CRISC Certified in Risk and Information Systems Control – Question 145

Which of the following is an output of the risk assessment process?

A. Identification of risk
B. Identification of appropriate controls
C. Mitigated risk
D. Enterprise left with residual risk

Correct Answer: B

Explanation:
The output of the risk assessment process is identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc.
Incorrect Answers:
A: Risk identification acts as an input to the risk assessment process.
C: This is an output of the risk mitigation process, that is, after applying several risk responses.
D: Residual risk is a later output, after appropriate controls are applied.