Using the information submitted from Identify Threats and the experience of operating IT, all potential future threats should be identified as well so that planning can begin to mitigate prior to the threat realization. Once threats are identified, every threat should be associated with a risk. Risk will detail the ramifications or impact on the organization should a threat be realized within the environment. Parallel to risk assessment, the discovery of vulnerabilities should begin. Vulnerabilities will detail structure within the IT organization that lends itself to the probability of a threat being realized.