RPO and RTO – what are they, and why do they matter to your business?

19 Nov 2018

RPO and RTO (recovery point objective and recovery time objective) are two important metrics you should consider as part of your wider disaster recovery plan. Here we take a closer look at both, and why they matter to any business or organisation.

RPO – Recovery Point Objective

So, what is RPO? Well, in simple terms, your Recovery Point Objective (RPO) specifies how much time you have during a data ‘disaster’ before the amount of data you lose goes beyond what’s considered acceptable as defined in your Business Continuity Plan.

In other words, it defines how much data you can realistically afford to lose before it affects normal business operations or constitutes a serious data-loss problem. The ‘point’ at which things get serious will differ according to the type of business you operate – and the nature of the data you create, hold and take ultimate responsibility for. Critically, it also differs according to when your last data backup took place. For example, an hour of data loss for a financial or legal business will be far more damaging than, say, for a recruitment agency – so your RPO should reflect this, and so should the intervals between backups of data. Basically, it should answer the question, ‘how long until data loss affects business as usual?’

So in practice, RPO looks at what just happened, while RTO focuses on how long it takes to fix…

RTO – Recovery Time Objective

And what is RTO? As the name suggests, this is your disaster recovery time: how long it should take to recover fully from data loss, or a system or application problem that exposes or restricts access to data. As with your RPO, your RTO depends on the nature of your business and the sensitivity of data it generates and/or stores – so the more business-critical and/or private the data that’s potentially compromised, the faster you need to have it fully recovered and secured. Like your RPO, you should state your RTO clearly in your Business Continuity and Disaster Recovery Plan, and ensure you have the means to meet it should anything go wrong.

RPO vs RTO

Well, there isn’t really an either/or here. At least not if you want a fit-for-purpose means of recovering from data loss or compromise. However, it’s important to reiterate the difference between the two:

  • RPO is the maximum amount of time between the last data backup and the ‘disaster’ that affects it. The more frequent the backups, the less data you lose.
  • RTO is the maximum amount of time that can pass between data loss and complete recovery of systems. Depending on the data type, this can be an hour, or 15 minutes, while for banks or legal firms, for example – RTO is ‘immediately’!

Your Disaster Recovery and Business Continuity Plans aren’t complete without a clearly defined RPO and RTO.

How to define RPO and RTO for your business

As discussed, your Recovery Point Objective and Recovery Time Objective – yes, you need both – should reflect the nature of your business and the data it generates and stores. Websites or web-connected internal systems that create, use and depend on continuously updated and/or personal and private data will aim for an RPO defined in minutes or seconds – or even zero – to maintain data integrity and seamless operations. The associated RTO will reflect this, with an emphasis on returning all business-critical systems to normal ‘as before’ functionality as soon as possible. Conversely, non-revenue-generating marketing platforms, or purely information-sharing or entertainment websites may define an RPO and RTO in hours, days or even weeks.

Once defined, both need to feature prominently in your Disaster Recovery Plan – and anyone tasked with protecting data needs to know exactly how to ensure these objectives are reached.

Why your business needs a Disaster Recovery Plan

RPO and RTO planning is just one aspect of your business or organisation’s Disaster Recovery Plan – a fully documented process that will define the recovery period for returning a business’ IT infrastructure to ‘business as usual’ as soon as possible (or in ample time to protect the business and its customers) if anything goes wrong. Remember that the causes of these ‘disasters’ can be internal, such as human error or system failure – or external, such as malware or power cuts.

One way of looking at it is to plan for the worst-case scenario and ask ‘what do we stand to lose?’ This isn’t scaremongering – it’s the best way to ensure you cover every aspect of what needs protecting, including customer data, day-to-day business functionality, and reputation. Let’s say you sell financial or legal services, or even handbags or car parts, online. You hold personal and possibly confidential data as part of what you do. What would the knock-on effects be if one of your servers or hard drives failed and your backup wasn’t as frequent as it should be? What if a flood knocks out your minute-by-minute physical backup, and your cloud solution only backs up every hour? What would the repercussions be? These are all things to consider as you define your RPO and RTO as an integral part of your overall Disaster Recovery Plan.

About BackupVault

BackupVault provides fully automated, hassle-free, UK-based backup services to organisations all over the world – from small business to global brands, to public-sector clients and large corporate enterprises.

Find out more…