If I have an RTO for a system of 1 hr and the RPO as per backup data by IT is 4 hrs how would I rationalise the RPO? I know the business would have to suggest a suitable RPO..but how can it be rationalized? Is there a particular formula to use or ?
Answer: Basically the RPO means a volume of data stored/processed in a time frame before the occurrence of a disruption that the organization accepts to lose. For example, if you have a RPO of 4 hours, it means the organization accepts to lose stored/processed data in the last 4 hours before the disruptive incident.
Since the variables to evaluate such loss will depend of the business process evaluated, there is no general formula to apply (e.g., for a sales website the number of transactions lost can be a parameter, and for a cloud storage service the volume of data lost can be the parameter). The way to rationalize RPO is by assessing the damage for different amount of data loss - then they will be able to recognize what is acceptable and what is not.