Question 20
Domain 2 — Risk Identification, Assessment, and Analysis
What is the difference between internal and external risk data sources?
Correct answer: B
Explanation
Internal risk data sources are generated inside the organization, such as loss records, incident reports, and audit findings. External risk data sources come from outside the organization, such as industry databases, regulators, and market reports. The distinction is based on where the data originates: within the firm versus outside it.
Why each option is right or wrong
A. There is no difference
B. Internal data comes from within the organization; external from outside
The distinction turns on the origin of the information: internal risk data are produced by the firm itself, while external risk data are obtained from outside parties or markets. In practice, internal sources include the organization’s own loss history, incident logs, and control/audit results; external sources include industry loss databases, regulatory publications, and market or vendor reports.
C. Internal data is always better
D. External data is always more expensive