CRISC - Risk Assessment - Section 2.7
Distinguish inherent and residual risk and use business impact analysis to evaluate risk against criteria.
Distinguish inherent risk - before controls are applied - from residual risk that remains after controls, and use business impact analysis to evaluate both against defined risk criteria. Recognise that residual risk exceeding tolerance requires further treatment rather than acceptance by default.
Inherent risk, Residual risk, Business impact analysis, Risk evaluation
Examworthy is not affiliated with or endorsed by ISACA. Original, blueprint-aligned practice material only.