This is the phase where threats, vulnerabilities and the associated risks are identified. This process has to be systematic
and comprehensive enough to ensure that no risk is unwittingly excluded. It is very important that during this stage all risks
are identified and recorded, regardless of the fact that some of them may already be known and likely controlled by the organization.
Organisation
Responsible
Risk Manager
Accountable
Risk Manager
Consulted
Domain Expert Internal Audit Risk Owner
Informed
Senior Management
Input/Output
Input data
D18 Impact statements D19 Historical information D17 Risk id methodology D20 Assessment tools