A Risk Assessment does two things: firstly, it gives you a good idea of where to start work (i.e. the areas with the highest risk), and, secondly, it provides evidence for senior management that your work has been successful (i.e. you have lowered the risk level).
I recommend doing a Risk Assessment before you start anything else, in order to determine the order in which you undertake tasks. If you then repeat the exercise every six or twelve months, you’ll get an idea of what progress has been made.
Your organisation may already have a method of evaluating risk. If so, use that. However, if not, you can download a template Risk Assessment below!