Module 41: Disaster Recovery Management (DRM)
Controls reduce likelihood.
Disaster Recovery reduces impact.
Disaster Recovery Management ensures that:
- Critical systems can be restored
- Data loss is minimized
- Downtime is limited
- Business operations can resume
- Risk exposure remains within tolerance
DRM focuses on availability and resilience.
CRISC evaluates alignment between recovery capability and business impact.
What the exam is really testing
When DRM appears, CRISC is asking:
- Are RTO and RPO aligned with business requirements?
- Is recovery strategy proportionate?
- Are plans tested?
- Are roles clearly defined?
- Is resilience integrated into architecture?
- Are recovery risks escalated appropriately?
CRISC favors structured alignment — not maximum redundancy.
Key concepts
Recovery Time Objective (RTO)
Maximum acceptable time to restore a system after disruption.
If actual recovery exceeds RTO → tolerance breach.
Recovery Point Objective (RPO)
Maximum acceptable data loss measured in time.
Example: 4-hour RPO means up to 4 hours of data may be lost.
Maximum Tolerable Downtime (MTD)
Maximum time a business process can be disrupted before severe impact.
RTO must be less than or equal to MTD.
CRISC frequently tests RTO vs MTD alignment.
Disaster recovery vs business continuity
Disaster Recovery: IT systems restoration
Business Continuity: maintaining critical business operations
DR is a component of BC.
CRISC may test whether candidates confuse the two.
Recovery strategies
Common recovery strategies include:
- Backup & restore
- Cold site
- Warm site
- Hot site
- Active-active redundancy
- Cloud failover
- Replication
Higher resilience = higher cost.
CRISC tests proportionality.
Example scenario
A system has an MTD of 24 hours. The organization defines an RTO of 48 hours.
Primary issue?
A. Strong resilience
B. Misalignment between RTO and business tolerance
C. Excessive mitigation
D. Weak inherent risk
Correct answer:
B. Misalignment between RTO and business tolerance
RTO must align with business tolerance.
Slightly harder scenario
A critical financial reporting system has an RPO of 24 hours due to cost constraints. Regulatory requirements mandate near-zero data loss.
What governance weakness exists?
A. Strong mitigation
B. RPO misaligned with regulatory requirements
C. Weak KPI
D. Poor change management
Correct answer:
B. RPO misaligned with regulatory requirements
Recovery objectives must align with compliance requirements.
Disaster recovery testing
DR plans must be:
- Documented
- Tested periodically
- Updated after changes
- Reviewed after incidents
- Aligned with architecture changes
Untested DR plans provide false assurance.
CRISC frequently tests for the absence of DR testing.
Types of DR testing
- Tabletop exercises
- Simulation testing
- Parallel testing
- Full interruption testing
Testing maturity matters.
Failure to test reduces confidence in recovery capability.
Risk in DRM
Weak DRM increases:
- Availability risk
- Financial risk
- Regulatory risk
- Reputational risk
- Concentration risk
Over-investment in DRM may increase cost without proportional benefit.
CRISC prefers balance.
Cloud & DRM
Modern DRM considerations include:
- Cloud region redundancy
- Shared responsibility model
- Multi-region architecture
- Data residency compliance
- Vendor failover capability
Cloud does not eliminate recovery planning.
Example scenario
An organization implements full active-active redundancy for a low-impact internal system.
What principle is MOST relevant?
A. Excessive appetite
B. Cost-benefit misalignment
C. Strong governance
D. Risk avoidance
Correct answer:
B. Cost-benefit misalignment
Recovery investment must align with impact.
The most common exam mistakes
Candidates often:
- Confuse RTO and RPO.
- Assume maximum redundancy is always best.
- Ignore cost-benefit analysis.
- Forget to test recovery plans.
- Fail to align recovery objectives with the BIA.
- Overlook regulatory impact on recovery design.
CRISC evaluates alignment discipline.
Slightly uncomfortable scenario
DR testing consistently identifies recovery delays exceeding RTO, but no corrective action is taken.
What governance principle is MOST compromised?
A. Inherent risk assessment
B. Escalation and remediation discipline
C. KPI alignment
D. Threat modeling
Correct answer:
B. Escalation and remediation discipline
Testing without remediation undermines governance.
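As an added example (not part of the module), the alignment rules from the key concepts and the three scenarios above expressed as a small Python check: RTO must not exceed MTD, RPO must not exceed a regulatory data-loss limit, an untested plan is flagged, and test results that breach RTO without an open corrective action are flagged as an escalation failure. The dataclass field names, the sample portfolio and its hour values are constructed for illustration; the 15-minute regulatory RPO stands in for "near-zero".

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class System:
    """Recovery parameters for one system (field names are this example's own)."""
    name: str
    mtd_hours: float                  # Maximum Tolerable Downtime, from the BIA
    rto_hours: float                  # Recovery Time Objective set by the organization
    rpo_hours: float                  # Recovery Point Objective set by the organization
    regulatory_rpo_hours: Optional[float] = None   # mandated data-loss ceiling, if any
    test_recovery_hours: List[float] = field(default_factory=list)  # observed per DR test
    remediation_open: bool = False    # corrective action raised for failed tests?

def evaluate(s: System) -> List[str]:
    """Return governance findings; an empty list means the system is aligned."""
    findings = []
    # Rule 1: RTO must be less than or equal to MTD.
    if s.rto_hours > s.mtd_hours:
        findings.append("RTO exceeds MTD: recovery objective misaligned with business tolerance")
    # Rule 2: RPO must not exceed any regulatory data-loss limit.
    if s.regulatory_rpo_hours is not None and s.rpo_hours > s.regulatory_rpo_hours:
        findings.append("RPO exceeds regulatory limit: recovery objective misaligned with compliance")
    # Rule 3: an untested plan is false assurance.
    if not s.test_recovery_hours:
        findings.append("DR plan untested: recovery capability is assumed, not demonstrated")
    # Rule 4: test results that breach RTO must trigger remediation.
    elif any(t > s.rto_hours for t in s.test_recovery_hours) and not s.remediation_open:
        findings.append("DR tests exceeded RTO with no corrective action: escalation and remediation discipline compromised")
    return findings

# Constructed sample portfolio modelled on the module's scenarios (not real systems).
PORTFOLIO = [
    System("hr-portal", mtd_hours=24, rto_hours=48, rpo_hours=12, test_recovery_hours=[20]),
    System("fin-reporting", mtd_hours=8, rto_hours=4, rpo_hours=24, regulatory_rpo_hours=0.25,
           test_recovery_hours=[3]),
    System("payments", mtd_hours=4, rto_hours=2, rpo_hours=0.5,
           test_recovery_hours=[3.5, 2.8, 3.1], remediation_open=False),
    System("intranet-wiki", mtd_hours=72, rto_hours=24, rpo_hours=24, test_recovery_hours=[10]),
]

def portfolio_findings(systems: List[System]) -> dict:
    """Map each system name to its findings so misaligned systems can be escalated."""
    return {s.name: evaluate(s) for s in systems}

if __name__ == "__main__":
    for name, findings in portfolio_findings(PORTFOLIO).items():
        print(name, "->", findings or ["aligned"])
```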
Quick knowledge check
1) RTO must align with:
A. KPI thresholds
B. Business impact analysis (BIA) results
C. Patch cycles
D. Heatmap severity
Answer & reasoning
Correct: B
RTO is driven by business tolerance.
2) RPO primarily measures:
A. Maximum downtime
B. Maximum acceptable data loss
C. Incident frequency
D. Vendor SLA
Answer & reasoning
Correct: B
RPO defines acceptable data loss.
3) DR plans that are not tested most directly increase:
A. Inherent risk
B. False assurance and availability exposure
C. Risk avoidance
D. KPI performance
Answer & reasoning
Correct: B
Untested plans cannot be relied upon.
Final takeaway
Disaster Recovery Management must:
- Align with BIA
- Define RTO, RPO, MTD clearly
- Balance resilience and cost
- Be documented
- Be tested
- Be updated after change
- Trigger remediation when testing fails
CRISC rewards alignment between:
Business impact → Recovery objectives → Architecture → Testing → Escalation.
Resilience must be intentional — not assumed.