Security Program & Risk · Jun 16, 2026 · 12 min read

Risk assessment: how to run one step by step

A risk assessment is the foundation of any serious security program. Without it you invest at random. Here is how to run a risk assessment step by step and turn it into a plan.
Risk analyst reviewing a risk matrix and heat map on screen.

A risk assessment is the foundation of any serious security program. Without one, a company invests at random: it buys tools that solve problems it may not have, and it overlooks the risks that can actually hurt it. A risk assessment answers a simple but essential question: what can happen to us, how likely is it, and how much would it cost. This post explains how to run a risk assessment step by step and turn it into a concrete plan.

This is part of our security program overview. We run risk assessments through governance, risk, and compliance.

What a risk assessment is

A risk assessment is a structured process of identifying what valuable things you own, what they are exposed to, and how much it would cost you if something went wrong. Risk is not the same as a threat: risk is the combination of the likelihood that a threat is realized and the impact it would have. So you do not look only at threats, but also at how likely they are and how much they would harm your specific company.

The steps of a risk assessment

An assessment follows a recognizable sequence of steps, aligned with established frameworks.[1]

  1. Inventory your assets. Identify what you protect: the data, systems, processes, and people that matter to the company.
  2. Identify threats and vulnerabilities. For each asset, consider what threatens it and where it is weak.
  3. Assess likelihood and impact. For each risk, rate how likely it is and how large the damage would be.
  4. Determine the risk level. Combine likelihood and impact into a rating that lets you compare and prioritize.
  5. Decide how to treat it. For each risk, decide whether to reduce, transfer, accept, or avoid it.

How to determine the risk level

The most common tool is a risk matrix, which combines likelihood and impact into a simple rating. It does not have to be complex: even a low, medium, and high scale is enough to rank risks by importance. The goal is not perfect precision but consistent comparison that helps you decide where to invest first.

Impact \ Likelihood    Low likelihood    High likelihood
Low impact             Low risk          Medium risk
High impact            Medium risk       High risk

A simplified risk matrix.

What to do with a risk after the assessment

An assessment is only valuable if it leads to action. For each risk there are four options: reduce it with controls, transfer it (for example through insurance or to a provider), accept it if it is low, or avoid it by stopping the risky activity. These decisions and their tracking make up risk management, the continuous process that follows the assessment.
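The five steps, the matrix and the treatment rule above, as a small risk register in Python. This is an added example, not code from the post or from Raptoric; the asset names and ratings are constructed, and it extends the post's low/high matrix with a "medium" rating (an assumption) while keeping the four cells of the table unchanged.

```python
from dataclasses import dataclass

# Ordinal ratings. The post's matrix uses low/high; "medium" is an added
# middle step (assumption) so a three-level scale works the same way.
RATING = {"low": 1, "medium": 2, "high": 3}
TREATMENTS = {"reduce", "transfer", "accept", "avoid"}

@dataclass
class Risk:
    asset: str           # step 1: what you protect
    threat: str          # step 2: what threatens it
    vulnerability: str   # step 2: where it is weak
    likelihood: str      # step 3
    impact: str          # step 3
    treatment: str = ""  # step 5: reduce / transfer / accept / avoid

def risk_level(likelihood: str, impact: str) -> str:
    """Step 4: adding the two ordinal scores reproduces the post's 2x2
    matrix (low+low=low, low+high=medium, high+high=high) and extends it
    with a medium rating without changing those four cells."""
    if likelihood not in RATING or impact not in RATING:
        raise ValueError(f"ratings must be one of {sorted(RATING)}")
    score = RATING[likelihood] + RATING[impact]
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

def prioritize(register: list[Risk]) -> list[tuple[str, Risk]]:
    """Rank risks: highest level first, then highest impact, then likelihood."""
    rated = [(risk_level(r.likelihood, r.impact), r) for r in register]
    key = lambda t: (RATING[t[0]], RATING[t[1].impact], RATING[t[1].likelihood])
    return sorted(rated, key=key, reverse=True)

def check_treatment(level: str, treatment: str) -> str:
    """Step 5: the post allows 'accept' only for low risks; the rest need
    reduce, transfer or avoid. Returns 'ok' or a description of the problem."""
    if treatment not in TREATMENTS:
        return f"unknown treatment '{treatment}'"
    if treatment == "accept" and level != "low":
        return f"a {level} risk cannot simply be accepted"
    return "ok"

# Constructed sample register, not real assessment data.
REGISTER = [
    Risk("lobby kiosk", "vandalism", "unattended", "low", "low", "accept"),
    Risk("staff laptops", "theft", "no disk encryption", "medium", "high", "accept"),
    Risk("file share", "ransomware", "no offline backups", "high", "high", "reduce"),
]

if __name__ == "__main__":
    for level, risk in prioritize(REGISTER):
        print(f"{level:6} {risk.asset:14} -> {check_treatment(level, risk.treatment)}")
```

Running it lists the file share first and flags the laptop risk, because a high risk was marked "accept" instead of being reduced, transferred or avoided.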

A risk assessment is not just good practice; it is a requirement. ISO 27001 requires a risk assessment as the foundation of the management system, and NIS2 and DORA require risk management based on that assessment. A well-run assessment therefore covers several obligations at once.

How Raptoric helps

We run a risk assessment tailored to your company and turn it into a prioritized plan, through governance, risk, and compliance. Book a scoping call.

Frequently asked questions

What is the difference between a risk and a threat?
A threat is something that can harm you, while a risk is the combination of the likelihood that the threat is realized and the impact it would have. That is why you weigh both likelihood and damage, not just whether a threat exists.
Does a risk assessment have to be complex?
No. Even a simple low, medium, and high scale is enough to rank risks by importance. The goal is consistent comparison that helps you decide where to invest first, not perfect precision.
How often should you run a risk assessment?
At least once a year, and after every major change in the company, technology, or threat landscape. An assessment is not a one-time document but a basis that needs regular refreshing.
Do regulations require a risk assessment?
Yes. ISO 27001 requires a risk assessment as the foundation of the management system, and NIS2 and DORA require risk management based on that assessment. A well-run assessment covers several obligations at once.

Sources

  1. NIST. SP 800-30: Guide for Conducting Risk Assessments. National Institute of Standards and Technology, 2012.
  2. ISO/IEC. ISO/IEC 27005: Information security risk management. International Organization for Standardization, 2022.