March 28, 2017 | By Greg Dougherty
This blog on RTO and RPO first appeared in March of 2017 and was updated to reflect new information in RTO and RPO in disaster recovery on November of 2022. We then updated it again to provide more information about considerations around cyberattacks in February 2024.
A crucial part of every organization’s list of objectives is to get back up and resume operations after a disaster. Whether database corruption, power outage, SAN failure, or natural disaster, disruption in any form translates to a revenue loss for the enterprise. To minimize loss, it’s imperative to have a reliable data protection program and a sound disaster recovery plan for all operations within an enterprise.
When planning data protection and disaster recovery options, there are two critical parameters to consider: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). This post discusses these two concepts, how they differ, and how they are invariably tied to your business continuity and disaster recovery plan.
What does RTO & RPO have to do with Cyberattacks?
Nowadays when it comes to cyberattacks, its a case of when they will occur instead of if. The best thing we can do to defend against attacks and hacks is be ready for them. This means having a proactive security strategy but also having a resiliant backup and recovery procedure to keep the business moving after the attack has occurred.
When presenting the backup and recovery procedure as part of your overall cyber security to investors, management or leadership. RPO and RTO are vital metrics to show that if an attack occurs, how long it will take for business tor resume.
What is RTO?
RTO or Recovery Time Objective is the period within which an enterprise should be able to resume business processes following a disruption or disaster. The objective is to get operations back up within that acceptable time frame before serious losses can arise from the break in operations. RTO answers the question: “How much time can the organization afford to lose before services can resume after a disruption?”
For instance, if your RTO is eight hours, business operations should only be down for this long before the organization would have to deal with severe consequences from the fallout. In contrast, a business that has set two days as its RTO would have more time to put all infrastructure and systems back into place.
What is RPO?
RPO or Recovery Point Objective focuses on the amount of data that could be at risk should a disaster occur and the organization’s tolerance for data loss under such an event. This metric considers an enterprise’s data backup strategy and how much data it can afford to lose between backups.
RPO answers the question: “How much data can the organization afford to lose after a disruption before such loss seriously affects operations?”
For a business that relies heavily on data, the RPO should be much shorter, and the backups, therefore, more frequent.
RPO or Recovery Point Objective focuses on the amount of data that could be at risk in a disaster and the organization’s tolerance for data loss under such an event.
RTO and RPO: What These Mean for your Business Continuity
RTOs and RPOs are crucial metrics that organizations should consider when evaluating viable disaster recovery strategies and business continuity plans. The two parameters may not be directly related, but both are essential to the recovery process. The RPO deals specifically with data–how far back before the disaster the organization can recover data and how resilient that company can manage to be with the data loss. On the other hand, the RTO is based on a larger scale and views the business as a whole, focusing on getting services back up.
Whether one carries more weight than the other or should have higher priority depends on your industry, services, and continuity strategy. An enterprise could have an RTO of 24 hours and an RPO of 7 days or the other way around. An online university, for instance, would put more importance on resuming online classes following a major power outage even while putting its data back in order; that’s RTO. For a company maintaining the database for an e-commerce site, however, the RPO is so critical that even an hour of lost data can translate to significant losses.
Ideally, both RTO and RPO should be within concise time spans—minutes, preferably—to ensure optimal business operations. But as every enterprise would know, even a few hours of RTO and RPO are difficult to achieve. It’s worth noting that the resumption of business after a disaster does not necessitate using IT systems at all times. Manual workarounds and procedures may also be implemented in order to get as close as possible to the set RTO and RPO.
Getting the balance right between criticality and cost
Of course in an ideal world, we would have the fasted RPO and fasted RTO possible to keep our data and applications safe. However, the more comprehensive our SLAs, the more costly it is for the business.
For example, if you run a full data backup every day for lower RPO, you’ll use more storage and network resources than you would if you ran them on a weekly basis, increasing cost.
To get cost effective, identify your desired RTO/RPO metrics based on criticality tiers, then explore ways to achieve them as cost-efficiently as possible.
For example, looking at a blend of private cloud and AWS infrastructure in a hybrid model can significantly reduce cost and also offer up high availability at a much lower price than hosting data in house. For enterprises that are looking for nearly foolproof recovery plans, employing Disaster Recovery as a Service (DRaaS) solutions would help ensure a fast and seamless resumption of your business, thereby meeting and exceeding your RTO and RPO.
Let Opti9 be your guide through disaster recovery and more. Get started today with your free consultation.