
14 methods and tools to manage risk



According to a survey conducted by PWC, companies with sustained growth and higher profit margins are those that adopt a comprehensive risk management program. Therefore, managing risk increases profitability.

Contrary to what many may think, risk management is not only necessary in the financial sector. It is also an obligation for SMEs and the productive sector. But for this to be done in the best possible way, any organization must use a variety of methods and techniques that enable it to address threats in a systematic and organized manner. Below, we will discuss the main methods and tools to do so in each of the phases of management: identification, assessment and rating.

Methods for identifying risk

The risk management process begins with the identification of threats. To recognize them properly, there are different methods of risk analysis, which can be classified into two types: deductive and inductive.

Normally, a procedure is followed to recognize failures and errors, which will allow a solution to be established for each of these events. These are some of them:

What if

The what if analysis is used at the preliminary stage of management when risks are identified. This method consists of scheduling meetings with experts who know a specific process in detail. At the initial meeting, questions are raised to detect future risks. The following meetings are to find causes, consequences and actions.

Preliminary Risk Analysis (PRA)

This risk management methodology serves to identify potential risks at the start of a project. Since it involves a systemic analysis, each phase of a specific process is addressed. By breaking it down into its parts, general risks can be associated with particular stages.

With this information, the register table is completed, recording the risks, causes, consequences and categories.

Five whys

The purpose of this risk management approach is to recognize the root cause of a problem. Through repetitive questions, the origins of a risk event are identified.  

This risk methodology consists of group work in which the problem is presented and questions are asked that lead to deciphering its root cause. The number of questions asked will depend on the complexity of the event being analyzed.

FMEA (Failure Mode and Effects Analysis)

The FMEA method aims to identify, classify and eliminate in advance the failures in a company's projects or processes.

This risk management approach begins with the identification of errors. These are then classified by rating the risks according to frequency, severity, and detection. After they have been classified and prioritized, the most serious failures are established and addressed as a matter of priority.


Checklists

Checklists are used by an organization to ensure that appropriate actions are being taken to mitigate risks.

Requirements are recorded in order to track risks and follow up on prevention recommendations. Next to each condition, the boxes for the tasks that have already been completed are ticked. Thanks to this ease of use, when the methods of risk analysis are compared, checklists stand out for helping in the decision-making process.


SWOT matrix

The SWOT matrix is one of the methods you need to know to manage risk. SWOT consists of the analysis of strengths, weaknesses, opportunities and threats. This method begins with an internal analysis, which identifies the strengths and weaknesses of the business. The external context is then analyzed to identify opportunities and threats.

Ishikawa Diagram

This risk management approach is also known as the fishbone diagram. It takes into account all the factors involved in a production process: material, method, measurement, machine, environment and labor.

Through brainstorming or creativity sessions, we try to achieve a better understanding of the causes of a failure or problem. 

Risk analysis questionnaire

The questionnaire consists of developing a series of questions to define the likelihood that loss events will occur.  Each of the questions touches on issues that may involve some risk. After the list has been made, it should be reviewed and supplemented according to the requirements of each project or process.

Process flowchart

This risk analysis tool illustrates the operating sequence of a process, which is why it is important to determine the flow of a company's activities.

When preparing these diagrams, nomenclature standardized by organizations such as ISO and ANSI is used, which facilitates their understanding regardless of the process being described.

Analysis of financial statements and other company information

Based on the analysis of financial statements, the errors and mistakes that an organization made in previous projects are assessed. This way, the problems and losses caused by a risk situation are identified. Having this panorama facilitates the understanding of the business and its processes. With that information at hand, managers can define the likelihood that those errors and failures will recur, and thus be able to take timely preventive action.


Inspection

Inspection is carried out in order to monitor the general industry or assembly context. As a result, risks are identified more impartially, since the conclusions are drawn after observing the company's processes and human resources firsthand.

Methods for assessing risks

There are two types of methods for rating and assessing risk: the qualitative method and the quantitative method.

Qualitative method

This method for assessing risks is used when time and budget are scarce, as it requires less investment of resources. Qualitative analysis takes into account threats, vulnerabilities, impact and, occasionally, controls.

In order to reduce the degree of subjectivity and improve the degree of accuracy, techniques specific to the quantitative method are used. 

Quantitative method

The quantitative method uses mathematical techniques and statistics to collect relevant information. Based on this data, a numerical value is assigned to the materialization of an event. Therefore, it is the method that allows the association of a probability and its corresponding distribution to the risk event and its consequences.

The quantitative analysis is usually performed once the qualitative analysis has been done, although they can also be done independently or even simultaneously. In any case, it is important to carry them out as a complement that further enriches the analysis.

The decision regarding which method to use will depend on a series of factors such as the nature of the company, the availability of money, the quality of the available information and time.

Tools for managing risk

In addition to methods for identifying and assessing risk, there is a set of tools that facilitate analysis, such as checklists, the risk or control matrix, and risk management software.



Checklists

Risk management checklists are used in internal audit processes. They are used to identify critical points and verify that prevention and impact mitigation procedures are being fully complied with.

The process for developing a checklist is as follows:

  • Define risk sources.
  • Divide the aspects of the project.
  • Ask questions to address potential problems.
  • Answer the questions.
  • Use the results to make decisions. 

Control matrix

The probability and impact matrix, also known as the risk matrix, is used to identify, rate and assess risks. This way, the most urgent are addressed as a matter of priority. An Excel table shows the likelihood, from 1 to 5, that a risk will materialize: 5 means it is almost certain to happen and 1 means it is very unlikely. This matrix helps to recognize threats and their causes in order to propose preventive measures.

A probability and impact matrix is used to classify risks, their sources and treatments. The matrix is used as a means to facilitate analysis after risks have been identified. The most urgent are selected, responsibilities are assigned and the acceptance level is established.  

The risk situation of an entity is diagnosed based on the information documented in the matrix. Therefore, this method should cover the different business fronts of a company in order to compare the projects, areas, products and processes. 

How to design a risk matrix

A control matrix is designed using the Delphi method. First, a group of experts or specialists is consulted on aspects related to the internal and external context of the project. The components, threatened resources and possible threats to the object of analysis are identified and reflected in the matrix.

The matrix is built by placing the threatened resources (components) at the top of the rows and the threats at the top of the columns. Components are the resources to be protected and the threats are the negative events that may cause loss or affect the components.

Advantages and limitations of the control matrix for managing risk

First of all, the main advantage of the control matrix is its ease of use. It can be managed by any member of the organization with a working knowledge of the criteria. Another great advantage of this tool relies on its ability to classify and prioritize risks at different levels. 

However, according to ISO/IEC 31010, the control matrix also has several negative aspects:

  • It cannot cover all risk events.
  • It may lead to ambiguity in the analysis.
  • The level of subjectivity is increased.
  • It is difficult to compare the level of risk.
  • Risks cannot be added.

Risk Management Software

Excel matrix or risk management software: which is better? That is probably what many risk managers who are just starting to look for useful tools to automate the process are wondering. As we explained earlier, the Excel risk matrix has many limitations, which prevent objective decision-making. That is when it becomes necessary to opt for risk software to make the task easier.

Risk management software is an effective alternative because it reduces subjectivity in analysis, facilitates decentralization, and ensures comprehensive risk management.

Compared to the Excel matrix, risk management software optimizes monitoring, strengthens the risk culture within the company and helps make internal processes visible.

What are the characteristics of good risk software?

There are certain features that good risk software should have. In the first place, it must be configurable, that is to say, it must be customizable and adaptable to the company's needs and methodology.

Secondly, it must be integrable with the company's other information systems, such as customer service or the accounting system.

It must also be able to update itself according to changes in regional and international regulations. For example, Pragma Cero complies with

Finally, it is important to have optimal support service that allows you to implement the risk management software properly and help you with any difficulties you may have when incorporating it into your risk management.
