Recovery Time Objective. Anyone who deals with Business Continuity or Disaster Recovery – as a planner, responder or auditor – is familiar with the term. It appears in every Business Continuity Management (BCM) ‘Standard’. It is the generally-accepted benchmark by which BCM programs measure both goals and achievement.
Recovery Time Objective (RTO) has be around since the early days of Disaster Recovery.
The BCM process (as exemplified by industry ‘standards’) relies on several organizational metrics as benchmarks for goals and achievements. RTO is a useful parameter for planning – and for gauging the result of an exercise or test. But in today’s connected world, news – especially bad news – travels at the speed of the Internet.
As a relative measure (comparing the criticality of one business operation against another) RTO is a useful measure. So for planning purposes, RTO can help determine relative criticality; providing the ‘order of battle’ in which business processes (or IT services) must be restored.
But shouldn’t our understanding of the implications of internet propagation & amplification also influence our recovery goals? Should some algorithmically-generated RTO serve as our only recovery goal?
We need to understand that RTO is a planning metric – not an incident response objective. The reality in today’s wired world is that every Business Continuity recovery objective should be as sas possible.
In fact, it’s probably time to introduce another valuable acronym: AQAP (As Quickly as Possible). It’s time to stop pretending that RTO has any meaning beyond its value as a relative planning metric. Why not use “ASAP”? Because its meaning has already been morphed by common usage; it often means “when I get around to it” or “if I ever find the time”). Incident Response needs a clear and obvious objective. That’s what makes the acronym AQAP perfect for the role. There’s no mistaking As Quickly as Possible for ASAP.
Let 2017 be the year that Business Continuity Management stops treading the same old path and faces the fact that the Response to any business disruption – no matter how limited – requires recovery AQAP: As Quickly as Possible. AQAP is the new paradigm for Incident Response.
