Many major regulatory frameworks, including HIPAA, PCI, and SSAE 16, all call for risk assessments. The guidance provided as part of the requirements is either minimal or impossibly confusing. Many companies treat the requirement for a completed risk assessment as an exercise in papering the file. Many companies don’t like it, so they get through it as fast as possible, put it on file, and move on to something important. A risk assessment can clearly be an intimidating process, but it can be an essential and relatively painless process.
Source: https://www.csoonline.com/article/2992252/the-dreaded-risk-assessment.html

