The problems I see with the typical risk assessment are as follows:

  • Keeping the list of assets up to date

  • Keeping the status of the treatments up to date and the risk level consistent with it.

  • Maintaining the dependencies between assets so that irrelevant assets (like a server) carry the real risk (due to the fact that the server allows a critical process to run).

The problem I see is that by the time I finish the Excel sheet, the results are no longer relevant.

Forced Port

1 Answer

There are many commercial asset management solutions that auto-discover assets and their relationships, such as ServiceNow.

Then the discovery scans run daily or weekly on a schedule to keep it up-to-date.

Of course, nothing is perfect, so it has to be put directly on the shoulders of the server and app owners to update or fix any incorrect data, or add any missing data, in the inventory on a recurring basis and after any change control.

For example:

  • a project can't go live until all systems, apps, and their relationships are updated

  • a new PC or server cannot be deployed until it's in the inventory

  • when a system is decommissioned, they must remove it from the inventory

The risk assessor should then just be given access to the inventory, but should not be required to maintain it.

schroeder