Tools review · April 2026 · 7-minute read
You don’t need a six-figure ERM platform to do quantitative risk modelling. The five tools below are free, mature, and used in production by serious risk teams. Each fills a specific need; together they cover most of the quantitative-risk workflow.
1. R + the fitdistrplus and EnvStats packages
What it does. Fits probability distributions to your data (loss histories, claim amounts, project overruns) and produces parameter estimates with confidence bounds. fitdistrplus handles standard distributions (lognormal, gamma, Weibull); EnvStats adds environmental and tail-focused distributions.
Best for. Anyone moving from “average” or “worst-case” thinking to distributional thinking. The first 90 minutes you spend with these packages will outperform the next quarter of risk-register maintenance.
Watch out for. R’s learning curve. If your team has zero coding background, budget two weeks for a basic working setup. Consider Python alternatives below if R feels too heavy.
2. Python + SciPy + arviz
What it does. Same distributional fitting plus full Bayesian workflow (priors, posterior sampling, posterior predictive checks). arviz standardises diagnostic outputs across PyMC, Stan, and other Bayesian libraries.
Best for. Teams that already have Python literacy from data-science work. The Python ecosystem for Bayesian risk is now richer than R’s, especially for hierarchical models.
Watch out for. Bayesian methods reward investment but punish shortcuts. Plan to read Statistical Rethinking (McElreath) or equivalent before deploying outputs to decision-makers.
3. FAIR-U (FAIR Institute training tool)
What it does. Free web-based tool for FAIR (Factor Analysis of Information Risk) modelling — the dominant quantitative methodology for cyber risk. FAIR-U lets you build single-loss-event models with PERT distributions and run Monte Carlo simulations without installing anything.
Best for. Cyber risk and information-security teams running their first quantitative analyses. Also useful as a teaching tool for ERM teams adjacent to cyber.
Watch out for. FAIR-U is intentionally simplified. For production work with multiple risks and aggregate loss distributions, you’ll need RiskLens (paid) or roll your own in R/Python.
4. The Metalog Distribution (Excel and code libraries)
What it does. A flexible, parameter-light distribution family designed to fit any expert-elicited or empirical data without choosing a parametric form. Free Excel templates, R, Python, and Stata implementations.
Best for. Expert elicitation workflows where you want SME estimates (10th, 50th, 90th percentile) translated into a usable distribution without arguing about lognormal vs. gamma. Also strong for project cost contingency modelling.
Watch out for. Metalog is mathematically powerful but pedagogically unfamiliar. Expect to invest time explaining it to non-technical stakeholders.
5. Causal (free tier)
What it does. Spreadsheet-style modelling with native probabilistic variables. Type “150 to 200” and the cell becomes a uniform distribution; type “PERT(50, 100, 250)” and you get a PERT. Outputs include automatic Monte Carlo and tornado diagrams.
Best for. Risk leaders who want quantitative outputs without learning to code. The free tier is genuinely useful — paid tiers add collaboration features but no analytical limits worth mentioning.
Watch out for. Causal is hosted SaaS — your data sits on their servers. Read their data-handling terms before uploading sensitive risk data.
How to choose
If you’re starting from zero: Causal. The lowest-friction entry point.
If you have a coding-capable team: R or Python + Metalog. The most powerful combination, with full control over methodology.
If your focus is cyber: FAIR-U first, then graduate to commercial FAIR tools or roll your own when you outgrow it.
Whichever path you pick, the goal is the same: stop producing risk artefacts that nobody uses, and start producing distributional outputs that connect to actual decisions. Tools are the easy part. The hard part is the discipline.
We do not accept payment from any tool vendor for inclusion in our reviews. See our Editorial Standards. Last updated: 29 April 2026.