5.2 Risk management
📘CompTIA Security+ (SY0-701)
Reporting & Business Impact: Key Metrics
When managing IT risks, organizations need to measure and report how disruptions affect business operations. This is called business impact analysis (BIA). The main goal is to minimize downtime and data loss if something goes wrong.
There are four important metrics used to report business impact:
1. RTO – Recovery Time Objective
- Definition: RTO is the maximum amount of time an IT system or service can be down before it seriously affects the business.
- Purpose: Helps IT teams plan how quickly they need to restore systems.
- Example in IT:
  - A company’s email server has an RTO of 2 hours.
  - If the server crashes, IT must restore it within 2 hours, or critical communication is impacted.
Exam Tip: Remember, RTO is about time until recovery, not data loss.
2. RPO – Recovery Point Objective
- Definition: RPO is the maximum amount of data loss a business can tolerate, measured in time.
- Purpose: Determines how often data should be backed up.
- Example in IT:
  - A database has an RPO of 4 hours.
  - If the database fails, the company can lose up to 4 hours of data, because backups are made every 4 hours.
Exam Tip: RPO is about data, while RTO is about time to restore service.
3. MTTR – Mean Time to Recovery / Repair
- Definition: MTTR is the average time it takes to repair a failed system and restore it to normal operation.
- Purpose: Measures IT efficiency in resolving problems.
- Example in IT:
  - A web server crashes 5 times in a month.
  - Repair times were: 1h, 2h, 1.5h, 3h, 2h → MTTR = (1+2+1.5+3+2)/5 = 1.9 hours.
  - This tells the IT team how long, on average, it takes to fix this server.
Exam Tip: MTTR is often compared with RTO; you should aim for MTTR ≤ RTO.
4. MTBF – Mean Time Between Failures
- Definition: MTBF is the average time a system runs without failing.
- Purpose: Helps plan maintenance and understand system reliability.
- Example in IT:
  - A file server runs 1000 hours before experiencing a failure.
  - After maintenance, it runs another 1200 hours before the next failure.
  - MTBF = (1000 + 1200)/2 = 1100 hours.
  - This helps IT plan proactive maintenance or replacements.
Exam Tip: MTBF is about system reliability, not recovery.
How They Work Together in IT
To manage IT systems effectively:
| Metric | Focus | Example |
|---|---|---|
| RTO | Time to restore service | Email server must be up within 2 hours |
| RPO | Acceptable data loss | Database backup every 4 hours |
| MTTR | Average repair time | Fix a web server in ~1.9 hours |
| MTBF | Average uptime before failure | Server runs 1100 hours on average before breaking |
- Scenario: if an online application goes down:
  - RTO tells how quickly users need the app back.
  - RPO tells how much data can be lost (from backups).
  - MTTR shows how fast IT can usually fix it.
  - MTBF shows how reliable the app is overall.
Exam Tip: Questions may ask you to match definitions with RTO, RPO, MTTR, MTBF or calculate average times using given data.
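The following is an added worked example (not part of the original notes) that computes MTTR and MTBF from a constructed outage log and checks them against RTO and RPO targets. The outage durations reuse the 1h, 2h, 1.5h, 3h, 2h figures from the MTTR example above; the dates, the RTO/RPO values and the backup interval are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample outage log for one web server (failure time, restored time).
# Durations: 1.0h, 2.0h, 1.5h, 3.0h, 2.0h, matching the MTTR example above.
OUTAGES = [
    ("2024-03-01 08:00", "2024-03-01 09:00"),
    ("2024-03-06 14:00", "2024-03-06 16:00"),
    ("2024-03-12 02:00", "2024-03-12 03:30"),
    ("2024-03-20 10:00", "2024-03-20 13:00"),
    ("2024-03-27 18:00", "2024-03-27 20:00"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def outage_hours(outages):
    """Duration of each outage in hours (failure -> restore)."""
    return [(_ts(r) - _ts(f)).total_seconds() / 3600 for f, r in outages]

def mttr_hours(outages):
    """MTTR: average time to repair, i.e. mean outage duration."""
    d = outage_hours(outages)
    return sum(d) / len(d)

def mtbf_hours(outages):
    """MTBF: average uptime from one restore until the next failure."""
    ordered = sorted(outages)
    gaps = [(_ts(ordered[i + 1][0]) - _ts(ordered[i][1])).total_seconds() / 3600
            for i in range(len(ordered) - 1)]
    return sum(gaps) / len(gaps)

def bia_check(outages, rto_hours, rpo_hours, backup_interval_hours):
    """Compare observed metrics with BIA targets.
    The average (MTTR) can meet the RTO while a single outage still
    breaches it, so the worst case is reported separately."""
    durations = outage_hours(outages)
    mttr = sum(durations) / len(durations)
    return {
        "mttr_hours": mttr,
        "mtbf_hours": mtbf_hours(outages),
        "mttr_within_rto": mttr <= rto_hours,
        "worst_outage_within_rto": max(durations) <= rto_hours,
        # Backups must run at least as often as the RPO allows data loss.
        "backup_meets_rpo": backup_interval_hours <= rpo_hours,
    }

if __name__ == "__main__":
    # Assumed targets: RTO 2h, RPO 4h, backups every 4h.
    print(bia_check(OUTAGES, rto_hours=2, rpo_hours=4, backup_interval_hours=4))
```

With RTO = 2h the average repair time (1.9h) passes while the 3h outage does not, which is why a BIA report should show the worst case next to the mean.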
✅ Quick Memory Tricks for Exams:
- RTO = Time to Restore
- RPO = Data Loss Allowed
- MTTR = Average Repair Time
- MTBF = Average Time Before Failure
