Your interesting question gets to the heart of general principles of risk management for any business enterprise--manufacturing, lending, retail--and any governmental authority, such as the EPA, that must identify and manage specific risks.
In theory (and in fact, in many cases), the factors that should guide a company's risk assessment are the real and potential risks that pose a threat to the individual company's or organization's primary activity. If the company is a manufacturing business, for example, the external risks would include the overall economic climate, the domestic and international market for the company's goods, and the ability of the company to obtain raw materials with which to make its products. The internal risks would include such things as the ability to attract an effective workforce, the manufacturing facility itself (its condition, modernization), and access to power to run the facility. In this example, risk managers would be closely examining all the factors that influence the company's ability to manufacture--internal and external risks--and then create a risk assessment model that mitigates internal and external risks.
An appropriate risk assessment, which includes ways to mitigate risks, is driven by an analysis of all things that pose a risk to the company's success and survival. In practice, risk management professionals try to understand everything possible about a company's operations and products and then look at risks in a descending order of importance. That is, the most threatening risks--those that would kill the company--are identified first, and then risk mitigation techniques are created for those risks, and then the remaining risks are identified and mitigated usually in their order of threat.
To answer your question in another way--if a company fails to identify any factor that poses a risk to its operations and therefore does not include that risk in its risk assessment, that oversight could, in some cases, destroy the company or, in other cases, impede its ability to operate and threaten its profitability.
In sum, then, a company's risk assessment always starts with an intense examination of all the factors that threaten its success, both internally (that is, within the company itself) and externally (all factors over which the company may have no control or little control), and then the risk management team designs a program to mitigate those risks, usually in the order of the risks' magnitude. The process, which sounds complicated, is usually guided by the risk management team's common sense, and the risk mitigation process begins with the question, "What can kill this company or impede its growth?"