RPO and RTO are both equally important when it comes to setting the parameters of a disaster recovery or data protection plan. They ensure that your downtime and data loss is kept to a minimum to keep you running as smoothly as possible in the event of a disaster, be it natural, accidental or even after cyber-attacks. While they sound similar, they each measure separate facets of your recovery planning and need to be understood as such.
RPO – Recovery Point Objective, the interval of time between data states captured in backups. Ask yourself: how much data can your business afford to lose? To figure this out, think about the way data changes in your organization. Can you tolerate a few hours or a few days worth of lost emails, customer records, document changes, financial records, inventory records, or database changes? When planning your RPO it is wise to think about the time and cost of a “redo” to recreate lost data or renter changes, as that is how you will determine your backup schedule. The more frequent incremental backups are captured the less data will be lost. It is also important to consider how rapidly the backups can be placed onto offsite storage as a separate RPO to protect from data loss caused by a total halt of all onsite systems affecting both production and backups.
RTO – Recovery Time Objective, the amount of time required for your organization to enact disaster recovery and go from backups to running production systems. The RTO must not exceed the maximum amount of time your organization is able to survive being non-operational should a disaster strike. The quicker the recovery time, the more costly it will be to guarantee you will be up and running in the time allowed. You need to weigh the amount of loss caused by downtime compared to the out of pocket costs for backup+DR systems when coming up with a RTO for your business.