RTO and RPO explained

What RTO and RPO mean

The recovery time objective answers the question "how long can we be down?" It's the maximum period a system can be unavailable before the disruption causes serious harm to the business: lost sales, broken service commitments or regulatory breaches. If your RTO is four hours, the system must be back within four hours of the outage.

The recovery point objective answers a different question: "how much data can we lose?" It's measured in time, not bytes. An RPO of one hour means your backups must run at least hourly, so the most data you can ever lose is one hour's worth. The Business Continuity Institute's glossary defines both terms precisely, and they're used consistently across the profession.

Both targets are documented in a disaster recovery plan. They're part of the language of business continuity more broadly, and the international standard ISO 22301 (business continuity management systems) treats them as fundamental inputs to any effective continuity programme.

The difference, with an example

Imagine a system fails at 11am on a Tuesday. Your RTO is four hours, so the target is to have it working again by 3pm. Your RPO is one hour, and your last backup ran at 10:30am. If you restore from that backup, you lose 30 minutes of data - well within the one-hour limit.

RTO is about downtime: how long the business can operate without that system. RPO is about data loss: how far back you have to roll, and what work or transactions disappear. A significant IT outage can damage both dimensions at once, which is why each needs its own target.

The two targets are independent. A business might set a tight RPO (backups every 15 minutes) but a looser RTO (back up within eight hours), because losing data is catastrophic but a few hours offline is tolerable. The right balance depends on the system and the business.

How RTO and RPO shape your plan and its cost

Tighter targets require more investment. A one-hour RTO demands faster infrastructure, standby systems and well-practised recovery procedures. An RPO of 15 minutes means near-continuous backup, which adds storage and processing overhead. There's a direct relationship between how ambitious the targets are and what it costs to meet them.

The right targets come out of a business impact analysis. That process establishes what each system is worth to the business and what the real cost of losing it would be. Without that foundation, RTO and RPO are guesses.

The targets then drive the design of your disaster recovery plan: which backups to run, how frequently, how systems will be restored and by whom. They turn a general intention to "be prepared" into a specific, testable commitment.

Setting realistic targets for a smaller business

Not every system needs the same targets. Your customer database and billing system probably need tight RTO and RPO values. Your internal filing archive can probably tolerate a longer outage and some data loss without serious consequence. Grading systems by criticality keeps the cost of resilience proportionate to the risk.

For most smaller businesses, a practical starting point is to list the five or six systems the business genuinely cannot operate without, set RTO and RPO targets for each, and make sure the backup and recovery arrangements actually meet them. The targets should be reviewed whenever the business changes significantly - a new system, a new service line or a change in regulatory exposure can all shift what's acceptable.

Recovery targets sit at the heart of any credible business continuity approach. Getting them documented and tested is one of the most practical steps a smaller business can take towards genuine resilience.

Frequently asked questions