There are three parts, or "phases" to creating risk assessment reports.
Phase 1: Pre-assessment. During this time the level of threat is determined, data is collected, and templates are created to monitor and measure the severity of the dangers and risks.
Phase 2: Assessment. Takes the information gathered in the pre-assessment phase and develops it. Assessment includes document review, system characterization, threat and vulnerability identification, and risk determination, which is arrived at by way of calculation and valuation matrixes. After all this data has been evaluated, the risk manager then makes recommendations for risk mitigation.
Phase 3: Post-Assessment. In the final phase, risk mitigation is implemented and monitoring is established over the long term.