On Risk Management, Business Continuity, and Security
|24 November, 2017|
The Recovery Time Objective or RTO is the amount of time for planning purposes an organization is prepared to allow to elapse after an incident before an activity is restored to some minimum level of operation at an alternative location.
The Recovery Time Objective needs to be decided in consultation with the person responsible for the activity.
In general, the shorter the RTO the more effort and expense will be required in preparing and planning for the recovery of the activity. In particular, a very short RTO implies staffed facilities on stand-by (or duplicate facilities) that can take over the activity if one location for this activity is disrupted. (e.g. a data center might transfer operations to another data center).
Less critical activities can have longer recovery time objectives: an HR department could probably delay recruitment operations for a number of weeks with little ill-effect.
Recovery Time Objectives need to be consistent with activities and resources on which the activity depends: there is no point in spending extra effort to recover an activity in a day if it depends upon another activity which will take a week to recover.
The Recovery Time Objective should be consistent with any activities or resources which the activity or resource depends on. For example, if an activity depends upon a resource whose RTO is 3 days, it probably does not make sense if its RTO is shorter than 3 days: if both are disrupted, then the resource is disrupted, then the activity cannot restart for at least 3 days.
The Recovery Time Objective needs to be decided in consultation with the person responsible for the activity and with any other person responsible for an activity which relies on the data.
© Albion Research Ltd. 2017