Business Continuity: RPO & RTO

Business Continuity is a subject that comes up daily in conversation with my clients. Essentially they have an IT infrastructure comprising servers, applications, data and connectivity. You need all of these things to talk to each other, and the more comprehensive the setup, the more power you have to control the environment. What I mean by this is that if someone invests little in IT, they are very limited in how flexible they can be when it comes to planning for things like continuity. However, it doesn’t really cost the earth to obtain solutions that would really protect your business from prolonged downtime. In my experience, a decent level of continuity has only got easier to obtain in recent years with the introduction of various cloud platforms. Cloud is a massive buzzword at the moment, but behind all the fancy marketing there is some benefit to be had by organisations. When preparing a proposal and beginning a scoping exercise with my clients, these are the things that I discuss.

RPO – Recovery Point Objective

Recovery point objective, or RPO, is a complex concept geared specifically towards data backup. A business that relies heavily on data is vulnerable during a shutdown. Consider, for example, a company that maintains a database that feeds an ecommerce site. If disaster strikes the datacentre, the inventory disappears or becomes out of date. As part of business continuity planning, the management must figure out how long they can afford to have no access to that system before the business fails or, in other words, how much data they can afford to lose before it has serious consequences for their business. The answer is crucial to developing a system backup and disaster recovery schedule.

If that same business has a revolving inventory, updating the backup every hour improves the odds of recovering after the main system goes down. Companies that have few changes to their database might be able to update once a week and still stay in business. 
RPO is that deadline: the amount of data a business can afford to lose before the failure causes severe problems or shuts them down.

RTO – Recovery Time Objective

Recovery time objective, or RTO, is simpler. It is a target time for resumption of their IT activities after a disaster has struck. A business that can afford to take a week before being fully operational again does not need to put as much money into disaster recovery preparation as the organisation that needs the doors open within two hours.

A data entry operation has a short RTO, so the company should invest heavily in disaster recovery systems, maybe even a second DR site. This secondary location would maintain a full system backup with workstations able to support the business if the main office is unable to open. A small boutique would have a longer RTO and not budget for a disaster recovery centre.

RPO vs. RTO

RPO is specifically about data backup in order to maintain continuity. It is essential to determining how often a business should schedule data backup on their network. RTO is how long it will take an organisation to get back up and running to the Recovery Point Objective.

Although one does not necessarily have anything to do with the other, they are both elements in disaster recovery and business continuity management. One is about how long the company can survive without data while the other is about how long they can take to reopen their doors. A company could have an RPO of three days, but an RTO of just one. For example, a restaurant may be able to operate without a computer system, but they lose money and inventory with the doors shut.

RPO and RTO are important business concepts for companies to consider when developing a system that allows them to survive after disaster strikes. Although not directly related, they are both a necessary part of the process.

HA – High availability

If a client has specific needs for a service to never go down, having a desired 99.9% uptime target, then High Availability (HA) is something that should be considered. Mostly I have seen this achieved by creating a synchronous replication between your production servers and a target site such as a data centre, or another part of your building should it be big enough. For example, I have clients that are large schools and colleges where separate buildings allow for such a solution to be implemented.

Using some of VMware vSphere’s Enterprise features, these achievements can be met, but only with careful planning and a technical architect to design your solution for you.

Backups

When it comes to RPO, what’s important is the backup technology you have decided to use. If you are using VMware, then something like Veeam will allow you to customize backups to the point where you can choose different backup windows for different servers, allowing you to reach your RPO goal for a specific service within your business. The hardware on which the backup resides is also very important, as when you have a disaster and need to recover, you want to be able to rely on that backup being recoverable. Tape technology has been widely used over the years and still is today; however, to keep multiple versions of backups and have the ability to easily test them, something different is needed, such as a NAS, SAN or something bigger like a 3PAR. Even provisioning old servers from a refresh exercise means you can recycle servers to make use of them when they have no use in the production environment anymore.

End User Continuity

A growing trend in IT today is clients wanting the ability to offer their user base continuity that matches the underlying server infrastructure. It’s all well and good having a highly available server setup, but if the user loses their desktop then it becomes pointless having invested in all that tech. End user continuity can be achieved through technology such as VMware Horizon View (see my article on this), so I feel this is a conversation that should be had at the same time as the server continuity, and for the business in general.

My advice to anyone looking to implement a solution to protect their business is to start with what you can’t be without, then add the less important services to that list with the RPO and RTO for all. Then speak to your IT Partner to see what they can offer; that way you will get a solution that is based on your specific requirements and likely to filter out the over-enthusiastic salespeople who will just try flogging you a solution without scoping it properly.
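As an added example (not part of the original post), the per-service list of RPO and RTO targets described above, and the per-server backup windows from the Backups section, can be checked against actual backup history. The Python below flags any service whose longest gap between restore points exceeds its RPO, or whose last restore test exceeded its RTO or was never run; all service names, targets and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

H = timedelta(hours=1)
NOW = datetime(2024, 3, 4, 12, 0)  # constructed evaluation time

# Constructed inventory: names, targets and timestamps are illustrative only.
SERVICES = {
    "ecommerce-db": {
        "rpo": 1 * H, "rto": 2 * H,
        # successful restore points only; two hourly jobs in between failed
        "backups": [NOW - 5 * H, NOW - 4 * H, NOW - 1 * H],
        "restore_test": timedelta(minutes=95),
    },
    "file-server": {
        "rpo": 24 * H, "rto": 24 * H,
        "backups": [NOW - 40 * H, NOW - 16 * H],
        "restore_test": 30 * H,
    },
    "archive": {
        "rpo": 168 * H, "rto": 168 * H,
        "backups": [NOW - 100 * H],
        "restore_test": None,  # backup has never been test-restored
    },
}

def worst_data_loss(backups, now):
    """Longest window with no restore point, including newest backup to now."""
    points = sorted(backups) + [now]
    return max(b - a for a, b in zip(points, points[1:]))

def assess(svc, now=NOW):
    """Return a list of findings for one service; empty means targets are met."""
    findings = []
    if not svc["backups"]:
        return ["no restore points at all"]
    gap = worst_data_loss(svc["backups"], now)
    if gap > svc["rpo"]:
        findings.append(f"RPO missed: {gap} exposure vs {svc['rpo']} target")
    if svc["restore_test"] is None:
        findings.append("RTO unverified: no restore test recorded")
    elif svc["restore_test"] > svc["rto"]:
        findings.append(f"RTO missed: restore took {svc['restore_test']}")
    return findings

def report(services=SERVICES):
    return {name: assess(svc) for name, svc in services.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else findings)
```

Measuring the gap between successful restore points, rather than reading the configured schedule, is what exposes failed jobs: the hourly database job above looks compliant on paper but leaves a three-hour exposure.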

One response to “Business Continuity: RPO & RTO”

  1. When I originally commented I appear to have clicked the -Notify me when
    new comments are added- checkbox and from now on whenever a comment
    is added I receive four emails with the same comment.
    There has to be a way you can remove me from that service? Thanks!
