MSP
SR/EN
Book an audit
Part of INTO d.o.o. · www.into.rsintomsp.com
// Backup

RTO and RPO: the two numbers that define your backup

24 June 2026 · 6 min read

Most companies think they have a backup — until the day they try to restore it. Two numbers tell you upfront what an outage will cost you and how much data you can afford to lose: RTO and RPO. If you don't know them, you're not choosing a backup solution — you're buying one blind.

RTO: how long you can stay down

RTO (Recovery Time Objective) is the maximum time a system can be unavailable before the business takes serious damage. If your ERP goes down on Monday morning, how many hours can the company run without it before invoicing, production or shipping grinds to a halt? That's your RTO.

  • An RTO of 4 hours means: the solution must bring the system back within 4 hours.
  • An RTO of 3 days means: you can use a cheaper solution, but you have to survive those three days.

The shorter the RTO, the more expensive the infrastructure — because fast recovery requires replication, "hot" standbys and automation.

RPO: how much data you can lose

RPO (Recovery Point Objective) is the maximum amount of data you can afford to lose, expressed in time. If a backup runs once a day at midnight and the system fails at 4 p.m., you've lost 16 hours of work. In the worst case, that's an RPO of 24 hours.

  • An RPO of 15 minutes → backup or replication every 15 minutes.
  • An RPO of 24 hours → a daily backup is enough.

The question for an owner is simple: how many hours of entered data — invoices, orders, records — can you lose without it being a catastrophe?

Why these two numbers change the price

Backup isn't one product, it's a spectrum. RTO and RPO determine where on that spectrum you land:

  • Daily backup to disk → cheap, RPO around 24h, RTO from hours to days.
  • Multiple backups per day + fast restore → mid-range, RPO in hours, RTO in hours.
  • Real-time replication + automatic failover → expensive, RTO and RPO in minutes.

There's no "best" backup — there's the one that hits your RTO and RPO at a price your actual risk justifies.

How to set your own numbers

Don't guess — derive them from the business:

  • Calculate what one hour of downtime costs you: lost revenue, wages for people who can't work, missed deliveries. That defines your RTO.
  • Estimate how much manual re-entry of data you can tolerate. That defines your RPO.
  • Different systems carry different numbers: an ERP and its database might demand a one-hour RPO, while a file server can tolerate 24 hours.

Asking for a single RTO/RPO for the whole company is a mistake. Sort systems by criticality and give each its own number.

A backup you haven't tested doesn't exist

The most common failure isn't the absence of a backup, but the assumption that it works. A backup you've never restored is an unknown quantity:

  • Test the restore regularly — not just whether the "job passes" without errors.
  • Keep a copy off-site, following the 3-2-1 rule: three copies, two different media, one off premises.
  • Make sure the backup covers identities and cloud services too (e.g. Microsoft 365), not just local files.

RTO and RPO are business decisions, not technical ones. Tell them to your IT partner before anyone mentions a specific product — and backup stops being a blind expense and becomes a measured insurance policy whose cost you can justify.

← All resources