A recovery time objective (RTO) is the acceptable amount of time—agreed upon by IT and application owners—to restore functionality when an application, service, data or other digital asset becomes inaccessible due to an outage or data loss event, such as a ransomware attack.
In practice, RTOs act as service-level agreements between the IT organization and the business. Similarly, recovery point objectives (RPOs) are shared decisions about how far back in time the organization can tolerate losing data, RTOs are a measurement of acceptable downtime. Both are important when developing a disaster recovery plan.
But there’s a growing divide in organizations between RTO expectations and reality, that an effective disaster recovery strategy and solution can bridge. The first step in closing the gap requires IT and application owners to come together to think through their RTOs and their impact on the business.
Applications power today’s businesses. After years of digital transformation and rapid digital services adoption during the pandemic, it’s safe to say that these apps are instrumental to how people live, work, and play today. Before the cloud reset digital access and delivery expectations, application owners may have agreed to hours or days of disrupted operations. Now, their assumption is just a few minutes.
But all applications are equally critical to your customers or your business operations. That means IT and business owners have to strategically prioritize the mission-critical applications and adopt technologies that support the lowest RTO goals.
For example, healthcare organizations might prioritize the RTO of patient monitoring and clinician resource databases over patient billing applications. In financial services, a real-time trading application would likely be ranked higher in business criticality than an application generating client investment summaries.
Whether your organization is establishing new or revisiting existing RTOs, consider these six best practices:
A candid conversation with each application owner to determine their downtime tolerance and its impact on the business are critical to setting RTO goals not only for a particular application but for the entire organization’s technology portfolio. During these meetings, leaders can assess whether application RTO expectations align with today’s downtime expectations. For example, if an application now pulls customer records in real time from an on-premises database, that database may now be considered more mission-critical than it was when it was originally deployed.
A good place to begin evaluating SLAs is to review their importance. Clearly defined and agreed upon SLAs help manage expectations between the customer (application owner) and the IT team, and are important in building trust. SLAs ease the concern over risk, and help define what happens in the event of a disaster. They define the urgency of actions to keep IT teams focused on what apps and data matter most. What level of always-on the business needs will help to determine SLAs, and downstream RTO goals.
After meeting with key stakeholders, stack rank the applications into recovery tiers based on current realities and business requirements. Again, not every application should have a mission-critical recovery time objective. As much as possible, standardize RTOs by tier so the recovery plan is simpler to follow. Should a disaster happen, such as a successful ransomware attack or an employee deleting the wrong file, the process should be clear.
As part of the ranking and tiering process, the stakeholders should evaluate the recovery methods based on the downtime tolerance, and the various ways to achieve recovery. For instance, for mission-critical applications like user authentication services, customers might deploy an automated failover/fallback solution. But for business-critical applications, a snapshot-based backup and recovery might do the job.
Organizations often have significant, long-standing investments in backup and disaster recovery technologies that are perfectly adequate for RTO goals of hours, days, or months. Evaluate if that same technology can meet today’s demands, say to rapidly recover hundreds or thousands of virtual machines (VMs) or Microsoft 365 mailboxes nearly instantly.
Modern data management solutions have readiness capabilities to address the varied tiers of application recovery businesses require:
Discover how your organization can race to near-zero RTOs and most effectively maintain business continuity.