Skip to main content
ResiPlan
Unique catalog on the market

37 risk methodologies, one platform

From quantitative FAIR to climate TCFD, through EBIOS RM, MEHARI, HAZOP, OCTAVE, COSO ERM — ResiPlan covers every approach with a unified UI and automatic cross-linkage between methods.

risk-methodologies.metrics
6
Qualitative
5
Quantitative
10
Scenario
7
Sectoral
16
Strategic

Qualitative(6)

Qualitative

ISO 31000

ISO 31000:2018

Enterprise risk management framework — scope beyond cyber.

Best for: Enterprise-wide risk management

Qualitative

ISO 27005

ISO 27005:2022

Info security risk management reference, aligned with ISO 27001.

Best for: Information security risk management

Qualitative

MEHARI

CLUSIF

Audit-based risk method maintained by CLUSIF.

Best for: Audit-driven security reviews

Qualitative

OCTAVE Allegro

CERT/SEI

Carnegie Mellon methodology focused on information assets.

Best for: Asset-centric security assessment

Qualitative

NIST SP 800-30

NIST

US federal reference for information security risk assessment.

Best for: US federal & NIST CSF alignment

Qualitative

ISO 27036

ISO 27036:2021

Supplier relationship security risk management.

Best for: Supplier & third-party security governance

Quantitative(5)

Quantitative

FAIR + Monte Carlo

Open Group O-RT/O-RA

Financial quantification with integrated Monte Carlo engine.

Best for: Cyber risk and information security

Quantitative

Monte Carlo

Generic Monte Carlo engine for any risk scenario.

Best for: Simulating uncertainty across many risks

Quantitative

VaR (Value at Risk)

Historical, variance-covariance, Monte Carlo VaR methods.

Best for: Market risk on financial portfolios

Quantitative

Risk Quantification

Loss curves, expected value, probability distributions.

Best for: Putting a number on an existing register

Coming soon
Quantitative

CVaR / Expected Shortfall

Conditional Value at Risk — expected loss beyond the VaR threshold.

Best for: Tail risk on financial portfolios

Scenario(10)

Scenario

EBIOS Risk Manager

ANSSI 2018

French reference, 5 workshops: scoping → treatment.

Best for: French organizations & public sector

Scenario

Bow-Tie Analysis

Threat → top event → consequences with preventive / reactive barriers.

Best for: Visualising barriers around a critical event

Scenario

HAZOP

IEC 61882

Industrial hazard and operability study with guide words.

Best for: Industrial process safety

Scenario

FMEA / FMECA

IEC 60812

Failure Mode & Effects Analysis with RPN scoring.

Best for: Ranking technical failure modes

Scenario

Kinney Method

Kinney risk score (P × E × C) — safety/industrial sector.

Best for: Occupational health & safety

Scenario

Insider Threat

Employee/contractor malicious or accidental risk analysis.

Best for: Malicious or negligent insiders

Scenario

Social Engineering

Phishing, pretexting, baiting — scenario-based exposure map.

Best for: Human-factor attack exposure

Scenario

Change Risk

Pre-change risk assessment for IT, org, strategic pivots.

Best for: Assessing a change before you make it

Scenario

Dynamic Attack Graph

Simulate attack paths across your real asset dependency graph.

Best for: Seeing how an attacker moves laterally

Coming soon
Scenario

Fault Tree Analysis

Top-down deductive failure analysis with boolean logic gates.

Best for: Root-causing a single critical failure

Sectoral(7)

Sectoral

COSO ERM

COSO 2017

ERM framework for US-listed companies (SOX).

Best for: Board-level ERM and SOX alignment

Sectoral

Credit Risk

Basel III

PD / LGD / EAD credit exposure modeling — banking.

Best for: Banking credit exposure

Sectoral

ALM (Asset-Liability)

Interest rate + liquidity risk on balance sheet.

Best for: Balance-sheet interest & liquidity risk

Sectoral

Concentration

Herfindahl-Hirschman index for concentration + stress.

Best for: Spotting over-reliance on few counterparties

Sectoral

Systemic Risk

Cascading failure across interconnected entities.

Best for: Contagion across interconnected entities

Sectoral

Legal & Regulatory

Litigation, sanctions, regulatory change exposure.

Best for: Litigation and regulatory change exposure

Sectoral

Human Reliability (HRA)

Critical in nuclear / aviation / healthcare — quantifies human error.

Best for: Quantifying human error in critical operations

Strategic(16)

Strategic

Third-Party Risk

Vendor questionnaires, due diligence, re-assessment cycle.

Best for: Supply chain & vendor management

Strategic

Supply Chain Risk

Multi-tier mapping, single-source, geographic concentration.

Best for: Multi-tier supply chain exposure

Strategic

Vendor Questionnaires

SIG, CAIQ, custom assessment templates.

Best for: Collecting supplier assurance at scale

Strategic

TCFD Climate

TCFD 2017

Physical + transition risk under RCP and NGFS scenarios.

Best for: Climate physical & transition risk

Strategic

Geopolitical

200+ country ratings, sanctions exposure, supply chain.

Best for: Country, sanctions and conflict exposure

Strategic

PESTEL

Political, Economic, Social, Techno, Environmental, Legal scan.

Best for: Scanning the macro environment

Strategic

Risk-Based Approach

AML/CFT risk-based methodology for financial compliance.

Best for: AML/CFT compliance

Strategic

Threat Intelligence

CVE feeds, sector threat tracking, IOC management.

Best for: Keeping up with live threats

Strategic

KRI / KPI Dashboards

Key Risk Indicators with thresholds, alerts, trends.

Best for: Monitoring risk over time

Strategic

Risk Appetite

Define appetite per category + tolerance thresholds.

Best for: Setting how much risk you accept

Strategic

Appetite Exposure

Real-time exposure vs appetite monitoring.

Best for: Watching exposure against your appetite

Coming soon
Strategic

Reputational Risk

Brand exposure monitoring with media, social, and stakeholder sentiment analysis.

Best for: Brand and stakeholder sentiment exposure

Coming soon
Strategic

Strategic Risk

Board-level risks to business model, market position, competitive pressure.

Best for: Board-level business model risk

Coming soon
Strategic

Business Process Risk

Risk mapping per business process with control effectiveness scoring.

Best for: Process-level risk and control mapping

Coming soon
Strategic

Project Risk

PMI / PRINCE2

Project-level risk register with owner, probability, impact, mitigation per milestone.

Best for: Risk on a single project or programme

Coming soon
Strategic

Model Risk (SR 11-7)

Fed SR 11-7

Risk of loss from adverse decisions based on incorrect model outputs — banking regulation.

Best for: Validating the models you decide with

Why it matters

No single methodology covers all your cases. Mature organizations combine 4 to 8 methods based on context.

Everyone uses their preferred method

Your cyber team loves FAIR, your BCM uses HAZOP, your CISO wants EBIOS. No more silos — all methods in one repository.

Cross-referencing automatic

A risk modeled in FAIR automatically appears in the ISO 27005 register. EBIOS scenarios populate the Bow-Tie trees.

Consistent reporting

Board dashboards aggregate qualitative + quantitative views. Translate FAIR € amounts into ISO heat map for regulators.

37 methodologies vs the market

Most GRC suites ship a handful of risk methods. ResiPlan gives you the full toolbox — qualitative, quantitative, scenario-based, sectoral and strategic — feeding one register.

Typical GRC tool
3-5 methods
ResiPlan
37 methodologies

Frequently asked questions

Do I have to use all 36?

No — pick the methods that fit your sector and maturity. They all feed the same register, so you can add more over time.

Which method should I start with?

ISO 31000 or ISO 27005 for a general baseline; EBIOS RM for cyber; FAIR or Monte Carlo when leadership wants euro-quantified risk.

Can one risk use several methods?

Yes — model a risk once and overlay FAIR, Bow-Tie or a scoring matrix; results consolidate into board-ready dashboards.

37 risk methodologies, one platform

37 Risk Methodologies — ResiPlan | FAIR, EBIOS, Bow-Tie, Monte Carlo