COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives
Risk identification considers both internal and external factors and their impact on the achievement of objectives
The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management
Identified risks are analyzed through a process that includes estimating the potential significance of the risk
Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk
The entity’s risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.