Information risk planning is a key information governance program activity. Information risk planning requires that the organization take a number of specific steps in identifying, analyzing, and countering information risks. There are additional compliance and legal risks to identify and research. Federal, provincial, state, and even municipal laws and regulations may apply to the retention period for business or patient information. Organizations operating in multiple jurisdictions must maintain compliance with laws and regulations that may cross national, state, or provincial boundaries. A risk assessment can be compressed into five basic steps: identifying the risks, determining potential impact, evaluating risk levels and probabilities and recommend action, creating a report with recommendations and implement, and reviewing periodically. The risk mitigation plan develops risk reduction options and tasks to reduce specified risks. Metrics are required to measure progress in the risk mitigation plan. Audits provide feedback on the progress of the risk mitigation plan.