Why is it critical to align the RTO and RPO standards within the policy definition itself?


RTO, or Recovery Time Objective, is the target time set by an organization for recovering its systems and processes following an incident. It is a form of risk acceptance that the organization is willing to bear when disaster strikes or an incident occurs. The RPO, or Recovery Point Objective, defines the point in time that the process or system will recover to.

The time between the RPO and the incident or disaster is the accepted loss in data that the organization will bear. Ideally, both RTO and RPO should be as close to zero as possible. It is critical to state these values in the policy definition because they give the response team a strict time period in which to contain and mitigate incidents without causing failures in business continuity.