Predicting a future disaster is nearly impossible, but fortunately, preparing for one and deciding your organization’s aftermath is getting easier. Their abbreviated names are very similar but RTO and RPO are two very different elements that should be considered carefully when developing a business continuity plan.
The academic definitions are as follows:
The recovery time objective (RTO) is the targeted duration of time between the event of failure and the point where operations resume.
A recovery point objective (RPO) is the maximum length of time permitted that data can be restored from, which may or may not mean data loss. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.
To more concisely define the difference: RPO is the time from the last data backup until an incident occurred [that may have caused data loss] and RTO is the time that you set to recover the lost data.
Disaster Recovery Planning
To minimize the impact of a disaster, it is necessary to plan in advance, determining your organization’s tolerance for data loss and recovery time.
Recovery Time Objective (RTO)
RTO timelines are decided amid Business Impact Analysis (BIA) during business continuity planning. It is the result of strategies decided by senior management based on a target amount of time for the organization to recover its IT and business operations.
Questions to consider:
- How current is my data at the recovery site?
- By department, how much data loss is acceptable and have we quantified the cost of the acceptable loss?
Recovery Point Objective (RPO)
RPO, on the other hand, is viewed as your company’s loss tolerance, or how much data it is prepared to lose should a disaster strike. To decide this, management must consider how much time it can operate without data before its objectives are impacted.
Questions to Consider:
- How long will it take to bring an environment online once a disaster or major incident is declared?
- How much downtime is acceptable and have we quantified the cost of the acceptable downtime on a per application basis?
RTO Vs RPO
The main difference is in their purposes – being focused on time, RTO is focused on downtime of services, applications, and processes, helping define resources to be allocated to business continuity; while RPO, being focused on amount of data, has as its sole purpose to define backup frequency.
Another relevant difference is that, in relation to the moment of the disruptive incident, RTO looks forward in time (i.e., the amount of time you need to resume operations), while RPO looks back (i.e., the amount of time or data you are willing to lose).
What are RTO and RPO in disaster recovery?
RTO is used to determine what kind of preparations are necessary for a disaster, in terms of money, facilities, telecommunications, automated systems, personnel, etc. The shorter the RTO, the greater the resources required.
RPO is used for determining the frequency of data backup to recover the needed data in case of a disaster. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in big danger, but if you did it every hour, it might cost you too much and not bring additional value to the business.
Both Recovery Time Objective and Recovery Point Objective are determined during the business impact analysis (BIA), and the preparations for achieving them are defined in the business continuity strategy.
Business Continuity Example Scenario:
If an organization decides on an RTO of 4 hours and a disaster occurs at noon, the organization’s services need to be restored by 4PM.
Say the same organization decides on a 5 hour RPO and a backup of data is taken at noon. The next scheduled backup is for 5PM. Any disaster that occurs between noon and 5PM can be restored to the noon backup, therefore resulting in a maximum of a 5 hour loss of data.