A list of risks that either impact or could potentially impact an organization. Additional information is also kept, including data on frequency and severity, business units and processes impacted, related controls, other risk mitigation strategies, and any risk transfer that is applied.