Risk assessment is the process that identifies hazards, analyzes and evaluates the risk associated with each hazard, and determines appropriate ways to eliminate or control that hazard. In practical terms, a risk assessment is a thorough look at a workplace to identify the things, situations, processes, etc. that may cause harm, particularly to people. Once those hazards are identified, you evaluate how likely and how severe the resulting risk is, and then decide what measures should be in place to effectively prevent or control the harm.

Risk assessments are not easy, and they are not meant to be. If companies could easily identify and understand all of the risks to their business and could evaluate how to effectively mitigate them, the world would be a much more boring place. Fundamentally, while formal methodologies use different titles for the steps, the expected end result is the same: to understand what risks exist to your business and to have a solid understanding of the likelihood and impact of each risk if it is realized.

Too often I see an information technology or information security team member assigned to conduct a risk assessment that, because of their role in the organization, naturally becomes IT focused. While some technology-specific risks are adequately addressed in this manner, the focus here is an organizational risk assessment. Information security and technology teams usually do not know the business processes; they concentrate their efforts on specific threats and technologies and are then unable to justify, in business terms, the need for new security products. On the other side of the fence, business personnel know their processes and which data is important to them, but most likely have little knowledge of the technology supporting those processes. This can result in “risk reducing” proposals for complicated process changes that may not be needed if new technical tools can be introduced.
Bringing the teams together and bridging that knowledge gap is a key step in conducting a thorough risk assessment. To address this, it is best to have a team dedicated to risk management for the organization. As an organization grows, it may be appropriate to have a team, or members of a team, assigned to different business units. While this team may be charged with drafting the formal risk assessment report(s), its purpose should not be to conduct the risk assessment itself, but to bring together the appropriate business and technical stakeholders and facilitate the risk assessment process. Whoever is responsible for facilitating the risk assessment should be able to establish with the organization that protecting data is the primary goal, and that all of the people, processes, hardware, software and other technology are tools used to do something with that data. Once the premise of the assessment is understood and the sensitive data elements are identified, then it is time to .