Certified in Risk and Information Systems Control (CRISC) — Question 807
Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?
Answer options
- A. IT system criticality classification
- B. Mean time to recover (MTTR)
- C. Incident management service level agreement (SLA)
- D. Recovery time objective (RTO)
Correct answer: D
Explanation
The recovery time objective (RTO) is a metric that defines the maximum acceptable time that IT services can be down after a failure, making it the best indicator of risk appetite and tolerance for business interruptions. In contrast, IT system criticality classification assesses importance, MTTR measures recovery efficiency, and an SLA outlines service commitments, but none of these specifically quantifies risk tolerance as the RTO does.