The paper reports on a method for software risk assessments that takes into account “primary facts” and “secondary facts”. Primary facts are those obtained through automatically analyzing the source code of a system, and secondary facts are those facts obtained from people working with or on the system, and available documentation. We describe how both types of facts are retrieved, and how we are bridging the interpretation gap from the raw facts (either primary or secondary) to a concise risk assessment, which includes recommendations to minimize the risk. This method has been developed while performing numerous risk assessments, and is continuously being fine-tuned.