37 risk methodologies, one platform
From quantitative FAIR to climate TCFD, through EBIOS RM, MEHARI, HAZOP, OCTAVE, COSO ERM — ResiPlan covers every approach with a unified UI and automatic cross-linkage between methods.
Qualitative(6)
ISO 31000
Enterprise risk management framework — scope beyond cyber.
Best for: Enterprise-wide risk management
ISO 27005
Info security risk management reference, aligned with ISO 27001.
Best for: Information security risk management
MEHARI
Audit-based risk method maintained by CLUSIF.
Best for: Audit-driven security reviews
OCTAVE Allegro
Carnegie Mellon methodology focused on information assets.
Best for: Asset-centric security assessment
NIST SP 800-30
US federal reference for information security risk assessment.
Best for: US federal & NIST CSF alignment
ISO 27036
Supplier relationship security risk management.
Best for: Supplier & third-party security governance
Quantitative(5)
FAIR + Monte Carlo
Financial quantification with integrated Monte Carlo engine.
Best for: Cyber risk and information security
Monte Carlo
Generic Monte Carlo engine for any risk scenario.
Best for: Simulating uncertainty across many risks
VaR (Value at Risk)
Historical, variance-covariance, Monte Carlo VaR methods.
Best for: Market risk on financial portfolios
Risk Quantification
Loss curves, expected value, probability distributions.
Best for: Putting a number on an existing register
CVaR / Expected Shortfall
Conditional Value at Risk — expected loss beyond the VaR threshold.
Best for: Tail risk on financial portfolios
Scenario(10)
EBIOS Risk Manager
French reference, 5 workshops: scoping → treatment.
Best for: French organizations & public sector
Bow-Tie Analysis
Threat → top event → consequences with preventive / reactive barriers.
Best for: Visualising barriers around a critical event
HAZOP
Industrial hazard and operability study with guide words.
Best for: Industrial process safety
FMEA / FMECA
Failure Mode & Effects Analysis with RPN scoring.
Best for: Ranking technical failure modes
Kinney Method
Kinney risk score (P × E × C) — safety/industrial sector.
Best for: Occupational health & safety
Insider Threat
Employee/contractor malicious or accidental risk analysis.
Best for: Malicious or negligent insiders
Social Engineering
Phishing, pretexting, baiting — scenario-based exposure map.
Best for: Human-factor attack exposure
Change Risk
Pre-change risk assessment for IT, org, strategic pivots.
Best for: Assessing a change before you make it
Dynamic Attack Graph
Simulate attack paths across your real asset dependency graph.
Best for: Seeing how an attacker moves laterally
Fault Tree Analysis
Top-down deductive failure analysis with boolean logic gates.
Best for: Root-causing a single critical failure
Sectoral(7)
COSO ERM
ERM framework for US-listed companies (SOX).
Best for: Board-level ERM and SOX alignment
Credit Risk
PD / LGD / EAD credit exposure modeling — banking.
Best for: Banking credit exposure
ALM (Asset-Liability)
Interest rate + liquidity risk on balance sheet.
Best for: Balance-sheet interest & liquidity risk
Concentration
Herfindahl-Hirschman index for concentration + stress.
Best for: Spotting over-reliance on few counterparties
Systemic Risk
Cascading failure across interconnected entities.
Best for: Contagion across interconnected entities
Legal & Regulatory
Litigation, sanctions, regulatory change exposure.
Best for: Litigation and regulatory change exposure
Human Reliability (HRA)
Critical in nuclear / aviation / healthcare — quantifies human error.
Best for: Quantifying human error in critical operations
Strategic(16)
Third-Party Risk
Vendor questionnaires, due diligence, re-assessment cycle.
Best for: Supply chain & vendor management
Supply Chain Risk
Multi-tier mapping, single-source, geographic concentration.
Best for: Multi-tier supply chain exposure
Vendor Questionnaires
SIG, CAIQ, custom assessment templates.
Best for: Collecting supplier assurance at scale
TCFD Climate
Physical + transition risk under RCP and NGFS scenarios.
Best for: Climate physical & transition risk
Geopolitical
200+ country ratings, sanctions exposure, supply chain.
Best for: Country, sanctions and conflict exposure
PESTEL
Political, Economic, Social, Techno, Environmental, Legal scan.
Best for: Scanning the macro environment
Risk-Based Approach
AML/CFT risk-based methodology for financial compliance.
Best for: AML/CFT compliance
Threat Intelligence
CVE feeds, sector threat tracking, IOC management.
Best for: Keeping up with live threats
KRI / KPI Dashboards
Key Risk Indicators with thresholds, alerts, trends.
Best for: Monitoring risk over time
Risk Appetite
Define appetite per category + tolerance thresholds.
Best for: Setting how much risk you accept
Appetite Exposure
Real-time exposure vs appetite monitoring.
Best for: Watching exposure against your appetite
Reputational Risk
Brand exposure monitoring with media, social, and stakeholder sentiment analysis.
Best for: Brand and stakeholder sentiment exposure
Strategic Risk
Board-level risks to business model, market position, competitive pressure.
Best for: Board-level business model risk
Business Process Risk
Risk mapping per business process with control effectiveness scoring.
Best for: Process-level risk and control mapping
Project Risk
Project-level risk register with owner, probability, impact, mitigation per milestone.
Best for: Risk on a single project or programme
Model Risk (SR 11-7)
Risk of loss from adverse decisions based on incorrect model outputs — banking regulation.
Best for: Validating the models you decide with
Why it matters
No single methodology covers all your cases. Mature organizations combine 4 to 8 methods based on context.
Everyone uses their preferred method
Your cyber team loves FAIR, your BCM uses HAZOP, your CISO wants EBIOS. No more silos — all methods in one repository.
Cross-referencing automatic
A risk modeled in FAIR automatically appears in the ISO 27005 register. EBIOS scenarios populate the Bow-Tie trees.
Consistent reporting
Board dashboards aggregate qualitative + quantitative views. Translate FAIR € amounts into ISO heat map for regulators.
37 methodologies vs the market
Most GRC suites ship a handful of risk methods. ResiPlan gives you the full toolbox — qualitative, quantitative, scenario-based, sectoral and strategic — feeding one register.
Frequently asked questions
Do I have to use all 36?
No — pick the methods that fit your sector and maturity. They all feed the same register, so you can add more over time.
Which method should I start with?
ISO 31000 or ISO 27005 for a general baseline; EBIOS RM for cyber; FAIR or Monte Carlo when leadership wants euro-quantified risk.
Can one risk use several methods?
Yes — model a risk once and overlay FAIR, Bow-Tie or a scoring matrix; results consolidate into board-ready dashboards.