Queries on ISO22301, BCM

1) Difference between keywords 'resume' and 'recovery' w.r.t ISO22301.

Resume refers to having operations working again considering minimum specified conditions (e.g., operations resumed in the alternative site), while recovery refers to having operations back to normal conditions (i.e., main site operational again).

2) Difference between RTO and MAO as per ISO 22301. I have read the definitions as per the standard but it looks like both are same and just the difference between wording is there in their definition. Please give a detailed response as these are very confusing. Also, is MAO >= RTO always?

First is important to note that the MAO concept was present in ISO 22301:2012 and is not mentioned in ISO 22301:2019 any more, only in ISO 22300, which defines a vocabulary for ISO 22301. In the current version of ISO 22301, the concept used is MTPD (Maximum Tolerable Period of Disruption), which has the same meaning as MAO.

Considering that, the difference between MTPD and RTO is that MTPD defines the limit of time, after a disruption, for which an organization considers an impact as acceptable or unacceptable, while RTO defines when the organization wants operations to be resumed after a disruptive event.

Considering both definitions in ISO 22301, RTO can be equal or smaller than MTPD, never greater (an RTO greater than MTPD does not make sense, because you would be returning operations after impact has become unacceptable).

For example, if MTPD is 8 hours, then recovering operations at any time equal or below 8 hours is acceptable (i.e., the RTO can be any value between 0 and 8 hours, noting that the smaller the RTO, the more resources and effort you need to spent).

This article can provide further information:  

• What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

3) Difference between Crisis Management plan and BCP and relation between them

First is important to note that ISO 22301 does define "Crisis management plan", and ISO 22300 only define "Crisis management", which is a management process (not a plan) covering a set of processes to be taken to ensure proper handling of disruptive situations (e.g., identification of relevant impacts, mitigation of risks, response to disruptive events, etc.), while BCPs are primarily about plans that define activities to resume and recover service or process from a specific disruptive situation.
 
In this context, the Crisis Management provides the framework to define Business Continuity Plans.

4) Difference between crisis, disaster and incident along with examples

A crisis is an unstable situation that requires immediate attention and action.
 
Disaster is a situation where losses are greater than the normal capacity of an organization to handle it.
 
The incident is any situation that can result in a negative impact on normal operations.
 
Considering these definitions, an incident can lead to a crisis, that can lead to a disaster.
 
An example of an incident that can lead to a crisis and a disaster would be a fire (without immediate attention and action it can destroy assets and facilities that cannot be easily replaced). Other examples are pandemic, earthquake, and riots.

For further information, see:

• ISO 22301 Case study in the travel industry: Business continuity as a necessity in customer care https://advisera.com/27001academy/blog/2016/11/07/iso-22301-case-study-in-the-travel-industry-business-continuity-as-a-necessity-in-customer-care/

5) Difference between Resiliency and Business Continuity/BCM

Resiliency refers to the capacity to adapt to new situations.

Business continuity refers to the capacity to continue to deliver products or services after a disruptive event.
 
Business continuity management refers to the general process to ensure business continuity.
 
Considering these definitions, business continuity management helps build business continuity, which covers one aspect of resiliency (please note that you can have new situations that an organization will need to adapt to that does not involve a disruptive event, like the enforcement of a new regulation).

6) Difference between BCP and BRP ( Business Resumption plan)

Please note that ISO 22301 does not have the concept of a Business Resumption plan (Business Resumption Plans are defined in NIST 800-34, BS 25999-1, APS 232, NFPA 1600, COBiT, HB 292-2006 and PAS 77). 

In these documents, the BRP refers to the actions needed to resume normal operations following the recovery of their critical processes, while a BCP covers the actions to respond to a disruptive event, and resume, recover and restore normal operations.
 
Considering these definitions, a BRP would be part of a BCP.