Risk aggregation in a complex organization will be MOST successful when using the same scales in assessing risk, because it can help to ensure the consistency and comparability of the risk assessment results across different units, levels, and domains of the organization. Using the same scales in assessing risk can also help to avoid the potential errors or biases that may arise from using different scales, such as overestimating or underestimating the risk exposure, or misaligning the risk appetite and tolerance. The other options are not as important as using the same scales in assessing risk, because:

Option B: Utilizing industry benchmarks is a good way to improve the quality and validity of the risk assessment results, but it does not ensure the success of the risk aggregation, which is the process of combining and consolidating the risk assessment results into a holistic and comprehensive view of the risk profile and exposure of the organization.

Option C: Using reliable qualitative data for risk items is a useful way to capture and describe the risk items, which are the sources and causes of the risks, but it does not ensure the success of the risk aggregation, which is the process of quantifying and measuring the risk items, and their likelihood and impact on the business objectives and processes.

Option D: Including primarily low-level risk factors is a necessary way to identify and assess the risk factors, which are the characteristics and attributes of the risks, but it does not ensure the success of the risk aggregation, which is the process of prioritizing and ranking the risk factors, and their significance and relevance to the organization’s strategy and goals. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 105.