Terms such as RTO, RPO and MTPD are thrown up during any discussions around Business Continuity management (BCM) and in general about Risk management. I often wondered how well the term RPO is understood and agreed in terms of the definition and context.
Let me narrate a unique experience of mine that could prove to be of immense use to at least some of the readers:
My quest for understanding RPO in a logical, contextual and consistent fashion started few months ago. During one of our internal ‘brainstorming’ sessions, a colleague pointed out that:
- RPO is not or should not be specific to, and limited to data alone and
- itshould be applied to various other aspects like knowledge, process, and activity etc.
At that moment, I couldn’t agree with him. To be honest, I was a bit confused and what I have read, been taught and practiced all the while was being challenged.
I had been feeding my brain with the notion that RPO helps in determining “data loss tolerance“. After this debate, somewhere in the back of my mind, I was skeptical that I may be (or rather what I understood so far might be) wrong.
My colleague’s thoughts and arguments prompted me to research further on the topic. I did a quick search on Google. Top 10 results including Wikipedia were in my favor. All these sites were voicing more or less the same opinion: i.e. RPO refers to “data recovery” or “data loss”.
But, I was not convinced, andcontinued my research to understand RPO better. With an open mind, I started going through definitions provided by global standards and guidelines such as BS 25999, ISO/IEC 22301:2012, BCI GPG 2013 and PAS 56 etc.
Examples of what I found:
Definition for RPOas per ISO/IEC 22301:2012:“point to which information used by an activity must be restored to enable the activity to operate on resumption”.
According to PAS 56, the definition for RPO: “The point in time to which work should be restored following a business continuity incident that interrupts or disrupts an organization”
Strangely, none of the above has referred anywhere that RPO is specific to data or rather sited any references to data. Slowly and surely, I reached a state where I had to correct my understanding of the definition of RPO.
This is what I learned:
ISO/IEC 22301:2012 definition of RPO do stress on “information used by an activity”. However, in my opinion, Information is a very broad term. Information can be in various forms such as data, knowledge, processes, activities and actions.
Hence, during RPO analysis it is important that we consider all forms of information, rather than limiting to data alone.
Let me site an interesting example, (which I have come across during my net research – with due credits where applicable) supporting my understanding of RPO, and conclude this discussion:
Let us assume that a Chef/Baker is preparing a cake.
He completes all the initial activities such as collecting of raw material, cleaning, measuring and mixing. His next activity is about to bake the mixed content in the oven for an hour.
At this instant, power fails for 4 hours.
The Chef would not just leave the cake to continue to cook after power is restored but would put fresh mix in the oven before continuing. So in simple terms his/her Recovery Point Objective was the ‘Beginning of baking’ and he need all the know-how, specific requirements for the cake, raw materials, the equipment’s etc to be recovered/restored, in order to continue with his ‘business’.
The same logic frequently applies to manufacturing processes such as producing food products and drugs.
And yes, I couldn’t find”data” in the above example? Did you?
Please share your thoughts.