Risk assessments provide a detailed report on the current state of your enterprise's security posture and create a road map for correcting deficiencies.
They can be focused on specific aspects of your security infrastructure, such as the effectiveness of the protective measures around critical database servers; or they can be organization-wide evaluations, such as assessing the effectiveness of the overall security program.
In either case, the risk assessment has two basic parts: technical and policy/procedures.
Assessors often use methods such as penetration tests and vulnerability scans to measure the technical aspects of a security program. They'll measure how well your program patches vulnerable servers, maintains firewall rule sets and updates IDS signatures. They'll also show how easy or difficult it would be for a worm to infect your network or for a hacker to compromise data.
Assessors will measure your organization's compliance with its own security policy, as well as laws, regulations and industry standards. Your risk assessment should first determine if you're complying with the letter of the law and if you're aligned with the best practices at comparable organizations.
While internal security teams can perform a risk assessment, it's often prudent to contract an independent party to conduct the evaluation. Outside auditors bring their breadth of knowledge and experience from working with other companies. They're also unencumbered by company politics and are free to give an honest, unbiased assessment.
A risk assessment generally results in a written report and a management presentation. The report will detail findings and recommendations, providing management with information that can then be used to develop action plans and budgets and facilitate staffing and training needs.