Garry Poole explains why RPOs are a vital tool for persuading senior management to invest in a business continuity programme.
Business continuity staff clearly understand the importance of Recovery Time Objectives, i.e. “the target time set for resumption of product, service or activity after an incident” (Draft BS 25999-1 “Code of Practice for Business Continuity Management”). However, how many, particularly those who are new to the subject, fully understand not only the meaning but the immense significance of the term ‘Recovery Point Objective’? Recovery Point Objective (RPO) means “The point in time to which work should be restored following a business continuity incident that interrupts or disrupts an organisation” (PAS 56 2003 ‘Guide to BCM’). How many business continuity managers realise that this definition is a key step towards the Holy Grail many of them are seeking, i.e. how to persuade their senior management to invest in a business continuity programme?
Why? Because most modern organisations depend upon their technological infrastructure, and understanding RPOs can greatly assist in optimising technological expenditures. When the term RPO is applied to data it can be interpreted to mean “the point in time to which data should be recovered following a business continuity incident”. Why is this significant? Let’s look at three scenarios:
* Two young children use their home computer to play games, surf the Internet, instant message friends etc. Unfortunately the computer breaks down. They plead with their parents for several weeks and eventually the parents buy them a new one. When the new computer arrives they load up their games and start surfing and messaging again. The last backup of the old computer was taken by their parents six months ago. The six-month-old backup is loaded onto the new computer and the kids are not too upset to find that some information they had stored has been lost. So, let’s say for simplicity their RPO was zero, i.e. they didn’t have one. It should be noticed that no time or money was spent by them or their parents other than on the first backup disc that was purchased six months ago and the time to complete the backup. We could say they have ‘Zero RPO’.
* A young entrepreneur is running a SOHO (Small Office / Home Office) business with several staff. At the end of every day’s business they use an Internet system to undertake a backup of the critical data on their computers and store it encrypted in a secure data centre away from the risks surrounding their office. The data is also stored in a backup data centre in another geographic location. They pay a relatively small sum of money for this service which supports their RPO of recovering critical data to its point at close of business. We could call this an example of ‘Close of Business RPO’.
* A group of City financial traders cannot afford to lose any critical data connected with their trades for financial regulatory and commercial reasons. Some of their data is so highly critical to them that, if their systems fail, the data must be restored exactly to the point where it was when the failure occurred. In order for this to be achieved they have a very sophisticated and highly resilient storage area network (SAN). They have to budget for the operation and maintenance of this SAN, which is critical to the future of their business. We could call this an illustration of ‘Point of Failure RPO’.
During a business continuity programme it should be determined, across the critical activities of an organisation, where on the scale from Zero RPO to Point of Failure RPO the RPOs for the critical data reside. This information then becomes a key component of an organisation’s risk appetite and assists in deciding the amount of money an organisation is prepared to spend on resilience.
As data storage requirements continue to grow, these questions will become increasingly important for business continuity managers. Store too much data and the organisation could be crippled by the associated costs; store too little and an unforeseen impact could have mission critical consequences. The generalist business continuity professional will need to work closely with technology specialists to solve this complex problem, i.e. how much an organisation should spend on its data storage and the resilience of associated systems. Understanding RPOs is absolutely vital in this context. However, we must not forget that other key factors have to be taken into account when building our cost model, such as how long we need to store data, what level of security is needed and how quickly the data needs to be recovered.
Finally, it should be noted that the above discussion relates the term Recovery Point Objective to data, but RPO also applies to physical processes. In this instance, the term can simply be explained by analogy to an incident involving cooking a dessert cake. Halfway through cooking, power fails for an hour. The chef would not just leave the dessert to continue to cook after power is restored but would put fresh mix in the oven before continuing. So in simple terms his/her Recovery Point Objective was the ‘Beginning of recipe’. The same frequently applies to manufacturing processes such as producing food products and drugs. Furthermore, understanding RPOs in these instances is critical to safety.
Author: Garry Poole FBCI BA Hons, managing director of Automata.
• Date: 14th July 2006 • Region: World • Type: Article • Topic: Selling to the board