The success of any disaster recovery plan hinges on whether or not two key metrics are achieved: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). But what do those two metrics mean, exactly, and why do they matter?

While the two sound somewhat similar, they actually have very different roles in your disaster recovery plan and can help you achieve business continuity in the face of disruption or downtime.

Recovery Time & Point Objectives Defined

Recovery Time Objective (RTO) can be defined as how quickly your systems or applications must be back online following a disaster. In other words, how much time after a disaster occurs can acceptably pass before systems are recovered without significant damage to the business?

Recovery Point Objective (RPO) is the acceptable level or amount of data loss following a disaster or service disruption, based on time. Another way to state this is the maximum acceptable time between backups.

RTO and RPO: Time and Risk

While both of these metrics involve the passage of time, they’re about much more than measuring time. They are also calculations of risk: How long can an organization sustain disruption caused by a disaster before systems are restored? How much data can an organization risk losing?

RTO Explained

RTO isn’t only the amount of time between the disaster and recovery. This objective is also inclusive of the steps required to reach the point of  recovery. If you have a managed services provider that you’ve contracted to provide disaster recovery services, then the RTO will be defined within your service level agreement (SLA).

RTO may be different depending upon the application or data involved. Part of establishing RTO involves assigning priority to systems and applications. Certain applications can be down for long periods without causing damage to the business. Other business-critical applications must be back online within seconds to alleviate irreparable consequences caused by the disruption.

There may be circumstances under which it isn’t possible to meet RTO, such as in the case of a natural disaster.

RPO Explained

Although RPO is expressed as a measurement of time lapsed between the last data backup and the disaster or disruption, it’s less about time and more about data loss tolerance.

Again, priority must be assigned based on the critical nature of the data and the impact to the business if that data were lost. The backup technology involved in achieving RPO is also important.

  • An RPO that is near zero uses cloud backup and storage solutions to replicate data in multiple geographic locations.
  • An RPO of up to four hours brings minimal disruption to the business because restoration relies on ongoing snapshots of the production environment.
  • An RPO of 8 to 24 hours relies on external data backups, with the most recent available backup acting as a restoration point.

How are these objectives similar?

  • When setting both RTO and RPO, you must analyze data and application priority based on how a business can carry on if either is jeopardized.
  • Priority is determined by risk as well as by revenue.
  • RTO and RPO are used together to provide recovery and continuity in case of a disaster.
  • Both objectives should be established as part of your business continuity planning.

How are RTO and RPO different?

The two have different purposes.

RTO’s purpose is relative to applications and systems. Although recovery of data is part of the objective, downtime limits are what RTO is concerned with.

RPO’s purpose has to do with measuring and establishing limits around the amount of data loss following a disaster.

What’s next?

Disaster recovery starts with proper planning and prevention. Ensure data protection, backup and recovery with AccountabilIT’s Disaster Recovery services. We’ll help you develop and implement a disaster recovery strategy that includes business-specific calculation of your RTO and RPO.  Get in touch today.