Glossary term
RTO / RPO
Also: Recovery Time Objective, Recovery Point Objective
Two core BCM metrics. RTO is the maximum tolerable downtime: the deadline by which a process must be back online after an incident. RPO is the maximum tolerable data loss, expressed as a span of time before the incident.
Example: an online banking RTO of 30 minutes means the service must be back within 30 minutes of an incident. An RPO of 5 minutes means at most 5 minutes of transactions may be lost, so a restorable copy of the data must exist no older than 5 minutes at any time.
Method: in the BIA each process is assigned an RTO and an RPO, and those values drive backup frequency, replication setup, failover architecture and location strategy. Low RTO/RPO values are expensive: they usually call for active-active setups, synchronous replication and multiple sites.
DORA and NIS2 require RTO and RPO per critical function to be explicitly documented and regularly tested. A BCM strategy without RTO/RPO values is not audit-defensible.
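As an added illustration (not part of this glossary entry), a small Python check that applies the BIA rule above: the backup interval bounds the worst-case data loss, so it must not exceed the RPO, and the restore duration measured in the last recovery test must not exceed the RTO. The process names and the payroll and card authorisation figures are constructed; only the online banking RTO and RPO values come from the entry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Process:
    """One BIA line item: the targets plus what the current setup actually delivers."""
    name: str
    rto: timedelta               # Recovery Time Objective from the BIA
    rpo: timedelta               # Recovery Point Objective from the BIA
    backup_interval: timedelta   # time between restorable copies (0 = synchronous replication)
    measured_restore: timedelta  # restore duration observed in the last recovery test


def minutes(td: timedelta) -> int:
    return int(td.total_seconds() // 60)


def worst_case_loss(p: Process) -> timedelta:
    """Worst case: the incident hits just before the next copy would have been taken,
    so one full backup interval of transactions is gone."""
    return p.backup_interval


def actual_loss(last_good_copy: datetime, incident: datetime) -> timedelta:
    """Data loss for a concrete incident: everything written since the last restorable copy."""
    if incident < last_good_copy:
        raise ValueError("incident precedes the last restorable copy")
    return incident - last_good_copy


def evaluate(processes: list[Process]) -> dict[str, list[str]]:
    """Return, per process, the list of RTO/RPO findings (empty list = both targets met)."""
    findings: dict[str, list[str]] = {}
    for p in processes:
        issues = []
        if worst_case_loss(p) > p.rpo:
            issues.append(
                f"RPO {minutes(p.rpo)} min not met: copies every {minutes(p.backup_interval)} min "
                f"allow up to {minutes(worst_case_loss(p))} min of loss"
            )
        if p.measured_restore > p.rto:
            issues.append(
                f"RTO {minutes(p.rto)} min not met: last test restored in {minutes(p.measured_restore)} min"
            )
        findings[p.name] = issues
    return findings


# Constructed sample BIA. The online banking targets match the glossary example;
# the other processes and all backup/restore figures are made up for illustration.
SAMPLE_BIA = [
    Process("online banking", rto=timedelta(minutes=30), rpo=timedelta(minutes=5),
            backup_interval=timedelta(minutes=15), measured_restore=timedelta(minutes=20)),
    Process("payroll", rto=timedelta(hours=24), rpo=timedelta(hours=4),
            backup_interval=timedelta(hours=1), measured_restore=timedelta(hours=36)),
    Process("card authorisation", rto=timedelta(minutes=15), rpo=timedelta(0),
            backup_interval=timedelta(0), measured_restore=timedelta(minutes=9)),
]

if __name__ == "__main__":
    for name, issues in evaluate(SAMPLE_BIA).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it prints one line per process. In the constructed sample, online banking fails its RPO (a 15-minute backup interval cannot honour a 5-minute RPO; that gap is what pushes such services toward synchronous replication), payroll fails its RTO, and card authorisation meets both targets. Feeding the real figures from the last recovery test into `measured_restore` is what turns the BIA values into the documented, tested evidence DORA and NIS2 ask for.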
Related terms
BCM
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI…
DORA
EU regulation on digital operational resilience in the financial sector. Directly applicable since 1…
NIS2
EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 Germa…
Readiness Score
A 0–100 score that quantifies how decision-ready a memo actually is. It breaks down into criteria co…
RFP (Request for Proposal)
A structured document that invites vendors to propose a solution against specified requirements, eva…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
