To protect information technology assets, effective risk management strategies need to be implemented. However, there is little empirical evidence on the factors that affect the successful undertaking of risk assessment. It is also not clearly known exactly how various factors affect the different stages of risk assessment and whether all factors are equally important across all stages. This research examines the experience of a large Australian university in implementing information security risk assessment and identifies a set of factors that exert considerable influence on the four stages of risk assessment initiative of the university. Finally, the implications of the findings are discussed.