Even if you are assessing your own organization, you need to develop a deep understanding of things for your risk assessment to be successful. Overall you are trying to discover.

• The organization’s goals and objectives
• Its structure and individual roles and responsibilities
• What ‘normal’ looks like
• The critical processes
• Risk attitudes, tolerance and appetite
• The operating environment and likely threats
• Sensitivities and potential conflicts or roadblocks
• Any upcoming changes to ‘normal’

You can achieve this through a combination of document reviews and interviews. Ideally, conduct the review beforehand and make sure that you plan out your interviews in advance.

Gather as much information as time allows as the assessment will probably require more data than you think.