How would you respond if I asked you:
- How much data can you afford to lose before it impacts your business?
- Oh, and how much downtime could you absorb without access to your applications and data?
I’ll have a guess that you answered, “zero and zero”.
And in a perfect world, this would set the requirements for your cybersecurity solutions. But the truth is, it’s not that simple, and for most businesses, that level of restoration is just not physically or financially feasible.
So, let me ask you this instead:
Can you afford to invest in the right backup strategy? More to the point: can you afford not to?
With the inevitability of file corruption, accidental (or intentional) deletion and ransomware threats, being prepared for downtime, so you can quickly restore your data – and your business operations – isn’t just desirable. It’s essential.
Preparation is key
Being prepared means getting a comprehensive 3-2-1 backup strategy in place. But just before you click on that link^ to get an automated cloud backup solution that manages everything for you.
It’s a good idea to get an idea of what your backup requirements are, so your business is not left down and out when disaster strikes.
Oh, and helping you to get clear on your backup requirements is precisely what this article will help you to do.
So, let’s get started.
Your Business Recovery and Time Objectives
Referred to as your RPO and your RTO, these little acronyms have a big say on how much data your business can afford to lose and how long it takes you to get back up and running. And it’s important that you understand what they are, so your backups can meet your business requirements when it hits the fan.
What is an RPO and RTO?
Recovery Point Objective (RPO)
This refers to a time in the past to which your data will be restored.
Your RPO is defined by the maximum amount of data you’re willing to lose from the time of a data-loss incident to the time of your last backup.
RPO Example: If you decide to have an RPO of 4 hours for your emails, then you will have a maximum 4-hour data gap between the time of the data loss and the point your emails will be recovered to.
Recovery Time Objective (RTO)
This refers to a time in the future when you’ll be back up and running.
Your RTO is defined by the maximum amount of time it takes from the data-loss incident to a point in the future at which your data will be operational again.
RTO Example: If your email is subject to a data-loss disaster and has an RTO of 2 hours, then your IT team have an objective to get your emails back up and running within 2 hours of the data-loss incident before it starts to impact your business operations.
Now, it’s a given that you’re going to have different requirements and priorities for each unit and application within your business.
You may have some business units and applications that you wouldn’t notice missing. Whereas you’ll have others that you consider critical to the day-to-day or minute-to-minute operations of your business. This is why you need to define a separate RPO and RTO for each of your business applications.
How to define your RPO and RTO
I hate to be a downer, but I don’t have a one-size-fits-all solution that defines your RPO and RTO for you. And not because I don’t want to share, but because it doesn’t exist.
Establishing your RPO and RTO is a process that typically starts with analysing your business requirements and inviting conversation and input from your business and IT experts.
Every business is different, and your business will have a different set of applications and priorities for the next. Having said that, this free Backup 101 Toolkit and the following steps will help guide your discussions, so you can establish an RPO and RTO for each area of your business, even if you don’t know where to start.
Step#1 – Download our RPO and RTO template
Click here to get your copy of our Ultimate Guide to Backing up Your Business, which includes a pre-prepared RPO and RTO template, so you can quickly and easily document your requirements.
Step #2 – Define your tiers of priority
Using tiers simplifies the process of categorising your business applications. Here are some sample tiers that you may want to consider using.
Oh, and please keep in mind that these are generic. You’ll need to define what applications are considered critical and not-so-critical based on your business requirements.
0 – 1 Hour: Mission Critical
These are your critical applications, systems and processes that your business can’t afford to lose any more than 1 hour’s worth of data. This may include applications that are updated frequently.
An example might be your financial systems, CRM databases or an industry-specific application that your business relies on to generate products or meet service-level agreements.
1 - 2 hours: Business Critical
This tier might be used for critical business units that you can’t afford to lose more than 2 hours’ worth of data.
Examples might include your email accounts or customer support instant chat applications
2- 4 Hour: Semi-Critical
Used for semi-critical business units, this tier can be used for applications that you can’t afford to lose more than 4 hours’ worth of data.
Examples might include your email accounts or customer support instant chat applications
4 – 8 Hour: Important
Applications and systems that fall into this category can’t lose more than 8 hours of data. These are not considered critical to your business operations and may include your sales collateral, lead generation systems, or perhaps your website.
8-12 Hour: Non-Critical
You may decide to use this tier for any applications that can’t tolerate losing more than 12 hours of data. Typically, these applications and files are not changed as frequently as the previous tiers.
An example of this might be your human resources documentation or weekly reports.
12-24 Hour: Low Priority
Data that falls under this category should tolerate a maximum amount of 24 hours’ worth of data loss. These are likely to be archives or data that is not regularly updated.
Step #3 - Everyone likes making a list, right?
Now that you’ve established your tiers of priority, the next step is to complete the first column of the RPO & RTO template with a list of every system and application your business uses day to day.
If you’re unsure where to start:
- Have a think about the applications that you use on a typical day
- Call your IT Partner for their input; or
- Talk to your team members
Step#4 – What functions do your applications perform
Next to each application, jot down the role it serves in your organisation. Oh, and while it may seem easy to write down ‘Email’ next to Microsoft Outlook, keep in mind the broader picture too.
For example, if your business uses a customer booking system that links to your Outlook calendars or you use your email accounts for sales purposes, don’t forget to write that down too.
Step #5 – Frequency
As a general rule of thumb, you can begin to get a sense of your RPO requirements by the frequency at which your files are updated.
The more frequently your files are updated, the shorter your RPO needs to be in order to restore the most up-to-date version of your files.
For each application in your list, try to complete this sentence:
Our important data changes ___ times per Hour/Day/Week/Month (Delete as appropriate)
This may be difficult to get 100% accurate, which is fine for now. The idea here is to get as close as you can, so when you present your data to your business and IT experts, they’ll be able to suggest the best cloud backup solution for your business requirements.
Step #6 – Who and what is impacted?
Up next is to make a note of the team members, groups and systems that will be affected by the data loss of each of your applications.
Step #7 – Potential loss
From lost time and revenue to corporate reputations and SLAs, the data you lose – and the repercussions you’ll face - will vary from system to system.
This is why it’s a good idea to jot down the potential losses each application could cause, so your business and IT experts can get a sense of the importance and the potential consequences of your data loss.
Step #8 – Schedule a coffee
Remember those tiers you copied and pasted and defined in step #2?
This is where they – and your IT Partner come in.
After you’ve collected all of the data for each of your business units, schedule a coffee with your business and IT experts, so you can run through the results and assign a priority tier to each of your applications.
Keep in mind that these steps are not a definitive calculation for your RPO and RTO requirements. That will develop with the collaboration between your organisation's business and IT experts. What these steps do provide is enough information for you to get the ball rolling, so you can identify the gaps in your current backup solution and the areas that need more attention to ensure your backups - and your investment - can restore your business when the time comes.
Meeting your business objectives with Office Solutions IT
If there’s anything worse than seeing your data disappear, it’s waiting for help. And not knowing when – or if – it will come back. But with our reliable and affordable cloud backup in place, you’ll be able to restore your data and get back up and running fast, even if disaster strikes.
Our cloud backup service offers to take the time and hassle out of managing your business-critical off-site backups.
It’s automated, it routinely tests your restoration data and manages your backups for you, so you don’t have to. Oh, and if disaster does strike, you’ll get direct access to your data ASAP. To get it, just click here to schedule that coffee.
Frequently Asked Questions
How do you increase RPO?
One effective strategy organisations use to enhance their Recovery Point Objective (RPO) is to increase the frequency of backups. By doing so, you can significantly reduce potential data loss to ensure that your most recent data is always available for recovery.
While increasing backup frequency is beneficial, it may not be feasible for all data types due to various constraints or operational considerations. Therefore, teams should prioritise backup schedules for business-critical data to minimise disruptions in the event of a data loss incident.
Why is RPO important?
Recovery Point Objective (RPO) determines the minimum frequency with which backups should be conducted to maintain data integrity and availability. This measure helps organisations establish a baseline for how often data backups should occur and minimise potential data loss during disruptions that could affect business operations.
Define your RPO parameters to identify appropriate disaster recovery technologies and solutions and effectively safeguard critical data.
Why is it important for a business to know both RPO and RTO?
Having a clearly defined Recovery Point Objective (RPO) allows you to establish a backup schedule that aligns with your organisation's operational requirements, which minimises the risk of significant data loss during cyber incidents. An RPO ensures that your most recent data is always available for recovery, which is essential for maintaining business continuity.
On the other hand, Recovery Time Objective (RTO) focuses on the prompt restoration of critical systems and applications following a disruption. Together, RPO and RTO help reduce downtime and mitigate financial and operational costs associated with prolonged outages.
What is the best practice for RPO?
To achieve an optimal Recovery Point Objective (RPO), schedule backups with high frequency. The principle is straightforward: the more frequently you back up your data, the better your RPO will be. Additionally, consider keeping the most sensitive data on well-established backups for added security.
What does the Recovery Time Objective measure?
Recovery Time Objectives (RTOs) assess the time required for your IT team to restore data and systems after a cyber disaster, such as a data breach or loss. They serve as a benchmark for evaluating the resilience and preparedness of your IT infrastructure in the event of a cyber incident. When you establish an RTO for your organisation, you gain a clear understanding of the maximum allowable downtime before your operations experience significant impact.
What is an acceptable RTO?
Recovery Time Objective (RTO) can vary based on an organisation's specific IT needs and priorities. Ideally, an RTO should be as close to zero as possible to minimise downtime and reduce potential financial and operational consequences associated with IT outages. While this sounds ideal, achieving a minimal RTO requires robust disaster recovery planning, an efficient IT infrastructure, and proactive measures to ensure that systems can quickly and effectively return online.
