The term recovery time objective refers the maximum amount of time allowed to recover resources, restart an activity, or provide services or products after a disruption event occurs. It is a targeted time period to ensure that adverse consequences do not become unacceptable.
Determining appropriate recovery time objectives (RTO) is a critical part of the process of business continuity planning. An RTO for a critical function or asset that is either unachievably short, or cripplingly long, can derail the organisation’s recovery from a business disruption.
The difficulty is that many organisations fail to apply a rigorous and consistent methodology for determining the RTO, instead relying on “common sense”, which is potentially not much better than guesswork.
The first step required to achieve a more robust RTO determination is to clearly define the Maximum Acceptable Outage (MAO) or Maximum Tolerable Period of Disruption (MTPD). This is the period of time for which the organisation can go without providing its product or service or main business activity, before unacceptable adverse impacts occur. In other words, how long can the primary business of the organisation be out of action before the long-term viability of the organisation is threatened?
In some organisations this may be a very precise timeframe, but for many it will be a ballpark, such as 3 to 4 weeks. Consideration of the relevant criteria for the organisation and its stakeholders is required in order to determine the timeframe; such as the creditors not being paid, or the loss of the majority of customers, or reputational damage sufficient to cause loss of customers and inability to attract new customers.
The MAO or MTPD can be determined for the organisation overall, as well as for each individual function or asset. Timescales can be set appropriate to the type of organisation/activity, such as 0-1 hours all the way up to 3+ months.
Once the MAO is determined, it provides clarity for the estimation of the RTO, since the function/asset must be recovered within the timeframe of the MAO.
The optimal timeframe for the RTO is neither too close to the incident (e.g. it’s often not economically efficient to recover a function within 1 hour when it can be done without for 2 weeks, since there are likely other functions that should be concentrated on first), nor too close to the MAO (if the effort to recover the function is not made until just before it’s required, there is a risk it may not be recovered in time).
Once all critical functions/assets have been assessed as to their MAO and RTO, they can be ranked for prioritisation of effort in recovering them, and this is reflected in the business continuity plan.
While many of the factors in determining the MAO and RTO are contingent, a consistently applied methodology of estimating the timeframes based on realistic and pragmatic assessments of the organisation’s reliance on the critical functions/assets will result in a more robust, and therefore more useful, business continuity process.
Please contact QRMC for more information.