A security manager needs to perform a risk assessment on a critical business application, in order to determine what additional controls may be needed to protect the application and its databases. The best approach to performing this risk assessment is:_____.