RTO vs RPO: A Plain-Language Guide for Executives
Recovery Time Objective and Recovery Point Objective are the two numbers that define your organisation's true tolerance for downtime. Most executives don't know theirs. Here's how to find out.
When a system fails or an attack hits, two numbers determine whether your organisation survives the event intact or spends weeks rebuilding from the damage. Those numbers are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). Most executives have heard the terms. Very few know their actual figures — and even fewer know whether their backup infrastructure can actually meet them.
Defining the Terms
RTO — Recovery Time Objective is the maximum acceptable length of time that a system, application, or business process can be offline after a failure. It answers the question: how long can we afford to be down?
If your finance system goes offline on a Monday morning and your RTO is four hours, you've committed to having it operational again by midday. If recovery takes eight hours, you've breached your RTO — and whatever downstream consequences that brings (lost revenue, regulatory breach, SLA penalties, reputational damage) are now in play.
RPO — Recovery Point Objective is the maximum acceptable amount of data loss measured in time. It answers the question: how far back can we afford to roll back?
If your RPO is two hours and an attack hits at 14:00, your last clean backup must be from no earlier than 12:00. Any transactions, records, or changes made between the backup point and the incident are lost. If that window contains two hours of payment processing, customer registrations, or stock movements, the business impact is real and quantifiable.
Why These Two Numbers Are Different
RTO and RPO are often confused or conflated. The distinction matters:
- RTO is about time to recovery — how fast can you restore operations?
- RPO is about data integrity at the point of recovery — how much do you lose when you get back?
A system with an RTO of one hour and an RPO of 24 hours can recover quickly — but will do so with yesterday's data. A system with an RPO of 15 minutes and an RTO of 72 hours has very recent data available but takes three days to restore. Neither scenario is necessarily right; the correct balance depends entirely on what the system does and what the business can tolerate.
How to Determine Your Numbers
Neither RTO nor RPO should be guessed. They should be derived from business impact analysis — a structured assessment of what each system does, what happens when it fails, and at what point the failure becomes critical.
For each key system or process, work through these questions:
For RTO:
- What revenue or operational activity stops if this system is unavailable?
- At what point does a short outage become a business-critical event? (1 hour? 4 hours? 24 hours?)
- Are there manual workarounds, and how long can they realistically sustain operations?
- Do any regulatory or contractual SLAs impose a hard deadline?
For RPO:
- How frequently does meaningful data change in this system? (Every minute? Every hour? Daily?)
- What is the cost of reconstructing data from external sources if needed?
- Are there audit, legal, or regulatory requirements that define minimum data retention points?
- Would customers or partners be affected by a data rollback to the last backup point?
The answers will differ substantially between systems. A real-time payment processing database may have an RPO of near-zero. An internal HR document management system may tolerate a 24-hour RPO without meaningful impact.
Industry Benchmarks
General benchmarks by system criticality:
| System Type | Typical RTO | Typical RPO |
|---|---|---|
| Core banking / payment systems | < 1 hour | Near-zero (synchronous replication) |
| ERP / accounting | 2–4 hours | 1–4 hours |
| Email and collaboration | 4–8 hours | 4–24 hours |
| CRM | 4–8 hours | 4–24 hours |
| Internal file shares | 8–24 hours | 24 hours |
| Archive / compliance systems | 24–72 hours | 24–48 hours |
These are starting points for conversation, not universal standards. Regulated industries — financial services under the FSCA, healthcare under the HPCSA, or critical infrastructure operators — will have specific requirements that may set a lower ceiling than these benchmarks.
How RTO and RPO Drive Backup Architecture
Once you know your numbers, they become requirements that your backup architecture must satisfy. Not the other way around.
RPO drives backup frequency. An RPO of one hour means you need backups taken at least every hour. An RPO of 15 minutes may require continuous data protection or near-synchronous replication rather than scheduled snapshots.
RTO drives recovery speed and infrastructure. A four-hour RTO sounds comfortable until you're trying to restore 10TB of data over a network connection. The recovery speed of your backup solution — measured in actual throughput, not theoretical maximums — must be validated against your RTO under realistic conditions.
Both numbers drive where data lives. Tape-based backup has low cost but typically cannot meet an RTO under 24 hours. Cloud backup with local caching can meet aggressive RTOs. Synchronous replication to a standby environment can meet near-zero RTOs but at significantly higher cost.
The Mistake Most Organisations Make
They set RTO and RPO targets in a business continuity document, then never test whether the backup infrastructure actually meets them.
A backup that runs nightly and stores data offsite may look like it satisfies a 24-hour RPO. But if restoring from that backup takes 36 hours, the RTO is broken. If the backup job silently failed three months ago and nobody noticed, both numbers are fiction.
Recovery capability should be tested on a schedule — at minimum annually, ideally quarterly for critical systems. A test restore that completes successfully under controlled conditions is the only evidence that your RTO and RPO commitments are real rather than aspirational.
What to Do with This Information
If you don't currently have documented RTO and RPO targets for your key systems, the first step is a Business Impact Analysis. This does not need to be a lengthy exercise — for most organisations, a structured conversation with the heads of each business unit will surface the critical systems and their tolerance thresholds within a few days.
Once targets are set, evaluate your current backup infrastructure against them honestly. The questions to ask:
- What is our actual backup frequency for each system? (Check the logs, not the policy document.)
- What is our demonstrated restore speed for each system? (Run a test restore — not a theoretical calculation.)
- If our primary site were unavailable, where would we restore from, and how long would it take?
- Who is responsible for monitoring backup job completion and alerting on failures?
Montana Data Company conducts Recovery Architecture Reviews that map documented RTO/RPO targets against actual backup configuration and tested restore performance, identifying gaps and recommending specific remediation steps.