How do you create a risk assessment? Many organizations, both large and small, run into this issue. It is a very complicated task, but I will go over the basics. In a risk assessment, the risks first need to be addressed. These risks include impacts associated with the areas of the organization related to security, auditing and disaster recovery. Identification should include both tangible and intangible risks and impacts. The impacts should be quantified in dollars: lost sales, property damage, increased expenses, etc. For each asset and function, you need to identify the existing threats or risks. The risk assessment will then identify the approaches to be implemented for eliminating avoidable risks and minimizing the risks that are unavoidable.