RPO and RTO: What’s the Difference?

March 07, 2022

RPO and RTO play unique roles within backup and disaster recovery services, helping businesses measure the ideal amounts of time that they need to back up critical data and recover from incidents that cause outages.

Here’s a quick rundown of what both of them accomplish, how they fit into a recovery plan, and what businesses can do to shorten them in order to retain more data during downtime from a cybersecurity incident.


Recovery time objective (RTO) and recovery point objective (RPO) are two measurements of time within a company’s cybersecurity incident response. Both help determine how prepared an organization is to identify, respond to, and recover from a security event. They also help measure downtime and its impact on business operations.

What is the Meaning of RPO?

RPO is the amount of time between the last recorded data backup and the start of a breach; in other words, the maximum window of recent data that may not be restorable.

For example, if an organization with an RPO of 10 minutes experiences a breach 5 minutes after the last backup, 5 minutes of new or updated data will be lost.

What is the Meaning of RTO?

RTO is a number an organization sets as the maximum amount of downtime it is able to withstand after an incident. Downtime can cost businesses thousands or millions of dollars, so it’s important to reduce the amount of downtime (RTO) as much as possible.

An RTO is chosen by considering how often you back up data, how much data you collect, the importance of the data, and other factors.

In other words, how long can an organization go without recovering from a disruption before the impact becomes too large?

The Difference Between RPO and RTO

Essentially, an RPO represents how frequently you back up data, and an RTO represents how long until you must recover after an incident. Ideally, both numbers are small, meaning you back up data as often as possible and are back up and running very quickly and without major losses.

RPO and RTO in Disaster Recovery

Within a disaster recovery strategy, RPO and RTO help determine how long your organization will experience downtime after an incident and how much data could be lost. Part of establishing an effective recovery plan is determining the ideal RPO and RTO for your organization.

The average cost of downtime is $5,600 per minute. But because so many variables are involved, downtime can cost some businesses up to $540,000 per hour.
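The following added example (not from the original article) checks a backup history and one incident against RPO and RTO targets. The 10-minute RPO and the $5,600 per minute figure come from the text above; the backup timestamps, the 60-minute RTO, and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: completion times of successful backups.
BACKUPS = [datetime(2022, 3, 7, 9, m) for m in (0, 10, 20, 45, 55)]
COST_PER_MINUTE = 5600  # average downtime cost quoted in the article (USD)


def worst_backup_gap(backups):
    """Largest interval between consecutive backups: the worst-case data loss."""
    ordered = sorted(backups)
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def assess_incident(backups, incident, restored, rpo, rto):
    """Compare one incident against the RPO and RTO targets."""
    earlier = [b for b in backups if b <= incident]
    if not earlier:
        raise ValueError("no backup exists before the incident")
    data_loss = incident - max(earlier)  # changes made since the last backup
    downtime = restored - incident       # outage length until service returns
    return {
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
        "downtime_cost": downtime.total_seconds() / 60 * COST_PER_MINUTE,
    }


if __name__ == "__main__":
    rpo = timedelta(minutes=10)  # RPO from the article's example
    rto = timedelta(minutes=60)  # assumed RTO target for illustration

    # A skipped run between 09:20 and 09:45 leaves a gap larger than the RPO.
    gap = worst_backup_gap(BACKUPS)
    print("worst gap:", gap, "- within RPO:", gap <= rpo)

    # Incident 5 minutes after the 09:10 backup, service restored at 09:55.
    result = assess_incident(
        BACKUPS,
        incident=datetime(2022, 3, 7, 9, 15),
        restored=datetime(2022, 3, 7, 9, 55),
        rpo=rpo,
        rto=rto,
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

The worst gap between backups, not the average interval, is what has to stay within the RPO: a single missed run can exceed the target even when every other backup is on schedule.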

How to Calculate an RPO or RTO

The “best” RPO or RTO depends on a few factors like how critical the data is to business operations and how up-to-date the data must be. For industries where information moves quickly, like retail where transactions happen frequently, you may need more backups; in slower industries you might be able to afford more time.

To dig deeper and learn more about what length of time you may need for an RPO or RTO, ask questions like:

  • How often does your data change?
  • What are you losing with each minute of downtime?
  • What does each minute of downtime cost in terms of money, productivity, services, etc.?
  • Can business still operate with these systems down?
  • How does downtime impact your customers?

Another variable to consider is your maximum tolerable period of disruption (MTPD), which is the amount of time your services can be down before it's unacceptable to your business. That can mean your employees can no longer do business or that your customers will become frustrated. Basically, how long can you go before business is heavily affected to the point of losing business?

How Often Should You Back Up Your Data?

Oftentimes, businesses must balance other factors when deciding on these numbers to determine an optimal choice and decide whether a larger investment in technology is needed. If the data an organization handles is less critical to business operations, a longer RPO and RTO may be OK. When data collection is necessary, and you must work with the most up-to-date information, it’s worth it to invest more in data security and backups.

In Conclusion

RPO and RTO both help businesses measure and understand the risks associated with backup and recovery from cybersecurity incidents and answer key questions like: how much data can you afford to lose and how long can your business withstand downtime before incurring losses?

If you want to learn more about RPO, RTO, or how to ensure your business is protected with an effective disaster backup and recovery strategy, contact a DOT Security representative today or check out our Insights Page to read more helpful content.