I responded with the key risks I look at, they kind of matched the COSO framework, but I think my own risk identification methods were impressive too. They would also have been happy with the actual COSO framework. My point is, try to think out of the box when you don't know the answer instead of just saying "I don't know".