How do you rationalize assigning a risk impact/factor to an identified risk, threat, or vulnerability?
How do you prioritize similar risk impact/factor values of identified risks? How do you determine which "1" to prioritize? Why would you prioritize a "2" over a "1"?