This month's topic is Recovery Time Objectives (RTO), and how it relates to your Disaster Recovery Plan in establishing time constraints for your business critical applications.
What does Recovery Time Objective (RTO) mean exactly? We find this acronym in just about every discussion about backup products and storage arrays. Many IT people mistakenly think it refers to the time it takes to restore a system or an applications data. Although that is true, RTO and reality are sometimes not one in the same. The RTO is a goal or an ideal time in which you need a specific resource or service to be available following an interruption or outage. In essence, the RTO provides the maximum amount of time before an organization is negatively impacted by the interruption of one its core business processes or functions. For this reason, the task of establishing the RTO must start at the business level and not the systems level.
This information must be gathered from the various Business Units (BU) and then be analyzed. This analyze will help provide conclusions with respect to potential losses and the time frame from which they can be incurred. This Business Continuity Planning (BCP) process is known as a Business Impact Analysis (BIA), and should address the following items:
Create a list of the various functions or processes for which the BU or department is responsible for revenue generating activities, and what happens when a specific business process or function is interrupted;
Determine the financial or intangible losses an outage could cause. Financial losses include lost revenue, salaries paid to non-productive employees, extra expenses and fines. Intangible losses include damaged brand and reputation, negative public opinion or depreciated stocks;
Consider the worst possible time at which an interruption could occur like at quarter-end or year-end in the BIA and RTO;
Identify applications required to perform or assist with a specific business function. Other dependencies include other business functions, services or key roles;
Identify how critical dependencies are to a particular business function. For example, unavailability of an application that is highly critical to the function may actually halt that function.
Create a manual process or documented contingency plan that could allow temporarily capabilities to a function, which would buy some time, thus allowing a longer RTO.
Once the potential losses have been identified, the business is in a position to make a decision regarding what it considers acceptable losses. Because losses are incurred over time, this decision also dictates the maximum outage the business can tolerate for each specific function. The RTO for the business functions must therefore not exceed that maximum tolerable outage. Subsequent dependencies identified as highly critical to these business functions, must also fall under the same RTO. It must also include the applications or other business functions and their respective applications. This is where the RTO for each application and supporting infrastructure must be prioritized and established.
So, there you have it. Recovery Time Objectives are a very critical piece of an organizations business recovery strategy. To provide reliability you should consider how you respond to procurement delays, as these elements can consume part of the RTO before the actual recovery effort is even initiated. One of the primary reasons why disaster recovery plans do so poorly, is the risk of taking shortcuts and burdening users already overloaded with other work. When a person's primary role is in conflict with their disaster recovery role, the primary role almost always wins.
To view more articles:
or to inquire about an on-site presentation, please feel free to call me at 508-995-4933 or email me at firstname.lastname@example.org.
Until next time.....
Founder & Principal Consultant
Managing Your Security and Risk Needs
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers
The people I distrust most are those who want to improve our lives but have only one course of action in mind. (Frank Herbert)