Qualitative risk assessment is used when quantitative data (monetary loss, exact downtime cost, RTO) is unavailable or unreliable. The SecurityX CAS-005 GRC objectives note that qualitative methods rely on expert judgment, likelihood scales, and impact ratings rather than financial calculations. In this case, insufficient metrics rule out quantitative analysis. Option A (work experience) is irrelevant to the choice of assessment type. Option C (risk register) supports tracking, not selecting the assessment method. Option D describes a quantitative goal, which is not possible with the given lack of metrics.