• What are your significant risks?
• Who are your affected parties and how are they affected?
• What is the current level of risk?
• What are the options for reducing and mitigating these risks?
• Where do these options lie in relation to the hierarchy of controls?
• What reduced level of risk is each option likely to provide?
• How is each of these options to be implemented?
• What is the cost of each option?