RTO vs RPO: Understanding the Difference

Given the high costs of system downtime, every organization should endeavor to develop and implement a disaster recovery plan that ensures business continuity. In the course of developing that plan, two measurements will play a major role in determining what the plan needs to accomplish. Understanding the differences between RTO vs RPO will make it much easier for planners to determine the scope of their disaster recovery plan.

Read Also: Data Center Migration Best Practices

What are RTO and RPO in Disaster Recovery?

To understand how organizations approach disaster recovery and business continuity, it’s important to know how to define RTO vs RPO. These disaster recovery metrics help to determine how much time will be needed to bounce back from a severe downtime situation.

What is RTO?

An abbreviation of Recovery Time Objective, RTO represents the maximum tolerable downtime a business can afford to endure. The recovery time measures how long it will take to get its critical systems back online. If a business can get by without its IT systems for a long period of time, it will have a much higher recovery time objective than a company that will feel the impact of that loss very quickly.

As one may expect, RTO is heavily determined by how much an organization relies on its network and computing systems. That doesn’t necessarily mean, however, that a business that may not seem particularly technology-dependent wouldn’t need to have a low RTO. If a plumbing contractor, for instance, handles all of its work orders and billing through an online system, losing access to that system for a day could result in lost customers and revenue.

A lower RTO time typically means that an organization needs to invest in more significant preparation and system redundancies. Higher RTO times can usually afford to get by with less sophisticated (and expensive) solutions.

What is RPO?

While RTO focuses on the business’s technology systems as a whole, RPO is more specific. An abbreviation of Recovery Point Objective, RPO measures how long a company can afford to operate without lost data. Unless a network is set up to deliver full data backup in real time, data is backed up at regular intervals as part of a recovery point system. These backups could occur at intervals of a few days, hours, or even minutes. The organization’s RPO is equal to these intervals. It represents the amount of time the company can afford to operate with old data, since any data generated between the backup point and the downtime event could be lost.

Lower RPO times are common among companies that are highly dependent upon having actionable, up-to-date information to power their systems and processes. A higher RPO typically indicates that whatever data is being gathered isn’t used to inform moment to moment decisions.

What’s the Difference Between RTO vs RPO?

Although RTO and RPO sound very similar and both are very important for any disaster recovery strategy, they measure quite different aspects of business operations and needs in the event of a disaster. For a big picture perspective, RTO encompasses all aspects of an organization’s technology stack. It takes into consideration how computing systems influence operations throughout the entire organization. Since many of these systems are interdependent, RTO has to account for the way an outage in one area can disrupt operations in another.

For that reason, RTO is important for building a disaster recovery plan to deal with the consequences of an outage. It identifies vulnerabilities and forces IT teams to consider how, when, and in what order essential services will be restored after a disaster strikes.

By contrast, RPO has a narrow focus on data. It asks the key question that needs to be answered when backup systems are being designed: how important is it to have up-to-date data available at all times? This determination will have an impact on an organization’s disaster recovery plan. If data doesn’t have to be current or near-current, the business can probably afford to tolerate a higher RTO. On the other hand, if data needs to be backed up continuously and available at all times, the disaster recovery plan should be designed around a very low RTO target.

Examples of RTO vs RPO

Determining RTO is one of the most important steps of creating a disaster recovery plan because it will dictate how much the organization needs to invest in redundancy and failover systems. For instance, if a company has an RTO of four hours, then it will be able to operate for four hours without key systems for four hours before that downtime begins to have a measurable impact on its business.

Revenue-generating applications are typically the first systems prioritized after a disaster, which is why things like CRM systems and finance systems rarely have an RTO higher than four hours. Critical infrastructure systems, such as directory service applications, are even more important, usually featuring an RTO of two hours or less. Less essential servers and systems that aren’t directly related to revenue generation or service delivery can often afford much higher RTOs.

An organization’s RPO has a major impact on its storage and backup systems. Consider a company with an RPO of one hour. All data will need to be backed up somewhere (often off-site) and easily accessible in the event of a disaster. This small window of time means that the redundancy solution will probably resemble the primary system it’s backing up. Additional servers with sufficient hard drives to store backup data and potentially take over as a failsafe system would be the most likely solution.

By contrast, a company with an RPO of five days (120 hours) would only need to back up data at five-day intervals. It’s unlikely that the RTO would be greater than this time span, which means that the main systems would be back up and running before a new backup is necessary. That means there will be ample time to retrieve and upload the backup data, making less expensive storage solutions like tapes or disks more viable.

How Do You Calculate Your Risk?

Accurately assessing RTO vs RPO should be important step in the creation of any disaster recovery and business continuity plan. Ideally, every application a company uses should have its own RTO to help prioritize recovery efforts in the event of a disaster.

The loss of critical systems and data can be devastating for an organization. Every moment lost to downtime can be directly translated into financial costs in the form of lost revenue, missed opportunities, and damaged customer relationships. That’s why having a comprehensive disaster recovery plan in place before a disaster occurs is so important. By prioritizing essential systems and data, IT personnel can keep downtime to an absolute minimum and mitigate the risks associated with disaster in all its ugly forms.

Ruben Harutyunyan

Back to top