ISO 31010 is the companion standard to ISO 31000. Where 31000 sets out the principles, framework, and process for risk management, 31010 covers the actual analytical techniques — over thirty methods spanning identification, analysis, and evaluation. Most risk functions use two or three of these techniques, usually the most generic, and ignore the rest. The standard is most useful when treated as a tool catalogue: pick the technique that fits the question rather than running the same method on every risk.
The Three Stages and the Techniques That Fit Each
31010 organises techniques against the risk assessment process: identification (what could happen?), analysis (how likely and how severe?), and evaluation (what does this mean compared to our risk criteria?). Some techniques span multiple stages; others are sharply focused on one. Brainstorming and structured what-if analysis are identification techniques. Fault tree analysis, event tree analysis, and Bayesian networks lean heavily into analysis. Bowtie analysis spans identification and analysis. Cost-benefit analysis sits in the evaluation stage.
Bowtie Analysis: An Underused Tool for Operational Risk
The bowtie diagram places a single hazardous event at the centre, with threats flowing in from the left and consequences flowing out to the right; preventive controls sit between the threats and the event, and mitigating controls sit between the event and its consequences. The structure is intuitive enough for non-specialists, rigorous enough to surface gaps in either preventive or mitigating control coverage, and useful for communicating risk pictures to leadership without abstracting them into a single number. For incident-prone operational risks, bowtie consistently produces clearer thinking than a numeric heatmap.
FMEA Where Failures Have Knowable Modes
Failure Modes and Effects Analysis (and its more detailed variant FMECA) systematically examines a system, identifies how each component or process step can fail, the consequences of each failure, and the controls that detect or prevent it. FMEA produces a Risk Priority Number (RPN) that orders failure modes for treatment. The technique is most powerful in product, process, and equipment risk — anywhere the failure modes are knowable in advance and the effects can be characterised. It is less useful for emergent or strategic risks where the failure modes themselves are uncertain.
A useful diagnostic for a risk function: when did your team last apply a different technique to a different problem? If the answer is years, the function has converged on a single method that gets applied to everything. The convergence makes outputs comparable across time but obscures the cases where a different technique would have produced clearer thinking. ISO 31010 is most useful when treated as a deliberate menu of methods, not as a reference document nobody opens.
When Quantitative Methods Pay Back
Monte Carlo simulation, Bayesian networks, and quantitative fault-tree analysis are technically demanding and produce outputs that can be misinterpreted by audiences accustomed to qualitative ratings. They are also the right tools when the question is "what is our exposure under uncertainty?" — capital allocation decisions, insurance retention modelling, project schedule risk, cybersecurity loss expectancy. Risk functions that build the capability to apply these methods produce different conversations with finance and the board than ones that operate exclusively with red-amber-green ratings.
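As an added illustration of the quantitative case above (not from ISO 31010 or this article), here is a Monte Carlo estimate of annualised loss for one cyber risk in Python, standard library only. The event rate and loss figures are constructed for the example, and the Poisson-frequency / lognormal-severity model is this example's own choice, not something the standard prescribes.

```python
import math
import random
import statistics

Z90 = 1.2816  # standard-normal z-score for the 90th percentile


def lognormal_params(median, p90):
    """Turn a calibrated (median, 90th-percentile) loss estimate into lognormal mu, sigma."""
    return math.log(median), math.log(p90 / median) / Z90


def poisson(rate, rng):
    """Knuth's sampler for event counts; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rate, median, p90, trials=20000, seed=1):
    """One simulated year per trial: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p90)
    losses = []
    for _ in range(trials):
        events = poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_expected_loss(rate, median, p90):
    """Closed-form check on the simulation: rate * E[lognormal] = rate * exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(median, p90)
    return rate * math.exp(mu + sigma ** 2 / 2)


def summarise(losses):
    """The figures a finance audience can use: mean, tail percentiles, chance of a loss-free year."""
    ordered = sorted(losses)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": statistics.fmean(losses), "p50": pct(0.5), "p90": pct(0.9),
            "p99": pct(0.99), "p_zero": losses.count(0.0) / len(losses)}


if __name__ == "__main__":
    # Constructed inputs: ~1 significant incident per 2 years, median loss 200k, 10% chance an incident exceeds 1M.
    for key, value in summarise(simulate_annual_loss(0.5, 200_000, 1_000_000)).items():
        print(f"{key:>6}: {value:,.0f}" if key != "p_zero" else f"{key:>6}: {value:.2f}")
```

With these inputs the median annual loss is zero (most simulated years have no incident) while the expected annual loss is roughly 220k, which is exactly the kind of output that has to be explained to an audience used to red-amber-green ratings.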
Picking Techniques: A Practical Heuristic
- Hazardous event with knowable threats and consequences — bowtie analysis
- Engineered system or process with discrete failure modes — FMEA / FMECA
- Process safety, hazardous operation review — HAZOP
- Strategic or emergent risk where the failure modes are themselves uncertain — scenario analysis
- Quantification under genuine uncertainty — Monte Carlo or Bayesian methods
- Communication to non-technical audiences — bowtie, scenario narrative, risk matrix
- Root cause investigation after an incident — fault tree, 5 Whys, fishbone
The Discipline That Holds the Toolkit Together
A risk function with thirty techniques and no discipline produces inconsistent outputs. A risk function with two techniques and strict discipline produces consistent outputs that miss important questions. The mature practice combines a deliberate technique catalogue with consistent process — define the question, pick the appropriate method, document the analysis, present results in the form the decision-maker can use. ISO 31010 is the catalogue. ISO 31000 is the process. Used together, they produce risk practice that informs decisions rather than just documenting them.