The risk identification process involves identifying and documenting all the risks that constitute potential loss exposures for the organization and affect the achievement of its strategic goals. Some risks may not adversely affect the organization and it is important to differentiate between negative risks and positive risks or opportunities. While exploiting, enhancing and sharing positive risks with significant upside potential may be important in some circumstances, the organization should never lose sight of the negative risks and potential threats. In order to drive accountability and leverage available expertise, leadership teams, risk management professionals, subject matter experts, front line staff closest to the risks and other key stakeholders need to be fully involved in the process. Risk identification should never be based on intuition, guesswork and opinions. There are many useful internal and external information sources that can be used to identify potential risks and document their characteristics. As illustrated previously, some of the common sources of risk information include incidence reports, insurance claims, patient complaints, satisfaction surveys, audits, product recalls, hazard alerts, published literature, and many others. To provide a solid basis for risk identification, it is a good idea to categorize all potential sources of risk into risk domains.