Failing to elicit requirements is as much of a risk in the traditional, negative sense as successfully defining requirements is a positive step towards successful systems development. The discipline of risk management has long since had to deal with the spectre of emergent risk and its inherent lack of predictability. Just as risk management considers how any number of vulnerabilities in a system may be exploited by accident or by malicious intent that preys upon exposure to otherwise independent factors, so successful requirements elicitation is beholden to the ability to recognise the need for, and define, derived requirements. In this paper we suggest that risk assessment and requirements elicitation are two manifestations of the same activity: creating trustworthy software. We propose the research and development of a methodology where the two disciplines converge.