TechMediaToday

Business Continuity Plans in the Digital Era

Businesses have always been prone to a multitude of threats, ranging from natural catastrophes to accidents like fires, which could disrupt the entirety of their operations.

As processes became digital, the resilience of organisations increased through their ability to store data in the cloud. However, this brought new risks as well.  

As more organisations opt to use the cloud to store data, the possibility of encountering threats like malware and ransomware keeps increasing, intensifying the need for strategies to protect data. This risk calls for continuity plans to evolve to ensure that businesses remain functional in the event of any disruption. 

Plans that predict risks and their impacts are known as Business Continuity Plans (BCPs); they aim to protect businesses from various disasters so that their operations do not shut down. Below we discuss BCPs and why metrics like Recovery Point Objectives and Recovery Time Objectives should be included in them.

Business Continuity Plans and their Development

A Business Continuity Plan involves the creation of a systemic strategy for avoidance, prevention, and recovery from potential threats to a business to ensure that companies do not collapse in the event of an unforeseen accident. 

Planning for business continuity essentially involves the identification of risks, their impact, security measures taken for their avoidance, and planning for recovery if they occur. The process of developing a solid BCP includes:

  1. Identification of Time-Sensitive Functions

The first step is conducting a Business Impact Analysis to identify the functions crucial to your business.

  2. Recovery Planning

This step involves the identification and implementation of methods that need to be carried out to recover critical functions.

  3. Choosing a Team

A business continuity team is created within this step, and a BCP is compiled.

  4. Training the Team

The last step of business continuity planning is training and testing the team while simulating risk scenarios.

RPOs and RTOs in Business Continuity Plans

One critical aspect of such Business Continuity Plans is the clear development and identification of Recovery Point Objectives and Recovery Time Objectives. These metrics are explained in detail below. 

What is a Recovery Point Objective?

A Recovery Point Objective, or RPO, is the threshold of data loss – measured in time – an enterprise can handle without severe disruptions to its operations. Essentially, RPO determines the maximum age of the data in backup storage required to allow an organization to function should a network or computer system failure occur.

How Do RPOs Work to Schedule Backups?

An organization’s loss tolerance is defined in its Business Continuity Plan. The BCP entails procedures for recovery after disasters, including the backup frequency determined by RPOs.

RPOs differ from one organization to another. Often, sensitive data in high-priority applications demands shorter RPOs, requiring frequent backups. They can be as short as near-zero, classifying any data loss as intolerable.

In organizations that deal with such applications, sophisticated data protections and replication systems need to be deployed to satisfy short RPOs. 

Data Classification by RPO

RPO calculations often begin by classifying data into tiers according to its level of criticality to an organization. Typically, four tiers are used:

Tier 1: 0 to 1hr RPO

This tier includes critical data that a company cannot afford to lose, even by a minute. The operations providing and using such data are dynamic, and the data itself is probably impossible to recreate due to the large number of variables involved.

This is the data whose loss would result in repercussions in the form of financial damages and legal accountability. Patient records and banking transactions lie in this tier.

Tier 2: 1 to 4hr RPO

Within this tier lies semi-critical data: though important, a minor loss would not prove devastating.   

Tier 3: 4 to 12hr RPO

This data is unessential, and your company or team can tolerate up to 12 hours of its loss. 

Tier 4: Over 12hr RPO

This data is not critical at all, or maybe it is stored in the form of hard copies as well, allowing for easy recollection.

The number of tiers may further vary per organization. For example, some may deal with such a large amount of extremely sensitive data that they need a category just for near-zero RPOs.

Similarly, some organizations may deal in lengthy processes, letting their tiers have an RPO of days or weeks or months. The key to determining an effective average RPO is to ask the right questions when classifying data. 
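As an added illustration (not part of the original article), the Python sketch below audits backup timestamps against the tier limits listed above, flagging any dataset whose longest gap between backups exceeds its tier's RPO even when the latest backup is recent. The dataset names, timestamps and the 24-hour ceiling for Tier 4 are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Upper RPO bound per tier, taken from the tier list above. Tier 4 is
# "over 12hr" with no stated ceiling, so its 24h value is an assumption.
TIER_RPO = {
    1: timedelta(hours=1),
    2: timedelta(hours=4),
    3: timedelta(hours=12),
    4: timedelta(hours=24),  # assumed ceiling, not from the article
}

def worst_exposure(backups, now):
    """Largest window of unprotected data: the longest gap between
    consecutive successful backups, or from the last backup until `now`."""
    points = sorted(backups) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def rpo_report(inventory, now):
    """Return {dataset: (tier, exposure, compliant)} for each dataset."""
    report = {}
    for name, (tier, backups) in inventory.items():
        if not backups:
            # No successful backup at all: exposure is unbounded.
            report[name] = (tier, None, False)
            continue
        exposure = worst_exposure(backups, now)
        report[name] = (tier, exposure, exposure <= TIER_RPO[tier])
    return report

# Constructed sample inventory (hypothetical dataset names and times).
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = {
    # Latest backup is 30 min old, but one run was missed (80 min gap).
    "patient_records": (1, [NOW - timedelta(minutes=m) for m in (170, 110, 30)]),
    "crm_notes": (2, [NOW - timedelta(hours=h) for h in (9, 6, 3)]),
    "hr_archive": (3, [NOW - timedelta(hours=h) for h in (30, 14)]),
    "scanned_forms": (4, []),
}

if __name__ == "__main__":
    for name, (tier, exposure, ok) in rpo_report(INVENTORY, NOW).items():
        status = "OK" if ok else "RPO VIOLATION"
        print(f"{name:16} tier {tier}  exposure={exposure}  {status}")
```
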

Now that RPO has been elaborated in detail, let’s discuss the Recovery Time Objective. 

What Is a Recovery Time Objective?

The Recovery Time Objective, or RTO, is the maximum length of time an organization deems acceptable to restore normal operations after a data loss: it is the longest downtime tolerable without facing a major loss. The smaller the RTO, the greater the probability of incurring losses as time passes after an outage.

Defining Recovery Time Objectives in BCPs allows the timely creation of policies and employment of relevant technologies to attempt to make the organization recover within a certain duration of time.

Balancing Criticality and Budget

Short, strict RTOs and RPOs are expensive to achieve. For instance, hourly backups will make your data secure, but will require more storage and network resources than daily backups. As a result, cost and necessity have to be balanced at some point.

To stay within your budget, you need to accurately identify your desired RTO and RPO values and then search for cost-effective ways to attain them. For example:

  • Critical data can be continuously copied from primary storage to always-active secondary storage, but this configuration can get expensive. You can start performing incremental data backups after full backups have been conducted; these only back up new and modified data, leading to shorter backup windows at lower costs.
  • Use cloud backup locations instead of building a secondary IT stack to keep the costs down and make the data easily accessible. 

Endnote

When dealing with risk management, businesses need to find a way to have solid plans while investing smartly in the minimum amount of resources possible.

Within business continuity and disaster recovery plans, metrics like RPO and RTO are paramount to ensure that less guesswork and more management are involved.

Effective data loss prevention and a solid strategy to employ if any downtime occurs are crucial to smooth operations of a business, and so organizations need to invest in backup systems to ensure they stay prepared for any unexpected scenario.
