CRISC Certified in Risk and Information Systems Control – Question 358

Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. Choose two.

A. Impact
B. Annual rate of occurrence
C. Probability
D. Single loss expectancy

Correct Answer: AC

Explanation:
Unlike quantitative risk assessment, qualitative risk assessment does not assign dollar values. Instead, it determines a risk's level based on the probability and impact of the risk. These values are determined by gathering the opinions of experts.
Probability: establishes the likelihood of occurrence and recurrence of specific risks, independently and combined. A risk occurs when a threat exploits a vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentages can also be assigned to these words, such as 10% to Low and 90% to High.
Impact: used to identify the magnitude of identified risks. A risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, Low could be 10, Medium could be 50, and High could be 100.
Risk level = Probability * Impact
Incorrect Answers: B, D
These are used for calculating annual loss expectancy (ALE) in quantitative risk assessment. The formula is: ALE = SLE * ARO