Threat and Risk Assessment Methodologies

TRA Methodologies

Risk Assessment Methodologies

We’ve gathered a selection of methodologies used in Canada and internationally to guide risk assessments across CI domains. This is not a complete list, but a temporary reference point. Our future-state system will catalogue, assess, and align methodologies within a centralized platform—powering high-quality, standardized, and evidence-informed assessments across Canada’s critical infrastructure ecosystem.

Methodology Name	Year	Summary	Link
All-Hazards Risk Assessment (AHRA)	2013	A comprehensive all-hazards approach that evaluates both malicious and non-malicious threats, taking into account vulnerabilities and potential consequences to inform mitigation strategies.	Link
Harmonized Threat and Risk Assessment (HTRA) Methodology	2007	A modular framework designed to assess risks to assets, employees, and services, integrating with project management and system development life cycles for both strategic and operational applications.	Link
Hazard Identification Risk Assessment (HIRA)	2023	Widely used in Ontario and several jurisdictions across Canada to systematically identify hazards and assess the associated risks to inform emergency management programs.	Link
Hazard, Risk and Vulnerability Analysis (HRVA)	2023	A comprehensive tool used in British Columbia and other provinces to identify hazards, evaluate risks and vulnerabilities, and inform emergency plans and mitigation strategies.	Link
National Risk Profile (NRP) Methodology	2023	Combines the All-Hazards Risk Assessment and Emergency Management Capability Assessment methodologies to evaluate Canada’s disaster risks and emergency management capabilities.	Link
Threat and Risk Assessment Guide – GCPSG-022	2025	A guide developed by the RCMP to assist in conducting threat and risk assessments, serving as a companion to the RCMP’s TRA course and providing guidance for government departments.	Link
Risk Assessments for Public Health Professionals	2023	Guidelines provided by the Public Health Agency of Canada for assessing risks to public health, aiding in the development of recommended actions and exploration of potential outcomes.	Link
Design Basis Threat	2011	A structured approach used primarily in the nuclear and high-security sectors to define potential adversary capabilities, intentions, and tactics for which protection systems must be designed. It informs physical security system design and regulatory compliance.	Link
ISO 31000 – Risk Management Guidelines	2018	Internationally adopted and widely used across Canadian jurisdictions and private industry, ISO 31000 provides principles and guidelines for risk management applicable to any organization.	Link
CSA ISO/IEC 27005: Information Security Risk Management	2018	Provides guidelines for information security risk management aligned with ISO/IEC 27001, used in Canadian cyber and IT security domains.	Link