Objective Versus Capability

As Business Continuity Professionals, we deal with objectives and capabilities every day, whether it be for Recovery Time or Recovery Point. The recovery objective and related capability remain at the center of attention in most Business Continuity-related discussions. However, before we go any further, let's have a look at some of the most discussed terms that we, as BCP professionals, live with:

  • Recovery Time Objective (RTO) is the duration of time and service level within which a business process must be restored after a disaster or disruption to avoid unacceptable consequences associated with a break in business continuity.
  • Recovery Point Objective (RPO) is the maximum tolerable period within which data might be lost from an IT service due to an incident.
  • Recovery Time Capability (RTC) is the duration of time and service level within which a business function can recover its services following a reported impact after a disaster with its current systems, procedures, and available resources other than IT.
  • Recovery Point Capability (RPC) is the real capability of an organization to recover business-critical data following a disaster compared to its Recovery Point Objective. You may dream of recovering every bit of data after a disaster, but if you or your vendors don't have the required infrastructure, your dreams shall remain dreams.

To discuss this further, both RTO and RPO are goals derived from a successful business impact analysis, indicating the organization's need to restore and maintain availability of its most critical activities after being hit by an incident. RTC and RPC, on the other hand, indicate the current capabilities of the resources the organization would leverage to restore its most critical business activities within the limits defined by the RTO and RPO. These capabilities must meet the business-demanded objectives for both business recovery and data recovery to ensure successful resumption after a disruption.

Any difference between business objectives and current capabilities leads to a serious gap in an organization's resiliency and must be brought to senior management's attention with a detailed analysis of the gap and its impact on the organization's continuity of critical services. After that, a strong workaround and mitigation plan with aggressive timelines should be launched. Approved gaps must be listed in the affected business continuity plans so that users of those plans, as well as concerned senior leadership, are aware of the gaps and can execute the identified and approved workarounds in the event of a disruption.

The gap identification closure plan should be reviewed with senior management for effective tracking and positive stakeholder influence.

Shivani Chhatwal

Business Support Manager (AVP); Global Information Security; Bank of America

8 years

Good one Mr. Walia!!

More articles by Manish Walia CISSP, CISM
