Executives make difficult decisions daily involving tradeoffs between economic realities and probabilities. When leaders develop a business continuity plan (BCP) to protect their organization when—not if—a computer outage occurs, they must acknowledge tough situations and their own limitations. A good business continuity plan accounts for the people, locations, and processes involved in all kinds of unexpected scenarios and failure events.
Downtime is costly for businesses with revenue models that depend on data centers. According to one study, businesses lose an average of about $5,000 per minute during a data center outage.
Therefore, system outages present risks that should be accurately weighed against the investments required to protect the business, and that involves knowing the RPO and RTO of your business continuity plan.
Understanding Your Recovery Capacity
When computer outages occur, everything can be thrown off-kilter. A business continuity plan outlines the steps necessary to get employees and systems back up and running. That’s where RPO and RTO become very important.
First, determine how downtime will impact your organization. A business impact analysis (BIA) examines department functions, determines their level of importance (critical or non-critical), and then correlates the possible downtime for each function to its impact on the bottom line.
Next, decide how to mitigate the damage as effectively as possible. To plan accordingly and have realistic expectations of your BCP, you must understand the recovery point objective (RPO) and recovery time objective (RTO) of your data.
Recovery Point Objective Centers on Data
Recovery point objective (RPO) is an IT function that focuses on data backup plans. If a system goes down, from what point in time can that data be recovered?
In a perfect world, all data would be saved continuously. However, the cost of such redundancy is prohibitive. A general rule of thumb is that the more often data is backed up and the more computer resources are used, the higher the technology expenses become.
Typically, total expenses revolve around factors like the type of storage selected, the amount of storage needed (rates usually go down as volumes rise), and where the backup occurs, on-site or in the cloud.
Determining the RPO involves a series of tradeoffs. Revenue-generating applications often receive more frequent and more effective backups. For instance, an e-commerce system may back up every five minutes, while a shift scheduling system backs up once a day.
Recovery Time Objective Emphasizes Time
Meanwhile, your recovery time objective (RTO) is the acceptable amount of time a person, location, or process of your business can endure a disruption of data before needing to restore that business function. While no function can be offline forever, certain instances have more of an impact than others. Is 2 hours too long or is 24 hours too long?
For example, if an e-commerce store loses money every moment the website is down, it will be the first system an enterprise tries to restore. By contrast, an app tracking employee vacation is not as critical to restore.
Additionally, restoration is a complex process with many variables, starting with the level of disruption. After a natural disaster, if team members cannot access the workplace at all, an alternative location is needed. There, the employees are outfitted with new systems, the organization switches to new communication lines, and temporary offices are established. Again, the more redundancy desired, the higher the cost of the process.
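To make the two measures concrete, the following added example (not part of the original article) compares what an outage actually cost in lost data and downtime against each system's RPO and RTO. The system names, timestamps, and the 2-hour and 24-hour RTO targets are constructed assumptions; note that a backup job that ran on schedule but failed does not count toward the recovery point.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Assumed objectives per system (illustrative values, not recommendations).
OBJECTIVES = {
    "ecommerce":  {"rpo": timedelta(minutes=5), "rto": timedelta(hours=2)},
    "scheduling": {"rpo": timedelta(days=1),    "rto": timedelta(hours=24)},
}

# Constructed incident data: (backup completion time, succeeded?) per system.
INCIDENTS = {
    "ecommerce": {
        "backups": [(ts("2024-03-04 09:50"), True), (ts("2024-03-04 09:55"), True),
                    (ts("2024-03-04 10:00"), False), (ts("2024-03-04 10:05"), False)],
        "outage_start": ts("2024-03-04 10:07"),
        "restored_at": ts("2024-03-04 11:30"),
    },
    "scheduling": {
        "backups": [(ts("2024-03-03 01:00"), True), (ts("2024-03-04 01:00"), True)],
        "outage_start": ts("2024-03-04 10:07"),
        "restored_at": ts("2024-03-05 12:00"),
    },
}

def last_good_backup(backups, outage_start):
    """Latest successful backup completed before the outage, or None."""
    good = [t for t, ok in backups if ok and t <= outage_start]
    return max(good) if good else None

def evaluate(system, backups, outage_start, restored_at):
    """Compare the achieved recovery point and recovery time to the objectives."""
    obj = OBJECTIVES[system]
    last = last_good_backup(backups, outage_start)
    data_loss = None if last is None else outage_start - last  # unrecoverable window
    downtime = restored_at - outage_start
    return {"system": system, "data_loss": data_loss, "downtime": downtime,
            "rpo_met": data_loss is not None and data_loss <= obj["rpo"],
            "rto_met": downtime <= obj["rto"]}

def report():
    return [evaluate(name, **inc) for name, inc in INCIDENTS.items()]

if __name__ == "__main__":
    for r in report():
        print(r)
```

In the constructed data, two silently failed backup jobs push the e-commerce system past its five-minute RPO even though the schedule was kept, which is why backup success should be monitored alongside backup frequency.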
Chances are good that your organization will face a business disruption at some point. After all, is your business prepared for a cybersecurity attack? Understanding the basic BCP terms and the tradeoffs they represent enables you to construct an effective, cost-efficient BCP to manage a tech outage proactively rather than reactively and limit damage to your business.