SOC2-CC3-RISK-ASSESSMENT

Annual Risk Assessment Process

Control type: detective | Effectiveness: high | Frequency: Annually

What this control does

Formal methodology for identifying, analyzing, and evaluating risks to the confidentiality, integrity, and availability of systems and data.

Implementation guidance

Conduct a structured risk assessment at least annually using a consistent methodology (likelihood × impact scoring). Document assumptions, threat sources, and vulnerability analysis. Present results to leadership and use findings to prioritize the security roadmap.

Requirements satisfied

CC3.1, CC3.2

Why it matters

Without a formal, documented risk assessment process, organizations operate blindfolded—unable to distinguish critical threats from noise or allocate limited security budgets effectively. Weak or ad-hoc risk assessments lead to missed high-impact vulnerabilities, compliance gaps, and misaligned security investments that fail to address the organization's actual threat landscape.

Evidence to collect

  • Current-year risk assessment report with likelihood × impact scoring matrix, dated within 12 months
  • Documented risk assessment methodology document (e.g. NIST, ISO 31000, or custom framework) with defined scoring scales and decision criteria
  • Evidence of leadership review and sign-off (e.g. meeting minutes, email approval, or board presentation showing C-level acknowledgment of findings)
  • Risk register or remediation roadmap showing how assessment findings were translated into prioritized security initiatives or projects

Testing procedure

Request the most recent risk assessment report and validate that: (1) it covers the full scope of systems, data, and threat sources relevant to the organization; (2) likelihood and impact scores are consistently applied using a documented scale (e.g., 1–5); (3) assumptions about threat sources, asset criticality, and existing controls are explicitly stated; and (4) findings were presented to senior leadership with documented acknowledgment. Interview the risk owner to confirm the assessment informed the current security roadmap and budget allocation.

Common gotchas

Organizations often score risks inconsistently across domains—a "high" impact in one department differs from another—undermining the entire ranking. Additionally, assessments frequently list vulnerabilities without tying them to business context (which assets matter most?), resulting in organizations patching low-risk systems while critical ones remain exposed.