
🧠 Domain 1 – Security and Risk Management

⚖️ D1.6 – Risk Acceptance and Treatment (🇬🇧 / 🇫🇷)

This memo summarizes the four main risk response strategies used in risk management and business continuity planning.


🎯 What is Risk Treatment?

Risk treatment is the process of selecting and implementing measures to modify risk.
The most common strategies are:

  • Avoid: Eliminate the risk entirely by removing the asset or process (FR: remove the risk by stopping the activity)
  • Transfer: Shift the risk to a third party (e.g. insurance, outsourcing) (FR: insurance or outsourcing)
  • Mitigate: Reduce the likelihood or impact by applying controls (FR: put security measures in place)
  • Accept: Acknowledge the risk and document the decision (FR: accept the risk as it is, but document it)

🧠 FR: Risk treatment means choosing one of these four strategies, depending on the context, the cost and the level of risk the organization is willing to accept.


✅ Risk Acceptance – What to Do

If you accept a risk, you:

  • Do not attempt to reduce it
  • Do not transfer it
  • Acknowledge it and formally document the rationale

📌 Typical action:

Document your decision-making process
Ensure management has signed off on the decision

🧠 FR: When you accept a risk, you do nothing more, except write it down, keep a record of it, and have it validated by the decision makers.


❗ CISSP-style Example Question

You have completed your risk assessment and decided to accept a moderate risk.
What is the next appropriate step?

Answer: Document the acceptance decision and rationale


🔁 BCP / DRP Risk Response Context

  • During the BIA: Identify impact and tolerances (RTO, RPO)
  • During risk analysis: Quantify the risk (qualitative / quantitative)
  • During planning: Select the risk response: avoid / mitigate / transfer / accept
  • After the decision: Document it and proceed accordingly

🧠 FR: Acceptance is a response like any other. It is not a weakness, as long as it is justified and recorded.


💡 Tip for Exam

  • If you see the phrase “you chose to accept the risk”, look for an option that says 📄 “Document the decision”
  • ✅ Not “reduce”, “analyze”, or “implement” anything

🕓 RTO vs RPO vs MTD – Recovery Objectives (⏱️ / 💾 / ⛔)

These three metrics are essential in disaster recovery and business continuity planning.

  • RTO (Recovery Time Objective ⏱️): max time a system can be down before causing serious impact. 🕓 "Time before pain begins"
  • RPO (Recovery Point Objective 💾): max acceptable amount of data loss, expressed as a span of time. 💾 "How far back you can rewind"
  • MTD (Maximum Tolerable Downtime ⛔): absolute max time a business can survive an interruption. 🔥 "Hard limit – beyond this = failure"

✅ Examples (Real World – Backup Scenario)

  • RTO: After a ransomware attack, the system must be restored in less than 4 hours to avoid legal penalties.
  • RPO: Daily backups run at 2am. If the server crashes at 6pm, we’ll restore from 2am = 16 hours of data lost. If that’s acceptable, RPO = 16 hours.
  • MTD: The company says: “If email is offline more than 8 hours, we lose clients.” → MTD = 8 hours. So: RTO must be ≤ MTD.

🧠 FR:

  • RTO: max downtime before it really starts to hurt 💥
  • RPO: the amount of data you can afford to lose
  • MTD: absolute limit; beyond it = major damage or the end of the activity

🧾 Simple Examples for CISSP

🔹 RTO (Recovery Time Objective)

A company can afford to be offline for up to 4 hours after an incident.
🎯 RTO = 4 hours

🧠 EN: This is the maximum tolerable downtime before the impact becomes unacceptable.

🔹 RPO (Recovery Point Objective)

Backups are performed every 15 minutes, so in case of a crash, the company accepts losing up to 15 minutes of data.
🎯 RPO = 15 minutes

🧠 EN: This defines the "point in the past" to which you can restore data without major consequences.

🔹 MTD (Maximum Tolerable Downtime)

The company says: “If our order system is down for more than 6 hours, we start losing revenue and clients permanently.”
🎯 MTD = 6 hours

🧠 EN: This is the absolute limit of downtime. Beyond that, the business continuity is seriously at risk.


💡 Critical Formula

🧠 In CISSP questions:

RTO must always be ≤ MTD
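As an added worked example (not part of the original memo), the Python below computes the data loss for the backup scenarios in this memo (daily backup at 2am with a crash at 6pm, and backups every 15 minutes) and applies the RTO ≤ MTD formula above to a constructed set of systems. It also flags a backup interval that cannot guarantee the stated RPO, since with a daily backup the worst-case loss is a full 24 hours, not the 16 hours of that one crash time. The class and function names, and the plan values, are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjectives:
    """One system's objectives, all in hours (constructed sample values, not from the memo)."""
    system: str
    rto_hours: float   # target time to bring the service back
    rpo_hours: float   # acceptable data loss, expressed as time
    mtd_hours: float   # hard limit the business can survive


def last_backup_before(failure: datetime, first_backup: datetime, interval: timedelta) -> datetime:
    """Most recent backup completed at or before `failure`, for a schedule that runs
    every `interval` starting at `first_backup` (assumes failure >= first_backup)."""
    completed_runs = (failure - first_backup) // interval   # whole intervals elapsed
    return first_backup + completed_runs * interval


def data_loss_hours(failure: datetime, first_backup: datetime, interval: timedelta) -> float:
    """Hours of data lost when restoring from the last backup taken before `failure`."""
    lost = failure - last_backup_before(failure, first_backup, interval)
    return lost.total_seconds() / 3600


def findings(obj: RecoveryObjectives, backup_interval: timedelta) -> list[str]:
    """Consistency checks a BCP reviewer would apply to one system's objectives."""
    out = []
    if obj.rto_hours > obj.mtd_hours:                     # the memo's critical formula
        out.append(f"{obj.system}: RTO {obj.rto_hours:g}h exceeds MTD {obj.mtd_hours:g}h")
    worst_case_loss = backup_interval.total_seconds() / 3600   # failure just before the next run
    if worst_case_loss > obj.rpo_hours:
        out.append(f"{obj.system}: backups every {worst_case_loss:g}h cannot guarantee RPO {obj.rpo_hours:g}h")
    return out


if __name__ == "__main__":
    # Memo scenario: daily backup at 2am, crash at 6pm -> 16 hours of data lost.
    daily_2am = datetime(2024, 1, 1, 2, 0)
    print(data_loss_hours(datetime(2024, 1, 1, 18, 0), daily_2am, timedelta(days=1)))
    # Constructed plan: email keeps RTO <= MTD, the order system does not.
    plan = [
        (RecoveryObjectives("email", rto_hours=4, rpo_hours=24, mtd_hours=8), timedelta(days=1)),
        (RecoveryObjectives("orders", rto_hours=8, rpo_hours=0.25, mtd_hours=6), timedelta(minutes=15)),
    ]
    for objectives, interval in plan:
        for line in findings(objectives, interval):
            print(line)
```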


🧠 Tip for Exam

If a question asks:

“How long can you delay restoration before business suffers?”

➡️ Answer = RTO

If it asks:

“How much data can we afford to lose?”

➡️ Answer = RPO

If it asks:

“What is the absolute maximum outage allowed?”

➡️ Answer = MTD

