FortaRisks
Governance and risk management

Risk assessment

A risk assessment is the process of identifying the threats to an organization's assets, evaluating their likelihood and impact, and deciding how to treat them. It is the methodological core of risk management and a central requirement of standards such as ISO 27001.

Updated on July 2, 2026

What is a risk assessment?

A risk assessment is the structured process by which an organization identifies what can go wrong, evaluates how likely and how severe it is, and decides what to do about it. It ties abstract threats to concrete assets and to a measurable impact on the organization.

It is the method that makes security rational. Rather than protecting everything the same way, you concentrate effort where the risk warrants it, against explicit criteria.

Why it matters for your organization

A risk assessment is the foundation of any defensible security decision. It justifies why you invest here rather than there, and lets you account for those choices to leadership, auditors and regulators.

It is also an explicit requirement of many frameworks. ISO 27001, for example, places risk assessment at the center of the management system: without it, compliance has no foundation.

The key steps

  • Identification: assets, threats and vulnerabilities.
  • Estimation: likelihood and impact of each risk.
  • Evaluation: ranking against criteria and risk appetite.
  • Treatment: reduce, transfer, avoid or accept.
  • Monitoring: periodic reassessment and on any significant change.

Where organizations most often fall short

The classic trap is treating the risk assessment as a one-off deliverable produced for an audit, then forgotten. A risk assessed once and never revisited quickly loses relevance. The other mistake is scoring by gut feel, without data or method: the assessment looks rigorous but rests on impressions.

Frequently asked questions

What are the steps of a risk assessment?

Identify the assets and the threats targeting them, estimate the likelihood and impact of each risk, prioritize the resulting risks, then decide on treatment: reduce, transfer, avoid or accept. Everything is documented to be defensible and reassessed periodically.

Qualitative or quantitative risk assessment?

The qualitative approach places risks on ordinal scales (low, medium, high) and suits most organizations. The quantitative approach expresses risk in financial values; it is more precise but more data-intensive. Many combine the two: qualitative scoring to triage, quantitative estimation for the major risks.
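The key steps listed above and the combined qualitative/quantitative approach from this answer, worked through as an added example (this is not FortaRisks' code or method): a small Python risk register that scores every risk qualitatively on likelihood and impact, ranks the scores against a risk appetite threshold, and then, only for the risks above appetite, computes an annual loss expectancy (single loss expectancy times annual rate of occurrence) to choose between reducing and transferring. The 1-5 scales, the appetite threshold of 12, the treatment decision rule and the sample register are all constructed assumptions, not values from the page.

```python
"""Risk register scoring: qualitative triage of every risk, then quantitative
estimation and a treatment decision for those above appetite.

Added example, not FortaRisks' own code or method. The ordinal scales,
the appetite threshold, the decision rule and the sample register are
all constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed 1-5 ordinal scales (organizations define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk appetite: a score at or above this is "high" and must be treated.
APPETITE_THRESHOLD = 12
MEDIUM_THRESHOLD = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    # Quantitative inputs, filled in only for risks that survive triage.
    single_loss_expectancy: Optional[float] = None     # cost of one occurrence
    annual_rate_of_occurrence: Optional[float] = None  # expected occurrences per year
    control_cost: Optional[float] = None               # yearly cost of the candidate control


def qualitative_score(risk: Risk) -> int:
    """Estimation step: likelihood x impact on the ordinal scales."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(score: int) -> str:
    """Evaluation step: rank the score against the appetite thresholds."""
    if score >= APPETITE_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def annual_loss_expectancy(risk: Risk) -> Optional[float]:
    """Quantitative estimate: expected loss per year (SLE x ARO), if data exists."""
    if risk.single_loss_expectancy is None or risk.annual_rate_of_occurrence is None:
        return None
    return risk.single_loss_expectancy * risk.annual_rate_of_occurrence


def treatment(risk: Risk) -> str:
    """Treatment step under a simplified, constructed decision rule:
    accept anything within appetite; above appetite, reduce when a control
    is cheaper than the expected annual loss, otherwise transfer (or avoid).
    A risk above appetite without quantitative data is flagged for data first."""
    if rating(qualitative_score(risk)) != "high":
        return "accept"
    ale = annual_loss_expectancy(risk)
    if ale is None or risk.control_cost is None:
        return "needs quantitative data"
    return "reduce" if risk.control_cost < ale else "transfer"


def assess(register: list[Risk]) -> list[dict]:
    """Run every step over a register and return it ranked, highest risk first."""
    rows = []
    for risk in register:
        score = qualitative_score(risk)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "score": score,
            "rating": rating(score),
            "ale": annual_loss_expectancy(risk),
            "treatment": treatment(risk),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "likely", "severe",
         single_loss_expectancy=500_000, annual_rate_of_occurrence=0.2, control_cost=40_000),
    Risk("primary data center", "regional flood", "possible", "severe",
         single_loss_expectancy=2_000_000, annual_rate_of_occurrence=0.02, control_cost=300_000),
    Risk("marketing website", "defacement", "possible", "minor"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:22} {row['threat']:16} score={row['score']:2} "
              f"{row['rating']:6} ALE={row['ale']} -> {row['treatment']}")
```

Only the two risks scoring above the appetite threshold carry quantitative inputs, which is the division of labour the answer describes: the cheap qualitative pass triages the whole register, and the data-intensive financial estimate is spent only where the ranking says it matters. Recording the scales and threshold alongside the register is what keeps the scoring defensible rather than gut feel, and re-running the same function on the next review makes the periodic reassessment comparable with the previous one.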

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.