This is the risk that is
inherent to a specific function and sub process and is
measured before taking control measures into account.
If Personal Identifiable Information (PII) were to
be lost in that specific sub process it might have a Critical, High, Medium or
Low impact.
Where the volume of PII is low and the type of
personal information is not sensitive or special personal information the Inherent
risk might be low.
Where the volumes of the PII is high in a sub
process and there is sensitive and special personal information in that sub
process the Inherent Risk might be Critical.