nerdexam
(ISC)2

CISSP · Question #686

What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?

The correct answer is C. Identify potential threats to business availability.. Risk analysis in DR planning is fundamentally about identifying what can go wrong before mitigation strategies can be developed. Recognizing potential threats to business availability is the prerequisite step that drives all subsequent DR decisions.

Submitted by kavita_s· Mar 5, 2026Security and Risk Management

Question

What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?

Options

  • AEstablish Maximum Tolerable Downtime (MTD) Information Systems (IS).
  • BDefine the variable cost for extended downtime scenarios.
  • CIdentify potential threats to business availability.
  • DEstablish personnel requirements for various downtime scenarios.

How the community answered

(27 responses)
  • A
    4% (1)
  • B
    4% (1)
  • C
    93% (25)

Why each option

Risk analysis in DR planning is fundamentally about identifying what can go wrong before mitigation strategies can be developed. Recognizing potential threats to business availability is the prerequisite step that drives all subsequent DR decisions.

AEstablish Maximum Tolerable Downtime (MTD) Information Systems (IS).

Establishing Maximum Tolerable Downtime (MTD) is a business impact analysis (BIA) activity that occurs after risk analysis has identified threats, not during the risk analysis phase itself.

BDefine the variable cost for extended downtime scenarios.

Defining variable costs for extended downtime is a financial modeling or BIA function focused on cost quantification, which is a downstream activity that depends on risk analysis outputs rather than being its main objective.

CIdentify potential threats to business availability.Correct

Risk analysis is the systematic process of identifying, evaluating, and prioritizing potential threats-such as natural disasters, cyberattacks, hardware failures, or human error-that could disrupt business operations. Without first identifying these threats, planners cannot determine likelihood, impact, or appropriate countermeasures. This threat identification forms the foundation upon which all other DR planning elements, including recovery objectives and resource requirements, are built.

DEstablish personnel requirements for various downtime scenarios.

Determining personnel requirements for downtime scenarios is a resource planning and DR strategy development activity, not a function of risk analysis, which focuses on threat and vulnerability identification rather than staffing.

Concept tested: Purpose of risk analysis in DR planning

Source: https://www.ready.gov/business-impact-analysis

Topics

#risk analysis#disaster recovery planning#threat identification

Community Discussion

No community discussion yet for this question.

Full CISSP Practice