Risk Articulation in TPRM

by | Jan 23, 2024 | TPRM Bytes

Risk articulation

Risks identified (inherent and residual) need to be well articulated so that the recipients see the justification for calling them risks. Poor articulation often results in pushback. A missing control opens the door to risk, but the write-up must document what that gap may actually lead to, and that consequence must be relevant to the organization.

E.g., the lack of a VA&PT report for a critical application or service should be flagged, but the risk description should probably read: “Lack of an external VAPT report by an accredited third party can expose the organization to the exploitation of known and unknown vulnerabilities, resulting in a compromise of confidentiality, integrity, and availability.” The VA gives insight into known vulnerabilities, and the PT into unknown ones.
