Why RPO and RTO are so important to effective disaster recovery

Why RPO and RTO

Business continuity is at the forefront of most IT departments. Between human error and hardware failure, no environment is completely free of risk. And with 236.1 million ransomware attacks worldwide during the first half of 2022, odds are that your organization will be targeted at some point if it hasn’t already. When it does and your network is crippled by a ransomware attack, you have only two options: pay thousands of dollars to free up your system, or restore your system with clean, but older, backups.

Paying the ransom buys the key that could free up the system immediately. However, there is no guarantee that the culprits won’t just take the money and leave your system frozen. Your safer alternative – for either ransomware or other type of data or hardware loss — is to rely on backups that can bring you back to normal with minimal data loss and acceptable downtime.

If your disaster recovery plan relies on DRaaS platforms like Veeam, you have the means to restore your system and be back online quickly. Defining “quickly” is determined by RPO and RTO. For example:

  1. If the last time you backed up was four hours before the crippling attack, you have lost four hours of data. If that data loss is acceptable and you can bridge the gap with paper orders and landline telephones, you have established a recovery point objective (RPO)—or a restore point objective.
  2. If it takes 24 hours to bring your system back to normal, you will have lost the income and productivity that timeframe represents. If you can live with that maximum 24-hour downtime, you have established a recovery time objective (RTO).

Definitions of RPO and RTO

Along with the foregoing examples of RPO and RTO, let’s look at the formal definitions of each:

Recovery point objective (RPO), according to Technopedia, is “the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs.”

RPO is the window in time between your last backup and when disaster strikes. If you only back up your system each day at 5 p.m. and disaster strikes at 4:55 p.m., you have lost everything you have done that entire business day.

Recovery time objective (RTO) is “the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations or service levels.” 

Your business continuity plan must have already identified critical applications and services. RTO, then, is your acceptable downtime. RPO is the acceptable age gap of the data.

How RPO and RTO work together and are components of a BCDR/DR plan

The terms RPO and RTO can blend together in planning for disaster recovery. Their major differences are:

  • RPO is the point in time in the past to which you need to recover 
  • RTO is the point in time in the future where you will be up and running again

Your business continuity/disaster recovery plan must factor in the consequences of data loss and downtime. RPO and RTO are the objective measurements of time and effects on how quickly—and, sometimes if—a business can continue after a serious disruption. 

So, with RPO, the question is, how often should mission-critical data be backed up? If there’s a ton of data migrating through the network, you need ahigh-performance storage and backup system, and bandwidth. The answer lies in a cost-benefits analysis that pinpoints the most important data and the effect of its loss on your operation.

With RTO, the other question is, what is the maximum length of time the business can stay offline before customers start going elsewhere? Your business continuity plan needs to measure the timelines involved in your product/services pipelines. How long can the business stay afloat without application support? 

So RPO and RTO work together in the process of business continuity planning. They identify past and future elements of the business operation so that if the present involves a disaster, you’re ready to face the challenge of moving forward.

How RPO and RTO factor into your SLA for DRaaS

Data Recovery as a Service (DRaaS) utilizing Veeam is your ticket to quickly returning to normal when your system or hardware fails, you are the victim of ransomware, or you must fully restore all or a portion of your IT environment due to other factors. When any of those events happen, RPO and RTO become very important so it’s important to have them outlined in your service level agreement (SLA). The SLA with your DRaaS service provider will be tailored to your business continuity planning for backup, restoring and guaranteeing a targeted time to returning your business to normal operations.

Your DRaaS provider will define their standard RPO and RTO parameters in their SLA, however, if your agreed mission-critical requirements are different than the standard recovery times, then you should discuss your options with your DRaaS provider. Your RPO and RTO metrics need to be aligned with your business recovery objectives, which, in turn, must mesh with benchmarks and performance targets of the provider’s SLA and your budget.


RPO and RTO are critical to your disaster recovery strategy and should be addressed with your BCDR (Business Continuity Disaster Recovery) plan. Prioritizing the importance of each network application and the order in which they need to be recovered will help you determine acceptable RPO and RTO that both meet your needs and your budget. RPO and RTO with super short windows translate to greater resilience, but the service fees can be greater. 


Submit a Comment

Your email address will not be published. Required fields are marked *