Formulating an IT security risk assessment methodology is a key part of building a robust information security risk management program. The process generally starts with a series of questions to establish an inventory of information assets, procedures, processes and personnel.