Qualitative measures are methods of expressing risk levels using descriptive terms, such as high, medium, or low, based on subjective criteria, such as likelihood, impact, or severity. Qualitative measures are often used to identify and prioritize risks, and to communicate risk information to stakeholders1.

Residual risk is the level of risk that remains after the risk response has been implemented. Residual risk reflects the effectiveness and efficiency of the risk response, and the need for further action or monitoring2.

Emerging threats are new or evolving sources or causes of risk that have the potential to adversely affect the organization’s objectives, assets, or operations. Emerging threats are oftencharacterized by uncertainty, complexity, and ambiguity, and may require innovative or adaptive risk responses3.

The best reason to use qualitative measures to express residual risk levels related to emerging threats is that qualitative measures are better able to incorporate expert judgment. Expert judgment is the opinion or advice of a person or a group of people who have specialized knowledge, skills, or experience in a particular domain or field. Expert judgment can help to:

Provide insights and perspectives on the nature and characteristics of the emerging threats, and their possible causes and consequences

Assess the likelihood and impact of the emerging threats, and their interactions and dependencies with other risks

Evaluate the suitability and effectiveness of the risk responses, and their alignment with the organization’s risk appetite and tolerance

Identify and recommend the best practices and lessons learned for managing the emerging threats, and for improving the risk management process45

Qualitative measures are better able to incorporate expert judgment than quantitative measures, which are methods of expressing risk levels using numerical or measurable values, such as percentages, probabilities, or monetary amounts. Quantitative measures are often used to estimate and analyze risks, and to support risk decision making1. However, quantitative measures may not be suitable or feasible for expressing residual risk levels related to emerging threats, because:

Quantitative measures require reliable and sufficient data and information, which may not be available or accessible for the emerging threats

Quantitative measures rely on mathematical models and techniques, which may not be able to capture or reflect the complexity and uncertainty of the emerging threats

Quantitative measures may create a false sense of precision or accuracy, which may not be justified or warranted for the emerging threats

Quantitative measures may be influenced or manipulated by biases or assumptions, which may not be valid or appropriate for the emerging threats67

Therefore, qualitative measures are better able to incorporate expert judgment, which can enhance the understanding and management of the residual risk levels related to emerging threats.

The other options are not the best reasons to use qualitative measures to express residual risk levels related to emerging threats, but rather some of the advantages or disadvantages of qualitative measures. Qualitative measures require less ongoing monitoring than quantitative measures, because they are simpler and easier to apply and update. However, this does not mean that qualitative measures can eliminate or reduce the need for monitoring, which is an essential part of the risk management process. Qualitative measures are better aligned to regulatory requirements than quantitative measures, because they are more consistent and comparable across different domains and contexts. However, this does not mean that qualitative measures can satisfy or comply with all the regulatory requirements, which may vary depending on theindustry or sector. Qualitative measures are easier to update than quantitative measures, because they do not depend on complex calculations or formulas. However, this does not mean that qualitative measures can always reflect the current or accurate risk levels, which may change over time or due to external factors. References =

Qualitative Risk Analysis vs. Quantitative Risk Analysis - ISACA

Residual Risk - ISACA

Emerging Threats - ISACA

Expert Judgment - ISACA

Expert Judgment in Project Management: Narrowing the Theory-Practice Gap

Quantitative Risk Analysis - ISACA

Quantitative Risk Analysis: A Critical Review

[CRISC Review Manual, 7th Edition]