What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
By Dejan Kosutic
February 07, 2012

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also the article "Five Tips for Successful Business Impact Analysis" to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself how much data you can afford to lose. If you are filling in a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work or the whole day, or could you perhaps bear losing a whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; backing up only every 24 hours would put you in great danger, while backing up every hour might cost you too much.
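The backup-frequency rule above can be checked against a real backup history, where a single failed job silently doubles the exposure. The following is an added example, not part of the original article; the log entries, the 4-hour RPO and all function names are constructed for illustration, and it assumes a backup's completion time is its restore point:

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=4)  # assumed objective, taken from the article's 4-hour example

# Constructed backup log: (completion time, job succeeded?)
BACKUP_LOG = [
    (datetime(2012, 2, 7, 0, 0), True),
    (datetime(2012, 2, 7, 4, 0), True),
    (datetime(2012, 2, 7, 8, 0), False),   # failed job: provides no restore point
    (datetime(2012, 2, 7, 12, 0), True),
    (datetime(2012, 2, 7, 16, 0), True),
]

def restore_points(log):
    """Only successful backups can be restored from."""
    return sorted(t for t, ok in log if ok)

def rpo_violations(log, rpo, now):
    """Return (start, end, gap) for every window in which a failure
    would have lost more than `rpo` worth of data."""
    points = restore_points(log)
    if not points:
        raise ValueError("no successful backup: data loss is unbounded")
    ends = points[1:] + [now]  # the last window runs up to the present
    return [(s, e, e - s) for s, e in zip(points, ends) if e - s > rpo]

def data_loss_at(log, incident):
    """Data lost if the incident happens at `incident`: the time elapsed
    since the most recent successful backup."""
    earlier = [t for t in restore_points(log) if t <= incident]
    if not earlier:
        raise ValueError("no restore point before the incident")
    return incident - earlier[-1]

if __name__ == "__main__":
    now = datetime(2012, 2, 7, 18, 0)
    for start, end, gap in rpo_violations(BACKUP_LOG, RPO, now):
        print(f"RPO exceeded between {start} and {end}: gap of {gap}")
    incident = datetime(2012, 2, 7, 11, 30)
    print("Data lost for an incident at 11:30:", data_loss_at(BACKUP_LOG, incident))
```

The schedule is nominally every 4 hours, yet the failed 08:00 job leaves an 8-hour window, so monitoring backup success matters as much as the schedule itself.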

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

Cross-posted from ISO 27001 & BS 25999 blog.

Comments (1)
written by Gregg Jacobsen, February 20, 2012
I'm sorry to bring this up, but Wikipedia is wrong about the definition of RPO, likely because the source was in the IT recovery service industry. RPO is the tolerance of the enterprise for loss of data, which, for instance, in banks and brokerage firms, is zero. There is NO tolerance for data loss, which is why they spend $millions on hot fail-over and streamed-data storage solutions. Because other industries can survive the loss of "some" data, IT recovery service vendors can more easily sell suitable recovery solutions. To allow themselves a hedge against failing to meet the RTOs and RPOs, they always stipulate the clock on both requirements as beginning when the disaster is "declared," i.e., when enough time has elapsed for client management to decide to declare to the recovery vendor. This is simply illogical. When a disaster takes out a data center or even just the network, effectively stopping every single dependent business process, THAT is when the clock starts for critical RTO and/or RPO systems.
