Recovery Point Objective

Your data is critical and, with ransomware on the rise, protecting your data is an integral part of your Disaster Recovery Plan. Building a plan for data protection and recovery starts with knowing exactly how much data your business can withstand losing without sustaining significant damage. That calculation, measured in time, is called the Recovery Point Objective (RPO). While connected to Recovery Time Objective (RTO), RPO is different. RPO is the maximum amount of data loss your organization can handle without a detrimental effect on operations, while RTO is the maximum amount of time a computer, system, network, or application takes to restore after an outage or data loss without harm to business operations.

While RTO covers the entire IT infrastructure and has significant implications for ensuring the continuity of overall business operations, RPO is solely concerned with your company’s data and is the foundation for building your data backup and recovery strategies. In order to determine the best plan for data backup for different tiers of data, correct RPO calculations are crucial. Keep reading to find out more!

The Importance of RPO

Consider working on a document on your own personal computer when disaster strikes. That disaster could be a storm that knocks out electricity or an overly playful pet who decides the cord to your computer is their new favorite tug-of-war toy—whatever it may be, you just lost whatever you were working on. So. When was the last time you saved that document? How much does that document matter? Were you jotting down a grocery list or putting the final touches on the proposal you’ve been working on for the last week—or were you finishing up the final chapter of that novel you’ve been working on for ten years? Whatever it was—everything after you last saved it is now gone. Without even realizing it, we set unofficial RPOs in our own lives every time we decide to turn on autosave on a document, change the autosave settings to save more often, or completely neglect to save a document at all. In effect, we’re placing a value—based on time—on particular data determined by how much it would cost us—whether in time, money, or any other metric—to lose that data.

To some extent, every business relies on data. And every business has different types of data that they rely on more than others—as well as tiers of data that are particularly sensitive. Determining that classification of data starts with a thorough Business Impact Analysis (BIA) that includes looking at all the types of data your organization collects and uses and asks a key question: How much of this data can we afford to lose before the damage to our business is not sustainable? Based on that, decisions on how often (and through what processes) to backup your data are made. While it is certainly hard to prevent all data loss, you can create RPOs that ensure you mitigate the losses and are able to recover from them in the case of a disaster. Let’s check out some examples of Recovery Point Objectives.

RPO Examples

While Recovery Time Objectives and Recovery Point Objectives are intertwined in many ways, RPOs are specific to the data your company keeps. Whether it’s a customer database, financial transactions, or the list of employee birthdays, there is an RPO for all of them, and a successful Disaster Recovery Plan incorporates those into its strategies and preparation.

What is the cost of data loss? It depends on the data—and the volume of data. The consequences can be numerous—from financial to legal to reputational. Imagine two hotels. The first is a small, 20-room hotel that uses paper sign-in sheets and takes most of its reservations over the phone. They don’t even have an online reservation system. The hotel typically gets about three reservations a day and three to five check-ins. A data loss incident at that hotel is unlikely to cause major chaos. That hotel may set a long Recovery Point Objective for their reservation data—after all, with only three reservations made per day, a 24-hour Recovery Point Objective would only affect three of their guests. In that case, they may consider a manual backup of their data every day.

However, take another hotel with an active online reservation system and over 500 rooms. On an average day, it sees up to 100 check-ins. What might the consequences be of a long RPO for that hotel? Chaos, angry customers, financial loss—to name a few. That hotel may need a much shorter RPO for their hotel reservation data. In determining that RPO, they might look at their online reservation system and see how many reservations are made per hour and then determine how many missing reservations they can comfortably deal with before chaos ensues. They determine that they average 3 reservations made per hour and that their front desk staff can comfortably accommodate dealing with up to 10 guests with missing reservations showing up at one time. Based on that, they may set their RPO for their guest reservation system at 3 hours to cover a worst-case scenario of nine (three reservations an hour for three hours) all showing up on the same night at the same time. That hotel may then consider automated backups of their reservations every three hours.

Now imagine a bank that deals all day with complex financial transactions. Their RPOs will need to be near-zero—and the solutions become more complex. This can end up being a little bit of a balancing act. Business leaders will always want the least amount of data loss, the closer to zero the better, however, this does come at a bit of a cost. So businesses are often left to decide what is acceptable in the context of what is affordable when it comes to implementing protection.

See how Rubrik helped Grove Bank and Trust achieve their RPOs allowing them to withstand a hurricane.

RPO FAQ

What does Zero RPO mean?

What is the average RPO?

Your Recovery Point Objective calculations are based on balancing the risks of data loss with the costs of data backup and recovery. Getting that balance right is crucial and an important part of your Business Impact Analysis. Most organizations begin by classifying their data into tiers based on how critical they are to the business. The more critical the data—the shorter the RPO.

A tiered system might break up data into four tiers:

Tier #1—Near-zero to an hour RPO

This tier would include mission-critical data that a company cannot afford to lose. The loss of even minutes of this data would likely result in severe financial, legal, safety, and/or reputational damages.

Tier #2—One- to four-hour RPO

While the loss of this data would not have as severe consequences as Tier 1 data, this data is still critical to business operations. However, a minor loss of data would not be devastating.

Tier #3—Four- to Twelve-hour RPO

This is data that is not essential to your company. The loss of up to twelve hours of data would not result in severe consequences.

Tier #4—Over twelve-hour RPO

This is data that may be able to be recreated or re-collected in some manner, and time is not as much of an issue. Or perhaps it’s data your company has hard copies of elsewhere or isn’t critical to your business operations.

Depending on the complexity of your business, you may have less than or more than four tiers. You may have some data that is so sensitive and critical that you need a category just for near-zero. Alternatively, you may have a tier that allows for an RPO of days—or even weeks or months.

The key is asking the right questions as you’re classifying data and determining those RPOs. Are you in an industry that is highly regulated—such as financial or medical—in which data loss may put literal lives on the line and/or have legal factors associated with the protection and accessibility of highly sensitive data? What SLAs apply to specific data? Is there data without which your organization is unable to function at all? Is there data that exists in hard copy elsewhere or is more or less easily recreated? If it does exist elsewhere or can be recreated, how does the volume of the data impact that (e.g., two boxes of hard-copy files will be easier to get back into your system than a warehouse full of them). What is the cost of recreating or re-collecting the data versus the cost of recovery?

Understanding the answers to these questions will give you an initial handle on how to classify your data and their associated RPOs. It will always be a balancing act. Your RPOs determine how, where, and how often you backup your data. The more data you classify as top-tier, mission-critical data, the more expensive it will be to ensure continuous protection of that data.

Why is RPO important?

What options are there for different RPO lengths?

Wrap-Up

Your Disaster Recovery Plan incorporates both your Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and both require you to weigh the tradeoffs between downtime and loss of data and the complexity and expense of setting up the systems to ensure a swift return to pre-incident operations and data backup solutions that ensure business continuity. While RTO involves your entire IT infrastructure, RPO is laser-focused on data. RPO is simply the maximum amount of data loss—measured in time—your company can withstand without significant harm. Your company will have different RPOs for different data based on a number of factors, including how critical the data is to your business, legal and reputational implications, the ability to recreate the data, and the cost and complexity of the solutions necessary to meet shorter RPOs. With the rise in number and complexity of ransomware, as well as the myriad other potential data loss incidents, ensuring your RPOs are correctly calculated and finding the right solutions to achieve them will be key to your business surviving when disaster strikes.

DATA PROTECTION

DATA THREAT ANALYTICS

DATA SECURITY POSTURE

CYBER RECOVERY

CLOUD & SAAS

ENTERPRISE

INDUSTRIES

RESOURCES

CASE STUDIES

CONNECT

LEARN & EXPLORE

ALLIANCE PROGRAM

RESELLER PARTNERS

SERVICE DELIVERY PARTNERS