crisc-d2-risk-assessment-risk-analysis-methodologies

Risk Analysis Methodologies

isaca-crisc · framework · Production-ready

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Risk Analysis Methodologies

Risk analysis methodologies are structured analytical approaches that convert raw threat and vulnerability data into actionable risk scores, ratings, or financial exposure estimates — enabling decision-makers to compare risks against risk appetite and justify control investments. Within ISACA CRISC, risk analysis sits between risk identification (upstream: threat modeling, BIA, vulnerability analysis) and risk response (downstream: control selection, risk register population). Two primary method families exist: Quantitative methods express risk in financial terms using probability × impact calculations (e.g., ALE = SLE × ARO). Qualitative methods express risk using descriptive scales such as High/Medium/Low based on calibrated expert judgment. Most mature organizations apply a Hybrid approach — qualitative screening to identify which risks warrant deeper analysis, followed by quantitative modeling for financially material risks.

Where it stops · what it isn't

—IS: Estimating likelihood and impact of identified risks to produce a risk rating, score, or financial exposure figure
—IS: Selecting and applying specific techniques (ALE, risk matrix, Monte Carlo simulation, Delphi, three-point estimation) appropriate to data availability and organizational context
—IS NOT: Risk Identification — discovering and cataloging threats and vulnerabilities is a preceding step; analysis assumes risks are already identified
—IS NOT: Risk Response/Treatment — deciding to accept, mitigate, transfer, or avoid a risk follows analysis; analysis informs but does not make that decision
—IS NOT: Threat Modeling — characterizing attacker behaviors, TTPs, and attack paths is a distinct upstream process that supplies likelihood inputs to risk analysis
—IS NOT: Vulnerability Assessment — technical scanning and control gap analysis provides raw input data but is not itself risk analysis
—IS NOT: Risk Monitoring — tracking whether risk levels change over time is a downstream activity; risk analysis produces a point-in-time or periodic risk estimate

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

REQUIRES

Business Impact Analysis (BIA)Threat ModelingVulnerability Analysis

ENABLES

Risk Register PopulationRisk Response and Control SelectionRisk Scenario Development

RELATED TO

Inherent Risk / Residual Risk / Current Risk Assessment

PART OF

IT Risk Assessment (CRISC Domain 2)

CONSTRAINS

Risk Appetite and Tolerance Thresholds

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.