risk assessmentRisk assessment failures now carry ten-figure price tags. On October 10, 2024, TD Bank agreed to pay about $3.09 billion across coordinated resolutions, including FinCEN’s record $1.3 billion penalty and a $450 million OCC action, after regulators found its monitoring left 92% of transaction volume unassessed.

That unmonitored slice totaled roughly $18.3 trillion between 2018 and 2024, and the Department of Justice took the first guilty plea from a major US bank for money laundering conspiracy. The program looked adequate on paper; the risk assessment underneath it had never been honestly done.

Risk Assessment: Key Takeaways
TD Bank paid $3.09 billion in October 2024 after regulators found 92% of its transaction volume, some $18.3 trillion, was never risk-assessed for monitoring.
A defensible risk assessment runs five steps from ISO 31000:2018: identify, analyze, evaluate, treat, and monitor, with documented criteria at each gate.
The 5×5 likelihood-and-impact matrix remains the working standard for qualitative scoring; written band definitions are what keep ratings consistent between assessors.
Qualitative methods screen the full register fast; quantitative methods price the top exposures. Mature programs run both and let the decision pick the method.
Frequency follows risk: annual as a floor, plus trigger-based reassessment on material change, per regulatory expectations across SEC, OSHA, and sector rules.
This hub links every riskpublishing.com risk assessment guide and template, from general methodology to physical security, NIST CSF, food safety, and vendor assessments.

What a Risk Assessment Delivers

A risk assessment converts uncertainty into a ranked, owned, documented list of exposures that decisions can rest on. ISO 31000:2018 defines it as the overall process of risk identification, analysis, and evaluation, and our guide to risk assessment methodology walks through each term with worked examples.

The output is only as good as its parts, so learn the anatomy before the shortcuts. The critical components of a risk assessment cover scope, criteria, scoring, and ownership, while the hazard-versus-risk distinction stops the most common vocabulary error before it corrupts a register.

Assessment output What it answers Where it lands
Ranked risk register Which exposures matter most right now Key elements of a risk register
Scored likelihood and impact How bad, how often, against written criteria Defining likelihood properly
Treatment decisions Accept, reduce, transfer, or avoid, with owners How to mitigate risk
Assurance evidence Proof the assessment happened and was acted on Risk management techniques

Treat the risk assessment as a product with users, because it has them. The board consumes the ranking, auditors consume the evidence trail, insurers consume the loss estimates, and operational teams consume the treatment actions, and a format that serves all four is worth designing once and reusing everywhere.

The Five Steps of a Risk Assessment

Every credible framework runs the same five-step spine, whatever vocabulary it wears. Identification feeds analysis, analysis feeds evaluation against appetite, treatment closes the gaps, and monitoring reopens the loop when conditions move, which is the cycle our step-by-step risk assessment guide builds out in full.

The Complete Risk Assessment Guide: Methods, Templates, and Frameworks

Figure 1. Five steps, one loop: monitoring feeds the next identification pass.

Identification deserves more method than most teams give it. Brainstorming finds the risks everyone already knows, so structured risk identification approaches add checklists, process mapping, and incident mining, and scenario-based assessment stretches the register toward the events nobody has lived through yet.

Analyzing Likelihood and Impact in a Risk Assessment

Analysis is where discipline pays or leaks. Score likelihood in defined frequencies and impact in defined consequences, one risk at a time, with the evidence note written before the number. Teams that score first and justify later anchor on the first opinion in the room, and the register inherits that bias permanently.

Scale conventions matter more than scale choice. Whether you run 1-to-5 or 1-to-10, publish what each point means and never let a workshop invent half-points, because every act of scale improvisation quietly breaks comparability with the rest of the register and with last year’s assessment.

Evaluating Risk Assessment Results Against Appetite

Evaluation compares each scored risk against the appetite and tolerance the board approved, which is what turns a heat map into decisions. Risks inside appetite get monitored, risks outside it get treatment plans with owners and dates, and risks far outside it get escalated this week rather than filed.

For execution mechanics, work from the full walkthrough of how to conduct a risk assessment and keep the risk assessment flowchart beside the workshop agenda. The flowchart settles sequencing arguments in seconds, which preserves workshop time for the actual scoring debates.

Qualitative and Quantitative Risk Assessment Methods

Method choice is a decision about the decision. Qualitative scoring ranks a hundred risks in an afternoon; quantitative modeling prices the top five for capital and insurance choices, and our qualitative versus quantitative comparison maps which questions each method can honestly answer.

The Complete Risk Assessment Guide: Methods, Templates, and Frameworks

Figure 2. The working 5×5: scores of 15 and above demand executive attention.

The matrix stays defensible only when its anchors are written down. Define every likelihood band in frequencies and every impact band in dollars, service outcomes, or people harmed, then require an evidence note beside each score. Undefined bands are how two assessors rate the same risk three cells apart.

Decision to support Method Typical tool Depth required
Rank the full register Qualitative 5×5 matrix, criteria tables Workshop plus evidence notes
Set insurance limits Quantitative Loss modeling, exceedance curves Loss data, exposure values
Approve a major project Semi-quantitative Scored ranges with cost bands Estimates plus expert review
Meet a compliance duty Method per rule Prescribed checklist or matrix Whatever the regulator names

Semi-quantitative scoring bridges the two methods when data is partial. Assign dollar ranges to impact bands and frequency ranges to likelihood bands, and the same 5×5 matrix starts producing rough expected-loss figures, which is often enough precision for prioritization without the full modeling investment.

The Risk Assessment Template Library

Templates turn method into momentum, and this is the full shelf. Start from the master risk assessment template collection, then pull the specialized version built for your domain, because a good template carries its own criteria and saves the first two workshops.

Assessment you are running Purpose-built guide or template
General or enterprise risk Risk assessment templates collection
Cybersecurity, NIST-aligned NIST CSF risk assessment: how to run one
Framework selection, cyber Cyber risk assessment framework: NIST CSF vs ISO
Federal-style information security NIST risk assessment guide
Physical security and facilities Physical security risk assessment report guide
Vendor and third-party due diligence NIST vendor risk assessment questionnaire
Food safety, HACCP-based HACCP risk assessment matrix
Manufacturing and machine safety Injection moulding risk assessment

Bookmark this section rather than the individual guides, because the library grows. New specialized assessments join the shelf as regulations create them, DORA registers and AI system assessments being the current examples, and this hub stays the index that points at whatever exists this quarter.

Adapt before you adopt. Rename the impact categories to your services, swap the example risks for last year’s incidents, and delete every column nobody will maintain, because an over-engineered template dies in its second quarter. The best template is the one still being filled in a year later.

Two habits make any of these templates safer. Record who assessed and when, so the reassessment schedule has a baseline, and keep definitions from the hazard and risk assessment glossary attached, so a new assessor inherits the same vocabulary rather than reinventing it.

Risk Assessment Frameworks and Standards

Frameworks decide what evidence your risk assessment must produce, so pick the anchor before the tooling and name it on the assessment record itself. US practitioners usually answer to more than one framework at once, and the table below shows where each one bites hardest.

Framework or rule Who leans on it What it asks of assessments
ISO 31000:2018 Any organization; the generic anchor Documented process, criteria, and iteration
COSO ERM US corporates and their auditors Risk assessment integrated with strategy and controls
NIST SP 800-30 Federal systems, security teams Threat, vulnerability, likelihood, impact structure
NIST CSF 2.0 Critical infrastructure and beyond Assessment feeding the Identify and Govern functions
SEC cyber rules US public companies Materiality assessment on a four-business-day clock
OSHA general duty US employers Workplace hazard assessments, documented and current

The external anchors are free to cite: COSO’s ERM framework, NIST SP 800-30, the NIST Cybersecurity Framework 2.0, and ISO/IEC 27001 for the security management wrapper around it all. Citing the anchor on the assessment itself shortens every audit conversation, because the auditor’s first question is always which standard you claim to follow.

Regulated context raises the stakes on documentation. The SEC’s cyber disclosure regime turns assessment quality into filing risk, OSHA’s guidance expects workplace assessments to stay current, and White & Case’s read of the TD Bank resolution shows prosecutors now treat assessment gaps as intent evidence.

When frameworks overlap, map once instead of assessing twice. A single risk assessment can serve ISO 31000, COSO, and a NIST profile simultaneously if the record captures each framework’s required fields, and a one-page crosswalk maintained by the risk function beats three parallel assessments every time.

The Risk Assessment Mistakes Competitors Keep Making

We review risk assessments across industries, and the same six defects account for most of the value destroyed. Each is visible in the documents alone, which means each is also fixable before an auditor, regulator, or incident finds it first.

Mistake How it shows up Fix
Undefined scoring bands Same risk, three different ratings Written frequency and impact anchors on the matrix
Assessment as annual theater Register untouched between yearly reviews Trigger-based reassessment on material change
Inherited risks never challenged Last year’s register copied forward Fresh identification pass before any re-scoring
No evidence notes Scores with nothing behind them One sentence of rationale per rating, mandatory
Treatment without owners Actions listed, nobody named Owner and date on every treatment, tracked to closure
Scope drawn around comfort High-risk areas conveniently excluded Scope signed by the executive who owns the outcome

Frequently Asked Questions About Risk Assessment

What are the five steps of a risk assessment?

Identify the risks, analyze their likelihood and impact, evaluate them against your criteria and appetite, treat the ones outside tolerance, and monitor so change reopens the cycle. The sequence comes from ISO 31000:2018, and the five-step risk management process article walks each step with examples.

What is the difference between qualitative and quantitative risk assessment?

Qualitative assessment scores risks descriptively against defined bands and is fast enough to cover a whole register; quantitative assessment models risks numerically in dollars and probabilities for capital-grade decisions. Most mature programs screen qualitatively and quantify the top exposures, letting the decision at stake pick the method.

How often should a risk assessment be conducted?

Annually as a floor, with trigger-based reassessment whenever systems, suppliers, regulations, or organizational structure materially change, and immediately after significant incidents or near misses. High-velocity risks such as cyber deserve quarterly or continuous review. Our assessment frequency guide maps cadence to risk type and regulatory expectation.

What does a good risk assessment matrix look like?

A 5×5 grid with every band defined in observable terms: likelihood in frequencies, impact in dollars, downtime, or harm, and color bands tied to required actions. The matrix in Figure 2 is the working pattern. An undefined matrix produces ratings that vary by assessor, which defeats the exercise.

Which risk assessment template should I start with?

Start with the general template from our template collection if your need is enterprise-wide, or jump straight to the specialized version, cyber, physical security, vendor, or food safety, listed in the library table above. Specialized templates carry their own criteria, which saves the first two calibration workshops.

How does a risk assessment differ from a risk register?

The assessment is the activity; the register is the living record it produces and maintains. A register without a recent assessment behind it is an archive, and an assessment that never lands in a register evaporates. Keep the two joined by date-stamping every register entry with its assessment source.

Who should perform a risk assessment?

The people who own the process being assessed, guided by someone trained in the method, because ownership without method produces optimism and method without ownership produces fiction. The risk function runs the workshops, challenges the scores, and consolidates the register. Independent review, internal audit or external, belongs on the highest-stakes assessments.

Where Risk Assessment Practice Is Heading

Enforcement is converting assessment quality into legal exposure. TD Bank’s plea made an inadequate risk assessment part of a criminal narrative, and the SEC’s materiality clock does the same for cyber events, so expect assessment documentation to be read by lawyers as often as auditors.

Quantification keeps getting cheaper. Loss data from IBM’s breach research and Verizon’s DBIR now gives mid-size firms benchmark inputs that once required consultants on retainer, and that shift will pull more registers from color bands toward dollar ranges over the next two planning cycles.

Expect AI to sit on both sides of the table. Models will draft risk registers and flag scoring inconsistencies, and AI systems themselves will need assessing, with CISA’s playbooks already treating model failures as reportable events. The assessor’s judgment stays; the blank page goes.

The skill premium moves to interpretation. As tooling drafts registers and benchmarks scores, the practitioners worth their seat will be the ones who can defend a rating to a hostile audience, spot the risk the model missed, and translate a heat map into a budget decision the board signs.

 

Commission a Risk Assessment Review With Risk Publishing

If your register was copied forward last year and your matrix has no written anchors, you are carrying TD Bank’s lesson unpriced. Explore our services or contact us for an ISO 31000-aligned assessment review, and send the current register ahead so the first session starts with findings.

Index