Business Continuity: Establishing RTO and RPO

Business continuity planning (BCP) isn't optional. If there is an unplanned disruption in service, the BCP will help your organization regain its productivity. The plan typically contains all the information necessary for backups, workarounds, plan administrators, and who to contact at backup sites. 

Business Continuity Plans with Cloud Services

BCP emerged from disaster recovery plans where the focus was on getting the IT infrastructure back up and running. As data has become the lifeblood for some companies, the need for more comprehensive plans has emerged with a focus on returning to normal business operations. 

Business continuity planning can get sticky as businesses transition to the cloud. For many organizations, this is the first time they've shared security responsibilities with a third party, and it may be challenging to get comfortable with this arrangement. The company must be willing to give up a little control to take full advantage of cloud benefits.

Unfortunately, no cloud provider can save a company from itself. No matter how much responsibility a third-party provider takes on, they can't be responsible for administration errors, lost devices, or bad login practices. Ultimately, the data belongs to your organization. You need to be sure you have the right disaster recovery, cybersecurity, and other business continuity plans in place for your business.

Essential Elements of a Business Continuity Plan 

There are two critical metrics that every organization needs to set when building its BCP: Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

  • Recovery Point Objective (RPO):

    • This is the maximum acceptable time between the data loss and the last good backup.

  • Recovery Time Objective (RTO):

    • This is the maximum acceptable time for a business to be up and running after a disaster. It covers the whole recovery, from start to finish, of the data and systems needed for normal business processes.

It might seem like the answer is easy, as your organization likely wants to lose as little data as possible and be back up and running immediately. The tradeoff is the cost. The closer you get to zero on either of these metrics, the higher the price.

Along with measuring these two areas to determine a company's business continuity preparedness, it's also important to classify applications and data according to how critical they are to the company's operations:

  • Existentially critical applications and data are those that will immediately cause the organization to stop running if they are not available.
  • Mission-critical data and systems are central to employee productivity and business processes, but there are ways to work around them if absolutely necessary.
  • Optimal-for-performance systems, if not available, will cause a reduction in productivity, and service may not be as seamless, but the business can function at acceptable levels without them.

Organizations are increasingly aware that a ransomware attack or other cybersecurity breach could destroy their business. As a result, more companies have developed specific ransomware response plans. 

Changing requirements, increasing cyber threats, and cloud applications make BCP much more complicated. At the same time, in an always-connected digital economy, an organization's dependence on its data has never been greater. Does your organization have a robust business continuity plan? If you're not sure, contact us at BlackPoint IT Services. We can help you assess your business continuity plan and determine what plan of action is necessary to protect your assets for the future.
