If all your systems went down tomorrow, would you know where to start in order to get everything up and running again? For almost all businesses, downtime results in substantial loss of revenue, has repercussions for your brand reputation and often causes data loss. Disaster recovery (DR) plans are designed to mitigate such consequences and help you resume operations as quickly as possible when your IT is offline. The key to an effective DR plan? Knowing your RPO and RTO in advance.
What’s your worst-case scenario? It probably depends on what industry you’re in, but the aim is always going to be the same – to get back up and running in as little time, and as cost effectively as possible. In order to map out how you get there, set some parameters to help you identify what measures, and what solutions, you need to put in place. That’s where RPO and RTO come into play. By understanding your recovery point objective (RPO) and recovery time objective (RTO), you can begin to plan how your business needs to react in a disaster (floods, fires, power outages and any other event that renders your systems and the data within totally inaccessible).
When did you last backup your data? More importantly, how much data can you afford to lose before the impact on your business becomes irreversible? Once you answer the latter, you can work out how often you need to be taking a snapshot of your data, just on the off chance your systems go down. This is how you set your RPO. It’s measured in time, so if you can stand to lose no more than 4 hours’ worth of data, you need to be carrying out a backup at least that often. In other words, your RPO is 4 hours.
When setting an RPO you need to balance your ideal scenario with the cost implications of more regular backups. You may wish to back up almost constantly, ensuring minimal data loss in the event of a disaster, but this would come at additional expense. For example, it may mean investing in extra hardware stored in datacentres across multiple geographical locations in order to keep your data safe – it’s unlikely that a disaster will strike in more than one location. This comes with setup costs and requires ongoing expenditure for maintenance.
Another option would be to replicate and store your data in the cloud using a disaster recovery as a service platform. This eliminates additional hardware costs, is managed by your provider and can be activated exactly when you need it. Your data can be retrieved efficiently, and costs are more manageable as you’re only billed per hour of activation.
When weighing up your RPO and the appropriate solution, take into account the potential leads you could lose, the engineer hours it would take to reproduce lost work, and any GDPR implications that could be associated with the loss of any sensitive data. Your calculation will then give you your unique recovery point objective, whether it’s 1 hour, 24 hours, a week or more.
In addition to your RPO, your RTO is crucial to establish. Your recovery time objective is all about working out how long critical business operations can be maintained without access to your ‘normal’ infrastructure i.e. during downtime. From the moment your systems go offline to the point at which everything is back up and running – that’s your RTO. This includes recovering the data and applications that are required to restore operations and works hand in hand with your RPO – as the more data you lose, the longer operations may take to reset. You might decide you need all systems restored within an hour, but if the physical work required takes 3 hours, your RTO will always be unachievable.
Calculating your RTO can be more difficult than working out your RPO, simply because there are more variables to consider. For example, would your business be more, or less, impacted if the disaster happened on a weekend? The answer is likely to be specific to your business. Seasonal peaks and troughs will all need to be considered. If you prepare for your specific worst-case scenario – unplanned downtime during peak sales period for example – and set a challenging RTO, you might find your solution becomes costly.
Once you know exactly how much data you can afford to lose, and how long you can survive unplanned downtime, it’s time to build out a plan to ensure your RPO and RTO can be met if a disaster occurs. These objectives help to set realistic expectations for your IT teams, giving them a goal to work towards, whatever the scenario.
Build out key responsibilities, system priorities and decide what solutions you may need to invest in to meet your goals. This will become the core of your DR plan, which will then sit at the heart of your business continuity plan (BCP). With the granular details of how you’ll recover your data and systems covered in your DR planning, the BCP can look at the bigger picture, encompassing everything from crisis comms to employee welfare.
Why are more than a third of SMEs using disaster recovery as a service as the basis of their DR planning? Download our free whitepaper to find out.