As a risk management professional, you are calculating annualized loss expectancy based on input parameters such as asset value, exposure factor, single loss expectancy, and the annual rate of occurrence. Which of the following is the end purpose? (Wentz QOTD)
A. Qualitative risk analysis
B. Quantitative risk analysis
C. Risk prioritization
D. Risk evaluation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Risk evaluation.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

This question is designed to promote the concept of risk evaluation of ISO 31000. The annualized loss expectancy (ALE) is one form of quantitative risk analysis technique to determine risk exposure as the input of the risk evaluation process.

Risk prioritization is one of the core tasks of risk evaluation. Before that, risk acceptance criteria are applied to determine which risks are to be treated. Once the risks to be treated are determined, risk evaluation criteria are applied to prioritize those risks. As a result, risk evaluation is a better option than quantitative risk analysis and risk prioritization because it is more comprehensive.

Reference

---

作為風險管理專業人士，您正在根據資產價值、敞口係數、單一損失預期和年發生率等輸入參數計算年化預期損失。 以下哪個是最終目的？ (Wentz QOTD)
A. 定性風險分析
B. 定量風險分析
C. 風險優先排序
D. 風險評估