After risk assessment, your company assigned you to prepare a disaster recovery plan to handle the identified disasters. A hot site, warm site, and cold site are common alternatives to the primary site. You are considering the backup site alternatives when preparing the disaster recovery plan. Which of the following will be your most concern?
A. Risk Appetite
B. Management Buy-in
C. Maximum Tolerable Downtime
D. Recovery Time Objective
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Recovery Time Objective.
The following is my justification:
- Goals or objectives drive the planning processes.
- Maximum Tolerable Downtime (MTD) is the business requirement that dominates the objectives of disaster recovery planning (DRP), Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
- RTO and RPO drive DRP. The decision of the recovery site is part of DRP and should be driven by the RTO.
- RTO must not exceed MTD.
- If a critical business process with 24 hours of MTD, the RTO of the underlying information system(s) must not exceed the MTD, 24 hours.
- If the IT department commits to recovering the information system(s) within 16 hours, the RTO is 16 hours. The information system(s) must be recovered within 16 hours (RTO).
- The decision of the recovery site is the most critical factor that affects the recovery speed of the information system(s). That’s why RTO is the most concern.
- Risk Appetite is developed in the context establishment stage
- Context establishment is the first step in risk management processes.
- The risk assessment has been completed, and you are assigned to handle the risk, that implies the risk management program is kicked off and the risk appetite is developed.
- According to COSO, risk appetite is defined as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”.
- Management buy-in means the management accepts or supports something. e.g. idea, initiative, proposal, or solution.
- The risk management program has been kicked off. It provides evidence that management buy-in is not a problem.
- Since you are assigned to handle the risk/disaster, it demonstrates the management buy-in.