In my current role, the discovery and follow-up meetings are used to collect information in the following areas: application environment overview, hardware, software, network transmissions, authentication and authorization, logging and auditing, storage, and support and maintenance. This information must be consistent with the data in the ECQ (Environmental Change Questionnaire) that is filled in by the SMEs (Subject Matter Experts) of the group requesting the assessment. The most commonly used ECQ sections cover datasets (data in storage), hardware, software, and networks. The ECQ is a database and contains all the latest entries for a request.
The discovery questions can be kept in a template with questions for each of the sections that belong in the change summary of the risk assessment. The request's change summary must focus only on the changes in that specific request, not on the whole security plan the request belongs to; remember that one security plan can receive multiple requests (changes) over time. Once the narrative is complete, it needs to be tuned to list all of the reference plans (technologies) associated with the request's change.
The assessor should target discovery and other common questions at SMEs so that they reveal specific risks. Some risks are not easily seen and require creative questions. The depth of a risk may also need greater exploration, because it could have cascading or explosive ramifications (e.g. a critical risk in a storage subsystem that propagates to every application running on it).
The TVM section of the risk assessment must contain every risk found in the discovery analysis as well as the risks in the assessment summary. A database holds risks, vulnerabilities, threats, impacts, controls, and mitigating controls. This matrix is the core of risk creation and is kept in a formula-based database. The TVM database should be re-examined periodically to confirm that the most dangerous threats are elevated in the rankings and that threats that are no longer as serious (e.g. because better IT technology has been deployed) are lowered. A strong TVM gives consistent evaluations over time: with the same inputs, only assessor judgment or a change to the formulas produces different results.
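To make the two preceding points concrete (cascading impact from a shared subsystem, and a formula-based matrix that ranks consistently and is re-weighted at periodic review), here is an added toy model of such a TVM. It is example code written for this page, not the database or formula used in the author's organization; the scoring formula (residual likelihood multiplied by cascaded impact), the threat weights, the asset list, the dependency map and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Control:
    name: str
    reduction: float   # fraction of the threat's likelihood this control removes (0.0 .. 1.0)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat: str        # key into the threat table
    vulnerability: str
    asset: str         # key into ASSET_IMPACT
    controls: tuple = ()


# Constructed sample threat table: baseline likelihood per threat (1 = rare .. 5 = expected).
# This is the table the text says should be re-examined periodically.
THREATS = {
    "ransomware": 5,
    "credential_theft": 4,
    "legacy_protocol_sniffing": 4,
    "disk_failure": 3,
}

# Constructed asset impacts (1 = negligible .. 5 = severe) and a "runs on" dependency map.
ASSET_IMPACT = {"san_storage": 2, "payroll_app": 5, "hr_portal": 3, "vpn_gateway": 4}
DEPENDS_ON = {"payroll_app": ["san_storage"], "hr_portal": ["san_storage"]}

# Constructed sample risks, as they might be entered after a discovery meeting.
RISKS = [
    Risk("R1", "ransomware", "writable SMB shares from user workstations", "san_storage",
         (Control("offline backups", 0.5),)),
    Risk("R2", "credential_theft", "password-only remote access", "vpn_gateway",
         (Control("MFA", 0.6),)),
    Risk("R3", "legacy_protocol_sniffing", "HR portal still served over plain HTTP", "hr_portal"),
    Risk("R4", "disk_failure", "single-controller array", "san_storage",
         (Control("RAID-6", 0.7), Control("SMART monitoring", 0.2))),
]


def dependents_of(asset):
    """Assets that run directly on top of `asset`."""
    return [a for a, deps in DEPENDS_ON.items() if asset in deps]


def effective_impact(asset):
    """Cascading impact: a subsystem inherits the worst impact of anything built on it, transitively."""
    return max([ASSET_IMPACT[asset]] + [effective_impact(d) for d in dependents_of(asset)])


def residual_likelihood(risk, threats):
    """Baseline threat likelihood, reduced multiplicatively by each mitigating control."""
    return threats[risk.threat] * prod(1.0 - c.reduction for c in risk.controls)


def score(risk, threats):
    """The (assumed) formula: residual likelihood x cascaded impact, rounded to keep results stable."""
    return round(residual_likelihood(risk, threats) * effective_impact(risk.asset), 2)


def rank(risks, threats):
    """Rank every risk with the same formula so two assessors get the same ordering."""
    scored = [(r.risk_id, score(r, threats)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def reweight(threats, **changes):
    """Periodic review: return a new threat table with adjusted baseline likelihoods."""
    updated = dict(threats)
    for name, weight in changes.items():
        if name not in updated or not 1 <= weight <= 5:
            raise ValueError(f"bad threat adjustment: {name}={weight}")
        updated[name] = weight
    return updated


if __name__ == "__main__":
    for rid, s in rank(RISKS, THREATS):
        print(rid, s)
    # After plain-HTTP services are retired network-wide, the sniffing threat is lowered to 1.
    for rid, s in rank(RISKS, reweight(THREATS, legacy_protocol_sniffing=1)):
        print("reviewed:", rid, s)
```

The storage risks R1 and R4 carry the payroll application's impact of 5 rather than the array's own 2, which is the cascading effect described above; the disk-failure risk still ranks last only because its two mitigating controls cut its likelihood hard. The same inputs always produce the same ordering, and re-running after `reweight` shows how a periodic review moves a threat that technology has made less serious down the list without touching the assessor's other entries.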