Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are essential to the success of any business continuity program. With a wide range of potential business interruptions, RTO and RPO are two of the most critical factors of a disaster recovery or data protection plan. Along with Business Impact Analysis (BIA), RTO and RPO are viable strategies to be included in Business Continuity Planning (BCP).
Recovery Time Objective (RTO)
RTO refers to how much time an interruption can last for any business function – this often involves information technology software or hardware – before the business is adversely affected in terms of loss of money or reputation. RPO is a measure of how much data can be lost or inaccessible before the company is significantly harmed. Much of the time, specific RTOs are determined by a firm’s information technology department and how much downtime could be experienced before processes and internal and external clients are affected and how long it will be before systems are restored. Inevitable outages and resulting repairs that take a few hours can be more damaging than interruptions and subsequent fixes that take days. Most information technology recovery strategy needs are of critical importance. The IT department should be at the forefront of any RTO and RPO data recovery in collaboration with the applications’ users. IT failures are commonplace, and having a backup process can limit RTO to seconds, depending on the function being served. An increase in the number of cyberattacks worldwide has placed added importance on RTO and RPO. Knowing how much time and amount of data can be lost before a company is negatively impacted can prompt senior management to budget accordingly in terms of seeking preventative measures. A successful RTO analysis provides IT the opportunity to prioritize certain functions and assign sufficient resources to make sure the business is minimally impacted.
Recovery Point Objective (RPO)
While RTO is the minimum amount of downtime, you can afford it before your business suffers. The Recovery Point Objective is the point in time you’d like to go back to retrieve clean versions of your files. How often backups run, and how much space is available to store the backups are crucial factors in RPO analysis. Senior management must place limits on RTO and RPO based on the application and resulting cost considerations involved to minimize damage. Many large companies invest heavily in technology upgrades each year with an eye on acceptable levels of RTO and RPO. After all, time is money. A 2016 study by an independent business continuity software provider determined that a corporation with annual revenue of $100 million would lose around $275,000 during an RTO of 24 hours, $45,000 on an RTO of four hours, and $7,600 on an RTO near zero. A similar study conducted by IHS in 2016 showed that outages cost businesses an estimated $700 billion a year. A comprehensive business continuity plan relies on RTO and RPO to help minimize potential downtime during an unexpected interruption. More than ever before, customers want to use businesses they can depend on because many choices exist in a competitive market.
IT Disaster Recovery Plan
A successful Disaster Recovery (DR) plan involves input from company executives and key personnel in every department. A critical first step is the creation of a Disaster Recovery plan includes a Business Impact Analysis (BIA) and provisions for ongoing employee training. A BIA is performed to determine which functions and processes must be prioritized to limit any unexpected interruption of service effectively. A DR plan is developed to outline the necessary step-by-step procedures for successful prevention or recovery.
Depending on the scope of the business involved, a DR plan can be rather concise or a document consisting of hundreds of pages contained in a large binder. Each employee should be given at least one copy of the plan and perhaps a second copy to keep at home if the company office cannot be accessed in case of an emergency. One best practice is to put copies of the disaster recovery strategies in a bright orange folder or binder for quick identification when needed.
Many DR plans use decision trees to help employees become familiar with a variety of potential disasters that could trigger a business continuity event and what actions need to be taken for every process and function that could be adversely affected.