Identifies and categorises organisation-wide strategic and operational risks. Breaks down risks by sub-categories, such as compliance, architecture, environment, financial etc. and considers mitigation activities in the context of organisational risk appetite.