The Problem with MTPD

There is a number buried in every business impact analysis that drives more planning decisions than almost anything else: the Maximum Tolerable Period of Disruption. It determines recovery time objectives, shapes recovery strategies, and informs how much money an organisation is prepared to spend on resilience. It sits at the heart of ISO 22301 and most established Business Continuity methodologies.

It is also, in my experience, one of the most misleading outputs of the entire BIA process.

What the evidence tells us

Consider what has happened to three major UK organisations in the past twelve months. Marks and Spencer suffered a ransomware attack in April 2025 that shut down online ordering for 46 days and took nearly four months to fully restore click and collect. The estimated cost was £300 million. Jaguar Land Rover was hit by a cyber attack in August 2025 that halted production at all three UK plants for five weeks, at a direct cost of £196 million, sending shockwaves through a supply chain employing over 100,000 people. The Co‑operative Group had its shelves stripped across 2,300 stores for weeks after an attack in late April 2025, with a reported cost of £206 million.

All three organisations are still trading. All three are still going concerns. None of them collapsed.

Now ask yourself: what MTPD did each of those organisations have written down for online sales, vehicle manufacturing, or grocery supply? Almost certainly something measured in hours or days, not weeks or months. Yet every single one of them blew past that figure by an enormous margin and came out the other side battered, bruised, and significantly poorer, but intact.

So what does the MTPD actually tell us?

The cliff‑edge assumption

The logic of MTPD is that there is a point beyond which disruption to a critical activity becomes unrecoverable. Cross that line and the organisation faces existential consequences. It sounds rigorous. It sounds measurable. But it assumes that disruption works like a cliff edge, and it does not.

Organisations do not hit a threshold at hour 73 and cease to function. They degrade. They adapt. They lose revenue, lose customers, lose reputation. The damage is cumulative and context‑dependent, not absolute. A week without online ordering in January is a different proposition from a week without online ordering in the run‑up to Christmas. A manufacturing shutdown during a model transition is different from one at peak production. The context matters enormously, and a single number cannot capture it.

Worse, the false precision of an MTPD figure gives people confidence in a number that was, in most cases, an educated guess made by a department head during a workshop eighteen months ago. It gets written into the BIA, drives the recovery strategy, and is never seriously challenged — until the incident arrives and proves it wrong.

Where BIAs earn their keep

I want to be clear that I am not arguing against business impact analysis. I am a strong advocate for the process, but for reasons that have very little to do with the MTPD figure itself.

The real value of a good BIA is in the conversation it forces. When you sit down with a department head and work through their critical activities, what you uncover are the dependencies and back‑office processes that nobody thinks about until they stop working. The payroll run that depends on a single person and a system that has not been upgraded since 2017. The supplier approval process that sits entirely in one person’s inbox. The contract management spreadsheet that has never been backed up anywhere except a local hard drive.

These are the findings that make BIAs worth doing. They surface the operational fragility that sits beneath the surface of every organisation, in the processes that are too mundane to attract attention and too critical to survive without. No board paper on resilience will ever mention the payroll interface file, but when it breaks, everybody notices within days.

A better question than “how long have we got?”

The problem is not that we ask organisations to think about the impact of disruption. The problem is that we funnel that thinking into a single number and then treat that number as though it were a fact. A more honest approach would acknowledge that the impact of disruption depends on when it happens, what else is going on, how customers and regulators respond, and a dozen other variables that no workshop can predict.

Instead of asking “what is the maximum tolerable period of disruption?” we might be better served asking “what would we need to do differently if this activity were unavailable for a day, a week, a month?” That question leads to graduated response planning, to trigger points, to thinking about what “good enough” looks like at different stages of an incident. It treats disruption as a continuum rather than a binary, and it produces planning that is far more useful when something actually goes wrong.

M&S, JLR, and the Co‑op all survived disruptions that almost certainly exceeded their documented MTPDs many times over. They survived because organisations are more resilient than any single number suggests. The BIA process should reflect that reality, not obscure it.


Helen Molyneux is the founder and director of Cambridge Risk Solutions. A certified Lead Auditor for ISO 22301 and ISO 27001, she has spent nearly two decades helping organisations across the public and private sectors build genuine resilience — not just documented compliance. She writes from practice, not theory.
