If you have an RPO of 0 hours what does that mean
|
Let’s say that the zero hour is 5pm the next day. That’s a little worse, because you had a whole 8am to 5pm most likely of people going in and changing data, new data arriving, email in and out. That’s a little different, that’s 21 hours and a lot of data changed. Show
That’s a much bigger impact to the organization and more data that have to be recreated or you’re just going to have to not ever get back. That’s got a bigger impact to the organization. From an RPO perspective, you try to define what is the most data we could lose, because you can’t always trust that the failure is going to happen in the morning before the next workday starts. You could have a disaster all the way up till 7:59 till we get another backup at 8pm that next night. So your exposure is 23 hours and 59 minutes for an RPO that does a once a night backup. The impact of this as you start planning for your backup strategy and your Business Continuity Plan, it’s really all about money. How much money am I losing when my users are not working and connected to the data they need to do their jobs, just as much as you have the impact you think of the impact of how much data dip could we possibly lose in this scenario. Disaster recovery planning is all about trying to have the lowest cost solution and the least amount of impact cost wise to the organization for that data being offline. When developing Business Continuity Plans (BCPS) or Disaster Recovery Plans (DRPs), two terms appear quite often: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). While paramount to the definition of BCPs and DRPs, RTO and RPO aren’t easy concepts to understand, which can lead to plans that either allocate more resources than needed, or to plans that won’t achieve the expected outcomes. In this article, you will see how ISO 22301, the leading ISO standard for business continuity management, defines these parameters, as well as examples of their application and how they can be used to build robust and reliable plans that allow the optimization of resources considering the desired outcomes. What is the RTO?, which defines the vocabulary for ISO 22301, provides a definition for the Recovery Time Objective, or RTO, which can be understood as the amount of time after a disaster in which business operation is retaken, or resources are again available for use. For example, if the RTO is 2 hours, then it means you want to resume delivery of products or services, or execution of activities, in 2 hours. What is the RPO?Still according to ISO 22301, the definition of the Recovery Point Objective, or RPO, can be understood the best if you ask yourself, for a given operation, how much data loss can you afford in terms of time or in terms of amount of information. Think about a database for recording all transactions in a bank (e.g., payments, transfers, scheduling, etc.). The database to be recovered must be practically equal to the database at the moment of the disaster (i.e., the difference close to zero), because even in just a few minutes, hundreds of transactions can be made, and this information cannot be lost and cannot be easily recovered in some other way. In this case, the RPO is near zero, which means that the backup needs to be done in real time. Now think about a source code repository where software developers keep their work. It is relatively easy to rewrite one day of lost coding for a software developer, but more than that can be difficult or impossible to recreate. In this case, the RPO would be 24 hours, which means that the backup needs to be done at least every 24 hours. The point is, the harder it is to recover or recreate the data, the shorter the RPO needs to be. What is the difference between RTO and RPO?The main difference is in their purposes – being focused on time, RTO is focused on downtime of services, applications, and processes, helping define resources to be allocated to business continuity; while RPO, being focused on amount of data, has as its sole purpose to define backup frequency. Another relevant difference is that, in relation to the moment of the disruptive incident, RTO looks forward in time (i.e., the amount of time you need to resume operations), while RPO looks back (i.e., the amount of time or data you are willing to lose). What are RTO and RPO in disaster recovery?RTO is used to determine what kind of preparations are necessary for a disaster, in terms of money, facilities, telecommunications, automated systems, personnel, etc. The shorter the RTO, the greater the resources required. RPO is used for determining the frequency of data backup to recover the needed data in case of a disaster. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in big danger, but if you did it every hour, it might cost you too much and not bring additional value to the business. Both Recovery Time Objective and Recovery Point Objective are determined during the business impact analysis (BIA), and the preparations for achieving them are defined in the business continuity strategy. See these articles to learn more about RTO, RPO, and BIA: Five Tips for Successful Business Impact Analysis, and Backup policy – How to determine backup frequency. Should RPO be less than RTO?Although RTO and RPO are both crucial for business impact analysis and for business continuity management, they are not directly related; but they don’t conflict, either (there is no such thing as RTO vs. RPO), so RPO does not need to be less than RTO or vice-versa – you could have an RTO of 24 hours and an RPO of 1 hour, or an RTO of 2 hours and an RPO of 12 hours. For example, an e-commerce site may need to be online 4 hours after a disruption, so RTO is 4 hours. Now, this same e-commerce site has two databases, one for its product catalog, which is updated once a week, and the second to record sales (thousands per day). The RPO for the first database can be 1 week, but for the second, the RPO should be near zero. Continuity management is more about preparation and less about guessingBusiness continuity and disaster recovery plans are things that organizations need to have and hope not to use, and in such cases, they need to find a balance between investing the minimum amount of resources possible, and having the maximum confidence that the plans will work. To achieve this balance, RPO and RTO are paramount. Without determining them properly, you would just be guessing – and guessing is the best way to ensure recovery disaster, instead of recovery from a disaster. You can also check out this free webinar: Implementing Business Impact Analysis according to ISO 22301, which describes how to gather all information necessary for RTO and RPO calculation. Can you have an RPO of zero?This data loss is often measured in terms of time, for example, 5 hours or 2 days worth of data loss. A zero RPO means that no committed data should be lost when media loss occurs, while a 24 hour RPO can tolerate a day's worth of data loss.
What is a good RPO time?Experts recommend not implementing an RPO of more than 24 hours, as having a daily backup is a bare-minimum best practice for nearly all data at any time of day.
What does RPO status mean?Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization.
What does high RPO mean?A shorter RPO means losing less data but requires more backups, more storage capacity, and more computing and network resources for backups to run. A longer RPO is more affordable, but it means losing more data. Calculation variables may also differ according to the classification of data.
|
