What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following:
RISK is the
PROBABILITY that a
THREAT will exploit a
VULNERABILITY to cause harm to an
R = f(T, V, A)
Why do you think they are called "TVAs"?
More sensibly the risk is the sum over all the various ..
This isn't just me sounding off. Richard Bejtlich says much the same thing and defends it from various sources. I can't do better than he has.
In one of the forums I subscribe to, the question came up: "How often should one carry out an internal audit?" There were variations on this to do with external audits as well. Let's suppose you aren't one of the recalcitrant types that take the attitude that audits aren't necessary or that an audit - or a risk analysis for that matter - needs to be done just the once.
How often? Yearly? Every six months? Every month?
Maybe. Maybe not.
If you are one of a certain set of classes of organizations, there are rules that mandate when you get audited. For example, if you process credit cards then the PCI DSS rules apply to you.
And so forth.