Answer: The definition of RTO and RPO for critical systems is generally done by the person responsible for the application (e.g. by the HR Department Head for a HR system, by the Financial Department Head for an accounting system, etc.), considering the inputs of interested parties impacted by a disruption on application operation (e.g., IT staff, organization's users, customers, regulators, etc.), but these must be approved by top management.
2 - Can the RTO and RPO be the same for a system? Which does the business provide? RTO or RPO?
Answer: RTO and RPO are completely different concepts, so they can be the same for a system. The RTO refers to a recovery time to be achieved, while the RPO refers to a point in time on which the system must be recovered with stability (any information in the period shorter than that will be lost or not considered).
For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.
As for which one is provided by the business, in fact both are provided by them. Most often business people think in terms of RTO (when the business must be resumed after a disruption), but from the general information they provide during a Business Impact Analysis (BIA) you can also identify the RPO.
These materials will provide you further explanation about RTO, RPO and BIA:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/