A team conducting a risk analysis is having difficulty projecting the financial losses that could result
from a risk. To evaluate the potential losses, the team should:
A.
 compute the amortization of the related assets.
B.
 calculate a return on investment (ROI).
C.
 apply a qualitative approach.
D.
 spend the time needed to define exactly the loss amount.
Explanation:
The common practice, when it is difficult to calculate the financial losses, is to take a qualitative
approach, in which the manager affected by the risk defines the financial loss in terms of a weighted
factor {e.g., one is a very low impact to thebusiness and five is a very high impact). An ROI is
computed when there is predictable savings or revenues that can be compared to the investment
needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing
potential losses. Spending the time needed to define exactly the total amount is normally a wrong
approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of
public image due to a hack attack), that situation is not likely to change, and at the end of the day,
the result will be a not well-supported evaluation.