✔✔Internal Threats - ✔✔System failures, process failures, human error, insider threats.
✔✔External Threats - ✔✔Weather, cyberattacks, political instability, supply chain issues.
✔✔Risk Scoring - ✔✔Probability × Impact = Risk Rating.
✔✔High Risk - ✔✔High probability + high impact.
✔✔Information Gathering - ✔✔Interviews, surveys, document reviews.
✔✔Risk Treatment Options - ✔✔Mitigate, Transfer, Accept, Avoid.
✔✔Mitigate - ✔✔Implement controls to reduce risk probability or impact.
✔✔Transfer - ✔✔Shift risk through insurance or third-party agreements.
✔✔Accept - ✔✔Do nothing; risk is tolerable.
✔✔Avoid - ✔✔Stop or change the risky activity.
✔✔Existing Controls - ✔✔Controls already in place to reduce risk.
✔✔Residual Risk - ✔✔Risk remaining after controls are applied.
✔✔Who Approves RA Results? - ✔✔Leadership or the Steering Committee.
✔✔What Is a Control? - ✔✔A safeguard or countermeasure.
✔✔What Is the Highest Risk? - ✔✔High impact and high probability.
✔✔RA Output - ✔✔Prioritized list of risks with recommendations.
✔✔BIA Purpose - ✔✔Identify critical processes and determine RTO/RPO.
✔✔Primary Output of BIA - ✔✔RTO (Recovery Time Objective).
✔✔RTO - ✔✔Time allowed before unacceptable impact occurs.
✔✔RPO - ✔✔Maximum allowable data loss measured in time.
✔✔MTD / MTPD - ✔✔Maximum tolerable downtime; beyond this, severe impact or failure occurs.
✔✔Critical Process - ✔✔Process that must resume quickly to prevent severe impact.
✔✔Dependencies - ✔✔People, systems, data, vendors, and facilities required.
✔✔Impact Types - ✔✔Financial, operational, legal, regulatory, reputational, customer.
✔✔RA vs BIA - ✔✔RA identifies threats; BIA identifies impacts and timing.
✔✔BIA Steps - ✔✔Gather data → Validate → Analyze impacts → Determine RTO/RPO → Prioritize processes.
✔✔Process Prioritization - ✔✔Based on impact over time and MTD.
✔✔Data Gathering - ✔✔Interviews, surveys, questionnaires.
✔✔Who Owns Processes? - ✔✔Business units own and validate criticality.
✔✔What Before BIA? - ✔✔Risk Assessment.
✔✔What After BIA? - ✔✔Strategy development.
✔✔What Determines RTO? - ✔✔Impact analysis from the BIA.
✔✔Purpose of BIA - ✔✔Determine recovery priorities and timelines.
✔✔Business Continuity Strategies - ✔✔Purpose: Identify solutions that meet RTO/RPO requirements.
✔✔Strategy Driven By - ✔✔BIA results (RTO, RPO, criticality).
✔✔Alternate Sites - ✔✔Hot, Warm, Cold sites for continuity.
✔✔Hot Site - ✔✔Fully equipped and ready immediately; highest cost.
✔✔Warm Site - ✔✔Partially equipped; moderate recovery time.
✔✔Cold Site - ✔✔Empty space; cheapest; longest recovery.
✔✔Manual Workarounds - ✔✔Temporary non-technology processes.