What is the enterprise doing to prevent the risk from happening in the first place?
What is the enterprise doing to reduce the amount of damage that can be caused by the risk?
What is the enterprise doing to detect and respond to the risk when it happens?
