RPO and RTO: Two Critical Components of BCDR Success

It’s human nature to minimize “what if” scenarios in favor of problems that are on the table today. Unfortunately, this mindset can lead to poor planning in the enterprise, particularly when it comes to disaster recovery and delivering on ideal Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for critical business systems. Downtime can be a significant economic blow or possibly an existential threat to businesses of all sizes. Typically the last to react, government agencies worldwide have recently issued advisories of increased cyber attacks targeting MSPs and their clients, underscoring the need for robust planning and disaster recovery testing.

Managed services providers that aid clients with business continuity and disaster recovery (BCDR) can be more proactive in communicating with clients about “what ifs.” In a perfect world, a BCDR plan would instantaneously restore a company’s applications and data. The price tag of such a plan, however, would be cost-prohibitive for most companies. This is where educated choices come in based on the predetermined RPO/RTO needs of the affected organization.

Helping clients understand these concepts will aid them in determining how much protection they want (or can afford) and how much risk they’re willing to take. By attaching hard figures to RPO and RTO, MSPs are well positioned to encourage clients to design a more robust recovery plan as they gain a clearer understanding of how costly and damaging downtime can be, right down to a stark per-hour loss figure.

Defining RTO and RPO

While RTO and RPO are both units of time that help underpin a data recovery program, the two figures are subtly different. RTO measures the amount of time from the moment a disruptive event occurs to when the IT resources must be fully operational. RPO is the maximum period of time in which data might be lost and unrecoverable in a disaster recovery plan.

How Should I Explain Recovery Time Objective (RTO)?

It is important for your clients to understand that RTO measures the amount of time from the moment a disruptive event occurs to when the IT resources must be fully operational. The number is calculated using the per-hour costs of downtime coupled with any service level goals the company may need to meet. Essentially, it’s a marker of how long the company can afford a business interruption.

Companies should understand that more inexpensive methods of disaster recovery, such as backing up file and folder data only instead applications and configurations, will lead to much longer recovery times, as there will be a need to engage in physical replacement of servers and applications before the file and folder data can be restored. A faster (but costlier) solution would involve the creation of a backup image of all critical applications as well as their configurations, which would significantly reduce RTO.

How Should I Explain Recovery Point Objective (RPO)?

MSPs must educate their clients to understand that Recovery Point Objective, or RPO, is the maximum period of time in which data might be lost and unrecoverable in a disaster recovery plan. In other words, it’s how often you need to back up their data to be able to recover from a potential disaster. Different RPOs are possible for different types of data, and backups can be set at different intervals accordingly. For example, if you set the backup interval at once a day, you might lose a whole day’s worth of data in the event of a disaster. However, if you set the interval at 15 minutes, you would only lose 15 minutes of data. Of course, the more often you back up your data, the more storage space you’ll need. One way to minimize storage space requirements is to create an active-active high availability virtualized environment. This will allow you to continue working even in the event of an outage, providing true business availability.

Also, be sure your clients understand the biggest difference between RTO and RPO; RPO looks to past events, whereas RTO is a future-facing figure that sets a timeline for recovery operations. In both cases, as the time frames lengthen, the costs of maintaining business continuity decrease, but the potential negative fallout on the business increases. MSPs should help clients grasp that RTO and RPO exist on a spectrum with costs and levels of protection on a sliding scale working against one another. The goal should be to pinpoint for clients where they are located on the spectrum, and whether their existing position will protect the business.

Determining RPO/RTO Targets

When figures such as RPO and RTO are theoretical, client companies may be more willing to roll the dice. One way that MSPs can successfully leverage RTO and RPO to close more business is by attaching hard numbers to the concepts to allow customers to quantify precisely what downtime will cost them in black and white.

Precise RTO and RPO figures will be dictated by a company’s business continuity plan, or business impact analysis (BIA). The continuity plan will be the basis of the design of the company’s computer systems and infrastructure. The BIA should contain a risk analysis, which will be used in part to calculate RTO and RPO. The BIA will outline the technologies, personnel, and facilities that will be used in the event of a disaster, and should include elements of financial loss, such as fees, fines, lost business revenue, and necessary overtime by IT personnel. Companies may also wish to include indirect losses, such as a loss of goodwill and reputation, or increased customer churn.

It’s not a simple process. The BIA may vary depending on the nature of the threat to the IT infrastructure. (The analysis of an extended power outage might look very different from predictions involving a ransomware attack, for example.) Calculations for applications will vary depending on how critical the applications are: a client’s HR database, for example, might be completely unharmed by days-long outages, but their financial transactions or online ordering system might need near real-time responses.

When all these risks and scenarios have been defined and quantified, IT departments can make a stark analysis of infrastructure assets and their corresponding tolerance for risk. They will be able to calculate RPO and RTO values and communicate them to the business’ senior management team.

Provide Your Clients With Best-in-Class RPO and RTO

Axcient x360Recover provides MSPs with industry-leading recovery capabilities. With a recovery point objective (RPO) of just 15-minutes, and a recovery time objective (RTO) of less than 1-hour, disaster recovery is fast and dependable. As a result, MSPs can meet and exceed competitive SLAs to win more clients, reduce downtime, promote productivity, and deliver on the promise of uninterrupted business continuity. Start your free 14-day trial today to explore Axcient’s industry-leading platform.