ID.RA-05 uses data on threats, vulnerabilities, likelihoods, and impacts to assess inherent risk—the risk before controls are applied—and prioritize responses. This involves developing threat models to understand risks to critical assets and guide mitigation strategies. It ensures that risk management focuses on the most pressing dangers.

This subcategory supports strategic decision-making by linking risk analysis to resource investments, emphasizing high-probability, high-impact scenarios. It provides a structured approach to weighing risks against organizational tolerances. ID.RA-05 drives a risk-based prioritization of cybersecurity efforts.