Always start with your threat analysis. You need to understand what the threats are, identify what your critical assets are, and then figure out your vulnerabilities. Now take your risk and plot the severity.
- identifying critical assets and threats to them
- identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
- developing a practice-based protection strategy and risk mitigation plan to support the organization’s mission and priorities