A good starting point would be the organization’s existing risk assessment system. We have found that using an existing system harnesses the power of familiarity. If the company does not have a risk assessment system, it should consider adopting a standardized system. Typical systems may include a quantitative risk assessment (scoring based on the frequency of the exposure, probability and consequence if the risk materialized) or BowTie risk assessments. See NFPA 70E®-2015 Annex F on the Risk Assessment Procedure.