Anything which needs to be managed before an event occurs termed to be Risk. When it comes to building or using software in a business scenario needs lot of assessment of risk. I came across CWRAF from a not-for-profit organization MITRE which provides a comprehensive framework to address security risk for application in the business context using Vignettes.Typical risk management framework from wikipedia is given in wikipedia.
There is also an excellent paper which refer information security in analogy with “Clean Water Act” and how CWRAF can help in the process. Its worth reading. Interestingly CWRAF framework starts from weakness where any other risk framework starts from the Threat. Its always weakness becomes a Threat so CWRAF addresses the risk from that perspective.
Also its very important to understand that there could be generic Security guidelines such as OWASP Top 10 which are followed while developing or implementing a product, but there are very high chances that those security guidelines are either not sufficient or not needed. This is to be determined based completely on the business need. This is were CWRAF using the CWSS (Common Weakness Scoring System) comes to the rescue.
The steps outlined in the below given picture will hep you to understand the steps involved in establishing risk assessment for a business need. Please note that already vignettes are available form the CWRAF website for E-Commerce, Banking, SCADA based applications which can be refined or reused.