business plan for rto

What Are Recovery Time Objectives (RTO) Best Practices?  

• October 19, 2023

Daniel Naftchi

Co-founder & CTO

Maximizing Business Resilience With RTO and RPO: A Guide to Best Practices

The recovery time objective and recovery point objective are crucial elements for cybersecurity.

With similar-sounding acronyms, both are significantly different.

The Recovery Time Objective concerns the downtime your business can tolerate after an incident or a disaster. Recovery Point Objective, however, talks about how much data your business can afford to lose before any harm occurs.  

According to the latest research by ITIC, the hourly cost of downtime has exceeded $300,000 for about 91% of SMEs and large enterprises. All in all, about 44% of respondents reported that even one hour of downtime could cost them more than $1 million .

If you are still wondering what RTO and its importance are, keep reading.

What is the Recovery Time Objective, and Why is it important?

The Recovery Time Objective (RTO) is focused on the time frame within which an organization can resume its normal operations after a disaster.

Per the definition by the Computer Security Resource Center , The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.

One of the significant goals of RTO is to determine the time duration required for a recovery process to come into action after a major incident and for businesses to resume their normal operations.

So now that you know what RTO is and its goals, let’s delve into its importance.  

T he Recovery Time Objective is critical for various reasons, including:

• Reducing downtime
• Financial losses mitigation
•  Customer trust maintenance
• Meeting the regulatory requirements
• Safeguarding reputation and managing risk

Operational continuity, resource allocation, effective planning, and training and improvement are some of the critical features of RTO.

The recovery time objective is important as it offers a measurable and practical framework for your organization to both plan for and respond to disruptions effectively. RTO contributes to your business’ resiliency and continuity.

Why is RTO Important in Business Continuity?

Recovery Time Objective (RTO) is a critical concept in a business continuity plan.

RTO is the maximum time your business can afford to survive without certain functions or systems after a disruptive event like a cyberattack, hardware failure, or a natural disaster. The recovery point objective is a significant metric used to determine how quickly your business can bounce back and resume its operations to avoid any negative consequences.

Let’s understand the relationship between recovery time objective and business continuity.

Defining Recovery Goals:

RTO is your guide that helps in establishing recovery goals within your business continuity plan.

RTO will help your business set specific targets. These targets will help you decide how quickly you will need to restore your critical functions and systems to minimize disruptions.

Influencing Resource Allocation:

During the planning phase, the recovery time objective influences resource allocation and helps your organization in prioritizing the systems/processes, which have to recover first and accordingly allocate the resources. The shorter the recovery time objectives, the higher the priority and more resource allocation.

Risk Assessment:

The recovery time objective is based on the potential risks and impacts your business faces.

It typically considers financial losses, customer dissatisfaction, regulatory compliance, and reputation damage as some of the critical factors. By assessing these risks, organizations can tailor their business continuity strategies more effectively.

Technology and Infrastructure Planning:

The recovery time objective considerations affect technology and infrastructure decisions. Businesses may invest in redundant systems, backup data centers, or cloud services to meet their recovery time objective requirements. These investments aim to ensure that critical operations can be quickly restored in the event of a disruption.

Testing and Training:

Recovery Time Objective plays a crucial role in the testing and training phases of a business continuity plan. Organizations can meet their RTO targets with regular testing. Staff must be trained to execute recovery procedures effectively within the specified time frames.

Continuous Improvement:

Business Continuity Plans have to be reviewed and updated periodically to reflect technology, operations, and risk changes. Recovery Time Objective may be adjusted as part of this process to align with evolving business needs and objectives.

Compliance and Reporting:

For some industries, the regulatory requirements mandate certain recovery time objectives for specific critical data or functions.

It is essential to meet those compliance or else there could be legal implications.

Recovery time objective is a crucial component of a business continuity plan as it helps your business to determine how quickly you need to recover after a disruption happens. A well-defined recovery time objective is essential for minimizing downtime, mitigating financial losses, and maintaining customer trust during and after a crisis.

Understanding the Roles of RTO and RPO in Disaster Recovery

The two critical metrics in disaster recovery planning are RTO and RPO. 

These metrics help your organization to define and measure the preparedness and ability of your business to recover from different disaster types like natural disasters, hardware failures and cyberattacks, or any other disruptive events.

Let’s Understand What Role RTO Plays in Disaster Recovery.

• It prioritizes recovery efforts. 
• It sets clear expectations. 
• It allocates resources per their requirements. 

Role of RPO in Disaster Recovery:

• It protects data during a disaster.
• It helps in risk management. 
• Application recovery and synchronization is another critical role of RPO.

RTO and RPO are fundamental concepts in disaster recovery planning.

While RTO focuses on downtime, RPO focuses on data loss.

RTO and RPO are interconnected and must align with your organization’s overall business continuity strategy. They are critical for creating a disaster recovery plan that meets business needs while managing the associated risks and costs effectively.

Key Differences Between RTO and RPO

Rto best practices for your business.

Recovery Time Objective’s best practices ensure that you optimize risk tolerance – a critical aspect of risk management and ensure that your operations run smoothly despite a disaster.

Risk Tolerance Assessment with Stakeholders:

• Engage your organization’s key stakeholders like executives, department heads, and IT personnel.  
• Identify and evaluate the risk tolerance levels your business can accept. The step involves understanding how much downtime and data loss your business will be able to tolerate before negative consequences take over.

Realistic Service-Level Agreements (SLAs):

• SLAs are agreements defining the level of expectations in services and performances across the different departments of your organization or your organization and your service providers.
• SLAs should be clear while specifying recovery time objectives (RTO) and recovery point objectives (RPO). While RTO is the maximum allowable downtime, RPO is the maximum data loss allowed.

Rank Your Applications into Tiers Per Their Importance 

• Categorize your applications and data into tiers as per their importance and criticality.
• Tier 1 can include mission-critical applications that need the shortest RTO and RPO.
• Tier 2 can encompass important but not mission-critical applications.
• Tier 3 can include less critical systems.

Existing Backup and DR Technology Effectiveness Assessment:

• Regularly evaluate your current backup and disaster recovery (DR) solutions to understand how well they are meeting your business needs.
• Assess your existing technology for performance, reliability, and scalability.         

Modern Backup and Recovery Technologies:  

• Keep yourself updated on the current advancements in backup and recovery technologies.
• Explore the capabilities of these technologies to improve RTO and RPO and improve data protection while reducing operational risks.

Exercising Due Diligence:

• Conduct thorough due diligence before you implement new backup and recovery technologies or when you outsource these services.
• You must evaluate all the potential vendors or service providers for their track records, security measures, and compliance with industry standards.
• You must ensure the solution you choose aligns with your risk tolerance and SLAs. 

These are some of the best practices that can help you optimize your recovery time objective strategies, minimize downtime, and safeguard your business against data loss and operational disruptions.

Final Words

Understanding and optimizing your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are pivotal for business continuity.

However, in our increasingly digital landscape, the resilience of your Identity and Access Management (IAM) systems is just as vital. Given that IAM is often the backbone of modern enterprises, its failure can be catastrophic, affecting both operational efficiency and cybersecurity. Particularly in cloud-based IAM systems like Okta, the shared responsibility model puts the onus on organizations to safeguard their data and configurations.

Here’s where Acsense can make a difference.

As your trusted partner for enterprise IAM resilience, we offer targeted, automated backup and recovery solutions that align with your RTO and RPO goals. With features like one-click recovery and continuous data verification, acsense enables you to tackle vulnerabilities, be they human errors or cyber threats like ransomware and insider risks.

Don’t leave your IAM resilience to chance.

Book a call with the Acsense team to schedule a demo and learn how RTO and RPO are equally important for your IAM systems and infrastructure to keep its operations up and running during an emergency.

• What is a reasonable recovery time objective? The reasonable recovery time objective is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place.
• What is the best recovery point objective? The best Recovery Point Objective is when it is set to frequently update the files, implying the recovery point is no longer than a few minutes. In short, zero is the ideal recovery point objective.
• What are RTO and RPO requirements? RTO and RPO requirements are the specific values or targets established by an organization to define the maximum acceptable downtime and data loss in the event of a disaster, system failure, or disruption. These requirements are crucial components of disaster recovery and business continuity planning and are tailored to the needs and priorities of the organization.
• What is the RPO industry standard? RPO has no single industry standard that applies universally to all organizations. RPO requirements vary broadly based on factors like business nature, regulatory requirements, data sensitivity, and the technology infrastructure in place. What is an acceptable RPO for your organization may not be adequate for others.

—–

Looking to stay in the loop on the latest IAM trends and updates?

Subscribe to the FiveNines IAM newsletter today and gain access to exclusive insights from industry leaders, groundbreaking companies, and global news outlets. Don’t miss out on the must-read monthly newsletter that delivers the juiciest edition yet of IAM resilience.

Subscribe on Linkedin now and stay ahead of the curve!

Ha’shiezaf st. 4 Raanana 4366411 Israel

Suite 201, 900 Foulk Rd Wilmington DE 19803 USA

• Website Terms
• Privacy policy
• Accessibility Declaration

Subscribe to our Five Nines IAM newsletter

© 2023 by Acsense, All rights reserved

Suite 201, 900 Foulk Rd, Wilmington DE 19803 USA

Subscribe to our newsletter

© 2023 by acsense, All rights reserved

How to Start a RTO: Steps, Costs, Timeline, and Alternatives

• Gianpiero Rusconi
• Last Updated: 7 March, 2024

Interested in establishing your own Registered Training Organisation (RTO)? It’s a rewarding venture that lets you shape Australia’s future workforce. This guide will take you through the precise steps, costs, marketing requirements and necessary considerations for creating your RTO.

What is an RTO

An RTO is a recognised provider of Vocational Education and Training (VET). As an RTO, you will play a pivotal role in teaching practical skills and granting nationally recognised qualifications to your customers.

Starting an RTO: Things to Consider

Starting an RTO is no small undertaking. As with any well-delivered project, consideration needs to be given to planning out the business and opportunity that you see in front of you and working out if it is viable. A great (and fun) place to start is just by reading up about the history of VET in Australia. This will give you a great background and understanding of the industry. More importantly, here are some of the must-have considerations when starting your RTO.

1. Researching Your Market

Kick-start your journey by understanding your potential market. Look for skills gaps in your local industries and decide what qualifications you can offer to fill these. Your market research should cover the demand for these qualifications, potential learners, and competition.

2. Developing Your Business Plan

Your business plan is the backbone of your RTO. This should outline your strategic direction, market positioning, growth plans, financial projections, risk management, and staffing strategy. The Australian government offers a free Business Plan template to get you started.

3. Designing Training and Assessment Strategies

Each RTO must deliver training and assessments compliant with the Standards for Registered Training Organisations (RTOs) 2015. Select the training packages you’ll provide and draft your strategy for training and assessment. Make sure it meets the needs of your learners and employers. If you need some tips on improving your training and assessment strategy , we have the perfect guide for you.

4. Gathering Infrastructure and Resources

Your infrastructure should align with the type of training you’re providing. This includes acquiring suitable training facilities, learning materials, and technology. For instance, a cloud-based platform like Cloud Assess can streamline your operations and make RTO compliance easier.

5. Staffing Your RTO

Staffing your RTO involves recruiting qualified trainers and assessors who also have the necessary vocational competencies. Keep in mind that your staffing should align with the scale of your RTO and the scope of your registration.

6. Common Problems RTO Managers Face

To avoid surprises, you should do adequate research about common problems that RTO managers face . This includes managing copious amounts of paper (if you don’t choose an online solution), managing visibility, ensuring efficiency and growth, meeting compliance requirements, and guaranteeing the best possible student experience.

RTO Registration Process: A Step-by-Step Guide

1. initial registration application.

Starting your RTO involves a detailed initial registration process managed by ASQA (Australian Skills Quality Authority). You should also check out ASQAs detailed guide on initial registration to understand the process in more detail. Here are the crucial elements you need to prepare and submit:

• Business Plan: Your business plan should include details on your strategic and operational plans, market research, financial projections, and marketing strategies. The Australian government provides a free business plan template here .
• Understand the Regulatory Requirements: Familiarise yourself with the VET Quality Framework and the Standards for RTOs 2015. They provide a national set of standards to ensure consistent, high-quality training and assessment services in the vocational education and training (VET) system.
• Self-assessment against the Standards: As part of the initial registration process, you should conduct a self-assessment of how your organisation meets the requirements of the Standards for RTOs 2015. This is a useful tool to ensure that you are meeting all the necessary requirements. This self-assessment allows you to critically examine your resources, practices, and capabilities in alignment with the required standards.
• Fit and Proper Person Requirements Declaration: This form ensures that you, and other key personnel, meet the character requirements set by ASQA. Each person with managerial control must fill out this form. It can be found here .
• Financial Viability Risk Assessment (FVRA) Report: This demonstrates your capability to sustain operations financially. You’ll need to provide a range of financial documents, including forecasted revenue and expenses, and a business viability report. ASQA provides a useful tool here .
• Training and Assessment Strategies: For each qualification, course, or unit of competency you intend to offer, prepare a strategy outlining how you plan to deliver training and conduct assessments. ASQA provides guidelines here .
• Curriculum Vitae for all Trainers/Assessors: You will need to provide evidence of the qualifications and vocational competency of all your trainers and assessors.
• Policies and Procedures: Submit your planned policies and procedures that detail how your RTO will operate and ensure compliance with the Standards for RTOs 2015.
• Pay the Application Fee: The application fee is AUD $600 and is non-refundable.
• Submission of Evidence: After paying the application fee, you’ll have 90 days to submit your evidence of compliance to ASQA via ASQAnet. Make sure to check out some common RTO compliance concerns before submitting your evidence – this can save you a lot of time (and money).
• Await Initial Assessment: ASQA will review your application for completeness, which can take up to 30 days. If anything is missing or needs clarification, they will contact you.
• Risk Assessment and Audit: If your application passes the initial assessment, it moves to the risk assessment and RTO audit stages. These stages generally take 3-5 months but can take longer depending on the complexity of your application and scope of registration. This is explained more in detail in the next part of this post. At this point, you will be invoiced for the assessment at a cost of $8000 AUD.

Before you apply for registration, you should have everything ready because ASQA expects that you’re ready to start operating at the time of application. It’s critical to understand that applying to become an RTO means you’re committing to continuous compliance with the VET Quality Framework , which includes the Standards for RTOs 2015, and other relevant legislation.

Once your application is submitted through ASQAnet , ASQA will conduct an initial assessment, which might be followed by an audit. It’s essential to be prepared and familiar with this process so you can successfully register your RTO.

2. The Audit Process (ASQA Assessment)

The audit process includes both a risk assessment and a more in-depth audit:

• Risk Assessment: Once your application passes the initial assessment phase, ASQA conducts a risk assessment. During this process, ASQA considers various factors such as the proposed scope of your registration, the level of experience your staff members have, and your past compliance history if applicable.
• Notification of Audit: If your application progresses past the risk assessment, ASQA will notify you of the audit. The notice will provide the details of the audit, including the audit’s scope, the standards to be audited against, the proposed audit team members, the proposed dates, and a request for any additional information if required.
• Audit Plan: You will receive an audit plan that will detail the specific processes and practices that will be reviewed during the audit.
• Conducting the Audit: The audit itself may be conducted at your premises or remotely, depending on the circumstances. During the audit, ASQA auditors review your documentation, observe your practices, and interview your staff and students if applicable. They aim to assess your compliance with the VET Quality Framework.
• Audit Report: After the audit, the audit team will prepare a report outlining their findings. If non-compliances are identified, you will be provided with an opportunity to address these.
• Addressing Non-Compliances: If non-compliances are found, you have 20 working days to provide evidence that you’ve rectified these issues. If you need more time, you can request an extension from ASQA.
• Final Decision: After all non-compliances have been addressed, ASQA will make a final decision regarding your RTO registration. If approved, you will receive your RTO registration certificate.

Remember, the audit is an ongoing process, not a one-time event. ASQA conducts regular audits to ensure that RTOs maintain compliance with the VET Quality Framework. Always aim to prepare for and cooperate with these audits to maintain your RTO status.

How Long Does it Take to Start an RTO? Registration Timeline

Overall, the initial registration process generally takes approximately 4 to 6 months. This is split up according to the following steps:

• Submitting your application: The timeline starts with you submitting necessary documentation via ASQAnet.
• Initial assessment stage: Review of your application for completeness, possibly requesting additional information (up to 30 days).
• Risk assessment and audit stages: Duration can vary, typically taking an additional 3-5 months.

Please note that the durations provided are approximate and can vary based on the complexity of the application and other factors.

Be aware that ASQA maintains close monitoring for the first two years of operation to uphold standards. Stricter scrutiny was also implemented since July 1, 2018, with the additional evidence-based requirements that we discussed.

To make sure your registration proceeds as quickly as possible, prepare your application thoroughly and respond promptly to ASQA’s requests. Consider consulting an experienced professional or organization specialising in RTO registration for guidance.

Cost of Starting an RTO

1. initial registration application fee or lodgement fee.

The initial investment for starting an RTO is $600 AUD as of 2023 and it is non-refundable.

2. Assessment Fee

This fee covers the cost of ASQA’s assessment of your application, including the audit. As of the most recent information, the assessment fee is a fixed amount of $8,000. This fee must be paid within 90 days after you submit the application, and it’s refundable in part if your application does not proceed to audit.

3. Annual Registration Fee

Once your RTO is established, you’ll also need to pay an annual registration fee. This fee is tiered based on the number of qualifications you deliver:

• 0–4 qualifications: AUD $1,130
• 5–10 qualifications: AUD $3,220
• 11–60 qualifications: AUD $6,975
• 61 or more qualifications: AUD $10,730

4. Ongoing Costs

Complying with the VET Quality Framework involves regular audits, maintaining and upgrading training resources, staff professional development, and administrative costs. These can be substantial and should be factored into your budgeting.

One of the biggest costs that RTOs face is with regards to ensuring compliant training. While this can be done using traditional methods, one of the most cost effective ways to do this is using an RTO software for training and assessment. Cloud Assess is a software that can ensure ease of training and compliant assessment for all your students.

Tip: Before investing in this solution, make sure you know how to make the most out of our RTO software.

Potential Revenue Streams

Your main source of income will be student fees. Depending on your courses, you may also qualify for government funding programs. Remember, your pricing should be fair and competitive.

• Government Funding: Many RTOs benefit from government funding schemes. These schemes can be complex and often vary between different states and territories in Australia. Understanding these schemes and how they might apply to your RTO can be a significant source of revenue.
• Corporate Partnerships: RTOs can establish partnerships with businesses to offer specific training programs tailored to their needs. This could be a significant source of revenue and could also increase your RTO’s reputation in the industry.
• Consulting Services: RTOs with expertise in a particular industry or vocational area could offer consulting services to businesses. These services might include designing custom training programs, offering advice on skills development strategies, or assessing existing training programs for quality and effectiveness.
• Online Courses and International Students: With the right infrastructure, RTOs can offer online courses to students all over the world. This could dramatically expand the market reach of your RTO and offer a significant revenue stream. Just make sure that you are complying with CRICOS requirements .
• Short Courses and Workshops: In addition to standard qualifications, RTOs can offer short courses or workshops that provide specific skills training. These can be offered to both individuals and businesses and can provide additional revenue.
• Sale of Training Materials or Resources: If your RTO develops its own training materials or resources, these could potentially be sold to other organisations or learners.

Remember, your primary goal as an RTO is to provide quality training and assessment that meets the needs of your learners and the industry. While exploring these revenue streams, it’s crucial to maintain this focus to ensure your RTO’s long-term success.

Alternatives to Starting an RTO

While starting an RTO may be an attractive option for some, it’s important to consider alternative pathways that can still provide opportunities in the Vocational Education and Training (VET) space.

It’s important to thoroughly research and understand the requirements and implications of these alternatives. Each option comes with its own considerations, such as contractual agreements, legal obligations, and alignment with the VET regulatory framework. Consulting with industry professionals or relevant organisations can provide valuable insights and guidance on the best alternative pathway for your specific goals and circumstances.

Here are a few alternatives to starting your own RTO:

1. Partnerships with Existing RTOs

Instead of starting from scratch, you can explore collaborations or partnerships with established RTOs. This allows you to leverage their resources, expertise, and infrastructure while delivering your specialised training programs under their registration.

2. Subcontracting

Subcontracting arrangements involve partnering with an existing RTO to deliver specific training programs on their behalf. This allows you to focus on delivering training without the full administrative and compliance responsibilities of being an independent RTO.

3. Course Accreditation

If you have expertise in a specific field, you can consider seeking course accreditation instead of establishing an RTO. Course accreditation allows you to develop and deliver a single accredited course without the need for full RTO registration.

4. Consultancy and Training Services

Another option is to provide consultancy and training services within your area of expertise. You can offer customised training solutions, workforce development programs, or consultancy services to businesses and organisations without the need for RTO registration.

5. Employment in Existing RTOs

If you are passionate about vocational education and training but not keen on the administrative responsibilities of running an RTO, you can explore employment opportunities within existing RTOs. This allows you to contribute to the sector while working in a supportive and established organisation.

Final Thoughts

Starting an RTO involves numerous steps, investment, and continuous commitment to quality and compliance. But the opportunity to create a real impact makes it all worth it. With this guide, you’re now equipped to embark on your RTO journey.

Starting an RTO is an exciting opportunity to shape Australia’s future workforce. With the proper research and planning, you will be able to embark on this rewarding journey in no time. Get ready to make a positive impact and empower learners in the vocational training landscape.

Deliver Your Skills Training Without Compromise

How Cloud Assess Supports RTOs in Addressing ASQA’s Risk Priorities

What is assessment validation and why do you need it, asqa performance assessment: understanding the rto audit process.

• +1 855.488.5327
• [email protected]
• Mon - Fri: 9:00am - 5:00pm ET

Understanding RTO and RPO: Ensuring Business Continuity

• February 1, 2024

In the world of disaster recovery and business continuity planning, two critical terms, RTO and RPO often come into play. They are RTO (Recovery Time Objective) and RPO (Recovery Point Objective). These acronyms may sound technical, but they are essential for any organization looking to safeguard its data and operations in the face of disruptions. In this blog, we’ll delve into what RTO and RPO mean, their significance, and the key differences between them.

What is RTO?

RTO, or Recovery Time Objective, is a pivotal concept in disaster recovery and business continuity planning. At its core, RTO represents the maximum allowable downtime for a system, application, or process following a disruptive event. In simpler terms, it answers the critical question: “How quickly must we recover our operations after an incident to minimize adverse impacts?”

RTO is a crucial metric because it directly ties into an organization’s ability to serve its customers, maintain productivity, and mitigate financial losses during a downtime event. The shorter the RTO, the faster the recovery needs to be. Conversely, a more lenient RTO allows for a more gradual recovery process.

Here are some key aspects of RTO:

• Time-Based Objective : RTO is expressed in a specific timeframe, which could range from minutes to hours or even days, depending on the nature of the business process or system in question. For example, an e-commerce platform might have an RTO measured in minutes, while a non-critical internal reporting tool might have an RTO measured in hours.
• Impact Assessment : Determining the appropriate RTO involves assessing the potential impact of downtime on the organization. Factors to consider include financial losses, customer satisfaction, contractual obligations, and regulatory compliance.
• Resource Allocation : Achieving a shorter RTO often requires more significant investments in redundancy, failover systems, and disaster recovery infrastructure. Organizations need to strike a balance between the cost of achieving a low RTO and the potential losses incurred during extended downtime.
• Testing and Validation : RTO is not just a theoretical concept; it must be tested and validated through disaster recovery drills and exercises. These tests help ensure that the organization can meet its recovery objectives in practice.

Network Administrator Career Path

This comprehensive training series is designed to provide both new and experienced network administrators with a robust skillset enabling you to manager current and networks of the future.

What is RPO?

RPO, or Recovery Point Objective, complements RTO and focuses on a different aspect of disaster recovery. While RTO addresses the downtime an organization can tolerate, RPO deals with data loss – specifically, the maximum allowable amount of data that can be lost without causing significant harm.

Here’s a closer look at RPO:

• Data Loss Threshold : RPO quantifies the acceptable data loss in terms of time. For example, if an organization has an RPO of one hour, it means that it can afford to lose data generated within the last hour. Any data loss beyond that threshold could lead to negative consequences.
• Data Backup and Replication : Achieving a low RPO typically requires robust data backup and replication strategies. Regular data backups, continuous data synchronization, and real-time data replication are common techniques used to minimize data loss.
• Industry and Compliance Considerations : Certain industries and regulatory requirements may mandate specific RPO levels. For instance, financial institutions often have stringent RPO requirements due to the critical nature of financial data.
• Balancing RPO and Cost : Achieving a near-zero RPO can be expensive, as it may necessitate continuous data mirroring and high availability solutions. Organizations must evaluate the cost implications of achieving their desired RPO against the potential business impact of data loss.

In summary, while RTO and RPO are distinct concepts, they work in tandem to shape an organization’s disaster recovery strategy. RTO focuses on minimizing downtime, ensuring swift recovery, and maintaining operational continuity. RPO, on the other hand, centers on data integrity, dictating how much data can be lost without significant repercussions. Both RTO and RPO are critical considerations for organizations aiming to safeguard their operations and data against disruptions.

Lock In Our Lowest Price Ever For Only $14.99 Monthly Access

Your career in information technology last for years.  Technology changes rapidly.  An ITU Online IT Training subscription offers you flexible and affordable IT training.  With our IT training at your fingertips, your career opportunities are never ending as you grow your skills. Plus, start today and get 10 free days with no obligation.

RTO vs. RPO: Key Differences

While both RTO and RPO are crucial for disaster recovery planning, they serve different purposes:

• RTO focuses on time and recovery speed, aiming to minimize downtime.
• RPO is concerned with data integrity and how much data can be lost without severe repercussions.

It’s essential to strike the right balance between these two objectives when crafting a disaster recovery strategy. For example, a financial institution may have a low RTO and RPO, as any downtime or data loss could lead to substantial financial losses. In contrast, a less critical service may have more lenient RTO and RPO requirements.

Calculating Appropriate RTO and RPO

Calculating Recovery Time Objective (RTO) and Recovery Point Objective (RPO) is a crucial step in disaster recovery planning. These objectives help organizations determine their tolerance for downtime and data loss. Here’s how you can calculate RTO and RPO:

Calculating RTO (Recovery Time Objective):

• Identify Critical Processes and Systems: Start by identifying the processes, systems, or applications that are critical to your organization’s operations. These are the components that you want to set an RTO for.
• Gather Data on Current Performance: Gather data on the time it takes to recover these critical components under normal circumstances. This can include historical recovery times from past incidents or simulations.
• Consider Business Impact: Assess the potential impact of downtime for each critical component. This could involve quantifying financial losses, customer dissatisfaction, contractual obligations, and regulatory compliance issues.
• Set Realistic Targets: Based on the gathered data and business impact assessment, set realistic RTO targets. Ensure that these targets align with the organization’s ability to recover within the desired timeframe.
• Document and Communicate: Document the RTO objectives for each critical component and communicate them across the organization. Ensure that relevant teams and stakeholders are aware of these objectives.
• Test and Revise: Regularly test your disaster recovery plan through drills and exercises. Use these tests to validate whether you can meet your RTO objectives and make adjustments if necessary.

Calculating RPO (Recovery Point Objective):

• Identify Critical Data Sources: Determine which data sources are critical for your organization. These could be databases, file servers, or other repositories containing essential data.
• Data Loss Assessment: Assess the impact of data loss for each critical data source. Consider the implications of losing a specific amount of data, whether it’s minutes, hours, or days of data.
• Frequency of Data Backups: Determine how frequently you should back up the critical data sources to minimize data loss. This frequency will become your RPO. For example, if you decide to perform backups every 4 hours, your RPO is 4 hours.
• Select Backup and Replication Solutions: Choose appropriate backup and replication solutions that can meet your RPO requirements. Ensure that these solutions provide the ability to recover data to a point in time consistent with your RPO.
• Document and Test: Document the RPO objectives for each critical data source and implement backup and replication processes accordingly. Regularly test your backup and recovery procedures to ensure they meet your RPO targets.
• Monitor and Maintain: Continuously monitor your backup and replication processes to ensure they are keeping up with the defined RPO. Any deviations or failures should be addressed promptly to maintain data integrity.

Remember that RTO and RPO are not static values; they can evolve as your organization’s needs change. Regular reviews and updates to your disaster recovery plan are essential to ensure that your RTO and RPO objectives remain aligned with your business priorities and risk tolerance.

RTO and RPO in Action

Imagine a scenario where a company’s data center experiences a power outage. The RTO in this case might be a few hours, indicating that the organization needs to get its systems back online within that timeframe. The RPO could be set at 15 minutes, meaning that data loss should not exceed 15 minutes’ worth of transactions.

To achieve these objectives, businesses implement various strategies, such as data replication, backup solutions, and failover systems. These measures are vital for ensuring that RTO and RPO goals are met consistently.

RPO in Cybersecurity

In the context of cybersecurity, RPO takes on added significance. It not only relates to data loss in the event of a cyberattack but also factors in data integrity and the ability to recover unaltered data. Cybersecurity RPO is often closely tied to data backup and security measures to protect against ransomware and other threats.

RTO and RPO: Critical for Business Continuity

In conclusion, RTO and RPO are fundamental concepts in disaster recovery and business continuity planning. They help organizations define their objectives regarding downtime and data loss, guiding the development of robust strategies to ensure resilience in the face of disruptions. Understanding the meaning and significance of RTO and RPO is a crucial step toward safeguarding your business and its vital data assets.

Key Term Knowledge Base: Key Terms Related to RTO, RPO, and Ensuring Business Continuity

Understanding key terms related to RTO (Recovery Time Objective), RPO (Recovery Point Objective), and business continuity is crucial for professionals in the fields of IT, cybersecurity, and business management. These concepts are integral to designing effective disaster recovery plans and ensuring minimal disruption to business operations in the event of unexpected incidents. Familiarity with these terms enhances one’s ability to develop, implement, and maintain strategies that safeguard business data, maintain service availability, and ensure organizational resilience.

Frequently Asked Questions Related to the RTO and RPO

What factors should i consider when determining the appropriate rto and rpo for my organization.

When defining your Recovery Time Objective (RTO) and Recovery Point Objective (RPO), consider the nature of your business processes, financial implications of downtime, customer expectations, regulatory requirements, and the cost of implementing recovery solutions. It’s essential to strike a balance that aligns with your organization’s priorities.

Can you provide examples of industries with stringent RTO and RPO requirements?

Industries such as healthcare, financial services, and telecommunications typically have strict RTO and RPO demands due to the critical nature of their operations. For instance, healthcare providers often require near-zero RTO for patient record systems to ensure patient care is not compromised during outages.

What role does data backup and replication play in achieving a low RPO?

Data backup and replication are fundamental components of achieving a low RPO. Continuous data backups, data synchronization, and real-time replication mechanisms ensure that data is duplicated and readily available, minimizing data loss in the event of a disruption.

Is there a one-size-fits-all approach to determining RTO and RPO, or should they vary for different systems and processes within an organization?

RTO and RPO should be tailored to the specific needs and criticality of each system or process. Not all systems require the same level of availability or data integrity. It’s common for organizations to have different RTO and RPO objectives based on the criticality of the services they provide and the associated risks.

How do I ensure that my organization can meet its RTO and RPO objectives in practice?

Regular testing and validation through disaster recovery drills and exercises are essential. These tests simulate real-life scenarios, allowing you to assess the effectiveness of your recovery strategies and make necessary adjustments.

Leave a Comment

Your email address will not be published. Required fields are marked *

Take advantage of our expert lead IT focused online training for 10 days free.  This comprehensive IT training contains:

All Access Lifetime IT Training

$ 699.00 $ 249.00

All Access IT Training – 1 Year

$ 279.00 $ 129.00

All Access Library – Monthly subscription

$ 49.99 $ 14.99 / month with a 10-day free trial

AZ-104 Learning Path : Become an Azure Administrator

$ 51.60 – $ 169.00

Comprehensive IT User Support Specialist Training: Accelerate Your Career

Entry Level Information Security Specialist Career Path

$ 129.00 $ 51.60

Getting Started in IT: Tips for Jumpstarting Your Career

Are you looking to getting started in IT but don’t know where to begin? Starting a career in the tech industry can be daunting, with

Agile vs Traditional Project Management

Definition of Project Mangaement Project Management is a structured approach that involves planning, organizing, and carrying out tasks and resources to achieve specific goals within

CySA+ Objectives – A Deep Dive into Mastering the CompTIA Cybersecurity Analyst (CySA+)

This blog post provides an in-depth exploration of the CySA+ objectives, essential for those preparing for the CySA+ exam or those interested in enhancing their

You Might Be Interested In These Popular IT Training Career Paths

Network Security Analyst Career Path

Kubernetes Certification: The Ultimate Certification and Career Advancement Series

• No Comments

Unlock endless learning opportunities with over 2,500 hours of IT training at our lowest price ever. Plus, get all new and updated online courses for free while your subscription remains active.

Cancel at your convenience.  This exceptional deal on IT training provides you access to high-quality IT education at the lowest monthly subscription rate in the market.  Boost your IT skills and join our journey towards a smarter tomorrow.

• Monday - Friday: 9am - 5pm ET
• Office: +1 855.488.5327

SHOPPING CART

• Quick Byte Answers
• Our Instructors
• Privacy Policy
• Career Paths

CONNECT WITH US

Business solutions.

• Reseller Opportunities
• Team Training
• Affiliate Opportunities
• Student Login

RTO and RPO: Making It Simple

RTO and RPO are two of the most important concepts in business continuity and IT disaster recovery. Today’s post will explain what they are, why they matter, and how to use them, illustrating their use with straightforward examples.

Related on MHA Consulting :  All About RTOs: What They Are and Why You Have To Get Them Right

Two Critical Concepts

The concepts of recovery time objective (RTO) and recovery point objective (RPO) are critical in developing a solid business continuity management (BCM) and IT disaster recovery (IT/DR) program. Let’s define them:

Recovery time objective (RTO)

Relates to business processes and their supporting applications. The maximum length of time that a business process and its associated applications can be unavailable following a disruption in order to prevent an unacceptable amount of impact.

Example: If a company’s RTO for its online customer sales process is four hours, it means that the organization must recover and resume its online storefront within four hours of a disruption.

Recovery point objective (RPO)

Relates to technical processes. The RPO for a given process is the amount of data from it, as measured in time, that can be recreated manually following its restoration after an outage.

Example: If a company has an RPO of one hour for its customer database, it means that after a disruption, the organization can only afford to lose up to one hour’s worth of data, and the recovery process must restore the data to a state that is no more than one hour old from the time of the disruption.

Both RTO and RPO are essential components of an organization’s business continuity and disaster recovery planning. They help determine the necessary strategies, resources, and technologies required to ensure the continuity of critical business functions and minimize the impact of disruptions.

The organization determines the RTOs of its key business processes and their supporting applications through an analysis of its needs. It determines the RPOs of its key technical processes through an analysis of its capabilities. (See below for a more in-depth discussion of how RTOs and RPOs are determined.)

Any gaps between the RTO and RPOs relating to an essential business process must be addressed by business continuity plans and strategies.

The Long and Short of It

A process can have a short RTO and a long RPO or vice versa. Alternately both the RTO and RPO can be short or long.

The following examples illustrate these possibilities:

Accounting: Long RTO, short RPO. In most organizations, general ledger (GL) accounting is a business process with a fairly long RTO, typically several days. This is because, if the accounting process is disrupted, it is usually a matter of quite a few days before the outage has a serious impact. However, the RPO of the technical and data side of the accounting function is very short.It might be four hours, but it could be as short as zero. This is because it’s virtually impossible to recreate accounting data after the fact.

Public-facing website: Short RTO, long RPO. This is your typical Company.com website providing basic information to the public. These typically have a short RTO because if the site goes dark it can immediately attract negative attention and undermine the company’s reputation. However, the RPO for the site is generally fairly long—e.g., 24 hours or more—because the information on such sites tends to be relatively static and any updates that are lost can recreated fairly easily.

Storefront website: Short RTO, short RPO. The company site that takes orders, tracks stock, and so on. This function has a short RTO because when such a site goes down, a meaningful impact on the company’s revenues and reputation can begin almost immediately. The function has a short RPO because the information in the system changes quickly and there’s no way to recreate it if lost.

Policy and standards oversight: Long RTO, long RPO. This process is important over the long-term, but an outage of a few days is unlikely to have a serious impact on the organization. Hence the long RTO. And while policies and standards do change from time to time, the rate of updating is generally slow and losses of data of up 24 hours could most likely be recreated with little difficulty. This means the technical and data processes pertaining to this area will have a long RPO.

RTOs and RPOs in Practice

The RTO for a given business process and its supporting applications is arrived at through an analysis of the company’s overall operations and prioritization by staff. The question to ask in determining an RTO is, how long can the process be down before the impact on the company becomes unacceptable?

The RPO for a given application is determined by identifying how much data from the application the staff could manually recreate. As mentioned previously, this is measured in terms of time (e.g., up to two hours’ worth, up to eight hours’ worth, and so on).

Manually recovering the data means recreating it by various methods such as reproducing it from memory, locating it in other applications or in hard copy, or contacting customers and asking them to resubmit their orders.

Knowing the RTOs and RPOs for the processes and technologies used across your organization helps you understand how you need to protect both processing and technology needs. Knowing these metrics helps ensure that your strategies, implementation, and plans are neither overly aggressive (wasting resources) or inadequate (providing insufficient protection).

Devising Your Categories

Every organization must devise its own scale of RTO and RPO categories. It is best to limit the number of categories to around five or six. More can be a maintenance nightmare.

The following is a scale of RTOs that we have seen work well for many organizations:

And here is a scale of RPOs that many organizations have used successfully:

Once a company devises its categories, each of the its key business processes are analyzed and placed into an RTO category and an RPO category. These designations guide the subsequent development of the company’s recovery plans and strategies.

Determining RTOs and RPOs

How does a company go about determining the RTO and RPO categories for its processes and applications?

The BCM office should develop proposed categories for RTOs and RPOs based on the organization’s known risks and needs. In doing this, the IT team can be a good place to start. The BCM team should make note of the times IT uses for its current protection and recovery strategies. Using those values, the BCM office can make adjustments based on discussions with management to understand the general times departments would need to be recovered.

After the categories are defined, the organization should perform a Business Impact Analysis . Making the best choices depends on factoring in information and insights commonly held across many different levels within the organization.

The final decisions regarding RTOs and RPOs should emerge after the BIA. Once defined, those proposals should be submitted to upper management for review.

Throughout this process, the BCM office has the job of educating others, facilitating the discussion, seeking consensus, and obtaining the necessary approvals.

Every organization should review its RTOs and RPOs on a regular basis. This is because organizations and the environment change. A company that has outgrown its recovery plan has no recovery plan. It is critical that RTOs and RPOs be kept up to date.

Program Cornerstones

RTOs indicate how soon after a disruption a given business process and its supporting applications must be restored to prevent an unacceptable impact to the organization. RPOs are a metric of how much data from a given technical process, as measured in time, can be manually recovered in the event of an outage.

RTOs and RPOs for key processes and technologies are typically determined through a collaborative process led by the BCM team and calling on the judgment and expertise of people from across the organization. Once determined, the two types of objectives become cornerstones of the organization’s business continuity and IT/DR program.

Further Reading

For more information on RTOs and RPOs and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

• About Time: Deciding When to Start Your RTO Countdown
• After the BIA: Save Time and Money by Fine-Tuning Your Application RTOs
• All About RTOs: What They Are and Why You Have To Get Them Right
• Navigating Resilience: How to Create a BCM Roadmap
• All About BIAs: A Guide to MHA Consulting’s Best BIA Resources

Richard Long

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.

Getting the Most Out of Your BCM Consultant: Do’s and Don’ts

Rating your bc skills: little white lies can create ticking time bombs, you may also like, herrera unplugged: how to hamstring your bc consultant.

Herrera Unplugged is an occasional series in which MHA Consulting CEO Michael Herrera shares his candid views on current hot-button business continuity topics. You might think that a company spending a substantial sum […]

Healthcare Under Attack: Building Resilience in the Face of an Aggressive Cyber Threat

Healthcare organizations are uniquely vulnerable to hackers and are subject to more than their share of cyberattacks. In today’s post, we’ll look at the measures hospitals and other facilities that care for […]

MHA and Kroll: Coming Together to Move Ahead   

The recently announced partnership between MHA Consulting and Kroll is a tremendous win for both firms and their clients. It’s also an exciting milestone for me personally as someone who, twenty-five years […]

Learn from the Best

Get insights from almost 30 years of BCM experience straight to your inbox.

We won’t spam or give your email away.

• In the Community

Business Continuity

Crisis Management

Disaster Recovery

Program Augmentation

Training and Awareness

Discover our intuitive BCM software.

Learn from the best.

Compliance Confidence

BIA On-Demand

BCM Planner

See Our Software in Action

Schedule a demo.

BCM Services backed by experience

• MSP360 News
• MSP Business
• Backup and DR

Recommended for you

• Disaster-Recovery-as-a-Service (DRaaS) Overview
• Disaster Recovery Testing

Understanding RPO and RTO

RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are the two key parameters that businesses should develop before creating their business continuity and disaster recovery ( BCDR ) plans. Both metrics help to design the recovery process, define the recovery time limits, the frequency of backups, and the recovery procedures.

Although RTO and RPO might seem alike, there are core differences you should consider. In this guide, we will overview the recovery time and recovery point objective concepts and define their differences.

Table of Contents

RTO vs. RPO Explained

To understand the difference between RTO and RPO, let’s first look at the definition of each term and the types of information it measures.

What is RTO?

RTO ( the Recovery Time Objective ), is a metric that defines the time to recover your IT infrastructure and services following a disaster to ensure business continuity.

To calculate RTO, consider these factors:

• The cost per hour of outage.
• The importance and priority of individual systems.
• Steps required to recover from a disaster (including individual components and processes).
• Available budget and resources.
• Direct-to-cloud recovery
• Recovery with a bootable drive
• File-level and VM restore
• Remote recovery

Determining the RPO is important because you will lose at least some data during a disaster, even if your backups are near instant. Most businesses back up their data at fixed intervals -- once an hour, once a day, or perhaps just as rarely as once a week.

For example, if your frequency of backup is once a day at midnight and there is a disaster at 8 AM, you will lose 8 hours of data. If your RPO is 24 hours or more, you’re in good shape. If your RPO is, say, four hours, you're not.

The RPO has yet another layer of depth if we are considering live production datasets. Let’s imagine that your production database is down. You have the RPO of four hours, hence you can afford to lose four hours' worth of data. If your backups are done once every two hours, you have to recover the data in two hours, rather than four. Why? Because each hour of downtime, you actually lose data that would normally be inserted, modified, or deleted from your production database.

Here are the factors for determining your RPO:

• The maximum tolerable amount of data loss that your organization can sustain.
• The cost of lost data.

Differences Between Recovery Objectives

RTO and RPO are both business metrics that can help you calculate how often to perform data backups.In other words, you can determine backup frequencies through it. However, there are some key differences:

• Assessment basis. RTO reflects your overall business needs. It’s a measure of how long your business can survive with IT infrastructure and services disrupted. In contrast, RPO is solely about data. It determines how often to back up data and does not reflect other IT needs.
• Cost relevance. The costs associated with maintaining the desired RTO may be greater than those of a granular RPO. That’s because RTO involves your entire business infrastructure, rather than just data.
• Ease of calculation. In some ways, RPO is easier to implement because data usage is relatively consistent and there are fewer variables. Since recovery time affects your entire operation, not just data, it is more complicated. Recovery time can depend on factors such as the time of day or day of the week when the disruptive event occurs. Administrators must have a good understanding of the speeds with which different types of restores can take place for the different types of critical systems. Only then can an RTO be properly negotiated and met based on the needs of the business owners.

RTO, RPO, and Disaster Recovery Planning

Realistic RTO and RPO goals serve as a basis for a solid disaster recovery plan that guarantees business continuity. It’s not tricky to set near-zero RTO goals as they require continuous replication.

hbspt.cta.load(5442029, 'a99bf554-4786-40d2-8e73-43bf625d6417', {});

At the same time, to meet your IT budget, senior management should avoid excessive investment in RTO and RPO assurance. For example, if your business RTO is 4 hours and your IT infrastructure is capable of a 2-hour restore time, you should either cut the RTO measurement or consider the infrastructural changes that will ease the budget pressure.

Further reading Disaster Recovery FAQ: Essential Definitions for IT Pros and MSPs

Top Tips to Upgrade Your RTO and RPO in 2024

1. Check if your backup vendor has a flexible feature set Backup parameters matter; finding a reliable backup solution with multiple versions of your data and a retention plan going back at least 90 days is the best option. Along with retention policies, it’s a good idea to increase the number of snapshots of mission-critical data.

2. Fine-tune your processes Having data in place and a schedule of backups doesn’t necessarily mean that your recovery process will go smoothly. You might not have hardware on hand or your team members might lack knowledge of the recovery process. These details could result in extended recovery time, so consider reviewing and fine-tuning your complex processes beforehand.

3. Watch your budget Since keeping more snapshots and versions requires more storage space and capacity, it also requires more expenditure. Consider keeping some versions on local storage to cut the costs.

4. The 3-2-1 rule is a must Since keeping more snapshots and versions requires more storage space and capacity, it also requires more expenditure. You could keep some versions on local storage to make use of the advantage of the fast data recovery.

Further reading The 3-2-1-1-0 Backup Rule: Extend Your Backup Security

5. Have a disaster recovery plan in place To cover all possible failure scenarios, develop a consistent disaster recovery plan that will satisfy your RTO and RPO goals.

Further reading Disaster Recovery Planning Checklist for MSPs

6. Testing is everything Constantly test your disaster recovery strategy to expose its gaps. Understanding the bottlenecks will help to fine-tune the plan and avoid serious failures in the future.

Further reading Disaster Recovery Testing for MSPs

7. Update your disaster recovery plans according to the new realms

Many businesses were not ready for the sudden move to the home offices. You should adopt your disaster recovery strategy according to the new work-from-home policies, taking into consideration the specifics of the decentralized data backups.

Further reading Disaster Recovery Planning Best Practices

Data loss prevention for business continuity is a crucial requirement for any business. MSP360 Managed Backup makes it easy to meet your RTO and RPO goals, no matter how large or small your business is or what internal IT operations you support. It will unlock business impact analysis that lets business unit leaders know all about relevant RTO and RPO values in real-time and understand what’s happening in their organization’s process from IT to marketing.

To learn more about how MSP360 Managed Backup can help protect your business data, sign up for a free trial , or schedule a demo .

Why Customers Left Veeam For Druva | Why Customers Left Veeam For Druva | Read the stories

Tech/Engineering

What is the Difference Between RPO and RTO? Real Meaning

October 22, 2021 Jaspreet Singh, Founder and CEO

What is the difference between RTO and RPO in disaster recovery solutions?

Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a disaster recovery or data protection plan. These are objectives that can guide enterprises to choose an optimal cloud backup and disaster recovery plan .

The RPO/RTO, along with a business impact analysis, provides the basis for identifying, analyzing, and explaining viable strategies for inclusion in the business continuity plan. Viable strategy options include any which would enable resumption of a business process in a time frame at or near the RPO/RTO.

At first glance, these two terms appear to be quite similar. The best way to understand the difference between RPO and RTO is to associate the “RP” in “RPO” by imagining that they stand for “Rewrite Parameters” and the “RT” in “RTO” as “Real-Time.”

What does RTO mean in disaster recovery solutions?

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity. In other words, the RTO is the answer to the question: “How much time did it take to recover after notification of business process disruption?“

RPO designates the variable amount of data that will be lost or will have to be re-entered during network downtime. RTO designates the amount of “real time” that can pass before the disruption begins to seriously and unacceptably impede the flow of normal business operations.

What does RPO mean in cloud data protection?

Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”

Example: If the last available good copy of data upon an outage is from 18 hours ago, and the RPO for this business is 20 hours then we are still within the parameters of the Business Continuity Plan’s RPO. In other words it answers the question – “Up to what point in time could the business process’s recovery proceed tolerably given the volume of data lost during that interval?”

How do you calculate RPO?

There are many factors that impact the RPO for your business and it will vary with each application. Below are some of the factors that can affect RPOs :

• Maximum tolerable data loss for the specific organization
• Industry-specific factors — businesses dealing with sensitive information such as financial transactions or health records must update more often
• Data storage options, such as physical files versus cloud storage, can affect the speed of recovery
• The cost of data loss and lost operations
• Compliance schemes include provisions for disaster recovery, data loss, and data availability that may affect businesses
• The cost of implementing disaster recovery solutions

There is always a gap between the actuals – Recovery Time Actual (RTA) and Recovery Point Actual (RPA) – and objectives introduced by various manual and automated steps to bring the business application up. These actuals can only be exposed by disaster and business disruption rehearsals.

What are some of the common types of backups?

Traditional backups.

In traditional tape backups, if your backup plan takes 2 hours for a scheduled backup at 0600 hours and 1800 hours, then a primary site failure at 1400 hours would leave you with an option to restore from 0600 hours backup, which means RPA of 8 hours and 2 hours RTA.

Continuous replication

Replication provides higher RPO guarantees as the target system contains the mirrored image of the source. The RPA values depend upon how fast the changes are applied and if the replication is synchronous or asynchronous. RPO is dependent on how soon can the data on target/replicated site be made available to the application.

How can Druva help your organization’s cloud backup and disaster recovery?

Druva provides a cloud-based data protection service, ranging from backup/recovery to providing cyber resilience. Druva also delivers all-inclusive services with no need to manage hardware, software, or the associated cost and complexity. Specifically, Druva’s cloud disaster recovery solution, ensures workloads on-premises or in the cloud are backed up directly to Druva’s Cloud. 

Your organization can recover on-premises (failback), or in the cloud ( failover ) across any AWS region/account. Druva’s one-click automated disaster recovery solution can also help your organization reduce system downtime and save up to 50% lower total cost of ownership (TCO).

Traditional backups are often only run at night due to the resources they consume. In contrast, Druva’s patented source global deduplication allows backups to run quicker and consume fewer resources. Our customers can meet RPOs ranging from minutes to one hour, depending on the workload being protected. 

Learn more about cloud disaster recovery and how Druva brings together backup, disaster recovery, and archival for data center workloads .

What is Recovery Time Objective (RTO)?

Grasping the Technique: The Often Misconstrued 'RTO' Unravelled in the Sphere of Business Resiliency

At the heart of organisational durability and a tactical roadmap directing towards reestablishing regular operations post-disruptions, lies the often misrepresented 'Recovery Time Objective' (RTO). This guide aims to deconstruct and demystify the RTO. Let's dive into the nuances of RTO and comprehend its significance.

Fundamentally, RTO operates as a benchmark, indicating the admissible duration of a business halt post a major disturbance before it starts to severely impact the corporation. In the present landscape, RTO serves as a time-centric protective measure, meticulously designed to resume business operations after an occurrence that might prevent operational continuity.

This Python scheme elucidates the strategic rationale behind the calculation of RTO in practical instances. The function calculate_RTO determines the RTO by deducting the period of disturbance from the revival span.

To optimise our comprehension of RTO, we can refer to a sample table:

This chart indicates potential business operations and their corresponding RTOs. For example, if the fortitude of email correspondence is compromised, the organisation deems an interruption of a maximum of 4 hours as bearable, beyond which the damages may intensify.

Understanding RTO is crucial for companies as it helps in creating recovery strategies post-interruptions wisely. This knowledge allows them to plan their preventive actions tactfully, centred on the prominence of various business operations.

Salient points regarding RTO include:

• RTO symbolises the maximum stretch acceptable for a business operation to recommence after a catastrophe.
• It guides companies in structuring and skillfully directing their resurgence initiatives post disruptions.
• RTO varies across different operations, its metrics being directly linked with the importance of the respective operation.

In closing, Recovery Time Objective (RTO) plays a prominent part in ensuring business resilience and forming recuperation plans following a detrimental event. It paves the path for recovery, thus validating the blueprint for corporate actions and helping in cushioning potentially harmful impacts of a mishap. A profound apprehension and vigorous RTO approach can mark the unseen difference between an insignificant snag and a significant organisational disruption.

Unwrapping RTO: A Quintessential Component of Disaster Counteraction

In the context of managing crises and sustaining commercial equilibrium, it's imperative to highlight the notion of Recovery Time Objective (RTO). At first, it may seem overwhelming, but an intricate exploration reveals it as a simple, yet crucial cog in a strong disaster counteraction scheme.

The Recovery Time Objective (RTO) essentially refers to the estimated period taken by a standard business function to recommence after an unforeseen disruption, thereby evading any potential negative implications associated with operational hiatus. It signifies the time needed to restore regularity, or something parallel to it, subsequent to the occurrence of an unforeseen incident.

Breaking down the definition:

Estimated Period : This term pertains to the utmost time duration you're comfortable with for your application to be offline, typically mirroring your capacity for dormant periods.

Standard Business Function : This pertains to any routine operation executed by your enterprise, spanning from conducting transactions to report generation.

Recommence : This refers to the process needing not merely to be operational but more so ready to carry out its assigned tasks.

Unforeseen Disruption : This covers any event, natural or human-induced, responsible for interfering with your business operations.

Potential Negative Implications : This indicates the possible harmful effect the disruption can inflict on your business, ranging from profit demise to reputation damage.

Interpreting the RTO is indispensable for businesses as it elucidates the utmost acceptable downtime for a system before it inflicts substantial damage to the business. Moreover, it aids in formulating a disaster recovery scheme that's realizable and effective.

Take into account this example:

In this Python code sample, a business activity faces an impediment. The compute_RTO function compares the impediment duration with the acceptable inactive period (RTO). If the inactive period exceeds the RTO, a disaster counteraction outline turns obligatory.

The essence of RTO varies between businesses and their operational aspects. For instance, an online retail platform might have a short RTO for its payment gateway as any disruption has immediate ramifications on sales and customer satisfaction. On the contrary, the same platform might opt for a longer RTO for its data gathering function, as it bears no direct impact on customer interactions.

In encapsulation, the Recovery Time Objective (RTO) plays a pivotal part in disaster counteraction planning. It endows businesses with the capacity to specify the maximum acceptable inactive period for any operation and devise an apt recovery strategy. The correct understanding and incorporation of RTO could mark the difference between a minor operational interruption and a substantial business disruption.

Synopsis: Grasping the Complexities of Recovery Time Objective (RTO) - Comprehensively Elucidated

Amid the domain of operational dependability and catastrophe mitigation, the Recovery Time Objective (RTO) serves as an indispensable measure. It acts akin to the rhythmic throbbing of your contingency plan, a driving force that fuels your enterprise even when circumstances are unfavorable. Yet, what constitutes RTO? What's its process, and why is its relevance so crucial? Now is the time to untangle this persisting enigma.

RTO, when defined in basic terms, is the anticipated span within which a company's processes should be reinstated post an upheaval or encumbrance for sidestepping repercussions jeopardizing continual business functionality. It represents the chronometric device that begins instance tracking from the minute a mishap transpires, aiming for the juncture when your infrastructure needs to be functional once more.

The Python sample code above sketches a straightforward IncidentBounceBack class. The revival_period method computes the deadline for completing recovery, relying on the disruption moment and the RTO.

RTO isn't a universal solution but differs based on corporate specifics, and even amidst different processes in a single enterprise. As an example, an online merchant could place high priority on their website with a minimal RTO, but allocate more time to their email framework.

The table above exemplifies diverse RTOs across distinct company procedures. The web-based marketplace, being the chief income source, has the minimal RTO. The electronic mail system, though significant, can withstand extended downtime. The personnel management system, less critical, holds the maximum RTO.

RTO is derived based on the duration of tolerable data loss, denoted as the Recovery Point Objective (RPO) . Should your RPO be 4 hours, your RTO must ideally fall short of that.

RTO calculation requires consideration of several variables:

• The prominence of the commercial procedure
• The tolerable outage
• Expense linked to outages
• Resources needed for revival

To conclude, appreciating RTO is essential for any enterprise. It serves as a critical lifeline, keeping your business buoyant in a crisis scenario. RTO acts as the constant reminder of how much time you have to restore your systems to functionality. Comprehending RTO isn't limited to its definition, but extends to recognizing its significance and determining how to calculate it specifically for your business model.

Understanding Recovery Time Bound (RTB): Vital Signs of Business Resilience

Picture the vast realm of institutional resilience and crisis control as an incessant chronometer. One essential figure that emerges in this context is the Recovery Time Bound (RTB) - a meter akin to the heartbeat of your business breath, setting the pace of recovery. It outlines the interval between an unplanned disruption to your business and the required revival of operations to mitigate harmful impacts. Simply put, it signifies the maximum dormancy span an establishment can tolerate.

To fully apprehend the concept of RTB is akin to being aware of your organization's pulse rate. It mirrors the health status of your establishment during a crisis scenario. A lower RTB implies a brisker pace of recovery for your business. But, how is this essential metric determined? Let's delve into it.

Pinpointing Principal Business Functions

The initial stride towards establishing your RTB is pinpointing the primary functions of your business. These encompass the tasks, which if disturbed, could cause considerable harm to your organization's effectiveness. For instance, if you operate a digital retail business, your central functions could include website operations, revenue generation, and product delivery mechanisms.

Evaluating the Consequences of Inactivity

Once you've identified the core operations, the ensuing stride is to determine the possible outcomes of inactivity affecting these tasks. This entails calculating the financial impact your organization might face if these functions cease to operate. This projected loss could encompass lost sales opportunities, penalties from contract violation, and a drop in repeat clientele.

Assigning the RTB

With the calculated risk of inactivity, it's time to designate your RTB. This indicates the longest duration you can allow your key operations to remain inactive. Hereunto, striking a balance between the disruption cost and recovery cost is pivotal. A shorter RTB demands considerable resources towards a robust recovery plan.

The Python code snippet above is a basic method to determine RTB. It helps weigh the financial effects of dormancy against recovery expense and recommends the lesser value.

Consider how the RTB can vary for two imagined companies:

Company Alpha can endure 2 hours of website downtime, while Company Beta can only allow a 1-hour delay in its dispatch process.

In conclusion, time never stops ticking in business resilience context. Gaining a thorough understanding of your RTB is imperative in ensuring your business promptly regains equilibrium after disruption. Reduced RTB means a faster recovery expectation which might call for substantial recovery plan investment. Hence, regulating this sensitive balance is necessary.

Disentangling the Principles of Industry Perpetuity: The Masonry Role of RTO

The labyrinth of industry perpetuity manifests a plethora of salient components, among those the Recovery Time Objective (RTO) assumes a keystone role, predominantly within the realm of catastrophe countermeasure planning. This exploration intends to delve deeper into the nuanced applications and relevance of RTO, shedding light on its vital role in maintaining unbroken business trajectories.

Before proceeding, a revisit to the RTO definition is expedient. At its nucleus, RTO denotes the forecasted timeframe needed to revert company operations after any unforeseen interruptions or disasters, without impacting the fluent progression of business. This time span, commonly expressed in hours, minutes, or even seconds, reflects the tolerable downtime permitted for an enterprise's IT landscape.

In the Python snippet above, a hypothetical entity, Firm A, assigns itself a RTO threshold of 240 minutes. This signifies, after the dust of any disaster has settled, Firm A strategizes to bring back its crucial operations within the 240-minute timeline to elude extensive losses.

Moving forward, a comprehensive understanding of RTO's eminent standing within the context of industry perpetuity follows:

Manifests Quantifiable Goals : RTO provides a lucid, measureable recovery goal for technical rescue teams to strive towards.

Shapes the Blueprint of Disaster Countermeasures : A key player in sketching and executing an effective disaster recovery plan, RTO assists to pinpoint the necessary resources, manpower, and procedures needed to meet the desired recovery schedule.

Assists in Hazard Evaluation : By identifying an RTO, corporations can estimate potential monetary ramifications of downtime, and make educated decisions regarding investments into efficient disaster countermeasures.

Automates Recovery Hierarchy : Not all systems carry the same degree of impact. Some are more critical to the business flow than others. Hence, RTO aids in arranging recovery efforts based on the importance of various systems.

Reinforces Regulatory Adherence : For institutions functioning within regulated industry brackets, meeting the outlined RTOs can often be a critical aspect of regulatory fulfillment.

In a nutshell, the Recovery Time Objective (RTO) emerges as an agile parameter in the construct of industry perpetuity. It outlines the recovery timeframe, navigates the planning for disaster countermeasures, assists in hazard evaluation, orchestrates recovery focus, and facilitates regulatory conformance. Comprehension and adept manipulation of RTO can significantly improve a corporation's resilience against interruptions and disasters.

Operational Flow: Decoding the Effect of RTO

Delving into the sectors of business sustainability and catastrophe recovery, a key player that often comes into the spotlight is the Recovery Time Objective (RTO). This salient measure lends a helping hand to corporations in preserving efficient workflows, even in the wake of unanticipated setbacks. So, what embodies RTO, and how does it abet the unhindered performance of an enterprise? Let's explore this notion further.

The Recovery Time Objective (RTO) stands tall as a vital gauge that captures the maximum permissible time lapse that a business operation or app can afford post a calamity or disturbance. In layman's terms, it marks the time bracket within which a business needs to revive its functionalities to ward off the unwelcome outcomes ensuing from a rupture in business consistency.

To shed light on the function of RTO, envision a scenario. Imagine you are at the helm of an e-commerce venture. A sudden glitch results in your website going offline due to a server meltdown. Here, RTO translates to the maximum downtime your website can tolerate before it begins to heavily dent your business - say, a couple of hours. If your RTO is a couple of hours, your contingency recovery plans should aspire to reactivate your website within this window.

RTO doesn't come in a universal size that fits all. It gravitates from one enterprise to another, or even amidst diverse processes within a single entity. For instance, the RTO assigned to a high-priority process like real-time transaction handling could be much more stringent than that allotted to a less critical task like email marketing.

Grappling with the role of RTO in business continuity entails perceiving its bearings on two principal sectors: expense and peril.

Expense: The more stringent the RTO, the less the downtime an enterprise endures, culminating in minimized potential revenue leakage. However, striving for a condensed RTO often calls for sturdier (and pricier) catastrophe recovery mechanisms. Hence, enterprises need to weigh the cost incurred during downtime and the expense of revival.

Peril: An elongated RTO could signify an escalated risk of forfeiting business to rivals, tarnishing the brand's image, or even grappling with legal implications in certain instances. Thus, carving out the RTO involves gauging the quantum of risk an enterprise is prepared to shoulder.

To cap it off, the Recovery Time Objective (RTO) serves as a quintessential yardstick in chalking out business continuity strategies. It aids businesses in ascertaining their capacity for withstanding downtime, empowering them to map their catastrophe recovery protocols proficiently. By grasping the implications of RTO, businesses can vouch for unimpeded workflows, curtailing the ramifications of setbacks on their profits and stature.

Coordinating The Bounce-Back: Expounding The Significance of RTO

In the realm of corporate resilience and response to unforeseen incidents, Time to Recover (RTO) forms a cornerstone. This component that shapes a certain period during which an interrupted business function must regain normalcy to fend off unacceptable aftermaths. So, what gives RTO such considerable gravity? Let's delve into the core of this crucial component.

• Mitigating Repercussions on Functional Streams

RTO's primary goal is to curtail the impact a disturbance can place on business functions. The longer a functional stream stays inactive, the more sizeable the prospective damages. By tactically setting a feasible RTO, enterprises can equip themselves to resume action swiftly, mitigating both operative and financial fallouts.

In the Python code above, the tentative loss is computed based on the downtime and per-hour earnings. If the downtime exceeds the RTO, the projected loss could be substantial.

• Guiding Recovery Method Choices

RTO is more than just a numeral indicator; it is a strategic guide. It helps companies in choosing their recovery path. For instance, a company with a low RTO might need to set aside finances for rapid recovery methods, like high-availability options. In contrast, a company with a high RTO could cope with slower, yet more budget-friendly recovery solutions.

• Distribution of Resources Based On Priority

All business functions are not created equal, with some bearing more significance than others. By delineating RTOs for different functions, organizations can competently manage resource distribution during the recovery phase. Functions with the lowest RTOs are viewed as most crucial and hence, take precedence during recovery initiatives.

The Python code above visualizes the concept of ranking business functions according to their respective RTOs. The tasks with the shortest RTOs take priority.

• Complying With Regulatory Standards

In certain sectors, specific regulatory bodies necessitate that businesses abide by certain RTO guidelines for particular functions. By developing and sticking to these RTOs, companies can ensure they are in regulatory compliance.

• Building Trust Among Stakeholders

Finally, well-defined RTOs can aid in fostering confidence among stakeholders, including customers, employees, and investors. It is a reassurance that the business is prepared for disruptions and has a quick recovery plan in place, thereby mitigating potential adversarial impacts on stakeholders.

In summary, the Time to Recover (RTO) is a vital element of any corporate resilience and disaster recovery plan. It serves to lessen operational consequences, direct recovery methods, aid in the distribution of resources, assure regulatory compliance, and enhance stakeholder trust. Hence, it is essential for businesses to understand the importance of RTO and proficiently integrate it into their recovery plans.

Subscribe for the latest news

Type above and press Enter to search. Press Esc to cancel.

• Advisera Home
• ISO in General

Partner Panel

ISO 22301 Documentation Toolkits

Iso 22301 training.

• Documentation Toolkits
• White Papers
• Templates & Tools

Where to Start

New ai tool.

• Live Consultations
• Consultant Directory
• For Consultants

Dejan Kosutic

• Get Started

RTO and RPO: What is the difference between Recovery Time Objective and Recovery Point Objective?

Updated: December 13, 2023.

When developing Business Continuity Plans (BCPS) or Disaster Recovery Plans (DRPs), two terms appear quite often: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). While paramount to the definition of BCPs and DRPs, RTO and RPO aren’t easy concepts to understand, which can lead to plans that either allocate more resources than needed, or to plans that won’t achieve the expected outcomes.

In this article, you will see how ISO 22301 , the leading ISO standard for business continuity management, defines these parameters, as well as examples of their application and how they can be used to build robust and reliable plans that allow the optimization of resources considering the desired outcomes.

RTO definition: The amount of time after a disaster in which business operations need to be resumed and resources need to be available for use.

RPO definition: The amount of data loss that would be acceptable for an organization as a consequence of a disaster.

What is the RTO?

The definition of RTO, Recovery Time Objective, is the amount of time after a disaster in which business operations need to be resumed and resources are again available for use. The RTO definition can be found in ISO 22300 , which defines the vocabulary for ISO 22301.

For example, if the RTO is two hours, then this means you must resume delivery of products or services, or execution of activities, in two hours – therefore,  your business continuity and disaster recovery plans need to consider the RTO during their development.

What is the RPO?

The definition of RPO, Recovery Point Objective, is the amount of data loss that would be acceptable for an organization as a consequence of a disaster (e.g., a catastrophic loss of software or hardware).

The meaning of RPO is also given by ISO 22301: The definition of the Recovery Point Objective, or RPO, is the amount of data a business can afford to lose in terms of time, or in terms of amount of information.

As an example, think about a database for recording all transactions in a bank (e.g., payments, transfers, scheduling, etc.). Usually, in such a case RPO is zero, because even in just a few minutes, hundreds of transactions can be made, and this information cannot be lost and cannot be easily recovered in any other way.

Now think about a source code repository where software developers keep their work. It is relatively easy to rewrite one day of lost coding for a software developer, but more than that can be difficult or impossible to recreate. In this case, the RPO would be 24 hours, which means that the backup needs to be done at least every 24 hours.

The point is, the harder it is to recover or recreate the data, the shorter the RPO needs to be.

RTO vs. RPO: What is the difference?

The main difference between RTO and RPO is in their purposes – being focused on time, RTO is focused on the downtime of services, applications, and processes, helping define resources to be allocated to business continuity; while RPO, being focused on the amount of data, has as its sole purpose to define backup frequency.

Another relevant difference is that, in relation to the moment of the disruptive incident, RTO looks forward in time (i.e., the amount of time you need to resume operations), while RPO looks back (i.e., the amount of time or data you are willing to lose).

What are RTO and RPO in disaster recovery and business continuity?

RTO is used to determine what kind of preparations are necessary for a disaster, in terms of money, facilities, telecommunications, automated systems, personnel, etc. The shorter the RTO, the greater the resources required.

RPO is used for determining the frequency of data backup to recover the needed data in case of a disaster. If your RPO is four hours, then you need to perform backup at least every four hours; every 24 hours would put you in big danger, but if you did it every hour, it might cost you too much and not bring additional value to the business.

Both Recovery Time Objective and Recovery Point Objective are related to business continuity by means of the business impact analysis (BIA), where they are determined, and the business continuity strategy, where preparations for achieving them are defined.

See these articles to learn more about RTO, RPO, and BIA: Five Tips for Successful Business Impact Analysis , and Backup policy – How to determine backup frequency .

RTO and RPO – are they related?

Although RTO and RPO are both crucial for business impact analysis and for business continuity management, they are not directly related, and neither conflict with each other (one deals with time and the other with an amount of data), so it does not make sense to talk about RPO vs. RTO.

Should RPO be less than RTO?

Since RTO and RPO are not directly related, RPO does not need to be less than RTO or vice-versa – you could have an RTO of 24 hours and an RPO of one hour, or an RTO of two hours and an RPO of 12 hours.

For example, an e-commerce site may need to be online 4 hours after a disruption, so RTO is four hours. Now, this same e-commerce site has two databases, one for its product catalog, which is updated once a week, and the second to record sales (thousands per day). The RPO for the first database can be one week, but for the second, the RPO should be near zero.

The importance of RTO and RPO in cyber security

Although RTO and RPO were initially introduced regarding disruptive events related to natural disasters and direct man-made attacks (e.g., vandalism and terrorism), the increasing dependence of businesses  makes RTO and RPO also useful for cybersecurity. For example, RTO and RPO enable cybersecurity teams to plan responses to cyberattacks, like DoS and ransomware.

Related Products

ISO 27001 Premium Documentation Toolkit

ISO 27001 Lead Auditor Course

Upcoming free webinar, related articles.

You may unsubscribe at any time. For more information, please see our privacy notice .

Join us at one of our events. Register Today

• Newsletters
• Client Portal
• Make Payment
• (855) Marcum1

Services Search

Understanding rpo and rto: their roles in a disaster recovery plan and business impact analysis.

By Joseph Giella , Vice President - Data Protection Strategy, Marcum Technology

A disaster recovery plan (DRP) is a set of documented processes and procedures containing detailed instructions about how to respond to and recover from disruptive events. This can include events such as cyber-attacks, natural disasters, electrical blackouts, hazmat exposure, or something as drastic as the terrorist attacks of 9/11. The disaster recovery plan is basically a documented set of actions to be executed following a disaster, which focuses on resuming work quickly and reducing further interruptions. Increasingly, disasters have been attributed to cybersecurity-related events.

Dr. Steven Covey, in his bestselling book, “The Seven Habits of Highly Effective People,” offers as one of those habits: “Begin with the End in Mind.” Nothing could be more applicable to properly executed disaster recovery planning. The “begin” is the business impact analysis (BIA), and the “end” is the successful completion, execution and maintenance of the DRP.

Disaster recovery planning often focuses on two critical objectives that define the limits of acceptable data loss and downtime — recovery point objective (RPO) and recovery time objective (RTO). RPO and RTO are the management-defined objectives for moving from the current state to the desired state of preparedness.

RPO is the point in time (prior to the outage) to which systems and data must be restored.

RTO is the period of time (after an outage) during which systems and data must be restored to the predetermined RPO without causing significant damage to the business, as well as the time spent restoring the application and its data.

These two objectives represent the organization’s defined requirements for the amount of downtime and permanent data loss management has determined the organization can tolerate.

Source: Symantec Corp.

The above graphic indicates a timeline for recovery points and times. The lightning bolt represents the occurrence of a disaster/unplanned downtime.

A goal of disaster recovery planning is to achieve the quickest resumption of operations at the lowest cost. This is a challenge in that technology costs are the highest for the quickest recovery. Prioritization in the order of which functions must be recovered first will ensure that the most mission-critical systems are available as soon as possible.

The disaster recovery plan) begins with the business impact analysis. The BIA identifies each business function and, after interviews with key personnel and management are completed, assigns an RTO and RPO value. For example, RTO for email services might be one hour and RPO might be zero. An RPO of zero would be necessary for SEC-regulated firms, where a court could impose large fines for each day that an evidentiary email message could not be produced, such as in a case of insider trading.

When RPO and RTO are known for all systems, workloads and applications, as well as the cost of downtime for the business they support, the right decisions can be made to protect data. IT leadership is empowered to select the right technologies and build a suitable strategy around data protection and disaster recovery.

Business Impact Analysis

A business impact analysis can help assess and weigh the impact and consequences, both financial and non-financial, of an interruption in business operations. These findings can help organizations determine their availability service level agreements (SLA), or the level of service expected by the customer from the entity providing the service. Most often, multiple SLAs are defined to match the various levels of criticality determined during the BIA.

For example, the following SLAs for uptime are commonly utilized:

• 99.9%, or three 9s, corresponds to 8 hours 45 minutes and 36 seconds of downtime per year.
• 99.99%, or four 9s, corresponds to 52 minutes and 34 seconds of downtime per year.

In DRP, it is crucial to prioritize recovery services relative to their contribution to the business. Not all services are created equal, nor should the investment in recovery efforts be the same.

Steps after BIA

While no two DRPs are alike, subsequent steps revolve around a central framework to support the organization’s objectives as defined by the RPO and RTOs identified.

An example of subsequent steps would resemble the following:

• Set Clear Recovery Objectives
• Identify Professionals and Stakeholders– internal and external
• Document Existing Network Infrastructure
• Identify and Select Recovery Processes
• Define an Incident Criteria Checklist
• Document Disaster Recovery Procedures
• Identify Intervals for Testing and Test
• Continuously Update DRP

With the constantly changing world and business environment, the DRP needs to be constantly updated and tested regularly. Most IT managers view technology initiatives as projects with milestones and deliverables that have start and completion dates. In contrast, DRP is not a project; rather, it is a program that must be maintained and revisited often to stay ahead of emerging threats, address evolving business targets, and leverage technology advances.

Although there is no standard frequency for reviewing and updating your disaster recovery plan, you should review, test and update your DRP at least annually to make sure everything is functioning as expected. Quarterly updates and reviews are even better.

Constant testing ultimately unveils limitations in your existing DRP. Keep eliminating these flaws so that the new changes will be aligned with your company’s requirements.

Data processing operations are volatile in nature, resulting in frequent changes to equipment, programs and documentation. These actions make it critical to consider the plan as a living, breathing and ever-changing document.

Disaster recovery planning should also serve to streamline technology processes, identify and refresh hardware, and reduce the risk of human error. You are not just preparing to recover from a disaster. You are working to make your business more bullet-proof, efficient, and as profitable as possible.

To learn more about Marcum Technology data protection services , contact us at [email protected] .

Related Insights & News

QSBS Exclusion – What is it?

Section 1202 offers significant benefits to those shareholders who qualify, so a thorough examination of the rules is an important step that should be undertaken before taking the exclusion.

Elder Fraud Financial Losses Continue to Rise

Cybersecurity threats affecting businesses in april 2024, audit innovations: how emerging technology is transforming the audit landscape, u.s. district courts see decline in patent litigation despite rise in patents granted, upcoming events.

Managed IT Services Mastery: Choosing the Right MSP & Unlocking Business Benefits

Marcum Manufacturing Forum

Cromwell, CT

The Pivot in Workforce Management Practices for 2024 and Beyond

Marcum’s Governmental Accounting & Reporting Training Course

Warwick, RI

Political and Market Update featuring Michael Townsend

Cocktails & Conversations

Providence, RI

The Future of Finance: Moving from On-Premises to Cloud-Based ERP Systems

Portland, ME

Navigating the Nuances of Crypto Taxation: Lessons Learned from the 2023 Filing Season

Hartford, CT

Understanding Social Security

Bedford, NH

Innovate for Impact

Washington, DC

New York, NY

Essentials of an Operating Reserve Policy for Nonprofits

Marcum Women’s Forum: Courage

Cyber Threats and Prevention: A Growing Concern for Businesses

Burlington, MA

Greenwich, CT

Nashville, TN

Cleveland, OH

The Marcum & GNHCC 2024 Regional Real Estate Forum

Branford, CT

Mission Possible: Nonprofits in the Age of Digital Finance

Integrating FP&A Software into Your Financial Operations

Top 5 Nonprofit Investment Insights

New Haven, CT

Navigating the Presidential Election: Insights for Nonprofit Investment Reserves

Streamlining the Financial Close Process: How Close Management Software Transforms Efficiency

Marcum Women’s Initiative: Coffee and Conversations

Robotic Process Automation and AI: The Next Frontier in Finance Transformation

Marcum New England Construction Summit

Marcum Mid-South Construction Summit

Marcum Ohio Construction Summit

Warrensville Heights, OH

Related Services

Cybersecurity & Digital Forensics , Technology Consulting , Advisory , Incident Response Services , Cybersecurity Services , Digital Investigations & Litigation Support , Business Process Improvement , Digital Advisory Services , Blockchain , ERP Automation , Financial Solutions , Data Analytics , Intelligent Automation , Infrastructure Solutions & Services , Cloud Services , Small Business Solutions , Wireless & Mobility Solutions , Managed Endpoint Detection , Managed IT Services , Infrastructure Design & Engineering , Data Storage , Software-Defined Networking , IT Staff Augmentation , Telecom Optimization , Virtualization , Managed Cybersecurity Services , Strategic IT Consulting , CIO/CTO as a Service , Digital Transformation , Enterprise System Selection , IT Due Diligence , IT Transformation , Post Deal IT Value Creation , Strategic IT Assessments , Strategic IT Road Mapping

Related Industry

Have a question ask marcum.

Understanding RTO Planning: A Comprehensive Guide to Recovery Time Objectives for MSPs in 2023

Due to cyberattacks like ransomware, natural disasters, and system outages, data loss is no longer a question of  if  it will happen, but when it does, will you be prepared?  96% of companies  had at least one outage resulting in downtime in the last three years. Even more concerning,  1 in 5 organizations  experienced a “serious” or “severe” outage in the previous 3 years resulting in significant financial loss, reputational damage, compliance breaches, and in severe cases, loss of life.

Practical Recovery Time Objective (RTO) planning is essential to the comprehensive  business continuity and disaster recovery  (BCDR) solutions MSPs use to protect clients. It helps minimize the impact of disruptions while restoring critical business functions to maintain operations. Unfortunately,  72% of organizations  are not well-positioned for disaster recovery. Fortunately, MSPs can provide a complete BCDR solution that helps clients develop a robust disaster recovery plan with an effective RTO.

Table of Contents

RTO Planning and Disaster Recovery

Defining recovery time objective (rto).

Recovery Time Objective (RTO) measures when a disruptive event occurs and when IT resources must be fully operational. It’s calculated using the per-hour  downtime  costs and any service level goals the company needs to meet. Essentially, it determines how long a company can afford a business interruption.

RTO varies based on backup and disaster recovery (BDR). For example, recovery takes much longer if you only back up file and folder data to conserve costs but forgo application and configuration backup. In that scenario, you must physically replace the servers and applications before restoring the file and folder data. A faster but more expensive solution is to create a backup image of all critical applications and their configurations. With comprehensive backup, RTO significantly decreases to get clients back to work faster.

Importance of RTO in Disaster Recovery

RTO has a central role in disaster recovery planning as it’s used to assess, prioritize, and establish the right strategies to recover all systems, processes, and applications after disruptions hit. Assigning an RTO to a system helps businesses identify which are most important for business continuity. Prioritizing essential systems ensures that business-critical operations are up and running first.

RTO is also influential in determining equitable resource allocation in disaster recovery planning. A shorter Recovery Time Objective requires higher investments in backup, redundancy, and recovery solutions, while a longer RTO is more cost-effective and less resource-intensive.

Lastly, RTOs is a factor when designing the disaster recovery strategy for each system and process that keeps a business moving. For example, high-availability solutions with real-time data replication and BDR automation typically deliver a short RTO, and traditional backup and disaster recovery result in a longer RTO.

Relationship between RTO and Recovery Point Objective (RPO)

While RTO and Recovery Point Objective (RPO) are both units of time that help underpin a data recovery program, the two figures are subtly different. As you just learned, RTO measures the time from when a disaster hits to when IT resources need to be fully operational again. It is the maximum amount of time that data might be lost and unrecoverable.

Operationally, RPO is how often you must back up a client’s data to recover from a potential disaster. You can have different RPOs for different data types, and backups can occur at different intervals based on RPO. For example, if you set the backup interval to one backup a day, you risk losing a whole day’s worth of data after a disaster. But if you back up every 15 minutes, you only risk losing 15 minutes’ worth of data. At the same time, the more you back up, the more storage space you need. Your BCDR solution may include worry-free storage, or you might have to navigate tiered storage without pooling. The latter frustrates MSPs and clients who struggle to scale cost-effectively, navigating size limits and surprise storage overages.

Read more:   RTO vs RPO: Two key components of BCDR success

The most significant difference between RTO and RPO is that RPO looks to past events, whereas RTO is a future-facing figure that sets a timeline for recovery operations. In both cases, the costs of maintaining business continuity decrease as the time frames lengthen – however, the potential negative fallout for the business increases. Think of RTO and RPO on a spectrum with costs and levels of protection on a sliding scale that are working against each other. The goal is to identify where clients are on that spectrum to determine if the existing position protects the business or leaves it vulnerable.

Key Factors in RTO Planning

A company’s business continuity plan or business impact analysis (BIA) dictates RTO planning. These multi-step processes start by addressing the following factors so that when you develop your RTO plan, it streamlines disaster recovery planning.

Identify Critical Business Functions

MSPs can’t protect what they don’t know exists, so identifying critical business functions is the first step in RTO planning. Clients need to create an inventory of everything – whether it’s required for business or not: systems, applications, workstations, laptops, servers, and so on. Then, they prioritize the inventory based on what’s required when – starting with an immediate response to “stop the bleeding” and ending with 100% of business functions restored.

Using this information, MSPs can act quickly and deliberately during recovery to minimize the consequences and costs of downtime and business disruptions. Understanding the extent of downtime helps optimize disaster recovery planning. New replacement devices, non-compliance fines, legal fees, reputational damage, lost revenue, and employee productivity are all potential costs associated with downtime.

To help clients avoid these, MSPs can implement targeted risk mitigation strategies like runbooks. Creating  runbooks  within your BCDR solution lets you configure an automatic deployment plan for virtualized devices. Runbooks are specific to each virtual environment with settings to identify which devices to virtualize and in what order, what resources are allocated to each device, and how long to wait between device deployments.

With the efficiency of runbooks, MSPs can push a button to initiate disaster recovery. Other best practices include establishing recovery procedures for each function, implementing fault-tolerant systems or redundancies, and regularly testing and updating disaster recovery plans to ensure effectiveness.

Assess Risks and Potential Disasters

Now that you know how to prioritize disaster recovery, you need to think about what the disaster might look like. Cybersecurity risks change as businesses expand their reliance on dispersed data and bad actors develop new attack strategies to encrypt, steal, or hold it for ransom. The risk of natural disasters depends heavily on the location of the business, but all companies are susceptible to power outages, storms, appliance failures, and human error.

Assessing the likelihood and impact of these threat vectors helps MSPs deliver an RTO that reflects the criticality and vulnerability of business functions. This information also enables MSPs to implement targeted risk mitigation strategies, including redundancy, fault-tolerant systems, automated backup and recovery solutions, and contingency plans tailored to specific threats. It’s also essential for establishing an effective  incident response plan  that answers the question, “What now?” after disasters strike. Based on the RTO of critical business functions, companies can quickly move through their disaster recovery procedures.

Additionally, updates are critical to the effectiveness of disaster recovery planning. For example, many SMBs failed to understand a pandemic’s short- and long-term impact. As a result, many MSPs scrambled to reassess and update their protocols to account for future pandemics. Reassessing risks and potential disasters should be part of regularly scheduled disaster recovery updates to protect against and plan for the data loss incidents most likely to occur.

Understand Dependencies and Resource Requirements

Recovery Time Objective planning also requires MSPs to understand dependencies like interrelated systems, processes, applications, and third-party vendors. They also need to know what resources are required and available for hardware, software, labor, and budget.

By identifying dependencies, MSPs can create a more comprehensive disaster recovery plan that accounts for the interrelated nature of the company’s processes, applications, and systems. Considering all critical components and disaster recovery efforts, you can appropriately address the full scope of potential disruptions and sequence disaster recovery efforts. For instance, if a particular application relies on a specific database, restoring the database first is vital so that application recovery goes smoothly. Sequencing minimizes downtime and creates efficient and effective recovery efforts.

Dependencies also include relationships with third-party vendors or service providers outside of MSPs. Understanding these dependencies enables companies to coordinate their disaster recovery efforts with external partners and account for potential disruptions in their supply chain or service providers.

Developing an Effective RTO Plan

With a prioritized list of critical business functions, potential risks and disasters, and business dependencies and resource requirements, MSPs can move forward with their RTO plan.

Establish Realistic RTOs

The realisticness of your RTO is central to implementing an adequate disaster recovery plan, ensuring compliance with regulations, and balancing the costs of robust protections against the potential impact of an incident. If you’ve completed a BIA and the key factors listed above, you should be able to establish and fulfill a competitive, high-value RTO.

Using the ranked list of critical business functions, MSPs can prioritize the shortest RTOs for the most important systems and deprioritize longer RTOs for less essential operations. Next, evaluate the resources available to support your RTO. Are you capable of meeting the RTO target set? Or do you need to adjust it to set accurate expectations with clients?

Collaborating and communicating with internal and external stakeholders gets everyone on the same page for RTOs. The fewer questions and confusion during disaster recovery, the better, so document and reinforce disaster recovery and RTO planning for efficiency.

Implement Data Backup and Disaster Recovery Strategies

Your solutions must be able to deliver the RPO and RTO expected by clients. BCDR requires backing up data, replicating that data to the cloud, and restoring those backups when disaster strikes. Historically, backing up and replicating to the cloud has taken significant time. The reason is traditional chain-based backups, including traditional/forward and inverse/reverse chain directions. While they are still available, chain-based backups are widely considered legacy due to reseeding and storage requirements, backup failures, and compliance complexities.

Chain-Free backup technology , however, eliminates reseeding, storage overages, and backup burn. Instead, it delivers flat-fee pooled storage, custom and secure retention, and near-instant recovery. The time and labor savings alone make Chain-Free backup the right choice. And with accelerated recovery, you can also increase the competitiveness of RPO and RTO in service level agreements (SLAs). MSPs can use Axcient’s proprietary Chain-Free backups to ensure a 1-hour RTO and a 15-minute RPO.

Furthermore, MSPs can leverage innovations in automation for efficient and reliable BCDR. For example, anti-ransomware and data loss technology stop permanent data loss from malicious cyberattacks. Additionally, pairing an inexpensive local cache USB or NAS device decreases recovery and failback times. And self-managed disaster recovery via virtualization in the cloud lets you restore data immediately versus waiting on your vendor.

Regularly Test and Update

After implementing a disaster recovery plan, conduct regular tests to validate its effectiveness and identify potential issues or gaps. Tabletop exercises, partial recovery tests, or full-scale simulations prepare MSPs to meet RTO expectations and create opportunities to improve disaster recovery planning.

Personnel also plays a crucial role in disaster recovery efforts. They support the execution of the plan during actual emergencies, so they must be well-trained and aware of their roles and responsibilities during these critical and often chaotic times.

RTO Planning in Practice: Case Studies

Here are some examples of RTO planning in action by MSPs, showcasing successful implementation and lessons learned across various industries:

MSPs Supporting Healthcare Providers. An MSP worked with a hospital network to develop a comprehensive RTO plan. The MSP analyzed the hospital’s critical IT systems, including its Electronic Health Records (EHRs) and medical imaging systems, and established RTOs based on the potential impact of downtime on patient care. The MSP implemented a combination of on-site and off-site backups and deployed redundant systems to ensure quick recovery. As a result, the hospital network recovered from an unexpected power outage and maintained continuity of care.

Lesson learned: Recovery time planning in healthcare should prioritize critical systems that directly impact patient care and safety.

MSPs Supporting the Retail Industry. An MSP assisted a large retail chain establish an RTO plan to protect its point-of-sale (POS) system and e-commerce platform. The MSP identified critical systems, assessed potential risks, and assigned RTOs to minimize revenue loss during outages. They implemented a cloud-based backup and recovery solution that restored systems quickly after a ransomware attack, minimizing downtime and financial impact.

Lesson learned: In the retail industry, RTO planning should focus on systems that directly impact revenue generation and customer experience.

MSPs Supporting Manufacturing. A manufacturing company partnered with an MSP to develop an RTO plan for their production systems and supply chain management. The MSP assessed the impact of disruptions on operations and established RTOs for all critical systems. They used a combination of on-prem and cloud-based backups and redundant systems for core functions. When the company experienced a hardware failure, it recovered quickly and maintained production with minimal downtime.

Lesson learned: RTO planning in manufacturing prioritizes production and supply chain operations, and often requires individual RTOs due to the complexity of the supply chain.

RTO Planning Best Practices

Collaborate and communicate.

RTO planning isn’t just for IT or MSPs. It requires cross-functional involvement to maximize effectiveness. Engage internal departments, critical stakeholders, and third-party partners in the RTO planning process. Of course, this also includes your disaster recovery team, leaders from operations and finance, senior management, and your BCDR provider so that everyone understands the plan for disaster recovery.

Document and Keep Records

Documentation is critical for establishing and maintaining RTO regardless of who’s available during a disaster. Whether you call it a disaster recovery plan, incident response plan, or cybersecurity playbook, MSPs and their clients need a detailed, step-by-step guide for disaster recovery. It should include the RTO for each business function, priorities and timeframes for restoring systems and standard operating procedures (SOPs) for recovery within specified RTOs.

Additionally, clearly define the responsibilities of individuals and teams involved in disaster recovery efforts, and maintain accurate records of RTO planning activities, including risk assessments, BIAs, and disaster recovery tests. Documentation is valuable for audits, compliance, and identifying areas for improvement.

Regularly Review and Improve

You will continually be enhancing and improving disaster recovery readiness and RTOs. Periodically review and update your RTO plan to ensure it remains adequate and relevant, considering changes in business infrastructure, processes, and applications. Also, test the RTO plan regularly to validate its effectiveness and mitigate potential gaps. Incorporate lessons learned during testing, after actual cyber incidents, and in response to current threat vectors and RTO planning best practices.

Wrapping Up

RTO planning is a crucial aspect of business continuity and disaster recovery. With RPO, MSPs can identify critical business functions, assess risks and potential disasters, and consider dependencies and resources to develop a robust plan that aligns with client objectives. Effective RTO planning involves communication, documentation, and ongoing improvements. Utilizing the steps and best practices outlined above, MSPs can protect clients’ data despite devastating events.

Get started with RTO planning using the  Axcient RTO Calculator ! Just enter your recovery data and see your RTO results in hours instantly. Also, check out our MSP-only BCDR solution,  x360Recover , to discover how your MSP can deliver a competitive RTO that supports business growth and reliable disaster recovery.

How well could you sleep with reliable cloud-based backups and recovery?

Take a deep dive into Axcient’s proprietary, automated security features to see how we’re ensuring uninterrupted business continuity — no matter what:

RTO Business Planning

Starting and running an RTO, as in any other business is hard work. The more preparation you do before start up, the better your chance of avoiding financial and personal heartache. Take the time out now to do the research, the planning and grow the foundations. It will hold you in good stead later down the track. For your RTO to succeed, it is important to fully understand what it takes to start, run and grow.

Planning helps to establish how you will stand out from the crowd.

This preparation is not only needed for your planning but also for your initial audit through a business plan complete with financial plans/projections.

Think of the reasons for your business or career successes to date. You’ll probably come up with a series of traits that are uniquely yours and characteristics that other RTO’s can’t begin to duplicate; because they are yours. That’s why you’ve decided to become an RTO.

Planning equals better results, better targeting and will help minimise any problems you may encounter. Paint a picture with words that brings to life how you will get your business started and how you will continuously grow and improve it for the next three to five years.

RTO Business Plan – Template to guide you through RTO planning 

What is a business plan for an rto.

A business plan is a document which is a blue print of how, when and what your business is going to do with its RTO. It contains a formal statement about your business goals, the reasons why they are believed attainable, evidence to show you can achieve them and the plan for reaching those goals. Your Business Plan is to tell people about your business and will be read very carefully by those with whom you will be having relationships, including accrediting bodies, auditors, lenders and investors.

It is valuable information that the Registering body will read and understand more about you and your specific circumstance.

The business plan is a long-term planning document and it will cover a lot of ground. Make sure you have a good plan of action so you know what you want to achieve and how to achieve it.

A properly developed business plan helps to shape the actual opportunity into a tangible reality. More specifically, for your business the business plan is required by the registering authority and must contain information about how the business is going to run and grow.

Business plans can vary enormously, what you are aiming for is providing a clear, informative document that sells your idea to the RTO regulator. Build a strategy for preparing your business plan preparation.

Business Plan Preparation 

There is a lot to consider which inlcudes information on you and any other Directors for the business. When I mentor clients I want to know their WHY. Why they are doing it, does it have a solid foundation that is going to last one round of funding? We dig deep, so that you really have a business that is going to be sustainable.  

Here are some considerations when preparing your RTO Business Plan:

• Why do you really want to go into the business of an RTO?
• Is there an identified market for the application of scope
• Have you asked them how they wish the training to look, what skills are needed, and any specific equipment needs to be covered?
• What are your goals for the RTO, in the short term and long term?
• What skills are needed to start, run and grow the RTO? Do you have them or do you need to outsource them?
• Have you a clear plan the implementation of its training and/or assessment?
• Organisational chart showing all areas of the business
• How much money will it cost to commence your specific RTO?
• How much income will the RTO need to generate to survive?
• How many students will I need to generate the required income?
• How much time, effort and resources are you prepared to invest in the RTO?
• How you will develop a system to ensure you meet compliance to AQTF and all legislation, Acts, regulations.

If you are seeking information on an RTO Business Plan contact Merinda. 

The RTO Success – The online course to guide you through the steps to set up your RTO – comes with an RTO Business and guidance from Merinda 

Share this:

• Click to share on Facebook (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on Twitter (Opens in new window)
• Click to share on WhatsApp (Opens in new window)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of follow-up comments by email.

Notify me of new posts by email.

Copyright © 2024 RTO Mentor - All Rights Reserved

Opening Hours: Monday – Friday 8am – 5pm

Phone: 0439 544 105 Email: [email protected]

RTO Business Plan

• No Comments

One of the key components for initial application to become an RTO is a comprehensive RTO business plan. It allows the governing body to really get a feel for your proposed business. It will also aid in gaining finance should your require. It should outline the Who, What, Where, When, How and Why of your proposed business.

Some people may suggest they can have their business plan complete in a few days, in all honesty it can weeks, even months to get it right. Heres a few things to following:

• Do your research  – You will need to make quite a few decisions about your business including structure, marketing strategies and finances before you can complete your plan. By having the right information on hand you can also be more accurate in your forecasts and analysis.
• Determine who the plan is for  – Does it have more than one purpose? Will it be used internally or will third parties be involved? Deciding the purpose of the plan can help you target your answers. Remember you are developing an RTO Business Plan, not only for yourself and your bank, but also as a key component for initial application. Your Business Plan will be risk assessed by the governing body, so make sure it is quite comprehensive.
• Do not attempt to complete your business plan from start to finish  – First decide which sections are relevant for your business and set aside the sections that don’t apply. You can always go back to the other sections later.
• Get some help  – If you are not confident in completing the plan yourself, you can enlist the help of your support group; friends, family, accountant and business advisors such as ourselves. However, in essence you are the one that knows your business best.
• Actual vs. expected figures  – Existing businesses can include actual figures in the plan, but if your business is just starting out and you are using expected figures for turnover and finances you will need to clearly show that these are expected figures or estimates.
• Write your summary last  – Use as few words as possible. You want to get to the point but not overlook important facts. This is also your opportunity to sell yourself. But don’t overdo it.
• Review. Review. Review  – Your business plan is there to make a good impression. Errors will only detract from your professional image so ask a number of impartial people to proofread your final plan.

What to include in a business plan? A business plan provides direction, keeping you on track and is usually a requirement when you seek finance. Depending on your business type, your plan could include the following sections:

• Title page  – This describes what the plan is for and includes general information on your business.
• Business Summary  – A one-page overview written after your business plan is finalised.
• About your business  – This is typically called the management plan or operations plan. It covers details about your business including structure, registrations, location and premises, staff, and products/services.
• About your market  – This is the marketing plan. It should outline your marketing analysis of the industry you are entering, your customers and your competitors. This section should also cover your key marketing targets and your strategies for delivering on these targets. Dont forget a SWOT! Stengths, weaknesses, Opportunities & Threats. A SWOT shows you have really considered your market and you have done your research.
• About your future  – This section covers your plans for the future and can include a vision statement, business goals and key business milestones.
• Supporting documentation  – List all of your attachments under this heading in your plan for referral. For example:financial tables.

When you have finished your business plan

• Review it regularly . Business planning is an ongoing business activity. As your business changes many of the strategies in your plan will need to evolve to ensure you business is still heading in the right direction. Having your plan up to date can keep you focused on where you are heading and ensure you are ready when you need it again.  Remember a Business Plan is a live document so it really does require to be reviewed at a minimum every 12 months.
• Distribute your plan . A business plan is a blueprint for how your business will run and reveals what future direction your business will take. Understandably you will want to be careful who you show your plan to and avoid your competition seeing it.

Contact us to email you out a Business Plan template in word format to start the process.

Author impact

Leave a reply cancel reply.

You must be logged in to post a comment.

• RTO Desktop Audit
• RTO Review Audit
• Post Audit Rectification
• RTO Setup and Registration
• CRICOS Registration
• RTO Consultation
• Extension to Scope
• Transfer of Ownership

Contact Details

(Providing services nationally )

Please use our contact form or email us at: [email protected] 

© 2024 Impact Workforce Training Group.

• RTO Consulting
• RTO Audits & Rectification
• Training & Assessment Material Review & Development
• Become An RTO

Disaster Recovery & Business Continuity Blog

Write on Disaster & Business Continuity Planning

RTO, RPO and Other Issues in Business Continuity

In today’s well-connected world, the fight for market share is intense. For many businesses, a few minutes of downtime can lead to lost revenue. Imagine the financial consequences of a fully fledged disaster that can last hours or days or in some case rather rare cases even longer. A well thought out Business Continuity/ Disaster Recovery (BCDR) plan is an imperative for any business that wants to ensure survival post disaster.

A well planned and drafted Business Continuity and Disaster Recovery (BCDR) plan requires input from several aspects of the business. These inputs define the contours of the businesses activities and the relative importance of each activity. However, two very important parameters for business continuity, that have to be defined upfront are Recovery Time Objective [RTO] and Recovery Point Objective [RPO].

Recovery Time Objective [RTO]

The recovery time objective is defined as the period for which the business can be out of operation without significant risks or losses. After careful analysis, managers should arrive at the maximum duration for which systems can be down. This is the Recovery Time Objective. Performance to meet RTO objectives requires adequate resources are available. The resources required should be carefully determined and management must commit to this.

The RTO clock should start from the time the recovery processes is set in motion. When the service is back online, DR Managers should analyze the time taken against the recovery time objective and see if the recovery period was less than the goal. In case recovery took a longer period, a detailed analysis of all procedures and systems should be undertaken, to improve RTO performance. This ensures future disruptions are less painful.

Recovery Point Objectives [RPO]

The recovery point objective can be defined as the maximum acceptable data loss measured over time. This relates to the backup storage which is required to resume normal operations in the event of a system failure.

To get a clear idea of this concept, it is best to look at a practical example. If the RPO of a business is set at one hour, then back up of data must be done every hour. The RPO is completely independent of the RTO. The RTO and RPO are the two basic parameters, among others, that enable managers to draft a suitable disaster recovery plan for business continuity .

Once the RTO and RPO parameters have been determined, other parts of the disaster recovery plan can be put together. The other aspects of the disaster recovery plan business continuity are:

• Identify all the internal key personnel without whom the business cannot function. Though this list can have as many names that are essential, it should be kept to the minimum. Critical functions and contact information must be identified and recorded. Alternate methods of communication should also be in place.
• While stop gap measures can be introduced so that key personnel work from home, for longer periods of time, alternate locations should be identified as a part of the planning process.
• A contact list of critical vendors, contractors and suppliers should be made. The contact information should also be a part of the disaster recovery plan. In addition to these people, a list others such as attorneys, bankers, IT consultants, utility companies, police, fire, water, hospitals etc., who may be needed for the operational issues, should also be available.
• Critical equipment, models, vendors etc should be identified and listed as a part of the plan. For example, some businesses depend heavily on fax machines for others it may be tailor-made specialized software. Alternates for critical equipment and software are absolutely essential for business continuity.
• Identify all critical documents such as legal papers, articles of incorporation, utility bills, banking information, lease papers, tax returns, critical HR papers etc. Copies of this must be available so as to restart the business.
• Make a list of other contingency equipment required. The list should show where items such as vehicles, computers, fax machines, printers etc. can be sourced in the event of a total loss of facility.
• A contingency operational location should be identified in the event of a total facility loss. Business operations can be resumed from the contingency location. It could be from a hotel, a vendor’s office etc. The contingency location should be clearly identified in the business continuity plan and should be known to all personnel.
• A responsibilities grid should be drawn up. Each responsibility should be listed and assigned to a person and an alternate. The plan should include detailed step-by-step instructions listing out who should do it, how should it be done.

Once all the parts that form the disaster recovery plan for business continuity have been determined, it should be put together in a cogent and easy to understand manner. Since it is a reference document of vital importance numerous copies should be available preferably to all employees. All key personnel should have an up to date copy at all times. Extra copies could be stored in off-site locations, homes of critical personal and also in a safety deposit box. However, a far more efficient method is to use a cloud based automated system such as the one developed by www.disasterrecovery.org .

It is imperative that everyone in the company knows relevant parts of the business continuity plan . Hold training classes for all employees, without exception, and make these classes mandatory. This will ensure that in the event of a disaster, everyone knows what is to be done. The plan should be thoroughly tested to see if it works properly. Conduct mock drills and see if any parts of the plan need fine tuning.

As the saying goes – nothing goes exactly according to plan and the smart planners know how to develop a flexible plan that adapts to different situations.

• ← Batteries Cost a Few Dollars But They Save Lives
• Disaster Recovery & Business Continuity – Different Concepts But Same Side of the Coin Nevertheless →

RTO vs. RPO: What’s the Difference and How are They Used?

In business continuity and IT disaster recovery, the terms RTO and RPO are both often used in conversations about recovery requirements.

While the terms are closely related, they have distinct meanings and uses.

This blog will define RTOs and RPOs with a closer look at how these terms are used in business continuity and IT disaster recovery programs.

What is Recovery Time Objective (RTO)?

According to ISO 22300:2021 , a Recovery Time Objective (RTO) is the “period of time following an incident within which a product or service or an activity is resumed, or resources are recovered.”

In business continuity and operational resilience conversations, RTO defines a specific period of time and is generally stated as a set number of hours, days, weeks, etc.

In simple terms, an RTO starts the clock ticking to mark the amount of time your organization can survive downtime and return to normal operations while maintaining continuity. You can use the RTO term for both business functions and resources. This is important to note because this is not the same for RPO.

RTOs vary from organization to organization, but here are some of the factors that might influence your RTO:

• How much revenue your organization will lose for every hour of downtime
• How much loss your organization can absorb/endure
• Resources needed to restore operations to normal
• Customer tolerance for downtime

When discussing business continuity, your resources may cover a range of categories, including applications, vendors, facilities, people, and equipment. Each resource can have a unique RTO denoting the period of time that a specific resource should resume operations after a disruption.

According to the Federal Emergency Management Agency (FEMA), about 25% of businesses do not re-open after disasters. And, according to another report, about 16% of small-to-midsize business (SMB) executives don’t know their organization’s RTOs. Another quarter say if they experience a disaster, they think they can recover data within 10 minutes or less, with closer to 30% saying it could be done in less than an hour.

Unfortunately, conceptualizing and identifying RTOs is tricky. That’s why it’s important to take a closer look at the scope of RTOs to ensure you always set appropriate RTO timeframes for your resources—especially those that are most critical for your core operations.

The reality is, an RTO is based on many factors, and for some, an RTO could range from hours to weeks/months. To identify appropriate RTOs for your business functions, consider downtime impact, including various impact types, such as financial, legal, operational, and reputational.

How do you identify an RTO?

To identify an RTO, consider these two questions:

• At which point after a disruption would my organization experience significant, negative impacts?
• What would those impacts be?

Answers to these questions can help align the “significant, negative impacts” with your organization’s risk appetite.

It’s important to note that if your executive leadership team accepts a certain risk tolerance, your RTOs should align with those tolerance levels.

To help you further identify resource RTOs, align your resources back to the business functions they support.

Think of it like this: If a business function can be down for a period of time, the resources required to perform that function can also be down for that amount of time. (Of course, there are always exceptions, such as information security tools that should always run.)

You should also consider any manual workarounds your team can use. If there are viable manual workarounds, the resource itself may have a longer RTO because downtime would not have as great of an impact on operational resilience.

What Are Some RTO Examples?

RTOs vary from organization to organization. However, here are some RTO examples. What would these same RTOs look like for your organization?

• Email application: 4 hours
• Finance systems and services: 1-2 days
• Customer Relationship Management System (CRM): 1 day

What is Recovery Point Objective (RPO)?

According to ISO 22300:2021 , a Recovery Point Objective (RPO) is the “point to which information used by an activity is restored to enable the activity to operate on resumption; can also be referred to as ‘maximum data loss.’”

The term RPO generally applies to a system or application that stores data. RPOs are metrics for determining how much data you’re willing to lose (or how much data you’re willing to re-enter) from backup to disaster recovery.

There are different ways to think about data loss. For example, you can think holistically–losing an entire database—or you can think about data loss from a transaction standpoint–losing the previous [period of time] of updates, files, transactions, etc.

When you talk about RPOs, you should refer to transactional data instead of archived data. For example, a legal contracts repository. Your RPO would apply to new or updated files, not historical data.

In other words, a one-day RPO or data loss tolerance means you could lose one day’s worth of updates or uploads to the system.

When determining RPOs, consider alternate sources of the data, including recreating lost data or work. If you have a backup source for the data—or if you can easily recreate the data—there may be more data loss tolerance.

Here are some factors that might influence your RPO:

• Number of critical applications and systems
• Complexity of these applications and systems
• Data volume
• Data back-up methods
• How frequently data changes
• Data back-up frequency
• Data storage and accessibility
• Internal resources

It’s of note talking about RPOs that your organization’s back-up frequency may have the biggest impact on your RPO, but the frequency is sometimes overlooked in resiliency planning.

While many (hopefully most) organizations have routine data and system backups, those backups may not occur at the frequency an organization actually needs, something often not discovered until after a disaster or significant disruption.

So if these backups are so important, why don’t organizations do them more frequently?

In many cases, frequent backups are cost-prohibitive. The more data your organization has, and the more frequently it’s replicated and stored, the more storage space you need, which quickly adds up in costs.

Why is this important?

Because, if you experience a disaster or disruption, you can anticipate the possibility of data loss. Your RPO helps determine how much data you can risk losing, based on the amount of time from your most frequent backup to return to normal.

RTO and RPO Differences

Though RTOs and RPOs are related, there are differences. While RTOs look forward in time (the amount of time you have to recover), RPOs look backward (when was your last best data backup and how long do you need to restore it?)

RPOs range in time from no data loss (0 hours) to a few days, depending on a variety of factors.

RTOs and RPOs are important factors in disaster recovery and business continuity planning . If you don’t know your RTO and RPO metrics, the bulk of your resiliency planning could be for naught—particularly if you underestimate how long your organization can survive downtime or the volume of data your organization can lose and still survive.

And while some organizations know their own time-related metrics, industry feedback suggests that as a whole, we don’t do a great job exploring RTOs for our vendors and suppliers. Supplier and vendor RTOs can directly impact and skew your own recovery metrics.

How are RTO and RPO Terms Used in Business Continuity/IT Disaster Recovery Programs?

RTOs and RPOs are commonly used:

• To prioritize business functions in the time of a disruption, letting leadership know which functions should be brought up when
• To conduct a gap analysis against capable recovery times to identify business continuity and IT disaster recovery risks
• To select appropriate recovery and backup strategies for resources/data, including how much your organization will spend on workarounds/alternatives

RTOs and RPOs: How Castellan Can Help Your Organization with Business Continuity

RTOs and RPOs set the foundational requirements for your business continuity and IT disaster recovery programs. It is important to understand and define these terms early in your program and routinely re-evaluate your RTOs and RPOs as your organization evolves.

Do you need help better understanding RTOs and RPOs and the role they play in your organization’s resilience? Contact a Castellan advisor today and we’ll be happy to help work through all of your questions.

Share This, Choose Your Platform!

Related posts.

Resilience Lessons from the Tragic Collapse of the Francis Scott Key Bridge

Geopolitical Risk: 3 Techniques to Protect Your Business

APRA CPS 230: What You Need to Know Now

• Using ISO 27031 to Guide IT Disaster Recovery...
• Business Continuity Management (BCM) Defined
• Business Continuity Roles and Responsibilities

Review our cookie policy

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.

Privacy Overview

Industry-leading Cloud Services for the Channel

Infrastructure

Saas backup, backup as a service (baas), disaster recovery as a service (draas), service enhancements, dr as a service (draas), partner challenges, customer challenges, how we work, partnering with us, find a partner, why virtualdcs, business continuity planning: what are rpo and rto.

• November 1, 2012

RPO and RTO are two of the most common abbreviations used when discussing Backup , Disaster Recovery  and Business Continuity planning, but what exactly are these terms and what do they mean for organisations?

What does RPO stand for in Disaster Recovery?

Recovery Point Objective (RPO) describes the amount of data that the organisation could afford to lose in the event of a disaster and is one of the most important aspects of Business Continuity planning.

Typical questions used to identify a required RPO level include: ‘How many transactions can you afford to lose?’ ‘Do you have a manual paper trail as a backup?’ and ‘Do you have compliance issues if you lose data?’

What does RTO stand for in Disaster Recovery?

Recovery Time Objective (RTO) also plays a strong part in Continuity planning. RTO is defined as the target amount of time that it should take for systems to be restored.  For example, how long can your business last without being able to send or receive emails, answer the phone or take a customer’s order?

When addressing the RPO and RTO of I.T. systems it is highly recommended that the business performs and evaluation on each system and their dependencies on that system in order to establish an individual RPO and RTO.

An example of the importance of RPO and RTO could be for an online retailer, where their daily tasks include taking orders electronically from customers in volume and dispatching the orders from their warehouse via a paperless system. Getting the right balance in this situation is vital, here are some scenarios:

To ensure a successful Disaster Recovery plan is in place for your organisation it is essential to assess what level of protection is most suited for your requirements and the likelihood of any disaster occurring.

For a full recommendation on RPO and RTO for your business call virtualDCS on 03453 888 327 or email [email protected]

Share the news to:

Sign up to the virtualDCS Newsletter

Get the latest tips, tricks, opinions and news from the experts, straight to your inbox., your form submission is subject to our company’s privacy policy. by providing your information on this page you are consenting to opt in to virtualdcs’ use of your details to contact you regarding the products and services that we offer, including our newsletter..

• 03453888327
• [email protected]
• 42 Leeds and Bradford Road, LS5 3EG

Industry-leading Cloud Services for the Channel.

virtualDCS delivers innovative Cloud solutions to the Channel, including Veeam Backup (BaaS) and Disaster Recovery (DRaaS) , Microsoft 365 Backup and Infrastructure as a Service (IaaS) solutions from UK data centres . Resell cloud computing & Veeam by becoming a partner now or take a look at our Veeam Pricing tool .

©2024 Virtual Data Centre Services Limited (virtualDCS)

Company No: 07238621 | VAT No: 937 2025 33

•   English
•   Deutsch
•   Italiano
•   Français

RTO vs. RPO: What’s the Difference?

In this article, we take a closer look at two important concepts that are used in disaster recovery planning: recovery time objective (RTO) and recovery point objective (RPO).

• Cost Optimization
• Disaster Recovery

May 02, 2024

Recovery time objective (RTO) and recovery point objective (RPO) are two concepts that are used in business continuity and disaster recovery planning to establish a business’s tolerance for data loss and recovery time in the event of a failure.

Recovery time objective (RTO) and recovery point objective (RPO) are two important concepts used in disaster recovery planning. Both represent critical points of failure.

RTO is the service level defining how long a recovery may take before unacceptable levels of damage occur from an outage. Meanwhile, RPO is the service level defining the point in time when data loss resulting from an outage becomes unacceptable. Exceeding both has the same result: business suffers. 

In this article, we’ll deep dive into what the key differences are between RTO and RPO and why they’re important in a disaster. We’ll also cover how you incorporate them into disaster planning and what to prioritize. 

RTO in Disaster Recovery

RTO, as stated above, is the maximum amount of time a business can function without a specific application. After that time, the business suffers. That can range from the inability to appropriately onboard and schedule staff if a staff resourcing system is down to the inability to process revenue if a digital storefront or payment processing system is down. 

That means that RTO will vary between different systems and even how different systems interact with different parts of the business. The level of granularity depends on the criticality of the system to support business operations. 

Organizations typically define RTO as a time period greater than zero. Very critical systems might have a very low RTO time, ranging from one to four hours. Less critical systems may have RTO times ranging from hours to days. Establishing those times depends on what priorities a business sets for itself and the resources it can bring to bear during disaster recovery.

RPO in Disaster Recovery

RPO is a corollary to RTO with a much different focus. RPO refers to the amount of data, typically expressed in time, that can be lost before business operations suffer. The volume of data will change drastically, depending on the services provided by the downed system. 

For example, hospitals use electronic health record (EHR) systems to sustain clinical care operations. EHR systems tend to have low RPO due to the patient safety issues downtime presents. Building access systems that can operate independently in a disaster may have a very high RPO, especially if they safeguard a low-trafficked area. 

RPO helps define RTO. If high volumes of data loss are unsustainable or unacceptable, then the RTO must be low for that system. The system must be up to receive data within the specified RTO so that the RPO isn’t compromised. There are ways to mitigate that and will depend on how you structure a disaster recovery strategy.

Remember, though, RPO is focused almost entirely on the data itself and preserving its integrity. 

How RTO and RPO Play Into a Disaster Recovery Strategy

RTO and RPO both play heavily into a disaster recovery strategy. They converge for very technologically oriented processes and tend to align for business-critical processes. That means that for very critical system-dependent business processes or functions, downtime and data loss approach unacceptability. 

When thinking about RTO, there are a few concepts to think about when crafting a strategy:

• Resource availability: Since no organization has infinite staff or money, there are limits on resources that can be brought to bear recovering from a technological disaster. RTOs for different systems need to reflect their criticality to business operations so finite resources can be leveraged to bring up more critical systems first. 
• Business priorities: A disaster recovery strategy must account for business priorities like revenue, supply chain, staff management, and others. Those priorities should be ranked by way of importance. Systems supporting more important functions should be prioritized over those that support less important functions.
• Support systems: Some systems may aid in disaster recovery but may otherwise be indicated as low importance because of their only indirect and tangential support of mission-critical priorities. Systems that ease and expedite disaster recovery efforts should be prioritized for recovery.

Similarly, when thinking about RPO, business continuity and disaster recovery plans should factor in these key concepts:

• Backups: For business processes with relatively low RPO, think about frequent backups to assure continuity and preservation of RPO levels.
• Data volumes: Data volumes will impact RPOs because of the ability to preserve continuity during downtime. Very high data volume processes are difficult to back up frequently if backups aren’t correctly architected and could result in large volumes of lost data in a downtime.
• Cost: Backups cost money. All backups take up storage space, which can be priced by the gigabyte, and cloud backups may incur ingress and egress charges depending on architecture. A careful cost versus risk of loss analysis is a helpful tool to plan for disaster recovery. 
• Data criticality: Less critical data might not need to be backed up as frequently as highly critical data. Evaluating data criticality to business processes is key to managing appropriate recovery objectives.
• Data changes: Some data stores may experience regular high volumes of changes, while others will rarely change. Backup frequency and maintenance should account for the statefulness of the target data set.

Based on these factors, it’s straightforward to see why high-velocity, high-volatility, data-driven technology workflows that support critical business functions may have both low RTO and low RPO. Fortunately, these correlated concepts have a common resolution: tailored backup solutions with rapid recovery. 

SLA Perception vs. Reality: RPO and RTO

Many IT managers believe meeting their RPO and RTO SLAs is achievable. But reality often fails to meet perception.  A report by ESG stated 90% of respondents reported their organization could not withstand in excess of an hour’s worth of lost data before experiencing significant business impact, equating to an estimated mean RPO of 22 minutes.This is especially troublesome when nearly half of these organizations indicated that their data is typically at least a week old, with the overall average age being 49 days. The amount of data restored as part of a typical recovery effort tends to skew older, especially for larger recoveries. 

The vast majority (71%) of one-day old recoveries are less than 50 GB, which could simply be explained by the nature of these types of recoveries, such as corrupted tables, deleted files, etc., and make it much easier to deliver on operational recovery SLAs. Past the one-day window, a significant and progressive jump occurs towards larger recoveries—longer time means more data, and likely more recovery time and resources. 

Disaster Recovery as a Service with Pure Protect

A cyber resiliency architecture can significantly minimize RTO and RPO by implementing robust backup and disaster recovery solutions that ensure rapid system restoration and data retrieval after a cyber incident.

Pure Protect™//DRaaS does exactly that. Its tailored solutions are right-sized for businesses and their critical assets. Pure Protect //DRaaS also keeps your data where you need it: in your custody and at your fingertips. By maintaining it in your AWS cloud, Pure Protect //DRaaS also ensures that you can maximize recovery speed through cloud-preconfigured workloads. 

What’s more, Pure Protect //DRaaS helps you test your backups and resilience in a segmented test environment that maximizes your preparation for the worst, while avoiding unwanted disruptions to your production environment. Pure Protect //DRaaS is a highly resilient, highly transparent solution for all your disaster recovery needs. 

Disaster recovery planning can be a daunting proposition. Keeping RTO and RPO in mind conceptually as you plan is key. Thinking about recovery as downtime in hours and gigabytes streamlines the ability to focus on key metrics and requirements. 

Those requirements and metrics revolve around doing business. What’s important to your business and keeping it running is the focus of your disaster recovery efforts. Those hours and gigabytes directly translate into dollars and understanding how to minimize that loss as quickly as possible will make your organization more resilient and ready for disaster. 

Written By: Pure Storage

Related Stories

Failover vs. Failback: What’s the Difference? 

Failover and failback are two key concepts in disaster recovery and business continuity. Here,...

How to Deploy a Docker Image with Ansible

In this guide, you’ll find the steps for deploying a Docker image with Ansible,...

Docker vs. Podman

Containers bring many benefits to software development. Here, we look at two popular containerization...

Terraform vs. Docker: What’s the Difference? 

In this article, we look at the differences between Terraform and Docker, two powerful...

Top Stories

Demystifying directflash modules vs. ssds vs. hdds vs. hybrid.

• Today's news
• Reviews and deals
• Climate change
• 2024 election
• Fall allergies
• Health news
• Mental health
• Sexual health
• Family health
• So mini ways
• Unapologetically
• Buying guides

Entertainment

• How to Watch
• My Portfolio
• Latest News
• Stock Market
• Premium News
• Biden Economy
• EV Deep Dive
• Stocks: Most Actives
• Stocks: Gainers
• Stocks: Losers
• Trending Tickers
• World Indices
• US Treasury Bonds
• Top Mutual Funds
• Highest Open Interest
• Highest Implied Volatility
• Stock Comparison
• Advanced Charts
• Currency Converter
• Basic Materials
• Communication Services
• Consumer Cyclical
• Consumer Defensive
• Financial Services
• Industrials
• Real Estate
• Mutual Funds
• Credit cards
• Balance Transfer Cards
• Cash-back Cards
• Rewards Cards
• Travel Cards
• Personal Loans
• Student Loans
• Car Insurance
• Morning Brief
• Market Domination
• Market Domination Overtime
• Opening Bid
• Stocks in Translation
• Lead This Way
• Good Buy or Goodbye?
• Fantasy football
• Pro Pick 'Em
• College Pick 'Em
• Fantasy baseball
• Fantasy hockey
• Fantasy basketball
• Download the app
• Daily fantasy
• Scores and schedules
• GameChannel
• World Baseball Classic
• Premier League
• CONCACAF League
• Champions League
• Motorsports
• Horse racing
• Newsletters

New on Yahoo

• Privacy Dashboard

Yahoo Finance

Some of the most talented, high-ranking workers at apple, microsoft, and spacex jumped ship after return-to-office mandates, new study reveals.

The focus of return-to-office discussions have long focused on the individuals. Why might workers prefer to stay home? Which age groups are most amenable to in-person work, and which are most combative? Does office collaboration make the most sense for creative types or heads-down numbers people? Can workers really be productive left to their own devices?

Yet the lingering question of how widespread remote work shapes company outcomes, as well as the wider sector landscape, largely remains unanswered because the whole experiment remains in flux. But a new working paper from researchers at the University of Michigan and University of Chicago, titled “Return to Office and the Tenure Distribution,” comes fairly close to positing an answer: Return-to-office (RTO) mandates, when they’re not wanted, are bad news for companies looking to keep their talent.

The researchers matched 260 million resumes to company data to analyze causal effects of RTO mandates on employees’ tenure at Microsoft , SpaceX , and Apple . In scientific terms, they found “a reduction in counterfactual tenure that increases for employees with longer tenure.” In layman’s terms: When the firms enacted RTO mandates, senior employees headed for the door—often to direct competitors—who let them work from home.

The number of top-brass employees at Microsoft—as a share of the company headcount—dropped by over 5% post-mandate; at Apple, it was 4%. (Microsoft mandated 50% of the week in-office; Apple, just one day a week.) SpaceX was the worst of the bunch, with a 15% drop, which the researchers chalk up to its uniquely stringent requirement: Five days a week in-person. That human outflow poses an enduring threat to “productivity, innovation, and competitiveness”—the component parts that separate a thriving company from one in freefall.

Microsoft’s internal data doesn’t align with the paper’s findings, Amy Coleman, its vice president of human resources and corporate functions, told Fortune via email. The term “return to office mandate” is also inaccurate, she said, adding that Microsoft is a hybrid workplace “that revolves around flexibility and a mix of workstyles across worksite, work location and work hours.” In 2022 , Microsoft’s chief human resources officer Kathleen Hogan told Fortune the company considers “working from home up to 50% of the time as standard.”

Representatives for Apple and SpaceX did not respond to Fortune’s request for comment, though an Apple spokesperson told the Washington Post that the study drew “inaccurate conclusions” and “does not reflect the realities” of Apple’s business or attrition rates.

The human toll of forcing their hand

The statistical analysis came from People Data Labs resumé data, David Van Dijcke, a coauthor and University of Michigan economics PhD student, tells Fortune . “The takeaway is definitely that the effects [of RTO mandates] are more deleterious than people thought before.”

Granted, the study is far from all-encompassing; it only studied three major firms, and they were all “early movers” in the RTO push, Van Dijcke acknowledges, pointing to each of their 2022 mandate announcements. That meant senior employees who left Microsoft, Apple, and SpaceX had “pretty good outside options,” namely competing companies that offered remote work with far fewer strings attached.

“If we think of Covid as ending in 2022, that was certainly followed by an influx of people claiming they would leave—and then really leaving when the first return-to-office mandates happened,” Anthony Nyberg, a management professor at the University of South Carolina’s Darla Moore School of Business, tells Fortune. “Apple and Microsoft really agonized over how to change their policies— Amazon , too, made many public comments.”

To be sure, Nyberg went on, mandating an office return is a major strategic decision—and even in the Michigan study, which found a statistically significant portion of high-earning workers leaving, it remains unclear whether that’s necessarily a bad thing for their former companies. “A big part of this is likely to become a sorting effect in terms of talent finding their best-fit organizations,” Nyberg says. “And people going to competing companies has been a truism for all of eternity.”

Plus, especially within the tech industry, moving to a competitor that’s offering to shell out more money is hardly much to write home about. Particularly if you work remotely, changing jobs is “no more than getting a new laptop shipped to you,” Nyberg says.

It’s harder at the bottom

A major asterisk to the data that Van Dijcke hopes people understand: Senior people may leave after a RTO more often, and in much greater numbers than entry- or mid-level workers, because senior leaders simply have more to gain. “They’re older, they’re more skilled, companies want to hire them for their expertise,” Van Dijcke says; greener employees don’t command the same sway. “We also saw that employees who leave aren't forced to accept suboptimal jobs—demotions,” he adds.

Earlier literature shows a preference for fully remote jobs is lowest among the youngest employees, who have the most to gain from in-person collaborative work. “That seems to explain the pattern we observed—that senior employees leave at higher rates,” Van Dijcke says. “They have better options, and they also want to work from home more than junior employees do.”

Even so, no RTO mandate should come at the expense of the bottom line, Nyberg stresses. “As soon as an organization can no longer achieve its strategic directives, halt the RTO plan,” he says. “But even during this period, these organizations keep enacting layoffs, which certainly suggests they’re not in a people shortage yet. And layoffs are much more dangerous, broadly speaking.”

Indeed, layoffs, especially across Big Tech , often have long-term lagging effects, making workers likelier to leave due to disrupted culture and fractured trust. But mandates are pushing people out, too; poor morale might just be poor morale. ( Ninety-nine percent of companies found a drop in employee satisfaction following their RTO mandate issuance, per a recent University of Pittsburgh study.)

Many experts see the whole decision simply. “An organization is really hurting itself if it forces people to come back,” Stephan Meier, chair of the Management Division at Columbia Business School, tells Fortune, adding he personally thinks the future will be hybrid . “People are really motivated by having flexibility in how they organize their days. But a lot of leaders grew up in an in-office environment—that was their way to control employees, that’s how they thought the world worked, that’s what worked for them and it’s why they’re on top.”

Mandates, for the most part, miss the point; workers will come back on their own accord if they feel doing so would bring a material benefit—or make it easier to deliver on their own work objectives.

Nonetheless, if a company is hellbent on having full offices—even if that can only be accomplished by force—Meier says “now is probably a better time [to enact a mandate] than two years ago,” owing to the pressure of mass layoffs and dire economic uncertainty . But companies that roll out mandates, he stresses, are missing the point.

“Being a leader means finding something that benefits everyone, and makes the firm run better,” Meier says. And fears of depressed financial outcomes stemming from remote work are far overblown; underperformers existed long before the pandemic, and no change in work arrangements will necessarily create more of them. “Before quiet quitting , there was Microsoft solitaire—a different way of phoning it in,” Meier says.

All told, the findings in the report don’t seem too egregious to Nyberg, the South Carolina professor, who’s spent decades—through financial crises and boom periods—assessing the flow of human capital. “But then again, I’m old.”

This story was originally featured on Fortune.com

One third of senior execs plan to ditch roles over return to office mandates

Return to office demands have caused friction with staff for some time, but even c-suite executives are now pushing back

One-third of executives plan to abandon their current roles if forced to comply with return to office (RTO) mandates, according to new research from Gartner.

This survey, which fielded responses from 3,500 employees, also revealed that 19% of those in non-executive roles would leave their organization due to RTO rules, highlighting rising tensions between employees and employers. 

“Organizations must weigh the benefits and risk of onsite requirements on employee attrition and engagement,” Gartner said.

Gartner pointed out that organizations and prospective employees are “misaligned” on RTO, with senior members of staff often leaving or avoiding roles with strict on-site requirements.

The firm found that 36% of executive job seekers who have faced RTO demands said it influenced their decision to leave the role, while a third stated that employers had discontinued hiring processes over the last year owing to “expectations that employees would return to a physical workspace”.

“Retaining key talent has become harder due to mistrust between employees and employers, employee burnout and disengagement, and fiercer competition in the labor market,” senior director at Gartner Caitlin Duffy said.

“With RTO mandates influencing the job-seeking and loyalty of senior-level candidates and employees, organizations that force workers to come into the office are likely to weaken their leadership bench and complicate succession planning,” she added. 

Get the ITPro. daily newsletter

Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.

Return to office mandates causing friction

Citing a previous survey of 170 HR leaders, Gartner mentioned some of the areas in which workforces are seeing a rising demand in office attendance and penalties for unfulfilled on-site rules.

63% of respondents reported an increased expectation to spend days in the office, while 13% said that the consequences of not meeting requirements had intensified.

 “While 58% of executives with a mandate to return to the office said their organization provided a convincing reason for the decision, many senior leaders are unwilling to come back into the office,” said Gartner’s Caroline Ogawa.

Gartner included the key ways in which employers can begin to remedy this problem, referring to the need of businesses to “motivate rather than mandate” by encouraging feelings of capability, autonomy, and connection via hybrid office spaces. 

How leaders of hybrid teams can help staff succeed

Employers should also look to create reasons for on-site attendance, such as brainstorming activities or offsite events, as well as ensuring employees themselves are part of the decisions to shape the RTO requirements.  

If employers want to retain staff, they also need to give a clear reason for RTO - Gartner cites that employees who understand why their employers are demanding RTO show greater levels of engagement, effort, and retention. 

George Fitzmaurice is a staff writer at ITPro , C hannelPro , and CloudPro , with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.

Why legacy tech skills are a point of concern – and how leaders can keep them alive

Neurodivergent workers are burning out at record pace — here’s what employers can do to improve support

‘Opposites attract’: Why the LogRhythm-Exabeam merger makes sense

Most Popular

2024 State of procurement report

A leader’s guide to battling workforce burnout

How to scale AI workloads taking an open data lakehouse approach

Creating a proactive, risk-aware defense to thrive in today’s dynamic risk environment

• 2 Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
• 3 UK releases draft code of practice for AI security
• 4 HPE supercomputer push continues with Aurora
• 5 NCSC CTO says what everyone is thinking about software security

Walmart will lay off hundreds of corporate workers, require others to relocate

The country’s largest retailer and employer mandated that the majority of workers in Dallas, Atlanta and Toronto move to its headquarters in Bentonville, Ark.

Walmart will lay off hundreds of corporate staff and require the majority of employees working remotely or at a handful of off-site offices to relocate, the company announced Tuesday.

Walmart is the largest employer in the country, with 1.6 million workers. The majority of employees work in stores or warehouses. Chief people officer Donna Morris said in an email to staff that the number of associates being laid off is “small in percentage” relative to the size of the company.

The retail giant mandated that the majority of employees in Dallas, Atlanta and Toronto move to its headquarters in Bentonville, Ark. Other staffers will go to locations in the San Francisco Bay Area or the New York metropolitan area. Employees affected by the news have already been notified, the company said.

“We believe that being together, in person, makes us better and helps us to collaborate, innovate and move even faster,” Morris said in the email. “We also believe it helps strengthen our culture as well as grow and develop our associates.”

Walmart has been investing in enhancing its in-person office experience, particularly at its headquarters known as Home Office. The company began new construction on a 350-acre campus in 2019 and aims to open in phases through 2025. The new campus has a child care center, hotel, 360,000-square-foot health and fitness center, food hall, 37-mile walking and biking trail, and auditorium.

GET CAUGHT UP

70 years later, 1 in 3 Black people say integration didn’t help Black students

Journalists sue Chicago Tribune owner alleging pay discrimination

Abbott grants Daniel Perry pardon in murder of Black Lives Matter protester

NFL disavows Harrison Butker’s comments, cites commitment to inclusion

6 Airbnb red flags to spot before you make a booking mistake

The company, which reports its first-quarter earnings on Thursday, has been cutting costs recently. Last month, it announced it was shuttering Walmart Health, an initiative started in 2019 that offered in-person health clinics at 51 stores as well as virtual visits. The company, which last year said it planned to open two dozen more, said it “determined there is not a sustainable business model for us to continue.”

Walmart follows several other large companies in asking white-collar workers to relocate as part of a push for more in-person work. The move comes amid a national stalemate over the return to offices: The effort to get workers back together in person has been ongoing since 2021, and scores of knowledge workers have long since made the transition. Yet office occupancy has hovered stubbornly around 50 percent of pre-pandemic levels across the country’s top metro areas since early 2023, according to data tracked by Kastle Systems.

As the labor market has cooled and layoffs have risen, more leaders have used their leverage to push for a greater return to offices. But workers have been reluctant to give up the flexibility they gained during the pandemic, and they’ve shown their resistance through petitions against RTO, leaving the company and even filing lawsuits .

Since the pandemic waned, hybrid work has become the dominant model for knowledge workers, with 54 percent of remote-capable workers operating under hybrid schedules, according to data from Gallup.

Executives have extolled the value of in-person work since the onset of return to offices, citing benefits to company culture, productivity and collaboration. CEOs such as Tesla’s Elon Musk, Meta’s Mark Zuckerberg and Nike’s John Donahoe have criticized remote work for leading to drop-offs in innovation and productivity. But they’ve provided little hard evidence for these claims, and are probably relying on decades-old research about the importance of co-location of teams, according to Christopher Myers, an associate professor of management and organization health at Johns Hopkins University.

Older research about the benefits of co-location for innovation tends to focus on examples of “things that came about because two people who happened to be near each other started talking about a problem they were having,” such as Post-it notes and Gorilla Glue, said Myers, who is also a scholar with the Academy of Management. But that’s far less applicable in today’s landscape, where technology allows workers to connect far more easily when they’re not in the same place.

“We have more options other than face-to-face interaction now,” Myers said. “Relying on that old research and that old perspective may not be as relevant or helpful.”