Your data is critical and, with ransomware on the rise, protecting your data is an integral part of your Disaster Recovery Plan. Building a plan for data protection and recovery starts with knowing exactly how much data your business can withstand losing without sustaining significant damage. That calculation, measured in time, is called the Recovery Point Objective (RPO). While connected to Recovery Time Objective (RTO), RPO is different. RPO is the maximum amount of data loss your organization can handle without a detrimental effect on operations, while RTO is the maximum amount of time a computer, system, network, or application takes to restore after an outage or data loss without harm to business operations.
While RTO covers the entire IT infrastructure and has significant implications for ensuring the continuity of overall business operations, RPO is solely concerned with your company’s data and is the foundation for building your data backup and recovery strategies. In order to determine the best plan for data backup for different tiers of data, correct RPO calculations are crucial. Keep reading to find out more!
Consider working on a document on your own personal computer when disaster strikes. That disaster could be a storm that knocks out electricity or an overly playful pet who decides the cord to your computer is their new favorite tug-of-war toy—whatever it may be, you just lost whatever you were working on. So. When was the last time you saved that document? How much does that document matter? Were you jotting down a grocery list or putting the final touches on the proposal you’ve been working on for the last week—or were you finishing up the final chapter of that novel you’ve been working on for ten years? Whatever it was—everything after you last saved it is now gone. Without even realizing it, we set unofficial RPOs in our own lives every time we decide to turn on autosave on a document, change the autosave settings to save more often, or completely neglect to save a document at all. In effect, we’re placing a value—based on time—on particular data determined by how much it would cost us—whether in time, money, or any other metric—to lose that data.
To some extent, every business relies on data. And every business has different types of data that they rely on more than others—as well as tiers of data that are particularly sensitive. Determining that classification of data starts with a thorough Business Impact Analysis (BIA) that includes looking at all the types of data your organization collects and uses and asks a key question: How much of this data can we afford to lose before the damage to our business is not sustainable? Based on that, decisions on how often (and through what processes) to backup your data are made. While it is certainly hard to prevent all data loss, you can create RPOs that ensure you mitigate the losses and are able to recover from them in the case of a disaster. Let’s check out some examples of Recovery Point Objectives.
While Recovery Time Objectives and Recovery Point Objectives are intertwined in many ways, RPOs are specific to the data your company keeps. Whether it’s a customer database, financial transactions, or the list of employee birthdays, there is an RPO for all of them, and a successful Disaster Recovery Plan incorporates those into its strategies and preparation.
What is the cost of data loss? It depends on the data—and the volume of data. The consequences can be numerous—from financial to legal to reputational. Imagine two hotels. The first is a small, 20-room hotel that uses paper sign-in sheets and takes most of its reservations over the phone. They don’t even have an online reservation system. The hotel typically gets about three reservations a day and three to five check-ins. A data loss incident at that hotel is unlikely to cause major chaos. That hotel may set a long Recovery Point Objective for their reservation data—after all, with only three reservations made per day, a 24-hour Recovery Point Objective would only affect three of their guests. In that case, they may consider a manual backup of their data every day.
However, take another hotel with an active online reservation system and over 500 rooms. On an average day, it sees up to 100 check-ins. What might the consequences be of a long RPO for that hotel? Chaos, angry customers, financial loss—to name a few. That hotel may need a much shorter RPO for their hotel reservation data. In determining that RPO, they might look at their online reservation system and see how many reservations are made per hour and then determine how many missing reservations they can comfortably deal with before chaos ensues. They determine that they average 3 reservations made per hour and that their front desk staff can comfortably accommodate dealing with up to 10 guests with missing reservations showing up at one time. Based on that, they may set their RPO for their guest reservation system at 3 hours to cover a worst-case scenario of nine (three reservations an hour for three hours) all showing up on the same night at the same time. That hotel may then consider automated backups of their reservations every three hours.
Now imagine a bank that deals all day with complex financial transactions. Their RPOs will need to be near-zero—and the solutions become more complex. This can end up being a little bit of a balancing act. Business leaders will always want the least amount of data loss, the closer to zero the better, however, this does come at a bit of a cost. So businesses are often left to decide what is acceptable in the context of what is affordable when it comes to implementing protection.
See how Rubrik helped Grove Bank and Trust achieve their RPOs allowing them to withstand a hurricane.
Your Disaster Recovery Plan incorporates both your Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and both require you to weigh the tradeoffs between downtime and loss of data and the complexity and expense of setting up the systems to ensure a swift return to pre-incident operations and data backup solutions that ensure business continuity. While RTO involves your entire IT infrastructure, RPO is laser-focused on data. RPO is simply the maximum amount of data loss—measured in time—your company can withstand without significant harm. Your company will have different RPOs for different data based on a number of factors, including how critical the data is to your business, legal and reputational implications, the ability to recreate the data, and the cost and complexity of the solutions necessary to meet shorter RPOs. With the rise in number and complexity of ransomware, as well as the myriad other potential data loss incidents, ensuring your RPOs are correctly calculated and finding the right solutions to achieve them will be key to your business surviving when disaster strikes.