VA's
more robust assessment method is the risk method. Here the user makes
determinations about the level of inherent risk as well as the level
of residual risk that exists after the effect of the controls is factored
into the judgment. Both risk and exposure are assessed against likelihood
of occurrence and impact to the organization. These are entered through
VA's risk screening matrix, using either a "qualitative" approach
based on nine risk zones or a "quantitative" approach based on
monetary buckets along an order-of-magnitude scale customized
for each entity individually. Both screening matrices are depicted here.