Below is the recommended cycle of events:
Figure 5.1 Lifecycle of risk analysis and management
The cycle above is repeated on a regular basis; once per year or every two years should suffice. Some regulations say or imply that this should be yearly, but the more common view, and one which an auditor would like to see, is that the risk exercise is done at least every two years or whenever there are major changes in perceived threats.
The steps are these:
Review threats with stakeholders to agree risk areas
Go through an exercise with stakeholders and, in particular, the functional departments to agree which areas of threat represent areas ...