III.A.3     Impact of Disruption

Through the BIA process, management should evaluate the potential impact of disruptive events, including operational, financial, and reputational impacts. Management should establish recovery objectives after determining a disruption’s impact. Common measurements include recovery point objective (RPO), recovery time objective (RTO), and maximum tolerable downtime (MTD). Where applicable, these measurements should be evaluated for alignment with third-party service providers’ contracted recovery expectations.

Figure 3: Recovery Objectives (Relative to an Event)

Figure 3 depicts a timeline of recovery objectives relative to an event.   An Event is depicted in the center of the timeline. Preceding the Event, management has to determine the Last Viable Restore Point.   On the timeline, the timeframe between the Last Viable Restore Point and the Event is known as the Recovery Point Objective and the Data Loss during this timeframe is Definite.  The first point after the Event is when All Functionality is Recovered. The timeframe between the Event and the point when All Functionality is Recovered is known as the Recovery Time Objective. During this period of time, there is the potential for additional data loss. Also, Downtime is Acceptable only to the point when All Functionality is Recovered.  The second point after the Event is the Critical Disruption Point.  During the timeframe between All Functionality Recovered and the Critical Disruption Point, there is the Potential for additional Data Loss and Down Time during this period is Excessive.  Finally, the combined timeframe between the Event and the Critical Disruption Point is considered the Maximum Tolerable Downtime.

As illustrated in figure 3, the RPO represents the point in time, before a disruption, to which data can be recovered (given the most recent backup copy of the data) after an outage. Refer to section IV.A.2, “Data and Cyber Resilience,” for additional information regarding backups.

As illustrated in figure 3, the RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and business processes. Determining the RTO is important for selecting appropriate technologies and strategies. When it is not feasible to meet an RTO, management should verify whether the RTO is realistic, initiate an action plan and milestone(s) to document the situation, and, when appropriate, plan for its mitigation. Management should consider interrelated RTOs for each business function to determine the total downtime caused by a disruption. Establishing realistic RTOs assists management in determining a critical path and hierarchy for recovery. For example, a process with a shorter RTO that is dependent upon on a process with a longer RTO may indicate a gap that should be analyzed further.

Whether driven by customer expectations or technological advancement, previously established RTOs that were a few hours in duration may now require near real-time recovery. Therefore, it may be appropriate for management to reevaluate currently acceptable RTOs.

As illustrated in figure 3, the MTD represents the total amount of time the system owner or authorizing official is willing to accept for a business process disruption and includes all impact considerations. The MTD is important for contingency planners when selecting an appropriate recovery method and developing the scope and depth of recovery procedures. Examiners may encounter other terminology to describe MTD (e.g., maximum allowable downtime).

Failure to meet established metrics, such as RPO, RTO, and MTD, may have operational impacts, including discontinued or reduced service levels, inability to meet security requirements, workflow disruptions, supply chain disruptions, and delays of business initiatives. The financial impact could include the loss of revenue, increased costs, or fines and penalties.


Previous Section
III.A.2 Interdependency Analysis
Next Section
III.B Risk Assessment