
Module 41: Disaster Recovery Management (DRM)

CRISC Domain 4 — Technology and Security, Section A
When prevention fails, how fast can you recover — and how much do you lose in the process?

Disaster Recovery Management ensures that:

  • Critical systems can be restored
  • Data loss is minimized
  • Downtime is limited
  • Business operations can resume
  • Risk exposure remains within tolerance

DRM focuses on availability and resilience.

CRISC evaluates alignment between recovery capability and business impact.


What the exam is really testing

When DRM appears, CRISC is asking:

  • Are RTO and RPO aligned with business requirements?
  • Is recovery strategy proportionate?
  • Are plans tested?
  • Are roles clearly defined?
  • Is resilience integrated into architecture?
  • Are recovery risks escalated appropriately?

CRISC favors structured alignment — not maximum redundancy.


Key concepts

Recovery Time Objective (RTO)

Maximum acceptable time to restore a system after disruption.

If actual recovery exceeds RTO → tolerance breach.


Recovery Point Objective (RPO)

Maximum acceptable data loss measured in time.

Example: 4-hour RPO means up to 4 hours of data may be lost.


Maximum Tolerable Downtime (MTD)

Maximum time a business process can be disrupted before severe impact.

RTO must be less than or equal to MTD.

CRISC frequently tests RTO vs MTD alignment.


Disaster recovery vs business continuity

Disaster Recovery:
IT systems restoration

Business Continuity:
Maintaining critical business operations

DR is a component of BC.

CRISC may test confusion between the two.


Recovery strategies

Common recovery strategies include:

  • Backup & restore
  • Cold site
  • Warm site
  • Hot site
  • Active-active redundancy
  • Cloud failover
  • Replication

Higher resilience = higher cost.

CRISC tests proportionality.


Example scenario

A system has an MTD of 24 hours. The organization defines an RTO of 48 hours.

Primary issue?

A. Misalignment between RTO and business tolerance
B. Strong resilience
C. Excessive mitigation
D. Weak inherent risk

Correct answer:

A. Misalignment between RTO and business tolerance

RTO must align with business tolerance.


Now consider this

A critical financial reporting system has an RPO of 24 hours due to cost constraints. Regulatory requirements mandate near-zero data loss.

What governance weakness exists?

A. Strong mitigation
B. Weak KPI
C. RPO misaligned with regulatory requirements
D. Poor change management

Correct answer:

C. RPO misaligned with regulatory requirements

Recovery objectives must align with compliance requirements.


Disaster recovery testing

DR plans must be:

  • Documented
  • Tested periodically
  • Updated after changes
  • Reviewed after incidents
  • Aligned with architecture changes

Untested DR plans provide false assurance.

Expect exam questions about what happens when DR plans go untested.


Types of DR testing

  • Tabletop exercises
  • Simulation testing
  • Parallel testing
  • Full interruption testing

Testing maturity matters.

Failure to test reduces confidence in recovery capability.


Risk in DRM

Weak DRM increases:

  • Availability risk
  • Financial risk
  • Regulatory risk
  • Reputational risk
  • Concentration risk

Over-investment in DRM may increase cost without proportional benefit.

CRISC prefers balance.


Cloud & DRM

Modern DRM considerations include:

  • Cloud region redundancy
  • Shared responsibility model
  • Multi-region architecture
  • Data residency compliance
  • Vendor failover capability

Cloud does not eliminate recovery planning.


Example scenario

An organization implements full active-active redundancy for a low-impact internal system.

What principle is MOST relevant?

A. Excessive appetite
B. Risk avoidance
C. Strong governance
D. Cost-benefit misalignment

Correct answer:

D. Cost-benefit misalignment

Recovery investment must align with impact.


The most common exam mistakes

The trap on DRM questions is reaching for the “maximum redundancy” answer. An active-active setup for a low-impact system is not strong governance — it is cost-benefit misalignment. Also make sure you can clearly distinguish RTO (how long until systems are back) from RPO (how much data you can afford to lose). The exam will exploit that confusion.


Advanced scenario

DR testing consistently identifies recovery delays exceeding RTO, but no corrective action is taken.

What governance principle is MOST compromised?

A. Inherent risk assessment
B. Escalation and remediation discipline
C. KPI alignment
D. Threat modeling

Correct answer:

B. Escalation and remediation discipline

Testing without remediation undermines governance.
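The checks this module keeps returning to (RTO within MTD, RPO achievable by the backup schedule and within any regulatory limit, and DR test results that breach RTO being remediated rather than ignored) can be expressed as a small review routine. This is an added example, not part of the module; the system names, hour values and the "two unremediated breaches triggers escalation" threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Objectives:
    system: str
    mtd_h: float               # maximum tolerable downtime, hours
    rto_h: float               # recovery time objective, hours
    rpo_h: float               # recovery point objective, hours
    backup_interval_h: float   # time between restore points, hours
    regulatory_rpo_h: Optional[float] = None  # mandated maximum data loss, if any

@dataclass
class DrTest:
    system: str
    measured_recovery_h: float
    remediated: bool           # was corrective action taken after this test?

def check_objectives(o: Objectives) -> List[str]:
    """Flag objectives inconsistent with business or regulatory tolerance."""
    out = []
    if o.rto_h > o.mtd_h:
        out.append(f"{o.system}: RTO {o.rto_h}h exceeds MTD {o.mtd_h}h")
    if o.backup_interval_h > o.rpo_h:
        out.append(f"{o.system}: backup interval {o.backup_interval_h}h cannot achieve RPO {o.rpo_h}h")
    if o.regulatory_rpo_h is not None and o.rpo_h > o.regulatory_rpo_h:
        out.append(f"{o.system}: RPO {o.rpo_h}h exceeds regulatory limit {o.regulatory_rpo_h}h")
    return out

def check_tests(o: Objectives, tests: List[DrTest]) -> List[str]:
    """Flag test recoveries exceeding RTO; repeated unremediated breaches escalate."""
    breaches = [t for t in tests if t.system == o.system and t.measured_recovery_h > o.rto_h]
    out = [f"{o.system}: test recovery {t.measured_recovery_h}h exceeds RTO {o.rto_h}h" for t in breaches]
    if sum(1 for t in breaches if not t.remediated) >= 2:   # assumed escalation threshold
        out.append(f"{o.system}: repeated RTO breaches without remediation; escalate")
    return out

# Constructed sample data mirroring the module's scenarios (not a real environment).
OBJECTIVES = [
    Objectives("order-portal", mtd_h=24, rto_h=48, rpo_h=4, backup_interval_h=4),
    Objectives("fin-reporting", mtd_h=8, rto_h=4, rpo_h=24, backup_interval_h=24, regulatory_rpo_h=0.25),
    Objectives("intranet-wiki", mtd_h=72, rto_h=8, rpo_h=24, backup_interval_h=24),
]
TESTS = [DrTest("intranet-wiki", 12, False), DrTest("intranet-wiki", 14, False)]

def run_review(objectives=OBJECTIVES, tests=TESTS) -> dict:
    """Return findings per system; an empty list means objectives and tests are aligned."""
    return {o.system: check_objectives(o) + check_tests(o, tests) for o in objectives}
```

Running `run_review()` reproduces the module's three findings: an RTO beyond MTD, an RPO beyond the regulatory limit, and recurring test breaches that were never remediated.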


Quick knowledge check

1) RTO must align with:

A. KPI thresholds
B. Business impact analysis (BIA) results
C. Patch cycles
D. Heatmap severity

Answer & reasoning

Correct: B

RTO is driven by business tolerance.


2) RPO primarily measures:

A. Maximum downtime
B. Vendor SLA
C. Incident frequency
D. Maximum acceptable data loss

Answer & reasoning

Correct: D

RPO defines acceptable data loss.


3) DR plans that are not tested most directly increase:

A. False assurance and availability exposure
B. Inherent risk
C. Risk avoidance
D. KPI performance

Answer & reasoning

Correct: A

Untested plans cannot be relied upon.


Final takeaway

Disaster Recovery Management must:

  • Align with BIA
  • Define RTO, RPO, MTD clearly
  • Balance resilience and cost
  • Be documented
  • Be tested
  • Be updated after change
  • Trigger remediation when testing fails

The thread that ties DRM together is alignment: business impact drives recovery objectives, which drive architecture decisions, which must be validated through testing, which must trigger escalation when results fall short. Resilience must be intentional — not assumed.
