
If you’ve ever had to recover data after something went wrong, you’ll know how quickly a gap in your backup strategy can turn into a very costly problem. The two metrics at the heart of any solid backup and recovery plan are RPO and RTO — and understanding both is especially important when your business depends on SaaS tools like Microsoft 365 or Google Workspace to keep things running day to day.
This article breaks down what RPO and RTO actually mean, why they matter more than most businesses appreciate, and how to set targets that genuinely reflect your risk.
What Is RPO (Recovery Point Objective)?
Your RPO is essentially the answer to this question: how much data can your business afford to lose?
More precisely, it is the maximum age of the data you can tolerate losing: the longest acceptable interval between the last restorable copy of your data and the moment of an incident. If your RPO is four hours, you are accepting that up to four hours of work may be gone for good. If it is 15 minutes, you need near-continuous backup or replication.
Think of it this way: if a ransomware attack hits at 3pm and your last backup ran at 9am, you’ve lost six hours of data. Whether that’s acceptable depends entirely on what your business was doing in those six hours.
What Is RTO (Recovery Time Objective)?
Your RTO answers a different question: how long can your business afford to be without access to a system or data?
It’s the maximum acceptable length of downtime after an incident — the point at which disruption becomes damaging enough to threaten revenue, operations, or client relationships. An RTO of two hours means your systems need to be back up and running within two hours of a failure.
RPO bounds how much data you lose; RTO bounds how long you are down. Both are expressed in time, but they are set and met by different mechanisms: RPO by how often you take a restorable copy, RTO by how quickly you can restore from it and bring the service back. They are not always aligned. A business might have a low RPO (very little data loss acceptable) but a higher RTO (willing to wait longer for a full recovery), or the other way around. The balance depends on the system and the business.
Why SaaS Doesn’t Solve This For You
This is where a lot of businesses get caught out. Many assume that because they’re using a cloud platform, their data is automatically backed up and recoverable. That’s not quite how it works.
SaaS providers are responsible for keeping their service available. They are not responsible for preserving your data in a form you can restore. If you accidentally delete a file, if a disgruntled employee wipes a shared drive, or if ransomware corrupts your environment, the native options are typically a recycle bin or a retention window measured in days or weeks, after which the data is simply gone.
We cover this in detail in our Microsoft 365 backup guide, and it’s a point worth repeating: SaaS is not a backup strategy.
For this reason, setting clear RPO and RTO targets for your SaaS environment is essential — and then making sure your actual backup solution can genuinely meet those targets.
Why These Numbers Matter More Than You Think
According to the UK Government’s Cyber Security Breaches Survey, the majority of UK businesses that experience a cyber incident report it disrupting their operations. The financial toll of downtime, data loss, and recovery can run into tens of thousands of pounds — sometimes more — depending on the size of the business and the systems affected.
Beyond the direct financial cost, there’s also a regulatory dimension. Under UK GDPR, you’re required to report certain personal data breaches within 72 hours of becoming aware of them. The ICO has issued substantial fines to UK businesses that failed to handle data incidents properly. Your recovery targets aren’t just an IT consideration — they carry legal weight too.
This is why RPO and RTO decisions should involve the whole business, not just your IT team.
How to Set RPO and RTO Targets That Fit Your Risk
Start with your most critical systems
Not every SaaS tool carries the same weight. Your CRM, email platform, and finance software likely need a much lower RPO and RTO than, say, an internal project management tool used for non-urgent tasks.
Map your systems and rank them by business impact. What would happen if you lost four hours of CRM data? What if your email was down for half a day? Getting answers to these questions from people across the business — not just IT — will give you a much clearer picture of where your targets should sit.
Consider your regulatory environment
If you operate in financial services, legal, healthcare, or any other regulated sector, you may have external requirements that effectively cap your RPO and RTO at a maximum permissible value. Compliance frameworks can also mandate minimum backup retention periods and recovery testing schedules.
If your business has offices across Europe, this adds another layer. Different data residency requirements across jurisdictions can affect how and where your backups are stored. Working with a provider that offers European IT services across multiple locations can help you meet these obligations without creating inconsistency in your recovery posture.
Test your RTO against real-world scenarios
One of the most common mistakes businesses make is setting an RTO on paper without ever testing whether they can actually meet it. You might assume your team can restore access to Microsoft 365 within two hours, but if you’ve never run that recovery scenario, you simply don’t know.
Testing matters — and it’s often where businesses discover the gaps in their approach. Our article on cloud-to-cloud backup mistakes goes into some of the errors that make recovery slower and more complicated than it needs to be.
Account for human error, not just technical failure
Ransomware and hardware failures get a lot of attention, but accidental deletion is one of the most common causes of data loss in SaaS environments. This exposes a second number that RPO alone does not capture: retention. Your RPO governs how often you take a copy; your retention period governs how far back you can reach for one. Data is often deleted or corrupted some time before anyone notices. If your backup retains 30 days of restore points but the deletion happened six weeks ago, no RPO target will help you, because the copy you need has already aged out.
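The checks described in the RPO and RTO definitions above, the "Test your RTO" point, and the retention point just made can be turned into something you can run against your own backup history. The following is an added example and not code from the original article or from any backup product; the system names, targets, timestamps and the run log are all constructed for illustration. Its main lesson is that the RPO you actually achieve is the largest gap between successful restore points, not the schedule you configured: a single failed run silently doubles it.

```python
"""
Added example, not code from the original article: given per-system RPO/RTO/retention
targets and a log of backup runs, work out the data loss you would actually suffer at
the worst moment and whether the retention window reaches back far enough. All system
names, targets and the run log are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Target:
    name: str
    rpo: timedelta        # maximum tolerable data loss, as the age of the last good copy
    rto: timedelta        # maximum tolerable downtime
    retention: timedelta  # how far back a restore point must still exist


@dataclass(frozen=True)
class BackupRun:
    system: str
    finished: datetime
    ok: bool              # a failed run leaves no restore point


def worst_case_loss(runs: list[BackupRun], now: datetime) -> timedelta | None:
    """Largest gap between consecutive successful restore points, including the gap
    from the newest one to `now`. An incident landing just before the next backup
    completes loses that much data; this, not the schedule, is the achieved RPO."""
    good = sorted(r.finished for r in runs if r.ok)
    if not good:
        return None
    points = good + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def check_targets(targets: list[Target], runs: list[BackupRun], now: datetime = NOW) -> dict[str, list[str]]:
    """Return a list of problems per system; an empty list means the targets are met."""
    findings: dict[str, list[str]] = {}
    for t in targets:
        mine = [r for r in runs if r.system == t.name]
        problems = []
        loss = worst_case_loss(mine, now)
        if loss is None:
            problems.append("no successful backup exists")
        elif loss > t.rpo:
            problems.append(f"worst-case data loss {loss} exceeds RPO {t.rpo}")
        oldest = min((r.finished for r in mine if r.ok), default=None)
        # Deleted-but-unnoticed data can only be restored if a point that old is still retained.
        if oldest is not None and now - oldest < t.retention:
            problems.append(f"oldest restore point is {now - oldest} old, retention target {t.retention}")
        findings[t.name] = problems
    return findings


def rto_met(target: Target, incident_at: datetime, restored_at: datetime) -> bool:
    """Result of a recovery drill: True only if the measured restore time is within RTO."""
    return restored_at - incident_at <= target.rto


def _history(system: str, every: timedelta, span: timedelta, failed_at=()) -> list[BackupRun]:
    """Constructed run log: one run per `every` over `span`, newest at NOW."""
    n = int(span / every)
    return [BackupRun(system, NOW - k * every, ok=(NOW - k * every) not in failed_at)
            for k in range(n + 1)]


TARGETS = [
    Target("crm",      rpo=timedelta(hours=1),  rto=timedelta(hours=2),  retention=timedelta(days=90)),
    Target("email",    rpo=timedelta(hours=4),  rto=timedelta(hours=4),  retention=timedelta(days=180)),
    Target("projects", rpo=timedelta(hours=24), rto=timedelta(hours=48), retention=timedelta(days=30)),
]

RUNS = (
    # hourly for 100 days, but the 10:00 run today failed: the real gap is two hours
    _history("crm", timedelta(hours=1), timedelta(days=100), failed_at={NOW - timedelta(hours=2)})
    # every four hours, all successful, but only 60 days of history retained
    + _history("email", timedelta(hours=4), timedelta(days=60))
    # daily for 45 days, all successful
    + _history("projects", timedelta(hours=24), timedelta(days=45))
)

if __name__ == "__main__":
    for system, problems in check_targets(TARGETS, RUNS).items():
        print(system, "OK" if not problems else "; ".join(problems))
    # A constructed drill: the CRM restore took three hours against a two-hour RTO.
    print("crm drill met RTO:", rto_met(TARGETS[0], NOW, NOW + timedelta(hours=3)))
```

Run against a real export of your backup product's job history, the useful output is the list of systems whose achieved RPO or retention falls short of the target leadership signed off on; the drill result should come from an actual timed restore, not from an estimate.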
This is also why layering in a dark web monitoring service adds real value: by detecting compromised credentials early, you shorten the window in which an attacker can sit quietly inside your environment before causing visible damage, and so the distance back in time your backups need to reach.
Make it a business decision, not just an IT setting
Recovery targets should be signed off by senior leadership, not buried in your backup software configuration. Finance needs to understand the cost implications of downtime. Operations needs to confirm what’s truly mission-critical. Legal needs to consider compliance risk.
If you’re managing this across a wider organisation with multiple offices or regions, working with a provider of multinational IT support can significantly ease the coordination effort and keep your recovery planning consistent across the board.
Common Mistakes to Avoid
- Setting the same RPO and RTO for everything — not every system is equal. Blanket targets waste money on low-priority tools and under-protect the ones that really matter.
- Not reviewing targets when the business changes — if you’ve added new SaaS tools, expanded into new markets, or taken on larger clients, your risk profile has changed. Your recovery targets should reflect that.
- Choosing a backup solution before defining your targets — it should work the other way around. Define your RPO and RTO first, then find a solution that can meet them.
- Overlooking transitions — if you’re moving between platforms, your platform migration provider should ensure backup coverage applies to both the old and new environments throughout the process, not just one or the other.
- Assuming your cloud-to-cloud backup is set up correctly without reviewing it — configuration errors are common and can silently undermine your ability to recover when you need to.
Google Workspace Users: The Same Rules Apply
It’s easy to assume that Google’s infrastructure makes data loss unlikely. But the same principles apply. If your business runs on Google Workspace, you need a backup strategy that maps to your RPO and RTO. We’ve covered this in our Google Workspace backup article for anyone who’d like to explore this in more depth.
Pulling It All Together
Your RPO and RTO aren’t a one-time decision. They’re an ongoing conversation between IT and the rest of the business, and they need to evolve as your organisation grows, your SaaS footprint expands, and the regulatory landscape shifts.
The businesses that get this right are the ones that treat backup and recovery as part of a broader risk management strategy — not an afterthought. If your current SaaS backup approach doesn’t have clearly defined recovery targets, or if you’re unsure whether your backup can actually meet the targets you’ve set, that’s worth addressing sooner rather than later.
For businesses with teams in multiple locations, this becomes even more complex. That’s why many organisations turn to providers of multinational IT support to coordinate recovery planning across different regions and regulatory environments. Similarly, it’s worth confirming whether your Microsoft 365 support provider in London (or wherever you are based) includes backup and recovery as part of your agreement; it is often not included as standard.
And don’t underestimate the value of prevention. Reducing the frequency of incidents in the first place, through anti-phishing tooling and user training, means you’re less likely to need your recovery plan at all.
Frequently Asked Questions
What is the difference between RPO and RTO? RPO (Recovery Point Objective) defines how much data you can afford to lose, measured in time. RTO (Recovery Time Objective) defines how long you can afford to be without access to a system. Both need to be defined for each critical system individually, not applied as a single figure across your entire IT environment.
Does Microsoft 365 automatically back up my data? Not as standard. Microsoft keeps the service available and provides recycle bins, versioning and retention policies, but these have limited windows and are not a point-in-time backup you control. Deleted files, corrupted mailboxes, and accidental overwrites can all become permanent data loss once those windows expire unless a separate backup solution is in place.
How often should RPO and RTO targets be reviewed? At a minimum, review them annually. You should also revisit them whenever there’s a significant change to the business — such as adopting a new SaaS platform, expanding into new markets, or taking on clients with specific compliance requirements.
What’s a realistic RPO for a small to mid-sized UK business? It depends entirely on the system. For email and CRM, many businesses target an RPO of between one and four hours. For lower-priority tools, 24 hours may be perfectly acceptable. The key is to base targets on business impact rather than what’s technically easiest to achieve.
What happens if I don’t meet my RTO during a real incident? If your actual recovery takes longer than your defined RTO, the consequences depend on your business. These can include missed SLAs with clients, regulatory breaches, revenue loss, reputational damage, and in some cases, legal liability. This is exactly why testing your recovery process before an incident occurs is so important.
Ready to Get Your Recovery Targets Right?
If you’re not confident that your current SaaS backup strategy maps to your actual recovery objectives — or if you’ve never formally defined your RPO and RTO at all — now is a good time to change that.
Northern Star has been helping UK businesses build more resilient IT environments for over 16 years. Whether you need guidance on backup strategy, SaaS recovery planning, or wider IT support, our team is happy to have a straightforward conversation about where you are and what would genuinely help.
Get in touch with our team today — no pressure, just a practical conversation about your needs.