Certified in Risk and Information Systems Control (CRISC) — Question 1224
Which of the following is a risk practitioner's BEST recommendation to management when testing results indicate the organization's recovery time objective (RTO) cannot be met?
Answer options
- A. Engage IT and the business to re-evaluate the RTO.
- B. Engage business users to develop and document alternative procedures.
- C. Adjust the recovery point objectives (RPOs) to align with the RTO.
- D. Revise the RTO in the business impact analysis (BIA).
Correct answer: A
Explanation
The best recommendation is to engage IT and the business to re-evaluate the RTO, because doing so ensures that all stakeholders are involved in addressing the issue. Adjusting RPOs or revising the RTO without collaboration may not address the underlying problems effectively. Developing alternative procedures is helpful but does not directly address the RTO issue, so it is a secondary option.