This is the phase where threats, vulnerabilities and the associated risks are identified. This process has to be systematic
and comprehensive enough to ensure that no risk is unwittingly excluded. It is very important that during this stage all risks
are identified and recorded, regardless of the fact that some of them may already be known and likely controlled by the organization.