Page 80 - CISSO_Prep_ Guide
Now that the information has been classified, the risk
assessment can begin. The risk assessment will need to
determine asset value, which in many cases depends on the
information classification.
Risk Assessment
Risk assessment is the evaluation and analysis of risk in terms
of the probability (likelihood) that an adverse event may occur
and, if it does, how much damage (impact) that adverse event
would cause. The risk assessment process identifies the risk to
the organization, estimates the level of each risk, allows risk to
be prioritized (that is, which risk should be addressed before
others), and justifies some of the expense associated with the
response to or treatment (i.e., mitigation or reduction) of risk.
The output from a risk assessment is a report describing the
risk and listing recommendations on how the risk should be
managed, including whether each identified risk should be
mitigated, avoided, accepted, or transferred.
Risk Analysis versus Risk Assessment
Some reference materials distinguish between Risk Analysis and
Risk Assessment; others do not. ISACA does not make a
significant distinction between the two terms: both risk
assessment and risk analysis are based on consequence and
likelihood (probability).
ISACA defines risk assessment as "a process used to identify
and evaluate risk and its potential effects."