In March 2025, a mid-market financial services firm in the U.S. Midwest discovered that a single unpatched server had exposed 2.3 million customer records for 117 days before anyone noticed.
The breach cost $4.44 million in direct losses, triggered regulatory fines, and wiped out three years of customer trust built through careful relationship management. The root cause was not a sophisticated attack.
The firm had never conducted a structured risk analysis on its IT infrastructure, so the vulnerability sat in plain sight while the team focused on revenue targets.
| What Practitioners Need to Know About Risk Analysis |
| Risk analysis is the core diagnostic step within risk assessment, where you determine likelihood, impact, and velocity for each identified risk before deciding how to respond. |
| Nearly 75% of enterprises experienced at least one critical risk event in the past year, yet only 18% of ERM leaders have high confidence in identifying emerging risks. |
| ISO 31000:2018 provides the universal risk analysis framework: Communicate, Establish Context, Identify, Analyze, Evaluate, Treat, and Monitor. |
| Combining qualitative risk analysis (risk matrices, expert judgment) with quantitative risk analysis (Monte Carlo, scenario modeling) produces more defensible, decision-ready outputs. |
| Organizations with board-level ERM visibility are 20% less likely to suffer six or more critical risk events annually. |
| Every risk analysis must produce actionable outputs: updated risk registers, treatment plans with owners, KRI thresholds, and escalation triggers. |
| The ERM market is projected to reach $11.97 billion by 2030 (CAGR 14.8%), driven by regulatory pressure, cyber threats, and AI-enabled risk analytics. |
Understanding how to conduct risk analysis is essential for every organization that wants to protect its objectives and make informed decisions. Risk analysis is the systematic process of identifying, evaluating, and prioritizing threats to organizational objectives so that decision-makers can allocate resources where they matter most.
According to Gartner’s 2025 Emerging Risks Survey, nearly 75% of enterprises experienced at least one critical risk event in the past year, yet only 18% of ERM leaders express high confidence in their ability to identify emerging risks.
That gap between exposure and capability is exactly what understanding how to conduct risk analysis closes.
This guide shows you how to conduct risk analysis step by step, grounded in ISO 31000:2018 and COSO ERM principles.
We will cover how to conduct risk analysis using both qualitative and quantitative methods, show you how to build a risk register, and provide a 90-day roadmap for embedding risk analysis into your organization’s decision-making. Whether you are launching a new program or refreshing an existing enterprise risk management framework, this is your practitioner’s playbook.
The Growing Demand for Risk Analysis Capabilities
Figure 1: The ERM market is projected to grow at 14.8% CAGR, reflecting surging demand for risk analysis capabilities.
What Risk Analysis Actually Means (And Why Most Organizations Get It Wrong)
Before we unpack the how, we need to settle the what. Risk analysis is not the same as risk assessment, and it is not synonymous with risk management. These terms get conflated constantly, and the confusion leads to programs that check boxes without producing decisions.
Risk management is the overarching discipline. Risk assessment is one phase within it, and risk analysis is a sub-step within risk assessment.
Specifically, risk analysis is the process of determining the likelihood, impact, and velocity of each identified risk event.
Under ISO 31000:2018, the risk assessment phase contains three sequential activities: risk identification (what could happen?), risk analysis (how likely is it, and how severe?), and risk evaluation (does this exceed our risk appetite?).
We see organizations that do not understand how to conduct risk analysis treat a single brainstorming session as their entire process. That approach misses two critical dimensions: it fails to quantify exposure in terms that executives can act on, and it ignores the interdependencies between risks. A proper risk analysis produces a risk score for every identified threat, which feeds directly into treatment decisions and key risk indicator thresholds.
Risk Analysis Within the Risk Management Hierarchy
| Concept | Scope | Output | ISO 31000 Alignment |
| Risk Management | Enterprise-wide discipline | Risk appetite, governance structure, culture | Full framework (Principles + Framework + Process) |
| Risk Assessment | Diagnostic phase within RM | Prioritized risk register | Process: Identification + Analysis + Evaluation |
| Risk Analysis | Sub-step within assessment | Likelihood x Impact scores, risk velocity | Process: Risk Analysis (Clause 6.4.3) |
| Risk Evaluation | Sub-step within assessment | Accept / treat / escalate decisions | Process: Risk Evaluation (Clause 6.4.4) |
| Risk Treatment | Response phase | Mitigation plans, controls, KRIs | Process: Risk Treatment (Clause 6.5) |
How to Conduct Risk Analysis: 7 Steps Aligned to ISO 31000
Building on the hierarchy above, a structured risk analysis process follows the ISO 31000 lifecycle.
Each step produces a tangible deliverable, and skipping any one of them introduces blind spots that compound over time. Here is the sequence we recommend, mapped directly to the standard.
Figure 2: The seven-step risk analysis process aligned to ISO 31000:2018.
Step 1: Communicate and Consult
Before analyzing a single risk, identify who needs to be involved. Stakeholder mapping ensures that the risk analysis captures perspectives from operations, finance, compliance, IT, and the board.
COSO ERM calls this the “governance and culture” component, and without it, your risk analysis will reflect the biases of whoever happens to be in the room. Document communication channels, escalation paths, and reporting cadence upfront.
Step 2: Establish Scope, Context, and Criteria
The second step in how to conduct risk analysis is to define the boundaries of the exercise: which business units, processes, projects, or decisions are in scope? Set your risk appetite thresholds (how much risk is acceptable?) and your risk criteria (what scales will you use for likelihood and impact?).
A 5×5 risk matrix is the most common tool for qualitative risk analysis, where likelihood runs from Rare (1) to Almost Certain (5) and impact from Insignificant (1) to Catastrophic (5).
Step 3: Risk Identification
This is where you answer the question: “What could go wrong?” Use multiple techniques: workshops, SWOT analysis, historical incident reviews, process mapping, and external scanning. Capture each risk in cause-event-consequence format.
For example: “Inadequate patch management [cause] leads to a data breach [event], resulting in regulatory fines and reputational damage [consequence].” Log every identified risk in a risk register with a unique ID, owner, and category.
Step 4: Risk Analysis (The Core Step)
Now we reach the heart of the process. Risk analysis assigns a level of risk to each identified threat by assessing two primary dimensions: likelihood (how probable is the event?) and impact (how severe are the consequences?). You have two fundamental approaches:
Qualitative risk analysis uses expert judgment, interviews, and descriptive scales to categorize risks as High, Medium, or Low. The 5×5 risk matrix is the workhorse here. Multiply likelihood by impact to produce a risk score (e.g., 4 × 5 = 20, High). This is often the first approach practitioners use when learning how to conduct risk analysis in their organizations.
This method is fast, intuitive, and works well when data is limited or when you need broad organizational participation.
Quantitative risk analysis uses numerical data, probability distributions, and mathematical models to estimate risk exposure in financial or operational terms.
Techniques include Monte Carlo simulation (running thousands of iterations to produce probability curves), sensitivity analysis (tornado charts that isolate which variables drive the most variance), expected monetary value (EMV) calculations, and Value at Risk (VaR).
NIST recommends the FAIR standard specifically for integrating cybersecurity risk quantification with enterprise risk management (NISTIR 8286).
Risk Analysis Methods: What Organizations Actually Use
Figure 3: Risk matrices dominate adoption, but quantitative methods like Monte Carlo score higher on perceived effectiveness.
Step 5: Risk Evaluation
Risk evaluation compares your risk analysis results against the risk appetite thresholds you established in Step 2. For each risk, the evaluation produces one of three decisions: accept (risk is within appetite), treat (risk exceeds appetite and needs mitigation), or escalate (risk is so severe it requires board or executive attention).
This is where your risk analysis translates into action, and it is the step most programs rush through.
Step 6: Risk Treatment
For risks that require treatment, select a response strategy: avoid (eliminate the activity), reduce (implement controls to lower likelihood or impact), transfer (insurance, outsourcing), or accept (when treatment cost exceeds benefit).
Each treatment needs an owner, a deadline, a budget, and a KRI to monitor effectiveness. Document treatments in your risk register and link them to the corresponding risk analysis scores. For project-specific contexts, see our risk mitigation in project management guide.
Step 7: Monitor, Review, and Report
Knowing how to conduct risk analysis means understanding it is not a one-time exercise. Establish a monitoring cadence: quarterly formal reviews for the full risk register, monthly KRI dashboards for top risks, and immediate reassessment when material changes occur (new regulations, M&A, system upgrades, incidents).
Use risk metrics and KRIs with early-warning thresholds that trigger escalation before a risk materializes.
Report to the board using traffic-light heatmaps and trend analysis, not just static snapshots.
Why Risk Analysis Matters: The Cost of Flying Blind
The business case for knowing how to conduct risk analysis properly is no longer theoretical. The data from 2025-2026 paints a stark picture of what happens when organizations skip or underinvest in risk analysis.
Figure 4: Organizations without board-level ERM visibility suffer disproportionately more critical risk events.
According to Secureframe’s 2026 risk management statistics, nearly 75% of enterprises experienced at least one critical risk event in the past year. Firms without board-level ERM visibility were 20% more likely to suffer six or more such events.
The IBM Cost of a Data Breach Report puts the global average breach cost at $4.44 million, with an average disclosure delay of 117 days.
The Black Kite Third-Party Breach Report (2026) found that for every single vendor breached, an average of 5.28 downstream companies were publicly compromised, the highest cascade level ever recorded.
These numbers tell a clear story: risk analysis is not a compliance checkbox. Organizations that invest in structured, continuous risk analysis catch threats earlier, respond faster, and absorb shocks with less damage.
The enterprise risk management software market reflects this urgency, projected to grow from $6 billion in 2025 to $11.97 billion by 2030 at a 14.8% CAGR (MarketsandMarkets).
The Risk Analysis Landscape: What Keeps Organizations Up at Night
Transitioning from the cost of inaction to the threat landscape itself, let us examine which risk categories dominate organizational agendas in 2025-2026.
Understanding the risk landscape is the first input when learning how to conduct risk analysis, because your risk identification must reflect the threats that are actually materializing, not just the ones that are familiar.
Figure 5: Regulatory changes and cyber threats top the risk analysis agenda, but third-party and geopolitical risks are climbing fast.
Regulatory changes lead at 65%, followed by cyber threats at 58% and operational disruptions at 52%.
For practitioners learning how to conduct risk analysis, this means your risk identification process must cover regulatory scanning, cybersecurity risk assessment, supply chain dependencies, and macroeconomic variables at minimum.
Anyone learning how to conduct risk analysis must go beyond operational hazards to address the strategic and compliance risks that boards care most about.
Qualitative vs. Quantitative Risk Analysis: When to Use Each
Now that you understand how to conduct risk analysis at a process level, we address the perennial practitioner question: should you use qualitative risk analysis, quantitative risk analysis, or both? The answer depends on your data maturity, decision context, and audience.
| Dimension | Qualitative Risk Analysis | Quantitative Risk Analysis |
| Data Required | Expert judgment, historical experience | Loss data, frequency distributions, financial models |
| Output | Risk rating (High/Medium/Low), heatmap | Probability distributions, dollar estimates, confidence intervals |
| Speed | Fast (hours to days) | Slower (days to weeks) |
| Best For | Initial screening, broad risk registers, stakeholder workshops | High-value decisions, board reporting, insurance placement, capital allocation |
| Tools | 5×5 risk matrix, risk register, bow-tie diagrams | Monte Carlo simulation, FAIR, tornado charts, decision trees |
| Limitation | Subjective, hard to compare across categories | Data-hungry, can create false precision if inputs are weak |
| ISO 31000 Alignment | Clause 6.4.3 (descriptive scales) | Clause 6.4.3 (numerical analysis) |
| Recommendation | Use for all risks as baseline | Layer on top for material risks (top 10-15 by inherent score) |
Our recommendation: start every risk analysis with a qualitative pass across your full risk register. Then apply quantitative risk analysis selectively to your top 10-15 risks by inherent score.
This two-tier approach gives you breadth (nothing falls through the cracks) and depth (your most material risks get the analytical rigor they deserve).
For practical guidance on building the quantitative layer, see our tornado chart risk analysis guide.
The Financial Case for Risk Analysis: Breach Costs and Supply Chain Cascades
Moving from methodology to financial impact, let us anchor the risk analysis discussion in dollars and timelines.
Decision-makers need to see what inadequate risk analysis costs in terms they can bring to a budget meeting.
Figure 6: Inadequate risk analysis exposes organizations to multi-million-dollar breach costs and cascading supply chain compromises.
The $4.44 million average breach cost is not just a technology problem. It reflects failures in understanding how to conduct risk analysis properly: the vulnerability was not catalogued, the exposure was not quantified, and risk treatment (no control was implemented).
Supply chain cascades at 5.28x mean that your risk analysis must extend beyond your own four walls to encompass third-party risk. And the 117-day average disclosure delay indicates that monitoring and review processes are systematically failing.
Executive personal liability is also increasing; CISOs, CROs, and CCOs now face potential criminal charges and SEC enforcement actions for risk management failures (Verdantix 2026 Predictions).
Your First 90 Days: From Risk Analysis Assessment to Activation
Theory without a timeline is just aspiration.
Here is a phased roadmap showing how to conduct risk analysis from scratch, designed for a typical mid-market organization. Adjust the pace based on your organization’s size and risk maturity.
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Foundation | Appoint risk analysis lead. Define scope and risk criteria. Conduct stakeholder mapping. Select risk analysis tools (matrix + register template). | Risk analysis charter. 5×5 risk criteria scales. Stakeholder RACI. Risk register template deployed. | 100% of business units identified. Risk appetite statement drafted. First risk workshop scheduled. |
| Days 31-60: Execution | Run risk identification workshops across all in-scope units. Complete qualitative risk analysis (5×5 scoring). Identify top 15 risks for quantitative deep-dive. Begin Monte Carlo or scenario modeling on top 5. | Populated risk register with 50+ risks scored. Top 15 risk profiles with treatment options. Quantitative risk analysis outputs for top 5. | Risk register covers 90%+ of known risk categories. Board-ready heatmap produced. 3+ quantitative risk analyses completed. |
| Days 61-90: Embedding | Assign risk owners and KRIs for top 20 risks. Build KRI dashboard with thresholds. Present first risk analysis report to board/exec committee. Establish quarterly review cadence. | KRI dashboard live. First board risk report delivered. Risk treatment plans with SMART actions. Monitoring protocol documented. | All top 20 risks have owners and KRIs. Board approval on risk appetite. Quarterly calendar set. First corrective actions initiated. |
Where Risk Analysis Programs Stall and How to Unstick Them
Even well-intentioned risk analysis programs hit predictable obstacles.
Having guided dozens of organizations through these programs, we see the same failure patterns repeat. Here are the most common pitfalls and the specific fixes that work.
| Pitfall | Root Cause | Remedy |
| Risk analysis treated as annual checkbox | No integration with decision-making processes | Embed risk analysis triggers at key decision points: project approval, vendor selection, budget allocation, strategy reviews |
| Risk register becomes a graveyard | No ownership, no follow-up cadence | Assign every risk an owner with a review date. Use KRI dashboards that automatically flag overdue items |
| Over-reliance on qualitative risk analysis | Lack of data or analytical skills | Start a quantitative pilot on 3-5 high-value risks. Use Monte Carlo templates. Build capability incrementally |
| Groupthink in risk workshops | Same participants, same room, same biases | Use anonymous pre-workshop surveys. Rotate participants. Include frontline staff, not just managers |
| Risk analysis disconnected from strategy | Risk function operates in a silo | Map every strategic objective to its top 3-5 risks. Present risk analysis alongside business cases, not separately |
| Ignoring risk velocity | Traditional matrices only capture likelihood and impact | Add a velocity dimension: how fast could this risk materialize? Fast-moving risks need different treatment timelines |
| No escalation protocol | Unclear thresholds for when a risk demands executive attention | Define KRI thresholds with red/amber/green bands. Auto-escalate when any KRI crosses red. Document in risk appetite statement |
| Failure to learn from near-misses | Incident reporting culture is punitive or absent | Implement a no-blame near-miss reporting system. Feed near-miss data back into risk identification and analysis cycles |
The risk analysis discipline is evolving rapidly, driven by technology, regulation, and a changing threat landscape. Here are the shifts we see reshaping how to conduct risk analysis over the next two to three years.
The risk analysis discipline is evolving rapidly, driven by technology, regulation, and a changing threat landscape. Here are the shifts we see reshaping how risk analysis is conducted over the next two to three years.
AI-powered risk analysis is moving from pilot to production. Deloitte’s 2025 Tech Value Survey found that 74% of organizations are actively investing in AI capabilities, allocating an average of 36% of digital initiative budgets to AI.
Yet only 6% currently use AI to assist in risk identification. That gap will close rapidly as natural language processing tools scan regulatory filings, news feeds, and incident databases to surface emerging risks in real time.
The risk analysis process will shift from periodic workshops to continuous, AI-augmented monitoring.
Integrated risk and resilience platforms are replacing point solutions. Organizations are consolidating risk analysis, business continuity, compliance, and audit management into unified platforms.
The NIST Cybersecurity Framework 2.0 reflects this convergence, with its new “Govern” function embedding risk analysis into enterprise governance rather than treating it as a standalone activity.
Approximately 68% of large enterprises already implement integrated governance frameworks (MarketsandMarkets), and cloud-based risk monitoring is adopted by 59%.
Personal liability for risk failures is reshaping accountability. CISOs, CROs, and CCOs now face potential criminal charges, SEC enforcement actions, and personal financial liability for risk management failures.
This trend, highlighted by Verdantix’s 2026 predictions, means risk analysis outputs must be defensible, documented, and traceable. The days of informal risk discussions with no audit trail are over.
Supply chain and third-party risk analysis is becoming non-negotiable. With the Black Kite cascade ratio at 5.28x and regulatory frameworks increasingly mandating third-party risk oversight, organizations that limit their risk analysis to internal operations are exposed.
Expect DORA-style regulations to expand beyond financial services, requiring documented risk analysis of critical third-party dependencies across all sectors.
Ready to learn how to conduct risk analysis effectively? Our team helps organizations design, implement, and mature risk analysis frameworks aligned to ISO 31000 and COSO ERM. Explore our risk management services or contact us for a consultation.
References
1. ISO 31000:2018 Risk Management Guidelines
2. COSO Enterprise Risk Management — Integrating with Strategy and Performance
3. Gartner Emerging Risks in Audit and Risk Management (2025-2026)
4. 50+ Risk Management Statistics to Know in 2026 (Secureframe)
5. Enterprise Risk Management Market Forecast 2025-2030 (MarketsandMarkets)
6. NIST Special Publication 800-30 Rev. 1: Guide for Conducting Risk Assessments
7. NISTIR 8286: Integrating Cybersecurity and Enterprise Risk Management
8. Cybersecurity Statistics 2025-2026: Global Risk and Breach Metrics
9. Black Kite Third-Party Breach Report 2026
10. ERM Trends for 2026 (Diligent)
11. Risk Management in 2026: Key Predictions (Verdantix)
12. NIST Cybersecurity Framework 2.0
13. Risk Assessment Methodology Best Practices (TrustCloud)
14. Risk Analysis: How To, Types, and Examples (Monday.com, 2026)
15. 12 Top Enterprise Risk Management Trends in 2025 (TechTarget)
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.