What is the need of the Recovery Point Objective (RPO)?

In disaster recovery planning, the recovery point objective (RPO), also referred to as the system restore point, is the determination of which files should be recovered in the event of an outage or other network or hardware issue in order to keep the business running smoothly. In other words, it determines which restore points the system should be restored to. For a business to determine its RPOs, it would need to determine which files are most critical and which are less critical and put them on recovery intervals to have all files backed up within a specific time period (by either minutes, hours, or days). The RPO is then specified in the business continuity plan. By ensuring that the files are regularly and automatically backed up, the business can ensure that, should an IT outage of any kind occur, their files are accessible and recoverable. This will also reduce file losses.

To create restore points, RPOs should generally be backed up less than every 60 minutes if they are critical to business operations. The most important and business-critical files should be updated very frequently. For files that are semi-critical, they should be backed up between every 1-4 hours. Files that are important but not critical can be updated every 4-12 hours, and anything else can be updated every 24 hours. Some items may even be able to be backed up less frequently, but then the risk of losing data increases.

In addition to time considerations, RPO metrics can also be affected by the size of the data backups and the available save space, network bandwidth and transfer speeds for digital data transfers, the location of the data backup, and the method used for back up (whether digital or physical).

Files can be backed up on cloud platforms; external hard drives, discs, or tapes; mirrored to a third-party location; or a combination of multiple methods. It is valuable to have data backed up in separate locations as an additional fail-safe. For instance, if the only backup method used for the most valuable data is cloud storage, this could cause additional issues retrieving the data depending on the root cause of the initial outage. Similarly, if hard drives, disks, or other physical file storage systems are used, it is beneficial to have them geographically located away from the original file-saving location to ensure that both data sets would not become unavailable due to the same incident. However, though the physical data files should be a fair distance away from the original save location, they would also need to be a reasonable distance away for quick retrieval in order to stay within the designated recovery time objective (RTO).

The RTO is also a key figure to determining how files are backed up and recovered, as it is the time that the business has available to get its operations back into a full-function without incurring large damages. Together, the RPO and RTO help the business determine which files need to be recovered and how quickly. Both the RPO and RTO are determined by analyzing business costs and budgets, and both metrics must fit within the business’s budget. Though financial impacts are a highly important factor in establishing the business’s RPO and RTO, non-financial measures must also be considered, like impact on customers and customer service, employees, etc.

To make the RPO and RTO even more impactful and valuable to the company, they are paired with a business impact analysis. The business impact analysis provides detailed information on the potential impact of business and operational disruptions. The business impact analysis aligns with the RPO and RTO by measuring the level of damage that the company would take if the RPO and RTO are under or over the target.

When it comes to business continuity and disaster management, the business must identify its RPO and RTO, as these are items that will help the business ensure that the right files are recovered as quickly as possible in order to keep the business operating and profitable in the event of a disaster. The RTO and RPO are added, along with the business impact analysis, into the business continuity management plan to ensure a well-planned business response in the face of any potential disasters.

Leave a Comment

Your email address will not be published.

Have Questions?

Want to find out more about how Resilience3™ security, risk, and compliance solutions will improve your business resiliency?