In a qualitative risk assessment, which elements are typically identified to prioritize mitigations?

In a qualitative risk assessment, you prioritize mitigations by building a complete picture of how risk could arise and how serious it would be. That means identifying what could happen (threats), where weaknesses could be exploited (vulnerabilities), how severe the consequences would be if it occurs (impacts), and how likely it is to occur (likelihood). Together, these four elements let you rate and compare different risk scenarios, so you can focus on the ones with the highest overall risk. If you only consider threats and likelihood, you miss how bad the impact could be; if you only consider impacts and vulnerabilities, you miss how probable the event is; and focusing solely on costs ignores the risk that still exists. Including all four elements provides the full context needed to prioritize mitigations effectively.