Posts

Showing posts from June, 2024

Cyclical risk analysis

This risk analysis process/method blends risk, security, incident and problem management, creatively combining imaginary with actual data and concerns:

Imagine you've experienced a 'typical' incident affecting whatever [information] asset/s you are risk-assessing - such as a physical incident affecting the office. Consider various types of incident, of various scales and importance e.g. an office break-in, vandalism, professional hit, insider theft, fire, flood ... or whatever. For now, pick out whatever type/s of incident seems most likely and/or damaging for further consideration - not least, real incidents that have occurred (this analysis might follow an actual incident for maximum reality!). Start exploring the associated threats, vulnerabilities and impacts, using information about actual incidents (under similar circumstances) to inform your analysis - or wing-it using common sense. This step initiates the risk analysis, clarifying the asset/s and risks of most