This is the risk that is
inherent to a specific function and sub process and is measured before
taking control measures into account.
If Personal Identifiable
Information (PII) were to be lost in that specific sub process it might have a
Critical, High, Medium or Low impact.
Where the volume of PII is low
and the type of personal information is not sensitive or special personal
information is not processed the Inherent risk might be low.
Where the volumes of the PII
is high in a sub process and there is sensitive and special personal
information are processed in that sub process the Inherent Risk might be
Critical.