Risk assessment methodology

Category: Risk identification & assessment · Reviewed by Amy Price, Account Executive · Last reviewed

Risk assessment methodology

A risk assessment methodology is the documented approach an organisation uses to identify, analyse and evaluate risk. ISO 31000:2018 splits risk assessment into three sequential steps: identification, analysis and evaluation.

Identification

The systematic search for events that could affect objectives. Outputs: a populated risk register. Tools: hazard identification, HAZOP, FMEA, bowtie, scenario analysis.

Analysis

The understanding of the nature of each risk — its sources, likelihood, consequence and the effectiveness of existing controls. Outputs: scored entries on a defined matrix. Tools: quantitative (Monte Carlo, GLMs), qualitative (likelihood-impact scoring) or semi-quantitative.

Evaluation

The comparison of analysed risks against risk criteria — appetite, tolerance, legal duty, ethical limits — to decide which require treatment, which can be accepted and which require escalation. Outputs: prioritised treatment plans.

Documentation requirements

A defensible methodology document records:

• Scope (which risks, what time horizon, which entities).
• Criteria (appetite, tolerance, materiality thresholds).
• Identification techniques used.
• Scoring scales (likelihood and impact bands defined in measurable units).
• Aggregation and prioritisation rules.
• Roles (who identifies, who scores, who challenges, who signs off).
• Review cadence.

References

• ISO 31000:2018, Clauses 6.3–6.5.
• IEC 31010:2019.
• HSE INDG163.
• PRA SS5/14 — Solvency II: ORSA.

Cross-references

• Hazard identification
• Risk register
• Quantitative risk assessment
• Qualitative risk assessment

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.