I have spent a good bit of my time over the past few months helping customers with risk assessments. Since many of the major regulatory frameworks, including HIPAA, PCI, and SSAE 16, all call for them, organizations have been forced, some kicking and screaming, to engage in reviewing their risks.
Many companies treat the requirement for a completed risk assessment as an exercise in “papering the file” – it must be done, so get through it as fast as possible, put it on file, and move on to something important. I don’t find this surprising, given that the guidance provided as part of the requirements is either minimal or impossibly confusing. For example: HIPAA Section 164.308(a)(1)(ii)(A) has only 23 words on the subject; PCI 12.1.2 has 15; and SSAE 16 makes only general references.