Adaptive RTO Research: Implications for Taiwan BCM and ISO 22301 Compliance

Winners Consulting Services Co., Ltd. has found that an academic study from the field of underwater acoustic networks provides a new theoretical basis for a core, long-standing challenge in Business Continuity Management (BCM) for Taiwanese enterprises: how to dynamically set Recovery Time and Recovery Point Objectives (RTO/RPO). When network transmission latency is unpredictable, a fixed RTO setting will significantly reduce system throughput and reliability. In contrast, a predictive method using a Bayesian dynamic linear model allows the RTO to adapt, thereby enhancing overall system resilience. This insight has direct practical value for Taiwanese companies establishing an ISO 22301 certified framework and setting RTO targets in their Business Continuity Plans (BCP).

Source Paper: Adaptive RTO for handshaking-based MAC protocols in underwater acoustic networks (Yankun Chen, Fei Ji, Q. Guan, arXiv, 2017)
Original Link: https://doi.org/10.1016/j.future.2017.08.022

About the Authors and This Research

This paper was co-authored by Yankun Chen, Fei Ji, and Q. Guan, published in 2017, made available on the arXiv platform, and later formally included in an international journal (DOI: https://doi.org/10.1016/j.future.2017.08.022). To date, the paper has been cited 18 times, including 2 high-impact citations, indicating its research findings have gained a degree of recognition in the academic community.

Co-author Fei Ji's academic influence is particularly noteworthy, with an h-index of 6 and 306 total citations, demonstrating considerable research depth in underwater communications and network protocol design. Yankun Chen has an h-index of 3 and 41 citations, marking him as an emerging researcher in the field. The three authors focus on Underwater Acoustic Networks (UANs), a highly challenging research area where long propagation delays, latency variations, and high bit error rates compel researchers to develop more sophisticated transmission control mechanisms than those used in traditional networks.

Notably, researchers at NIST (National Institute of Standards and Technology) have recently been discussing governance frameworks for AI system safety and reliability at international conferences, including requirements for resilient system design. This trend echoes, from another discipline, the adaptive resilience mechanism proposed in this paper and further confirms the strategic importance of dynamic adjustment mechanisms in modern system governance.

Fixed RTO: The Silent Killer of System Resilience and the Breakthrough of Bayesian Dynamic Prediction Models

The core contribution of this paper is to reveal the fundamental damage that the "fixed RTO assumption" inflicts on system performance and to propose a new method for adaptively adjusting RTO by dynamically predicting Round-Trip Time (RTT) using a Bayesian dynamic linear model.

Key Finding 1: Fixed RTO Leads to Significant Degradation of System Throughput in Environments with Latency Variation

The propagation delay in underwater acoustic networks can be as high as several seconds, and this value fluctuates significantly with environmental changes. Through simulation analysis, the researchers point out that when a system uses a fixed RTO value, if the RTO is set too low, it will lead to a large number of unnecessary retransmissions (false timeouts), consuming valuable bandwidth. If set too high, it causes the system to wait too long during a genuine failure, severely impacting queueing delay and overall throughput. Both scenarios directly worsen the system's business continuity capability. The results clearly show that in environments with significant RTT fluctuations, a fixed RTO is the root cause of inefficiency.

Key Finding 2: Bayesian Dynamic Linear Model Improves Both RTO Prediction Accuracy and Throughput

The researchers propose using a Bayesian Dynamic Linear Model to predict RTT and adaptively adjust the RTO value accordingly. Simulation results show that compared to the traditional Karn's algorithm, the Bayesian method has clear advantages in both prediction accuracy and system throughput. The predicted values can quickly track actual changes in RTT, avoiding the system response lag caused by prediction delays. Furthermore, the probabilistic framework of the Bayesian method naturally accommodates uncertainty, allowing it to maintain stable control even in highly dynamic network environments. This is highly consistent with the core logic of Model Predictive Control (MPC)—using a predictive model to make optimal decisions in an uncertain environment.
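The trade-off in Key Findings 1 and 2 can be reproduced with a small simulation. This is an added example, not code from the paper or from Winners Consulting; RTO here is the per-exchange timeout computed from the predicted RTT. Assumptions: a local-level (random walk plus noise) dynamic linear model stands in for the paper's Bayesian model, and the variances, the safety factor `k` and the RTT trace are constructed for illustration.

```python
import math

def make_trace():
    """Constructed RTT samples (seconds): 20 near 2.0 s, then 20 near 3.5 s."""
    jitter = [0.10, -0.10, 0.05, -0.05]
    return [(2.0 if i < 20 else 3.5) + jitter[i % 4] for i in range(40)]

class LocalLevelDLM:
    """Random-walk-plus-noise DLM: theta_t = theta_{t-1} + w_t, y_t = theta_t + v_t."""
    def __init__(self, m0=2.0, c0=1.0, w=0.05, v=0.01, k=3.0):
        self.m, self.c = m0, c0      # posterior mean / variance of the RTT level
        self.w, self.v = w, v        # assumed state and observation variances
        self.k = k                   # safety margin in forecast standard deviations

    def rto(self):
        # One-step forecast is N(m, c + w + v); the timeout sits k sigmas above its mean.
        return self.m + self.k * math.sqrt(self.c + self.w + self.v)

    def update(self, rtt):
        r = self.c + self.w          # prior variance of the level before this sample
        gain = r / (r + self.v)      # how far the estimate moves toward the sample
        self.m += gain * (rtt - self.m)
        self.c = gain * self.v

def evaluate(trace, rto_fn, update_fn=None):
    """Return (false_timeouts, mean_slack) over a trace of successful exchanges.
    Simplification: every sample feeds the filter, including one that timed out."""
    false_timeouts, slack = 0, []
    for rtt in trace:
        rto = rto_fn()
        if rtt > rto:
            false_timeouts += 1      # timer fired although the reply was on its way
        else:
            slack.append(rto - rtt)  # extra wait this timer would add on a real loss
        if update_fn:
            update_fn(rtt)
    return false_timeouts, sum(slack) / len(slack) if slack else 0.0

def compare():
    trace = make_trace()
    dlm = LocalLevelDLM()
    return {
        "fixed_low_2.5s": evaluate(trace, lambda: 2.5),
        "fixed_high_6.0s": evaluate(trace, lambda: 6.0),
        "adaptive_dlm": evaluate(trace, dlm.rto, dlm.update),
    }

if __name__ == "__main__":
    for name, (timeouts, slack) in compare().items():
        print(f"{name:16s} false_timeouts={timeouts:2d} mean_slack={slack:.2f}s")
```

On this trace the low fixed value times out on every exchange after the latency shift, the high fixed value never times out but waits seconds longer than needed, and the adaptive timer misses only the first sample after the shift.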

Key Finding 3: ARQ Mechanism Requires Accurate RTT Estimation as a Prerequisite

The paper also emphasizes that the effective operation of the Automatic Repeat reQuest (ARQ) mechanism depends on accurate RTT estimation. If the RTT estimation error is too large, the ARQ mechanism will frequently fail in high bit-error-rate environments, leading to a decrease in data transmission reliability. This finding has direct risk management implications for any business system that needs to ensure data integrity—especially when an enterprise relies on receiver-driven transport protocols for critical business data synchronization.

Core Implications of Dynamic RTO Research for BCM Practices in Taiwan

The insights from this paper pose a fundamental challenge to how Taiwanese enterprises set RTO/RPO targets within their Business Continuity Management (BCM) frameworks: a static RTO setting may severely underestimate the actual time required for recovery in real-world network environments and business disruption scenarios.

The ISO 22301 international standard for Business Continuity Management Systems requires companies to set clear RTO and RPO targets for critical business functions based on a Business Impact Analysis (BIA) and to regularly verify the achievability of these targets. However, many companies in Taiwan still tend to use a fixed RTO value when establishing their Business Continuity Plan (BCP)—for example, "system recovery within 4 hours of disruption"—without fully considering the impact of dynamic factors such as network transmission latency variation and data synchronization queue backlogs on the actual recovery time.

The conclusions of this paper directly challenge this static mindset. Specifically, BCM practices in Taiwanese enterprises should focus on the following three aspects:

  • Incorporate Latency Uncertainty into RTO Target Setting: When conducting a BIA, companies should not only use historical average recovery times as the RTO baseline but also assess the impact of network latency variation on data synchronization and system recovery speed.
  • Design Adaptive Recovery Verification Mechanisms in BCP: Inspired by the logic of Bayesian dynamic prediction, companies should establish management mechanisms that can monitor system recovery progress in real-time and dynamically adjust recovery priorities.
  • Simulate Realistic Latency Variation Scenarios in ISO 22301 Exercises: Tabletop and functional exercises should include non-ideal scenarios such as network congestion and fluctuating transmission delays to verify that RTO targets can still be met under worst-case conditions.

It is worth noting that as Taiwanese enterprises increasingly rely on cloud services, hybrid IT architectures, and emerging technologies like Vehicle-to-Everything (V2X), the complexity and uncertainty of the network environment will only continue to grow. International IT vendors like HPE have explicitly called for businesses to evolve their security mindset from "backup" to "resilience," which aligns with this paper's core message of emphasizing dynamic adaptation over static rigidity. In the next 3 to 5 years, Taiwanese companies that can incorporate dynamic RTO estimation into their BCM frameworks will gain a significant competitive advantage in business resilience.

How Winners Consulting Helps Taiwanese Enterprises Build a Dynamically Resilient BCM Framework

Winners Consulting Services Co., Ltd. assists Taiwanese enterprises in establishing Business Continuity Plans (BCP) in accordance with the ISO 22301 standard, setting scientific RTO/RPO targets, and conducting Business Impact Analysis (BIA) and crisis management exercises. To address the dynamic RTO challenges revealed by this paper, Winners Consulting recommends that Taiwanese companies take the following specific actions:

  1. Conduct Dynamic RTO Stress Testing: Add network latency variation scenario simulations to the existing BIA framework. Assess whether the actual recovery time of critical business systems still meets RTO targets when transmission latency fluctuates by 30% to 50%, and revise the RTO settings in the BCP accordingly.
  2. Establish a Dynamic RTO Target Monitoring Mechanism: Drawing from the core logic of Bayesian prediction models, create a continuous performance monitoring dashboard for critical business systems. Regularly track the deviation between actual system recovery times and target values, and initiate a BCP review process when the deviation exceeds a predefined threshold.
  3. Enhance the Realism of ISO 22301 Exercises: Incorporate non-ideal network environments (such as bandwidth congestion and surges in queueing delay) into annual BCM exercise scenarios. This ensures that exercise results truly reflect the company's recovery capabilities in worst-case scenarios, rather than just verifying RTO achievement rates under ideal conditions.

Winners Consulting Services Co., Ltd. offers a Free BCM Framework Diagnosis to help Taiwanese enterprises establish an ISO 22301-compliant management system within 7 to 12 months, including dynamic RTO target setting, Business Impact Analysis (BIA), and realistic scenario exercises.

Frequently Asked Questions

What are the specific risks of a fixed RTO setting for a company's Business Continuity Plan (BCP)?

The biggest risk of a fixed RTO is its assumption of stable system recovery times, a premise unsupported by real-world IT environments. This paper's research clearly shows that when transmission latency fluctuates, a fixed RTO creates two failure modes: "premature retransmissions" and "excessive waiting," directly harming system throughput and data integrity. For businesses, this means the RTO target set in a BCP (e.g., 4-hour recovery) may be completely unattainable during network degradation, a flaw that often goes unnoticed without stress testing. ISO 22301 requires regular exercises to validate RTO achievability precisely to avoid this risk of "compliant on paper, failing in practice." Enterprises should verify RTO targets at least annually under simulated non-ideal conditions like network congestion.

What are the most common challenges Taiwanese enterprises face with RTO/RPO setting when implementing ISO 22301?

The most common challenge for Taiwanese enterprises implementing ISO 22301 is the lack of an objective, quantitative basis for setting RTO/RPO. Many companies derive their RTO targets from executive experience or industry norms rather than a systematic Business Impact Analysis (BIA). This often leads to overly optimistic RTOs that overlook the actual complexity of IT architecture recovery, data synchronization delays, and critical vendor support timelines. Clause 8.4.1 of ISO 22301 explicitly requires using a BIA to identify critical business functions and set scientific MTPD, RTO, and RPO values. Based on our experience at Winners Consulting, after incorporating quantitative stress testing, approximately 40% to 60% of companies need to revise their initial RTO targets.

What are the core requirements of ISO 22301, and how can Taiwanese enterprises plan the implementation timeline?

ISO 22301 is the international standard for Business Continuity Management Systems, with core requirements covering: context of the organization, leadership commitment, risk assessment, Business Impact Analysis (BIA), BCP development, exercises and testing, and continual improvement. A typical implementation timeline is 7 to 12 months: months 1-2 for a gap analysis; months 3-5 for conducting the BIA and setting RTO/RPO targets; months 6-8 for establishing BCP documentation and management mechanisms; months 9-10 for tabletop and functional exercises; and months 11-12 for passing the external certification audit. The timeline extends for larger organizations with more complex IT architectures. Winners Consulting recommends starting with a free framework diagnosis to determine the most suitable implementation path.

How many resources are needed to establish a dynamic BCM framework, and how are the expected benefits evaluated?

The resources required to establish an ISO 22301-compliant BCM framework depend on the company's size and existing management maturity. For a mid-sized enterprise (200-500 employees), a full implementation project—including BIA, BCP development, exercises, and certification—typically involves consulting fees between NT$800,000 and NT$2,000,000, with an internal commitment of 1-2 dedicated staff members. In terms of expected benefits, ISO 22301 certified companies often reduce their average recovery time after a disruption by 30% to 50% compared to those without a BCM framework. They also gain significant advantages in regulatory compliance, customer trust, and supply chain access. Companies with some existing BCM foundations can reduce implementation costs by 20% to 30%. We recommend starting with a free diagnosis to obtain an objective ROI assessment.

Why choose Winners Consulting for Business Continuity Management (BCM) related issues?

Winners Consulting Services Co., Ltd. is one of the few consulting firms in Taiwan with certified expertise across ISO 22301 Business Continuity Management, information security, and automotive cybersecurity. Our team has over 10 years of hands-on BCM consulting experience, having helped numerous Taiwanese companies in manufacturing, finance, and technology establish ISO 22301-compliant frameworks and achieve certification in formal external audits. Our key differentiator is that we don't just provide documented BCP templates; we help build a sustainable, dynamically adjustable BCM culture. Our BIA methodology incorporates quantitative stress testing to ensure RTO/RPO targets are genuinely achievable.
