Critical processes, RTO and RPO

Answer: To identify the business critical processes you must first understand your organization's context and identify your relevant interested parties requirements (e.g., products and services they demand, delivery conditions, laws and regulations to be fulfilled, etc.). Based on that you can identify which processes are critical to your business.

Regarding RTO and RPO, they are more defined than calculated, because they are based on the needs and expectations of your interested parties, which most of the time reflects clauses in contracts, laws or regulations, and historical data (statistical data can also be present). So, if your definition of RTO or RPO can be supported by a solid justification, it is not mandatory for you do to search a formula to calculate them.

This article will provide you further explanation about BIA and RTO and RPO:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

This material will also help you regarding BIA and RTO and RPO:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/