What is the first step in risk assessment for MS-500 - Microsoft 365 Security Administration professionals?