Upper management decides which risk to mitigate based on cost. This is an example of:

A.
Qualitative risk assessment

B.
Business impact analysis

C.
Risk management framework

D.
Quantitative risk assessment

Explanation:
Quantitative analysis / assessment is used to the show the logic and cost savings in replacing a server for example before it fails rather than after the failure.
Quantitative assessments assign a dollar amount.

Incorrect Answers:
A: Risk can also be calculated qualitatively and are subjective in nature.
B: A business impact analysis is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn’t concerned with
external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical
functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.
C: A risk management framework is an umbrella term that concerns all risk management best practices.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 17, 28-29