How to Determine Your Recovery Point Objective (RPO)

Statistics show that as many as 40-60% of businesses never re-open their doors after a disaster occurs. 

For those that do open, Forbes claims, “only 29% were still operating after two years.  And guess what likely becomes of those that lost their information technology for nine days or more after a disaster?  Bankruptcy within a year.”

To avoid this happening to you it is imperative to implement a disaster recovery strategy. 

Recovery Point Objective or “RPO” is one of the most important parameters when it comes to ensuring business continuity. Basically, your RPO is the amount of time in which a company must restore its operations after a disaster has occurred. This might include a cyberattack, natural, or industrial disaster. 

To determine your RPO, you will need to work out how much of the data contained within your systems and applications you can do without. 

For example, if your business is able to lose three hours from the exchange server without it having a severe impact on your business, your RPO will be three hours. It will also set how often you will need to make backups as well as understand which backups are necessary for you. 

The Importance of an RPO

To understand the value of an effective disaster recovery strategy, we can look at previous examples where well-known companies went wrong.

Delta, the world-famous airline company, lost more than $150 million in revenue due to an IT infrastructure outage in 2016. The five-hour computer outage meant that the airline had to cancel approximately 1,000 flights on the day as well as another 1,000 flights in the following few days.

On the other hand, when hurricane Harvey hit Southeast Texas, Gaille Media, an internet marketing company was ready for the chaos that ensued. As Lake Houston overflowed, the offices of the small marketing business were flooded leaving them destroyed fir the following three months.

Gaille kept all of its vital data stored in the cloud meaning that its staff were able to work from home as they never lost access to critical documents. 

Determining Your RPO

When considering your RPO, you will first have to create a list of all systems and applications that your business uses to successfully complete operations. Then, it is important to clarify as to which functions they perform and how users might be affected by their loss.

It is also imperative to calculate the potential financial losses including loss of sales or salaries that would need to be paid to idle workers. This needs to be done for each application. Additionally, different times of the year need to be taken into consideration as they all bear varying degrees of consequences.

After calculating these possible situations, you must determine how long you can keep functioning before these losses become impossible for you to handle. 

If you hold customer data, what are the service obligations you have with them? This might give you a clue as to how quickly you must recover the data. Are there customers that need real-time access to their data. Maybe you have a website selling products which will result in direct financial losses if it goes down? These are all questions that need to be thought about when determining your RPO.

As soon as you have the answers to these questions and have the recovery time for each application you will be able to calculate your RPO. If there is one particular application that will cause the most amount of damage to your business, you will need to use the time that it takes to recover that application as your RPO. Otherwise, if they are all equally valuable you can use the average time that it would take for all of them and utilize that as your RPO.


by JP Buntinx via The Merkle News

Comments