How to choose the correct RPO & RTO for your business

RPO v RTO

It may seem pedestrian to be covering RPO and RTO. Everyone knows this stuff, right? Whilst many readers will already know the dictionary definitions, it is commonplace not to fully understand the business implications of the decisions behind them. This article covers RPO and RTO with a specific focus on how these terms relate to the business.

Definitions


RPO stands for Recovery Point Objective, whilst RTO stands for Recovery Time Objective. RPO is the maximum age, measured backwards from the moment of the incident, that your most recent recoverable copy of the data is allowed to have; everything created after that point may be lost. RTO is possibly simpler to understand: it is the maximum time allowed between the incident and the restoration of the data and the services that depend on it. Both are expressed as durations, and both are targets that a solution's actual backup frequency and measured restore time must be checked against. These are the definitions, but to understand the implications for a business a better way to think about them is with two questions:

1. What is the maximum amount of data loss that is acceptable to the business? = RPO

2. How long can the business afford to be without the data, or the services that rely on that data? = RTO

So I want zero, right?

Once most organisations understand RPO and RTO in terms of business impact, their next statement will be that they cannot afford any data loss or any downtime. Whilst there are certain circumstances where this is genuinely necessary, it comes at a price. In general, the closer you get to zero for either measure, the higher the cost of the solution will be. The amount of money spent on the solution needs to be proportionate to the financial and other costs of downtime. There may even be circumstances where the cost of protecting the data exceeds the cost of simply recreating it from scratch.


Not all data is equal

This leads nicely into the next point: not all data is equal. So whilst it may be necessary to assure minimal downtime and zero data loss for financial data, this may be less true for users' file data. As well as the data's importance to the business, organisations also need to consider industry, regulatory and legal requirements around that data. For example, an organisation holding medical records would almost certainly be required to ensure the availability of those records for years to come. Organisations will also need to consider what I would call soft factors, which are harder to measure but include things like impact on reputation, and the uniqueness of the data coupled with the ability to recreate it. An example of unique data would be the movie archive held by a media company: if those files are lost they cannot simply be regenerated.


Putting it all together

Work through the following checkpoints to ensure you select the correct RPO and RTO for your organisation.

  1. Understand the financial impact of downtime to help develop a budget.
  2. Understand the other impacts of downtime (reputation, regulatory exposure, unrecoverable unique data) to refine that budget.
  3. Understand regulatory and legal obligations; these set hard ceilings on RPO and RTO regardless of cost.
  4. Remember not all data is the same. Classifying it will allow a more targeted RPO/RTO per class and potentially reduce the cost of the project.
  5. Ask how much data we can afford to lose; this is your RPO.
  6. Ask how long we can afford for the system to be down; this is your RTO.
  7. Remember cost will generally increase the closer you aim to get your RPO and RTO to zero.
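As an added worked example (this is not code from the original article, and every tier, cost, incident rate and data class in it is a constructed figure, not real data), the following Python model puts the checkpoints above into a form you can argue over with finance: each data class carries its cost of downtime, its cost of lost data and its regulatory ceilings; each candidate solution carries the RPO and RTO it delivers and its annual price; the model rejects tiers that breach the ceilings and picks the one whose price plus expected outage cost is lowest. A small operational check at the end shows the verification a practitioner actually needs once a target is set: whether the newest verified backup is still within the RPO.

```python
"""Worked RPO/RTO trade-off model. Added example, not from the article;
every tier, cost, incident rate and data class below is a constructed figure."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DataClass:
    """One class of data after classification (checkpoint 4)."""
    name: str
    downtime_cost_per_hour: float  # checkpoints 1-2: cost of the service being unavailable
    loss_cost_per_hour: float      # cost of each hour of data that is gone for good
    max_rpo: timedelta             # checkpoint 3: ceiling set by regulation or contract
    max_rto: timedelta


@dataclass(frozen=True)
class ProtectionTier:
    """A candidate solution: the RPO and RTO it delivers and what it costs per year."""
    name: str
    rpo: timedelta
    rto: timedelta
    annual_cost: float


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def expected_annual_cost(dc: DataClass, tier: ProtectionTier,
                         incidents_per_year: float = 2.0) -> float:
    """Solution cost plus the expected cost of the outages it still leaves you with.

    Each incident costs the downtime rate for the whole RTO (service unavailable that
    long) plus the loss rate for the whole RPO (that much recent data is unrecoverable).
    """
    per_incident = (dc.downtime_cost_per_hour * _hours(tier.rto)
                    + dc.loss_cost_per_hour * _hours(tier.rpo))
    return tier.annual_cost + incidents_per_year * per_incident


def meets_obligations(dc: DataClass, tier: ProtectionTier) -> bool:
    """Checkpoint 3: a tier is only eligible if it honours the legal/regulatory ceilings."""
    return tier.rpo <= dc.max_rpo and tier.rto <= dc.max_rto


def choose_tier(dc: DataClass, tiers: list, incidents_per_year: float = 2.0) -> ProtectionTier:
    """Pick the eligible tier with the lowest total expected annual cost (checkpoints 5-7)."""
    eligible = [t for t in tiers if meets_obligations(dc, t)]
    if not eligible:
        raise ValueError(f"no tier satisfies the obligations for {dc.name!r}")
    return min(eligible, key=lambda t: expected_annual_cost(dc, t, incidents_per_year))


def backup_within_rpo(last_good_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """Operational check: is the newest restorable copy young enough to honour the RPO?
    Feed this the completion time of the last *verified* backup, not the last scheduled one."""
    return now - last_good_backup <= rpo


# Constructed candidate solutions (assumed figures, cheapest to most expensive).
# "rebuild from source" models the case where protecting the data costs more than
# recreating it: nothing is kept, so effectively all of it is lost per incident.
TIERS = [
    ProtectionTier("rebuild from source", timedelta(days=365), timedelta(hours=24), 0.0),
    ProtectionTier("weekly tape", timedelta(days=7), timedelta(hours=72), 5_000.0),
    ProtectionTier("nightly backup", timedelta(hours=24), timedelta(hours=8), 20_000.0),
    ProtectionTier("hourly snapshots", timedelta(hours=1), timedelta(hours=2), 60_000.0),
    ProtectionTier("synchronous replication", timedelta(0), timedelta(minutes=15), 250_000.0),
]

# Constructed data classes (assumed figures; the 1 h / 4 h ceilings stand in for a
# hypothetical regulatory requirement on financial records).
DATA_CLASSES = [
    DataClass("financial transactions", 10_000.0, 100_000.0, timedelta(hours=1), timedelta(hours=4)),
    DataClass("user file shares", 500.0, 200.0, timedelta(days=7), timedelta(days=7)),
    DataClass("CI build cache", 100.0, 0.0, timedelta(days=3650), timedelta(days=3650)),
]


def plan(tiers=TIERS, data_classes=DATA_CLASSES, incidents_per_year: float = 2.0) -> dict:
    """Map each data class to the name of the tier chosen for it."""
    return {dc.name: choose_tier(dc, tiers, incidents_per_year).name for dc in data_classes}


if __name__ == "__main__":
    for dc in DATA_CLASSES:
        print(f"\n{dc.name}: ceiling RPO {dc.max_rpo}, RTO {dc.max_rto}")
        for t in TIERS:
            flag = "ok " if meets_obligations(dc, t) else "n/a"
            print(f"  {flag} {t.name:<24} RPO {str(t.rpo):>18} RTO {str(t.rto):>16} "
                  f"expected annual cost {expected_annual_cost(dc, t):>12,.0f}")
        print(f"  -> {choose_tier(dc, TIERS).name}")
    # Monitoring view: a nightly job that last succeeded 26 hours ago breaches a 24 h RPO.
    now = datetime(2024, 1, 2, 4, 0, tzinfo=timezone.utc)
    last = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    print("\nwithin RPO:", backup_within_rpo(last, now, timedelta(hours=24)))
```

With these assumed figures the model lands on a different tier for each class: the financial data is worth the price of zero RPO because every lost hour of transactions costs more than the replication does, the file shares settle on a nightly backup, and the build cache is cheapest to simply rebuild. Change the incident rate or the hourly costs and the answers move, which is exactly the conversation the checkpoints are meant to force: the numbers, not a reflex for "zero", decide the target.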
