the risk of unintentionally, intentionally, and naturally-caused crises and disasters that disrupt and have consequences on the products and services, operation, critical assets, and continuity of the organization and its stakeholders.
  • Simulation exercise: Test performed under conditions as close as practicable to real world conditions.
  • Source: Anything which alone or in combination has the intrinsic potential to give rise to risk.

NOTE: A risk source can be tangible or intangible.

  • Stakeholder (interested party): Person or group having an interest in the performance or success of an organization.

NOTE: The term includes persons and groups with an interest in an organization, its activities and its achievements – e.g., customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.

  • Supply chain: The linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
  • Target: Detailed performance requirement applicable to the organization (or parts thereof) that arises from the objectives and that needs to be set and met in order to achieve those objectives.
  • Testing: Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria.  Testing usually involves exercises designed to keep teams and employees effective in their duties, and to reveal weaknesses in the preparedness and response/continuity/recovery plans.
  • Threat: Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.
  • Top management: Directors, managers, and officers of an organization that can ensure effective management systems – including financial monitoring and control systems – have been put in place to protect assets, earning capacity, and the reputation of the organization.
  • Vulnerability: Intrinsic properties of something that create susceptibility to a source of risk that can lead to a consequence.
  • Vulnerability assessment: The process of identifying and quantifying vulnerabilities.

Carey Business School Management Council

Name | Office | Email
Bernie Ferrari | 410.234.9210 | bferrari@jhu.edu
Glenn Steinbach | 410.234.9360 | gsteinbach@jhu.edu
Jennifer Dotzenrod | 410.234.9242 | Dotzenrod@jhu.edu
Katy Montgomery | 410.234.9467 | kmontgomery@jhu.edu
Kelly Brown | 410.234.9352 | Kelly.Brown@jhu.edu
K. Davina Frick | 410.234.9272 | kfrick@jhu.edu
Monica Moore | 410.234.9241 | monica@jhu.edu
Oksana Carlson | 443.683.0211 | ocarlson@jhu.edu
Phillip Phan | 410.234.9434 | pphan@jhu.edu
Rhett Wilson | 410.234.9433 | rhett.wilson@jhu.edu

Building Floor Plans and Area Maps

Harbor East area map

https://carey.jhu.edu/sites/default/files/2024-01/washington-dc-area-map.jpg

WASHINGTON DC CENTER-1625 Massachusetts Ave NW

Evacuation plans

1st floor evacuation plan

https://carey.jhu.edu/sites/default/files/2024-01/2nd-flr-evacuation-plan.jpg

2nd floor evacuation plan 2

6th floor evacuation plan

12th floor evacuation plan

https://carey.jhu.edu/sites/default/files/2024-01/13th-flr-evacuation-plan.jpg