Identifying risks in modern electric power systems is essential, and one of the main difficulties is covering the wide range of technologies that permeate their cyber and physical domains. Different risk identification methods have been proposed, but applying them individually does not guarantee coverage of both domains. On the other hand, the simple non-articulated application of a set of existing risk identification methods can lead to an exhaustive and inefficient process. This paper proposes a new Cyber–Physical Risks Identification Method (CPRIM) to comprehensively and efficiently identify risks in electrical power systems. To systematically cover risks ranging from the cyber domain to the physical domain, CPRIM combines, in a complementary and articulated way, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a Risk Factor model, and HAZOP, establishing a novel hybrid risk identification approach. This work also proposes a method based on Jaccard and overlap indexes to quantitatively assess the complementarity and superposition that may exist when applying different risk identification methods to electrical power systems. The results obtained in a real computer-managed photovoltaic plant indicate that CPRIM can efficiently identify cyber–physical risks, showing a reasonable trade-off between system coverage and redundancy in identified risks.
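The Jaccard and overlap indexes mentioned above can be computed pairwise over the sets of risks each method identifies. The following is an added example, not code from the paper: it uses the standard definitions of both indexes, the risk identifiers and set contents are constructed, and the "redundancy ratio" is an illustrative assumption rather than the paper's own metric.

```python
from itertools import combinations

# Constructed sample data: hypothetical risk IDs found by each method.
IDENTIFIED = {
    "NIST CSF": {"R01", "R02", "R03", "R04", "R05"},
    "Risk Factor": {"R04", "R05", "R06", "R07"},
    "HAZOP": {"R07", "R08", "R09", "R10", "R11", "R12"},
}


def jaccard(a, b):
    """|A n B| / |A u B|: low values mean the methods are complementary."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap(a, b):
    """|A n B| / min(|A|, |B|): 1.0 means one method's findings are
    fully contained in the other's (pure superposition)."""
    smaller = min(len(a), len(b))
    return len(a & b) / smaller if smaller else 0.0


def pairwise(methods):
    """Return {(m1, m2): (jaccard, overlap)} for every pair of methods."""
    return {
        (m, n): (jaccard(methods[m], methods[n]), overlap(methods[m], methods[n]))
        for m, n in combinations(sorted(methods), 2)
    }


def coverage_and_redundancy(methods):
    """Distinct risks covered, risks found by more than one method, and the
    share of all findings that were duplicates (assumed metric)."""
    all_risks = set().union(*methods.values())
    redundant = {r for r in all_risks
                 if sum(r in found for found in methods.values()) > 1}
    findings = sum(len(found) for found in methods.values())
    ratio = 1 - len(all_risks) / findings if findings else 0.0
    return len(all_risks), redundant, ratio


if __name__ == "__main__":
    for pair, (j, o) in pairwise(IDENTIFIED).items():
        print(f"{pair[0]} vs {pair[1]}: jaccard={j:.3f} overlap={o:.3f}")
    print(coverage_and_redundancy(IDENTIFIED))
```

A pair with both indexes at zero contributes only new risks, while a high overlap index with a low Jaccard index indicates that the smaller result set is largely subsumed by the larger one.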