Why settle for just one RTO and one RPO?
I think we can all agree that protecting data is important – perhaps even very important. So how come some still find it a daunting challenge to progress from that acknowledgement into tangible programmes to actually improve matters?
Part of the problem is that vendors love to simplify data protection conversations down to matters of RTO and RPO alone – that’s the recovery time objective and the recovery point objective. The first reason it’s a problem is that it’s way too much of an over-simplification. The second is that while RTO and RPO are typically assumed to be IT matters, they actually reach far wider than that.
To explain: RTO and RPO attempt to answer the fundamental questions at the heart of every data protection action. They deal with what is being protected, what protection it requires, how quickly it changes, how rapidly it must be recovered when needed, and how important it is to ensure long-term records of it.
RPO and RTO outline a data set’s need for protection
So RPO describes how often I need to protect my data to ensure that I can get back to what I had at the point when disaster or data corruption struck – or as close to that as possible. It therefore relates to how fast my data changes. RTO is how quickly I must make the recovered data available should disaster strike or a request come in from a user, an auditor, or even a regulator.
Answering those fundamental questions is simple enough for small numbers of different data sets. However, it becomes complicated very quickly when you have lots of different data sets of varying business importance, all of which may have very dissimilar protection and recovery needs.
Then add in questions such as where is the data, where must I recover it to in an emergency, and where will the copies be stored – including the widespread availability now of off-site/cloud data protection options, alongside in-house resources. Roll in ‘the democratization of DR’ too, and the complexity escalates almost exponentially.
Sadly though, too few organisations are willing to invest either the skills, the time or the money in looking at what’s really needed – which almost certainly means different RTO and RPO objectives for different workloads – and at the solutions available to meet these needs.
But data protection is a business question before it’s an IT one
Worse still, these are at heart business questions, not IT issues. IT can only address them if the bigger picture is understood. And this often means getting internal political buy-in from business users on what protection is really required, instead of simply giving the highest grade of protection to everything.
As it is, many organisations assume that the data protection measures they have in place are OK because “IT has been doing this for years.” And indeed, IT has been doing it – but almost every IT professional will tell you it could be done better, if only budget and time were available.
The consequence of all this is that, despite the complexity discussed above, your organisation may end up applying the same RTO and RPO objectives to most or all of its data sets. This may be fine, but it is more likely to mean that many data sets do not have the appropriate level of protection, or that resources are wasted. And all that could end up hurting the business badly.