The BEST answer is A because impact is business-context dependent. Inherent risk impact should be estimated based on how the risk could affect the organization’s objectives, operations, processes, assets, and stakeholders before considering controls. ISACA’s CRISC exam outline places inherent and residual risk under Risk Analysis and states that CRISC candidates must understand likelihood and impact of threats, vulnerabilities, and risk scenarios. ISACA’s risk analysis discussion explains that risk analysis evaluates both the possibility of occurrence and “the determination of the impact on business objectives”; for impact assessment, business impact information is often prepared by business function managers/risk owners. The uploaded CRISC notes also state that risk scenarios estimate frequency and impact, assessors determine magnitude of impact after likelihood, and top-down/business-objective context is important.
B and D are useful for understanding the threat landscape and future trends, but they do not by themselves estimate the organization-specific impact. C can help when reliable historical data exists, but historical modeling alone may not reflect current business context, changed operations, or stakeholder impact. For CRISC-style “BEST” questions, organizational stakeholders/risk owners provide the most relevant impact input.