The most important step when developing risk scenarios using a list of generic scenarios based on industry best practices is to validate the generic risk scenarios for relevance. The generic risk scenarios may not be applicable or suitable for the specific context, objectives, and environment of the organization. Therefore, the risk practitioner should validate the relevance of the generic risk scenarios by comparing them with the organization’s risk profile, risk appetite, and risk criteria. Assessing generic risk scenarios with business users, selecting the maximum possible risk scenarios from the list, and identifying common threats causing generic risk scenarios are other steps that may be useful, but they are not as important as validating the relevance of the generic risk scenarios. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.