A good starting point would be the organization’s existing risk assessment system. We have found that using an existing system harnesses the power of familiarity.
If the company does not have one, it should consider adopting a standardized system. Typical systems include a quantitative risk assessment (scoring based on the frequency of the exposure, the probability, and the consequence if the risk materializes) or BowTie risk assessments. See NFPA 70E®-2015 Annex F on the Risk Assessment Procedure.