“Recovery Point Objective (RPO) – Do we get the point?”
Business Continuity and IT Disaster Recovery planning tends to first focus on system and application recovery (Recovery Time Objective - RTO) and data recovery (Recovery Point Objective – RPO) second. That makes sense when you consider the order it which things are usually recovered, but does it really? Isn't the data or the information the life blood of the company? Isn't that why it is called Information Technology and not just technology?
Customer information, financial data, product specifications, research data, procedures, accounts payable, forms (the list could go on and on) is what the company runs on.
I read two articles recently - Michael O'Dwyer's "How snapshot recovery ensures business continuity" and Marc Staimer's "Why Business Continuity Processes Fail and How To Recover Them." Both share a lot of good information about improving data backup methods and timeliness. They explain how important the RPO is to disaster recovery planning and talk about backup and restore procedures, media, storage and locations. I would like to add some additional considerations for determining the RPO and developing recovery strategies that will meet the business need.
Not all company data resides in specialized applications. Businesses tend to have a lot of information stored as paper or word processing documents - documents that are critical to their day-to-day business. These may be stored on local servers, on SharePoint, IBM, Google, Jive Software, Box, or in some "cloud". Do the businesses define in their plan which documents are critical? Do they define when the data has to be available to them or they can't function?
Not all the data is critical to recovery. How do you separate it? Who sets the RPO? If IT sets the backup time frame for the data recovery, do they ask the business what their need is? How much data they can afford to lose? Does the business have a way to recreate the data that is lost?
Then there is all the data that is still in paper form. What data has come in through the mail or fax machine that has not been entered into any electronic system yet?
Recovery strategies depend on timing. How long it has been since the last backup will tell us how much data could be lost. Is this amount of loss acceptable? Should the data be backed up more frequently or stored in a safe accessible place? What is the timing of the backups and are they full or incremental?
These are just a few of the questions that need to be asked when setting up your recovery point objectives and data recovery strategies. Other considerations include:
- Has the data been analyzed and prioritized into what is critical, necessary or optional to support the business recovery?
- Have the businesses been asked what amount of data loss is acceptable?
- Does the RPO meet the business need?
- Where is your data? Is it centralized or is it all over the place, on local servers, on SharePoint, in the "cloud".
- When is the data or the business's access to that data restored?
- What about email and web data? When do you need to recover access to that data?
- How is it recovered?
- Can just the critical docs be restored in a timely manner or does the whole storage system have to be restored before the business can get to them?
- How do the users access to the recovered data?
- How much data is lost between backups?
- Can the lost data be recreated?
- Does your BC/DR tool help you make important data available quickly?
Nimble Storage's Radhika Krishnan says "businesses need a backup and recovery solution that's both scalable and efficient without slowing down production during the workday." I agree. These are some of the questions that need to be answered in order to create a recovery point objective (RPO) that the company can live with without losing too much of its "lifeblood". Where do you and your company stand? Have you asked all the "right" questions?
Please comment below. I'd love to hear your thoughts.