CISA Certified Information Systems Auditor – Question 1252

Inherent risk ratings are determined by assessing the impact and likelihood of a threat or vulnerability occurring:

A. after internal controls are taken into account.
B. before the risk appetite is established.
C. after compensating controls have been applied.
D. before internal controls are taken into account.

Correct Answer: D