Regulatory
Required, not optional
HIPAA Security Rule, PCI DSS v4.0, SOC 2, ISO 27001, NIST 800-171, GDPR, NYDFS Part 500, and DORA all mandate a documented risk assessment. Many require annual or post-change reassessment.
Pillar guide · ~14 min read · Updated May 2026
What is a risk assessment?
A risk assessment is the structured process of identifying what could go wrong, scoring how likely and how damaging each risk is, and deciding what to do about it. The output is a current register of named risks with owners, scores, controls, and treatment plans. Every credible framework (ISO 31000, NIST SP 800-30, ISO 27005, COSO ERM) describes the same five activities: identify, analyse, evaluate, treat, and monitor.
- Reading level
- Practitioner
- Frameworks
- ISO · NIST · FAIR
- Audience
- Risk · GRC · Cyber
- Last reviewed
- May 2026
01 · Definition
What is a risk assessment?
A risk assessment is the structured process of identifying hazards or threats, analysing how likely each one is and how damaging it would be, and deciding what to do about it. The output is a register of named risks with scores, owners, controls, and a treatment plan. Frameworks differ in labels; the underlying activity does not.
The discipline goes back decades in health-and-safety law (OSHA in the US, the HSE in the UK), and was generalised by the International Organization for Standardization in ISO 31000 in 2009 (revised 2018). Today the term applies across domains: cyber, operational, financial, strategic, compliance, physical security. The mechanics are the same; the risks, controls, and stakeholders differ.
Hazard or threat
The thing that could cause harm. A vulnerability in a system, a chemical in a workplace, a market shift, a vendor failure, an adversary.
Likelihood
How probable the harm is, over a defined time window. Expressed on an ordinal scale (Low/Medium/High) or a probability distribution for quantitative work.
Impact
The consequence if it occurs. Dollar loss, downtime, regulatory penalty, harm to people, reputational damage, lost opportunity.
“Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.”
02 · Why it matters
Why does a risk assessment matter?
Boards, regulators, insurance carriers, and customers now expect a defensible risk story, not a control checklist. A working risk assessment produces that story.
Board accountability
The SEC and DORA test
The 2023 SEC cyber disclosure rules and the EU's Digital Operational Resilience Act require boards to demonstrate that material risks are identified, assessed, and managed. A current register is the answer to both.
Insurance
Carrier pre-conditions
Cyber insurance applications now treat the existence of a documented risk assessment as a pre-condition for quoting. Carriers want to see the methodology, the register, and the treatment plan.
Named regulators that require risk assessments
- US HHS Office for Civil Rights (HIPAA Security Rule §164.308)
- PCI Security Standards Council (PCI DSS v4.0 Req 12.3.1)
- AICPA (SOC 2 TSC CC3.1, CC3.2)
- ISO/IEC (ISO 27001 Clause 6.1.2)
- US NIST (SP 800-30, 800-39, 800-37 RMF)
- EU Commission (DORA Art. 6, GDPR Art. 35 DPIA)
- NY DFS (Part 500 §500.09)
- FFIEC (IT Examination Handbook)
- UK HSE (Management of Health and Safety at Work Regulations 1999)
- US OSHA (29 CFR 1910 hazard assessment)
03 · The process
The 5-step risk assessment process
ISO 31000 calls them risk identification, analysis, evaluation, treatment, and review. NIST SP 800-30 splits the same activities across prepare, conduct, communicate, and maintain. The labels drift; the work does not.
- Step 01
Identify the risks
List the things that could go wrong, against the assets, processes, or objectives that matter. Pull from interviews, audit findings, past incidents, threat intelligence, and the risk register from the last cycle. Each risk gets a one-sentence statement: a threat, a vulnerability, and a consequence.
OutputA working list of named risks with owners assigned. No scoring yet. - Step 02
Analyse likelihood and impact
For each risk, work out how likely it is to occur and what the consequences would be if it did. Use the same scale across the whole register so the numbers are comparable. Most teams start with a 5x5 ordinal matrix; a smaller subset of risks gets a dollar-denominated analysis later.
OutputAn inherent score per risk (likelihood multiplied by impact), before any controls are credited. - Step 03
Evaluate against appetite
Compare the inherent score to the organisation's documented risk appetite. Anything above the line needs a treatment decision. Anything below the line gets accepted, with the rationale captured in the register so the next reviewer understands why.
OutputEach risk classified as accept, treat, transfer, or avoid; treatment owners named. - Step 04
Treat the risk
For risks that need treatment, design the controls. Some are preventative (training, access reviews, segmentation), some are detective (monitoring, audits), some are corrective (incident response, backups). Map each control to the risk it reduces, and set a target residual score that the treatment is expected to deliver.
OutputA treatment plan with target score, owner, deadline, and the controls that link the two. - Step 05
Monitor and review
Risks change. Controls drift. New threats appear. A working assessment is reviewed quarterly for the top quartile, annually for the full register, and immediately when material events occur (new system, new vendor, new regulation, post-incident). Key risk indicators (KRIs) carry the watch between reviews.
OutputAn evergreen register that reflects current exposure, not last year's snapshot.
The fifth step is where most programmes go wrong. Running steps one through four once a year and producing a deck is not a working risk assessment, it is a snapshot that goes stale within a quarter. Programmes that hold up under audit and under board scrutiny run step five continuously: KRIs breach thresholds, control tests fail, incidents land, and the residual scores on the affected risks update without waiting for the next cycle.
04 · Scoring
The 5x5 risk matrix explained
The 5x5 risk matrix is the workhorse of step two. You rate likelihood from 1 to 5, rate impact from 1 to 5, and multiply the two for a risk score from 1 to 25. The colour bands turn that number into a decision: green is accept, amber is treat where it pays, orange is escalate, red is act now.
| Likelihood ↓ / Impact → | 1Insignificant | 2Minor | 3Moderate | 4Major | 5Severe |
|---|---|---|---|---|---|
| 5Almost certain | 5Medium | 10High | 15Extreme | 20Extreme | 25Extreme |
| 4Likely | 4Low | 8Medium | 12High | 16Extreme | 20Extreme |
| 3Possible | 3Low | 6Medium | 9Medium | 12High | 15Extreme |
| 2Unlikely | 2Low | 4Low | 6Medium | 8Medium | 10High |
| 1Rare | 1Low | 2Low | 3Low | 4Low | 5Medium |
Low1 to 4
Accept and monitor. Manage by routine procedures.
Medium5 to 9
Treat where cost-effective. Assign an owner and a review date.
High10 to 14
Treatment required. Escalate to management; track to a target.
Extreme15 to 25
Immediate action. Senior leadership attention; stop or remediate.
The matrix is fast and easy to read, which is exactly why boards like it. The catch is calibration: "likely" and "major" have to be defined in writing so two assessors score the same risk the same way. Document the scale once, and a 3x3 matrix works for a small register while the 5x5 gives you the resolution a larger programme needs.
Want the grid ready to use? Read how the risk assessment matrix works in depth, or download the free risk matrix template.
05 · Methodologies
Qualitative vs quantitative methodologies
The honest answer is that mature programmes run both. Qualitative for breadth across the whole register; quantitative for depth on the risks the board will ask about by name.
Qualitative
Ordinal scales, heat maps, fast and shareable
When: Use it for the full register, especially early in the programme.
- Score likelihood and impact on a 1-to-5 (or 1-to-3) ordinal scale
- Plot results on a heat map, escalate anything above the appetite line
- Fast: minutes per risk once scoring criteria are documented
- Default for ISO 27005, NIST 800-30, and OCTAVE Allegro
Trade-off
Hard to defend with precision. 'High' means different things to different people unless the criteria are tightly documented and assessors are calibrated.
Quantitative
Dollars, distributions, loss-exceedance curves
When: Use it for the top 10 to 20 risks, where investment trade-offs are real.
- Express risk in monetary terms: loss event frequency multiplied by loss magnitude
- FAIR is the de facto standard; Monte Carlo for distributions
- Outputs an annualised loss expectancy and a loss-exceedance curve
- Lets a CFO compare cyber spend against other investments on equal footing
Trade-off
Slow and data-hungry. Easy to anchor on bad assumptions; the maths hide the inputs. Overkill for tail risks where qualitative will do.
The practical pattern
Score the whole register qualitatively on a 5x5. Identify the top 10 to 20 risks the board cares about. Run FAIR on those. Reconcile both views on the dashboard so the heat map shows the qualitative picture and the loss-exceedance curve shows the quantitative one. Two views, one register, no double-counting.
06 · The two scores
Inherent vs residual risk
Every risk carries two scores, and the gap between them is the point of the whole exercise. Score the matrix twice: once before controls, once after.
Inherent risk
The exposure before any controls are credited: the raw threat against the asset, scored on likelihood and impact as if nothing were in place to reduce it. It tells you how big the problem is at its source.
Residual risk
The exposure that remains after the controls currently in place are credited. It is the number that decides whether a risk sits inside your appetite or needs more treatment. Residual, not inherent, is what you manage day to day.
The gap between inherent and residual is the work your existing controls are doing. The gap between residual and your target residual is the work the planned treatment still owes. Boards want all three numbers on one line: where we were, where we are, and where we are heading. Read the full inherent vs residual risk guide.
07 · A common mix-up
Risk analysis vs risk assessment
The two terms get used as if they mean the same thing. They do not. Risk analysis is one step inside the broader risk assessment.
ISO 31000 is explicit about the nesting. Risk assessment is the overall process, and it contains three activities in order: risk identification (finding what could go wrong), risk analysis (working out the level of each risk by scoring likelihood and impact), and risk evaluation (comparing that level against your appetite to decide what to act on).
So risk analysis is the middle stage, the part where you actually put numbers on a risk. Risk assessment is the full identify-analyse-evaluate cycle that wraps around it and produces the register and the treatment decisions. Every risk analysis happens inside a risk assessment; not every part of a risk assessment is risk analysis.
08 · Frameworks
Risk assessment frameworks worth knowing
You do not have to pick one and live with it forever. Most mature programmes run a stack: an enterprise wrapper (ISO 31000 or COSO ERM), a methodology (ISO 27005, NIST 800-30, or OCTAVE), and a quantitative engine (FAIR) for the top risks.
ISO 31000
Enterprise-wide risk management
The international standard for risk management principles, framework, and process. Sits above any specific domain (cyber, operational, financial) and gives the common vocabulary boards and regulators recognise.
NIST SP 800-30
Information security risk
The US National Institute of Standards and Technology guide for conducting information system risk assessments. Pairs with NIST 800-39 (organisational) and NIST 800-37 (the RMF). Default for US federal contractors.
ISO/IEC 27005
Information security risk (ISMS)
The risk methodology that lives inside ISO 27001. Tells you how to identify, analyse, evaluate, and treat information security risks against the Annex A control set. Required reading if you are pursuing or maintaining ISO 27001 certification.
OCTAVE Allegro
Information asset risk
Operationally Critical Threat, Asset, and Vulnerability Evaluation. Developed at Carnegie Mellon SEI, focuses on the information assets themselves rather than on systems. Compact and self-directed, popular with mid-size teams.
FAIR
Quantitative cyber risk
Factor Analysis of Information Risk. The de facto standard for expressing cyber risk in dollar terms. Pairs with a Monte Carlo simulation to produce loss-exceedance curves the CFO and board will recognise.
COSO ERM
Enterprise risk for public companies
The Committee of Sponsoring Organizations framework. Widely used by US public companies and is the reference cited by SOX internal controls work. Twenty principles organised around governance, strategy, performance, review, and information.
09 · Categories
Common risk categories
Six categories cover the vast majority of enterprise risks worth tracking. Use them as a starter taxonomy, then split or merge as the programme matures.
Operational
Risks from people, processes, and systems. Process failures, key-person dependencies, change-management gaps, capacity issues, vendor outages. The category that touches the most day-to-day work.
Cyber and IT
Threats to confidentiality, integrity, and availability of information systems. Ransomware, phishing, exploitation, insider misuse, cloud misconfiguration. The fastest-growing category on most registers since 2020.
Financial
Liquidity, credit, market, currency, and counterparty exposures. Owned by the finance and treasury functions, but the controls (segregation of duties, reconciliations, approvals) overlap with operational and compliance work.
Strategic
Risks to the organisation's ability to meet its objectives. New competitors, technology shifts, customer-base changes, M&A integration. Long-horizon, hard to quantify, but the category boards ask about first.
Compliance and regulatory
Risks of non-compliance with laws, standards, and contractual obligations. HIPAA, PCI DSS, GDPR, SOC 2, SOX, sector-specific rules. Often the trigger for the first formal risk assessment a programme runs.
Physical and environmental
Site security, workplace safety, fire, flood, severe weather, infrastructure failure. Usually owned by facilities or EHS teams, but the residual score feeds the enterprise register alongside cyber and operational.
No category is independent of the others. A ransomware event is a cyber risk that lands as an operational outage, a financial loss, a compliance breach (HIPAA, GDPR), and a strategic reputational hit. The register should record the primary category, but the controls and the impact analysis touch the rest.
10 · Terms
Risk assessment vs risk management vs risk register
The three terms get used interchangeably. They are not the same thing. Knowing the difference is the first sign of a mature programme.
| Term | What it is | Frequency |
|---|---|---|
| Risk assessment | A bounded activity that identifies, analyses, and evaluates risks against a defined scope (an asset, a system, a process, the enterprise). Produces a register and a treatment plan. | Periodic (typically annual, with quarterly updates and event-triggered reassessments) |
| Risk management | The ongoing discipline that includes governance, appetite-setting, assessments, treatment execution, monitoring, incident response, and reporting. The programme that contains the assessments. | Continuous (every working day) |
| Risk register | The artefact. A structured record of every risk identified, with scores, owners, controls, treatment decisions, target scores, review dates, and an audit trail. The source of truth that every dashboard and board pack reconciles to. | Live (updated as evidence arrives) |
The simplest way to remember it: the assessment is what you do, the register is what you keep, and risk management is the programme that runs both. A programme that does an assessment without maintaining the register has a report. A programme with a register but no scheduled reassessments has a museum.
11 · Tooling
Tools and templates
A spreadsheet works for a first assessment. It breaks the moment a programme adds a second framework, a third assessor, or a fourth business unit. Below are the free templates we publish, plus what the platform adds when the spreadsheet gives out.
Free templates and checklists
Use these as starting points. Each one maps to a recognised framework and is structured so the work transfers cleanly into any GRC platform later.
When the spreadsheet gives out
A platform centralises the register, the control library, and the treatment workflow. Assessments run against any framework; controls cross-map so one piece of evidence pays off across HIPAA, ISO 27001, SOC 2, PCI DSS, and NIST.
Authoritative sources
Where to read the primary documents
The frameworks referenced on this page are published by international standards bodies, US federal agencies, and academic research centres. Direct links below.
- ISO 31000:2018 Risk management guidelinesInternational Organization for Standardization
- NIST SP 800-30 Rev. 1 Guide for Conducting Risk AssessmentsNIST Computer Security Resource Center
- NIST Cybersecurity Framework 2.0National Institute of Standards and Technology
- ISO/IEC 27005:2022 Information security risk managementInternational Organization for Standardization
- OCTAVE Allegro: Improving the Information Security Risk Assessment ProcessCarnegie Mellon Software Engineering Institute
- COSO Enterprise Risk Management FrameworkCommittee of Sponsoring Organizations of the Treadway Commission
- OSHA Hazard Identification and AssessmentUS Occupational Safety and Health Administration
- Risk assessment under the UK Health and Safety ExecutiveUK Health and Safety Executive
12 · Free downloads
Templates and worksheets
Everything on this page, ready to use. Each download maps to a recognised framework and is structured so the work transfers cleanly into a GRC platform when the spreadsheet gives out.
Free risk matrix template
The 5x5 matrix as a ready-to-use grid with the bands and scoring built in.
Free risk assessment template
A structured worksheet for the full identify, analyse, evaluate, treat flow.
Free risk register template
The living artefact: risks, scores, owners, controls, and review dates.
Risk assessment matrix
How the matrix works, when to use 3x3 versus 5x5, and how to calibrate it.
Free vendor risk assessment checklist
Apply the same method to third parties before and after onboarding.
13 · Frequently asked
Risk assessment, answered
The questions that come up on the way to a working programme, with practitioner answers.
What is a 5x5 risk matrix?
A 5x5 risk matrix is a grid that scores each risk by multiplying its likelihood (rated 1 to 5) by its impact (rated 1 to 5), giving a number from 1 to 25. The cells are coloured into bands: low (roughly 1 to 4, green), medium (5 to 9, amber), high (10 to 14, orange), and extreme (15 to 25, red). The band tells you what to do, from accept and monitor at the low end to immediate senior-leadership action at the high end. It is the most common qualitative scoring tool because it is fast, visual, and easy to explain to a board, though the bands have to be documented so 'likely' and 'major' mean the same thing to every assessor.
What is the difference between risk analysis and risk assessment?
Risk analysis is one step inside a risk assessment. In ISO 31000 terms, risk assessment is the overall process that contains three activities: risk identification (finding the risks), risk analysis (working out likelihood and impact, the level of risk), and risk evaluation (comparing that level against your risk appetite to decide what to act on). So risk analysis is the middle stage where you actually score each risk, while risk assessment is the full identify-analyse-evaluate cycle that surrounds it and produces the register and treatment decisions.
What is a risk assessment in simple terms?
A risk assessment is the structured process of working out what could go wrong, how bad it would be, how likely it is, and what to do about it. The output is a register of risks with scores, owners, and treatment decisions. Every credible framework (ISO 31000, NIST 800-30, ISO 27005, COSO ERM) describes the same five activities under slightly different labels: identify, analyse, evaluate, treat, and monitor.
What are the five steps of a risk assessment?
Identify the risks; analyse the likelihood and impact of each; evaluate them against the organisation's risk appetite; treat the ones that exceed appetite by adding controls or transferring the risk; and monitor the register so it reflects current exposure. The first four happen during the assessment itself, the fifth keeps it useful between assessments. Most organisations run a full review annually and update the top-tier risks quarterly.
Who is responsible for conducting a risk assessment?
Accountability sits with senior management; the operating responsibility usually sits with a risk function (CRO, head of risk, GRC manager) or, for cyber-specific assessments, with the CISO and security team. The work itself is collaborative: each risk needs a named owner from the business, and subject-matter experts contribute scoring input. Internal audit and the audit committee typically review the methodology and the resulting register.
How often should a risk assessment be performed?
Run a full enterprise risk assessment at least annually. Update the top quartile of risks quarterly. Trigger ad-hoc reassessments on material events: a new system going live, a major vendor onboarded, a regulatory change, a sector incident, or any internal incident that revealed a control gap. Modern programmes supplement scheduled assessments with continuous monitoring (KRIs, control tests, compliance findings) so residual scores update as evidence arrives.
What is the difference between qualitative and quantitative risk assessment?
Qualitative uses ordinal scales (Low / Medium / High, or 1 to 5) for likelihood and impact, then plots them on a heat map. Fast, accessible, good enough for most risks. Quantitative expresses risk in dollar terms via FAIR or Monte Carlo simulation: loss event frequency multiplied by loss magnitude, with distributions, producing an annualised loss expectancy. Most programmes run qualitative across the whole register and reserve quantitative for the top 10 to 20 risks where the cost of being wrong is high.
What is the difference between a risk assessment and risk management?
A risk assessment is one activity inside the broader discipline of risk management. The assessment produces the register, scores, and treatment decisions. Risk management is the ongoing programme that includes governance, appetite-setting, monitoring, reporting, incident response, and feedback into strategy. Put simply: the assessment is what you do; risk management is how you run the function that decides what to do with the output.
What is the difference between a risk assessment and a risk register?
The risk assessment is the process; the risk register is the artefact. The register is the structured record of every risk identified during the assessment, with its score, owner, controls, treatment decision, target score, next review date, and status. The register persists between assessments and gets updated as conditions change. A risk assessment without a maintained register is a report that goes stale within a quarter.
What goes in a risk assessment report?
Scope and methodology (what you assessed, how, against which framework), executive summary of the top risks, the full risk register, the treatment plan with owners and deadlines, the residual risk profile relative to appetite, and recommendations. Mature reports add: cross-mapping to compliance findings, KRI thresholds, scenario analysis on the top quantitative risks, and a comparison to the previous assessment cycle. Length varies from 10 to 80 pages depending on audience.
What is inherent risk versus residual risk?
Inherent risk is the exposure before controls are considered: the raw threat against the asset. Residual risk is the exposure that remains after the controls currently in place are credited. The gap between the two is the work the existing controls are doing. The gap between residual and the target residual is the work the planned treatment still owes. Boards want to see all three numbers on the dashboard: where we were, where we are, and where we are going.
What is risk appetite and why does it matter for an assessment?
Risk appetite is the level of risk the organisation is willing to accept in pursuit of its objectives. Without a documented appetite, the assessment has no decision criterion: every High becomes urgent, every Medium gets argued. Setting appetite once, at the board level, in qualitative statements per risk category (low for regulatory, moderate for operational, higher for innovation) gives every assessment a defensible line to compare against. Translate appetite to quantitative thresholds where you can.
Do small businesses need to do a risk assessment?
Yes, and the smaller the team the more disciplined the assessment should be (because there are fewer people to absorb the consequences of missing a risk). Start with the top 20 to 40 risks across operational, cyber, financial, compliance, and strategic categories. Score them qualitatively on a 5x5. Assign an owner to each. Review quarterly. That is a working programme. Frameworks like NIST IR 7621 (small business) and ISO 31000 scale down cleanly; resist the temptation to skip the register because the organisation is small.
What software helps with running a risk assessment?
A spreadsheet works until the programme adds its second framework, its third assessor, or its fourth business unit. At that point the cost of keeping spreadsheets in sync exceeds the cost of moving to a platform. A modern risk and compliance platform centralises the register, the control library, and the treatment workflow; runs assessments against any framework; cross-maps controls to compliance requirements; and produces the board pack without a manual rebuild every quarter. RiskWatch supports this pattern across 40+ frameworks on a single tenant.
Curious what running a risk programme on RiskWatch could save? Try the ROI calculator.
From definition to a running register
See how RiskWatch turns a risk assessment into a living register in days.
The Global Register, Risk Templates for ISO 31000 / ISO 27005 / NIST 800-30 / FAIR, KRI library, and Risk-vs-Compliance mapping, all on one platform. 30-day free trial, no credit card.
No credit card required · 30-day free trial · Cancel anytime