During the risk evaluation phase decisions have to be made concerning which risks need treatment and which do not, as well
as concerning on the treatment priorities. Analysts need to compare the level of risk determined during the analysis process
with risk criteria established in the Risk Management context (i.e. in the risk criteria identification stage). It is important
to note that in some cases the risk evaluation may lead to a decision to undertake further analysis.
Organisation
Responsible
Risk Manager
Accountable
Senior Management
Consulted
Domain Expert Risk Owner Internal Audit
Informed
Senior Management
Input/Output
Input data
D69 Controls relative to assets D70 Impacts relative to assets D62 Assessment activities criteria D68 Threats relative to assets D72 Risks relative to asset groups D67 Classified assets D63 Asset class. scheme D71 Risks relative to assets