A “perfect” risk assessment isn’t the goal.
Several years ago I worked with a client to help develop a formal risk assessment process for their organization. This client has a very knowledgeable and capable security department, and they were ready to formalize a process for risk assessment and start rolling it out across the company. They were a little ashamed that it had taken them until now to create such a process, and as we talked through how the risk assessment process would work, they swallowed hard and indicated that it seemed to be a very daunting undertaking.
What they figured out was that even without a formal process or training, they’d been doing risk assessments informally for a long time. Formal methodology or not, security professionals can’t help thinking about risks – it’s how we’re wired. The client then became less concerned about how difficult it would be to conduct a risk assessment and started making a list of the initiatives that would need to be evaluated once their process was ready to go.