How to define your recovery time objectives
By Charlie Maclean-Bristol FBCI FEPS
Defining the recovery time objectives (RTO) for your activities is one of the most critical things the business continuity manager will carry out. Get them wrong and the whole basis for your recovery strategy is flawed. Often, rather than being an objective assessment, the RTO is driven by internal politics and by managers wanting their part of the organization (and hence themselves) to be seen as important.
For a long while I have wondered if there was any scientific way, or even a rule of thumb, for defining your RTOs but I have never come across one. A while ago I reached out to the BCMIX LinkedIn Group to ask how members went about defining their RTOs. I got lots of explanations of the process for defining them but no set rule. Most people said that defining RTOs was a combination of common sense, knowledge of the organization, and experience. These are all very good but how is a beginner going to get that experience?
In the absence of any set method of defining RTOs here are my thoughts on the subject:
The first step for defining the RTOs is to define the ‘maximum tolerable period of disruption’ (MTPD) for the activity in question. For those of you not familiar with MTPD, it is a term used in the Business Continuity Institute’s Good Practice Guidelines 2013, which defines it as “the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable”. There is an equivalent concept outlined in ISO 22301. This can be found in section 8.2.2 where the standard asks you to assess the impacts over time, as part of the business impact analysis.
In setting the MTPD you are looking for the “…duration after which an organization’s viability will be irrevocably threatened....”
I think that many people struggle with the concept of the MTPD and for most organizations it is very difficult to define precisely. There are very few organizations that could survive 30 days but not 31 days, for example.
On a slow news day an organizational incident could be number one item in the news and the company’s reputation may be retrievably damaged; while on another day the same incident might not even be picked up by the media.
There is also the issue that some organizations, especially government organizations, may not be allowed to fail; or when a small part of a multinational fails it is very unlikely to cause the demise of the whole organization.
So, in defining your MTPD, we are looking for a ‘ball park’ time at which the organization's viability is irretrievably threatened.
As we can see above, ‘irretrievably threatened’ means different things to different organizations. Before defining the MTPD it is important to agree what the criteria for the organization would be. These could range from:
The importance of these criteria is that they have to be tailored to the individual organization.
For an organization which works 24/7, such as a hospital, I would change the timescales to perhaps:
Even if the MTPD of an activity is a rough estimation, we can still use the MTPD to differentiate between different activities. Some activities will have a longer MTPD than others and this starts to give us an indication of which activities are the first to be recovered and which can wait a while.
It is important that, if you are going to use MTPD to define your RTOs, you use the same criteria each time to define your RTO. If you use different scenarios for ascertaining the MTPD for different activities then it will very much skew your findings. I use the phrase “if the entire activity was to stop”, disregarding any particular scenario when the failure of that activity led to the organization being irretrievably damaged.
Once we have the MTPD of all our activities, we are in a position to start to estimate our RTO. I say here 'estimate' as the RTO may change slightly after the design (strategy) stage of the business continuity lifecycle. In looking at an appropriate strategy to recover the RTO for practical or financial reasons you may have to adjust your RTO. In deciding on the RTO we know that the RTO must sit somewhere on a timeline before the start of the incident and the MTPD. See below:
Once we have decided on the RTO then we should go forward to the ‘design’ stage of the business continuity lifecycle. Within the design stage we look at, and then agree, the recovery strategy for that activity. It must be noted that the RTO may change in the design stage as it may have to be adjusted to make a particular strategy work. Once the RTO has ‘gone firm’ I believe that all the RTOs of the activities across the organization should be signed off by a senior manager. This to check that they meet the requirements of the organization and are acceptable to the senior managers of the organization.
I have taught the rule of thirds on a number of training courses and I would be interested if there are any comments on it.
Charlie Maclean-Bristol FBCI FEPS is director of PlanB Consulting.
•Date: 17th February 2015 • UK/World •Type: Article • Topic: BC plan development