Risk assessment is part of the risk management process to identify exposure, likelihood and business risks so that the necessary protection measures could minimize the impact.
The tricky thing is most often controls are implicitly assumed, e.g. the access control to the target application relies on the robustness of the Identity Provider enforcing the defined roles & privileges, the effectiveness of anti-malware protection relies on the backend process to refresh for up-to-date definition, the platform and system applications are regularly hardened from known vulnerabilities, network perimeter controls are defined correctly and so on. Therefore, it is important to align and set the scene what key assumptions are referred in the very first step before assessing risks.
If any of these is incorrect, then the exposure will be under-estimated and so for the residual risks.