A couple of key aspects of continuity management is not well-explained in the ITIL framework:

a) Recovery Time Objective (RTO) and
b) Recovery Point Objective (RPO)

These are very key concepts within Business Continuity Planning – and hence of IT Service Continuity Management process as well.
ITIL, even in Version 3, has limited the reference to the glossaries and abbreviations as well as a couple of passing reference here and there.

Recovery Time Objective (RTO) defines the time limit within which business service/information need to be restored, post a disruption under abnormal business conditions (read disaster).

For example, let us assume a business process X has to be restored within 24 hours from an abnormal interruption (disaster) – to avoid irrecoverable impact /loss to the business. In this case, 24 hours is the RTO for this business process.


Now, imagine this business process is closely dependent on an Application A. Here, the IT service management (through the process of ITSCM) has to take the objective of putting plans in place to ensure this application will be restored within 24 hours (or even in a lesser timeframe than that). Now that will set the RTO for this application as well (that can be treated as one of the Service Levels for this IT Service).

Recovery Point Objective (RPO) defines the amount of data/information loss that business can tolerate in a disaster scenario – measured in time.

For example, in the same business process X mentioned above, assume the business cannot tolerate to lose data for more than 8 hours of the operation. It implies that business can tolerate the loss of the information that was processed upto 8 hours prior to the interruption.
In other words, if there is an interruption to the business process at 4:00 PM, the RPO states that the business need access to the information related to that process at least till 8:00 AM that day. (Assuming a round the clock operation here).
In this scenario, ITSCM inherits the objective of ensuring there are necessary plans for data backup every 8 hours of the business operation.

Hence from the above example, it is clear that the RPO (which is measuring the tolerable data loss) could demand a lesser time frame, even when the RTO (which measures the delay in recovery) has longer allowable time frames.
This explains why these are key parameters that should be considered by ITSCM process to align fully to the Business continuity requirements.

Note: the timelines mentioned above (in both cases) are just examples – it should be as agreed with the business, based on a structured Business Impact Analysis.

Advertisements