Comprehensive? Well, pretty good.
The kind of thing that could keep a client’s IT staff occupied for weeks. If they had hard copy to annotate and work with.
It's interesting that classical Business Continuity Planning works more along the lines of an FMEA than a Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency; that is, it asks which failures are the most critical to the operation of the business.
The TRA approach has many flaws: threats are just about infinite and mostly unknown; vulnerabilities are infinite and unknowable; they interact in complex ways, which boils down to playing whack-a-mole; and there is not enough information for statistical analysis.
FMEA, on the other hand, identifies criticality regardless of the cause.