There are books on this. I will try to summarize.
For a proper risk assessment, you need several things.
Document your assets. People, knowledge, intellectual property, code, data, documents, structures, motivation/morale, real property, and legality (!) can all be assets in need of protection.
Document the threat. Know what things ‘want’ to cause damage. Weather, equipment failure (air conditioning, power), malicious employee with access, flaky software, etc.
Use a matrix to determine what risks are highest. Threat (what may attack) times risk (likelihood that a threat will actually attack) gives you risk. But wait, there is a third dimension: impact.
By determining risk and impact, you have the tools needed to take effective steps to mitigate the risks.
Risk assessment is both a science and an art form. It would be best for you to buy a book and do some studying because I have only touched on this very lightly.