You are on page 1of 5

In this article you will learn:

● What Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are.
Why they are critical to your data recovery and protection strategy.
● Intelligent data management starts with a plan to avoid catastrophic losses —
disaster recovery planning can guarantee the survival of your business when an
emergency strikes.
● How business continuity planning minimizes the loss of revenue while also
boosting customer confidence.

Recovery Time Objective and Recovery Point Objective may sound alike, but they are entirely
different metrics in disaster recovery and business continuity management.

Find out how to plan accordingly with the proper resources, before you need them. Much like
having insurance, you may never use it – or it may save your company.

In this article, we will examine the critical differences between RPO and RTO and clear up any
confusion!

RTO: Recovery Time Objective


RTO dictates how quickly your infrastructure needs to be back online after a disaster.
Sometimes, we use RTO to define the maximum downtime a company can handle and maintain
business continuity. This is often a target time set for services restoration after a disaster.
For example, a Recovery Time Objective of 2 hours aims to have everything back up and
running within two hours of service disruption notification.

Sometimes, such RTO is not achievable. A hurricane or a flood can bring down a business,
leaving it down for weeks. However, some organizations are more resilient to outages.

For example, a small plumbing company could get by with paperwork orders and invoicing for a
week or more. A business with a web-based application that relies on subscriptions might be
crippled after only a few hours.

In the case of outsourced IT services, RTO is defined within a​ ​Service Level Agreement​ (SLA).
IT and other service providers typically include the following support terms in their SLA:

● Availability:​ the hours you can call for support.


● Response time:​ how quickly they contact you after a support request.
● Resolution time:​ how quickly they will restore the services.

Depending on your business requirements, you may need better RTO. With it, the costs
increase as well. Whatever RTO you choose, it should be cost-effective for your organization.

Businesses can handle RTO internally. If you have an in-house IT department, there should be
a goal for resolving technical problems. The ability to fulfill the RTO depends on the severity of
the disaster. An objective of one hour is attainable for a server crash. However, it might not be
realistic to expect a one-hour solution in case of a natural disaster in the area.

RTO includes more than just the amount of time needed to recover from a disaster. It should
also include steps to mitigate or recover from different disasters. The plan needs to contain
proper testing for the measures
RPO: Recovery Point Objective
An RPO measures the ​acceptable amount of data loss after a disruption of service​.

For example, lost sales may become an excessive burden against costs after 18 hours. That
threshold may put a company below any sales targets.

Backups and mirror-copies of data are an essential part of RPO. It is necessary to know how
much data is an acceptable loss. Some businesses address this by calculating storage costs
versus recovery costs. This helps determine how often to create backups. Other businesses use
cloud storage to create a real-time clone of their data. In this scenario, a failover happens in a
matter of seconds.

Similar to RTO and acceptable downtime, some businesses have better tolerance for data loss.
Retrieving 18 hours of records for a small plumbing company is possible, but may not be
detrimental to the business operation. In contrast, an online billing company may find itself in
trouble after only a few minutes of data loss.

RPO is categorized by time and technology:

● 8-24 hours:​ These objectives rely on external storage backups of the production
environment. The last available backup serves as a restoration point.
● Up to 4 hours:​ These objectives require ongoing snapshots of the production
environment. In a disaster, getting data back is faster and brings less disruption to your
business.
● Near zero:​ These objectives use enterprise cloud backup and storage solutions to mirror
or replicate data. Frequently, these services replicate data in multiple geographic
locations for maximum redundancy. The failover and failback are seamless.

Both RTO and RPO involve periods of time for the measurements. However, while RTO focuses
on bringing hardware and software online, RPO focuses on acceptable data loss.

Calculation of Risk
Both RTO and RPO are calculations of risk. RTO is a calculation of how long a business can
sustain a service interruption. RPO is a calculation of how recent the data will be when it is
recovered.

Calculating RTO

We base RTO calculation on projection and​ ​risk management​. A frequently used application
may be critical for business continuity in the same way a seldom-used application is.
Hence, the importance of an application does not have to be the same as the frequency of
usage. You need to decide which services can be unavailable for how long and if they are
critical to your business.

To calculate RTO, consider these factors:

● The cost per hour of outage


● The importance and priority of individual systems
● Steps required to mitigate or recover from a disaster (including individual components or
processes)
● Cost/benefit equation for recovery solutions

Calculating RPO

Calculating an RPO is also based on risk. In a disaster, a degree of data loss may be imminent.
RPO becomes a balancing act between ​the impact of data loss on the business and the
cost of mitigation​. A few angry customers, because their orders are lost, might be an
acceptable loss. In contrast, hundreds of lost transactions might be a massive blow to a
business.

Consider these factors when determining your RPO:

● The maximum tolerable amount of data loss that your organization can sustain.
● The cost of lost data and operations
● The cost of implementing recovery solutions
RPO is the maximum acceptable time between backups​. If backups are performed every 6
hours, and a disaster strikes 1 hour after the backup, you will lose only one hour of data. This
means you are 5 hours under the projected RPO.

Disaster Recovery Planning

Disasters come in many forms. Such as a natural disaster, hurricane, flood, or a wildfire. A
disaster could also refer to a catastrophic failure of assets or infrastructure, like power lines,
bridges, or servers.

Disasters include all​ ​types of cybersecurity attacks​ that destroy your data, compromise credit
card information, or even disable an entire site.

With so many definitions of disaster, it is helpful to define them in terms of what they have in
common. For organizations and IT departments, ​a disaster is an event that disrupts normal
business operation​.

Dealing with disasters starts with planning and prevention.​ Many businesses use cloud
solutions in different geographical regions to minimize the risk of downtime. Some install
redundant hardware to keep the IT infrastructure running.

A crucial step in data recovery is to develop a Disaster Recovery plan.

Consider the probability of different kinds of disasters. Different disasters may warrant different
response plans. For example, in the Pacific Northwest, hurricanes are rare, but earthquakes can
occur. In Florida, the reverse is true. Cyber attacks may be more of a threat to larger businesses
with extensive online presence than smaller ones. A DDoS attack might warrant a different
response than a data breach.

A​ ​Disaster Recovery Plan​ helps to bring systems and processes online much faster than ad hoc
solutions. When everyone plays a specific role, a recovery strategy can proceed quickly. A DR
plan also helps put resources in place before you need them. Therefore, response plans
improve Recovery Time and Recovery Point Objectives.

Difference Between RTO and RPO is Critical

While closely related, it is essential to understand the differences between Recovery Time
Objective and Recovery Point Objective

RTO refers to the amount of time you need to bring a system back online. RPO is a business
calculation for acceptable data loss from downtime.

Improve these metrics and employ a Disaster Recovery plan today.

You might also like