Risk assessment sits at the heart of Enterprise Risk Management (ERM). It is the mechanism that turns abstract concerns into something organisations can discuss, prioritise, and act on.
Yet despite its importance, risk assessment is often one of the least consistently understood parts of ERM. Different organisations - and sometimes different teams within the same organisation - assess risk in fundamentally different ways. Some rely heavily on experience and judgement. Others use structured formulas. A smaller number attempt fully quantitative, financial modelling.
None of these approaches is inherently "wrong". The real challenge is understanding what each approach actually does, where it works well, where it breaks down, and how to choose the right level of sophistication for your organisation.
This guide walks through the most common approaches to assessing risk, from manual judgement through to advanced quantitative techniques, and explains how they are typically used in practice.
Why Risk Assessment Matters
Risk assessment is not an academic exercise. Its purpose is to support decisions:
- Which risks matter most right now?
- Where should limited resources be focused?
- Which issues need escalation to senior management or the board?
- How much residual risk is the organisation actually carrying?
If a risk assessment approach cannot answer those questions in a way that decision-makers understand and trust, it fails - regardless of how sophisticated it looks.
The Risk Assessment Spectrum
In practice, most organisations sit somewhere along a spectrum of approaches. Maturity does not mean abandoning simpler methods; it usually means being deliberate about which method is used where.
Broadly, risk assessment approaches fall into four categories:
- Judgement-based (manual residual risk setting)
- Formula-based (structured residual risk calculations)
- Scenario-based and semi-quantitative methods
- Fully quantitative and financial risk modelling
1. Judgement-Based Risk Assessment (Manual Residual Position)
This is the most common starting point.
The process typically looks like this:
- Define the inherent risk (before controls)
- Identify key controls in place
- Apply professional judgement to determine the residual risk
The residual position is often set directly by the risk owner or risk team, informed by experience, intuition, and knowledge of the business. For this to be defensible, the organisation needs an accurate and well-understood set of financial and non-financial impact and likelihood matrices, so that the risk owner can articulate why the residual position is where it is. Without that shared reference point, the approach becomes hard to explain to boards, regulators, or auditors.
Why organisations use it
- Simple and quick to implement
- Low data requirements
- Works reasonably well in small teams with experienced staff
- Familiar to most risk practitioners
Where it struggles
- Highly subjective and difficult to challenge
- Inconsistent between assessors
- Hard to explain to boards, regulators, or auditors
- Poor audit trail ("why did this move from Medium to Low?")
This approach relies heavily on who is doing the assessment. When those people leave, the logic often leaves with them.
When the Risk Director Left: No One Could Explain the Scores
A 400-person financial services firm had relied on their Head of Risk to set residual risk positions across the entire register. He used 15 years of experience and "knew" why each risk was Medium or Low. When he left, his successor inherited a risk register with no documented rationale. The regulator asked "Why is this cyber risk scored Medium and that one High?" The new team had to reverse-engineer the logic from old emails and conversations. It took six months to rebuild a defensible methodology. The lesson: judgement-based assessment only works as long as the person doing it is there to explain it.
2. Formula-Based Risk Assessment (Structured Residual Calculations)
The next step along the spectrum introduces explicit logic and formulas, while still relying on qualitative inputs.
This is the most common approach in structured ERM frameworks.
How it typically works
Organisations define rules such as:
- Categorising controls (preventive, detective, corrective)
- Assigning control importance or strength
- Assessing operating effectiveness (e.g. effective, partially effective, ineffective)
- Applying formulas that adjust inherent likelihood and/or impact to derive residual risk
For example:
- A strong, effective preventive control may reduce likelihood
- A weak detective control may have minimal impact on residual risk
- Multiple controls may compound or offset each other
The exact formulas vary widely, but the key point is this:
the residual position is calculated, not simply chosen.
Why organisations use it
- More consistent and repeatable
- Easier to explain and defend
- Enables trend analysis and comparison
- Provides a clear audit trail
Common pitfalls
- False confidence if control scoring is poor
- Overly complex formulas that few understand
- Treating all controls as equal
- Forgetting that judgement still exists upstream (in scoring)
This approach is still qualitative at its core - but the logic is transparent, which is often more important than precision.
From Gut Feel to Defensible: How a Mid-Sized Insurer Fixed Its Risk Scoring
A UK general insurer with 200 staff had always set residual risk by "risk owner judgement" - which meant inconsistent scores and no clear story for the PRA. They introduced a simple formula: preventive controls reduce likelihood, detective controls don't; control effectiveness (effective / partially effective / ineffective) then adjusts the result. Within a year, every risk had a documented trail: "Inherent High, two effective preventive controls → Residual Medium." When the regulator asked how they derived residual risk, they could show the logic in one page. Board and audit sign-off became straightforward. The formula wasn't fancy - but it was explainable, and that made all the difference.
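The rules described above (control type decides which dimension moves, importance and operating effectiveness decide by how much, and the result is recorded step by step) can be made concrete in a few dozen lines. The example below is added here and is not the article's, the insurer's, or any vendor's scoring logic: the weights, the two-step cap, the 1 to 5 scales and the rating bands on likelihood x impact are assumptions chosen for illustration, as are the control names. It reproduces the insurer's one-line story (inherent High, two effective preventive controls gives residual Medium) and also shows why a weak detective control moves nothing, while returning an audit trail alongside the score.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

# --- Assumed scoring conventions (illustrative; not the article's or any vendor's rules) ---
EFFECTIVENESS = {"effective": 1.0, "partially effective": 0.5, "ineffective": 0.0}
IMPORTANCE = {"key": 1.0, "standard": 0.5}
# Each control type reduces one dimension of the inherent score, at a weight.
# Detective controls only soften impact (faster discovery), and at half weight.
TYPE_RULE = {
    "preventive": ("likelihood", 1.0),
    "detective": ("impact", 0.5),
    "corrective": ("impact", 1.0),
}
MAX_STEPS = 2  # diminishing returns: a control set moves a dimension at most two steps
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Very High")]  # likelihood x impact


def band(likelihood: int, impact: int) -> str:
    """Map a likelihood x impact product on the 1..5 scales to a rating band."""
    score = likelihood * impact
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError("likelihood and impact must be on the 1..5 scale")


@dataclass(frozen=True)
class Control:
    name: str
    ctype: str          # preventive | detective | corrective
    importance: str     # key | standard
    effectiveness: str  # effective | partially effective | ineffective


@dataclass
class Residual:
    likelihood: int
    impact: int
    rating: str
    trail: List[str]  # one line per step, so the derivation can be shown to an auditor


def residual_risk(inherent_likelihood: int, inherent_impact: int,
                  controls: List[Control]) -> Residual:
    """Derive residual risk from inherent scores and the control set, with an audit trail."""
    if not (1 <= inherent_likelihood <= 5 and 1 <= inherent_impact <= 5):
        raise ValueError("inherent scores must be on the 1..5 scale")
    points: Dict[str, float] = {"likelihood": 0.0, "impact": 0.0}
    trail = [f"Inherent {band(inherent_likelihood, inherent_impact)} "
             f"(L{inherent_likelihood} x I{inherent_impact})"]
    for c in controls:
        dimension, weight = TYPE_RULE[c.ctype]
        contribution = weight * IMPORTANCE[c.importance] * EFFECTIVENESS[c.effectiveness]
        points[dimension] += contribution
        trail.append(f"{c.name}: {c.importance} {c.ctype}, {c.effectiveness} "
                     f"-> {contribution:.2f} {dimension} point(s)")
    # Whole steps only, capped: partial credit never moves a score on its own,
    # and piling on controls cannot drive a dimension below the cap.
    steps = {d: min(MAX_STEPS, math.floor(p)) for d, p in points.items()}
    likelihood = max(1, inherent_likelihood - steps["likelihood"])
    impact = max(1, inherent_impact - steps["impact"])
    rating = band(likelihood, impact)
    trail.append(f"Steps applied: likelihood -{steps['likelihood']}, impact -{steps['impact']}")
    trail.append(f"Residual {rating} (L{likelihood} x I{impact})")
    return Residual(likelihood, impact, rating, trail)


if __name__ == "__main__":
    # Constructed control set (names are made up) mirroring the insurer's one-liner:
    # inherent High, two effective preventive controls -> residual Medium.
    controls = [
        Control("Pre-trade limit check", "preventive", "key", "effective"),
        Control("Four-eyes approval", "preventive", "key", "effective"),
        Control("Monthly exception report", "detective", "standard", "partially effective"),
    ]
    result = residual_risk(4, 3, controls)
    print("\n".join(result.trail))
```

The trail is the point: every residual score carries the lines that produced it, so "why did this move from High to Medium?" is answered by the record rather than by whoever set it. The flooring rule is the kind of decision that needs to be written into the methodology, because a different convention (rounding, or letting several weak controls accumulate) would change the answer without changing the controls.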
3. Scenario-Based and Semi-Quantitative Approaches
As organisations mature, some introduce scenario analysis and loss estimation alongside traditional scoring.
This may include:
- Defining plausible risk scenarios
- Estimating frequency bands (e.g. once per year, once per decade)
- Estimating impact ranges (£, operational disruption, customer impact)
- Stress-testing assumptions
- Linking scenarios to strategic objectives
These approaches are often used for:
- Operational resilience
- Cyber risk
- Financial crime
- Major regulatory or conduct risks
Why organisations use them
- Bridges qualitative and quantitative thinking
- More intuitive for executives
- Encourages forward-looking discussion
- Supports contingency planning
Limitations
- Still dependent on assumptions
- Can become time-consuming
- Quality varies significantly with facilitation skill
This approach is particularly effective when used selectively for the most material risks, rather than across the entire risk universe.
4. Fully Quantitative and Financial Risk Modelling
At the far end of the spectrum are fully quantitative approaches, often borrowed from finance, insurance, or engineering disciplines.
These may include:
- Loss distribution modelling
- Expected loss calculations
- Monte Carlo simulations
- Value-at-Risk (VaR) style techniques
- Capital modelling
These methods attempt to express risk explicitly in financial terms, often producing probability distributions rather than single scores.
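The semi-quantitative inputs from section 3 (a frequency band such as "once every two years" and an impact range with a low, most likely and high value) are exactly what a simple loss distribution model consumes. The example below is added here and is not code from the article or any of the tools it mentions: it assumes a compound model with Poisson event counts per year and a triangular severity per event, constructed scenario inputs (the figures are invented), and a fixed random seed so that the run is reproducible. It returns the quantities the section names: expected annual loss, a VaR-style percentile of the annual loss, and the probability of breaching a stated tolerance.

```python
import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: fine for the small event rates scenario work produces."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(events_per_year: float, low: float, mode: float, high: float,
                           years: int = 20_000, seed: int = 7) -> List[float]:
    """Compound model (assumption): Poisson event count per year, triangular severity per event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        n = poisson(rng, events_per_year)
        annual.append(sum(rng.triangular(low, high, mode) for _ in range(n)))
    return annual


def summarise(annual: List[float], tolerance: float) -> Dict[str, float]:
    """Turn simulated annual losses into the figures a board discussion needs."""
    ranked = sorted(annual)
    n = len(ranked)
    return {
        "expected_annual_loss": sum(ranked) / n,
        "p_no_loss": sum(1 for x in ranked if x == 0) / n,
        "var_95": ranked[int(0.95 * n)],   # annual loss exceeded in 1 year in 20
        "var_99": ranked[int(0.99 * n)],   # annual loss exceeded in 1 year in 100
        "p_exceed_tolerance": sum(1 for x in ranked if x > tolerance) / n,
    }


def assess_scenario(events_per_year: float, low: float, mode: float, high: float,
                    tolerance: float, years: int = 20_000, seed: int = 7) -> Dict[str, float]:
    return summarise(simulate_annual_losses(events_per_year, low, mode, high, years, seed),
                     tolerance)


if __name__ == "__main__":
    # Constructed scenario inputs (illustrative, not real data): a ransomware event roughly
    # once every two years, a single-event cost between £50k and £1.5m with £200k most
    # likely, and a board loss tolerance of £1m in any one year.
    result = assess_scenario(0.5, 50_000, 200_000, 1_500_000, tolerance=1_000_000)
    for key, value in result.items():
        if key.startswith("p_"):
            print(f"{key:>22}: {value:.3f}")
        else:
            print(f"{key:>22}: £{value:,.0f}")
```

The expected annual loss is simply the event rate times the mean severity, which a spreadsheet would also give; what the simulation adds is the shape of the tail, and that is where the false-precision warning bites. Every output here is driven by the three severity figures and the frequency band the workshop agreed on; change the high value from £1.5m to £5m and the 99th percentile moves far more than the expected loss does. The model is only as defensible as the record of where those inputs came from.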
Why organisations use them
- Powerful for capital-intensive or highly regulated sectors
- Enables aggregation and portfolio views
- Supports capital allocation and pricing decisions
- Aligns closely with financial decision-making
Why they are difficult
- Data-hungry
- Assumption-heavy
- Easy to misinterpret
- Can create false precision if poorly governed
Without strong data governance and risk expertise, these techniques often produce numbers that look authoritative but are not well understood.
Where These Approaches Typically Sit in an Organisation
In practice, different risk assessment approaches tend to live in different parts of an organisation. This isn't accidental, and it doesn't necessarily indicate maturity or immaturity - it reflects skills, mandates, and decision-making needs.
Understanding where each approach usually sits helps set realistic expectations about what ERM can (and can't) do on its own.
Judgement-Based and Formula-Based Approaches
(Enterprise Risk & Control Teams - First and Second Line)
Judgement-based and formula-driven risk assessments most commonly sit with:
- Enterprise Risk Management teams
- Compliance and control functions
- Second line risk teams
- In some cases, risk owners in the first line
Formula-based approaches in particular strike a practical balance here. They introduce consistency and transparency, remain understandable to non-specialists, and scale across a broad risk universe. This is why they are so prevalent in enterprise risk frameworks.
Scenario Analysis and Stress Testing
(Shared Between Risk, Finance, and Strategy)
Scenario-based approaches often sit across multiple functions. They are commonly led or facilitated by risk teams, strategy teams, finance functions, or executive workshops. Scenario analysis works well as a bridging tool - and is often used selectively for top enterprise risks, operational resilience programmes, regulatory stress testing, or strategic planning.
Quantitative and Financial Risk Modelling
(Finance, Actuarial, Treasury, or Specialist Teams)
Fully quantitative techniques most commonly sit outside traditional ERM teams - owned by Finance, Actuarial, Treasury, or specialist risk modelling groups. In many organisations, these models exist in parallel to ERM rather than within it. Clarity about boundaries matters.
How Initia Risk Supports Both Approaches
Initia Risk is built to support the approaches that matter most for day-to-day ERM: formula-based residual risk and judgement-based (qualitative) residual risk, so you can choose what fits your methodology - or use both in the same framework.
Formula-based: The platform calculates residual risk from control type (preventive, detective, corrective), control importance, and operating effectiveness. You define the rules; Initia applies them consistently and gives you a clear audit trail so you can show regulators and the board how each residual position was derived.
Judgement-based: Where you prefer risk owners to set the residual position directly, Initia allows qualitative override. This works best when it is grounded in an accurate and well-understood set of financial and non-financial impact and likelihood matrices, so the risk owner can articulate why the residual position is as it is. In Initia, those matrices are fully customisable in the tool, so you can define and maintain them in one place. Owners can input net risk based on experience and context, while the system still records who set it and when, so you keep accountability without forcing a formula where it doesn't fit.
That means you can run a formula-driven approach for most risks and use owner judgement where it makes sense - or start with judgement and introduce formulas as you mature. The goal is the same as this guide: assessment that is clear, explainable, and aligned to how decisions are actually made.
Bringing It All Together
Risk assessment is ultimately a tool for conversation and decision-making.
Whether you use gut feel, formulas, or financial models, the test is simple:
Does this help the organisation understand its risks well enough to act?
If the answer is yes, the approach is working.
If the answer is no, adding more complexity rarely fixes the problem.
The strongest ERM frameworks are not the most sophisticated - they are the ones where the assessment approach is clear, explainable, and aligned to how decisions are actually made.
For the terminology behind the scores, see gross risk vs net risk vs residual risk explained. To understand how these assessments feed into a broader programme, read how to build an ERM framework. And for the process of running first-line assessments in practice, see how to run an effective RCSA step-by-step.
For the visual layer most boards see, read our piece on the 5×5 risk matrix and heat maps. And for the underlying record that holds the scores together, see what a risk register actually is and what good looks like.