There are two fundamental components of a disaster recovery plan that help organizations make business decisions – Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Have you ever asked yourself, “Well, what is RPO?” or “What is RTO?” Let us clear that up for you…
While they sound similar, they are in fact very different in terms of how they help organizations plan for and manage risk.
Recovery Time Objective (RTO)
RTO, or Recovery Time Objective, is the time needed to recover your business activities after a given outage has occurred. It can be thought of in terms of hours, days or weeks. You’ll definitely want your RTO to be as short as possible (with a best-practice timeframe being around 15 minutes).
For example – a mid-sized company (such a general contracting firm or office supply company), might be able to work manually for a few days while their systems get repaired. However, an online retailer (such as eBay or Amazon) would be in big trouble if their systems were down for even an hour.
The lower the total outage time your business can afford to be out of commission, the higher the cost of the solution(s) needed to meet the required response expectation. Basically… if your cost of downtime is a lot (such is with financial services or e-commerce), then you most definitely want to invest in creating a detailed disaster recovery and business continuity plan.
Recovery Point Objective (RPO)
RPO, or Recovery Point Objective, focuses on the data and essentially considers the time between data backups and the accounts of various backup periods that are to be saved. Basically, in the event of a disaster or outage, the RPO is the amount of data loss that your company or organization can possibly sustain. Think of it this way – how much data can you afford to lose if a disaster occurs?
For example – For an e-commerce business, the loss of even a few minutes of data can be devastating. However, for perhaps a small manufacturer, data loss of a few hours isn’t so big of a deal.
Similar to RTO, the lower the amount of rework your business can absorb and the more copies that need to be saved, the higher the cost of the solution(s) needed to provide the expected response to a given outage.
RTO and RPO built into your Disaster Recovery Plan
An important item to note is that organizations should evaluate RTO and RPO for each application independently to ensure the best possible return on investment (ROI). Essentially, a business may need different RTP/RPO arrangements for email, accounting data, files saved in a LAN driver folder structure, etc. (as some data may be more critical than other data). Hence, each “application” should be evaluated separately to ensure appropriate coverage is provided. Successful Disaster Recovery Plans will give very specific RTO’s and RPO’s for every level of the business.
Stay tuned for future posts in this series focusing on best practices in disaster recovery and business continuity. Our next blog post will cover the environment assessment considerations involved in a Business Impact Analysis and Disaster Recovery Plan.
And be sure to check out our other blog posts around disaster recovery and business continuity:
– The difference between a Business Impact Analysis and a Disaster Recovery Plan (and why you need both)
– The 4 essential steps to protect your business from disaster (INFOGRAPHIC)