Application of Risk Management Techniques
Risks
Windows Vista, while relatively current is still a lacking OS when compared to Windows 7. All desktops connect to an industry standard switch via an Ethernet cable. While this can be a risk, it is not a sizable risk. (Minimal Risk)
The two large production facilities are connected to the headquarters via an external ISP. Even with the firewalls in place, there is no accountability if the connection they contract is in use by anyone else. I would advise contacting the ISP and verifying if the connection is shared with other users and take further action depending on their answer. (Substantial Risk)
The individual sales personnel connect via VPN software, but use their individual internet connection, usually out of their home office. This can be very dangerous as they do not fall under the blanket of protection offered by the bigger offices and their terminals are at greater risk to be tampered or infected by a malicious user. (Critical Risk)
The core idea of preventing risk is to safeguard the information stored on the database server. The workers and customers of the company have private information stored there and the loss or leak of the data could be catastrophic to the company. Ergo I suggest the changes to be made to mitigate the risk of an intruder gaining access to the network. There is not a lot of information given about the entirety of the network, so much of this may not be necessary or already in place.

Risk 1 – Desktops / Local LAN
This risk would best be approached via the mitigation risk technique. Since the network is maintained via Active Directory, the company should implement workgroups/user groups and control what workers have access to; if a program, file, or other application is not part of a workers job, they have no reason to be able to access that