In this paper, an exercise called Riches, Ruins & Regulations has been devised to uncover business risks in a non-technical and interesting way. Riches, Ruins & Regulations is moderated by a member of the security team and performed by a small group of LOB leaders. The primary purpose of the exercise is to uncover information assets of significant value if stolen, potential attacks that might cause great damage, and costs associated with failure to meet regulatory requirements.