Before escalating to senior management, a risk practitioner must understandhow seriousthe issue is for the enterprise. That means first assessing thebusiness impactof the noncompliance (financial, regulatory, reputational, operational) so that management is givencontextualizedinformation rather than just “we are noncompliant.”

In ISACA’s CRISC framework, risk assessment always requires understandinglikelihood and impactbefore risk response and escalation decisions. Evaluating the potential impact allows:

Identification of which processes, customers, or jurisdictions are affected.

Estimation of the magnitude of legal/regulatory exposure.

Understanding whether immediate containment actions are needed.

Preparation of meaningful options and recommendations for senior management.

Options A and B (evaluating controls and implementing compensating controls) are importantlater, as part of risk response / treatment. However, without first knowing theimpact, you cannot determine how urgent or extensive the remedial actions must be.

Option C (evaluating industry response) may be useful for benchmarking, but it doesnothelp the enterprise understand its own specific exposure and obligations and therefore is secondary to an internal impact assessment.

This aligns with CRISC guidance thatthe primary result of a risk assessment is input for risk-aware decisionsand that risk professionals mustassess likelihood and impact to determine risk significance before escalation and treatment(see the risk assessment and risk profile–related guidance in your CRISC notes).