4. Which step in the risk management process defines the probability and impact of each risk to determine the severity?