Don’t know your RPO’s from your RTO’s …..?

Written By Rhys Davies

Then it’s time you reviewed your disaster recovery and business continuity plan so you know your business can keep going under any circumstances.  Disaster recovery planning used to be based on relatively low risk issues such as fire, theft, or flooding.  However, the major issue that businesses now face is cyber-related, and mainly ransomware, which is a far more likely scenario than a building fire but carries the same business impact – your IT systems and business critical data become inaccessible, and your business can’t function. If you were to be hit by ransomware, then Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important objectives that will guide your business in getting back up and running.

While RPO and RTO may sound similar, they serve different purposes and, in an ideal world, their values would be as close to zero as possible.

At it’s simplest, your RPO is the point in time you can recover to in the event of a disaster.  So, if the worst was to happen then your business would lose all the data up to your set RPO. If you have an RPO of 4 hours on your critical applications then this means you would lose 4 hours of data, as 4 hours ago is the last point in time to which you can recover.

On the other hand, your RTO is the time that it takes to recover your data and applications. This means that in the event of a disaster, the RTO is the time it will take to recover from this disaster and have the data and applications back online and running.

Know that we know what RPO and RTO stand for, how do you define these objectives for your business?  The truth is there is no one-size-fits-all solution for a business continuity plan. Companies are different from one vertical to another, have different needs, and therefore they have different requirements for their recovery objectives. However, a common practice is to divide applications and services into different tiers and set RPO and RTO  values according to the service-level agreements you committed to.  It is essential to analyse your applications and determine which of them are driving your business, generating revenue and are imperative to stay operational.

For example, you can use a three-tier model to design your business continuity plan:

  • Tier-1: Mission-critical applications that require an RTPO of less than 30 minutes

  • Tier-2: Business-critical applications that require RTO of 2 hours and RPO of 4 hours

  • Tier-3: Non-critical applications that require RTO of 4 hours and RPO of 24 hours

As you can see, this is where a good business continuity plan should make all the difference, it should tell you what to do to get your business back up and running in an acceptable time period, and ensure you minimise any reputational damage as a result.  This is where we can help – contact us and we can work with you to review or create a robust business continuity policy that stands up to scrutiny and gives you confidence that your business is in good hands should the worst happen.

Rhys Davies
Previous

Virtual Desktop – what is it and can it help my business….?