Maximum Acceptable Outage (MAO) Explained

Organizations of today rely heavily on digital infrastructure for…everything. Even a few minutes of downtime can translate into significant financial losses, in addition to the potential harm to reputation. With the news of downtime like the 2024 CrowdStrike incident, more organizations are looking for ways to better handle such events.

This is where metrics, like Maximum Acceptable Outage (MAO), are often used to measure and assess the potential damage through downtime. Understanding and managing your business's MAO is crucial for maintaining operations and ensuring business continuity.

In this blog post, we'll explore what MAO is, why it's important, and how to manage it effectively.

Introduction to Maximum Acceptable Outage (MAO)

We understand that MAO is needed in every business impact analysis (BIA) plan. But what does that involve?

We'll start with its definition first.

What is Maximum Acceptable Outage (MAO)?

Maximum Acceptable Outage, often abbreviated as MAO, refers to the maximum length of time that a business function can be halted without causing irreparable harm to the organization.

Essentially, it's the threshold of downtime your business can endure before facing serious consequences. Calculating MAO involves assessing various factors, including the nature of your business, the services you provide, and the needs of your customers.

There are a few factors that can affect your MAO:

• Industry and business type: Certain industries, such as healthcare or finance, may have stricter regulations and compliance requirements that can impact their MAO.
• Impact on revenue: The longer a business is down, the greater the potential financial loss. This will also depend on the type of services your business offers and how much revenue is generated during downtime.
• Customer needs and expectations: Customers' expectations play a big role in determining MAO. If your customers rely heavily on your services, they may have a lower tolerance for downtime compared to other businesses.

Some good resources to learn more about MAO include:

• ISO 22300:2021 Security and resilience — Vocabulary
• ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements
• Good Practice Guidelines 2018 Edition

Why MAO matters

Understanding your MAO is crucial for assessing your IT downtime risk and is effective business continuity planning.

With a specific quantifiable limit set, you can develop strategies to ensure that any downtime stays within acceptable parameters. This not only helps in minimizing disruptions but also aids in quicker recovery, thereby safeguarding your business operations and reputation.

How to calculate MAO

Calculating MAO involves a thorough risk assessment and impact analysis. You'll need to consider various metrics such as financial loss per hour of downtime, customer dissatisfaction, and potential long-term impacts.

Here's an example of a formula for MAO calculation:

MAO = [(Customer satisfaction score x Revenue per hour) + (Estimated long-term impact)] / Potential financial loss per hour

However, it's important to note that calculating MAO is not an exact science and can vary depending on the nature of your business and industry. In general, you would be taking all aspects of potential gains divided by the potential losses. Although this might be hard to quantify, it would still give you a rough estimate of your business's MAO.

Service Continuity Requirements

What is Maximum Tolerable Period of Disruption (MTPD)?

Maximum Tolerable Period of Disruption (MTPD) refers to the maximum duration of an outage or disruption that a business can handle before it suffers permanent damage.

While MAO focuses on minimizing impacts and recovering from downtime, MTPD considers the long-term consequences and potential irreparable harm caused by extended disruptions.

Alternative metrics to MAO

In addition to MAO, there are two other metrics that play a significant role in business continuity planning: Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

While MAO focuses on the maximum downtime an organization can endure, RPO and RTO focus on how quickly the organization can recover from a disruption.

What is Recovery Point Objective (RPO)?

Recovery Point Objective refers to the amount of data loss an organization can tolerate during a disruption. It's usually expressed as a time frame, such as "recovery must be within four hours with no more than 15 minutes of data loss."

This metric helps organizations determine how frequently they should back up their data to ensure minimal data loss in the event of a disruption.

(Related reading: data loss prevention.)

RTO and RPO illustrated on a timeline, before and after a disaster occurs.  (Original image source.)

What is Recovery Time Objective (RTO)?

Recovery Time Objective refers to the amount of time an organization needs to recover its critical systems and resume operations after a disruption. It's usually expressed as a specific timeframe, such as "recovery must be within 24 business hours."

This metric helps organizations prioritize which systems need to be recovered first and develop strategies for quicker recovery.

The impact of exceeding MAO

MAO is an essential way to plan for disaster in organizations. However, this means that exceeding it can have serious consequences.

Some potential impacts of exceeding MAO include:

Financial loss

Downtime can result in direct financial losses, such as loss of revenue and productivity, as well as indirect costs such as customer dissatisfaction and damage to reputation. For example, the global IT outage in 2024, caused a total of US$1 billion in damages. CrowdStrike’s share price also dropped by 17.95% from July 15 to July 19.

Learn more about the potential financial losses in our survey and research The Hidden Costs of Downtime.

Legal consequences

In some industries, exceeding MAO can lead to legal consequences. For example, if a software company exceeds its MAO, it may face penalties for breach of contract or failure to deliver services.

Some regulations include specific requirements for MAO, such as ISO 22301, which states that organizations should determine their MAO and ensure it is understood by all parties involved.

Damage to reputation

Exceeding MAO can also harm an organization's reputation. In a digital age where news spreads quickly through social media, extended downtime can result in negative publicity and loss of trust from customers.

Strategies for managing MAO

The impacts of not accounting for MAO can be severe, which is why it's crucial to have strategies in place for managing it effectively.

Proactive measures

One of the most effective ways to manage MAO is by taking proactive measures. This includes regular system maintenance, updating software, and conducting routine checks to identify potential issues before they escalate.

Some pre-emptive measures include:

• Risk Assessment: Conduct a thorough risk assessment to identify potential threats and vulnerabilities.
• Business Continuity Plan: Develop a detailed business continuity plan that outlines steps to minimize downtime and recover quickly in the event of a disruption.

Fault tolerance and redundancy

Implementing fault tolerance and redundancy can significantly reduce the risk of exceeding your MAO.

Fault tolerance involves creating systems that can continue to operate even if a part fails, while redundancy ensures that there are backup systems in place to take over in case of a failure.

Disaster recovery planning

A comprehensive disaster recovery plan is crucial for managing MAO. This plan should outline the steps to be taken in the event of a disruption, including communication protocols, roles and responsibilities, and recovery procedures.

Regularly testing and updating this plan ensures that your business is always prepared for unexpected events.

MAO mitigation steps

Here are some additional steps organizations can take:

1. Conduct regular risk assessments and impact analysis to determine your organization's MAO.
2. Develop a comprehensive business continuity plan that outlines specific actions to minimize downtime and recover quickly in the event of a disruption.
3. Test and regularly update your business continuity plan to ensure its effectiveness.
4. Implement technologies such as data backup, disaster recovery, and high-availability solutions to reduce the risk of exceeding MAO.
5. Train employees on their roles and responsibilities during a disruption to ensure proper execution of the business continuity plan.

These steps should provide a good foundation to ensure that your business operates within the limits of the MAO you have set.

The role of technology

Technology plays a significant role in managing MAO effectively. Here are some ways technology can help:

Automated monitoring and alerts

With the help of automated monitoring tools, organizations can keep an eye on critical systems and receive real-time alerts in case of any issues. This allows for quicker response times and minimizes downtime.

Some IT monitoring tools have this feature, including our very own Splunk Infrastructure Monitoring.

Data backup and recovery solutions

Implementing robust data backup and recovery solutions ensures that important data is always available, reducing potential data loss during disruptions. These solutions can also help organizations recover quicker and meet their MAO.

High-availability systems

High-availability systems ensure that critical applications and services remain accessible even during a disruption or hardware failure. This helps minimize downtime and reduce the risk of exceeding MAO.

(Related reading: the five 9s of availability.)

Cloud computing

Advancements in technology, particularly cloud computing, have made it easier to manage MAO. Cloud services offer high availability and scalability, allowing businesses to quickly adapt to changing needs and minimize downtime.

Artificial intelligence

Artificial intelligence (AI) is another valuable tool for managing MAO. AI can monitor systems in real-time, identify potential issues, and even predict failures before they occur.

This proactive approach allows businesses to address problems swiftly, reducing the risk of prolonged downtime. This use of AI can be used to complement automated alerts to ensure timely recovery during downtime.

For example, Splunk offers AI-powered tools to assist organizations manage their MAO effectively. Some of these tools help to:

• Query your system through SPL queries using natural language
• Anomaly detection using machine learning-based thresholds
• A Machine Learning Toolkit for building custom algorithms

System resilience

Investing in technology that enhances system resilience is essential for managing MAO. This includes robust cybersecurity measures, reliable backup solutions, and automated recovery processes.

By building a resilient infrastructure, you can ensure that your business can withstand and quickly recover from disruptions.

Final thoughts

Managing MAO is crucial for the success and reputation of any organization. By taking proactive measures, implementing fault tolerance and redundancy, having a comprehensive disaster recovery plan, and leveraging technology, businesses can minimize downtime and stay within their MAO limits.

Regular monitoring, testing, and updating of strategies are essential to ensure effectiveness. With proper planning and preparation, organizations can navigate unexpected disruptions without severe consequences.  So make sure that your organization has a robust MAO management strategy in place to protect against potential risks and maintain business continuity.