Risk profiling, also known as risk mapping, is a technique used to analyze a firm's portfolio of risks. Innovative risk managers are using this tool as one way to identify risk exposures. The risk-profiling discipline and process gives risk managers the critical data they need in order to decide how to control, diversify, or hedge risks. One way to look at risk profiling is to view it as a visual way of depicting possible frequency and severity of organizational risks.

Nowadays, upper management expects risk managers to offer specific strategies for a continuum of uncertainties confronting organizations. Any major threat that falls within a risk manager's blind spot can be job- and career-ending, including those that come out of left-field.

To better understand risk profiling, let's view it as encompassing five distinct components:

1. Risk identification. This step involves surveying the firm as a whole. Publicly available information often is helpful. In this phase, the risk manager also may try to link risks with specific business units.
2. Risk assessment. The practitioner then analyzes the preceding step, using yardsticks of frequency and severity. Risk managers can do this by plotting the risk-identification outcomes on a graph — called a risk map — with frequency and severity representing the two axes.
3. Risk profiling. The risk map produced in the prior stage splits into four subsections called risk families. An example of a risk family is a group of risks categorized as severe but infrequent. (Intense hurricanes or earthquakes are severe but infrequent, for example.) On a risk map with severity on the vertical axis and frequency from less to more on the horizontal axis, this cluster would be in the upper-left corner.
4. Risk quantification. Risk managers can further analyze risk families by using financial modeling techniques, quantitatively estimating losses and calculating probabilities. Risk managers may need outside experts here to fully execute this step.
5. Risk consolidation. Risks studied at divisional or subsidiary levels are aggregated at the corporate level.

The preceding are the steps of this risk-profiling process. They do not, however, illuminate the reasons why companies would be attracted to the technique.