Defining RPO and RTO in the Age of Cloud Computing

One of the best practices in well run IT organizations is for CIOs and IT managers to evaluate the risk of data loss, and establish business continuity plans that outline backup and recovery along with their respective Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). But first, information technology teams and business stakeholders must start with a common understanding of what RPO and RTO mean in terms of backup and recovery.

  • Recovery Point Objective (RPO): The maximum acceptable age of the data that can be restored (or recovery point) and the version of data lost. For simplicity, RPO can be thought of as the time between the time of data loss and the last useful backup of a known good state.
  • Recovery Time Objective (RTO): The maximum acceptable length of time required for an organization to recover lost data and get back up and running. This value may be defined as part of a larger Disaster Recovery Plan across an organization that also includes applications like Office 365. For simplicity, RTO can be thought of as the time it takes, from start to finish, to recover data to an acceptable current good state.

Defining RPO and RTO as part of disaster recovery scope, in the age of SaaS and Cloud

As you review your disaster recovery plan and your RPO and RTO, it’s critical to classify and determine the applications and data that are:

  1. Existentially-critical: The organization will likely cease to exist if these first-tier systems or data are unavailable or compromised.
  2. Mission-critical: There will be significant, but not existential, harm to employee productivity, organizational reputation, and potentially revenue if these second-tier systems or data are unavailable or compromised.
  3. Optimal-for-performance: There will be a reduction in organizational efficiency, but otherwise limited impact on the organization’s mission if these third-tier systems or data are unavailable or compromised.

There’s no “one size fits all” answer when calculating RPO and RTO. IT and stakeholders must assess the MTPD (Maximum Tolerable Period of Disruption) on an application-by-application, dataset-by-dataset basis, then layer protection based on what your organization has defined as existentially-critical, mission-critical, and optimal-for-performance.


With the advent of robust, widely adopted collaboration platforms like Microsoft Office 365, some of what had been IT costs and responsibilities are now offloaded to the vendor, freeing IT to better focus on protecting existentially-critical systems and applications. Office 365 “assumes” some of the responsibility that used to be the IT organization’s alone — for example, Office 365 SLAs contain provisions related to data center outages, infrastructure management, and data storage. Microsoft even provides some recovery tools. For more details, read this blog post.

But while SaaS vendors like Microsoft offer some protections for mission-critical applications and data, IT is still ultimately responsible for ensuring the organization is protected, and can meet RPO and RTO requirements. SaaS vendors cannot protect you from you — you need to establish RPO and RTO to recover from sync errors, administrator errors, and malicious actors who may corrupt or permanently delete your organization’s data.

Ransomware and Office 365 RTO

What makes this discussion of Office 365 RTO urgent is the staggering increase in the number of types of ransomware purpose-built to shut your organization out of not just email, but shared documents and files such as those in OneDrive for Business and SharePoint Online. The cost of ransomware is also non-trivial — damage is forecast to hit $11.5B by 2019. For more on ransomware vectors and attacks, read this blog post.

Action steps to take today

If your organization is using Office 365, your teams should set time for the following actions:

  1. Review current RPO and RTO to ensure they reflect what serves your organization best when recovering SaaS data.
  2. Assess the potential impact of ransomware and your organization’s current ransomware response plan.
  3. Test your current recovery approaches for adequate RTO of Office 365 mail, data and files.

It’s vital to have tested processes in place to protect critical data before an attack happens. Many ransomware attacks are not preventable — system vulnerabilities will be exploited, and if you are attacked, there is no guarantee your data will be recoverable. When building your RPO and RTO plan, layered protection should include proven backup solutions such as Spanning Backup for Office 365 that can restore critical data to the last-known-good version before the attack occurred.

Why You Need SaaS Backup