Recovery time objective (RTO). You have probably heard the term tossed around, but what does it really mean? Some define it as your tolerance for downtime, but that’s not the most accurate definition. Many businesses think they can tolerate much more downtime than they can. The real question when it comes to RTO is how much downtime can you suffer before you start losing money?
Your answer might be the same. Maybe you think you can afford 4 hours, or even a full day. But to determine your RTO – the length of time you can be without a service or application before your business is financially impacted – you also must ask yourself, how long will it take for you to recover from a major cybersecurity incident or a disaster of any kind?
Why Recovery Time Objective is Important
Are you getting the sense that RTO is more than just the amount of time you think you can be without an application or service? You should be. To determine your RTO, you must first know what you’re recovering. What are the services that your business would be crippled without? Is there any specific data that’s essential to keeping your business afloat?
Think of it this way: If a fire destroyed your business tomorrow, including all your IT equipment, and you had no backups of your systems in place, how long would it take you to recover the most essential items and data you needed to resume business? Your computers and servers might be covered by insurance, but even once you got them back, what about the applications, programs, and data stored on those devices? Do you have a backup of all your financial information that’s stored off-site and fully recoverable? What about product specs and designs? Or customer information?
The Federal Emergency Management Agency (FEMA) estimates that 40 percent of small businesses never recover from a disaster. Even businesses that do sometimes take months to years fully recover their footing, and by then, customers have moved on to other businesses. Can you afford that?
That’s why RTO is an important measurement you should invest time into determining. It clearly defines what needs to be recovered and how quickly before your business starts to suffer in ways that are difficult to overcome.
Determining Your Recovery Time Objective
Recovery time objective isn’t an arbitrary number. Two main factors go into calculating how long you can afford to be without the services and data that keep your business operational:
- The criticality of functions and data. Before you can decide what it would cost you to be offline, you need to know which of the services or functions that your business uses are most valuable. That means looking at each service or function and the data that is required to make that function work properly, then determining which would be most critical to maintaining or restoring your daily operations. For example, maybe you could live without your CRM application, if you had to, but if living without it also meant you couldn’t access customer data and records how would that impact your business? Could you still function? Could you still provide your customers with the products and services they expect? To determine your RTO, it’s necessary to understand exactly what functions and data are most critical to the operation of your business.
- The cost of an interruption in access to those services and data. Once you know what’s most critical to keeping your business functioning, then you need to look at what it would cost you if you lost those functions or data. Lost sales, which are immediate and tangible costs, should be considered, of course. But there are other costs to take into consideration as well. For example, if your business were to experience an outage that lasted four days, what would your customers think? What if the outage was four hours? Or what if that service interruption resulted in customer data exposure? Then how would your customers react? This is called reputation cost, and it’s difficult to quantify. How much would it cost your company if you lost a portion of your customer base? For example, if you experienced an outage that lasted four hours, and you lost one customer because of it, what would your business lose in sales? What if you missed one prospect that would have eventually become a customer? What is the value of that? The precise numbers will vary from business to business, but they can be determined. There is no way to know exactly how many customers or prospects might be affected by an outage, but create your best, most educated guess. That monetary figure is essential to determining your RTO.
Once you’ve determined what must be protected and what it would cost if you couldn’t access those services and data, then you can figure out your level of tolerance for outage. In most cases, you’ll find it’s much less time than you imagined.
What to Do With RTO
You didn’t just go through that exercise to determine your RTO for fun. That’s a real number that’s used to determine how much you can afford to invest into the technologies and services necessary to recover your IT infrastructure and data in the event of a loss. A rule of thumb is that you never want to invest more in recovery than the cost of the losses you’re trying to prevent. That means balancing risk and recovery.
Recovery Time Objective may seem like an intimidating measurement, but it’s one you should prioritize. Budgeting for recovery technologies and services is essential to keeping your business operational in the event of a disaster, but reaching an RTO measurement should also illuminate what your protecting and how critical it is to the survival of your business.