Determining Reporting Frequency for New Risks

B.

Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner.

Likelihood of occurrence and incident frequency are not as relevant.

Mitigating controls is not a determining factor on incident reporting.

When deciding whether new risks should fall under periodic or event-driven reporting, the decision should be based on the visibility of impact and incident frequency.

Visibility of impact refers to the potential impact that a risk could have on an organization. This impact can be assessed by considering the potential financial, operational, or reputational harm that could result from the risk. If the impact of the risk is high, then it is likely that the risk should be reported on an event-driven basis. Event-driven reporting is used for risks that are high-impact and require immediate attention.

Incident frequency refers to how often a risk is likely to occur. If a risk is expected to occur frequently, then it is likely that the risk should be reported on a periodic basis. Periodic reporting is used for risks that occur with some regularity and do not require immediate attention.

Mitigating controls and likelihood of occurrence are also important factors to consider when assessing risk, but they are not as directly relevant to the decision between periodic and event-driven reporting. Mitigating controls refer to the measures that an organization has in place to reduce the likelihood or impact of a risk. While these controls can affect the decision on how to report on a risk, they are not the primary factor. Likelihood of occurrence refers to how likely it is that a risk will occur. While this factor is important for assessing risk overall, it does not have a direct impact on the decision between periodic and event-driven reporting.

In summary, the decision on whether new risks should fall under periodic or event-driven reporting should be based on the visibility of impact and incident frequency.