Information Security Risk Assessment

Hello there i am in the process of performing risk assessment for all departments of the company.  i followed that approach for identification and evaluation of the asset value: 1- interviewed each head of department. identified information assets (started with electronic data). for each information asset (electronic data) - for example customer information, payroll information, etc. identified the asset containers (where such assets are stored (for example - Navision application, MS-sql database, user's PC, company file servers, backup tapes, etc.).  2- Interviewed each head of department in relation to information asset value (which is based to a predefined BIA matrix). for example what could be the impact in case the confidentiality of the information asset is compromise. i used values low - moderate - high. and i repeated that for each asset. 3- based to that information i put the value of information asset containers to max of the asset values that store (for example if NAVISION has customer information (moderate) and payroll information (high) - then i put the value of confidentiality for NAVISION to high. 4- during interviews I identified around 50 information assets (electronic data) and i mapped them to 5 information assets (navision and its related infrastructure (ms-sql and windows), file server, User PCs and backup tapes). all of them were rating as high (using the above mentioned logic). 5- after that i identified threats/vulnerabiltiies for each of these 5 assets. 6- i calculated risks using formula = propability * impact (which is evaluated in point 3). please let me know if this correct.. or i am missing something. thanks