According to the CRISC Review Manual (Digital Version), the next course of action when a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP) is to consult with the IT department to update the RTO. The RTO is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place. The RTO should be aligned with the BCP, which is a set of policies, procedures, and resources that enable the organization to continue or resume its critical business functions in the event of a disruption. Consulting with the IT department to update the RTO helps to:
Ensure that the RTO reflects the current business requirements and expectations for the availability and recovery of the key system
Evaluate the feasibility and cost-effectiveness of achieving the RTO with the existing IT resources and capabilities
Identify and implement the necessary changes or improvements in the IT infrastructure, processes, and controls to meet the RTO
Test and validate the RTO and the IT recovery procedures and verify their compatibility and consistency with the BCP
Communicate and coordinate the RTO and the IT recovery plan with the relevant stakeholders, such as the business owner, the risk owner, and the senior management
References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751
Submit