ISO 27031 reality check: The dangerous gap in RTO between business and IT

In the world of business continuity management (BCM), there is hardly any other metric that is as fundamental and at the same time as dangerously misunderstood as the recovery time objective (RTO). While specialist departments and IT departments believe they speak the same language, they often define the starting point of this critical period in fundamentally different ways. This discrepancy is not an academic quibble – it is a ticking time bomb that, in an emergency, leads to false assumptions about security, escalating conflicts and uncontrolled financial damage.

Two worlds, one key figure: When does the clock really start?

The controversy can be reduced to a simple question: When does the RTO clock start? The answer often divides organisations into two camps, one following the ISO standards and the other following the common practice in the German BSI environment.
  • The business perspective (according to ISO 22301 & ISO 27031): For the business, the damage begins at the exact moment of the incident. Every second of downtime costs money, trust and market share. International standards such as ISO 22301:2019 and the new ISO 27031:2025 are unambiguous here: the RTO clock starts when the incident occurs, i.e. at the moment of the damaging event, not when it is noticed or declared. This perspective is the only logical basis for a valid business impact analysis (BIA), because it captures the entire duration of the unavailability.

  • The IT perspective (common practice, often in the BSI environment): For the IT department, the RTO is often a Service Level Objective (SLO) that must be measured and reported on. In practice, the clock therefore often only starts ticking after the incident has been detected, analysed and an emergency formally declared. The detection, analysis and decision-making phases are not included in the IT RTO. 

These different starting points create ‘hidden downtime’ – a period during which the company is already suffering damage, but the IT recovery clock has not yet started ticking.

The fatal disadvantages of the discrepancy

This hidden downtime is the root cause of a cascade of strategic errors and operational risks:

  • The illusion of security arises when IT reports compliance with its 4-hour RTO because technical recovery after the emergency was declared took only 3.5 hours. However, at this point, the business has already suffered 6.5 hours of downtime (3 hours of ‘hidden downtime’ + 3.5 hours of recovery) and has long exceeded the maximum tolerance limit defined in the BIA. The IT traffic light is green, while the company is in the red.

  • Worthless business impact analyses and poor planning of solution options are the result, because when the departments define their RTO requirements, they assume the total downtime. If IT confirms this requirement with a different time calculation, all subsequent solution options are based on a false premise. The BIA thus changes from a control instrument to an instrument of self-deception.

  • A pre-programmed crisis conflict is inevitable when different expectations collide in an emergency. Management expects a restart based on the business RTO, while IT works according to its own time calculation. The result is a loss of trust, ineffective crisis management and recriminations at precisely the moment when close cooperation would be vital for survival.

  • Underestimated risks and insufficient budgets are the result, because hidden downtime represents an uncalculated risk. The costs incurred during this phase are not included in the risk assessment. As a consequence, budgets for the measures that would address it, such as faster detection mechanisms or manual workarounds to bridge exactly this period, are dismissed as unnecessary.

Conclusion: A wake-up call for management and those responsible

The different interpretations of RTO are not a semantic trifle, but a fundamental governance problem. The new ISO 27031:2025 recognises this reality and draws the consequence: if IT cannot meet the RTO required by the business (measured from the moment of the incident), the organisation is obliged to have a plan to bridge this gap, namely the manual workaround.

Recommendations for action for management and those responsible:

  • Creating a uniform language is crucial. Initiate a workshop between business managers and IT management with the sole aim of adopting a company-wide binding RTO definition that begins at the point of the damaging event. Anchor this definition in your BCM and ITSCM policy.

  • Measuring reality is essential. Introduce the Recovery Time Actual (RTA) metric. In tests and exercises, measure the actual time from the simulated incident to the restoration of the service, including detection, analysis and declaration. This RTA is the honest measure of your resilience.

  • Make the gap transparent. Create a gap analysis that compares the business requirement (RTO) with the actual performance (RTA). This comparison is the basis for every strategic decision, whether it is an investment in faster IT or in the development of robust manual processes.

  • Taking responsibility is fundamental. Developing workarounds is not an IT task, but the responsibility of the process owners in the specialist departments. Management must provide the necessary budgets and resources for this and establish a testing culture that sees weaknesses as learning opportunities.
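The two clocks described above can be made visible with a few lines of code. The following is an added example, not code from the original article: it takes the timestamps captured for each process during an exercise (incident, detection, declaration, restoration), computes the RTA once from the incident and once from the emergency declaration, and lists every process where IT would report green while the business RTO was in fact breached. The process names, RTO values and timestamps are constructed for illustration; the first record reproduces the article's 3 h + 3.5 h = 6.5 h case.

```python
"""RTO vs RTA gap analysis for a BCM exercise (added illustration, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class ExerciseRecord:
    """Timestamps captured for one business process during an exercise."""
    process: str
    rto: timedelta          # business RTO agreed in the BIA
    incident: datetime      # damaging event occurs: the business clock starts here
    detected: datetime      # incident noticed by monitoring or users
    declared: datetime      # emergency formally declared: the IT clock usually starts here
    restored: datetime      # service available to the business again

    def __post_init__(self):
        # Timestamps must be in causal order; anything else is a logging error, not a result.
        if not (self.incident <= self.detected <= self.declared <= self.restored):
            raise ValueError(f"{self.process}: timestamps are not in causal order")


def hours(td: timedelta) -> float:
    return td / HOUR


def hidden_downtime(r: ExerciseRecord) -> timedelta:
    """Time the business is already down before the IT recovery clock starts."""
    return r.declared - r.incident


def rta_business(r: ExerciseRecord) -> timedelta:
    """Recovery Time Actual as ISO 22301 / ISO 27031 count it: from the incident."""
    return r.restored - r.incident


def rta_it(r: ExerciseRecord) -> timedelta:
    """Recovery Time Actual as IT commonly reports it: from the emergency declaration."""
    return r.restored - r.declared


def gap_analysis(records):
    """Compare the business RTO with both RTA readings for every process."""
    rows = []
    for r in records:
        rows.append({
            "process": r.process,
            "rto_h": hours(r.rto),
            "hidden_h": hours(hidden_downtime(r)),
            "rta_it_h": hours(rta_it(r)),
            "rta_business_h": hours(rta_business(r)),
            "it_green": rta_it(r) <= r.rto,
            "business_green": rta_business(r) <= r.rto,
            # Shortfall the organisation must bridge, by faster IT or a manual workaround.
            "gap_h": max(0.0, hours(rta_business(r) - r.rto)),
        })
    return rows


def illusion_of_security(rows):
    """Processes where IT reports its RTO as met although the business RTO was breached."""
    return [row["process"] for row in rows if row["it_green"] and not row["business_green"]]


# Constructed exercise log: hypothetical processes and times, not real data.
T0 = datetime(2025, 3, 10, 8, 0)
SAMPLE = [
    # The article's numbers: 3 h hidden downtime + 3.5 h recovery = 6.5 h against a 4 h RTO.
    ExerciseRecord("Payment processing", 4 * HOUR, T0, T0 + 1.75 * HOUR, T0 + 3 * HOUR, T0 + 6.5 * HOUR),
    # Fast detection: both clocks agree that the RTO is met.
    ExerciseRecord("Customer portal", 8 * HOUR, T0, T0 + 0.25 * HOUR, T0 + 0.5 * HOUR, T0 + 3 * HOUR),
    # Fails even on IT's own clock; no hidden-downtime argument is needed here.
    ExerciseRecord("Warehouse management", 2 * HOUR, T0, T0 + 0.5 * HOUR, T0 + 1 * HOUR, T0 + 4 * HOUR),
]

if __name__ == "__main__":
    rows = gap_analysis(SAMPLE)
    for row in rows:
        print(row)
    print("IT green, business red:", illusion_of_security(rows))
```

Feeding the same exercise log through both definitions is the whole point: the "Payment processing" record is green on the IT clock (3.5 h against a 4 h RTO) and red on the business clock (6.5 h), with a 2.5 h gap that either faster detection or a manual workaround has to cover.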

Close the resilience gap

Closing the gap between business requirements and IT reality is a complex challenge. Our team of experienced BCM and IRBC specialists provides targeted support to help you put theory into practice. From moderating a crucial RTO alignment workshop to conducting a thorough gap analysis and developing practical business continuity plans, we help you build real, measurable resilience.

Contact us for a no-obligation initial consultation and take the first step from a plan on paper to a crisis-proof strategy that is put into practice.