UPDATED: Maximum Tolerable Period of Disruption (MTPOD): What is it, where did it come from and why it is important to your organization?

Avalution Team Avalution Team | Jul 06, 2009

update (1)UPDATE: The British Standards Institute (BSI) has issued a corrigendum in response to this article, slightly expanding the definition of MTPOD in a business continuity management system.  The change makes explicit BSI’s intent that MTPOD be identified for critical products, services AND critical activities.  The approach described in this article establishes a MTPOD for each critical activity by mapping the activity to a critical product or service.  However, there may be some circumstances when a critical activity does not map directly to a critical product or service, but still requires an MTPOD.  An example of this situation is the Payroll function.  Some organizations define Payroll as a critical service in its own right, but other organizations consider critical products and services external facing only.  In this situation, Payroll would need an MTPOD that indicates its criticality, independent of the organization’s critical products and services.

The concept of Maximum Tolerable Period of Disruption (MTPOD) suddenly appeared with the introduction of British Standard 25999-2, published at the end of 2007.  Eighteen months later, it remains a highly misunderstood concept.  However, when applied appropriately, MTPOD will improve management’s understanding of your program and add clarity to your recovery priorities.

BS 25999-2, Section 4 states that the goal of a BIA is to “determine the impact of any disruption of the activities that support the organization’s key products and services.”  A key aspect of determining the impact of a disruption is identifying what BS 25999 calls the “Maximum Tolerable Period of Disruption,” or MTPOD.  BS 25999 defines MTPOD as the “duration after which an organization’s viability will be irrevocably threatened because of the adverse impacts that would arise as a result of not providing a product/service or performing an activity” (Updated per BSI’s Corrigendum). Put simply, MTPOD is the maximum amount of time that the organization’s key products or services can be unavailable or undeliverable before its stakeholders realize unacceptable consequences.

Start with Executive Expectations
The full application of this concept means rethinking how a BIA is approached.  While many of us start a BIA by gathering data from individual departments, MTPOD forces us to first look at products and services.  Business continuity professionals should engage their executive managers in a discussion regarding their thoughts on downtime tolerance, taking into account:

  • Customer expectations
  • Regulatory requirements
  • Reputational issues
  • Financial and operational impairment
  • Strategic consequences

Based on management input, business continuity professionals can propose preliminary Maximum Tolerable Periods of Disruption for key products or services within the scope of the business continuity program.

Map Products and Services to Critical Activities
Once MTPOD is established for key products and services, the traditional BIA data gathering process can be used to map departments and processes to each product or service.  From there, the BIA can either validate or refute these preliminary MTPOD conclusions.  Of equal importance, the BIA will identify the department, function and process details needed to achieve the MTPOD

Perhaps most importantly, the business continuity professional must understand the amount of time required to perform the process or activity in order to deliver the product or service to its key stakeholders (internal or external).  This is often referred to as cycle time.  For example, in a manufacturing company, cycle time would be how long it takes to procure necessary stock, manufacture the product, and deliver it to the customer.

Recovery Time Objectives for Critical Activities
With an understanding of MTPOD and cycle time, the business continuity professional can identify what is commonly accepted as the core output of the BIA – the Recovery Time Objective, or RTO.  RTO is the point in time following a disruption when operations must resume (at a minimum level) in order to meet downtime tolerances.  The following graphic illustrates this relationship.

Business Interruption

In Conclusion
To recap, a BIA starts with a strategic executive management-level discussion concerning MTPOD, as it relates to key products and services.  The BIA continues with:

  1. Mapping departments, functions and processes to key products and services
  2. Organizational data gathering to confirm or refute preliminary MTPOD conclusions, as well as collect department, function and process details (including cycle time)
  3. Identifying recovery time objectives based on MTPOD and cycle time
  4. Presenting BIA findings to executive management for comment and eventual acceptance

The business continuity planning process continues with the identification of response and recovery strategy options that meet recovery objectives.

Although our profession does not need another acronym, MTPOD is an important concept that will add context and validity to recovery objectives by involving management input up front and focusing on the ultimate goal – recovery of key products services.  Based on this understanding, management can ensure the proper plans are in place so the customers’ maximum tolerance is not exceeded and continual customer satisfaction is achieved.

Ready for more? Schedule a strategy session with us today!