What triggers updates to the risk assessment?

Updates to a risk assessment should come from both time-driven and event-driven triggers. Regular, time-driven reviews ensure the assessment stays current by reevaluating risks on a set schedule, catching drift, new assets, or evolving threat information even when no incidents occur. Event-driven updates respond to real changes in the environment—adding or removing systems, implementing new controls, discovering new vulnerabilities, changes in business processes, or after a security incident—so the assessment immediately reflects new risk levels. Limiting updates to only an annual schedule misses interim changes, and waiting only for major incidents delays visibility and remediation. Budgets changing isn’t by itself a trigger for updating risk, since the assessment should reflect actual risk posture and control efficacy, not finances alone.