The Editorial Advisory Board’s Glossary of Terms Committee, in cooperation with the Disaster Recovery Institute International, revised the definition of the venerable term “recovery time objective” (RTO) in this fall’s update to the DRJ Glossary. The new definition answers two issues that have plagued the term: when does the recovery time clock start and stop? By addressing these gaps, the definition expands the perspectives and clarifies the responsibilities of stakeholders for this important concept. This article elaborates on the definition and addresses key implications.
[Please see the new definition in the glossary at www.drj.com/ tools/tools/glossary-2.html. This definition applies equally to technical or business (work area) recovery situations.]
Whether an organization enumerates RTOs in business time or elapsed time, or both, is a matter of choice. Selecting the “type of time” will answer this question in advance: if a disaster occurs at 2 a.m. on Saturday, must the organization recover a four-hour RTO by 6 a.m., or by the start of business on Monday? That decision requires involvement of all stakeholders. Failing to specify the type of duration will complicate recovery effort prioritization if more than one RTO must be satisfied after a disaster. Using a mixture of both types of duration will help organizations sequence recovery resource activities when responding to larger scale events. Organizations can focus initial efforts on recovering “elapsed time” RTOs if resources are unable to immediately address all recovery requirements.
As to the first issue, the new definition’s assessment component clearly includes the time that transpires between a disaster and the response or declaration. Normally, assessment begins immediately after a disaster. Assessment can begin before a disaster if the initiating event (e.g., a hurricane) is “predictable,” but RTO duration excludes assessment time prior to the disaster. Determining the assessment component requires involvement of both the recovery team and the supported organization.
The execution component encompasses the classic, best-known element of RTO. Before this new definition, some organizations probably included only this element in their RTO concept. The recovery team generally leads during this component.
While verification may receive the least focus, it is arguably the most important. The organization owns this component, although the recovery team would help resolve any issues. The inclusion of this component answers the second issue: RTO concludes after the supported organization conducts its verification of the function’s or application’s readiness.
The new definition poses several implications that merit further reflection. This section addresses considerations related to RTO duration and recovery testing conclusions.
Assessment duration will differ between organizations, and perhaps within the same organization. The shorter (or more optimistic) the assessment estimate is, the more importance an organization’s crisis management process assumes in limiting assessment duration. At least two hours could be required for this component, particularly for disasters occurring in non-business hours. In (technology) situations when recovery is automated, assessment time may approach zero.
Verification duration will depend on the particular application or function under consideration, and will increase in proportion to its complexity. Only the supported organization can quantify this duration. Minimizing the length of this component will require the supported group to employ wellrehearsed test scripts.
Exercise results must embrace all three components of RTO when describing recovery durations. One concept gaining increased use in exercises is (recovery time) capability or achieved. This concept describes the amount of time in which an application or function was actually recovered during an exercise. Omitting assessment or verification duration from the recovery time capability/ achieved presents a false (and overly optimistic) picture to the supported organization.
Frank Lady, CBCP, CISSP, PMP is a vice president of business continuity at a Fortune 50 company. He has been a member of the DRJ Editorial Advisory Board since 2008, and co-chairs its Glossary of Terms Committee. Lady welcomes article feedback and glossary of terms suggestions at firstname.lastname@example.org.