Risk factor : Difficulty of Exploit vs Business Impact

The Risk Factor concept used by the CCWAPPSS is the answer to the question : Could this vulnerability lead to major issues ?

To figure out the Risk Factor of a vulnerability, the auditor has to answer the following questions :

• Is the exploitation of this vulnerability trivial or sophiticated ?
  
• Could the exploitation of this vulnerability have an impact on the business activity ?