An organization could select and review actions (administrative, managerial, technical, etc.) implemented in the last year(s), understand their purpose and determine what risks, i.e. probable deviations from expected, were or could be addressed by them and what context of the organization was pertinent to these risks. As a result, the organization will have ample baseline data for determining risks for the present. The best would be to get access directly to preventive actions taken in response to potential nonconformities (per se risks) but this data are usually limited. Will this preliminary step to determining risks be helpful?