RPO and RTO - definition and understanding the difference


What is RPO?

Recovery Point Objective (RPO) generally refers to the amount of data that can be lost, within a period most relevant to a business, before significant harm occurs. It is measured from the point of a critical event back to the most recent preceding backup.

What is RTO?

Recovery Time Objective (RTO) often refers to the amount of time that an application, system, and/or process can be down without causing significant damage to the business, as well as the time spent restoring the application and its data.

What is the difference between RPO and RTO?

Although both objectives use similar measurement metrics, their purposes differ according to application and data priority:

Purpose: The RPO deals with data loss and helps inform the development of a backup strategy, whereas the RTO deals with time to recover and helps inform the development of a disaster recovery strategy.

Priority: Where RTOs are focused on application and system restoration, RPOs are solely concerned with the amount of data that is lost following a failure event, calculating the risk and impact to overall customer transactions rather than productivity downtime.

Cost: Costs also fluctuate between the two objectives. The costs associated with maintaining a demanding RTO may be greater than those of a granular RPO, because RTO involves your entire business infrastructure, and not just the element of data.

Automation: Because RPOs simply require you to perform data backups at the right intervals, data backups can be easily automated and implemented. However, this is virtually impossible for RTOs, as they involve restoring all IT operations.

Calculation variables: Because they depend on fewer variables, RPOs can be easier to calculate due to the consistency of data usage. RTOs are slightly more complicated, as restoration times are reliant on several factors, including analogue time frames and the day on which the event occurs. A shorter RPO means losing less data, but it requires more backups, more storage capacity, and more computing and network resources for backups to run. A longer RPO is more affordable, but it means losing more data.

Calculation variables may also differ according to the classification of data. Good practice for any company is to classify data into critical and non-critical tiers, which will then predetermine your RPOs and RTOs in priority order.


Examples of RPO and RTO

To explain the difference between RTOs and RPOs simply, let’s take the example of a bank across two different scenarios:

At 9am, an application on the bank’s main server was impaired, halting services locally and online for a period of 5 minutes. The bank’s RPO accounted for 15 minutes’ worth of data loss and its RTO accounted for 10 minutes of recovery time to restore the systems and applications. Therefore, the bank was within the parameters of both objectives.

At 3am, the same bank faced a shutdown of systems for a period of 3 hours. As the RPO only accounted for 15 minutes’ worth of data loss, and the RTO accounted for only 10 minutes of downtime, 2 hours and 50 minutes of the shutdown time was not accounted for. However, because of the time at which the shutdown occurred, loss of data was not exponential, as it was a low-traffic period for the bank.
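The two bank scenarios above, worked through as an added example (not Acronis code). The 15-minute RPO and 10-minute RTO come from the text; the calendar date, the 15-minute backup schedule, and the failed 02:55 job in the third case are constructed assumptions. The loss window is measured from the last usable backup, not the last scheduled one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RPO = timedelta(minutes=15)   # objectives from the bank example
RTO = timedelta(minutes=10)
DAY = datetime(2024, 1, 1)    # constructed date

@dataclass
class Backup:
    finished: datetime
    ok: bool                  # False: job failed or copy did not verify

def at(hour, minute=0):
    return DAY + timedelta(hours=hour, minutes=minute)

def schedule(failed=()):
    """Constructed schedule: a job finishes every 15 min from 00:10 to 09:55."""
    times = [at(0, 10) + timedelta(minutes=15 * i) for i in range(40)]
    return [Backup(t, t not in failed) for t in times]

def evaluate(backups, incident, restored, rpo=RPO, rto=RTO):
    """Measure one incident against the objectives."""
    usable = [b.finished for b in backups if b.ok and b.finished <= incident]
    if not usable:
        raise ValueError("no usable backup before the incident")
    data_loss = incident - max(usable)   # window of work that is gone
    downtime = restored - incident       # time until service is back
    return {
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss <= rpo,
        "rto_met": downtime <= rto,
        "rto_overrun": max(downtime - rto, timedelta(0)),
    }

# Scenario 1: 09:00 failure, service back after 5 minutes.
morning = evaluate(schedule(), at(9), at(9, 5))
# Scenario 2: 03:00 shutdown lasting 3 hours.
night = evaluate(schedule(), at(3), at(6))
# Constructed variant of scenario 2: the 02:55 job failed, so the newest
# usable copy is from 02:40 and the loss window exceeds the RPO.
night_failed = evaluate(schedule(failed={at(2, 55)}), at(3), at(6))

if __name__ == "__main__":
    for name, r in [("09:00", morning), ("03:00", night),
                    ("03:00, failed job", night_failed)]:
        print(name, {k: str(v) for k, v in r.items()})
```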

How to reduce RPO and RTO

Mapping out your RPOs and RTOs should be done simultaneously, considering the time, money, and reputation of the company. Collaborative input from all departments, particularly information regarding how they operate, the data they handle, and the impact on all users, can predetermine the priority order of their most critical RPOs and RTOs.

From this information alone, you can then compare downtime costs with the impact on the company, looking at the variables of lost revenue, salaries, stock prices, and the expense of the recovery, and then forecast the worst incident that your company could face.

As the business grows, these variables will undoubtedly change. Therefore, constant assessment, testing, and measurement of your RTOs and RPOs will help prepare for any shortcomings that may unexpectedly surface. The three main areas that help reduce the overall impact on the business (and on your wallet) include (but are not limited to):

Frequency of backup: More backups give you a larger pool of data to access should a situation arise, lowering both data losses and the amount of time needed to restore such data.

Block recovery: Save time and money by isolating key blocks of data that have changed since your last backup was performed, so that only the data blocks that have changed are backed up within that given time period.

Replication: By replicating your data, you instantly have a copy of your data that you can fall back on should a disaster occur, which decreases your RTOs. Your RPO will be determined by how often you replicate your data. As a rule of thumb, replication at a higher frequency means a lower RPO.

Testing RPO and RTO

As with any element of business, from marketing to processes and hardware to software, RPOs and RTOs still require testing and measurement. Below are three ways to maintain and evolve your objectives in line with potential threats and risks to the business.

Regular backup checks

Regularly assess your backup parameters, looking at retention plans, granular restoration points, automation, and protection variables, and increase the number of snapshots you have of critical data. The aim is to account for all measures of a critical data disaster before it occurs.

Review & improve

Periodically review your disaster recovery plan, assessing key employee roles, backup processes, and hardware modifications. This will be influenced by your most recent RPOs and RTOs. Both go hand in hand, so keep all elements updated at regular intervals throughout the year.

Stick to the 3-2-1 rule

Keeping at least three copies of data in two independent storage locations with one copy of data stored offsite can save your data if one of the storage locations becomes inaccessible or impaired.

How RPO and RTO could develop over time

To determine how much a disaster can cost your company, consider the cost of system downtime — the impact on employee productivity, the loss of billable hours, missed sales from online activity, regulatory compliance obligations, and so forth.

Another aspect that can influence the priority, and even the setting, of your RPOs and RTOs is the development of the company, both internally and externally. Influential changes such as additional service provisions, structural and staff changes, data growth, location, etc. can shift the objectives entirely, which is why regular testing and reviews are an absolute necessity for successful disaster recovery.

Your RPOs and RTOs weigh up the most critical variables against the worst-case scenario and provide a safeguard against potential devastation to your business. Keep these up to date and in line with every aspect of your business, and you will be secured against most threats and critical disasters.

Plan & proactively protect with Acronis

In any disaster recovery situation, every second counts. Even with complete disk-image backups of an entire server, businesses still need to restore the system by moving data from backup storage to their production hardware, which can take hours, not to mention the impact on the business itself.

With over 15 years in the industry, 200,000 attacks prevented, and managing over 5000 petabytes across the globe, to say Acronis are passionate about cybersecurity would be an understatement.

Acronis Cyber Protection, the only active, AI-based anti-ransomware solution on the market, offers a disaster recovery plan that integrates RPOs and RTOs, helping to safeguard all data for any environment, deployment, workload, and storage, and with any recovery method.

Get ahead of your disasters with Acronis today.
