Under information security laws, company management is responsible for demonstrating "due diligence" in all operations. A formal risk analysis produces the documented evidence that due diligence was exercised, and identifies the controls and safeguards needed for network security, which are then implemented.
Risk analysis procedures should be in place and ready for use at the start of every project, no matter how small. Before any project begins, the enterprise should perform a risk analysis and define the project's security requirements. This practice also ensures that only what is genuinely needed is purchased or built.
Typically, internal security experts such as the Chief Security Officer should take part in the process. The process should take no more than a couple of days and should cause minimal disruption to employees.
A properly performed risk analysis can be applied to any subject: tasks, processes, and procedures can all be assessed for security threats. It also gives management an informed basis on which to decide whether to proceed with a project at all.