When establishing the risk management context for calculating risk, the formulas and methods for combining impact and likelihood must be consistent with the defined criteria. This ensures that the risk calculations are accurate and meaningful. If the formulas and methods are not consistent, the resulting risk scores may not accurately reflect the true level of risk.
While risk appetite and tolerance (A) are important for overall risk management, they don't directly dictate the formulas for calculation. KRIs and KPIs (C) are used for monitoring, not calculation.
[Reference: ISACA materials on risk assessment methodology, likely within the Risk IT Framework and related publications, emphasize the importance of consistent and well-defined methods for calculating risk. This ensures that risk scores are comparable and meaningful across the organization.]