Risk assessments analyze internal threats, such as an employee with too much access to critical systems, and external threats, ranging from physical disruption to potential threat actors, such as cybercriminals out to steal credit card data. HIPAA requires organizations to perform risk analysis as part of their security management processes. Organizations shouldn't undergo a single risk assessment, security experts say, but instead should create an ongoing risk management program to help identify and mitigate risks and help drive spending decisions. Risk assessment identifies vulnerabilities and configuration errors that can weaken systems. It also analyzes each threat to determine the conditions under which an attack is most likely, the likelihood of occurrence and the potential damage. According to Forrester Research, organizations must first understand the data and systems that need to be protected and then measure the likelihood of an attack's occurrence targeting the data and systems. Controls already in place need to be taken into account as well as the costs required to mitigate the foreseen risk. HIPAA requires the process be documented.