This is the risk that is inherent to a specific
function and sub process and is measured before taking control measures into
account.
If Personal Identifiable Information (PII) were to be lost in that
specific sub process it might have a Critical, High, Medium or Low
impact.
Where the volume of PII is low and the type of personal information is
not sensitive or special personal information the Inherent risk might be
low.
Where the volumes of the PII is high in a sub process and there is
sensitive and special personal information in that sub process the Inherent
Risk might be Critical.