likelihood or frequency of incidents and significant or potential impacts in order to prioritizing the management of information technology risk; (3) establishment of tools and measures for managing risk level