When disaster strikes—whether it's a cyberattack, power outage, or natural disaster—community financial institutions must be prepared to restore operations as quickly and efficiently as possible. Three critical metrics guide business continuity and disaster recovery (BC/DR) planning: Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Maximum Tolerable Downtime (MTD). Understanding these terms can help institutions build resilient systems and meet regulatory expectations while keeping customers confident and operations running smoothly.
RTO is the maximum amount of time that systems and services can be down before causing significant damage to the institution. It defines how quickly you need to recover critical operations after an outage.
For example, if your core banking system has an RTO of four hours, that means your recovery plan must ensure that services are restored within that timeframe—whether through backups, alternative sites, or other contingencies.
Why It Matters: A lower RTO means faster recovery, but it requires more investment in technology, redundancy, and staffing. Institutions need to balance speed and cost when setting RTOs for different systems.
RPO determines the maximum allowable data loss measured in time. It answers the question: How far back can we go and still be okay?
For instance, if your RPO for customer transactions is 15 minutes, you must ensure that backups or replication strategies prevent data loss beyond that window. If an outage occurs at 3:00 PM, the most recent recoverable data should be from no earlier than 2:45 PM.
Why It Matters: Lower RPOs require frequent data backups or real-time replication, which can be costly. Critical systems, like transaction processing, typically have near-zero RPOs, while less critical data (e.g., archived emails) may have longer RPOs.
MTD represents the absolute maximum time an institution can afford for a system to be unavailable before the business faces irreversible consequences. It includes both the recovery time and the time spent attempting to fix the issue before switching to a recovery solution.
For example, if an institution determines its MTD for online banking is eight hours, then both the troubleshooting and actual recovery efforts must fit within that window. Exceeding MTD can lead to severe regulatory, financial, and reputational harm.
Why It Matters: MTD sets the outer boundary and drives both RTO and RPO decisions. If your MTD is 24 hours but your RTO is four hours, your recovery strategy must align to meet that requirement.
These three metrics work together to shape a strong disaster recovery strategy:
For institutions, getting these numbers right is crucial—not just for operational resilience but also for regulatory compliance. GLBA, FFIEC, and other banking regulations require institutions to have robust business continuity and disaster recovery plans in place.
When setting RTO, RPO, and MTD, it's essential to consider regulatory expectations, customer needs, and available resources. Conducting regular risk assessments, testing disaster recovery plans, and investing in the right technology will help ensure that when disruptions occur, your institution is ready to respond swiftly and effectively.
Need help refining your BC/DR strategy? Let’s talk about how to build a recovery plan that keeps your institution secure and resilient.