GResilience glossary
The terms, defined.
Plain English. Cross-referenced. Maintained — because the spreadsheet of definitions you inherited isn't doing the job.
- Business Impact Analysis (BIA): A structured assessment of the impact a disruption to a business service would cause, and the recovery objectives required to tolerate it.
- Business Continuity Plan (BCP): The documented set of procedures a business follows to keep critical services available — or recover them — during and after a disruption.
- Recovery Time Objective (RTO): The maximum tolerable duration of disruption to a business service before significant impact occurs.
- Recovery Point Objective (RPO): The maximum tolerable amount of data loss measured in time, expressed as 'no more than X minutes/hours of data lost'.
- Maximum Tolerable Period of Disruption (MTPD): The longest a business service can be unavailable before the impact becomes unacceptable — the upper bound that constrains every RTO underneath it.
- Minimum Business Continuity Objective (MBCO): The minimum level of service a business must continue to deliver during a disruption to remain viable for customers, regulators and counterparties.
- After-Action Review (AAR): A structured post-incident review that captures what happened, what worked, what didn't, and what changes — to controls, plans or training — must follow.
- Mean Time To Recover (MTTR): The average time taken to fully recover from an incident, measured from detection to service restoration. The headline operational metric for resilience programmes.
- Severity Levels (SEV-1…SEV-4): A standard scale for classifying incident severity, from SEV-1 (customer-facing outage, all-hands) down to SEV-4 (minor, no customer impact). Drives paging, comms and escalation.
- Tabletop Exercise: A discussion-based exercise that walks key stakeholders through a scenario to test plans, decisions and communication — without touching live systems.
- Concentration Risk: The risk created when too many critical services depend on a single vendor, region, person or system. A primary concern under DORA and PRA SS1/21.
- ICT Third-Party Risk (DORA Art. 28): The risk arising from external technology providers — cloud, SaaS, processors — formalised under DORA with explicit register, contractual and exit-strategy requirements.
- DORA (Digital Operational Resilience Act): The EU regulation establishing operational resilience requirements for the financial sector and its ICT third-party providers, in force since January 2025.
- NIS2 Directive: The EU directive expanding cybersecurity and resilience obligations for operators of essential and important services across critical sectors.
- NIST CSF 2.0: The 2024 update to the NIST Cybersecurity Framework, organised around six functions — Govern, Identify, Protect, Detect, Respond, Recover — and adopted globally beyond critical infrastructure.
- SOC 2 (Type II): An AICPA attestation report covering the security, availability, processing integrity, confidentiality and privacy controls of a service organisation, evaluated over a sustained period.
- ISO 22301: The international standard for Business Continuity Management Systems (BCMS), specifying requirements for planning, establishing, implementing and maintaining a BCMS.
- MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, used to classify and respond to security incidents.