This involves defining the organization's level of risk tolerance, based on its goals, objectives, and overall risk profile.