Section: INFORMATION SECURITY GOVERNANCE

Recovery time objectives (RTOs) are best determined by business continuity officers, who are responsible for ensuring that the organization is prepared for any type of disruption. Business managers, executive management, and database administrators (DBAs) all have important roles to play in the preparation and implementation of a disaster recovery plan, but they are not the ones who should determine the RTOs.
Reference that support this statement include:
"Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)" by ISACA (Information Systems Audit and Control Association). This resource states that "BCP and DRP teams are responsible for determining the RTOs for critical processes and systems."
"Business Continuity Planning" by the Federal Emergency Management Agency (FEMA). This guide states that "RTOs are determined by the organization and are based on the criticality of the business function and the maximum acceptable outage for that function."
"Business Continuity Planning: The Process" by Continuity Central. This resource states that "The BCP team should determine the RTOs for the organization's critical functions, processes and systems." Please note that while Business Continuity Officer is responsible for determining RTOs, it is important to consider input from other stakeholders such as executive management, IT, and other department heads to ensure that RTOs align with the overall goals and priorities of the organization.