Deciding which information security initiatives to undertake can be a daunting task. Undergoing a risk assessment ensures that your approach to information security will be in harmony with your business objectives. Developing a formalized IT risk management process ensures that the risk inherent in an IT system is properly mitigated by implementing administrative, technical and physical controls that align with the risk tolerance levels of your organization.

A full information security risk assessment is the first requirement laid out in federal regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry - Data Security Safeguards also require merchants of all sizes to perform due diligence in assessing risk in their technology operations. Even if your organization does not have a regulatory or compliance requirement for a risk assessment, it is still the best way to baseline your organization's current security posture.

By assessing risks, identifying gaps and implementing controls that bring residual risk in line with business objectives, you can rest well at night knowing that your business is doing what is required to provide acceptable levels of protection.