Risk and Consequence Analysis - Methods and Templates for Systematic Work

Learn the difference between risk analysis and consequence analysis. Get practical methods like 5x5 matrix, FMEA, and bow-tie for systematic risk work under ISO 9001, 14001, and 27001.

Most risk analyses stop at a list. You gather the team, list risks, assign a number to each one. Then the list goes into a binder and gets forgotten.

Consequence analysis is the step that makes the list useful. Instead of only asking “what could happen?” you ask “what does it mean for us if it does?” That is the difference between an exercise and a tool.

This article covers three proven methods for risk and consequence analysis, what ISO standards actually require, and how to get started without drowning in detail.

What is Risk and Consequence Analysis?

Risk analysis identifies threats. Consequence analysis assesses what the threat means - financially, operationally, legally, or for health and safety.

They go together. Without consequence analysis you don’t know which risks are serious enough to act on. Without risk analysis you have nothing to assess.

Systematic risk work means:

  1. Identify risks - what could go wrong?
  2. Analyze consequences - what does it mean if it does?
  3. Assess likelihood - how probable is it?
  4. Prioritize - which ones need action first?
  5. Act and follow up - who does what, when, and did it improve?

Method 1: The 5x5 Matrix

A 5x5 matrix is the most common tool for risk and consequence analysis. It is simple to understand and works for most companies.

Here is how it works:

  • Consequence is rated 1-5: from negligible (1) to catastrophic (5)
  • Likelihood is rated 1-5: from highly unlikely (1) to almost certain (5)
  • Risk score = consequence x likelihood (1-25)

A score of 1-4 is green (acceptable), 5-12 is yellow (needs action), and 15-25 is red (immediate action required). Scores of 13 and 14 cannot occur, since every score is the product of two whole numbers from 1 to 5.

The matrix works when you need a quick, consistent way to prioritize between different types of risks. The trade-off is that it is relatively coarse - two risks can get the same score for completely different reasons.
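The five steps of systematic risk work and the 5x5 scoring above, carried through on a small register, as an added example (this is not AmpliFlow's code, and the register entries are constructed). The bands are the article's; the tie-break on equal scores (higher consequence first) and the register contents are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register entry, scored on the two 1-5 scales the article describes."""
    name: str
    consequence: int  # 1 = negligible .. 5 = catastrophic
    likelihood: int   # 1 = highly unlikely .. 5 = almost certain

    def __post_init__(self) -> None:
        for field_name in ("consequence", "likelihood"):
            value = getattr(self, field_name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        """Risk score = consequence x likelihood (1-25)."""
        return self.consequence * self.likelihood


def band(score: int) -> str:
    """Map a score to the article's bands: 1-4 green, 5-12 yellow, 15-25 red.

    13 and 14 never occur: every score is a product of two integers 1-5.
    """
    if not 1 <= score <= 25:
        raise ValueError(f"score must be 1-25, got {score!r}")
    if score <= 4:
        return "green"
    if score <= 12:
        return "yellow"
    return "red"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first. On equal scores the higher consequence comes first;
    that tie-break is this example's assumption, not part of the 5x5 method."""
    return sorted(risks, key=lambda r: (r.score, r.consequence), reverse=True)


def same_score_different_profile(risks: list[Risk]) -> list[tuple[str, str]]:
    """Pairs that reach the same score from a different consequence/likelihood mix.

    This is the coarseness trade-off: the score alone cannot tell a rare
    disaster from a frequent nuisance, so the reviewer has to look at both axes.
    """
    pairs = []
    for i, a in enumerate(risks):
        for b in risks[i + 1:]:
            if a.score == b.score and (a.consequence, a.likelihood) != (b.consequence, b.likelihood):
                pairs.append((a.name, b.name))
    return pairs


# Constructed register for one area (a small server room); not real data.
REGISTER = [
    Risk("Cooling failure in server room", consequence=4, likelihood=3),        # 12, yellow
    Risk("Power flicker trips a UPS alarm", consequence=2, likelihood=5),       # 10, yellow
    Risk("Fire in server room", consequence=5, likelihood=2),                   # 10, yellow
    Risk("Printer runs out of toner", consequence=1, likelihood=4),             # 4, green
    Risk("Ransomware encrypts the file server", consequence=5, likelihood=4),   # 20, red
]


def risk_picture(risks: list[Risk] = REGISTER) -> list[tuple[str, int, str]]:
    """The prioritized register as (name, score, band) rows, the way a review would list them."""
    return [(r.name, r.score, band(r.score)) for r in prioritize(risks)]


if __name__ == "__main__":
    for name, score, colour in risk_picture():
        print(f"{score:>2} {colour:<6} {name}")
    for a, b in same_score_different_profile(REGISTER):
        print(f"same score, different profile: {a!r} vs {b!r}")
```

Running it lists the register from red to green and then flags the two yellow entries that both score 10: one is a frequent, minor event, the other a rare, catastrophic one. That pair is the reason a score should never be read without its two factors.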

Method 2: FMEA

Failure Mode and Effects Analysis (FMEA) is a more detailed method originating in manufacturing. It suits processes where predictability is critical.

In FMEA, each failure mode is assessed on three parameters:

  • Severity - how serious is the effect?
  • Occurrence - how often does the failure happen?
  • Detection - how easy is it to catch the failure before it causes harm?

The Risk Priority Number (RPN) is S x O x D; an RPN of 1 is the lowest possible risk and 1000 the highest.

FMEA gives a more nuanced picture than the 5x5 matrix but takes more time and thoroughness. Use it when 5x5 is not enough - for critical processes, product development, or food safety.
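The RPN calculation above on a constructed FMEA worksheet, as an added example (not AmpliFlow's code). The article gives only the RPN range of 1-1000; the 1-10 scale for each of S, O and D that produces that range is standard FMEA practice and is assumed here, as are the action threshold and the severity floor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet."""
    process_step: str
    failure: str
    severity: int    # S: 1 = no noticeable effect .. 10 = hazardous (assumed 1-10 scale)
    occurrence: int  # O: 1 = remote .. 10 = almost inevitable
    detection: int   # D: 1 = almost certainly caught .. 10 = cannot be detected

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer 1-10, got {value!r}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number = S x O x D (1-1000)."""
        return self.severity * self.occurrence * self.detection


def rank(modes: list[FailureMode]) -> list[FailureMode]:
    """Highest RPN first; equal RPNs are ordered by severity (this example's tie-break)."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)


def needs_action(modes: list[FailureMode], rpn_threshold: int = 100,
                 severity_floor: int = 9) -> list[FailureMode]:
    """Failure modes to treat: RPN at or above the threshold, or severity at or
    above the floor regardless of RPN. Both cut-offs are this example's
    assumptions. The severity floor exists because a rare occurrence or good
    detection can multiply a catastrophic failure down to a small RPN."""
    return [m for m in rank(modes) if m.rpn >= rpn_threshold or m.severity >= severity_floor]


def worksheet_rows(modes: list[FailureMode]) -> list[tuple[str, str, int, int, int, int]]:
    """(step, failure, S, O, D, RPN) rows in ranked order, for a report."""
    return [(m.process_step, m.failure, m.severity, m.occurrence, m.detection, m.rpn)
            for m in rank(modes)]


# Constructed worksheet for three IT processes; the ratings are illustrative.
WORKSHEET = [
    FailureMode("Nightly backup", "Job silently skips one volume", severity=8, occurrence=3, detection=7),        # 168
    FailureMode("Nightly backup", "Backup media unreadable at restore", severity=9, occurrence=2, detection=9),   # 162
    FailureMode("Nightly backup", "Job overruns into business hours", severity=3, occurrence=6, detection=2),     # 36
    FailureMode("Access provisioning", "Leaver's account not disabled", severity=7, occurrence=4, detection=5),   # 140
    FailureMode("Access provisioning", "Wrong role assigned to new hire", severity=5, occurrence=5, detection=3), # 75
    FailureMode("Patch deployment", "Patch breaks the legacy invoicing app", severity=10, occurrence=1, detection=2),  # 20
]


if __name__ == "__main__":
    for step, failure, s, o, d, rpn in worksheet_rows(WORKSHEET):
        print(f"{rpn:>4}  S={s:<2} O={o:<2} D={d:<2} {step}: {failure}")
    print("needs action:", [m.failure for m in needs_action(WORKSHEET)])
```

The last row is the point of the severity floor: a patch that breaks a business-critical application scores only 20 because it is rare and easy to notice, yet its severity alone justifies a rollback plan.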

Method 3: Bow-tie Analysis

Bow-tie analysis visualizes risk scenarios from cause to consequence, with preventive and mitigating barriers.

The method works well for complex risks where one event can have multiple causes and multiple consequences - for example an IT incident, a workplace accident, or a production shutdown.

The bow-tie model shows:

  • Threats (left side) - what could trigger the event?
  • Preventive barriers - what stops it from happening?
  • Event (center) - the risk itself
  • Mitigating barriers - what reduces the damage if it happens?
  • Consequences (right side) - what is the outcome?

Bow-tie is more visual and educational than the other methods, making it good for training and communicating with management. The drawback is that it gets unwieldy with many risks.
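The bow-tie model above as a small data structure with a barrier-gap check and a plain-text rendering, as an added example (not AmpliFlow's code). The IT-incident scenario, its barriers, and the rule that every threat and every consequence should carry at least one barrier are this example's assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """Left side of the bow-tie: a cause, with the barriers meant to stop it."""
    name: str
    preventive_barriers: list[str] = field(default_factory=list)


@dataclass
class Consequence:
    """Right side: an outcome, with the barriers meant to limit its damage."""
    name: str
    mitigating_barriers: list[str] = field(default_factory=list)


@dataclass
class BowTie:
    event: str  # the centre of the diagram: the risk itself
    threats: list[Threat]
    consequences: list[Consequence]

    def barrier_gaps(self) -> dict[str, list[str]]:
        """Threats with no preventive barrier and consequences with no mitigating
        barrier. Treating each as a gap is this example's rule, not the article's."""
        return {
            "threats": [t.name for t in self.threats if not t.preventive_barriers],
            "consequences": [c.name for c in self.consequences if not c.mitigating_barriers],
        }

    def barrier_count(self) -> int:
        """Total barriers on both sides; a quick size indicator for the diagram."""
        return (sum(len(t.preventive_barriers) for t in self.threats)
                + sum(len(c.mitigating_barriers) for c in self.consequences))

    def render(self) -> str:
        """One line per threat and per consequence, with its barriers in brackets."""
        lines = []
        for t in self.threats:
            barriers = " | ".join(t.preventive_barriers) or "NO BARRIER"
            lines.append(f"{t.name} --[{barriers}]--> ({self.event})")
        for c in self.consequences:
            barriers = " | ".join(c.mitigating_barriers) or "NO BARRIER"
            lines.append(f"({self.event}) --[{barriers}]--> {c.name}")
        return "\n".join(lines)


# Constructed scenario; the barriers listed are illustrative, not a recommendation.
ERP_OUTAGE = BowTie(
    event="Unplanned outage of the production ERP system",
    threats=[
        Threat("Disk failure on the database server",
               ["RAID with hot spare", "Hardware monitoring alerts"]),
        Threat("Failed change during the maintenance window",
               ["Change approval with a tested rollback plan"]),
        Threat("Unpatched vulnerability exploited",
               ["Monthly patch cycle", "Network segmentation"]),
        Threat("Expired TLS certificate on the application server"),  # no barrier recorded yet
    ],
    consequences=[
        Consequence("Production line stops", ["Manual order-processing fallback"]),
        Consequence("Order data lost", ["Hourly database backups with tested restores"]),
        Consequence("Customer SLA penalties"),  # no barrier recorded yet
    ],
)


if __name__ == "__main__":
    print(ERP_OUTAGE.render())
    print("gaps:", ERP_OUTAGE.barrier_gaps())
```

The rendering is what makes the method useful in a management review: two lines read "NO BARRIER", and those two lines are the actions to assign. The gap check is also where the diagram starts to get unwieldy, since each new threat or consequence adds a line and its own barrier list.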

What ISO Standards Require

All management system standards follow the same basic structure (Annex SL) and require risk-based thinking in clause 6.1.

ISO 9001:2015, clause 6.1 requires you to determine risks and opportunities that need addressing so the management system can achieve its intended results. Actions must be proportionate to the potential impact.

ISO 14001:2015, clause 6.1 requires you to determine risks and opportunities related to environmental aspects and compliance obligations. This covers environmental impact - emissions, resource use, waste.

ISO 27001:2022, clause 6.1 is the most detailed. It requires a defined risk assessment process with criteria, analysis of consequences and likelihood, risk owners, and prioritization for treatment. This covers information security - confidentiality, integrity, availability.

None of the standards prescribe a specific method. 5x5, FMEA, and bow-tie are all acceptable as long as they are consistent, repeatable, and documented.

Common Mistakes

Starting too broad. Trying to cover every risk in the organization at once becomes unmanageable. Start with one process, one area, or one department.

Forgetting follow-up. A risk analysis without feedback is wasted time. Decide from the start when and how risks will be reviewed.

Choosing the wrong method. 5x5 is often sufficient. FMEA is not better just because it is more complex. Pick the method that matches what you actually need to know.

Mixing risk types. Operational risks, strategic risks, and compliance risks need different analyses. Putting everything in one matrix gives a useless picture.

Systematic Risk Work in AmpliFlow

AmpliFlow’s risk module is built to handle risk and consequence analysis for all three standards. You can define your own methods, use the 5x5 matrix or FMEA, connect risks to processes and actions, and follow up in management review.

Everything connects. A risk you identify links directly to an action with an owner and deadline. When management reviews the risk picture, they see real-time data, not an old printout.

Need help getting started with risk work? Book a demo and we will show you how it works in practice.
