Ask Our VP of Compliance: June 2019

A common question topic posed to me from both non-IT and IT professionals alike revolve around the concept of RPO and RTO with regards to Business Continuity Management.  Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a sound disaster recovery plan.


The RPO and RTO, along with a BIA (business impact analysis), provide the basis for identifying and analyzing viable strategies for inclusion in the business continuity plan. Viable strategy options include any which would enable resumption of a business process in a time frame at or near the RPO and RTO.


RPO vs. RTO… what’s the difference? I know they sound the same… so, can they be used interchangeably? How should my business determine them?


Let’s jump right in!


What is RPO?

RPO: Recovery Point Objective

Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”


RPO designates the variable amount of data that will be lost or will have to be re-entered during network downtime.


If you back up all or most of your data in regularly scheduled 24-hour increments, then in the worst-case scenario you will lose 24 hours’ worth of data. For some applications this is acceptable. For others it is absolutely not.


What is RTO?

RTO: Recovery Time Objective

The Recovery Time Objective (RTO) is the duration of time within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity. In other words, the RTO is the answer to the question: “How much time did it take to recover after notification of business process disruption?”


RTO designates the amount of “real time” that can pass before the disruption begins to seriously and unacceptably impede the flow of normal business operations.


How are they similar?


  • Recovery time and recovery point objectives differ according to application and data priority. Even the most deep-pocket corporation cannot afford to deliver near-zero RTO or RPO for all applications, nor should they.
  • The only way to assure 100% uptime (RTO) and no lost data (RPO) is by investing in failover virtual environments with continuous data replication.
  • IT prioritizes applications and data to match the expense of achieving RTO and RPO. Note that priority is not only guided by revenue but also by risk. A company may use an application infrequently, but if its data is regulated then data loss may result in big fines.
  • Both RTO and RPO are measured in units of time. For RTO, the metric is the amount of time that passes between application failure and full availability including data recovery. RPO is also measured in units of time. The metric is the amount of time between the loss of data and the preceding backup. For both RTO and RPO, application/data priority translates directly into shorter units of time.


How are they different?


  • Despite their similarities, RPO and RTO serve different purposes. RTO is concerned with applications and systems. The measurement includes data recovery but primarily describes time limitations on application downtime.
  • RPO is concerned with the amount of data that is lost following a failure event. An annoyed user is one thing. But losing hundreds of thousands of dollars in customer transactions is far more than mere annoyance. It is catastrophic.



Digital Edge’s Disaster Recovery and Business Continuity Solutions bring together backup, disaster recovery, and archival in the cloud, removing the burden of legacy infrastructure and significantly lowering organizations’ expenses. It simplifies the process by enabling managers to back up straight to a secure cloud environment. It also mitigates the difficulty of managing mixed environments from a central location, as many times remote agency sites lack the tools to protect their data.


For more information, contact us today!

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance.  With a passion for information security and organizational compliance, Danielle’s vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization, while staying in compliance with all regulatory bodies and companywide policies. Specializing in security frameworks and policies such as: ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPPA, GDPR, PCI, OSPAR, and more!