How to do a risk analysis
Everything you need to run a structured risk analysis — from method and frameworks to practical templates and tools.
By Kim Borg, Founder of VER&IT and RiskNote. 25+ years of experience in information security and risk management.
What is a risk analysis?
A risk analysis is a structured method for identifying, assessing and prioritising risks that may affect an organisation's goals, assets or functions. The purpose is to provide a basis for well-grounded decisions on how risks should be handled — by reducing, transferring, accepting or avoiding them.
A complete risk analysis contains six core components:
Protected assets
What needs to be protected — information, people, finances, brand, availability.
Threats and vulnerabilities
What can go wrong — from cyber attacks and supplier failures to staff shortages.
Likelihood assessment
How probable it is that something happens, based on history and environment.
Consequence assessment
How severe the outcome will be, expressed in measurable terms (money, downtime, customer loss).
Risk evaluation
Combining likelihood and consequence against the organisation's risk tolerance.
Action plan
What will be done about it — with owner, deadline and follow-up.
Risk analysis is the foundation of systematic security work under frameworks such as ISO 31000, ISO 27005, NIS2, GDPR and ISO 27001. In some contexts (especially workplace safety), the process is called risk assessment — the terms are often used synonymously.
Why is risk analysis important?
Risk analysis matters for three reasons.
Regulatory compliance. NIS2, GDPR, ISO 27001, DORA and similar regulations all require documented risk management. Without a risk analysis, the organisation cannot show that security work is systematic.
Resource prioritisation. No organisation has an unlimited security budget. The risk analysis shows which risks are actually worth addressing first — based on likelihood, consequence and cost of action.
Decision support for leadership. A risk analysis translates technical and operational risks into a language that management and the board can act on. It makes security a business issue, not an IT issue.
How to do a risk analysis — seven steps
A condensed version of the structured method. Each step links to a deep-dive article.
Step 1 — Identify protected assets
Start by listing what the organisation actually needs to protect: information, availability, financial assets, brand, people, compliance. Without protected assets, the risk analysis becomes an abstract exercise. Read more: Identifying protected assets →
Step 2 — Define the scope
Decide clearly what is in scope — the whole organisation, a specific process, a system, a supply chain. Define the time horizon and the stakeholders involved. Read more: Scope and boundaries →
Step 3 — Identify threats and risks
Systematic, cross-functional work. Walk through threats per protected asset, per threat category (cyber, physical, personnel, supplier, regulatory) and per scenario. Involve both IT and the business. Read more: Identifying threats and risks →
Step 4 — Assess likelihood and consequence
Use a 5×5 matrix with clearly defined scales. Define what each level actually means — in money, downtime, customer loss or another measurable unit. Read more: Likelihood and consequence →
Step 5 — Prioritise actions
The end product is not red cells in the matrix — it is a prioritised list of actions. Pick a strategy per risk: reduce, transfer, accept or avoid. Prioritise by effect per effort. Read more: Prioritising actions beyond the matrix →
Step 6 — Keep the analysis alive
A risk analysis is not a one-off project. Review regularly and update on incidents, changes and new regulatory requirements. Clear ownership is essential. Read more: Keeping the analysis alive →
Step 7 — Map to frameworks
Make sure the risk analysis meets the requirements of the frameworks that apply — ISO 27001, NIS2, GDPR, DORA or others. Read more: Risk analysis and compliance →
[Read the full main guide step by step →](/guide/genomfora-riskanalys)
Common frameworks and standards
Different frameworks place different requirements on how a risk analysis is conducted and documented.
ISO 31000 — General risk management
International standard for risk management at an overarching level. Defines principles, framework and process. Used as the basis for other standards. Learn more about ISO 31000 →
ISO 27005 — Information security risks
Focuses specifically on risks tied to information security. Complements ISO 27001 and provides detailed methodology for risk assessment.
ISO 27001 — Information security management
Requires documented risk assessment and risk treatment plan. Risk analysis is a central part of certification. Learn more about ISO 27001 →
NIS2 directive
EU directive, transposed into Swedish legislation since 2025. Requires risk management measures for essential and important entities within critical infrastructure, health care, public administration and more. Learn more about NIS2 →
GDPR and DPIA
When processing personal data that entails high risk, a data protection impact assessment (DPIA) must be performed — a specific type of risk analysis. Learn more about GDPR risk analysis →
DORA — Digital Operational Resilience Act
Regulates operational resilience for the financial sector within the EU. Requires extensive ICT risk management.
MSBFS 2020:6
The Swedish Civil Contingencies Agency's regulations on systematic information security work for state authorities.
[Which framework applies to your organisation? →](/guide/genomfora-riskanalys#step-7)
Gross, net, and residual risk
A mature risk analysis distinguishes three risk measures per risk. These are the terms ISO 27001 auditors and boards expect to see:
Gross risk (inherent risk)
The risk without any controls or treatments. How bad could it get at worst? Essential for justifying investments.
Net risk / residual risk
The risk after existing controls are factored in. This is the value compared against your risk tolerance.
Target risk
The level you aim to reach after planned treatments. The gap between net and target risk shows whether planned actions are enough.
Why does it matter? A risk with high gross risk but low net risk (thanks to strong controls) needs control maintenance, not new treatments. Read more in the risk register guide →
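As an added example (not code from the page or from RiskNote), here is the scoring and decision logic from Steps 4 and 5 and from this section in one small risk register: each entry is scored on the 5×5 matrix as gross, net and target risk, compared against a tolerance, and planned treatments are ranked by risk reduction per effort. The tolerance of 8, the effort figures and the three-entry register are assumptions constructed for the example.

```python
# Added example, not code from the page or from RiskNote.
from dataclasses import dataclass

RISK_TOLERANCE = 8          # assumed: a net score above this is out of tolerance
LEVELS = range(1, 6)        # likelihood and consequence both use levels 1..5

@dataclass
class Risk:
    asset: str
    threat: str
    gross: tuple            # (likelihood, consequence) with no controls in place
    net: tuple              # after existing controls
    target: tuple           # after planned treatments
    effort: int             # assumed cost of planned treatments, in person-days

def score(cell):
    # Matrix score is likelihood x consequence; undefined levels are rejected.
    likelihood, consequence = cell
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError(f"levels must be 1..5, got {cell}")
    return likelihood * consequence

def decide(risk):
    """Gross/net/target comparison: treat, maintain controls, or accept."""
    gross, net, target = score(risk.gross), score(risk.net), score(risk.target)
    if net > RISK_TOLERANCE:
        # the planned treatment must bring the target inside tolerance
        status = "treat" if target <= RISK_TOLERANCE else "treat (plan insufficient)"
    elif gross > RISK_TOLERANCE:
        status = "maintain controls"   # existing controls carry the risk: keep them working
    else:
        status = "accept"
    return {"asset": risk.asset, "gross": gross, "net": net,
            "target": target, "status": status}

def prioritise(risks):
    """Rank out-of-tolerance risks by risk reduction per unit of effort."""
    ranked = []
    for r in risks:
        net, target = score(r.net), score(r.target)
        if net > RISK_TOLERANCE:
            ranked.append((r.asset, (net - target) / max(r.effort, 1)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample register (three entries, not real data)
REGISTER = [
    Risk("customer database", "ransomware", (4, 5), (2, 5), (1, 5), effort=10),
    Risk("payroll", "single supplier failure", (3, 4), (3, 4), (1, 4), effort=20),
    Risk("public website", "DDoS", (4, 3), (2, 2), (2, 2), effort=0),
]
```

The website entry illustrates the point above: gross 12 but net 4, so the decision is to keep the existing controls working rather than fund new treatments.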
Tools and templates
Two resources that speed things up — a free Excel template and the RiskNote app.
Downloadable risk analysis template (Excel)
A structured Excel template with a 5×5 matrix, protected-asset inventory and action list — built along ISO 31000. Open download, no registration. Download the template →
RiskNote — AI-driven risk analysis in 20 minutes
Mobile app that guides you through the risk analysis. You describe the business, the AI suggests relevant risks based on industry and protected assets, and you get a structured risk register with a 5×5 matrix in 20 minutes. Works for NIS2, GDPR, ISO 27001 and ISO 31000. Available on iOS and Android, 11 languages. Learn more about RiskNote →
Deep dive per step
In-depth material for each step of the method.
Identifying protected assets
What actually needs protecting — and how to avoid missing assets that are critical but invisible. Read the deep dive →
Scope and boundaries in risk analysis
How to set clear boundaries without missing dependencies. Read the deep dive →
Identifying threats and risks
Cross-functional method with four perspectives: asset, threat category, scenario, supply chain. Read the deep dive →
Likelihood and consequence — scales that work
How to define the 5×5 matrix levels in measurable terms you can defend. Read the deep dive →
Prioritising actions beyond the matrix
Why red cells aren't an action plan — and how to get the most effect per effort. Read the deep dive →
Keeping the risk analysis alive
Review cycles, ownership and triggers that keep the analysis out of a drawer. Read the deep dive →
Risk analysis and compliance
How to map the analysis to ISO 27001, NIS2, GDPR and DORA without double work. Read the deep dive →
Summary
Risk analysis is not about filling a blank Excel sheet with categories. It's about understanding — in a structured way — what the organisation needs to protect, what can go wrong, and which actions give the most effect per effort.
The method is seven steps: protected assets → scope → threats and risks → assessment → action prioritisation → ongoing follow-up → framework mapping.
Tools like RiskNote make the method accessible to more people — without replacing human judgement.
Method first. Tools second. Security always.
Questions about risk analysis, or want to discuss how RiskNote fits your organisation? Contact us →
Frequently asked questions about risk analysis
How often should a risk analysis be updated?
A risk analysis should be revised at least annually, and always on significant changes — new systems, new suppliers, reorganisations, incidents or changed regulatory requirements. For organisations under NIS2 and ISO 27001, continuous updating is an explicit requirement.
What is the difference between threat, vulnerability and risk?
Threat is what can happen (ransomware attack, supplier failure). Vulnerability is the weakness that makes the threat possible (insecure backups, a single supplier). Risk is the combination of threat, vulnerability and consequence for a protected asset.
Which scale should be used in the risk analysis?
A 5×5 matrix (likelihood × consequence) is the most common and usually most useful choice. The scale itself isn't the point — what matters is that the levels are clearly defined in measurable terms before the assessment begins.
Who should conduct the risk analysis?
The risk analysis should be conducted cross-functionally — IT, business, leadership and possibly external experts. A lone analyst always misses important perspectives. Clear ownership is crucial, however: someone must be responsible for getting it done and keeping it current.
Do you need a risk analysis to comply with NIS2?
Yes. NIS2 requires risk management measures, and the foundation for those is a documented risk analysis. Without it, the organisation cannot show that security work is systematic — which is an explicit requirement.
What is the difference between risk analysis and risk assessment?
The terms are often used interchangeably. In the ISO standards, risk assessment is an umbrella concept covering risk identification, risk analysis (analysis of likelihood and consequence) and risk evaluation (comparison against criteria). In everyday usage, "risk analysis" often refers to the whole process.
How long does a risk analysis take?
With the traditional method (blank Excel sheet), a first version often takes several weeks or months — a lot of time goes into structuring and debating categories. With a structured tool like RiskNote, a first version can be ready in 20 minutes, and then refined together with the business.
What is ISO 31000?
ISO 31000 is the international standard for risk management. It provides principles and a framework that apply to all types of risk and all types of organisation — not just information security. It's often used as a starting point and complemented with more specific standards such as ISO 27005.
What does a risk analysis cost?
The cost varies dramatically depending on the method. A consultant-led risk analysis for a mid-sized organisation typically costs 10,000–50,000 EUR. With RiskNote or a comparable tool, the cost can be reduced to a fraction — while the work also becomes more continuous.
More guides
From guide to risk register in 20 minutes
RiskNote takes the method on this page and automates what should be automated. You describe the business, the AI suggests relevant risks, and you get a 5×5 matrix and action list. Free to try.