3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Is a formal written risk assessment policy and/or process in place, including risk ranking, assessment and formal reporting to management? Have an initial and periodic risk assessments been conducted? Is the frequency to assess risks to organizational operations, assets, and individuals defined?.