How to do a risk assessment
A risk assessment doesn't have to be complicated. Here's a step-by-step guide to building your first risk assessment in an afternoon, whether you're the CEO of a 15-person company or a consultant delivering to a client.
What is a risk assessment?
A risk assessment is a structured process to identify risks that can affect your objectives, assess how serious they are, and decide what to do about them. It's the same core process whether you assess cybersecurity, occupational safety, project risk, or business risk.
The global standard for risk management is **ISO 31000:2018**. It describes a generic process (identify, analyse, evaluate, treat, monitor) that works for any organisation and any type of risk. It isn't certifiable, but it's the reference that other standards (ISO 27001, NIS2, DORA) build on.
Step 1. Preparation
Executive sponsorship
A risk assessment without management backing becomes a document that never gets read. Make sure someone in management owns the process. A one-page risk management policy signed by the CEO is enough.
Define the scope
What will be assessed? The whole business, a specific area, a project, a specific process (e.g. handling of personal data)?
Define risk tolerance
What risks are you willing to accept? Which require action? Write three or four levels (e.g. score 1–3 = accept, 4–7 = watch, 8–14 = action plan, 15–25 = immediate action).
Gather the right people
A risk assessment done by one person is one person's opinion. Invite 3–6 key people with different perspectives: operations, finance, IT, customer ownership.
Step 2. Identify risks
This is the most important step. A missed risk is more dangerous than a mis-assessed one.
Some techniques for risk identification:
Structured brainstorming
Gather the group and walk through business area by business area. Ask “what can go wrong here?”
AI suggestions as starting point
Tools like RiskNote use AI to suggest 5 industry-relevant risks per analysis. Good for catching risks you've never seen.
Review past incidents
What has gone wrong before? For you, for competitors, in the industry?
Check standard lists
ISO 27005 has catalogues of typical information-security risks. Occupational safety regulations have examples of workplace risks. Use them as checklists.
Process walkthrough
Walk through a critical process (e.g. invoicing, hiring, system operations) step by step and ask “what can go wrong here?”
Step 3. Analyse risks
For each identified risk, assess likelihood and consequence. Standard practice is a 5x5 matrix (likelihood 1–5 × consequence 1–5 = score 1–25).
The key is **consistent application of the scale**. Define each level up front so everyone assessing uses the same understanding.
Likelihood 1–5
1 = rare (once per 10 years), 3 = possible (once per 2–3 years), 5 = almost certain (multiple times per year).
Consequence 1–5
1 = negligible (handled in normal operations), 3 = moderate (requires management intervention), 5 = catastrophic (existential threat).
Assess in a group
One person's assessment is subjective. In a group you get nuance and consensus.
Document the reasoning
Write one line on why you chose a given L and C. This helps at later review.
Step 4. Evaluate and prioritise
Once every risk has a score, compare against your risk tolerance. Critical risks (e.g. score 15–25) require an immediate action plan. High risks (8–14) need a structured response. Medium and low can be monitored.
Watch out for **black swans**: risks with low likelihood but catastrophic consequences (L=1, C=5 gives a score of 5, which looks low but can be existential). Use qualitative judgement, not just the score.
Step 5. Treat risks
Accept
The risk is within tolerance. Document and move on.
Reduce (mitigate)
Take action to reduce likelihood or consequence. Most common choice. Document action, owner, and deadline.
Transfer
Insurance, outsourcing, or contractual clauses that move the risk. Note: some risk (e.g. reputation) can't be transferred.
Avoid
Decline the activity that creates the risk. Sometimes the only reasonable choice.
Step 6. Monitor and review
Risks move. New ones appear, old ones become irrelevant, actions change the picture. A risk assessment is perishable.
As a rule of thumb: quarterly review for operational risks, annual for strategic ones. Project risks are updated per sprint or steering meeting. A major change (new vendor, regulatory change, system switch) always triggers a new round.
Frequently asked questions about risk assessment
How long does a first risk assessment take?
For an SME: 2–4 hours for the first round of identification and assessment, plus 1–2 hours for action planning. In total, half a working day for a capable person who knows the business.
Do we need a certified risk consultant?
Not for an internal assessment. For certifications (ISO 27001, ISO 9001) or particularly complex domains (DORA for finance, GDPR DPIA for high-risk processing), external expertise can be valuable.
Is the 5x5 matrix mandatory?
No. ISO 31000 is agnostic about matrix size. 5x5 is common practice. 3x3 is too coarse for most purposes. Some organisations use 7x7 or qualitative categories instead of numeric scales.
What's the difference between risk and issue?
A **risk** is something that might happen in the future. An **issue** is something that has already happened. Risks are handled through risk assessment. Issues are handled through incident management. Both processes are needed.
Should we assess risks before or after mitigation?
Both. **Gross risk** (before mitigation) shows how bad it could be without controls, which is important to justify investment. **Net risk** or **residual risk** (after mitigation) shows the actual picture. ISO 27001-certified organisations are expected to have both.
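As an added example (not RiskNote's code and not from the article), the following Python snippet turns Steps 3 and 4 and this answer into a small risk register: it applies the 5x5 scoring and the tolerance bands from Step 1, flags the black-swan case from Step 4, and carries both the gross and the net (residual) score for each risk. The band thresholds, the black-swan rule (consequence 5 with likelihood 1 or 2) and the sample risks are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Tolerance bands from Step 1 (score = likelihood x consequence, 1-25).
BANDS = [(1, 3, "accept"), (4, 7, "watch"),
         (8, 14, "action plan"), (15, 25, "immediate action")]

@dataclass
class Risk:
    name: str
    gross_l: int                 # likelihood 1-5 before any controls
    gross_c: int                 # consequence 1-5 before any controls
    net_l: Optional[int] = None  # after planned mitigation (None = no mitigation yet)
    net_c: Optional[int] = None

def score(likelihood: int, consequence: int) -> int:
    """5x5 matrix from Step 3: both scales are 1-5, the product is 1-25."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must each be 1-5")
    return likelihood * consequence

def band(s: int) -> str:
    """Map a score onto the tolerance bands defined in Step 1."""
    return next(label for lo, hi, label in BANDS if lo <= s <= hi)

def is_black_swan(likelihood: int, consequence: int) -> bool:
    """Step 4 caveat: low likelihood x catastrophic consequence scores low (1 x 5 = 5)
    but can be existential, so it is flagged for qualitative review (assumed rule)."""
    return consequence == 5 and likelihood <= 2

def evaluate(risk: Risk) -> dict:
    """Gross score (before controls), net/residual score (after), band and flags."""
    gross = score(risk.gross_l, risk.gross_c)
    net_l = risk.gross_l if risk.net_l is None else risk.net_l
    net_c = risk.gross_c if risk.net_c is None else risk.net_c
    net = score(net_l, net_c)
    flags = ["black swan"] if is_black_swan(net_l, net_c) else []
    return {"name": risk.name, "gross": gross, "net": net,
            "band": band(net), "flags": flags}

def prioritise(risks: List[Risk]) -> List[dict]:
    """Most urgent first: flagged black swans on top, then by net, then by gross score."""
    return sorted((evaluate(r) for r in risks),
                  key=lambda e: (-len(e["flags"]), -e["net"], -e["gross"]))

# Constructed sample register, not taken from the article.
SAMPLE_RISKS = [Risk("Ransomware on file server", 4, 4, net_l=2, net_c=3),
                Risk("Fire in the only server room", 1, 5),
                Risk("Invoices sent late", 3, 1)]
```

Running `prioritise(SAMPLE_RISKS)` puts the server-room fire first even though its numeric score is only 5, which is exactly the case the black-swan caveat in Step 4 warns about.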
Skip the Excel phase
RiskNote turns steps 1–6 into a structured process. First assessment ready in an afternoon. Start a free trial today.