Business continuity metrics: How much can you afford to lose?

It could be your worst nightmare. A server overheats, starting a fire that consumes your computer room before the sprinkler system kicks in and completes the disaster process. You've lost facilities, hardware, network and data. Now what?

There are four primary assets needed to effectively operate an information system: facilities, hardware, network and data. In the event of a disaster, hardware and networks can be replaced, and facilities can be moved to a new location. In fact, with the exception of data, almost every company asset can be replaced. Therefore, your top priority should be to protect the asset that's most at risk and hardest to replace: your data.

Data loss can result from any number of factors, such as:

  • Human error

  • Operating system or application software bugs

  • Hardware failure

  • Fire, smoke or water damage

  • Power outages

  • Employee theft or fraud

  • Man-made disasters such as sabotage, hacking or viruses

  • Natural disasters such as earthquakes or hurricanes

For today's organizations, the loss of their most important corporate asset can have a huge negative impact in real dollars, lost opportunity, customer dissatisfaction, shareholder insecurity and overall corporate image. Regardless of the cause, data disruption and loss pose a significant risk for any business.


Businesses need to strike a balance between the level of business risk they can tolerate and the cost of perfect security. Initially, all businesses would say they can't afford to lose any data and they can't tolerate any downtime. But protection on that scale is probably cost-prohibitive and overzealous. It's unlikely that all applications are equally mission-critical and all systems are equally vital. That's where metrics like RTO and RPO enter the discussion.

IDC research determined that 98% of all companies are adversely affected by unscheduled downtime. This speaks directly to the need for recovery time objectives (RTO) to guide your company when disruptions occur. Proven and tested RTO metrics will give you confidence in how quickly you can recover critical systems and be back in business serving customers.

In addition, Gartner Inc. research found that 93% of organizations that have experienced a significant data loss are out of business within five years. This research confirms the need for recovery point objectives (RPO). Once your company's systems are back online after a disaster, your RPO standards help keep data loss to a minimum.

Business continuity plans start by determining the RTO and RPO for a particular company's applications. The relative importance of RTO and RPO is different for every organization. For example, an e-commerce Web site may tolerate a higher RPO than RTO, because while the business cannot afford to be off-line, orders that end up backlogged may not affect the customer experience as negatively. A financial services firm, however, would likely have close to zero RTO and RPO because not only does it need to be up and running quickly, but also the large majority of financial services firms store most of their files electronically. Brokers, for example, need immediate access to their up-to-date files so the business can move forward serving and handling transactions on behalf of its clients.

Four key components for RTO/RPO

After determining your organization's RTO and RPO, it's time to make sure you've got a backup and recovery solution that supports them. Businesses should look for a solution that incorporates the following four components:

No. 1: Continuous backup

Only half of U.S. businesses perform some form of data backup, and surveys find that these businesses don't always do an adequate job. Because some organizations have limited or no IT staff to handle backup, they perform bulk server backup sporadically, use traditional tape for backup and typically perform the task after business has closed for the day.

That means that if a virus, fire, power outage, natural disaster or human error results in the need to restore data, the most recent data that companies can expect to recover is from the previous night. How can you eliminate this window of vulnerability? Ask your provider for continuous backup that allows data to be captured as it is changed -- essentially in real time -- so that whenever there is a change in a file, it is captured and protected immediately.

No. 2: Automatic off-site storage

Even if your business is rigorous about backup and you're sure you have at least last night's data available to recover, are you equally rigorous about ensuring that the tape is safely stored in an off-site location? Perhaps you invest in scheduling the time to backup, physically remove tapes and arrange for pickups by a third party to transport your tapes to a remote vault. But more likely your company doesn't make these investments. Look for a service that provides safe and accessible data vaulting and that transmits the data via the Internet, so physical damage to tapes is avoided entirely and the data is immediately available for system recovery.

No. 3: Immediate recovery

Recovery is the process of restoring operations and specifically, data, after an outage or disaster. It's an obvious point, but often overlooked: Being able to immediately recover data is critical to ensuring business continuity. Online services provide a means of recovering data immediately from any Web interface. Look for a service that offers this level of convenience and control.

No. 4: The guarantee

There are very few, if any, guarantees in the IT world, especially when considering disaster recovery preparedness. Backup and recovery software vendors will have RTO and RPO ranges within their service-level agreements, but none will provide an absolute guarantee because there are too many elements outside of their control, such as tape quality or the ability of the internal IT staff.

Online backup and recovery services, however, are able to provide the luxury of a guarantee because the entire process is managed by experts at the service provider, and the technical components of the service are fully automated. When evaluating any backup and recovery solution provider, make sure to ask if they guarantee the recovery, rather than just the backup, of data.


When most companies formulate business continuity plans, the first concern is typically how fast they can get their business running again. While this is a critical concern, it's only half of the recovery equation. The second part of a recovery plan needs to focus on the amount of data the organization can afford to lose.

Establishing business continuity metrics such as RTO and RPO is critical in business continuity planning. Devoting attention to RTO and RPO is the only way to guarantee your organization will still be able to operate in the event of a disaster. After all, when it comes to disaster recovery planning, do you want your business up and running quickly, but operating with data that's a week or even a day old?

Bob Cramer is CEO of LiveVault, a provider of managed online server backup, vaulting and recovery services in Marlboro, Mass. He can be reached at

Copyright © 2004 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon