Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
Recovery Capacity Objective: A New Metric for Business Continuity and Disaster Recovery Planning
Business continuity and disaster recovery planning professionals rely on well-known metrics that are used to drive planning of emergency operations procedures and continuity of operations procedures. These metrics are:
- Maximum Tolerable Downtime (MTD) – This is an arbitrary time value that represents the greatest period of time that an organization is able to tolerate the outage of a critical process or system without sustaining permanent damage to the organization’s ongoing viability. The units of measure are typically days but can be smaller (hours, minutes) or larger (weeks, months).
- Recovery Point Objective (RPO) – this is a time value that represents the maximum potential data loss in a disaster situation. For example, if an organization backs up data for a key business process once per day, the RPO would be 24 hours. This should not be confused with recovery time objective.
- Recovery Time Objective (RTO) – This is a time value that represents the maximum period of time that a business process or system would be incapacitated in the event of a disaster. This is largely independent of recovery point objective, which is dependent on facilities that replicate key business data to another location, preserving it in case the primary location suffers a disaster that damages business data.
- Recovery Consistency Objective (RCO) – Expressed as a percentage, this represents the maximum loss of data consistency during a disaster. In complex, distributed systems, it may not be possible to perfectly synchronize all business records. When a disaster occurs, often there is some inconsistency found on a recovery site where some data is “fresher” than other data. Different organizations and industries will have varying tolerances for data consistency in a disaster situation.
In my research on the topic of business continuity planning and disaster recovery planning, I have come across a standard metric that represents the capacity for a recovery system to process business transactions, as compared to the primary system. In professional dealings, I have encountered this topic many times.
A new metric is proposed that would establish and communicate a recovery objective that represents the capacity of a recovery system:
- Recovery Capacity Objective (RCapO) – Expressed as a percentage, this represents the capacity of a recovery process or system as compared to the primary process or system.
Arguments for this metric:
- Awareness - The question of recovery system capacity is not consistently addressed within an organization or to the users of a process or system.
- Consistency - The adoption of a standard metric on recovery system capacity will facilitate adoption of the metric.
- Planning - The users of a process or system can reasonably anticipate business conditions should a business process or system suffer a disaster that results in the implementation of emergency response procedures.