Risk Assessment: The Process, Methods & Best Practices (2026)

Written by: Henry Dalziel

Last updated on June 24, 2026

A risk assessment is the structured process of identifying what could go wrong, judging how likely it is and how much it would hurt, and deciding what to do about it. It is the repeatable mechanic at the heart of risk management, the step that turns a vague sense of unease into a prioritized, ownable list of exposures leadership can act on.

Risk assessments are performed continuously in mature programs: on new projects, new vendors, new systems, and as part of the wider risk cycle.

This page is part of our governance, risk, and compliance resource library. It is the operational counterpart to the broader discipline of enterprise risk management.

The risk assessment process

Most methodologies share the same core steps:

  1. Scope and context — define what is being assessed (a system, vendor, project, or the whole organization) and the objectives at stake.
  2. Identify risks — determine the threats, vulnerabilities, and events that could affect those objectives.
  3. Analyze — judge each risk’s likelihood and potential impact.
  4. Evaluate — compare the resulting risk level against the organization’s risk appetite to decide which risks need treatment.
  5. Treat — choose to accept, mitigate, transfer, or avoid each risk, and assign an owner.
  6. Document and monitor — record the assessment, feed results into the risk register, and revisit as conditions change.

Qualitative vs quantitative methods

Qualitative assessment scores likelihood and impact on descriptive scales (e.g. low/medium/high), often plotted on a risk matrix (sometimes called a heat map). It is fast, accessible, and useful for prioritization. Quantitative assessment expresses risk in numerical or financial terms — for example, estimating the probable monetary loss from an event using methods such as FAIR (Factor Analysis of Information Risk). Quantitative methods support cost-benefit decisions and board-level conversations about risk in dollars rather than colors. Many programs use both: qualitative for breadth and triage, quantitative for the risks that warrant deeper analysis.
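As an added example that is not part of the original article, the following Python sketch walks the analyze, evaluate and treat steps of the process above over a small risk register. It places each risk on a 5x5 qualitative matrix, compares the rating against an appetite threshold, and, for risks that carry estimated loss figures, produces a simple annual probability times loss figure for prioritization (a plain expected-loss simplification, not a FAIR analysis). The scales, rating bands, appetite level, treatment vocabulary and sample risks are all constructed assumptions, not values from the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed 5-point scales (1 = rare / negligible ... 5 = almost certain / severe).
SCALE_MAX = 5

# Score = likelihood * impact (1..25), mapped to a rating band. Bands are assumed.
RATING_BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))
RATING_ORDER = [label for _, label in RATING_BANDS]


@dataclass
class Risk:
    name: str
    owner: str                                   # every risk gets an owner (treat step)
    likelihood: int                              # 1..5
    impact: int                                  # 1..5
    annual_probability: Optional[float] = None   # quantitative inputs, if estimated
    loss_if_occurs: Optional[float] = None       # expected loss per event, in dollars
    treatment: str = "undecided"                 # accept | mitigate | transfer | avoid | undecided


def matrix_rating(likelihood: int, impact: int) -> str:
    """Analyze step: place a likelihood/impact pair on the risk matrix."""
    for value in (likelihood, impact):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"score {value} is outside the 1..{SCALE_MAX} scale")
    score = likelihood * impact
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise AssertionError("score exceeded the top band")  # unreachable with valid inputs


def exceeds_appetite(rating: str, appetite: str) -> bool:
    """Evaluate step: does the rating sit above the level the organization accepts?"""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(appetite)


def annualized_loss(risk: Risk) -> Optional[float]:
    """Quantitative step: simple probability-times-loss estimate (assumed method, not FAIR)."""
    if risk.annual_probability is None or risk.loss_if_occurs is None:
        return None
    return risk.annual_probability * risk.loss_if_occurs


def assess(register: List[Risk], appetite: str = "medium") -> List[Dict]:
    """Run analyze/evaluate over a register and return rows sorted by priority.

    A row is 'unresolved' when the risk exceeds appetite but its treatment is
    still undecided or merely 'accept', which is the gap a reviewer looks for.
    """
    rows = []
    for risk in register:
        rating = matrix_rating(risk.likelihood, risk.impact)
        needs_treatment = exceeds_appetite(rating, appetite)
        rows.append({
            "name": risk.name,
            "owner": risk.owner,
            "score": risk.likelihood * risk.impact,
            "rating": rating,
            "needs_treatment": needs_treatment,
            "annualized_loss": annualized_loss(risk),
            "treatment": risk.treatment,
            "unresolved": needs_treatment and risk.treatment in ("undecided", "accept"),
        })
    # Priority: risks above appetite first, then by dollar exposure, then matrix score.
    rows.sort(key=lambda r: (not r["needs_treatment"],
                             -(r["annualized_loss"] or 0.0),
                             -r["score"]))
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", "Platform lead", 4, 4,
         annual_probability=0.5, loss_if_occurs=400_000, treatment="mitigate"),
    Risk("Laptop theft with unencrypted disk", "IT manager", 3, 4,
         annual_probability=0.25, loss_if_occurs=180_000),
    Risk("Payroll SaaS vendor outage", "HR director", 2, 3, treatment="accept"),
    Risk("Printer toner shortage", "Office manager", 2, 1, treatment="accept"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "  <- needs decision" if row["unresolved"] else ""
        ale = (f"${row['annualized_loss']:,.0f}/yr"
               if row["annualized_loss"] is not None else "n/a")
        print(f"{row['rating']:<9} {row['score']:>2}  {ale:>14}  {row['treatment']:<9} "
              f"{row['name']} ({row['owner']}){flag}")
```

Running the script prints the register in priority order; the laptop-theft entry is flagged because it rates "high" against a "medium" appetite yet has no treatment decision, which is exactly the kind of gap the evaluate and treat steps are meant to surface before the result goes into the risk register.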

How risk assessment fits a GRC program

Risk assessment is where compliance frameworks and risk management meet. Standards such as ISO 27001 require a documented risk assessment as the basis for selecting controls, and the results feed directly into enterprise risk management and the risk register. Vendor assessments are a specialized form, central to third-party risk management. The risk management software platforms in our directory standardize and automate much of this work.

Frequently asked questions

What is a risk assessment?

A risk assessment is the structured process of identifying risks, analyzing their likelihood and impact, evaluating them against risk appetite, and deciding how to treat them — producing a prioritized, documented view of exposure.

What is the difference between qualitative and quantitative risk assessment?

Qualitative assessment rates likelihood and impact on descriptive scales (often a risk matrix); quantitative assessment expresses risk in numerical or financial terms. Qualitative is faster for triage; quantitative supports cost-benefit and board-level decisions.

What is a risk matrix?

A risk matrix (or heat map) is a grid that plots a risk’s likelihood against its impact to produce a relative risk rating, helping teams prioritize which risks to treat first.

How often should risk assessments be done?

Continuously and at trigger points — for new systems, vendors, and projects, after significant change, and on a regular cycle as part of ongoing enterprise risk management, rather than only once a year.


Part of our governance, risk, and compliance resource library. Maintained by The Editorial Team. Last reviewed June 14, 2026.