When does RTO begin?

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2022.


Does RTO begin at the time of the incident or after assessment of the impact of an incident? To be ISO 22301 certified, will the organization’s definition of the starting point for RTO have to match the ISO’s definition of RTO? The published ISO definition merely states “following an incident” and it is not clear about the specific start time of RTO.

Guest
DejanK Jan 12, 2016

Answer: As you mentioned, ISO 22301 does not give a very precise definition, but the logic of Recovery Time Objective is the following: it should define a time within which an organization must recover a particular activity/process/resource, so that the damage doesn't get too big. Since the damage does not depend on the timing of your assessment and it primarily depends on the total duration of a disruption, this means that the RTO time begins at the moment of an incident occurrence (i.e. at the time the disruption begins).

Guest
colin murray Jan 09, 2022

The start time cannot be time of incident. In large enterprises the teams will always try and resolve the issue. Failover is a last resort in most incidents.

Expert
Rhand Leal Jan 12, 2022

I’m assuming that by failover you mean Disaster Recovery Plan, because the failover concept is related to protective controls that automatically take over when the main system fails, i.e., it is the first resort in most incidents, while the Disaster Recovery Plan refers to the actions to be performed when main facilities/systems cannot be recovered within an acceptable timeframe (i.e., within the Recovery Time Objective – RTO).

Considering that, the RTO needs to be considered from the time the disruption is perceived by the customer (the RTO is defined from the customer point of view), so it needs to start when the disruption is reported or detected.

What happens is that, for example, if you have an RTO of 10 hours and your DRP needs 3 hours to be implemented, the DRP only needs to be started after 7 hours of the start of the incident, and by this time the teams may solve the situation.

For further information, see:
