A risk practitioner is documenting an IT risk scenario for a customer-facing payment service. Which combination of components makes the scenario most useful for analysis and response?
- A. A list of every control currently operating on the payment platform and its last test date
- B. A detailed network diagram of the payment platform and the data flows between each hosted component
- C. A summary of past audit findings raised against the payment service over the previous three years
- D. A threat actor, the event, the affected asset and the resulting business loss consequence (Correct)
Why A is wrong: Cataloguing existing controls describes the current state but omits the threat, event and consequence, so it cannot frame what could go wrong or how badly.
Why B is wrong: An architecture diagram supports analysis but is an input, not a scenario, because on its own it states no event, no actor and no loss outcome.
Why C is wrong: Prior findings are useful history but describe known weaknesses, not a forward-looking event with an actor and a quantifiable loss consequence.
Why D is correct: A complete scenario links actor, event, asset and consequence, giving analysts enough context to estimate likelihood and impact and to design a proportionate response.