If a server failed right now and took your business systems offline, two questions would immediately matter more than anything else. First: how long can your business survive without those systems? Second: how much data can you afford to lose? The answers to these two questions define your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) — two numbers that should sit at the heart of every UK business's disaster recovery and business continuity planning.
Despite their critical importance, RTO and RPO remain poorly understood by many UK SMEs. Business owners and managers often discover these concepts for the first time during a disaster, which is precisely the wrong moment to be learning about them. This guide explains what RTO and RPO mean in plain language, why they matter, how to calculate them for your business, and how to build a backup and recovery strategy that meets your objectives.
What Is Recovery Time Objective (RTO)?
Your Recovery Time Objective is the maximum amount of time your business can tolerate being without a particular system, application, or service before the impact becomes unacceptable. It answers the question: how long can we be down?
RTO is measured from the moment the disruption occurs to the moment the system is fully restored and operational. It includes everything — the time to detect the problem, diagnose the cause, execute the recovery procedure, verify that the restored system is working correctly, and reconnect users.
Different systems within your business will have different RTOs. Your email system might have an RTO of 4 hours because your team can function briefly without email. Your customer-facing e-commerce platform might have an RTO of 1 hour because every minute of downtime means lost revenue. Your archive storage might have an RTO of 48 hours because the data is rarely accessed and its unavailability has minimal immediate impact.
What Is Recovery Point Objective (RPO)?
Your Recovery Point Objective is the maximum amount of data your business can afford to lose, measured in time. It answers the question: how far back can we go?
If your RPO is 24 hours, it means you can tolerate losing up to 24 hours of data. A nightly backup would satisfy this requirement — in the worst case, you would lose everything since the previous night's backup. If your RPO is 1 hour, you need backups running at least every hour. If your RPO is zero, you need real-time replication where every change is immediately copied to a secondary system.
Like RTO, different systems will have different RPOs. A database recording financial transactions might have an RPO of 15 minutes because losing even a small amount of transaction data creates serious problems. A file server used for general document storage might have an RPO of 24 hours because most documents can be recreated from other sources if necessary.
RTO looks forward from the disaster: how long until we are back up? RPO looks backward from the disaster: how far back do we go to recover? Together, they define the boundaries of acceptable impact. Everything inside those boundaries is tolerable. Everything outside them is a business-critical failure that your disaster recovery plan must prevent.
Why RTO and RPO Matter for UK Businesses
Understanding your RTO and RPO is not an academic exercise. These numbers directly determine the type of backup solution you need, the disaster recovery infrastructure required, and ultimately, the cost of protecting your business. Without defined objectives, you cannot make informed decisions about technology investments, and you risk either overspending on protection you do not need or underspending and leaving your business dangerously exposed.
For UK businesses specifically, RTO and RPO have regulatory dimensions. Under UK GDPR, organisations must implement appropriate technical and organisational measures to protect personal data. If a data loss or system outage affects personal data, the ICO will consider whether your backup and recovery measures were adequate relative to the risk. Having clearly defined and documented RTOs and RPOs demonstrates that you have thought carefully about data protection and business continuity.
How to Calculate Your RTO and RPO
Calculating RTO and RPO requires a structured assessment of your business operations. Here is a practical approach.
Step 1: Identify Your Critical Systems
List every system, application, and data set your business depends on. Include email, line-of-business applications, CRM, accounting software, file storage, databases, customer-facing websites, VoIP phone systems, and any specialist tools your industry requires.
Step 2: Assess the Business Impact
For each system, evaluate the impact of it being unavailable or losing recent data. Consider financial impact (lost revenue, recovery costs, penalties), operational impact (staff unable to work, orders unable to be processed), customer impact (service degradation, reputational damage), and regulatory impact (compliance breaches, reporting failures).
Step 3: Define Tolerances
Based on the impact assessment, define the maximum tolerable downtime (RTO) and maximum tolerable data loss (RPO) for each system.
| System | Business Impact of Downtime | RTO | RPO |
|---|---|---|---|
| Email (Microsoft 365) | High — communication disrupted | 4 hours | 1 hour |
| CRM / ERP System | Critical — core operations halted | 2 hours | 15 minutes |
| Accounting Software | High — financial processing stopped | 8 hours | 4 hours |
| File Server / SharePoint | Medium — productivity reduced | 8 hours | 24 hours |
| Company Website | Medium-High — customer-facing | 2 hours | 24 hours |
| VoIP Phone System | High — customer calls missed | 1 hour | N/A |
Matching Backup Solutions to Your Objectives
Once you have defined your RTO and RPO for each system, you can select backup and recovery solutions that meet those objectives. The tighter your requirements, the more sophisticated — and expensive — the solution needs to be.
RPO of 24 hours: A nightly backup to cloud storage is sufficient. Solutions like Azure Backup, Veeam, or Acronis can perform daily backups automatically. This is the most cost-effective option but means you could lose up to a full day of work.
RPO of 1-4 hours: You need backup jobs running multiple times per day. Most modern cloud backup solutions support this, though costs increase with backup frequency due to higher storage consumption and more compute resources required.
RPO near zero: Real-time or near-real-time replication is required. This typically involves database transaction log shipping, synchronous storage replication, or application-level replication. The cost is significantly higher but may be justified for critical systems where any data loss is unacceptable.
Signs Your RTO/RPO Strategy Is Working
- RTOs and RPOs are documented for every critical system
- Backup solutions are aligned to defined objectives
- Recovery procedures are documented step-by-step
- Regular recovery tests confirm objectives can be met
- Objectives are reviewed annually as the business evolves
Signs You Need to Act Now
- No defined RTOs or RPOs for any systems
- Backups are running but never tested
- No documented recovery procedures
- Last backup test was more than 12 months ago
- You are unsure what data would be lost in a disaster
The Cost of Getting It Wrong
The consequences of misaligned RTO and RPO are severe. If your actual recovery time exceeds your business's tolerance, the impact compounds with every passing hour. Staff sit idle, customers cannot be served, orders cannot be processed, and revenue stops flowing — while costs continue. For UK businesses, the average cost of IT downtime is estimated at £5,600 per hour, though this varies enormously by industry and company size.
Data loss can be even more damaging. Lost financial records create accounting nightmares. Lost customer data triggers UK GDPR reporting obligations and potential ICO enforcement action. Lost intellectual property may be irreplaceable. And the reputational damage of telling customers their data has been lost can take years to recover from.
Testing: The Step Most Businesses Skip
Defining your RTO and RPO and implementing backup solutions to meet them is only half the job. The other half — and the half that most UK businesses neglect — is testing. A backup that has never been tested is not a backup. It is a hope.
Regular recovery tests should verify that backup data is intact and can be successfully restored, that restoration completes within the defined RTO, that the restored system is fully functional (not just partially recovered), and that the amount of data loss falls within the defined RPO. Test at least quarterly for critical systems and annually for everything else. Document the results, and use any failures as learning opportunities to improve your recovery procedures.
Your business depends on technology, and technology will eventually fail. The question is not whether a disaster will happen, but when — and whether you are prepared for it. Defining your RTO and RPO is the first step towards genuine preparedness.
Define Your RTO and RPO with Expert Help
Cloudswitched helps UK businesses assess their disaster recovery requirements, define appropriate RTOs and RPOs, and implement backup solutions that meet those objectives. Do not wait for a disaster to discover your gaps.
GET IN TOUCH
CloudSwitched
Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.