Categorizing systems into discrete risk levels to determine appropriate governance controls and oversight requirements.