Answer: The definition of RTO and RPO for critical systems is generally done by the person responsible for the application (e.g., by the HR Department Head for an HR system, by the Financial Department Head for an accounting system, etc.), considering the inputs of interested parties impacted by a disruption of application operation (e.g., IT staff, the organization's users, customers, regulators, etc.), but these must be approved by top management.
2 - Can the RTO and RPO be the same for a system? Which does the business provide? RTO or RPO?
Answer: RTO and RPO are completely different concepts, so they can be the same for a system. The RTO refers to a recovery time to be achieved, while the RPO refers to a point in time to which the system must be recovered with stability (any information in the period shorter than that will be lost or not considered).
For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.