RPO and RTO: What They Are and Why They Matter

December 14, 2017
Data Protection, Disaster Recovery

In an industry (IT) notorious for its abundance of acronyms, it’s easy to dismiss RPO and RTO as the same thing or, at the very least, not that much different from one another. Recovery point objective (RPO) and recovery time objective (RTO) do sound very similar. Both are key metrics in business continuity. Both involve a disruption to business in which data and/or systems are unavailable.

Is it that much different to recover data back to a certain point as opposed to recovering it in a certain amount of time so your business can be back up and running?  The answer is a “yes,” and it’s because neither concept is solely about data recovery.

Know Your RPO

RPO refers to the point back in time from which you want your critical data restored after a system disruption or failure. It tells you how much time from the point of the outage you can afford to lose. RPO can be measured in intervals ranging from minutes, hours, or even days. A smaller RPO means that less data is lost, which is critical for normal business operations.

RPO determines the frequency with which you’ll need to replicate data from your production site to a DR site. To achieve a smaller RPO, you need more frequent backups. If your RPO for an application is one hour or less prior to disaster, you’ll need to replicate data at least hourly. If you can’t afford to lose any data, ever, you’ll need to implement synchronous replication for that application. That means your data must be written to a DR site at the same time it’s being written at your production site.

Keep in mind that the lapse after your last backup translates into lost data, and can have major repercussions if your business relies on that data for its normal operations. However, it’s not necessarily good business sense to back up everything or to back it all up frequently. The more frequently you back up, the more copies you must maintain. And, backups aren’t free.  

Know Your RTO

RTO refers to how quickly you must restore access to data and IT systems after a disaster or other business-disrupting event occurs, so your business can be up and running again.  In simple terms, it’s the maximum tolerable length of downtime following a disaster. It’s less about data loss, and more about having the application or data available. Not all data, applications and system have the same RTO, because some aren’t as important for day-to-day business continuity. Your internal data warehouse may need to come back online in several hours, while a customer-facing website may need to be back up immediately. By quantifying and ranking the RTOs for each critical process, you’ll be able to prioritize resources to restore the ones with lower RTOs before the rest of them.

The Pre-RPO/RTO Steps

To define RPO and RTO for your company, you’ll need to answer several questions. Among them: Which of your IT assets are most important for ensuring your business can keep operating?  Which would you need access to first following a disaster?  Which could wait?  How long could you wait for access?  Following these steps will help with the answers:

  • Inventory your assets to determine what you have. Get input from others within your company as “shadow IT” could have introduced essential data and applications without the knowledge of your IT department. Identify any application and system dependencies.
  • Conduct a risk assessment to examine the vulnerability of your IT assets to events that can cause downtime. Look at all possible disaster scenarios, as well as weaknesses that could make your IT assets susceptible to disaster or other business disruption.
  • Perform a business impact analysis (BIA) to determine the operational, financial and reputational effects to your business if your IT assets were not available. Look at the assets individually. Determine their importance to your company’s ability to conduct business. Establish the priorities for restoring business functions and related data or applications. Don’t forget about any compliance requirements.
  • Consult third-party companies that specialize in disaster recovery (DR) and business continuity (BC). They can help you with these steps, as well as evaluate the various strategies for achieving your company’s RPO and RTO requirements.


By understanding and defining your company’s RPO and RTO requirements, you can identify and put in place the resources needed to minimize the effects of any business-disrupting event, from a natural disaster to a cyber-attack. For more information, take advantage of these free resources from US Signal:

A Guide to DR Planning

Data Protection 101

Or, talk to a US Signal expert. Call 866.2. SIGNAL or email [email protected]