Once the processes have been prioritised and the critical technology infrastructure, hardware, software and information resource needs of the processes which depend upon IT have been identified, it is necessary to design the way in which recovery from an incident can be effectuated. Given the requirements and the various methods of recovery, decisions must be made as to how recovery may be best achieved. Factors such as budget, manpower and compliance will drive the decision making process. A list of options can be drawn up and weighted to aid decision making. For this reason, the management of the organisation will be asked to accept both the risks treated and the ones that will not be treated. This can happen within the activity “Risk Acceptance” of the IT Risk Management process.